C727 - Study Questions

A company uses a document management system to classify documents created by employees. Ownership of the document management system belongs to the chief information officer (CIO). The department managers classify documents that were created by employees in their department as business-critical and sensitive. The information security officer (ISO) maintains the system security plan for the documents created and used by the corresponding department, and the system administrator (SA) ensures that the system is deployed based on the security requirements. Who is the owner of the data in this company? The employee The department managers The information security officer The system administrator

The department managers

Which description suggests that a process has reached the highest level of maturity possible under capability maturity model integration? The process is managed using reliable metrics. The process is defined, documented, reviewed, and subject to improvement. The process is optimized, with a focus on continuous improvement. The process is repeatable, with repeatable results.

The process is optimized, with a focus on continuous improvement.

A company plans to implement a new authentication system for customers accessing the company website. When customers log on, the website indicates that it sent a text message that includes a code to the customer's mobile phone. To complete the log-on process, the customer is required to enter the appropriate code within five minutes. Which authentication mechanism is this system based on? -Time-based one-time password. -Hash-based one-time password -Synchronous dynamic password tokens -Asynchronous dynamic password tokens

Time-based one-time password`

What is the purpose of threat modeling tools? To identify employees who could be potential insider threats To consider the range of compromise concerns and focus on the end result of an attack To identify all the technologies involved in a threat To consider hardware and software tools that provide strong resilience to attackers

To consider the range of compromise concerns and focus on the end result of an attack

Which group of security controls is necessary to protect accounts against stolen credentials? Two-factor authentication Password phrases Personal identification numbers Employee awareness training

Two-factor authentication

Which integrity measure should be applied to enforce nonrepudiation of emails sent from internal users? -Use digital signatures on emails -Ensure emails contain accurate data -Hold users accountable for emails -Scan attachments for viruses

Use digital signatures on emails

Which type of attack exclusively uses the telephone system or VoIP to perform the attack? Birthday Rainbow table Dictionary Vishing

Vishing

Someone has broken to the company's server and was able to obtain an administrative account that he/she used to continue causing havoc in the company's network. What part of STRIDE is this? -levation of privilege -Repudiation -Spoofing -Denial Of Service

• Elevation of privilege • Elevation of privilege: An attack where a limited user account is transformed into an account with greater privileges, powers, and access. This might be accomplished through theft or exploitation of the credentials of a higher-level account, such as that of an administrator or root. It also might be accomplished through a system or application exploit that temporarily or permanently grants additional powers to an otherwise limited account.

In addition to AAA in CIA triad, what are the 2 additional parts -Confidentiality -Auditing -Accountability -Integrity -Identification

-Auditing -Identity You may have heard of the concept of AAA services. The three A's in this abbreviation refer to authentication, authorization, and accounting (or sometimes auditing). However, what is not as clear is that although there are three letters in the acronym, it actually refers to five elements: identification, authentication, authorization, auditing, and accounting. These five elements represent the following processes of security

A company is concerned about unauthorized alteration of data in a customer database. Which security principle is implicated? -Confidentiality -Integrity -Availablity -Accountability

-Integrity

On an employee's first day of work, she notices a large number of file shares available, most of which do not pertain to her position. The employee went to her manager about the level of access. The employee's manager said she has the same level of access as her predecessor. Which principle does this level of access violate? -Role-based access -Job rotation -Rule-based access -Least Privilege

-Least Privilege

John has provided his social security information to HR department who provides John with insurance benefits. What type of information does John has provided to HR? -PHI -PII -SHI -SOX

-PII Personally identifiable information (PII): Used to distinguish or trace an individual's originality

Research department members encrypt their Office 365 files by using keys residing in an on-premises key store. Due to a failure of on-premises network connectivity, the files cannot be decrypted. What should be done to maintain the availability of these files without compromising their confidentiality and integrity? -Set up redundant internet connectivity -Copy files to an on-premises file server -Maintain files in an unencrypted format -Maintain keys with Office 365 files

