yolo

¡Supera tus tareas y exámenes ahora con Quizwiz!

Cryptographic key distribution is typically done by phone.

True *False*

The term certificate authority (CA) refers to a trusted repository of all public keys.

True *False*

You must always use the same algorithm to encrypt information and decrypt the same information.

True *False*

In a known-plaintext attack (KPA), the cryptanalyst has access only to a segment of encrypted data, and has no choice as to what that data might be.

True *False* it's *Ciphertext-only attack (COA)*

Product cipher is an encryption algorithm that has no corresponding decryption algorithm.

True *False* it's *One-way algorithm*

A personnel safety plan should include an escape plan.

True.

A successful business impact analysis (BIA) maps the context, the critical business functions, and the processes on which they rely.

True.

Administrative controls develop and ensure compliance with policy and procedures.

True.

Any component that, if it fails, could interrupt business processing is called a single point of failure (SPoF).

True.

Examples of major disruptions include extreme weather, application failure, and criminal activity.

True.

Fencing and mantraps are examples of physical controls.

True.

Implementing and monitoring risk responses are part of the risk management process.

True.

In an incremental backup, you start with a full backup when network traffic is light. Then, each night, you back up only that day's changes.

True.

In remote journaling, a system writes a log of online transactions to an offsite location.

True.

The recovery point objective (RPO) can come from the business impact analysis or sometimes from a government mandate, such as banking laws.

True.

While running business operations at an alternate site, you must continue to make backups of data and systems.

True.

Which information security objective allows trusted entities to endorse information?

Validation <wrong Authorization Certification Witnessing

Authentication (Policy enforcement phase)

Validation or proof that the subject requesting access is indeed the same subject who has been granted that access.

What series of Special Publications does the National Institute of Standards and Technology (NIST) produce that covers information systems security activities?

800

true

A control limits or constrains behavior.

Threat

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions?

reduce

Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take?

Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?

Alice's private key

Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?

Alice's public key

Monitoring activity in the workplace includes which of the following?

All of these could be monitored.

Which organization created a standard version of the widely used C programming language in 1989?

American National Standards Institute (ANSI)

$20,000

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?

Access to high level of expertise

Mark is considering outsourcing security functions to a third-party provider. What benefit is he most likely to achieve?

Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records?

Masking

What term describes the longest period of time that a business can survive without a particular critical system?

Maximum tolerable downtime (MTD)

The four main types of logs that you need to keep to support security auditing include event, access, user, and security.

False

When Patricia receives a message from Gary she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia trying to achieve?

Nonrepudiation

FALSE

Often an extension of memorandum of understanding (MOU), the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets.

Val would like to isolate several systems belonging to the product development group from other systems on the network, without adding new hardware. What technology can she use?

Virtual LAN (VLAN)

TRUE

With proactive change management. management initiates the change to achieve a desired goal.

the security kernel enforces access control of computer systems

true

RADIUS

two config files: a client config file that contains the client address and the shared secret for transaction authentication;; a user config hat contains the user identification and authentication data as well as the connection and authorization info

false

A business impact analysis (BIA) details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations.

Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?

Alice's public key *Alice's private key* Bob's public key Bob's private key

Erin is a system administrator for a federal government agency. What law contains guidance on how she may operate a federal information system?

Federal Information Security Management Act (FISMA)

TRUE

The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege.

Organizations should seek a balance between the utility and cost of various risk management options.

True.

What standard is NOT secure and should never be used on modern wireless networks?

*Wired Equivalent Privacy (WEP)* Wi-Fi Protected Access (WPA) Wi-Fi Protected Access version 2 (WPA2) 802.11ac

Bob has a high-volume virtual private network (VPN). He would like to use a device that would best handle the required processing power. What type of device should he use

VPN concentrator

preventive

Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed?

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)?

$2,000,000

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?

$20,000

Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore?

2

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor?

20 percent

Henry is creating a firewall rule that will allow inbound mail to the organization. What TCP port must he allow through the firewall?

