Security Final


Physical Access Controls

Control access to physical resources

Collusion

Users work together to avoid the controls

The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation? -11 -13 -15 -18

13

Matthew captures traffic on his network and notices connections using ports 20, 22, 23, and 80. Which port normally hosts a protocol that uses secure, encrypted connections? 20 22 23 80

22

Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service? 21 23 80 443

80

Juan's web server was down for an entire day last September. It experienced no other downtime during that month. Which one of the following represents the web server uptime for that month? 96.67% 3.33% 99.96% 0.04%

96.67

Risk Methodology

A description of how you will manage risk.

Risk Register

A document in which the results of risk analysis and risk response planning are recorded.

Rule-based access control

A list of rules maintained by the data owner, determines which users have access to objects

CCTA Risk Analysis and Management Method (CRAMM)

A risk analysis method developed by the UK government. Best suited for large organizations

Access Control Policy

A set of rules that allows a specific group of users to perform a particular set of actions on a particular set of resources

Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering? -Accuracy -Reaction time -Dynamism -Acceptability

Acceptability

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing? -Identification -Authentication -Accountability -Authorization

Authorization

In an accreditation process, who has the authority to approve a system for implementation? -Certifier -Authorizing official (AO) -System owner -System administrator

Authorizing official (AO)

Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create? -Baseline -Policy -Guideline -Procedure

Baseline

Which security model does NOT protect the integrity of information? -Bell-LaPadula -Clark-Wilson -Biba -Brewer and Nash

Bell-LaPadula

Which password attack is typically used specifically against password files that contain cryptographic hashes? Brute-force attacks Dictionary attacks Birthday attacks Social engineering attacks

Birthday attacks

Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting? -Black-box test -White-box test -Grey-box test -Blue-box test

Black-box test

Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement? Privacy Bring Your Own Device (BYOD) Acceptable use Data classification

Bring Your Own Device (BYOD)

Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value? -Dictionary attack -Rainbow table attack -Social engineering attack -Brute-force attack

Brute-Force Attack

Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort? -Disaster recovery plan (DRP) -Business impact analysis (BIA) -Business continuity plan (BCP) -Service level agreement (SLA)

Business continuity plan (BCP)

Which audit data collection method helps ensure that the information-gathering process covers all relevant areas? -Checklist -Interviews -Questionnaires -Observation

Checklist

Jody would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs? Voice over IP (VoIP) Audio conferencing Video conferencing Collaboration

Collaboration

Need to Know

Concept of preventing people from gaining access to information they don't need to carry out their duties

Which activity manages the baseline settings for a system or device? -Configuration control -Reactive change management -Proactive change management -Change control

Configuration Control

What is NOT a common endpoint for a virtual private network (VPN) connection used for remote network access? Laptop Firewall Router Content filter

Content Filter

Reference Monitor

Controls all software access to data objects or devices

In Mobile IP, what term describes a device that would like to communicate with a mobile node (MN)? Home agent (HA) Foreign agent (FA) Care of address (COA) Correspondent node (CN)

Correspondent node (CN)

Which characteristic of a biometric system measures the system's accuracy using a balance of different error types? -False acceptance rate (FAR) -False rejection rate (FRR) -Crossover error rate (CER) -Reaction time

Crossover error rate (CER)

Which one of the following is an example of a direct cost that might result from a business disruption? -Damaged reputation -Lost market share -Lost customers -Facility repair

Facility repair

What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)? -Secure European System for Applications in a Multi-Vendor Environment (SESAME) -Lightweight Directory Access Protocol (LDAP) -Security Assertion Markup Language (SAML) -Kerberos

Kerberos

Relationships

Optional conditions that exist between user and resources. Relationships are permissions granted to an authorized user, such as read, write, execute.

Temporal Isolation

Restricts access to specific times: objects are classified by sensitivity level, and access to those objects is allowed only at certain times (time-of-day restrictions).

Which item is an auditor least likely to review during a system controls audit? -Resumes of system administrators -Incident records -Application logs -Penetration test results

Resumes of system administrators

What is NOT generally a section in an audit report? -Findings -System configurations -Recommendations -Timeline for Implementation

System configurations

Which one of the following is NOT an example of store-and-forward messaging? Telephone call Voicemail Unified messaging Email

Telephone call

Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using? Cross-site scripting Session hijacking SQL injection Typosquatting

Typosquatting

An attacker attempting to break into a facility pulls the fire alarm to distract the security guard manning an entry point. Which type of social engineering attack is the attacker using? Vishing Urgency Whaling Authority

Urgency

Which one of the following is NOT a commonly accepted best practice for password security? -Use at least six alphanumeric characters. -Do not include usernames in passwords -Include a special character in passwords -Include a mixture of uppercase characters, lowercase characters, and numbers in passwords.