-Set up redundant internet connectivity

A company has a data center estimated to be worth $5 million located in an area known for earthquakes. Based on the design of the building, if an earthquake strikes the data center it will cause a 40% loss. What is the single loss expectancy (SLE) of an earthquake striking the data center? $2 million $4 million $7.5 million $50 million

2 Million

A company conducts a quantitative risk analysis. The exposure factor (EF) is 25% and the single loss expectancy (SLE) is $100,000. What is the asset value? $25,000 $75,000 $125,000 $400,000

400 000

A company has a data center estimated to be worth $10 million located in an area known for earthquakes. Based on the design of the building, if an earthquake strikes the data center it will cause a 50% loss. What is the single loss expectancy (SLE) of an earthquake striking the data center? $1.25 million $5 million $7.5 million $50 million

5 Million

A server with critical data is valued at $8,000 and the exposure factor to a hack is 10%. What is the single loss expectancy (SLE)? $720 $800 $7,200 $80,000

800

A company receives numerous complaints from employees about the high number of usernames and passwords each employee must maintain. Which solution would allow employees to store usernames and passwords? A credential management system A centralized access control system A key distribution center A public key infrastructure

A credential management system

An employee manages a perimeter network in a retail company that sells health supplements. The company wants to establish an online presence. Which preventive control should this employee recommend for the perimeter network? A logging server Desktop antivirus software An intrusion detection system A firewall device

A firewall device

What is a risk management framework? A document listing all assessed risks A guideline or recipe for how risk is to be assessed, resolved, and monitored An architectural document showing all security controls in an organization Physical borders protecting business-critical systems

A guideline or recipe for how risk is to be assessed, resolved, and monitored

An information security manager has been asked to develop security policies and to deploy security solutions for an organization. Which security principles must be considered in addition to CIA triad principles? -Encryption -AAA -Abstraction -Layering

AAA

State law requires that offices retain medical records for six years. What should the personnel in a medical office do with unneeded patient records before those six years have passed? Archive Degauss Encrypt Transfer

ARCHIVE

An attacker uses multiple websites to collect public information and pieces together a profile to be used for identity impersonation. Which type of attack is this? Database aggregation Information theft Access aggregation Access theft

Access aggregation

A company has an online log-on page for employees to access limited data while working remotely. The log-on is a username and password. Which access control would help prevent an attack on the log-on page given an attacker has unlimited time? Account lockout Strong password policy Last log-on notification Password masking

Account lockout

Which security control is appropriate to protect database applications and associated data from creeping privileges? Account review Account revocation Provisioning Deprovisioning

Account review

Which security concept includes the process of reviewing the activities of an identity? -Accountability -Authentication -Authoriztion -Identification

Accountability

A company needs to improve the security of systems on the corporate network using multiple layers of access control to achieve the strongest level of security possible. Which access control methods should be implemented? Administrative, technical, and physical Physical, attribute, and mandatory Role-based, administrative , and rule-based Administrative, rule-based, and discretionar

Administrative, technical, and physical

Which host-based control should be implemented to ensure that infected web file downloads are isolated? A firewall Anti-malware Intrusion detection A web-filtering client

Anti-malware

Which security control should be employed to remedy access aggregation attacks? Limiting physical access to systems Implementing account lockout Applying need-to-know principle Enforcing password hash and salt

Applying need-to-know principle

An organization plans to design and implement a new IT architecture. The architecture should be flexible, and the access-control management system should use several different characteristics of users, the network, and devices on the network. Which access-control model can be used to implement the new architecture? Rule-based Attribute-based Discretionary Mandator

Attribute-based

Which security concept includes comparing a user's fingerprint against authorized fingerprints stored in a database? -Accountability -Authentication -Authoriztion -Identification

Authentication

A company hires a consulting group to perform a security audit on its network. The audit finds that the email servers are vulnerable to SMTP relay attacks. The company decides to migrate email services to a cloud-based provider and decommission the email servers. Which strategic risk response is applied? Avoidance Mitigation Acceptance Rejection

