info systems
Juan's web server was down for an entire day last September. It experienced no other downtime during that month. Which one of the following represents the web server uptime for that month?
96.67%
Authorization controls include biometric devices.
False
Which one of the following is an example of a logical access control?
Password
In which type of attack does the attacker attempt to take over an existing connection between two systems?
Session hijacking
Which term describes an action that can damage or compromise an asset?
Threat
Which term describes any action that could damage an asset?
Threat
Which one of the following is the best example of an authorization control?
Access control lists
Which information security objective allows trusted entities to endorse information?
Certification
Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?
Data ownership
What is the first step in a disaster recovery effort?
Ensure that everyone is safe.
Which one of the following is an example of a disclosure threat?
Espionage
Which type of attack involves the creation of some deception in order to trick unsuspecting users?
Fabrication
A dictionary password attack is a type of attack in which one person, program, or computer disguises itself as another person, program, or computer to gain access to some resource.
False
A phishing attack "poisons" a domain name on a domain name server.
False
A security policy is a comparison of the security controls you have in place and the controls you need in order to address all identified threats.
False
Bricks-and-mortar stores are completely obsolete now.
False
Cryptography is the process of transforming data from cleartext into ciphertext.
False
Denial of service (DoS) attacks are larger in scope than distributed denial of service (DDoS) attacks.
False
The main difference between a virus and a worm is that a virus does not need a host program to infect.
False
The weakest link in the security of an IT infrastructure is the server.
False
Vishing is a type of wireless network attack.
False
Which control is not designed to combat malware?
Firewalls
Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers?
HIPAA
What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature?
Hash
Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity?
Incident
Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve?
Integrity
Rachel is investigating an information security incident that took place at the high school where she works. She suspects that students may have broken into the student records system and altered their grades. If correct, which one of the tenets of information security did this attack violate?
Integrity
Which of the following is an example of a hardware security control?
MAC filtering
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
Phishing
What is NOT a goal of information security awareness programs?
Punish users who violate policy
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
Recovery time objective (RTO)
Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?
Software as a Service (SaaS)
What type of network connects systems over the largest geographic area?
Wide area network (WAN)
Which type of attack against a web application uses a newly discovered vulnerability that is not patchable?
Zero-day attack
Forensics and incident response are examples of __________ controls.
corrective
What is NOT a commonly used endpoint security technique?
Network firewall
What is NOT one of the three tenets of information security?
Safety
During which phase of the access control process does the system answer the question, "What can the requestor access?"
Authorization
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?
White-hat hacker
What type of malicious software masquerades as legitimate software to entice the user to run it?
Trojan horse
Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?
Vulnerability
Betty receives a ciphertext message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?
Decryption
Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales?
Opportunity cost
Which type of authentication includes smart cards?
Ownership
Which mitigation plan is most appropriate to limit the risk of unauthorized access to workstations?
Password protection
What term describes the risk that exists after an organization has performed all planned countermeasures and controls?
Residual risk
Which formula is typically used to describe the components of information security risks?
Risk = Threat X Vulnerability
What type of network device normally connects directly to endpoints and uses MAC-based filtering to limit traffic flows?
Switch
A DoS attack is a coordinated attempt to deny service by occupying a computer to perform large amounts of unnecessary tasks.
True
A birthday attack is a type of cryptographic attack that is used to make brute-force attack of one-way hashes easier.
True
A phishing email is a fake or bogus email intended to trick the recipient into clicking on an embedded URL link or opening an email attachment.
True
A surge protector is an example of a preventative component of a disaster recovery plan (DRP).
True
Any component that, if it fails, could interrupt business processing is called a single point of failure (SPoF).
True
Authentication controls include passwords and personal identification numbers (PINs).
True
Rootkits are malicious software programs designed to be hidden from normal methods of detection.
True
Screen locks are a form of endpoint device security control.
True
Spyware gathers information about a user through an Internet connection, without his or her knowledge.
True
The business impact analysis (BIA) identifies the resources for which a business continuity plan (BCP) is necessary.
True
The recovery point objective (RPO) is the maximum amount of data loss that is acceptable.
True
The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks.
True
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?
Alice's private key
Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?
Alice's public key
Which action is the best step to protect Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements?
Applying security updates promptly
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?
Authorization
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Baseline
Which password attack is typically used specifically against password files that contain cryptographic hashes?
Birthday attacks
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?
Brute-force attack
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
Business continuity plan (BCP)
Which activity manages the baseline settings for a system or device?
Configuration control
A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime.
disaster
Purchasing an insurance policy is an example of the ____________ risk management strategy.
transfer