Use at least six alphanumeric characters

Which one of the following is typically used during the identification phase of a remote access connection? Username Password Token Fingerprint

Username

Non-discretionary access control

closely monitored by the security administrator, not the system administrator

Logical Access Controls

control access to a computer system or network.

Biba Integrity Model

fixed a weakness in the Bell-LaPadula model, which addressed only the confidentiality of data.

Clark and Wilson integrity model

focuses on what happens when users allowed into a system try to do things they are not permitted to do, while also looking at internal integrity threats. Its 3 goals are: -stops unauthorized users from making changes -stops authorized users from making improper changes -keeps internal and external consistency

Least Privilege

granting the minimum access that allows a user to accomplish assigned tasks.

Permission Levels - Task based

limits a person to executing certain functions and often enforces mutual exclusivity

Permission Levels - User based

permissions granted to a user are often specific to that user

Chinese Wall

security policy defines a wall, or barrier, and develops a set of rules that makes sure no subject gets to objects on the other side of the wall.

Discretionary Access Control (DAC)

the owner of the resource decides who gets in and changes permissions as needed. The owner can give that job to others.

Risk Management

the process of identifying, assessing, and reducing risks

Share Permissions

Full, change, read, and deny

What is NOT one of the three tenets of information security? -Confidentiality -Integrity -Safety -Availability

Safety

Which one of the following is the best example of an authorization control? -Biometric device -Digital certificate -Access control lists -One-time password

Access control lists

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve? -Reduced operating costs -Access to a high level of expertise -Developing in-house talent -Building internal knowledge

Access to a high level of expertise

Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about? -Identification -Authentication -Authorization -Accountability

Accountability

Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place? Address Resolution Protocol (ARP) poisoning Internet Protocol (IP) spoofing URL hijacking Christmas attack

Address Resolution Protocol (ARP) poisoning

Trusted Operating System (TOS)

An operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements.

What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)? -An organization should collect only what it needs. -An organization should share its information. -An organization should keep its information up to date. -An organization should properly destroy its information when it is no longer needed.

An organization should share its information.

Which action is the best step to protect Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements? Applying security updates promptly Using encryption for communications Removing IoT devices from the network Turning IoT devices off when not in use

Applying security updates promptly

Which security control is most helpful in protecting against eavesdropping on wireless LAN (WLAN) data transmissions that would jeopardize confidentiality? Securing wiring closets Applying patches promptly Implementing LAN configuration standards Applying strong encryption

Applying strong encryption

What is NOT a good practice for developing strong professional ethics? -Set the example by demonstrating ethics in daily activities -Encourage adopting ethical guidelines and standards -Assume that information should be free -Inform users through security awareness training

Assume that information should be free

Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in? -Monitor -Audit -Improve -Secure

Audit

During what phase of a remote access connection does the end user prove his or her claim of identity? Identification Authentication Authorization Tokenization

Authentication

During which phase of the access control process does the system answer the question, "What can the requestor access?" -Identification -Authentication -Authorization -Accountability

Authorization

Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices? -Support ownership -Onboarding/offboarding -Forensics -Data ownership

Data ownership

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

Defines a risk-based strategic assessment and planning technique for security. OCTAVE is a self-directed approach. Two versions exist: OCTAVE for large corporations and OCTAVE-S for smaller companies of 100 people or fewer.

Which technology can be used to protect the privacy rights of individuals and simultaneously allow organizations to analyze data in aggregate? Encryption Decryption Deidentification Aggregation

Deidentification

ISO/IEC 27005, "Information Security Risk Management"

Describes information security risk management in a generic manner. The documents include examples of approaches to information security risk assessment and lists of possible threats, vulnerabilities and security controls.

