3200 Final
Which TCP port does IMAP use by default?
143
Which TCP port does SMTP use by default?
25
If you have a farm of five web servers and two of them break, what is the exposure factor (EF)?
40 percent
In a UNIX operating system, which runlevel reboots the machine?
6
Which statement applies to a low-impact exposure incident?
A low-impact exposure incident only involves repairing the broken system.
What does the term spiral method refer to?
A software engineering process category
What does a host-based IDS monitor?
Activity on an individual system
Which product filters out junk e-mail?
Antispam
What is the first step in the general risk management model?
Asset identification
What term refers to the process of assessing the state of an organization's security compared against an established standard?
Auditing
Which term is a means of signing an ActiveX control so that a user can judge trust based on the control's creator?
Authenticode
What term refers to the process of establishing a system's operational state?
Baselining
Which term refers to the process by which application programs manipulate strings to a base form, creating a foundational representation of the input?
Canonicalization
Which management tool is used for identifying relationships between a risk and the factors that can cause it?
Cause and effect analysis
Which term refers to ensuring proper procedures are followed when modifying the IT infrastructure?
Change management
Which protocol is designed to operate both ways, sending and receiving, and can enable remote file operations over a TCP IP connection?
FTP
What application is associated with TCP Ports 989 and 990?
FTPS
A birthday attack is a type of logic bomb virus that releases its payload on some famous person's birthday, such as Michelangelo.
False
A control classified as preventative has to be known by a person in order to be effective.
False
A worm is malicious code that has to attach itself to something else to survive.
False
Evidence offered by the witness that is not based on the personal knowledge of the witness—but is being offered to prove the truth of the matter asserted—falls under the exclusionary rule.
False
FTP encrypts traffic by default.
False
For an intangible impact, assigning a financial value of the impact is easy.
False
Hostile activity that does not match an IDS signature and goes undetected is called a false positive.
False
Incident response is strictly an information security operation.
False
JavaScript is part of the Java environment.
False
Large organizations typically have the resources to protect everything against all threats.
False
Least privilege refers to removing all controls from a system.
False
Which term refers to the ability to distribute the processing load over two or more systems?
Load balancing
Which type of testing involves running the system under a controlled speed environment?
Load testing
Which protocol allows the exchange of different kinds of data across text-based e-mail systems?
MIME
Which action is an example of transferring risk?
Management purchases insurance for the occurrence of the risk.
When using Secure FTP (SFTP) for confidential transfer, what protocol is combined with FTP to accomplish this task?
Secure Shell (SSH)
__________ systems are a combination of hardware and software designed to classify and analyze security data from numerous sources.
Security information and event management (SIEM)
Which type of systems is one that fairly closely mimics the production environment, with the same versions of software, down to patch levels, and the same sets of permissions, file structures, and so on?
Test
In which phase of the secure development lifecycle model would you employ use cases?
Testing phase
The interruption of power is a common issue during a disaster.
True
Which alternative site is designed to be operational within a few days?
Warm site
Law that is based on previous events or precedents is known as __________.
common law
The process of attempting to break a cryptographic system is called __________.
cryptanalysis
SYN flooding is an example of a __________.
denial-of-service attack
A honeypot is sometimes called a(n) __________.
digital sandbox
Few instant messaging programs currently support __________.
encryption
The Wassenaar Arrangement can be described as a(n) __________.
international arrangement on export controls for conventional arms and dual-use goods and technologies
All accesses and privileges to systems, software, or data should be granted based on the principle of __________.
least privilege
The term __________ describes a series of digits near the beginning of the file that provides information about the file format.
magic number
A __________ is a software or hardware device that is used to observe traffic as it passes through a network on shared broadcast media.
network sniffer
The security kernel is also known as a __________.
reference monitor
An attack that takes advantage of bugs or weaknesses in the software is referred to as __________.
software exploitation
A law that is passed by a legislative branch of government is known as a(n) __________.
statutory law
The term __________ refers the unauthorized scanning for and connecting to wireless access points, frequently done while driving near a facility.
war-driving
Which law makes it a crime to knowingly access a computer that is either considered a government computer or used in interstate commerce, or to use a computer in a crime that is interstate in nature?