25

What is the maximum value for any octet in an IPv4 IP address?

255

FALSE

A hardware configuration chart should NOT include copies of software configurations.

Rule-based Access Control

A list of rules, maintained by the data owner, determines which users have access to objects.

true

A personnel safety plan should include an escape plan.

FALSE

A remediation liaison makes sure all personnel are aware of and comply with organization's policies.

false

A structured walk-through test is a review of a business continuity plan to ensure that contact numbers are current and that the plan reflects the company's priorities and structure.

true

A successful business impact analysis (BIA) maps the context, the critical business functions, and the processes on which they rely.

disaster

A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime.

Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?

Acceptability

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to archive?

Access to a high level of expertise

Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?

Accountability

Which answer best describes the accountability component of access control?

Accountability is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited.

vulnerability

Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?

incident

Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity?

true

Administrative controls develop and ensure compliance with policy and procedures.

What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?

An organization should share its information. (An organization should collect only what it needs, keep its information up to date, and properly destroy its information when its no longer needed)

Baseline

Ann is creating a template for the configuration of Windows servers in her organization, it includes the basic security setting that should apply to all systems. What type of document should she create?

true

Any component that, if it fails, could interrupt business processing is called a single point of failure (SPoF).

Norm recently joined a new organization. He noticed that the firewall technology used by his new firm opens separate connections between the devices on both sides of the firewall. What type of technology is being used?

Application Proxying

ary is designing a software component that will function at the Presentation Layer of the Open Systems Interconnection (OSI) model. What other two layers of the model will her component need to interact with?

Application, session

Taylor is a security professional working for a retail organization. She is hiring a firm to conduct the Payment Card Industry Data Security Standard (PCI DSS) required quarterly vulnerability scans. What credential should she seek in a vendor?

Approved scanning vendor (ASV)

Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?

Audit

Which answer best describes the authentication component of access control?

Authentication is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access.

During which phase of the access control process does the system answer the question,"What can the requestor access?"

Authorization

Which answer best describes the authorization component of access control?

Authorization is the process of determining who is approved for access and what resources they are approved for.

DIAMETER

BASED in RADIUS but is not restricted to highly fluid or mobile workforce.

Formatting

Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?

Alice would like to send a message to Bob securely and wishes to encrypt the contents of the message. What key does she use to encrypt this message?

Bob's Public Key

mantraps

Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need?

Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?

Brute-force attack

Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)?

Business associate of a covered entity

The Security Kernel

Central part of a computing environment's hardware, software, and firmware that enforces access control for computers systems.

Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time?

Certificate revocation list (CRL) < wrong International Data Encryption Algorithm (IDEA) < wrong Transport Layer Security (TLS) Online Certificate Status Protocol (OCSP)

Which information security objective allows trusted entities to endorse information?

Certification

FALSE

Change doesn't create a risk for a business.

Degausser

Creates a magnetic field that erases data from magnetic storage media. Once data go through a degausser, the data cannot be recovered.

Maya is creating a computing infrastructure compliant with the Payment Card Industry Data Security Standard (PCI DSS). What type of information is she most likely trying to protect?

Credit card information

Larry recently viewed an auction listing on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Larry likely encountered?

Cross-site scripting (XSS)

Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?

Crossover error rate (CER)

What program, released in 2013, is an example of ransomware?

Crypt0L0cker

Which element is NOT a core component of the ISO 27002 standard?

Cryptography

Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank X?

Customer

Betty receives a ciphertext message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?

Decryption

When the owner of the resource determines the access and changes permissions as needed, it's known as...

Discretionary access control (DAC)

Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?

Does the firewall properly block unsolicited network connection attempts?

What protocol is responsible for assigning IP addresses to hosts on most networks?

Dynamic Host Configuration Protocol (DHCP)

What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature?

Elliptic curve Decryption Encryption *Hash*

Tonya is working with a team of subject matter experts to diagnose a problem with her system. The experts determine that the problem likely resides at the Presentation Layer of the Open Systems Interconnection (OSI) model. Which technology is the most likely suspect?

