Cyber Exam II (Ch.5-8)

Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore?

2

What is NOT a good practice for developing strong professional ethics?

Assume that information should be free

Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting?

Black-box test

Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?

Crossover error rate (CER)

What information should an auditor share with the client during an exit interview?

Details on major issues

Which recovery site option provides readiness in minutes to hours?

Hot site

Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?

Is the security control likely to become obsolete in the near future?

Which one of the following is NOT an advantage of biometric systems?

Physical characteristics may change

Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?

Prudent

Which data source comes first in the order of volatility when conducting a forensic investigation?

RAM

The _____________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.

security kernel

Purchasing an insurance policy is an example of the ____________ risk management strategy.

transfer

Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?

Checklist

What is a key principle of risk management programs?

Don't spend more to protect an asset than it is worth.

Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?

Enforcing the integrity of computer-based information

Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need?

Mantraps

What term describes the longest period of time that a business can survive without a particular critical system?

Maximum tolerable downtime (MTD)

Which one of the following is an example of a logical access control?

Password

Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis?

Qualitative

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor?

20%

Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?

Brute-force attack

Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?

Discretionary access control (DAC)

Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring?

False positive error

Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?

Formatting

Which of the following would NOT be considered in the scope of organizational compliance efforts?

Laws

When should an organization's managers have an opportunity to respond to the findings in an audit?

Managers should include their responses to the draft audit report in the final audit report

Which regulatory standard would NOT require audits of companies in the United States?

Personal Information Protection and Electronic Documents Act (PIPEDA)

Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?

Phishing

Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take?

Reduce

What is the correct order of steps in the change control process?

Request, impact assessment, approval, build/test, implement, monitor

In what type of attack does the attacker send unauthorized commands directly to a database?

SQL injection

A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime.

disaster

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?

Access to a high level of expertise

Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?

Accountability

What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?

An organization should share its information

Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?

Audit

During which phase of the access control process does the system answer the question, "What can the requestor access?"

Authorization

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make this type of classification decision?

Threat

Which of the following is NOT a commonly accepted best practice for password security?

Use at least six alphanumeric characters

Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?

Vulnerability??

Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime?

Warm site

In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?

Waterfall

Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?

Secure Sockets Layer (SSL)

Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?

Separation of duties

Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?

Separation of duties

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?

Authorization

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?

Service level agreement (SLA)

Which intrusion detection system strategy relies upon pattern matching?

Signature detection

Which of the following is an example of two-factor authentication?

Smart card and personal identification number (PIN)

What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?

System integrity monitoring