Computer Fraud and Abuse Act
Which change management phase ensures that only approved changes to a baseline are allowed to be implemented?
Configuration control
Which attack is a code injection attack in which an attacker sends code in response to an input request?
Cross-site scripting attack
Which indicator of compromise (IOC) standard is a method of information sharing developed by MITRE?
Cyber Observable eXpression (CybOX
What are the two components comprising information criticality?
Data classification and the quantity of data involved
Which backup requires a small amount of space and is considered to have a complex restoration process?
Delta
Which phase of the secure development lifecycle model is concerned with minimizing the attack surface area?
Design phase
Which cryptographic protocols can be used by SSL/TLS?
Diffie-Hellman and RSA
Oral testimony that proves a specific fact with no inferences or presumptions is which type of evidence?
Direct evidence
Which plan defines the data and resources necessary and the steps required to restore critical organizational processes?
Disaster recovery plan (DRP)
Business records, printouts, and manuals are which type of evidence?
Documentary evidence
__________ is a branch of digital forensics dealing with identifying, managing, and preserving digital information that is subject to legal hold.
E-discovery
Which event is an example of a tangible impact?
Endangerment of staff or customers
In an "old school" attack, which step is a listing of the systems and vulnerabilities to build an attack game plan.
Enumeration
Which of the following rules applies to evidence obtained in violation of the Fourth Amendment of the Constitution?
Exclusionary rule
A principal reference for rules governing the export of encryption can be found in the __________.
Export Administration Regulations
All data is equally important, and it is equally damaging in the event of loss.
False
All risks need to be mitigated or controlled.
False
Backups can prevent a security event from occurring.
False
Buffer overflow is one of the most common web attack methodologies.
False
Certificates vouch for code security.
False
Change management should only be used in the quality assurance (QA) phase of a system's life.
False
Changing a file's extension will alter the contents of a file.
False
Check fraud is an example of computer-based fraud that deals with Internet advertising.
False
Compilers create runtime code that can be executed via an interpreter engine, like a Java virtual machine (JVM), on a computer system.
False
Computer trespass is only treated as a crime in the United States.
False
Defense against attack begins by eliminating threats.
False
Detecting that a security event is occurring or has occurred is an easy matter.
False
Most large enterprises rely on a paper-based system problem report (SPR) process.
False
Network-based IDS (NIDS) examines activity on a system, such as a mail server or web server.
False
Oral testimony that proves a specific fact is considered real evidence.
False
Performing cloud-based data loss prevention (DLP) is as simple as moving the enterprise edge methodology to the cloud.
False
Relevant evidence must be convincing or measure up without question.
False
Sender Policy Framework (SPF) validates the receiving address of the e-mail.
False
Service pack is the term given to a small software update designed to address a specific problem, such as a buffer overflow in an application that exposes the system to attacks.
False
Since developers create and enhance programs, they should be able to install these programs on the production system.
False
TLS is dead and SSL is the path forward
False
The archive bit is cleared in a differential backup.
False
The generation of a real random number is a trivial task.
False
The spiral model is an iterative model designed to enable the construction of increasingly complex versions of a project.
False
When analyzing computer storage components, the original system should be analyzed.
False
When performing forensics on a computer system you should use the utilities provided by that system.
False
With the availability of DNS blacklisting, pattern matching is no longer utilized for filtering spam.
False
Which backup technique requires a large amount of space and is considered to have a simple restoration process?
Full
Which form of configuration auditing verifies that the configuration item performs as defined by the documentation of the system requirements?
Functional configuration audit
Which protocol is used for the transfer of hyperlinked data over the Internet, from web servers to browsers?