What information should an auditor share with the client during an exit interview? -Draft copy of the audit report -Final copy of the audit report -Details on major issues -The auditor should not share any information with the client at this phase

Details on major issues

Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario? -Discretionary access control (DAC) -Mandatory access control (MAC) -Rule-based access control -Role-based access control (RBAC)

Discretionary access control

Which risk is most effectively mitigated by an upstream Internet service provider (ISP)? Distributed denial of service (DDoS) Lost productivity Firewall configuration error Unauthorized remote access

Distributed denial of service (DDoS)

Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit? -Does the organization have an effective password policy? -Does the firewall properly block unsolicited network connection attempts? -Who grants approval for access requests? -Is the password policy uniformly enforced?

Does the firewall properly block unsolicited network connection attempts?

Which one of the following is NOT an area of critical infrastructure where the Internet of Things (IoT) is likely to spur economic development in less developed countries? Wastewater treatment Water supply management E-commerce Agriculture

E-commerce

Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)? -Seeking to gain unauthorized access to resources -Disrupting intended use of the Internet -Enforcing the integrity of computer-based information -Compromising the privacy of users

Enforcing the integrity of computer-based information

What is the first step in a disaster recovery effort? -Respond to the disaster -Follow the disaster recovery plan (DRP) -Communicate with all affected parties -Ensure that everyone is safe.

Ensure that everyone is safe

Which one of the following is an example of a disclosure threat? Espionage Alteration Denial Destruction

Espionage

Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place? Evil twin Wardriving Bluesnarfing Replay attack

Evil twin

Which type of attack involves the creation of some deception in order to trick unsuspecting users? Interception Interruption Fabrication Modification

Fabrication

Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring? -Remote administration error -False positive error -Clipping error -False negative error

False positive error

What compliance regulation applies specifically to the educational records maintained by schools about students? -Family Education Rights and Privacy Act (FERPA) -Health Insurance Portability and Accountability Act (HIPAA) -Federal Information Security Management Act (FISMA) -Gramm-Leach-Bliley Act (GLBA)

Family Education Rights and Privacy Act (FERPA)

Which compliance obligation includes security requirements that apply specifically to federal government agencies in the United States? Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) Family Educational Rights and Privacy Act (FERPA) Federal Information Security Management Act (FISMA)

Federal Information Security Management Act (FISMA)

Which control is not designed to combat malware? Firewalls Antivirus software Awareness and education efforts Quarantine computers

Firewalls

Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data? -Formatting -Degaussing -Physical destruction -Overwriting

Formatting

Security Permissions

Full, modify, list folder contents, read-execute, write, special, and deny

Which one of the following is NOT a market driver for the Internet of Things (IoT)? Global adoption of non-IP networking Smaller and faster computing Growth of cloud computing Advancements in data analytics

Global adoption of non-IP networking

Which element of the security policy framework offers suggestions rather than mandatory actions? Policy Standard Guideline Procedure

Guideline

Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers? -FFIEC -FISMA -HIPAA -PCI DSS

HIPAA

Bob recently accepted a position as the information security and compliance manager for a medical practice. Which regulation is likely to most directly apply to Bob's employer? -Federal Information Security Management Act (FISMA) -Health Insurance Portability and Accountability Act (HIPAA) -Children's Internet Protection Act (CIPA) -Gramm-Leach-Bliley Act (GLBA)

Health Insurance Portability and Accountability Act (HIPAA)

Which one of the following governs the use of Internet of Things (IoT) by healthcare providers, such as physicians and hospitals? Payment Card Industry Data Security Standard (PCI DSS) Federal Financial Institutions Examination Council (FFIEC) Federal Information Security Management Act (FISMA) Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA)

Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)? Virtual workplace Infrastructure monitoring Health monitoring Supply chain management

Health monitoring

With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network? Home agent (HA) Foreign agent (FA) Care of address (COA) Correspondent node (CN)

Home agent (HA)

What is a set of concepts and policies for managing IT infrastructure, development, and operations? -ISO 27002 -Control Objectives for Information and related Technology (COBIT) -IT Infrastructure Library (ITIL) -NIST Cybersecurity Framework (CSF)

IT Infrastructure Library (ITIL)

Which one of the following is NOT a good technique for performing authentication of an end user? Password Biometric Identification Number Token

Identification Number

Rachel is investigating an information security incident that took place at the high school where she works. She suspects that students may have broken into the student records system and altered their grades. If correct, which one of the tenets of information security did this attack violate? Confidentiality Integrity Availability Nonrepudiation

Integrity

Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet? Internet Society Internet Engineering Task Force Internet Association Internet Authority

Internet Engineering Task Force

Which Internet of Things (IoT) challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion? Security Privacy Interoperability Compliance

Interoperability

Which network device is capable of blocking network connections that are identified as potentially malicious? Intrusion Prevention System (IPS) Intrusion Detection System (IDS) Demilitarized Zone (DMZ) Web Server

Intrusion Prevention System (IPS)

Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit? -Is the level of security control suitable for the risk it addresses? -Is the security control in the right place and working well? -Is the security control effective in addressing the risk it was designed to address? -Is the security control likely to become obsolete in the near future?