Encryption

Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?

Encryption Hashing *Decryption* Validation

Which practice is NOT considered unethical under RFC-1087 issued by the Internet Architecture Board (IAB)?

Enforcing the integrity of computer-based information (Seeking to gain unauthorized access to resources,Disrupting intended use of the Internet, Compromising the privacy of users)

A remediation liaison makes sure all personnel are aware of and comply with an organization's policies.

False

A report indicating that a system's disk is 80 percent full is a good indication that something is wrong with that system.

False

Access controls cannot be implemented in various forms, restriction levels, or different levels within the computing environment.

False

An SOC 1 report primarily focuses on security.

False

Committee of Sponsoring Organizations (COSO) is a set of best practices for IT management.

False

During the secure phase of a security review, you review and measure all controls to capture actions and changes on the system.

False

Mandatory vacations minimize risk by rotating employees among various systems or duties.

False

Often an extension of a memorandum of understanding (MOU), the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets.

False

Procedures do NOT reduce mistakes in a crisis

False

Regarding log monitoring, false negatives are alerts that seem malicious but are not real security events.

False

A business impact analysis (BIA) details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations.

False. Business impact analysis (BIA) - A prerequisite analysis for a business continuity plan that prioritizes business operations and functions and their associated IT systems, applications, and data and the impact of an outage or downtime.

Deterrent controls identify that a threat has landed in your system.

False. Deterrent control - A control that warns the user that completing a requested action could result in a violation or threat.

Bell-La Padula Model

Focus on the confidentiality of data and the control of access to classified information. The parts of a system is described as its state. the model defines a security state. The model guarantees that each state transition preserves security by moving from secure state to secure state.

Clark and Wilson Integrity Model

Focuses on what happens when users allowed into a system try to do things they are not permitted to do. It also looks at whether the software does what it is designed to do.

corrective

Forensics and incident response are examples of __________ controls.

What type of funciton generates the unique value that corresponds to the contents of a message and is issued to create a digital signature?

Hash

Vincent recently went to work for a hospital system. He is reading about various regulations that apply to his new industry. What law applies specifically to health records?

Health Insurance Portability and Accountability Act (HIPAA)

What type of system is intentionally exposed to attackers in an attempt to lure them out?

Honeypot

Which recovery site option provides readiness in minutes to hours?

Hot site

Juan comes across documentation from his organization related to several information security initiatives using different standards as their reference. Which International Organization for Standardization (ISO) standard provides current guidance on information security management?

ISO 27002

Which answer best describes the identification component of access control?

Identification is the method a subject uses to request access to a system.

true

Implementing and monitoring risk responses are part of the risk management process.

Authorizing official (AO)

In an accreditation process, who has the authority to approve a system for implementation?

true

In an incremental backup, you start with a full backup when network traffic is light. Then, each night, you back up only that day's changes.

true

In remote journaling, a system writes a log of online transactions to an offsite location.

Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity?

Incident

Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary trying to achieve?

Integrity

Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve?

Integrity

Bill is conducting an analysis of a new IT service. He would like to assess it using the Open Systems Interconnection (OSI) model and would like to learn more about this framework. What organization should he turn to for the official definition of OSI?

International Organization for Standardization (ISO)

Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?

Is the security control likely to become obsolete in the near future?

Biba Integrity Model

It fixed a weakness in the Bell-La Padula model, which addresses only the confidentiality of data.

false

Jake has been asked to help test the business continuity plan at an offsite location while the system at the main location is shut down. He is participating in a parallel test.

Authorization

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?

Supervisory Control and Data Acquisition (SCADA)

Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer?

Challenges to access control include...

Laptop loss, exploiting hardware, eavesdropping and exploiting applications

Which of the following would NOT be considered in the scope of organizational compliance efforts?

Laws (Company policy, Internal audit, Corporate culture)

When it comes to privacy, organizations are concerned about which of the following?