HTTP
Which plug-in helps a browser maintain an HTTPS connection and gives a warning when it is not present?
HTTPS Everywhere
Which of the following has the least volatile data?
Hard disk
Substitutions in the event that the primary person is not available to fulfill their assigned duties?
Succession planning
Evidence that is convincing or measures up without question is known as __________.
Sufficient
__________ technologies involve the miniaturization of the various circuits needed for a working computer system.
System on a Chip (SoC)
Which report documents changes or corrections to a system?
System problem report
Which port is used by SSMTP?
TCP port 465
Which port does HTTP traffic travel over by default?
TCP port 80
The process of taking control of an already existing session between a client and a server is known as __________.
TCP/IP hijacking
What is the Convention on Cybercrime?
The first international treaty on crimes committed via the Internet and other computer networks
The PATRIOT Act permits the Justice Department to proceed with its rollout of the Carnival program, an eavesdropping program for the Internet.
True
The impact of an event is a measure of the actual loss when a threat exploits a vulnerability.
True
The space that is left over in a cluster is called slack space.
True
There is no recovery from data that has been changed.
True
Traffic that is encrypted will typically pass by an intrusion prevention system untouched.
True
Usually risk management includes both qualitative and quantitative elements.
True
Virtualization can be used as a form of sandboxing with respect to an entire system.
True
Windows Defender is now standard with all versions of the Windows desktop operating systems.
True
Windows Server 2016 replaced the traditional ROM-BIOS with the __________.
Unified Extensible Firmware Interface (UEFI)
Which item should be available for short-term interruptions, such as what might occur as the result of an electrical storm?
Uninterruptible power supply (UPS)
Which term refers to the process of checking whether the program specification captures the requirements from the customer?
Validation
Which alternative site is partially configured, usually having peripherals and software, but perhaps not the more expensive main processing components?
Warm site
Which infection method involves planting malware on a Web site that the victim employees will likely visit?
Watering hole attack
Which of the following is a popular, open source protocol analyzer?
Wireshark
How is quarantine accomplished?
With the erection of firewalls that restrict communication between machines
Which advanced malware tool assists security engineers in hunting down malware infections based on artifacts that the malware leaves behind in memory?
Yara
The Gramm-Leach-Bliley Act is a major piece of legislation that __________.
affects the financial industry and contains significant privacy provisions for individuals
A(n) __________ outlines the proper settings and configurations for an application or set of applications.
application configuration baseline
Clusters that are marked by the operating system as usable when needed are referred to as __________.
free space
The two main places to filter spam are at the __________.
host itself and the server
One of the steps that the majority of system administrators running Internet e-mail servers have taken to reduce spam is to shut down __________.
mail relaying
The term __________ refers to software that has been designed for some nefarious purpose.
malware
DNS __________ is a variant of a larger attack class referred to as DNS spoofing, in which an attacker changes a DNS record through any of a multitude of means
poisoning
Which service allows organizations to share cyberthreat information in a secure and automated manner?
rusted Automated eXchange of Indicator Information (TAXII)
In PGP, the content is encrypted with the generated __________ key.
shared key
How does an IPS differ from an IDS?
•An IPS will block, reject, or redirect unwanted traffic; an IDS will only send an alert.
Which calculated value determines the threshold for evaluating the cost/benefit ratio of a given countermeasure?
ALE
Which statistical term is a representation of the frequency of the event, measured in a standard year?
ARO
Which term describes a piece of code that is distributed to allow additional functionality to be added to an existing program?
Add-on
What is an advantage of a network-based IDS? The difference between misuse and anomaly IDS models is
An IDS coverage requires fewer systems.
Which component of an IDS examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database?
Analysis engine
What is a software bomb?
Software that can destroy or modify files when commands are executed on the computer
Unsolicited commercial e-mail is known as __________.
Spam
Which term refers to a preapproved change that is low risk, relatively common and follows a procedure or work instruction?