Is the security control likely to become obsolete in the near future?

Which of the following would NOT be considered in the scope of organizational compliance efforts? -Laws -Company policy -Internal audit -Corporate culture

Laws

Which type of denial of service attack exploits the existence of software flaws to disrupt a service? SYN flood attack Smurf attack Logic attack Flooding attack

Logic attack

Which of the following is NOT a benefit of cloud computing to organizations? -On-demand provisioning -Improved disaster recovery -No need to maintain a data center -Lower dependence on outside vendors

Lower dependence on outside vendors

Which of the following is an example of a hardware security control? -NTFS permission -MAC filtering -ID badge -Security policy

MAC filtering

When should an organization's managers have an opportunity to respond to the findings in an audit? -Managers should write a report after receiving the final audit report. -Managers should include their responses to the draft audit report in the final audit report. -Managers should not have an opportunity to respond to audit findings. -Managers should write a letter to the Board following receipt of the audit report.

Managers should include their responses to the draft audit report in the final audit report.

Which one of the following measures the average amount of time that it takes to repair a system, application, or component? Uptime Mean time to failure (MTTF) Mean time to repair (MTTR) Recovery time objective (RTO)

Mean time to repair (MTTR)

Which agreement type is typically less formal than other agreements and expresses areas of common interest? -Service level agreement (SLA) -Blanket purchase agreement (BPA) -Memorandum of understanding (MOU) -Interconnection security agreement (ISA)

Memorandum of understanding (MOU)

Which one of the following is an example of a reactive disaster recovery control? -Moving to a warm site -Disk mirroring -Surge suppression -Antivirus software

Moving to a warm site

What is NOT a commonly used endpoint security technique? -Full device encryption -Network firewall -Remote wiping -Application control

Network Firewall

Which security testing activity uses tools that scan for services running on systems? -Reconnaissance -Penetration testing -Network mapping -Vulnerability testing

Network mapping

What level of technology infrastructure should you expect to find in a cold site alternative data center facility? -Hardware and data that mirror the primary site -Hardware that mirrors the primary site, but no data -Basic computer hardware -No technology infrastructure

No technology infrastructure

Beth must purchase firewalls for several network circuits used by her organization. Which one circuit will have the highest possible network throughput? OC-12 DS1 DS3 OC-3

OC-12

Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales? Replacement cost Opportunity cost Manpower cost Cost of goods sold

Opportunity cost

Which type of authentication includes smart cards? -Knowledge -Ownership -Location -Action

Ownership

Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario? -Checklist test -Full interruption test -Parallel test -Simulation test

Parallel test

Tony is working with a law enforcement agency to place a wiretap pursuant to a legitimate court order. The wiretap will monitor communications without making any modifications. What type of wiretap is Tony placing? Active wiretap Between-the-lines wiretap Piggyback-entry wiretap Passive wiretap

Passive wiretap

Which one of the following is an example of a logical access control? -Key for a lock -Password -Access card -Fence

Password

Which mitigation plan is most appropriate to limit the risk of unauthorized access to workstations? Password Protection Antivirus Software Deactivating USB Ports Vulnerability Scanning

Password Protection

A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals? -Health Insurance Portability and Accountability Act (HIPAA) -Payment Card Industry Data Security Standard (PCI DSS) -Federal Information Security Management Act (FISMA) -Federal Financial Institutions Examination Council (FFIEC)

Payment Card Industry Data Security Standard (PCI DSS)

Gwen's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Gwen should implement before accepting credit card transactions? Health Insurance Portability and Accountability Act (HIPAA) Family Educational Rights and Privacy Act (FERPA) Communications Assistance for Law Enforcement Act (CALEA) Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS)

Permission Levels - Job based, group-based

Permissions are based on a common set of permissions for all people in the same or similar job role

Mandatory Access Control (MAC)

Permission to access a system or any resource is determined by the sensitivity of the resource and the security level of the subject. It cannot be given to someone else, which makes it stronger than DAC.

