BCIS 4740

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Please refer to the following scenario:• Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.• Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.What is the single loss expectancy (SLE)?

$500,000

Please refer to the following scenario:• Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.• Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.What is the annualized rate of occurrence (ARO)?

0.05

What is the output value of the mathematical function 16 mod 3?

1

Acme Widgets has 10 employees and they all need the ability to communicate with one another using a symmetric encryption system. The system should allow any two employees to securely communicate without other employees eavesdropping. If an 11th employee is added to the organization, how many new keys must be added to the system?

10

Please refer to the following scenario:• Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.• Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.What is the exposure factor (EF)?

100%

How many possible keys exist in a 4-bit key space?

16

What is the length of the cryptographic key used in the Data Encryption Standard (DES) cryptosystem?

56 bits

Which one of the following is not a possible key length for the Advanced Encryption Standard Rijndael cipher?

56 bits

What block size is used by the 3DES encryption algorithm?

64 bits

What type of malware connects to a command-and-control system, allowing attackers to manage, control, and update it remotely?

A bot

The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the application have?

A race condition

Selah infects the ads on a website that users from her target company frequently visit with malware as part of her penetration test. What technique has she used?

A watering hole attack

Vince is choosing a symmetric encryption algorithm for use in his organization. He would like to choose the strongest algorithm from the choices below. What algorithm should he choose?

AES

Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most, if discovered in a public repository?

API keys

Tonya discovers that an employee is running a side business from his office, using company technology resources. What policy would most likely contain information relevant to this situation?

AUP

Which one of the following software development models focuses on the early and continuous delivery of software?

Agile

Which one of the following statements about cryptographic keys is incorrect?

All cryptographic keys should be kept secret.

Which one of the following is the best example of a hacktivist group?

Anonymous

A person's name, age, location, or job title are all examples of what?

Attributes

What is the primary purpose of Kerberos?

Authentication

When a caller was recently directed to Amanda, who is a junior IT employee at her company, the caller informed her that they were the head of IT for her organization and that she needed to immediately disable the organization's firewall due to an ongoing issue with their e-commerce website. After Amanda made the change, she discovered that the caller was not the head of IT, and that it was actually a penetration tester hired by her company. Which social engineering principle best matches this type of attack?

Authority

Which one of the following cipher types operates on large pieces of a message rather than individual characters or bits of a message?

Block cipher

Frank is investigating a security incident where the attacker entered a very long string into an input field, which was followed by a system command. What type of attack likely took place?

Buffer overflow

Which one of the following assessment techniques is designed to solicit participation from external security experts and reward them for discovering vulnerabilities?

Bug bounty

Which element of the SCAP framework can be used to consistently describe vulnerabilities?

CVE

What is the function of the network access server within a RADIUS architecture?

Client

What type of security policy often serves as a backstop for issues not addressed in other policies?

Code of conduct

Norm is using full-disk encryption technology to protect the contents of laptops against theft. What goal of cryptography is he attempting to achieve?

Confidentiality

Which one of the following statements is not true about compensating controls under PCI DSS?

Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.

What type of cross-site scripting attack would not be visible to a security professional inspecting the HTML source code in a browser?

DOM-based XSS

Helen's organization maintains medical records on behalf of its customers, who are individual physicians. What term best describes the role of Helen's organization?

Data processor

Under the European Union's GDPR, what term is assigned to the individual who leads an organization's privacy efforts?

Data protection officer

If David wishes to digitally sign the message that he is sending Mike, what key would he use to create the digital signature?

David's private key

When Mike receives the digitally signed message from David, what key should he use to verify the digital signature?

David's public key

Tim is working on a change to a web application used by his organization to fix a known bug. What environment should he be working in?

Development

What type of cryptographic attack attempts to force a user to reduce the level of encryption that they use to communicate with a remote server?

Downgrade

Ben searches through an organization's trash looking for sensitive documents, internal notes, and other useful information. What term describes this type of activity?

Dumpster diving

What type of digital certificate provides the greatest level of assurance that the certificate owner is who they claim to be?

EV

Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?

False positive

Which of the following biometric technologies is most broadly deployed due to its ease of use and acceptance from end users?

Fingerprint scanner

Which of the following is the best description of tailgating?

Following someone through a door they just unlocked

Grace would like to determine the operating system running on a system that she is targeting in a penetration test. Which one of the following techniques will most directly provide her with this information?

Footprinting

What kind of attack makes the Caesar cipher virtually unusable?

Frequency analysis attack

What law creates privacy obligations for those who handle the personal information of European Union residents?