Standard change
S/MIME uses the X.509 format for certificates
True
Shimming is the process of putting a layer of code between the driver and the operating system.
True
Snapshots are instantaneous save points in time on virtual machines.
True
The DMCA protects the rights of recording artists and the music industry.
True
Which type of attack can be used to execute arbitrary commands in a database?
SQL injection
What was the primary reason for the spread of the ILOVEYOU worm?
Automatic execution, such as Microsoft Outlook's preview pane.
Which term refers to the quarantine or isolation of a system from its surroundings?
Sandboxing
What are the three states of the data lifecycle in which data requires protection?
In storage, in transit, and during processing
Which term refers to the process responsible for managing the lifecycle of all incidents?
Incident management
Which term refers to a key measure used to prioritize actions throughout the incident response process?
Information criticality
What is an advantage of a host-based IDS?
It can reduce false-positive rates.
What command stops a service in UNIX?
Kill
Which term refers to the targeting of specific steps of a multistep process with the goal of disrupting the overall process?
Kill chain
In which CMMI-DEV maturity level are processes generally ad hoc and chaotic?
Level 1: Initial
In which CMMI-DEV maturity level does an organization establish quantitative objectives for quality and process performance and use them as criteria in managing projects?
Level 4: Quantitatively Managed
Which term refers to a type of an attack where an attacker spoofs addresses and imposes their packets in the middle of an existing connection?
Man-in-the-middle attack
Which term refers to refers to the predicted average time that will elapse before failure (or between failures) of a system?
Mean time to failure
What tool is the protocol/standard for the collection of network metadata on the flows of network traffic?
NetFlow
Which law overhauled the financial accounting standards for publicly traded firms in the United States?
Sarbanes-Oxley Act
Which tool has been the de facto standard IDS engine since its creation in 1998?
Snort
Which attack type is common, and to a degree, relatively harmless?
Port scan
Which tool is designed to probe a system for open ports?
Port scanner
Which RAID configuration, known as byte-striped with error check, spreads the data across multiple disks at the byte level with one disk dedicated to parity bits?
RAID 3
Which RAID configuration, known as block-striped with error check, is a commonly used method that stripes the data at the block level and spreads the parity data across the drives?
RAID 5
Which strategy has the goal of defining the requirements for business continuity?
Recovery time objective (RTO)
Which process is responsible for planning, scheduling and controlling the movement of releases to test and live environments?
Release management
Which term refers to a risk that remains after implementing controls?
Residual risk
Which protection ring has the highest privilege level and acts directly with the physical hardware?
Ring 0
Which term refers to the possibility of suffering harm or loss?
Risk
Which term refers to a form of malware that is specifically designed to modify the operation of the operating system in some fashion to facilitate nonstandard functionality?
Rootkit
Which of the following is a primary e-mail protocol?
SMTP
Which term refers to the path or tool used by an attacker to attack a target?
Threat vector
A major focus of the disaster recovery plan (DRP) is the protection of human life.
True
A physical hard disk drive will persist data longer than a solid state drive.
True
A signed applet can be hijacked
True
Both forensics and e-discovery are secondary processes from a business perspective.
True
Context-based signatures match a pattern of activity based on the other activity around it, such as a port
True
Executable code integrity can be verified using host-based intrusion detection systems.
True
Export control rules for encryption technologies fall under the Wassenaar Arrangement.
True
General UNIX baselining follows similar concepts as baselining for Windows OSs.
True
Hoax e-mails can have a real impact on bandwidth
True
Major legal awards have been decided based on failure to retain information.
True
Most e-mail is sent in plaintext, providing no privacy in its default form.
True
Perpetrating some sort of electronic fraud is one reason a specific system might be targeted for attack.
True
Protecting data while in use is a much trickier proposition than protecting it in transit or in storage.
True
RAID increases reliability through the use of redundancy.
True
Recovery is the returning of the asset into the business function.
True