Which regulatory standard would NOT require audits of companies in the United States? -Sarbanes-Oxley Act (SOX) -Personal Information Protection and Electronic Documents Act (PIPEDA) -Health Insurance Portability and Accountability Act (HIPAA) -Payment Card Industry Data Security Standard (PCI DSS)

Personal Information Protection and Electronic Documents Act (PIPEDA)

Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of? -Intimidation -Name dropping -Appeal for help -Phishing

Phishing

Which one of the following is NOT an advantage of biometric systems? -Biometrics require physical presence -Biometrics are hard to fake -Users do not need to remember anything -Physical characteristics may change.

Physical characteristics may change

Which element of the security policy framework requires approval from upper management and applies to the entire organization? Policy Standard Guideline Procedure

Policy

Chris is writing a document that provides step-by-step instructions for end users seeking to update the security software on their computers. Performing these updates is mandatory. Which type of document is Chris writing? Policy Standard Guideline Procedure

Procedure

Risk Management for Information Technology Systems

Products that provide detailed guidance of what you should consider in risk management and risk assessment in computer security. The reports include checklists, graphics, formulas, and references to U.S. regulatory issues

Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking? -Project initiation and planning -Functional requirements and definition -System design specification -Operations and maintenance

Project Initiation and planning

Which tool can capture the packets transmitted between systems over a network? Wardialer OS fingerprinter Port scanner Protocol analyzer

Protocol analyzer

Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use? -Promiscuous -Permissive -Prudent -Paranoid

Prudent

What is NOT a goal of information security awareness programs? -Teach users about security objectives -Inform users about trends and threats in security -Motivate users to comply with security policy -Punish users who violate policy

Punish users who violate policy

Which group is the most likely target of a social engineering attack? Receptionists and administrative assistants Information security response team Internal auditors Independent contractors

Receptionists and administrative assistants

Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining? -Recovery time objective (RTO) -Recovery point objective (RPO) -Business recovery requirements -Technical recovery requirements

Recovery time objective (RTO)

Which of the following does NOT offer authentication, authorization, and accounting (AAA) services? -Remote Authentication Dial-In User Service (RADIUS) -Terminal Access Controller Access Control System Plus (TACACS+) -Redundant Array of Independent Disks (RAID) -DIAMETER

Redundant Array of Independent Disks (RAID)

Which activity is an auditor least likely to conduct during the information-gathering phase of an audit? -Vulnerability testing -Report writing -Penetration testing -Configuration review

Report writing

What is the correct order of steps in the change control process? -Request, approval, impact assessment, build/test, monitor, implement -Request, impact assessment, approval, build/test, implement, monitor -Request, approval, impact assessment, build/test, implement, monitor -Request, impact assessment, approval, build/test, monitor, implement

Request, impact assessment, approval, build/test, implement, monitor

Which formula is typically used to describe the components of information security risks? -Risk = Likelihood X Vulnerability -Risk = Threat X Vulnerability -Risk = Threat X Likelihood -Risk = Vulnerability X Cost

Risk = Threat X Vulnerability

George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use? -Risk Management Guide for Information Technology Systems (NIST SP800-30) -CCTA Risk Analysis and Management Method (CRAMM) -Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) -ISO/IEC 27005, "Information Security Risk Management"

Risk Management Guide for Information Technology Systems (NIST SP800-30)

Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register? -Description of the risk -Expected impact -Risk survey results -Mitigation steps

Risk survey results

Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request? -SOC 1 -SOC 2 -SOC 3 -SOC 4

SOC 3

In what type of attack does the attacker send unauthorized commands directly to a database? -Cross-site scripting -SQL injection -Cross-site request forgery -Database dumping

SQL Injection

Which of the following is NOT one of the four fundamental principles outlined by the Internet Society that will drive the success of Internet of Things (IoT) innovation? -Connect -Secure -Share -Speak

Secure

Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network? -Transmission Control Protocol/Internet Protocol (TCP/IP) -Secure Sockets Layer (SSL) -Domain Name System (DNS) -Dynamic Host Configuration Protocol (DHCP)

Secure Sockets Layer (SSL)

What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications? -Security Assertion Markup Language (SAML) -Secure European System for Applications in a Multi-Vendor Environment (SESAME) -User Datagram Protocol (UDP) -Password Authentication Protocol (PAP)

Security Assertion Markup Language (SAML)

The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control. -Security kernel -CPU -Memory -Co-processor

Security Kernel

Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work? -Security information and event management (SIEM) -Intrusion prevention system (IPS) -Data loss prevention (DLP) -Virtual private network (VPN)

Security information and event management (SIEM)

From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)? -Security risks will increase. -Security risks will decrease. -Security risks will stay the same. -Security risks will be eliminated.