Liability in harassment suits, skyrocketing losess from employee theft, productivity losses from employees shopping or performing other nonwork-related tasks online.

When you log on to a network, you are presented with some combination of username, password, token, smart card, or biometrics. You are then authorized or denied access by the system. This is an example if

Logical access controls

true

Organizations should seek a balance between the utility and cost of various risk management options.

Which type of authentication includes smart cards?

Ownership

What is NOT an effective key distribution method for plaintext encryption keys?

Paper *Unencrypted email* CD Smart card

Which one of the following is an example of a logical (as opposed to physical) access control?

Password

Mandatory Access Control (MAC)

Permission to access a system or any resource is determined by sensitivity of the resource and the security level of the subject. It cannot be given to someone else.

Which regulatory standard would NOT require audits of companies in the United States?

Personal Information Protection and Electronic Documents Act (PIPEDA)

Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?

Phishing

Which one of the following is NOT an advantage of biometric systems?

Physical characteristics may change.

TRUE

Policies that cover data management should cover transitions throughout the data life cycle

Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered?

Polymorphic virus

Hilda is troubleshooting a problem with the encryption of data. At which layer of the OSI Reference Model is she working?

Presentation

Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed?

Preventive

Accountability (Policy enforcement phase)

Process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited.

Role engeneering

Process of defining roles, approvals, role hierarchies, and constraints.

Authorization (Policy definition phase)

Process of determining who is approved for access and what resources they are approved for.

Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis?

Qualitative

Which approach to cryptography provides the strongest theoretical protection?

Quantum cryptography

Which approach to cryptography provides the strongest theoretical protection?

Quantum cryptography Asymmetric cryptography < wrong Elliptic curve cryptography Classic cryptography

Which data source comes first in the order of volatility when conducting a forensic investigation?

RAM

Role-Based Access Control (RBAC)

RBAC is a policy based on approvals on the jobs the user is assigned.

Charles has obtained a user/password database and will attempt to crack the passwords. The passwords are hashed (encrypted). Charles has a huge list of precomputed hashes to compare to the encrypted passwords to see if he gets any matches. This password cracking technique utilizes:

Rainbow Tables

What type of malicious software allows an attacker to remotely control a compromised computer?

Remote Access Tool (RAT)

Which activity is an auditor least likely to conduct during the information-gathering phase of an audit?

Report writing

What type of publication is the primary working product of the Internet Engineering Task Force (IETF)?

Request for comment (RFC)

What term describes the risk that exists after an organization has performed all planned countermeasures and controls?

Residual risk

Which of the following is NOT one of the rights afforded to students (or the parents of a minor student) under the Family Educational Rights and Privacy Act (FERPA)?

Right to delete unwanted information from records

false

Risk refers to the amount of harm a threat exploiting a vulnerability can cause.

Alice and Bob would like to communicate with each other using a session key but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key?

Rivest, Shamir, Adelman (RSA) Message digest algorithm (MD5) Blowfish *Diffie-Hellman*

Phishing

Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?

Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?

Role-based access control (RBAC)**** Rule-based access control****

Taylor is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use?

SAQ C

Bob is developing a web application that depends upon a database backend. What type of attack could a malicious individual use to send commands through his web application to the database?

SQL Injection

What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?

Secure European System for Applications in a Multi-Vendor Environment (SESAME)****

Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?

Secure Sockets Layer (SSL)

Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, what type of safeguards must be implemented by all covered entities, regardless of the circumstances?

Security

What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?

Security Assertion Markup Language (SAML)

Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?

Security information and event management (SIEM)

Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?

Separation of duties

Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?

Separation of duties

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for a timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?

Service level agreement (SLA)

Gwen is investigating an attack. An intruder managed to take over the identity of a user who was legitimately logged in to Gwen's company's website by manipulating Hypertext Transfer Protocol (HTTP) headers. Which type of attack likely took place?

Session Hacking

What type of network device normally connects directly to endpoints and uses MAC-based filtering to limit traffic flows?

Switch

Which set of characteristics describes the Caesar cipher accurately?