Avoidance

What is an example of an administrative access control? Security badges Background checks Access control lists Encryption

Background checks

In an organization, the information security management department (ISMD) standardized data classification levels, identifying safeguards and controls for every level. The ISMD started to ask business units (BUs) to classify data. Why is the ISMD asking BUs to classify data before implementing the controls and safeguards? Because the ISMD is the data owner Because BUs are data owners Because BUs own the budget Because the ISMD owns the budget

Because BUs are data owners

Which framework is focused solely on process and process maturity and has five levels of maturity? -CIMM -COBIT -ISACA -SIEM

CIMM

Which framework is focused solely on process and process maturity and has five levels of maturity? COBIT CMMI COSO ITIL

CMMI

A company implements an information security management system (ISMS). The company uses the system to implement security controls and publish security policies. After an assessment, the company discovers that ISMS processes are unpredictable and changing in reaction to events. Which framework should this company implement to improve ISMS processes? The Open Group Architecture Framework (TOGAF) Capability Maturity Model Integration (CMMI) Payment card industry data security standard (PCI-DSS) Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Capability Maturity Model Integration (CMMI)

Which classification of data loss would create a grave danger to the company? -Confidantial -Sensitive -Top Secret -Private

Confidential Confidential is the highest level of classification. This is used for data that is extremely sensitive and for internal use only. A significant negative impact could occur for a company if confidential data is disclosed. Sometimes the label proprietary is substituted for confidential. Sometimes proprietary data is considered a specific form of confidential information. If proprietary data is disclosed, it can have drastic effects on the competitive edge of an organization.

Which security principle uses countermeasures such as encryption and data classification? -Confidentiality -Integrity -Availablity -Accountability

Confidentiality

COBIT

Control Objectives for Information and Related Technology (COBIT). COBIT is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT 5 is based on five key principles for governance and management of enterprise IT: • Principle 1: Meeting Stakeholder Needs • Principle 2: Covering the Enterprise End-to-End • Principle 3: Applying a Single, Integrated Framework • Principle 4: Enabling a Holistic Approach • Principle 5: Separating Governance From Management COBIT is used not only to plan the IT security of an organization but also as a guideline for auditors. COBIT is a widely recognized and respected security control framework.

Which framework achieves the needs of stakeholders and the goals of an enterprise? The Open Group Architecture Framework (TOGAF) Control objectives for information and related technology (CoBIT) Capability Maturity Model Integration (CMMI) Information Technology Infrastructure Library (ITIL)

Control objectives for information and related technology (CoBIT)

Which group of security controls provides storage space for users to keep usernames and passwords stored when a single sign-on is not available? Credential management system OpenID Federated identity management (FIM) OAuth 2.0

Credential management system

How would you minimalize data loss due to ransomware? -IPS -Firewall -Data Backups -Anti Virus

Data Backups

Company has outsourced it's DR of data to a third party, who is responsible to check the backups and ensure they are working? -Data Owner -Data Operator -Data Custodian -Auditor

Data Custodian Data Custodian: The data custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. The data custodian performs all activities necessary to provide adequate protection for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill the requirements and responsibilities delegated from upper management. These activities can include performing and testing backups, validating data integrity, deploying security solutions, and managing data storage based on classification. • Auditor: Responsible for checking and verifying the security policies • Senior Manager: Responsible for approving any security policy before they can be carried out • Security Professional: Responsible for implementing security policies with the exception of taking any decisions • Data Owner: Responsible for protecting the data within the security policies of the organization • Data Custodian: Responsible for the protection of data for CIA triad and carries out the responsibilities and activities from upper management • User: Responsible for understanding and upholding the security policy of an organization

A firm supplies workers' compensation claims (which include supporting personal data) to an outsourced claims investigator. The claims investigator is responsible for packaging the claim data supplied by the firm into a claim file, validating the supplied data, obtaining additional data where warranted, and then recommending a final claim disposition to the firm. Which role is this claims provider fulfilling under the General Data Protection Regulation (GDPR)? Asset owner Business owner Data owner Data processor

