Chapter 3 & 4

Maria is the risk manager for a large organization and is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor (EF)? 10 percent 1 percent 20 percent 50 percent

20 percent The EF is calculated as the percentage of the asset value that would be lost if an incident were to occur. In this case, $2 million in damage to a $10 million facility is an exposure factor of 20 percent.

Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place? Bluesnarfing Evil twin Jamming/interference Near field communication

Evil twin In an evil twin attack, the attacker deploys a fake open or public wireless network to use a packet sniffer on any user who connects to it.

True or False? An uninterruptible power supply (UPS) is an example of a reactive component of a disaster recovery plan (DRP). True False

False An uninterruptible power supply is an example of a preventive component of a DRP.

True or False? Authorization controls include biometric devices. True False

False Authorization controls include access control lists, physical access control, and network traffic filters. A biometric device is an authentication control.

Dawn is selecting an alternative processing facility for her organization's primary data center. She needs a facility with the least switchover time, even if it's the most expensive option. What is the most appropriate option in this situation? Cold site Hot site Mobile site Warm site

Hot site A hot site is a facility with environmental utilities, hardware, software, and data that closely mirrors the original data center. It is the most expensive option but has the shortest switchover time.

A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals? Federal Financial Institutions Examination Council (FFIEC) Payment Card Industry Data Security Standard (PCI DSS) Federal Information Security Management Act (FISMA) Health Insurance Portability and Accountability Act (HIPAA)

Payment Card Industry Data Security Standard (PCI DSS) PCI DSS applies to all merchants and service providers who handle credit card information.

Aditya is the security manager for a mid-sized business. The company has suffered several serious data losses when laptops were stolen. Aditya decides to implement full disk encryption on all laptops. What risk response did Aditya take? Transfer Reduce Avoid Accept

Reduce Risk reduction (or mitigation) lowers the likelihood or impact of a risk by implementing security controls. Full disk encryption is an example of a control that lowers risk of data loss when a device containing the disk is stolen.

In which type of attack does the attacker attempt to take over an existing connection between two systems? Man-in-the-middle attack Uniform resource locator (URL) hijacking Typosquatting Session hijacking

Session hijacking In a session hijacking attack, the attacker attempts to take over an existing connection between two network computers.

True or False? A threat analysis identifies and documents threats to critical resources, which means considering the types of disasters that are possible and what kind of damage they can cause. True False

True

True or False? Anti-malware programs and firewalls cannot detect most phishing scams because the scams do not contain suspect code. True False

True

Forensics and incident response are examples of __________ controls. deterrent detective preventive corrective

corrective Corrective controls reduce the effects of a threat. When you reload an operating system after it is infected with malware, you are using a corrective control. Forensics and incident response are other examples of corrective controls.

Purchasing an insurance policy is an example of the ____________ risk management strategy. accept transfer reduce avoid

transfer Transference allows an organization to transfer risk to another entity. Insurance is a common way to reduce risk. An organization "sells" the risk to an insurance company in return for a premium.

As a follow-up to her annual testing, Isabella would like to conduct quarterly disaster recovery tests. These tests should include role-playing and introduce as much realism as possible without affecting live operations. What type of test should Isabella conduct? Simulation test Checklist test Parallel test Structured walk-through

Simulation test A simulation test is more realistic than a structured walk-through. In a simulation test, the discovery recovery plan (DRP) team uses role-playing and follows through with as many of the effects of a simulated disaster as possible without affecting live operations.

Rodrigo is a security professional. He is creating a policy that gives his organization control over mobile devices used by employees while giving them some options as to the type of device they will use. Which approach to mobile devices is Rodrigo focusing on in the policy? Choose Your Own Device (CYOD) Bring Your Own Device (BYOD) Company-owned business-only (COBO) Company-owned/personally enabled (COPE)

Choose Your Own Device (CYOD) Some of the concerns around employees having their own devices are eliminated when an organization takes a more controlling or active role in personal device management. For example, an approach called CYOD means the organization might opt to provide employees with a few options from which to choose a device, for example, a device from each mobile operating system or vendor might be offered.

Hajar is developing a business impact assessment for her organization. She is working with business units to determine the target state of recovered data that allows the organization to continue normal processing after a major interruption. Which of the following is Hajar determining? Recovery point objective (RPO) Recovery time objective (RTO) Business recovery requirements Technical recovery requirements

Recovery point objective (RPO) The RPO describes the target state of recovered data that allows an organization to continue normal processing. It is the maximum amount of data loss that is acceptable. The RPO provides direction on how to back up data, what policies are needed regarding recovery, and whether loss prevention or loss correction is a better option.

As a follow-up to her annual testing, Isabella would like to conduct quarterly disaster recovery tests. These tests should include role-playing and introduce as much realism as possible without affecting live operations. What type of test should Isabella conduct? Simulation test Structured walk-through Checklist test Parallel test

Simulation test A simulation test is more realistic than a structured walk-through. In a simulation test, the discovery recovery plan (DRP) team uses role-playing and follows through with as many of the effects of a simulated disaster as possible without affecting live operations.

True or False? Authentication controls include passwords and personal identification numbers (PINs). True False

True

True or False? Changes to external requirements, such as legislation, regulation, or industry standards, that require control changes can result in a security gap for an organization. True False

True

True or False? Safeguards address gaps or weaknesses in the controls that could otherwise lead to a realized threat. True False

True

True or False? Theft of intellectual property and its release to competitors or to the public can nullify an organization's competitive advantage. True False

True

True or False? When servers need operating system upgrades or patches, administrators take them offline intentionally so they can perform the necessary work without risking malicious attacks. True False

True

An attacker attempting to break into a facility pulls the fire alarm to distract the security guard manning an entry point. Which type of social engineering attack is the attacker using? Vishing Authority Urgency Whaling

Urgency In an urgency attack, the attacker uses some sort of urgent or emergency situation to get someone to perform an action or divulge information.

An attacker attempting to break into a facility pulls the fire alarm to distract the security guard manning an entry point. Which type of social engineering attack is the attacker using? Vishing Urgency Authority Whaling

Urgency In an urgency attack, the attacker uses some sort of urgent or emergency situation to get someone to perform an action or divulge information.

Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows a cross-site scripting attack against the server. What term describes the issue that Adam discovered? Risk Impact Threat Vulnerability

Vulnerability A vulnerability is any exposure that could allow a threat to be realized. A cross-site scripting issue in code is an example of such an exposure. The scenario does not describe a specific threat, and a risk requires the presence of a threat to exist.