Symmetric, stream, substitution

What is NOT generally a section in an audit report?

System configurations

Which type of virus targets computer hardware and software startup functions?

System infector

What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?

System integrity monitoring

Which of the following is an example of a formal model of access control?

The Clark and Wilson integrity model

false

The first step in the risk management process is to monitor and control deployed countermeasures.

Identification (Policy enforcement phase)

The method a subject uses to request access to a system.

threshold

The number of failed logons attempts that trigger an account action

Discretionary Access Control (DAC)

The owner of the resource decides who gets in and changes permissions as needed. The owner can give that job to others.

true

The recovery point objective (RPO) can come from the business impact analysis or sometimes from a government mandate, such as banking laws.

Nondiscretionary Access Control

They are closely monitored by the security administrator, not the system administrator.

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these types of classification decisions?

Threat (Value, sensitivity, criticality are)

Bobbi recently discovered that an email program used within her health care practice was sending sensitive medical information to patients without using encryption. She immediately corrected the problem because it violated the company's security policy and standard rules. What level of the Health Insurance Portability and Accountability Act (HIPAA) violation likely

Tier A

Which of the following items would generally NOT be considered personally identifiable information (PII)?

Trade Secret

Which type of cipher works by rearranging the characters in a message?

Transposition

Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter?

Trojan Horse

1. Access controls are policies or procedures used to control access to certain items

True

A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing

True

An auditing benchmark is the standard by which a system is compared to determine whether it is securely configured.

True

Company-related classifications are not standard, therefore there may be some differences between the terms "private" and "confidential" in different companies

True

Data loss prevention (DLP) uses business rules to classify sensitive information to prevent unauthorized end users from sharing it.

True

During an audit, an auditor compares the current setting of a computer or device with a benchmark to help identify differences.

True

In security testing, reconnaissance involves reviewing a system to learn as much as possible about the organization, its systems, and its networks.

True

Many jurisdictions require audits by law.

True

One advantage of using a security management firm for security monitoring is that it has a high level of expertise.

True

Performing security testing includes vulnerability testing and penetration testing.

True

Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than justin individual packets.

True

SOC 2 reports are created for internal and other authorized stakeholders and are commonly implemented for service providers, hosted data centers, and managed cloud computing providers.

True

Social engineering is deceiving or using people to get around security controls.

True

Standards are used when an organization has selected a solution to fulfill a policy goal.

True

The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege

True

A private key cipher is also called an asymmetric key cipher.

True *False*

A control limits or constrains behavior.

True.

What is NOT an effective key distribution method for plaintext encryption keys?

Unencrypted Email

What is NOT a typical sign of virus activity on a system?

Unexpected power failure

Which one of the following is NOT a commonly accepted best practice for password security?

Use no more than eight characters.

Constrained User Interface

User's ability to get into certain system resources is restrained by two things: The user's rights and permissions are restricted, and constraints are put on the device or program providing the interface

Cloud Computing

Using computing services that are delivered over a network.

What is the only unbreakable cipher when it is used properly?

Vernam

Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?

Vulnerability

Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime?

Warm site

Punish users who violate policy

What is NOT a goal of information security awareness programs?

Don't spend more to protect an asset than it is worth.

What is a key principle of risk management programs?

Request, impact assessment, approval, build/test, implement, monitor

What is correct order of steps in the charge control process?

Maximum tolerable downtime (MTD)

What term describes the longest period of time that a business can survive without a particular critical system?

residual risk

What term describes the risk that exists after an organization has performed all planned countermeasures and controls?

Memorandum of understanding (MOU)

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

warm site

Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime?

RAM

Which data source comes first in the order of volatility when conducting a forensic investigation?

Laws

Which of the following would NOT be considered in the scope of organizational compliance efforts?

Enforcing the integrity of computer-based information

Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?

hot site

Which recovery site option provides readiness in minutes to hours?

true

While running business operations at an alternate site, you must continue to make backups of data and systems.