Data processor

Company is concerned with their HDDs and they would like to ensure there is no data remnant left at the end of their life spam. What is best way to ensure that:? -Erasing -Degaussing -Purging -Clearing

Degaussing

Company is concerned with their Magnetic tapes and they would like to ensure there is no data remnant left at the end of their life spam. What is best way to ensure that:? -Erasing -Degaussing -Purging -Clearing

Degaussing

You are to sanitize the Solid State Hard drive, what is the safest way to do so? -Erasing -Degaussing -Purging -Destruction

Destruction

A company has created a honeypot on the network with fake data. Which type of access control is this honeypot? Detective Corrective Recovery Directive

Detective

A company discovers that employees are accessing restricted areas. To discourage employees, the security manager posts restricted access signs. What is this security manager's risk response? Acceptance Assignment Avoidance Deterrence

Deterrence

A company develops project management software. The design requires the project manager to control access to the project files. Which access control model should this project manager use? Attribute-based Discretionary Role-based Mandator

Discretionary

The vice president of a company distributes corporate policies by emailing employees links to the files. An IT professional needs to implement a solution that allows only the vice president to manage who can edit corporate policies. Which access control model should this professional implement? Attribute-based Discretionary Mandatory Role-based

Discretionary

A company stores sensitive data on backup tapes. The data must be secured from unauthorized access. How should the backup tapes be secured to minimize unauthorized access? Encrypt data, and then store it in a safe location Digitally sign data, and then store it in a data center Encode the data, and then store it in an office Mask the data, and then store it in a vault

Encrypt data, and then store it in a safe location

Which security control can be applied to prevent eavesdropping attacks? Firewall Encryption Antivirus Patching

Encryption

An organization stores hashed passwords using Secure Hash Algorithm 256 (SHA-256). The organization has concerns about data breaches that result from rainbow table attacks. Which security control should this organization implement? Limiting physical access to company computers Enforcing account lockout Implementing need-to-know principles Enforcing salting before storing the data

Enforcing salting before storing the data

What is a characteristic of discretionary access controls? Rules are based on attributes. Every object has an owner. They are centrally administered. Changes are global.

Every object has an owner

You need to determine the error ratio on unauthorized user who was authenticated with the bio metric -FAR -FRR -CER -ERR -EAr

FAR False Acceptance Rate: A false acceptance occurs when an invalid subject is authenticated. This is also known as a false positive authentication. As an example, imagine that Hacker Joe doesn't have an account and hasn't registered his fingerprint. However, he uses his fingerprint to authenticate, and the system recognizes him. This is a false positive or a false acceptance. The ratio of false positives to valid authentications is called the false acceptance rate (FAR). False acceptance is sometimes called a Type II error

Diana is unable to log in with the use of the biometric, what Error Rate would be used for such event? -FAR -FRR -CER -ERR -EAr

FRR False Rejection Rate: A false rejection occurs when a valid subject is not authenticated. As an example, Dawn has registered her fingerprint and used it to authenticate herself before. Imagine that she uses her fingerprint to authenticate herself today, but the system incorrectly rejects her fingerprint as valid. This is sometimes called a false negative authentication. The ratio of false rejections to valid authentications is known as the false rejection rate (FRR). False rejection is sometimes called a Type I error.

Sally has a user account and has previously logged on using a biometric system. Today, the biometric system didn't recognize her so she wasn't able to log on. What best describes this? -Crossover Error -=Equal Error -False Rejection -False Acceptance

False Rejection A false rejection, sometimes called a false negative authentication or a Type I error, occurs when a valid subject (Sally in this example) is not authenticated. A Type 2 error (false acceptance, sometimes called a false positive authentication or Type II error) occurs when an invalid subject is authenticated. Crossover errors and equal errors aren't valid terms related to biometrics. However, the crossover error rate (also called equal error rate) compares the false rejection rate to the false acceptance rate and provides an accuracy measurement for a biometric system