GDPR

Samantha wants to set an account policy that ensures that devices can be used only while the user is in the organization's main facility. What type of account policy should she set?

Geofencing

Which one of the following security policy framework components does not contain mandatory guidance for individuals in the organization?

Guideline

What type of security solution provides a hardware platform for the storage and management of encryption keys?

HSM

Alan's team needs to perform computations on sensitive personal information but does not need access to the underlying data. What technology can the team use to perform these calculations without accessing the data?

Homomorphic encryption

Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples:http://www.mycompany.com/servicestatus.php?serviceID=1http://www.mycompany.com/servicestatus.php?serviceID=2http://www.mycompany.com/servicestatus.php?serviceID=3http://www.mycompany.com/servicestatus.php?serviceID=4http://www.mycompany.com/servicestatus.php?serviceID=5http://www.mycompany.com/servicestatus.php?serviceID=6What type of vulnerability was the attacker likely trying to exploit?

Insecure direct object reference

Edward Snowden was a government contractor who disclosed sensitive government documents to journalists to uncover what he believed were unethical activities. Which two of the following terms best describe Snowden's activities? (Choose two.)

Insider hacktivist

Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information?

IoC

What does the CER for a biometric device indicate?

It indicates the point where the false rejection rate equals the false acceptance rate.

Many cryptographic algorithms rely on the difficulty of factoring the product of large prime numbers. What characteristic of this problem are they relying on?

It is a one-way function.

Which of the following best identifies the benefit of a passphrase?

It is easy to remember.

During a penetration test, Patrick deploys a toolkit on a compromised system and uses it to gain access to other systems on the same network. What term best describes this activity?

Lateral movement

Refer the following scenario when answering questions.An administrator has been working within an organization for over 10 years. He has moved between different IT divisions within the company and has retained privileges from each of the jobs that he's had during his tenure. Recently, supervisors admonished him for making unauthorized changes to systems. He once again made an unauthorized change that resulted in an unexpected outage and management decided to terminate his employment at the company. He came back to work the following day to clean out his desk and belongings, and during this time he installed a malicious script that was scheduled to run as a logic bomb on the first day of the following month.The script will change administrator passwords, delete files, and shut down over 100 servers in the datacenter. Which of the following basic principles was violated during the administrator's employment?

Least privilege

Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit?

Low

Dave is developing a key escrow system that requires multiple people to retrieve a key but does not depend on every participant being present. What type of technique is he using?

M of N Control

What type of attack places an attacker in the position to eavesdrop on communications between a user and a web server?

Man-in-the-middle

Matt is updating the organization's threat assessment process. What category of control is Matt implementing?

Managerial

Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin's need?

Mandatory vacations

Which one of the following security assessment tools is least likely to be used during the reconnaissance phase of a penetration test?

Metasploit

David would like to send Mike a message using an asymmetric encryption algorithm. What key should he use to encrypt the message?

Mike's public key

Which one of the following attackers is most likely to be associated with an APT?

Nation-state actor

Greg is implementing a data loss prevention system. He would like to ensure that it protects against transmissions of sensitive information by guests on his wireless network. What DLP technology would best meet this goal?

Network-based

John recently received an email message from Bill. What cryptographic goal would need to be met to convince John that Bill was actually the sender of the message?

Nonrepudiation

What is the minimum number of cryptographic keys required for secure two-way communications in symmetric key cryptography?

One

When correctly implemented, what is the only cryptosystem known to be unbreakable?

One-time pad

Which one of the following certificate formats is closely associated with Windows binary certificate files?

PFX

Tina works for a hospital system and manages the system's patient records. What category of personal information best describes the information that is likely to be found in those records?

PHI

Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack?

PR

Joe checks his web server logs and sees that someone sent the following query string to an application running on the server:http://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892' ;DROP TABLE Services;--What type of attack was most likely attempted?

Parameter pollution

Precompiled SQL statements that only require variables to be input are an example of what type of application security control?

Parameterized queries

Which of the following technologies is the least effective means of preventing shared accounts?

Password complexity requirements

During a vulnerability scan, Brian discovered that a system on his network contained this vulnerability: Threat-Impact-Solution.jpg What security control, if deployed, would likely have addressed this issue?

Patch management

Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns?

Performing user input validation

Please refer to the following scenario:• Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.Grace's first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt?

Please refer to the following scenario:• Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.•Grace's company decided to install the web application firewall and continue doing business. They are still worried about other risks to the information that were not addressed by the firewall and are considering purchasing an insurance policy to cover those risks.In the end, Grace found that the insurance policy was too expensive and opted not to purchase it. She is taking no additional action. What risk management strategy is being used in this situation?