Val would like to limit the websites that her users visit to those on an approved list of pre-cleared sites. What type of approach is Val advocating?

Whitelisting

What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations?

Whois

Gary is configuring a smartphone and is selecting a wireless connectivity method. Which approach will provide him with the highest speed wireless connectivity?

Wi-Fi

What type of network connects systems over the largest geographic area?

Wide Area Network (WAN)

What standard is NOT secure and should never be used on modern wireless networks?

Wired Equivalent Privacy (WEP)

What wireless security technology contains significant flaws and should never be used?

Wired Equivalent Privacy (WEP)

What is NOT a service commonly offered by unified threat management (UTM) devices?

Wireless network access

false

With adequate security controls and defenses, an organization can oftenreduce its risk to zero.

Physical access, security bypass, and eavesdropping are examples of how access controls can be...

compromised

Forensics and incident response are examples of __________ controls.

corrective

A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime.

disaster

Overwriting

method used to destroy data without destroying the media itself. It consists of repeatedly writing random characters over data.

Which of the following is an example of a hardware security control?

password*** security policy***

The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.

security kernel

Purchasing an insurance policy is an example of the ____________ risk management strategy.

transfer

Physical access control deter physical access to resources, such as buildings or gated parking lots.

true

The process of identifying, quantifying, and prioritizing the vulnerabilities in a system is known as a

vulnerability assessment

What is NOT a valid encryption key length for use with the Blowfish algorithm?

512 Bits

What mathematical problem forms the basis of most modern cryptographic algorithms?

Factoring Large Primes

Which Institute of Electrical and Electronics Engineers (IEEE) standard covers wireless LANs?

802.11

false

Deterrent controls identify that a threat has landed in your system.

What is NOT a common motivation for attackers?

Fear

Henry's last firewall rule must allow inbound access to a Windows Terminal Server. What port must he allow?

3389

What is NOT a symmetric encryption algorithm?

Rivest-Shamir-Adelman (RSA)

Henry would like to create a different firewall rule that allows encrypted web traffic to reach a web server. What port is used for that communication?

443

Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?

*Alice's public key* Alice's private key Bob's public key Bob's private key

Which cryptographic attack offers cryptanalysts the most information about how an encryption algorithm works?

*Chosen plaintext* Ciphertext only Known plaintext Chosen ciphertext

What is NOT a symmetric encryption algorithm?

*Rivest-Shamir-Adelman (RSA)* Data Encryption Standard (DES) International Data Encryption Algorithm (IDEA) Carlisle Adams Stafford Tavares (CAST

A keyword mixed alphabet cipher uses a cipher alphabet that consists of a keyword, minus duplicates, followed by the remaining letters of the alphabet.

*True* False

A salt value is a set of random characters you can combine with an actual input key to create the encryption key.

*True* False

A substitution cipher replaces bits, characters, or blocks of information with other bits, characters, or blocks.

*True* False

What file type is least likely to be impacted by a file infector virus?

.docx

What ISO security standard can help guide the creation of an organization's security policy?

27002

What is NOT a valid encryption key length for use with the Blowfish algorithm?

32 bits 64 bits 256 bits *512 bits*

What is NOT a good practice for developing strong professional ethics?

Assume that information should be free (Set the example by demonstrating ethics in daily activities, Encourage adopting ethical guidelines and standards, Inform users through security awareness training)

Which set of characteristics describes the Caesar cipher accurately?

Asymmetric, block, substitution < wrong Asymmetric, stream, transposition Symmetric, stream, substitution Symmetric, block, transposition

Howard is leading a project to commission a new information system that will be used by a federal government agency. He is working with senior officials to document and accept the risk of operation prior to allowing use. What step of the risk management framework is Howard completing?

Authorize the IT system for processing

Brewer and Nash Integrity Model

Based on a mathematical theory published in 1989 to ensure fair competition. It is used to apply dynamically changing access permissions.

Qualitative

Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis?

Karen would like to use a wireless authentication technology similar to that found in hotels where users are redirected to a webpage when they connect to the network. What technology should she deploy?