Which identity management solution allows multiple organizations to share identities based on a common method? Lightweight directory access protocol (LDAP) Kerberos authentication protocol Public key infrastructure (PKI) Federated identity management (FIM)

Federated identity management (FIM)

Which type of security documentation offers recommendations and suggestions on creating a strong password?+ -Standards -Policy -Proicedure -Guidance

Guidance

An organization deploys multifactored authentication. One of the required factors is a username and password. What is the purpose of this username? Identification Authentication Authorization Accountability

Identification

Company has decided to use IDaaS, what is the function of it? -Authorization -Identity -Audit -Accountability

Identity

The use of fingerprints is an example of? -Identity -Authentication -Authoriztaion -Accounting

Identity Fingerprints: Fingerprints are the visible patterns on the fingers and thumbs of people. They are unique to an individual and have been used for decades in physical security for identification. Fingerprint readers are now commonly used on laptop computers and USB flash drives as a method of identification and authentication.

A company is headquartered in a region that has frequent internet connectivity issues due to inclement weather. The company's primary reporting servers are located in this office and are critical to the sales team in the field for accurate product pricing. Employees require 24/7 access to the most up-to-date information, as the data frequently changes. Which solution will ensure a higher availability of these servers outside this company? -Develop a mechanism to publish the necessary pricing information to a cloud location for sales teams to access anytime -Open a direct virtual private network (VPN) access connection between the servers and the sales team's computers -Implement a secondary internet connectivity solution at headquarters, which fails over when the primary connection is unavailable -Create a cloud-based web service that queries a cloud database and replicates the product pricing data periodically

Implement a secondary internet connectivity solution at headquarters, which fails over when the primary connection is unavailable

Which security control should prevent unauthorized access from spoofing attacks? Hash and salt passwords Use account lockout Implement multifactor authentication Enforce password complexity

Implement multifactor authentication

Which security control should be employed as part of a comprehensive process to address the physical theft of virtual servers? Limiting physical access to the hosting servers Enforcing account lockout on the virtual servers Implementing need-to-know principles with authentication to physical servers Enforcing hashing and salting of passwords to hosting servers

Limiting physical access to the hosting servers

Which type of access control do smart cards for employees represent? Logical Administrative Directive Recovery

Logical

A word-processing program uses document labels to determine which users can access files. For example, only members of the legal department can access files labeled legal. Which access control model is applied? Mandatory Discretionary Rule-based Attribute-based

Mandatory

Which environment type allows a user to gain access to objects using classification labels in a compartmentalized environment? Role-based access control Mandatory access control Discretionary access control Attribute-based access control

Mandatory access control

A company wants to enforce strict penalties on a former employee who uploaded sensitive company technical schematics onto a personal website. Which type of document will this company use to enforce penalties? -Nondisclosure Agreement. -Employment agreement -Noncompete agreement -Personnel security agreement

Nondiscrosure Ag

Which identity technology is an open request for comments (RFC) standard that provides access delegation of online websites? Extensible authentication protocol (EAP) Service provisioning markup language (SPML) OpenID identity provider Open Authentication (OAuth) 2.0

Open Authentication (OAuth) 2.0

All of an organization's offices have cable laptop locks to secure a laptop when the user walks away. Which access control type are these locks? Physical Logical Directive Corrective

Physical

Which data classification would cause serious damage to the mission of an organization, is less damaging than its highest classification, and is the label used by most organizations for the classification of PII and PHI data? Public Sensitive Confidential Private

Private

What information classification might have significant impact to the company if they are leaked to the public- -Confidantial -Sensitive -Top Secret -Private

Private (ans) Private: Private is used for data that is of a private or personal nature and intended for internal use only. A significant negative impact could occur for the company or individuals if private data is disclosed. Sensitive: Sensitive is used for data that is more classified than public data. A negative impact could occur for the company if sensitive data is disclosed. Public: Public is the lowest level of classification. This is used for all data that does not fit in one of the higher classifications. Its disclosure does not have a serious negative impact on the organization.