Which of the following best expresses the primary goal when controlling access to assets?

Preserve confidentiality, integrity, and availability of systems and data.

Which one of the following is not an advantage of database normalization?

Preventing injection attacks

Which of the following types of access control uses fences, security policies, security awareness training, and antivirus software to stop an unwanted or unauthorized activity from occurring?

Preventive

Which one of the following items is not normally included in a request for an exception to security policy?

Proposed revision to the security policy

Asa believes that her organization is taking data collected from customers for technical support and using it for marketing without their permission. What principle is most likely being violated?

Purpose limitation

Elaine wants to implement an AAA system. Which of the following is an AAA system she could implement?

RADIUS

Theresa wants to implement an access control scheme that sets permissions based on what the individual's job requires. Which of the following schemes is most suited to this type of implementation?

RBAC

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?

Read-only

Kevin is participating in a security exercise for his organization. His role in the exercise is to use hacking techniques to attempt to gain access to the organization's systems. What role is Kevin playing in this exercise?

Red team

Please refer to the following scenario:• Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.Grace is considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would this approach use?

Risk avoidance

Which one of the following servers is almost always an offline CA in a large PKI deployment?

Root CA

Lila is working on a penetration testing team and she is unsure whether she is allowed to conduct social engineering as part of the test. What document should she consult to find this information?

Rules of engagement

Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the initial scan?

Run the scan in a test environment.

What type of cryptosystem commonly makes use of a passage from a well-known book for the encryption key?

Running key cipher

Which type of multifactor authentication is considered the least secure?

SMS

Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain if her attack will be successful?

Session cookie

Mike is sending David an encrypted message using a symmetric encryption algorithm. What key should he use to encrypt the message?

Shared secret key

Tracy is concerned about attacks against the machine learning algorithm that her organization is using to assess their network. What step should she take to ensure that her baseline data is not tainted?

She should run the ML algorithm on the network only if she believes it is secure.

Alan reads Susan's password from across the room as she logs in. What type of technique has he used?

Shoulder surfing

Michelle enables the Windows 10 picture password feature to control logins for her laptop. Which type of attribute will it provide?

Something you can do

A PIN is an example of what type of factor?

Something you know

What type of phishing targets specific groups of employees, such as all managers in the financial department of a company?

Spear phishing

Brian discovers that a user suspected of stealing sensitive information is posting many image files to a message board. What technique might the individual be using to hide sensitive information in those images?

Steganography

What type of cipher operates on one character of text at a time?

Stream cipher

Your organization issues devices to employees. These devices generate onetime passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?

Synchronous token

Tina is tuning her organization's intrusion prevention system to prevent false positive alerts. What type of control is Tina implementing?

Technical control

Which of the following is true related to a subject?

The subject is always the entity that receives information about or data from an object.

Which one of the following security assessment techniques assumes that an organization has already been compromised and searches for evidence of that compromise?

Threat hunting

Trevor is deploying the Google Authenticator mobile application for use in his organization. What type of one-time password system does Google Authenticator use in its default mode?

Time-based one-time passwords

Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?

Timing-based SQL injection

What is a HSM used for?

To generate, manage, and securely store cryptographic keys

Which one of the following data protection techniques is reversible when conducted properly?

Tokenization

What type of cipher relies on changing the location of characters within a message to achieve confidentiality?

Transposition cipher

Which AES finalist makes use of prewhitening and postwhitening techniques?

Twofish

Nicole accidentally types www.smazon.com into her browser and discovers that she is directed to a different site loaded with ads and pop-ups. Which of the following is the most accurate description of the attack she has experienced?

Typo squatting

When you combine phishing with Voice over IP, it is known as:

Vishing

Which one of the following tools is most likely to detect an XSS vulnerability?

Web application vulnerability scanner

Bruce is conducting a penetration test for a client. The client provided him with details of their systems in advance. What type of test is Bruce conducting?

White-box test

What language is STIX based on?

XML


Kaugnay na mga set ng pag-aaral

Ch11 - Creativity, Innovation, and Leadership-m

View Set

Intro to Weather and Climate (Exam 3)

View Set

Mastering Biology 3 - Mendelian Genetics

View Set

CGS power point chapters 1-3 TEST 2

View Set

Lecture 7 - Fundamentals of Machine Learning & Intro to Keras

View Set

Sociology Exam over Lessons 5 & 7.

View Set

Chapters 1 and 2 Introduction to Psychology and Research Methods

View Set

Algebra 2 B Unit 2: Radical Functions and Rational Exponents

View Set

9th Grade Abeka Test 1 Algebra I

View Set