Captive portal

Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?

Checklist

Federal agencies are required to name a senior official in charge of information security. What title is normally given to these individuals?

Chief information security officer (CISO)

Betty visits a local library with her young children. She notices that someone using a computer terminal in the library is visiting pornographic websites. What law requires that the library filter offensive web content for minors?

Children's Internet Protection Act (CIPA)

Which cryptographic attack offers cryptanalysts the most information about how an encryption algorithm works?

Chosen Plaintext

TRUE

Classification scope determines what data you should classify; classification process determines how you handle classified data.

Alison discovers that a system under her control has been infected with malware, which is using a keylogger to report user keystrokes to a third party. What information security property is this malware attacking?

Confidentiality

When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?

Confidentiality Integrity Authentication < wrong Nonrepudiation

What is NOT one of the four main purposes of an attack?

Data Import

What information should an auditor share with the client during an exit interview?

Details on major issues

Alice and Bob would like to communicate with each other using a session key but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key?

Diffie-Hellman

What a key principle of risk management programs?

Don't spend more to protect an asset than it is worth.

Which organization creates information security standards that specifically apply within the European Union?

European Telecommunications Standards Institute (ETSI) Cyber Security Technical Committee (TC CYBER)

true

Examples of major disruptions include extreme weather, application failure, and criminal activity.

What mathematical problem forms the basis of most modern cryptographic algorithms?

Factoring large primes Traveling salesman problem Quantum mechanics < wrong Birthday problem

A structured walk-through test is a review of a business continuity plan to ensure that contact numbers are current and that the plan reflects the company's priorities and structure.

False. A structured walk-through test is a tabletop exercise. During this test, a team of representatives from each department should do the following: • Present their portion of the plan to the other teams. • Review the goals of the plan for completeness and correctness. • Affirm the scope of the plan as well as any assumptions made. • Look for overlaps and gaps. • Review the structure of the organization as well as the reporting/communications structure. • Evaluate the testing, maintenance, and training requirements. • Conduct a number of scenario-based exercises to evaluate the plan's effectiveness. • Meet to step through the plan together in a structured manner.

The first step in the risk management process is to monitor and control deployed countermeasures.

False. Identify risks — The first step to managing risk is identifying risks.

Jake has been asked to help test the business continuity plan at an offsite location while the system at the main location is shut down. He is participating in a parallel test.

False. Parallel Test - The same as a full-interruption test, except that processing does not stop at the primary site.

Risk refers to the amount of harm a threat exploiting a vulnerability can cause.

False. Risk - The likelihood that something, generally something bad, will happen to an asset.

With adequate security controls and defenses, an organization can often reduce its risk to zero.

False. You can never reduce risk to zero.

What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)?

Family Policy Compliance Office (FPCO)

Which of the following agencies is NOT involved in the Gramm-Leach-Bliley Act (GLBA) oversight process?

Federal Communications Commission (FCC)

20%

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor?

$2,000,000

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)?

When should an organization's managers have an opportunity to respond to the findings in an audit?

Managers should include their responses to the draft audit report in the final audit report.

Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need?

Mantraps

Project initiation and planning

Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking?

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Memorandum of understanding (MOU)

Which document is the initial stage of a standard under the Internet Engineering Task Force (IETF) process?

Proposed Standard (PS)

Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?

Prudent

What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act?

Publicly traded companies

transfer

Purchasing an insurance policy is an example of the ____________ risk management strategy.

Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take?

Reduce

What is the only unbreakable cipher when it is used properly?

Rivest-Shamir-Adelman (RSA) *Vernam* Elliptic Curve Diffie-Hellman in Ephemeral mode (ECDHE) Blowfish

Which intrusion detection system strategy relies upon pattern matching?

Signature detection

Allie is working on the development of a web browser and wants to make sure that the browser correctly implements the Hypertext Markup Language (HTML) standard. What organization's documentation should she turn to for the authoritative source of information?