Company has provided a step by step instructions regarding post data breach events, what is this example of? -Standards -Baseline -Guidelines -Procedures

Procedures • Standards: Are the requirements which need to be followed to accomplish the goals of an organization • Baselines: Create a common secure state that acts a foundation to more severe security measures • Guidelines: Create new procedures by outlining approaches and including recommended actions • Procedures: Define the exact actions required to execute a specific security method or solution

Which security concept controls access to the network? -Provide individuals access after they supply a username and password -Create audit logs that will monitor successful and failed log-in attempts -Allow individuals to perform tasks based on assigned rights and permissions -Create audit trails to manage and track user access to network resources

Provide individuals access after they supply a username and password

The document policy of an organization is that there is no negative impact if documents are released outside the organization. What is the data classification of the documents? Confidential Sensitive Public Private

Public

A company wants to provide authentication, authorization, and accounting (AAA) protocols for employees who use virtual private networks (VPNs). Which protocol provides this company with AAA? RADIUS Integrating identity services Federated identity management OpenID

RADIUS

A private company identifies a risk with a high-value asset. A threat has been reported to be attacking only government entities. The company's board of directors has concluded that the threat will likely never materialize for private companies, and that nothing should be done about it. What is the risk response? Avoidance Deterrence Rejection Assignment

Rejection

An employee using a public key infrastructure (PKI) receives an unsigned email from a coworker. Which category of the STRIDE threat model is applicable to this scenario? Spoofing Tampering Repudiation Elevation of privilege

Repudiation

John has received an unsigned email from Bob, under the STRIDE what part of it is it. -Elevation of privilege -Repudiation -Spoofing -Denial Of Service

Repudiation • Repudiation: The ability of a user or attacker to deny having performed an action or activity. Often attackers engage in repudiation attacks in order to maintain plausible deniability so as not to be held accountable for their actions. Repudiation attacks can also result in innocent third parties being blamed for security violations

Senior management has asked you to review security data, interview as part of risk analysis: -Risk Assessment -Risk Evaluation -Risk register -Threat Assesment

Risk Assessment

Scenario where company moved their location from volcano active to not volcano active zone -Risk Avoidance -Risk Mitigation -Risk Acceptance

Risk Avoidance

Which process identifies factors that could damage or disclose data, evaluates those factors considering data value and countermeasure cost, and implements cost-effective solutions? Risk management Asset valuation Vulnerability identification Impact assessment

Risk management

A company wants only members of its database administrator team to have administrative access to all SQL server databases. Which access control model should this company apply? Attribute-based Discretionary Mandatory Role-based

Role-based

A company secures its network by closing specific ports on its firewalls. Which access control method is being applied? Discretionary Mandatory Role-based Rule-based

Rule-based

What is the best way of preventing Rainbow Attack -Salting -Hashing -CLearing -Encryption

Salting, peppering

What is the correct order of the steps in the risk assessment life cycle? Security control selection Security control monitoring Security control implementation Information system authorization Security categorization Security control assessment Security categorization Security control selection Security control implementation Security control assessment Information system authorization Security control monitoring Security categorization Security control selection Security control implementation Security control monitoring Security control assessment Information system authorization Security control selection Security control monitoring Security control implementation Security categorization Security control assessment Information system authorization

Security categorization Security control selection Security control implementation Security control assessment Information system authorization Security control monitoring

Which type of an attack involves an attacker looking at a victim's computer screen to capture sensitive information? Shoulder surfing Tailgating Piggybacking Screen scraping

Shoulder surfing

Which type of attack is passive and noninvasive and intended to observe the operation of a device? Social engineering Side channel Rainbow table Spear phishing

Side channel

The management team of an organization creates a document stating employees who access the company's enterprise resource planning (ERP) system must use a certain browser and are required to have antivirus installed on their machines. Which type of document is this? -Standards -Policy -Proicedure -Guidance

Standards

Which type of controls involves the use of software or hardware mechanisms and may include authentication methods, the use of encryption, firewalls, or intrusion detection systems? Technical Administrative Physical Directive

Technical