Security risks will increase.

Which scenario presents a unique challenge for developers of mobile applications? -Applying encryption to network communications -Selecting multiple items from a list -Obtaining Internet Protocol (IP) addresses -Using checkboxes

Selecting multiple items from a list

Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing? -Job rotation -Least privilege -Need-to-know -Separation of duties

Separation of Duties

Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place? -Spam -Phishing -Social engineering -Spim

Spim

Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following? -Least privilege -Security through obscurity -Need to know -Separation of duties

Separation of duties

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type? -Service level agreement (SLA) -Blanket purchase agreement (BPA) -Memorandum of understanding (MOU) -Interconnection security agreement (ISA)

Service level agreement (SLA)

In which type of attack does the attacker attempt to take over an existing connection between two systems? -Man-in-the-middle attack -URL hijacking -Session hijacking -Typosquatting

Session hijacking

Which intrusion detection system strategy relies upon pattern matching? -Behavior detection -Traffic-based detection -Statistical detection -Signature detection

Signature detection

As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct? -Checklist test -Parallel test -Simulation test -Structured walk-through

Simulation test

Which one of the following is an example of two-factor authentication? -Smart card and personal identification number (PIN) -Personal identification number (PIN) and password -Password and security questions -Token and smart card

Smart card and personal identification number (PIN)

Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using? -Platform as a Service (PaaS) -Software as a Service (SaaS) -Communications as a Service (CaaS) -Infrastructure as a Service (IaaS)

Software as a Service (SaaS)

Which element of the IT security policy framework provides detailed written definitions for hardware and software and how they are to be used? -Policy -Standard -Guideline -Procedure

Standard

Which one of the following principles is NOT a component of the Biba integrity model? -Subjects cannot read objects that have a lower level of integrity than the subject -Subjects cannot change objects that have a lower integrity level -Subjects at a given integrity level can call up only subjects at the same integrity level or lower -A subject may not ask for service from subjects that have a higher integrity level

Subjects cannot change objects that have a lower integrity level.

What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system? -Network IDS -System integrity monitoring -CCTV -Data loss prevention

System integrity monitoring

Which one of the following is an advantage that the Internet of Things (IoT) brings to economic development for countries? -Technical and industry development -Confidentiality of personal information -Network security devices -Broadband capacity

Technical and industry development

Security Kernel

The central part of a computing environment's hardware, software, and firmware that enforces access control for computer systems

Separation of Duties

The process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task.

Covert Channels

These are hidden ways of passing information against organizational policy. The two main types are timing channels (signaling from one system to another) and storage channels (storing data in an unprotected or inappropriate place).

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make this type of classification decision? -Value -Sensitivity -Criticality -Threat

Threat

Which term describes an action that can damage or compromise an asset? -Risk -Vulnerability -Countermeasure -Threat

Threat

Which term describes any action that could damage an asset? -Risk -Countermeasure -Vulnerability -Threat

Threat

Which classification level is the highest level used by the U.S. federal government? -Top Secret -Secret -Confidential -Private

Top Secret

What type of malicious software masquerades as legitimate software to entice the user to run it? -Virus -Worm -Trojan horse -Rootkit

Trojan horse

Delphi Method

Using anonymous surveys during multiple rounds to collect opinions and information

Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation? -Hot site -Warm site -Cold site -Primary site

Warm Site

In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete? -Spiral -Agile -Lean -Waterfall

Waterfall

Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri? -Cracker -White-hat hacker -Black-hat hacker -Grey-hat hacker

White-hat hacker

Which type of attack against a web application uses a newly discovered vulnerability that is not patchable? -SQL injection -Cross-site scripting -Cross-site request forgery -Zero-day attack

Zero-day attack

Permission Levels - Project-based

When a group of people are working on a project, they are often granted access only to the documents and data related to that project.

Multitenancy

Allows different groups of users to access a database without being able to access each other's data.