World Wide Web Consortium (W3C)

TRUE

Written security policies document management's goals and objectives

Digital signatures require asymmetric key cryptography.

*True* False

In a chosen-ciphertext attack, cryptanalysts submit data coded with the same cipher and key they are trying to break to the decryption device to see either the plaintext output or the effect the decrypted message has on some system.

*True* False

Integrity-checking tools use cryptographic methods to make sure nothing and no one has modified the software.

*True* False

The Diffie-Hellman (DHE) algorithm is the basis for several common key exchange protocols, including Diffie-Hellman in Ephemeral mode (DHE) and Elliptic Curve DHE (ECDHE).

*True* False

The financial industry created the ANSI X9.17 standard to define key management procedures.

*True* False

Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve?

Confidentiality *Integrity* Authentication Nonrepudiation

Waterfall

In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?

Which organization promotes technology issues as an agency of the United Nations?

International Telecommunication Union (ITU)

2

Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore?

What federal agency is charged with the mission of promoting "U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life?"

National Institute of Standards and Technology (NIST)

What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries?

National Institute of Standards and Technology (NIST)

Which term accurately describes Layer 3 of the Open Systems Interconnection (OSI) model?

Network

Brian would like to conduct a port scan against his systems to determine how they look from an attacker's viewpoint. What tool can he use for this purpose?

Nmap

TRUE

One advantage of using a security management firm for security monitoring is that it has a high level of expertise.

Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?

Redundant Array of Independent Disks (RAID)

Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer?

Supervisory Control and Data Acquisition (SCADA)

Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring?

False positive error

true

Fencing and mantraps are examples of physical controls.

David would like to connect a fibre channel storage device to systems over a standard data network. What protocol can he use?

Fibre Channel over Ethernet (FCoE)

What type of firewall security feature limits the volume of traffic from individual hosts?

Flood Guard

Which unit of measure represents frequency and is expressed as the number of cycles per second?

Hertz

Terry is troubleshooting a network that is experiencing high traffic congestion issues. Which device, if present on the network, should be replaced to alleviate these issues?

Hub

Gary is troubleshooting a security issue on an Ethernet network and would like to look at the Ethernet standard. What publication should he seek out?

IEEE 802.3

Yolanda would like to prevent attackers from using her network as a relay point for a smurf attack. What protocol should she block?

Internet Control Message Protocol (ICMP)

Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time?

Online Certificate Status Protocol (OCSP)

SAML

Open standard used for exchanging both authentication and authorization data.

TACACS+

Single config file to: Control server operations, define users and attribute/value pairs and control authentication and authorization procedures.

Which one of the following is an example of two-factor authentication?

Smart card and personal identification number (PIN)

Barbara is investigating an attack against her network. She notices that the Internet Control Message Protocol (ICMP) echo replies coming into her network far exceed the ICMP echo requests leaving her network. What type of attack is likely taking place?

Smurf

TRUE

Social engineering is deceiving or using people to get around security controls.

Which technology category would NOT likely be the subject of a standard published by the International Electrotechnical Commission (IEC)?

Solar energy

The CEO of Kelly's company recently fell victim to an attack. The attackers sent the CEO an email informing him that his company was being sued and he needed to view a subpoena at a court website. When visiting the website, malicious code was downloaded onto the CEO's computer. What type of attack took place?

Spear Phishing

What is NOT an area where the Internet Architecture Board (IAB) provides oversight on behalf of the Internet Engineering Task Force (IETF)?

Subject matter on expertise routing and switching

Which one of the following principles is NOT a component of the Biba integrity model?

Subjects cannot change objects that have a lower integrity level.


Conjuntos de estudio relacionados

Respiratory & Cardiac PrepU Health Assessment

View Set

DFTG2319 - Intermediate AutocAD Study 01

View Set

A&C I Practice Neuro musculoskeletal

View Set

missed questions on ap test - Mackenzie Green

View Set

BOARD PRACTICE QUESTIONS - PROFESSIONAL ROLE

View Set