InfoSec Cyber Final
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
security kernel
What organization offers a variety of security certifications that are focused on the requirements of auditors? International Information Systems Security Certification Consortium, Inc. (ISC)2 CompTIA Global Information Assurance Certification (GIAC) ISACA
ISACA
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?
Kerberos
Which of the following graduate degree programs focuses on managing the process of securing information systems, rather than the technical aspects of information security? MBA MS MSc MScIT
MBA
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Memorandum of understanding (MOU)
Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?
Parallel test
Brian is the information security training officer for a health care provider. He wants to develop a training program that complies with the provisions of the Health Insurance Portability and Accountability Act (HIPAA). Which of the following topics must be included? Password management Medical records formats Prescribing procedures Patient safety
Password management
Which mitigation plan is most appropriate to limit the risk of unauthorized access to workstations?
Password protection
What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act? Non-profit organizations Publicly traded companies Government agencies Privately held companies
Publicly traded companies
What is the correct order of steps in the change control process?
Request, impact assessment, approval, build/test, implement, monitor
Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, what type of safeguards must be implemented by all covered entities, regardless of the circumstances? Addressable Standard Security Required
Required
What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?
Security Assertion Markup Language (SAML)
A common platform for capturing and analyzing log entries is __________.
Security Information and Event Management (SIEM)
Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?
Software as a Service (SaaS)
Which of the following items would generally NOT be considered personally identifiable information (PII)? Name Driver's license number Trade secret Social Security number
Trade secret
Continuing professional education (CPE) credits typically represent ________ minutes of classroom time per CPE unit. 30 50 60 120
50
How many domains of knowledge are covered by the Certified Information Systems Security Professional (CISSP) exam? 7 8 9 10
8
Which Institute of Electrical and Electronics Engineers (IEEE) standard covers wireless LANs? 802.3 802.11 802.16 802.18
802.11
What is NOT a symmetric encryption algorithm? A. Rivest-Shamir-Adleman (RSA) B. Data Encryption Standard (DES) C. International Data Encryption Algorithm (IDEA) D. Carlisle Adams Stafford Tavares (CAST)
A. Rivest-Shamir-Adleman (RSA): Symmetric Key Standards Explanation: DES, CAST, and IDEA are all symmetric algorithms. RSA is an asymmetric algorithm.
The Institute of Electrical and Electronics Engineers (IEEE) publishes or sponsors more than 13,000 standards and projects. True False
True
The Internet Architecture Board (IAB) serves as an advisory body to the Internet Society (ISOC). True False
True
Wireless Network Security Controls
WEP (insecure and flawed) should never be used.
The Main Types of Networks
Wide Area Network (WAN): Connects systems over a large geographical area.
Which scenario presents a unique challenge for developers of mobile applications? a. Applying encryption to network communications b. Selecting multiple items from a list c. Obtaining IP addresses d. Using checkpoints
b. Selecting multiple items from a list
A SOC 1 report primarily focuses on security.
False
A professional certification is typically offered as part of an evening curriculum that leads to a certificate of completion. True False
False
A structured walk-through test is a review of a business continuity plan to ensure that contact numbers are current and that the plan reflects the company's priorities and structure.
False
Denial of service (DoS) attacks are larger in scope than distributed denial of service (DDoS) attacks. True False
False
Deterrent controls identify that a threat has landed in your system.
False
Most prospective employers value unaccredited programs as much as accredited programs. True False
False
Privacy is the process used to keep data private. True False
False
Risk refers to the amount of harm a threat exploiting a vulnerability can cause.
False
Sarbanes-Oxley Act (SOX) Section 404 compliance requirements are highly specific. True False
False
Which type of authentication includes smart cards?
Ownership
Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records? Encryption Truncation Hashing Masking
Masking
What term describes the longest period of time that a business can survive without a particular critical system?
Maximum Tolerable Downtime
IPv4 addresses
Each octet may contain any integer value between 0 and 255.
Which data source comes first in the order of volatility when conducting a forensic investigation?
RAM
Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?
Redundant Array of Independent Disks (RAID)
George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?
Risk Management Guide for Information Technology Systems (NIST SP800-30)
Fencing and mantraps are examples of physical controls.
True
The CISSP-ISSEP concentration requires that a candidate demonstrate two years of professional experience in the area of architecture. True False
False
The main difference between a virus and a worm is that a virus does not need a host program to infect. True False
False
What is NOT one of the three tenets of information security?
Safety
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions?
Threat
Distance learning is another term for online study. True False
True
Unified Threat Management (UTM)
URL filter, content inspection, malware inspection
Sarbanes-Oxley Act (SOX) Section 404 requires an organization's executive officers to establish, maintain, review, and report on the effectiveness of the company's internal controls over financial reporting (ICFR). True False
True
The Certified Cloud Security Professional (CCSP) certification was created by both (ISC)2 and the Cloud Security Alliance (CSA). True False
True
The Federal Information Security Management Act (FISMA) of 2014 defines the roles, responsibilities, accountabilities, requirements, and practices that are needed to fully implement FISMA security controls and requirements. True False
True
The International Telecommunication Union (ITU) was formed in 1865 as the International Telegraph Union to develop international standards for the emerging telegraph communications industry. True False
True
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?
Brute-force attack
Host isolation is the isolation of internal networks and the establishment of a(n) __________.
DMZ
Which organization promotes technology issues as an agency of the United Nations? International Telecommunication Union (ITU) Institute of Electrical and Electronics Engineers (IEEE) American National Standards Institute (ANSI) Internet Assigned Numbers Authority (IANA)
International Telecommunication Union (ITU)
Jim is an experienced security professional who recently accepted a position in an organization that uses Check Point firewalls. What certification can Jim earn to demonstrate his ability to administer these devices? CISSP CCIE Security+ CCSA
CCSA
Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?
Crossover error rate (CER)
Which one of the following measures the average amount of time that it takes to repair a system, application, or component?
Mean time to repair (MTTR)
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
Service level agreement (SLA)
Which one of the following is an advantage that the Internet of Things (IoT) brings to economic development for countries? a. Technical and industry development b. Confidentiality of personal information c. Network security devices d. Broadband capacity
a. Technical and industry development
In Mobile IP, what term describes a device that would like to communicate with a mobile node (MN)? a. Home agent (HA) b. Foreign agent (FA) c. Care of address (COA) d. Correspondent node (CN)
d. Correspondent node (CN)
Jared recently viewed a forum discussion on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Jared likely encountered? a. SQL injection b. Command injection c. XML injection d. Cross-site scripting (XSS)
d. Cross-site scripting (XSS)
Administrative controls develop and ensure compliance with policy and procedures.
True
Which one of the following is an example of a disclosure threat? a. Espionage b. Alteration c. Denial d. Destruction
a. Espionage
Which one of the following is NOT a market driver for the Internet of Things (IoT)? a. Global adoption of non-IP networking b. Smaller and faster computing c. Growth of cloud computing d. Advancements in data analytics
a. Global adoption of non-IP networking
With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network? a. Home agent (HA) b. Foreign agent (FA) c. Care of address (COA) d. Correspondent node (CN)
a. Home agent (HA)
Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered? a. Polymorphic virus b. Stealth virus c. Cross-platform virus d. Multipartite virus
a. Polymorphic virus
Which group is the most likely target of a social engineering attack? a. Receptionists and administrative assistants b. Information security response team c. Internal auditors d. Independent contractors
a. Receptionists and administrative assistants
Alison discovers that a system under her control has been infected with malware, which is using a keylogger to report user keystrokes to a third party. What information security property is this malware attacking? A. Integrity B. Availability C. Accounting D. Confidentiality
D. Confidentiality: Malicious Code and Activity Explanation: Malicious code attacks all three properties of information security. In this case, the keylogger is stealing information, which is a violation of confidentiality.
Dynamic Host Configuration Protocol (DHCP)
Automatically assigns network configuration to each user's computer, simplifying its setup.
What federal agency is charged with the mission of promoting "U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life?" National Institute of Standards and Technology (NIST) Federal Communications Commission (FCC) Federal Trade Commission (FTC) National Aeronautics and Space Administration (NASA)
National Institute of Standards and Technology (NIST)
Which term accurately describes Layer 3 of the Open Systems Interconnection (OSI) model? Network Application Physical Session
Network
What is NOT a commonly used endpoint security technique?
Network firewall
Which document is the initial stage of a standard under the Internet Engineering Task Force (IETF) process? Proposed Standard (PS) Draft Standard (DS) Standard (STD) Best Current Practice (BCP)
Proposed Standard (PS)
Taylor is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use? SAQ A SAQ B SAQ C SAQ D
SAQ C
In what type of attack does the attacker send unauthorized commands directly to a database?
SQL injection
As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct?
Simulation test
Remote Desktop Protocol (RDP)
TCP Port 3389. Henry's last firewall rule must allow inbound access to a Windows Terminal Server.
Simple Mail Transfer Protocol (SMTP)
TCP port 25. Henry is creating a firewall rule that will allow inbound mail to the organization.
What file type is least likely to be impacted by a file infector virus? A. .exe B. .docx C. .com D. .dll
B. .docx: File (Program) Infectors Explanation: The .docx file type is least likely to be impacted by a file infector virus. File infectors typically attack program files with .com or .exe file extensions.
What is the only unbreakable cipher when it is used properly? A. Rivest-Shamir-Adleman (RSA) B. Vernam C. Elliptic Curve Diffie-Hellman in Ephemeral mode (ECDHE) D. Blowfish
B. Vernam: Cryptanalysis and Public Versus Private Keys Explanation: The Vernam cipher, also known as a one-time pad, is unbreakable provided that the key is at least as long as the message and that each key is only used one time.
A __________ is a standard used to measure how effective your system is as it relates to industry expectations.
Benchmark
Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting?
Black-box test
What ISO security standard can help guide the creation of an organization's security policy? A. 12333 B. 17259 C. 27002 D. 42053
C. 27002: Implementing Effective Software Best Practices Explanation: Consider implementing an ISO/IEC 27002-compliant security policy. ISO/IEC 27002 is the most widely recognized security standard.
Which set of characteristics describes the Caesar cipher accurately? A. Asymmetric, block, substitution B. Asymmetric, stream, transposition C. Symmetric, stream, substitution D. Symmetric, block, transposition
C. Symmetric, stream, substitution: Substitution Cipher Explanation: The Caesar cipher is an example of a substitution cipher because it changes the letters in a message. It is not a transposition cipher because it does not rearrange the letters. It is also a stream cipher rather than a block cipher because it works on one character at a time. It is a symmetric, not an asymmetric cipher, because both the sender and receiver use the same key.
Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter? A. Virus B. Worm C. Trojan horse D. Logic bomb
C. Trojan horse: Trojan Horses Explanation: Trojans, or Trojan horse programs, are the largest class of malware. A Trojan is any program that masquerades as a useful program while hiding its malicious intent. The masquerading nature of a Trojan encourages users to download and run the program.
Rod has been a Certified Information Systems Security Professional (CISSP) for 10 years. He would like to earn an advanced certification that demonstrates his ability in information security architecture. Which of the following CISSP concentrations would meet Rod's needs? CISSP-ISASP CISSP-ISSEP CISSP-ISSMP CISSP-ISSAP
CISSP-ISSAP
Purchasing an insurance policy is an example of the ____________ risk management strategy.
transfer
Which of the following certifications cannot be used to satisfy the security credential requirements for the advanced Certified Internet Webmaster (CIW) certifications? Security+ GIAC Certified Firewall Analyst (GCFW) Certified Information Security Manager (CISM) Certified Information Systems Security Professional (CISSP)
Certified Information Security Manager (CISM)
What certification focuses on information systems audit, control, and security professionals? Certified Information Security Manager (CISM) Certified Information Systems Auditor (CISA) Certified in the Governance of Enterprise IT (CGEIT) Certified in Risk and Information Systems Control (CRISC)
Certified Information Systems Auditor (CISA)
Which of the following certifications is considered the flagship Information Systems Security Certification Consortium, Inc. (ISC)2 certification and the gold standard for information security professionals? Certified Authorization Professional (CAP) Certified Cloud Security Professional (CCSP) Certified Information Systems Security Professional (CISSP) Systems Security Certified Practitioner (SSCP)
Certified Information Systems Security Professional (CISSP)
Which of the following Cisco certifications demonstrates the most advanced level of security knowledge? Cisco Certified Technician (CCT) Security Cisco Certified Network Associate (CCNA) Security Cisco Certified Network Professional (CCNP) Security Cisco Certified Internetwork Expert (CCIE) Security
Cisco Certified Internetwork Expert (CCIE) Security
The Family Educational Rights and Privacy Act (FERPA) requires that specific information security controls be implemented to protect student records. True False
False
The Payment Card Industry (PCI) Council has only one priority: to assist merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data. True False
False
The four main areas in NIST SP 800-50 are awareness, training, certification, and professional development. True False
False
The four main types of logs that you need to keep to support security auditing include event, access, user, and security.
False
Which of the following is NOT an advantage to undertaking self-study of information security topics? Self-motivation Flexible materials Fixed pace Low cost
Fixed pace
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?
Formatting
Which element of the security policy framework offers suggestions rather than mandatory actions?
Guideline
Smurf Attack
Barbara is investigating an attack against her network. She notices that the Internet Control Message Protocol (ICMP) echo replies coming into her network far exceed the ICMP echo requests leaving her network.
Rachel is investigating an information security incident that took place at the high school where she works. She suspects that students may have broken into the student records system and altered their grades. If correct, which one of the tenets of information security did this attack violate?
Integrity
Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve? Integrity Accountability Availability Confidentiality
Integrity
Which of the following programs requires passing a standardized examination that is based upon a job-task analysis? Certificate of completion Professional certification Bachelor's degree Doctoral degree
Professional certification
Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
Project initiation and planning
What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations? a. Whois b. Simple Network Management Protocol (SNMP) c. Ping d. Domain Name System (DNS)
a. Whois
Which technology can be used to protect the privacy rights of individuals and simultaneously allow organizations to analyze data in aggregate? a. Encryption b. Decryption c. Deidentification d. Aggregation
c. Deidentification
What is NOT a common motivation for attackers? a. Money b. Fame c. Revenge d. Fear
d. Fear
Which network device is capable of blocking network connections that are identified as potentially malicious?
Intrusion prevention system (IPS)
What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries? National Security Administration (NSA) National Institute of Standards and Technology (NIST) Department of Defense (DoD) Federal Communications Commission (FCC)
National Institute of Standards and Technology (NIST)
A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?
Payment Card Industry Data Security Standard (PCI DSS)
What is NOT an area where the Internet Architecture Board (IAB) provides oversight on behalf of the Internet Engineering Task Force (IETF)? Architecture for Internet protocols and procedures Editorial and publication procedures for requests for comments (RFCs) Confirmation of IETF chairs Subject matter expertise on routing and switching
Subject matter expertise on routing and switching
Which term describes any action that could damage an asset?
Threat
A personnel safety plan should include an escape plan.
True
ANSI produces standards that affect nearly all aspects of IT. True False
True
The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation?
13
Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore?
2
Compliance not only includes the actual state of being compliant, but it also includes the steps and processes taken to become compliant. True False
True
Implementing and monitoring risk responses are part of the risk management process.
True
In an incremental backup, you start with a full backup when network traffic is light. Then, each night, you back up only that day's changes.
True
In remote journaling, a system writes a log of online transactions to an offsite location.
True
Information systems security is about ensuring the confidentiality, integrity, and availability of IT infrastructures and the systems they comprise. True False
True
Many security training courses specifically prepare students for certification exams. True False
True
Master of science (MS) degree programs prepare a student to enter the field of information security and perform the work of securing systems. True False
True
Some of the tools and techniques used in security monitoring include baselines, alarms, closed-circuit TV, and honeypots.
True
Standards provide guidelines to ensure that products in today's computing environments work together. True False
True
What series of Special Publications does the National Institute of Standards and Technology (NIST) produce that covers information systems security activities? 600 700 800 900
800
What DoD directive requires that information security professionals in the government earn professional certifications? 8088 8140 8270 8540
8140
When you use a control that costs more than the risk involved, you're making a poor management decision.
True
Which one of the following is typically used during the identification phase of a remote access connection?
Username
Which cryptographic attack offers cryptanalysts the most information about how an encryption algorithm works? A. Chosen plaintext B. Ciphertext only C. Known plaintext D. Chosen ciphertext
A. Chosen plaintext: Cryptanalysis and Public Versus Private Keys Explanation: In a chosen-plaintext attack, the cryptanalyst can encrypt any information and observe the output. This is the best case for the cryptanalyst. It offers the most flexibility (and insight) into the encryption mechanism. An example is the encryption offered by older versions of Microsoft Office software applications. You could encrypt only the letter A, then B, and so on, to try to discern what the cipher is doing.
From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)? a. Security risk will increase b. Security risk will decrease c. Security risk will stay the same d. Security risk will be eliminated
a. Security risk will increase
The CEO of Erlich's company recently fell victim to an attack. The attackers sent the CEO an email informing him that his company was being sued and he needed to view a subpoena at a court website. When visiting the website, malicious code was downloaded onto the CEO's computer. What type of attack took place? a. Spear phishing b. Pharming c. Adware d. Command injection
a. Spear phishing
Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement? a. Privacy b. Bring your own device (BYOD) c. Acceptable use d. Data classification
b. Bring Your Own Device (BYOD)
What program, released in 2013, is an example of ransomware? a. BitLocker b. Crypt0L0cker c. FileVault d. CryptoVault
b. Crypt0L0cker
What is NOT one of the four main purposes of an attack? a. Denial of availability b. Data correlation c. Data modification d. Launch point
b. Data correlation
Which type of virus targets computer hardware and software startup functions? a. Hardware infector b. System infector c. File infector d. Data infector
b. System infector
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri? a. Cracker b. White-hat hacker c. Black-hat hacker d. Grey-hat hacker
b. White-hat hacker
Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter? a. Virus b. Worm c. Trojan horse d. Logic bomb
c. Trojan horse
What type of malicious software masquerades as legitimate software to entice the user to run it? a. Virus b. Worm c. Trojan horse d. Rootkit
c. Trojan horse
What is NOT a typical sign of virus activity on a system? a. Unexplained decrease in available disk space b. Unexpected error messages c. Unexpected power failures d. Sudden sluggishness of applications
c. Unexpected power failures
Alison discovers that a system under her control has been infected with malware, which is using a key logger to report user keystrokes to a third party. What information security property is this malware attacking? a. Integrity b. Availability c. Accounting d. Confidentiality
d. Confidentiality
Tony is working with a law enforcement agency to place a wiretap pursuant to a legitimate court order. The wiretap will monitor communications without making any modifications. What type of wiretap is Tony placing? a. Active wiretap b. Between-the-lines wiretap c. Piggyback-entry wiretap d. Passive wiretap
d. Passive wiretap
Gwen's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Gwen should implement before accepting credit card transactions? a. Health Insurance Portability and Accountability Act (HIPAA) b. Family Educational Rights and Privacy Act (FERPA) c. Communications Assistance for Law Enforcement Act (CALEA) d. Payment Card Industry Data Security Standard (PCI DSS)
d. Payment Card Industry Data Security Standard (PCI DSS)
Which term describes an action that can damage or compromise an asset? a. Likelihood b. Vulnerability c. Countermeasure d. Threat
d. Threat
A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime.
disaster
Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered? A. Polymorphic virus B. Stealth virus C. Cross-platform virus D. Multipartite virus
A. Polymorphic virus: Other Virus Classifications Explanation: Polymorphic viruses include a separate encryption engine that stores the virus body in encrypted format while duplicating the main body of the virus. The virus exposes only the decryption routine for possible detection. It embeds the control portion of the virus in the decryption routine, which seizes control of the target system and decrypts the main body of the virus so that it can execute.
Which approach to cryptography provides the strongest theoretical protection? A. Quantum cryptography B. Asymmetric cryptography C. Elliptic curve cryptography D. Classic cryptography
A. Quantum cryptography: Cryptographic Functions and Ciphers Explanation: Quantum cryptography bases its algorithms on the properties of quantum mechanics. The basic difference between classic cryptography and quantum cryptography is in the difficulty in breaking the cipher. Breaking classic ciphers is extremely difficult; breaking quantum cryptography ciphers is theoretically impossible. Of course, quantum cryptography implementations are computationally expensive and more difficult to get "right."
Gwen is investigating an attack. An intruder managed to take over the identity of a user who was legitimately logged in to Gwen's company's website by manipulating Hypertext Transfer Protocol (HTTP) headers. Which type of attack likely took place? A. Session hijacking B. XML injection C. Cross-site scripting D. SQL injection
A. Session hijacking: How Can Attackers Attack Web Applications? Explanation: Session hijacking is an attack in which the attacker intercepts network messages between a web server and a web browser. It extracts one or more pieces of data, most commonly a session ID, and uses that to communicate with the web server. The attacker pretends to be an authorized user by taking over the authorized user's session.
What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations? A. Whois B. Simple Network Management Protocol (SNMP) C. Ping D. Domain Name System (DNS)
A. Whois: DNS, ICMP, and Related Tools Explanation: Whois is a tool that provides information on domain registrations, including the registrar, name servers, and the name of the registering organization.
What standard is NOT secure and should never be used on modern wireless networks? A. Wired Equivalent Privacy (WEP) B. Wi-Fi Protected Access (WPA) C. Wi-Fi Protected Access version 2 (WPA2) D. 802.11ac
A. Wired Equivalent Privacy (WEP): Wireless Security Explanation: WEP is cryptographically broken (RC4 with short, reused initialization vectors) and can be cracked in minutes with freely available tools; it should never be used. WPA and its successor WPA2 were designed to replace it. Note that WPA's TKIP mode is itself deprecated today; modern networks should use WPA2 with AES-CCMP or WPA3. 802.11ac is a Wi-Fi transmission standard, not a security protocol, and is acceptable for use.
Which one of the following is the best example of an authorization control?
Access control lists
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
Access to a high level of expertise
Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?
Accountability
________ refers to a program of study approved by the State Department of Education in the state that a school operates. Continuing education Accredited Continuing professional education (CPE) Certificate of completion
Accredited
Which one of the following is NOT an advantage of biometric systems?
Physical characteristics may change
Which element of the security policy framework requires approval from upper management and applies to the entire organization?
Policy
Post-audit activities include which of the following?
Presenting findings, data analysis, exit interviews, reviewing of findings
Chris is writing a document that provides step-by-step instructions for end users seeking to update the security software on their computers. Performing these updates is mandatory. Which type of document is Chris writing?
Procedure
What mathematical problem forms the basis of most modern cryptographic algorithms? A. Factoring large primes B. Traveling salesman problem C. Quantum mechanics D. Birthday problem
A. Factoring large primes: Symmetric and Asymmetric Key Cipher Resistance to Attack Explanation: Today, the basis of most commercial asymmetric key cryptography is the difficulty of factoring large numbers that are the product of two large primes. For example, it is relatively easy with pen and paper to calculate 757 × 769 = 582,133. Yet, given only the result 582,133, recovering its two factors is much harder. The classic approach is trial division: try 2, 3, 5, 7, 11, 13, and so on until a prime divides the number. Because 757 is the 134th prime, that takes 134 guesses. Although this becomes much easier with a computer, imagine that the two prime factors are 100 digits each!
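The asymmetry described above, as an added example (not code from the original page): multiplying 757 × 769 is one operation, while recovering the factors by trial division takes 134 attempts. The sieve and the trial-division loop are ordinary textbook routines written here for illustration.

```python
"""Trial-division factoring of a semiprime: the easy direction (multiply)
versus the hard direction (factor). Added example; the prime list is built
with a simple Sieve of Eratosthenes."""
from __future__ import annotations

from math import isqrt


def primes_up_to(limit: int) -> list[int]:
    """Sieve of Eratosthenes: all primes <= limit, in increasing order."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"                    # 0 and 1 are not prime
    for p in range(2, isqrt(limit) + 1):
        if sieve[p]:
            # cross out every multiple of p starting at p*p
            sieve[p * p :: p] = bytearray(len(range(p * p, limit + 1, p)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def trial_division(n: int) -> tuple[int, int, int]:
    """Return (p, q, attempts): the smallest prime factor p of n, the
    cofactor q = n // p, and how many primes were tried before p divided n.
    Only primes up to sqrt(n) need testing, because a composite n always
    has a factor no larger than its square root."""
    attempts = 0
    for p in primes_up_to(isqrt(n)):
        attempts += 1
        if n % p == 0:
            return p, n // p, attempts
    return n, 1, attempts                       # n itself is prime (or 1)


if __name__ == "__main__":
    p, q = 757, 769
    n = p * q                                   # the easy direction
    print(f"{p} * {q} = {n}")
    print(trial_division(n))                    # the hard direction: (757, 769, 134)
```

The attempt count grows with the number of primes below the square root of n, which is why doubling the size of the primes (in digits) multiplies the work for this naive method by an enormous factor; modern factoring algorithms are far better than trial division but are still superpolynomial.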
What type of system is intentionally exposed to attackers in an attempt to lure them out? A. Honeypot B. Bastion host C. Web server D. Database server
A. Honeypot Explanation: Honeypots are sacrificial hosts and services deployed at the edges of a network to act as bait for potential hacking attacks. Typically, you configure these systems to appear real.
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?
Acceptability
During what phase of a remote access connection does the end user prove his or her claim of identity?
Authentication
During which phase of the access control process does the system answer the question,"What can the requestor access?"
Authorization
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?
Authorization
In an accreditation process, who has the authority to approve a system for implementation?
Authorizing official (AO)
Which type of virus targets computer hardware and software startup functions? A. Hardware infector B. System infector C. File infector D. Data infector
B. System infector: Virus Explanation: There are three primary types of viruses. System infectors target computer hardware and software startup functions. File infectors attack and modify executable programs (such as COM, EXE, SYS, and DLL files in Microsoft Windows). Data infectors attack document files containing embedded macro programming capabilities.
Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)? Covered entity as a health plan Covered entity as a healthcare clearinghouse Covered entity as a provider Business associate of a covered entity
Business associate of a covered entity
Brian would like to conduct a port scan against his systems to determine how they look from an attacker's viewpoint. What tool can he use for this purpose? A. Ping B. Simple Network Management Protocol (SNMP) agent C. Nmap D. Remote Access Tool (RAT)
C. Nmap: Port-Scanning and Port-Mapping Tools
What type of malicious software allows an attacker to remotely control a compromised computer? A. Worm B. Polymorphic virus C. Remote Access Tool (RAT) D. Armored virus
C. Remote Access Tool (RAT): Maintaining Access Using a Remote Administration Tool Explanation: A RAT is a Trojan that, when executed, enables an attacker to remotely control and maintain access to a compromised computer.
Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time? A. Certificate revocation list (CRL) B. International Data Encryption Algorithm (IDEA) C. Transport Layer Security (TLS) D. Online Certificate Status Protocol (OCSP)
D. Online Certificate Status Protocol (OCSP): Asymmetric Key Solutions Explanation: OCSP lets a relying party query the CA (or its OCSP responder) for the current status of a single certificate at the moment it is used, so a revocation takes effect as soon as the responder reports it. A certificate revocation list (CRL), by contrast, is published periodically, and clients may rely on a cached copy until the next list is issued.
Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?
Data ownership
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
Discretionary access control (DAC)
Which risk is most effectively mitigated by an upstream Internet service provider (ISP)?
Distributed denial of service (DDoS)
What type of security communication effort focuses on a common body of knowledge? Emails Acceptable use policy (AUP) Education Professional development
Education
Which technology category would NOT likely be the subject of a standard published by the International Electrotechnical Commission (IEC)? Semiconductors Solar energy Encryption Consumer appliances
Encryption
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?
Enforcing the integrity of computer-based information
Which organization creates information security standards that specifically apply within the European Union? International Telecommunication Union (ITU) American National Standards Institute (ANSI) European Telecommunications Standards Institute (ETSI) Cyber Security Technical Committee (TC CYBER) Institute of Electrical and Electronics Engineers (IEEE)
European Telecommunications Standards Institute (ETSI) Cyber Security Technical Committee (TC CYBER)
Which security testing activity uses tools that scan for services running on systems?
Network mapping
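What a port scanner such as Nmap does at the simplest level, as an added example rather than Nmap's own code: a TCP connect scan, which reports a port open when the three-way handshake completes. So that it runs offline, the demo opens a listening socket on the loopback interface as a stand-in for a real service and scans the ports around it.

```python
"""Minimal TCP connect scan (the technique behind port-scanning and
network-mapping tools). Added example; the loopback listener is a
stand-in for a service on a real host."""
from __future__ import annotations

import socket


def scan_ports(host: str, ports, timeout: float = 0.2) -> list[int]:
    """Return the subset of `ports` on `host` that accept a TCP connection.
    connect_ex() returns 0 when the handshake completes (port open); any
    other value means closed, filtered, or timed out."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def demo_scan() -> tuple[int, list[int]]:
    """Start a loopback listener on an OS-chosen port, scan a window of
    ports around it, and return (listener_port, ports_found_open)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick one
        srv.listen(5)                       # handshakes complete in the backlog
        listener_port = srv.getsockname()[1]
        window = range(max(1, listener_port - 5), min(65535, listener_port + 5) + 1)
        found = scan_ports("127.0.0.1", window)
    return listener_port, found


if __name__ == "__main__":
    port, found = demo_scan()
    print(f"listener on {port}; open ports seen by the scan: {found}")
```

A connect scan is noisy (every probe appears in the target's logs) and slow at the default timeout; real tools use half-open SYN scans, parallelism, and service fingerprinting on top of this basic idea.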
Bob recently accepted a position as the information security and compliance manager for a medical practice. Which regulation is likely to most directly apply to Bob's employer?
Health Insurance Portability and Accountability Act (HIPAA)
Vincent recently went to work for a hospital system. He is reading about various regulations that apply to his new industry. What law applies specifically to health records? Health Insurance Portability and Accountability Act (HIPAA) Sarbanes-Oxley (SOX) Act Payment Card Industry Data Security Standard (PCI DSS) Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)?
Health monitoring
Hilda is troubleshooting a problem with the encryption of data.
Presentation Layer of the Open Systems Interconnection (OSI) Reference Model
Which recovery site option provides readiness in minutes to hours?
Hot site
Which Internet of Things (IoT) challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion?
Interoperability
What level of technology infrastructure should you expect to find in a cold site alternative data center facility?
No technology infrastructure
Which one of the following is an example of a logical access control?
Password
Which formula is typically used to describe the components of information security risks?
Risk = Threat × Vulnerability
What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4016? Senior System Managers System Administrators Information Assurance Officers Risk Analysts
Risk Analysts
Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register?
Risk survey results
Rules can limit the bandwidth from hosts, reducing the ability for any one host to flood a network.
Flood guard
Which intrusion detection system strategy relies upon pattern matching?
Signature detection
A certificate of completion is a document that is given to a student upon completion of a continuing education program and is signed by the instructor. True False
True
Allie is working on the development of a web browser and wants to make sure that the browser correctly implements the Hypertext Markup Language (HTML) standard. What organization's documentation should she turn to for the authoritative source of information? International Electrotechnical Commission (IEC) National Institute of Standards and Technology (NIST) World Wide Web Consortium (W3C) Internet Engineering Task Force (IETF)
World Wide Web Consortium (W3C)
Which of the following is NOT one of the four fundamental principles outlined by the Internet Society that will drive the success of Internet of Things (IoT) innovation? a. Connect b. Secure c. Share d. Speak
b. Secure
Matthew captures traffic on his network and notices connections using ports 20, 22, 23, and 80. Which port normally hosts a protocol that uses secure, encrypted connections?
22
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?
An organization should share its information.
Donna is building a security awareness program designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS) 3.2. How often must she conduct training for all current employees? :Monthly Semi-annually Annually Biannually
Annually
What level of academic degree requires the shortest period of time to earn and does NOT require any other postsecondary degree as a prerequisite? Bachelor's degree Master's degree Doctoral degree Associate's degree
Associate's degree
Bob has a high-volume virtual private network (VPN). He would like to use a device that would best handle the required processing power.
VPN concentrator
Alice would like to send a message to Bob securely and wishes to encrypt the contents of the message. What key does she use to encrypt this message? A. Alice's public key B. Alice's private key C. Bob's public key D. Bob's private key
C. Bob's public key: Cryptography's Role in Information Security Explanation: If you encrypt a message to protect its confidentiality, you use the recipient's public key. Only the recipient can decrypt the message, using the corresponding private key. (Public-key encryption by itself does not prove who sent the message or that it was not altered in transit; that requires a digital signature made with the sender's private key.)
Which information security objective allows trusted entities to endorse information? A. Validation B. Authorization C. Certification D. Witnessing
C. Certification: Cryptographic Principles, Concepts, and Terminology Explanation: Certification allows for the endorsement of information by a trusted party. Witnessing is a similar concept, but it is verifying the action used to create an object or verify an object's existence and does not imply endorsement.
Yolanda would like to prevent attackers from using her network as a relay point for a smurf attack. What protocol should she block? A. Hypertext Transfer Protocol (HTTP) B. Transmission Control Protocol (TCP) C. Internet Control Message Protocol (ICMP) D. User Datagram Protocol (UDP)
C. Internet Control Message Protocol (ICMP): Smurf Attacks Explanation: In a smurf attack, attackers direct forged ICMP echo request packets to IP broadcast addresses from remote locations to generate denial of service (DoS) attacks. The source address is spoofed to the victim's, so every host on the broadcast network that answers sends its echo reply to the victim; the network whose broadcast address is targeted acts as the amplifier, which is the role Yolanda wants to prevent her network from playing.
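The amplifier-side check implied above, as an added example with constructed flow records (not captured traffic and not code from the page): flag ICMP echo requests addressed to the directed-broadcast address of a subnet you own, and count them by claimed source, since in a smurf attack the source is spoofed to the victim. The subnets and addresses below are documentation ranges chosen for the demo.

```python
"""Spotting smurf amplification in flow records. Added example; the
records are constructed and the subnet list is an assumption."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample records: (src, dst, protocol, icmp_type)
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.255", "icmp", 8),    # echo request to our broadcast
    ("198.51.100.9", "192.0.2.10", "icmp", 8),    # ordinary ping to one host
    ("192.0.2.10", "198.51.100.9", "icmp", 0),    # echo reply
    ("203.0.113.7", "192.0.2.255", "udp", None),  # broadcast, but not ICMP
    ("203.0.113.7", "10.9.9.255", "icmp", 8),     # broadcast of a subnet we don't own
    ("203.0.113.7", "10.0.0.255", "icmp", 8),     # echo request to our other broadcast
]

# Assumed: the subnets this network is responsible for.
LOCAL_SUBNETS = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/24")]


def find_smurf_amplification(flows, subnets):
    """Return the flows that are ICMP echo requests (type 8) addressed to
    the directed-broadcast address of one of `subnets`."""
    broadcast_addrs = {net.broadcast_address for net in subnets}
    return [
        f for f in flows
        if f[2] == "icmp" and f[3] == 8 and ip_address(f[1]) in broadcast_addrs
    ]


def likely_victims(flows, subnets) -> Counter:
    """Count flagged requests by claimed source address. Because the source
    is spoofed to the victim, the busiest source is the real target."""
    return Counter(f[0] for f in find_smurf_amplification(flows, subnets))


if __name__ == "__main__":
    for flow in find_smurf_amplification(SAMPLE_FLOWS, LOCAL_SUBNETS):
        print("possible smurf relay:", flow)
    print("claimed sources (probable victims):", likely_victims(SAMPLE_FLOWS, LOCAL_SUBNETS))
```

Blocking ICMP at the border stops the relay, but the more targeted fix is to stop routers from forwarding directed broadcasts at all (RFC 2644), which most routers now do by default.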
Bob is developing a web application that depends upon a database backend. What type of attack could a malicious individual use to send commands through his web application to the database? A. Cross-site scripting (XSS) B. XML injection C. SQL injection D. LDAP injection
C. SQL injection: Injection Explanation: SQL injection targets applications that depend on data stored in databases. SQL fragments entered into an input field are concatenated into a query and executed by the database on the application's behalf. Successful injection lets attackers disclose or modify data, violate data integrity, destroy data, or manipulate the database server itself. The defense is to keep user input out of the statement text: use parameterized queries or prepared statements rather than string concatenation.
What is NOT a typical sign of virus activity on a system? A. Unexplained decrease in available disk space B. Unexpected error messages C. Unexpected power failures D. Sudden sluggishness of applications
C. Unexpected power failures: Evidence of Virus Code Activities Explanation: Unexpected power failures are normally a sign of some type of hardware problem and are not indicative of virus activity on a system.
Colin is a software developer. He would like to earn a credential that demonstrates to employers that he is well educated on software security issues. What certification would be most suitable for this purpose? Certified Information Systems Security Professional (CISSP) Certified Secure Software Lifecycle Professional (CSSLP) Certified Cyber Forensics Professional (CCFP) HealthCare Certified Information Security Privacy Practitioner (HCISPP)
Certified Secure Software Lifecycle Professional (CSSLP)
What is NOT a common endpoint for a virtual private network (VPN) connection used for remote network access?
Content filter
Forensics and incident response are examples of __________ controls.
Corrective
Maya is creating a computing infrastructure compliant with the Payment Card Industry Data Security Standard (PCI DSS). What type of information is she most likely trying to protect? Health records Credit card information Educational records Trade secrets
Credit card information
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank Y? Customer Covered entity Business associate Consumer
Customer
Larry recently viewed an auction listing on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Larry likely encountered? A. SQL injection B. Command injection C. XML injection D. Cross-site scripting (XSS)
D. Cross-site scripting (XSS): Injection Explanation: XSS attacks allow attackers to embed client-side scripts into webpages that other users view. When a user views such a page, the browser runs the attacker's script with the privileges of the site's origin, so it can read session data, alter the page, or, as in Larry's case, display a fake password prompt. These scripts can be used to bypass access controls. The impact depends on how sensitive the data on the vulnerable site are; the standard defense is to encode untrusted data for the context in which it is output.
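The listing page from Larry's scenario, as an added example (not from the page): the vulnerable version interpolates an attacker-supplied title straight into HTML, while the hardened version applies context-appropriate output encoding with the standard library. The payload is constructed to mimic the fake password prompt.

```python
"""Reflected XSS: raw interpolation versus output encoding.
Added example; the listing title is a constructed payload."""
import html

# Constructed: a listing title that, if rendered raw, pops a password prompt.
PAYLOAD = '<script>prompt("Session expired - enter your password")</script>'


def render_vulnerable(title: str) -> str:
    """Untrusted text dropped straight into the document body."""
    return f"<h1>Listing: {title}</h1>"


def render_safe(title: str) -> str:
    """html.escape turns <, >, & and (with quote=True) both quote characters
    into entities, so the browser displays the payload as text instead of
    executing it. quote=True matters for the attribute context below."""
    safe = html.escape(title, quote=True)
    return f'<h1>Listing: {safe}</h1>\n<input name="q" value="{safe}">'


def contains_live_script(rendered: str) -> bool:
    """Crude check used by the demo: is there an unencoded <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
```

Encoding on output, not on input, is the point: the same stored string needs HTML-entity encoding in the page body, attribute encoding inside quoted attributes, and JavaScript or URL encoding elsewhere, so the escaping must be chosen where the data is emitted.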
What is NOT a common motivation for attackers? A. Money B. Fame C. Revenge D. Fear
D. Fear: What Motivates Attackers? Explanation: The four main motivations for attackers are money, fame, a desire to impose political beliefs on others, and revenge.
What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature? A. Elliptic curve B. Decryption C. Encryption D. Hash
D. Hash: Hash Functions Explanation: Hash functions map any input to a fixed-length output, and finding two inputs with the same output is designed to be computationally infeasible. This hash value, also known as a message digest, is what the signer encrypts with the private key to create a digital signature.
When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve? A. Confidentiality B. Integrity C. Authentication D. Nonrepudiation
D. Nonrepudiation Explanation: Nonrepudiation enables you to prevent a party from denying a previous statement or action. Using asymmetric key cryptography, you can prove mathematically—usually to the satisfaction of a judge or jury—that a particular party did indeed originate a specific message at a specific time.
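The three asymmetric-key cards above (encrypting to Bob with his public key, signing a hash with the sender's private key, and nonrepudiation), worked through in one added example. This is textbook RSA written for illustration, not the page's code: it uses fixed, publicly known Mersenne primes so the output is reproducible, and it omits the OAEP/PSS padding that real implementations require, so it must not be used for anything but study.

```python
"""Textbook RSA: encrypt with the recipient's public key; sign the SHA-256
digest with the sender's private key; anyone with the public key verifies.
Added example; unpadded and built on fixed primes, for study only."""
import hashlib

# Assumed demo primes (2**127-1, 2**521-1, 2**107-1, 2**607-1 are Mersenne
# primes). Real keys use random primes of roughly 1024 bits or more each.
BOB_PRIMES = (2**127 - 1, 2**521 - 1)
GARY_PRIMES = (2**107 - 1, 2**607 - 1)
E = 65537


def make_keypair(p: int, q: int, e: int = E):
    """Return (public, private) as (e, n) and (d, n). Computing d needs
    phi(n) = (p-1)(q-1), i.e. the factorization of n: that is the trapdoor."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                       # modular inverse of e
    return (e, n), (d, n)


def encrypt(public, message: bytes) -> int:
    """Alice -> Bob: uses Bob's PUBLIC key. Message must be smaller than n."""
    e, n = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    """Only Bob's PRIVATE key undoes the encryption. (Leading zero bytes of
    the plaintext are not preserved by this toy encoding.)"""
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, message: bytes) -> int:
    """Hash first, then apply the signer's PRIVATE key to the fixed-length digest."""
    d, n = private
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone holding the signer's PUBLIC key can check the signature, which
    is what lets Patricia show Sue (or a judge) that Gary signed it."""
    e, n = public
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


if __name__ == "__main__":
    bob_pub, bob_priv = make_keypair(*BOB_PRIMES)
    gary_pub, gary_priv = make_keypair(*GARY_PRIMES)
    c = encrypt(bob_pub, b"meet at noon")              # confidentiality
    print(decrypt(bob_priv, c))
    sig = sign(gary_priv, b"approve the transfer")     # nonrepudiation
    print(verify(gary_pub, b"approve the transfer", sig))
    print(verify(gary_pub, b"approve the transfer!", sig))
```

Recovering Gary's private exponent from his public key would require factoring n to obtain phi(n), which is the hard problem from the factoring card above; that asymmetry is what makes a valid signature evidence that the private-key holder, and nobody else, produced it.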
What is the highest level of academic degree that may be earned in the field of information security? Bachelor of science (BS) Master of business administration (MBA) Doctor of philosophy (PhD) Master of science (MS)
Doctor of philosophy (PhD)
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?
Does the firewall properly block unsolicited network connection attempts?
Tonya is working with a team of subject matter experts to diagnose a problem with her system. The experts determine that the problem likely resides at the Presentation Layer of the Open Systems Interconnection (OSI) model. Which technology is the most likely suspect? User interface Encryption Routing Signaling
Encryption
Which one of the following is an example of a direct cost that might result from a business disruption?
Facility repair
A business impact analysis (BIA) details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations.
False
A hardened configuration is a system that has had unnecessary services enabled.
False
Advantages of self-study programs include self-motivation, low-cost, and interaction with other students or an instructor. True False
False
Special Publications (SPs) are standards created by the National Institute of Standards and Technology (NIST). True False
False
The National Institute of Standards and Technology (NIST) is the main United Nations agency responsible for managing and promoting information and technology issues. True False
False
Under the Gramm-Leach-Bliley Act (GLBA), a customer is any person who gets a consumer financial product or service from a financial institution. True False
False
What compliance regulation applies specifically to the educational records maintained by schools about students?
Family Education Rights and Privacy Act (FERPA)
What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)? Family Policy Compliance Office (FPCO) Department of Defense (DOD) Federal Communications Commission (FCC) Federal Trade Commission (FTC)
Family Policy Compliance Office (FPCO)
Which of the following agencies is NOT involved in the Gramm-Leach-Bliley Act (GLBA) oversight process? Securities and Exchange Commission (SEC) Federal Trade Commission (FTC) Federal Deposit Insurance Corporation (FDIC) Federal Communications Commission (FCC)
Federal Communications Commission (FCC)
Which compliance obligation includes security requirements that apply specifically to federal government agencies in the United States?
Federal Information Security Management Act (FISMA)
What certification organization began as an offshoot of the SANS Institute training programs? International Information Systems Security Certification Consortium, Inc. (ISC)2 CompTIA Certified Internet Webmaster (CIW) Global Information Assurance Certification (GIAC)
Global Information Assurance Certification (GIAC)
Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers?
HIPAA
Gary is troubleshooting a security issue on an Ethernet network and would like to look at the Ethernet standard. What publication should he seek out? NIST 800-53 IEEE 802.3 ANSI x.1199 ISO 17799
IEEE 802.3
What is a set of concepts and policies for managing IT infrastructure, development and operations?
IT Infrastructure Library (ITIL)
Which one of the following is NOT a good technique for performing authentication of an end user?
Identification number
Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity?
Incident
Fran is interested in learning more about the popular Certified Ethical Hacker (CEH) credential. What organization should she contact? High Tech Crime Network International Council of E-Commerce Consultants (EC-Council) Software Engineering Institute - Carnegie Mellon University The International Society of Forensic Computer Examiners
International Council of E-Commerce Consultants (EC-Council)
Which of the following would NOT be considered in the scope of organizational compliance efforts?
Laws
Which of the following is NOT a benefit of cloud computing to organizations?
Lower dependence on outside vendors
Which of the following is an example of a hardware security control?
MAC filtering
Helen is an experienced information security professional who earned a four-year degree while a full-time student. She would like to continue her studies on a part-time basis. What is the next logical degree for Helen to earn? Bachelor's degree Master's degree Doctoral degree Associate's degree
Master's degree
Which one of the following is an example of a reactive disaster recovery control?
Moving to a warm site
What government agency sponsors the National Centers of Academic Excellence (CAE) for the Cyber Operations Program? National Security Agency (NSA) Central Intelligence Agency (CIA) Federal Bureau of Investigation (FBI) National Institute of Standards and Technology (NIST)
National Security Agency (NSA)
__________ is used when it's not as critical to detect and respond to incidents immediately.
Non-real-time monitoring
Norm recently joined a new organization. He noticed that the firewall technology used by his new firm opens separate connections between the devices on both sides of the firewall.
Application proxying
Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed?
Preventative
Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?
Prudent
Which of the following is an example of a level of permissiveness?
Prudent, permissive, promiscuous, paranoid
What is NOT a goal of information security awareness programs?
Punish users who violate policy
Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis?
Qualitative
What type of publication is the primary working product of the Internet Engineering Task Force (IETF)? Special Publication (SP) Request for comment (RFC) ISO standard Public service announcement (PSA)
Request for comment (RFC)
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?
Secure Sockets Layer (SSL)
Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?
Security information and event management (SIEM)
Helen has no experience in security. She would like to earn a certification that demonstrates that she has the basic knowledge necessary to work in the information security field. What certification would be an appropriate first step for her? Certified Information Systems Security Professional (CISSP) GIAC Security Expert (GSE) Security+ CompTIA Advanced Security Practitioner (CASP)
Security+
What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4012? Senior System Managers System Administrators Information Assurance Officers Risk Analysts
Senior System Managers
In __________ methods, the IDS compares current traffic with activity patterns consistent with those of a known network intrusion via pattern matching and stateful matching.
Signature-based
Which one of the following is an example of two-factor authentication?
Smart card and personal identification number (PIN)
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?
System integrity monitoring
Ben is working toward a position as a senior security administrator and would like to earn his first International Information Systems Security Certification Consortium, Inc. (ISC) 2 certification. Which certification is most appropriate for his needs? Systems Security Certified Practitioner (SSCP) Certified Information Systems Security Professional (CISSP) Certified Secure Software Lifecycle Professional (CSSLP) Certified Cloud Security Professional (CCSP)
Systems Security Certified Practitioner (SSCP)
Henry would like to create a different firewall rule that allows encrypted web traffic to reach a web server.
Hypertext Transfer Protocol over TLS/SSL (HTTPS), Transmission Control Protocol (TCP) port 443
A GIAC credential holder may submit a technical paper that covers an important area of information security. If the paper is accepted, it adds the Gold credential to the base GIAC credential. True False
True
A certification is an official statement that validates that a person has satisfied specific job requirements. True False
True
A control limits or constrains behavior.
True
A man-in-the-middle attack takes advantage of the multihop process used by many types of networks. True False
True
A successful business impact analysis (BIA) maps the context, the critical business functions, and the processes on which they rely.
True
American National Standards Institute (ANSI) was formed in 1918 through the merger of five engineering societies and three government agencies. True False
True
CompTIA Security+ is an entry-level security certification. True False
True
Juniper Networks offers vendor-specific certifications. True False
True
Master's programs are generally broad and don't focus on a particular field of study. True False
True
Most professional certifications require certification holders to pursue additional education each year to keep their certifications current. True False
True
Nearly any college or university can offer an information systems security or cybersecurity-related degree program once it obtains accreditation for the curriculum from that state's board of education. True False
True
Organizations should seek a balance between the utility and cost of various risk management options.
True
RSA is a global provider of security, risk, and compliance solutions for enterprise environments. True False
True
Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than just in individual packets.
True
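The signature-detection cards above (pattern matching, and stateful matching across several packets) as an added example, not code from the page: a per-packet matcher misses a signature that straddles a packet boundary, while a matcher that carries the tail of the previous payload forward still catches it. The packets and the signature are constructed for the demo.

```python
"""Signature matching: per packet versus stateful across a stream.
Added example; packets and signature are constructed."""
from __future__ import annotations

# Made-up signature for the demo: a path traversal to /etc/passwd.
SIGNATURE = b"/etc/passwd"

# Constructed: (sequence number, payload). The request is split so the
# signature straddles the boundary between packets 1 and 2.
PACKETS = [
    (1, b"GET /cgi-bin/view?file=../../et"),
    (2, b"c/passwd HTTP/1.1\r\n"),
    (3, b"Host: victim.example\r\n\r\n"),
]


def match_per_packet(packets, signature: bytes) -> list[int]:
    """Stateless pattern matching: each payload inspected on its own.
    Returns the sequence numbers of packets containing the signature."""
    return [seq for seq, payload in packets if signature in payload]


def match_stateful(packets, signature: bytes) -> list[int]:
    """Stateful matching: process packets in sequence order and keep the last
    len(signature)-1 bytes of the previous payload, which is exactly enough
    history to bridge any split. Returns the sequence numbers of the packets
    that complete a match."""
    hits = []
    carry = b""
    keep = len(signature) - 1
    for seq, payload in sorted(packets):      # reassemble by sequence number
        window = carry + payload
        if signature in window:
            hits.append(seq)
        carry = window[-keep:] if keep > 0 else b""
    return hits


if __name__ == "__main__":
    print("per-packet:", match_per_packet(PACKETS, SIGNATURE))   # []
    print("stateful:  ", match_stateful(PACKETS, SIGNATURE))     # [2]
```

A real IDS also has to handle out-of-order delivery, retransmissions, and overlapping segments, which is why attackers target the reassembly logic itself with fragmentation and overlap tricks; the carry-over here is the minimum that makes the signature visible at all.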
Security awareness training should remind employees to ensure confidentiality by not leaving any sensitive information or documents on their desks. True False
True
The purpose of continuing education is to provide formal training courses that lead to a certificate or professional certification and NOT a degree. True False
True
The recovery point objective (RPO) can come from the business impact analysis or sometimes from a government mandate, such as banking laws.
True
Visa, MasterCard, and other payment card vendors helped to create the Payment Card Industry Data Security Standard (PCI DSS). True False
True
Which one of the following is NOT a commonly accepted best practice for password security?
Use at least six alphanumeric characters.
Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?
Warm site
Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime?
Warm site
What file type is least likely to be impacted by a file infector virus? a. .exe b. .docx c. .com d. .dll
b. .docx
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?
$20,000 (ALE = SLE × ARO = $2,000,000 × 0.01)
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)?
$2,000,000
What term describes the risk that exists after an organization has performed all planned countermeasures and controls?
Residual risk
The Internet Architecture Board (IAB) is a subcommittee of the IETF. True False
True
David would like to connect a Fibre Channel storage device to systems over a standard data network.
Fibre Channel over Ethernet (FCoE)
All request for comments (RFC) originate from the Internet Engineering Task Force (IETF). True False
False
Information Systems Security Certification Consortium, Inc. (ISC)2 is the baseline for federal and DoD work-role definitions. True False
False
Under the Health Insurance Portability and Accountability Act (HIPAA), a security incident is any impermissible use or disclosure of unsecured PHI that harms its security or privacy. True False
False
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
Separation of duties
Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?
Separation of duties
The International Electrotechnical Commission (IEC) was instrumental in the development of standards for electrical measurements, including gauss, hertz, and weber. True False
True
The International Organization for Standardization (ISO) organizes its standards by both the International Classification for Standards (ICS) and the Technical Committee (TC) to which it assigns each standard. True False
True
The National Institute of Standards and Technology (NIST) 800 Series publications cover all NIST-recommended procedures for managing information security. True False
True
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?
Waterfall
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the service set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place? a. Evil twin b. Wardriving c. Bluesnarfing d. Replay attack
a. Evil twin
What information should an auditor share with the client during an exit interview?
Details on major issues
Which organization created a standard version of the widely used C programming language in 1989? Institute of Electrical and Electronics Engineers (IEEE) International Organization for Standardization (ISO) American National Standards Institute (ANSI) European Telecommunications Standards Institute (ETSI)
American National Standards Institute (ANSI)
Alan uses an ATM belonging to Bank X to withdraw cash from his account with Bank Y. What is Alan's relationship with Bank X? Owner Covered entity Business associate Consumer
Consumer
Payment Card Industry Data Security Standard (PCI DSS) version 3.2 defines 12 requirements for compliance, organized into six groups, called control objectives. True False
True
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor?
20 percent
Juan's web server was down for an entire day last September. It experienced no other downtime during that month. Which one of the following represents the web server uptime for that month?
96.67%
Erin is a system administrator for a federal government agency. What law contains guidance on how she may operate a federal information system? Family Educational Rights and Privacy Act (FERPA) Federal Information Security Management Act (FISMA) Gramm-Leach-Bliley Act (GLBA) Sarbanes-Oxley (SOX) Act
Federal Information Security Management Act (FISMA)
How many years of specialized experience are required to earn one of the Certified Information Systems Security Professional (CISSP) concentrations? Two Three Four Five
Two
Federal agencies are required to name a senior official in charge of information security. What title is normally given to these individuals? Chief information officer (CIO) Chief technology officer (CTO) Chief information security officer (CISO) Chief financial officer (CFO)
Chief information security officer (CISO)
Betty visits a local library with her young children. She notices that someone using a computer terminal in the library is visiting pornographic websites. What law requires that the library filter offensive web content for minors? Children's Online Privacy Protection Act (COPPA) Sarbanes-Oxley Act (SOX) Family Educational Rights and Privacy Act (FERPA) Children's Internet Protection Act (CIPA)
Children's Internet Protection Act (CIPA)
Yolanda would like to prevent attackers from using her network as a relay point for a smurf attack. What protocol should she block? a. Hypertext Transfer Protocol (HTTP) b. Transmission Control Protocol (TCP) c. Internet Control Message Protocol (ICMP) d. User Datagram Protocol (UDP)
c. Internet Control Message Protocol (ICMP)
Brian would like to conduct a port scan against his systems to determine how they look from an attacker's viewpoint. What tool can he use for this purpose? a. Ping b. Simple Network Management Protocol (SNMP) agent c. Nmap d. Remote Access Tool (RAT)
c. Nmap
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Baseline
Which security model does NOT protect the integrity of information?
Bell-LaPadula
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
Business continuity plan (BCP)
The CEO of Kelly's company recently fell victim to an attack. The attackers sent the CEO an email informing him that his company was being sued and he needed to view a subpoena at a court website. When visiting the website, malicious code was downloaded onto the CEO's computer. What type of attack took place? A. Spear phishing B. Pharming C. Adware D. Command injection
A. Spear phishing Explanation: This scenario is a classic example of a spear phishing attack, highly targeted at an individual and including information about the company.
Donna is building a security awareness program designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS) 3.2. How often must she conduct training for all current employees? Monthly Semi-annually Annually Biannually
Annually
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature? A. Alice's public key B. Alice's private key C. Bob's public key D. Bob's private key
B. Alice's private key: Digital Signatures Explanation: The sender of a message uses his or her own private key to encrypt a hash of the message. This encrypted value is the digital signature.
Jake has been asked to help test the business continuity plan at an offsite location while the system at the main location is shut down. He is participating in a parallel test.
False
The Centers for Medicare & Medicaid Services (CMS) investigates and responds to complaints from people who claim that a covered entity has violated the Health Insurance Portability and Accountability Act (HIPAA). True False
False
The Certified Secure Software Lifecycle Professional (CSSLP) credential measures the knowledge and skills necessary for professionals involved in the process of authorizing and maintaining information systems. True False
False
The National Institute of Standards and Technology (NIST) is a nongovernmental organization whose goal is to develop and publish international standards. True False
False
The National Institute of Standards and Technology (NIST) publishes the IEEE 802 LAN/MAN standard family. True False
False
The skills necessary to manage a technical environment are the same as the skills necessary to perform technical work. True False
False
The standard bachelor's designation is a two-year degree program. True False
False
Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need?
Mantraps
Which element is NOT a core component of the ISO 27002 standard? Risk assessment Cryptography Asset management Access control
Cryptography
Which classification level is the highest level used by the U.S. federal government?
Top Secret
An alteration threat violates information integrity. True False
True
ISO/IEC 27002 provides organizations with best-practice recommendations on information security management. True False
True
The (ISC)2 Systems Security Certified Practitioner (SSCP) credential covers the seven domains of best practices for information security. True False
True
When servers need operating system upgrades or patches, administrators take them offline intentionally so they can perform the necessary work without risking malicious attacks. True False
True
Which type of attack against a web application uses a newly discovered vulnerability that is not patchable? a. SQL injection b. Cross-site scripting c. Cross-site request forgery d. Zero-day attack
d. Zero-day attack
Which activity manages the baseline settings for a system or device?
Configuration control
What is the first step in a disaster recovery effort?
Ensure that everyone is safe.
Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature? A. Alice's public key B. Alice's private key C. Bob's public key D. Bob's private key
A. Alice's public key: Digital Signatures Explanation: The recipient of a digitally signed message uses the sender's public key to verify that the digital signature is authentic.
An audit examines whether security controls are appropriate, installed correctly, and __________.
Addressing their purpose
Mary is designing a software component that will function at the Presentation Layer of the Open Systems Interconnection (OSI) model. What other two layers of the model will her component need to interact with? Network and Session Session and Transport Application and Session Application and Transport
Application and Session
Which security control is most helpful in protecting against eavesdropping on wireless LAN (WLAN) data transmissions that would jeopardize confidentiality?
Applying strong encryption
Taylor is a security professional working for a retail organization. She is hiring a firm to conduct the Payment Card Industry Data Security Standard (PCI DSS) required quarterly vulnerability scans. What credential should she seek in a vendor? Qualified security assessor (QSA) Self-assessment vendor (SAV) Approved scanning vendor (ASV) Independent Scanning Assessor (ISA)
Approved scanning vendor (ASV)
What is NOT a good practice for developing strong professional ethics?
Assume that information should be free
Which of the following is NOT a role described in DoD Directive 8140, which covers cyber security training? Attack Protect and defend Operate and maintain Investigate
Attack
Howard is leading a project to commission a new information system that will be used by a federal government agency. He is working with senior officials to document and accept the risk of operation prior to allowing use. What step of the risk management framework is Howard completing? Implement security controls in IT systems. Assess security controls for effectiveness. Authorize the IT system for processing. Continuously monitor security controls.
Authorize the IT system for processing.
What program, released in 2013, is an example of ransomware? A. BitLocker B. Crypt0L0cker C. FileVault D. CryptoVault
B. Crypt0L0cker: Ransomware Explanation: One of the first ransomware programs was Crypt0L0cker, which was released in 2013. With ransomware, the attacker generally alerts the users to the restrictions and demands a payment to restore full access. The demand for a payment, or ransom, gives this type of malware its name.
What is NOT one of the four main purposes of an attack? A. Denial of availability B. Data import C. Data modification D. Launch point
B. Data import: The Purpose of an Attack Explanation: The four main purposes of an attack are denial of availability, data modification, data export, and as a launch point.
Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve? A. Confidentiality B. Integrity C. Authentication D. Nonrepudiation
B. Integrity Explanation: Integrity ensures that no one, not even the sender, changes information after transmitting it. If a message doesn't decrypt properly, someone or something probably changed the ciphertext in transit.
What is NOT an effective key distribution method for plaintext encryption keys? A. Paper B. Unencrypted email C. CD D. Smart card
B. Unencrypted email: Key Distribution Explanation: When using email as a key transport mechanism, the email itself must be encrypted using a strong key; otherwise, an attacker could intercept the key and use it to eavesdrop on future communications.
Betty receives a ciphertext message from her colleague Tim. What type of function does Betty need to use to read the plaintext message? A. Encryption B. Hashing C. Decryption D. Validation
C. Decryption: What Is Cryptography? Explanation: Decryption is the process of unscrambling ciphertext into plaintext. Encryption is the process of scrambling plaintext into ciphertext.
Which type of cipher works by rearranging the characters in a message? A. Substitution B. Steganographic C. Transposition D. Asymmetric
C. Transposition: Transposition Ciphers Explanation: A transposition cipher does not alter the characters in a message. Instead, it rearranges them using a complex pattern and requires that the receiver unscramble them following the reverse pattern.
Richard would like to earn a certification that demonstrates his ability to manage the information security function. What certification would be most appropriate for Richard? Certified Information Security Manager (CISM) Certified Information Systems Auditor (CISA) Certified in the Governance of Enterprise IT (CGEIT) Certified in Risk and Information Systems Control (CRISC)
Certified Information Security Manager (CISM)
Which of the following circumstances would NOT trigger mandatory security training for a federal agency under Office of Personnel Management (OPM) guidelines? Change of senior leadership Change in security environment Change in security procedures Change in employee responsibilities
Change of senior leadership
Jody would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs?
Collaboration
What is NOT a valid encryption key length for use with the Blowfish algorithm? A. 32 bits B. 64 bits C. 256 bits D. 512 bits
D. 512 bits: Symmetric Key Standards Explanation: The Blowfish algorithm uses a symmetric encryption key with any length between 32 and 448 bits. A 512-bit key is too long for use with Blowfish.
Alice and Bob would like to communicate with each other using a session key but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key? A. Rivest, Shamir, Adelman (RSA) B. Message digest algorithm (MD5) C. Blowfish D. Diffie-Hellman
D. Diffie-Hellman: 20th-Century Cryptography Explanation: Using the Diffie-Hellman algorithm, the sender and receiver use asymmetric encryption to securely exchange symmetric keys. After the initial key exchange, each party can then use symmetric encryption to encrypt and decrypt data.
Val would like to limit the websites that her users visit to those on an approved list of pre-cleared sites. What type of approach is Val advocating? A. Blacklisting B. Context-based screening C. Packet filtering D. Whitelisting
D. Whitelisting: Staying Ahead of the Attackers Explanation: Whitelisting is maintaining a list of trusted sites. All messages and connection requests from sites not in the whitelist are ignored. Any site that you wish to use must be added to your whitelist before connections are allowed.
What is a key principle of risk management programs?
Don't spend more to protect an asset than it is worth.
Cisco offers certifications only at the Associate, Professional, and Expert levels. True False
False
DoD Directive 8570.01 is a voluntary certification requirement. True False
False
During the secure phase of a security review, you review and measure all controls to capture actions and changes on the system.
False
In general, security training programs are identical to security education programs with respect to their focus on skills and in their duration. True False
False
The Gramm-Leach-Bliley Act (GLBA) applies to the financial activities of both consumers and privately held companies. True False
False
The ISACA Certified in Risk and Information Systems Control (CRISC) certification targets security professionals who ensure that their organization satisfies IT governance requirements. True False
False
The International Standard Book Number (ISBN) is an IEEE standard. True False
False
The first step in the risk management process is to monitor and control deployed countermeasures.
False
The main goal of the Gramm-Leach-Bliley Act (GLBA) is to protect investors from financial fraud. True False
False
Trojans are self-contained programs designed to propagate from one host machine to another using the host's own network communications protocols. True False
False
With adequate security controls and defenses, an organization can often reduce its risk to zero.
False
Jonas is an experienced information security professional with a specialized focus on evaluating computers for evidence of criminal or malicious activity and recovering data. Which GIAC certification would be most appropriate for Jonas to demonstrate his abilities? GIAC Systems and Network Auditor (GSNA) GIAC Certified Forensic Examiner (GCFE) GIAC Certified Firewall Analyst (GCFW) GIAC Certified Penetration Tester (GPEN)
GIAC Certified Forensic Examiner (GCFE)
Gary is configuring a smartphone and is selecting a wireless connectivity method.
Wi-Fi Networks
Juan comes across documentation from his organization related to several information security initiatives using different standards as their reference. Which International Organization for Standardization (ISO) standard provides current guidance on information security management? ISO 17799 ISO 9000 ISO 27002 ISO 14001
ISO 27002
Bill is conducting an analysis of a new IT service. He would like to assess it using the Open Systems Interconnection (OSI) model and would like to learn more about this framework. What organization should he turn to for the official definition of OSI? Ocean Surveillance Information System (OSIS) International Organization for Standardization (ISO) National Institute of Standards and Technology (NIST) Information Systems Audit and Control Association (ISACA)
International Organization for Standardization (ISO)
Karen would like to use a wireless authentication technology similar to that found in hotels where users are redirected to a webpage when they connect to the network.
Captive portal
Beth must purchase firewalls for several network circuits used by her organization. Which one circuit will have the highest possible network throughput?
OC-12
A security awareness program that focuses on an organization's Bring Your Own Device (BYOD) policy is designed to cover the use of what type of equipment? Servers Workstations Printers Personally owned device
Personally owned devices
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
Phishing
The review of the system to learn as much as possible about the organization, its systems, and networks is known as __________.
Reconnaissance
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
Recovery time objective (RTO)
Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take?
Reduce
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request?
SOC 3
Which element of the IT security policy framework provides detailed written definitions for hardware and software and how they are to be used?
Standard
Which one of the following principles is NOT a component of the Biba integrity model?
Subjects cannot change objects that have a lower integrity level.
Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer?
Supervisory Control and Data Acquisition (SCADA)
Examples of major disruptions include extreme weather, application failure, and criminal activity.
True
One requirement of the GIAC Security Expert (GSE) credential is that candidates must hold three GIAC credentials, with two of the credentials being Gold. True False
True
Bobbi recently discovered that an email program used within her healthcare practice was sending sensitive medical information to patients without using encryption. She immediately corrected the problem because it violated the company's security policy and standard rules. What level of the Health Insurance Portability and Accountability Act (HIPAA) violation likely took place? Tier A Tier B Tier C Tier D
Tier A
A common method for identifying what skills a security professional possesses is his or her level of certification. True False
True
Any component that, if it fails, could interrupt business processing is called a single point of failure (SPoF).
True
Defense Information Systems Agency (DISA) is the agency arm of the U.S. Department of Defense that provides information technology and communications support to the White House, Secretary of Defense, and all military sectors that contribute to the defense of the United States of America. True False
True
DoD and NSA have adopted several training standards to serve as a pathway to satisfy Directive 8140. Although they are called standards, they are really training requirements for specific job responsibilities. True False
True
The HealthCare Certified Information Security and Privacy Practitioner (HCISPP) credential recognizes the knowledge and skills necessary to perform and conduct security and privacy work for health care organizations. True False
True
The International Electrotechnical Commission (IEC) is the predominant organization for developing and publishing international standards for technologies related to electrical and electronic devices and processes. True False
True
The Office of Personnel Management (OPM) requires that federal agencies provide the training suggested by the National Institute of Standards and Technology (NIST) guidelines. True False
True
The main purpose of security training courses is to rapidly train students in one or more skills, or to cover essential knowledge in one or more specific areas. True False
True
While running business operations at an alternate site, you must continue to make backups of data and systems.
True
Val would like to isolate several systems belonging to the product development group from other systems on the network, without adding new hardware.
Virtual LANs (VLANs)
Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?
Vulnerability
When they receive a packet, they automatically retransmit it to all other ports.
Hubs
When they receive a packet, they look at the destination MAC address and forward it only to the port associated with that address.
Switches
Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet? a. Internet Society b. Internet Engineering Task Force c. Internet Association d. Internet Authority
b. Internet Engineering Task Force
Bob is developing a web application that depends upon a database backend. What type of attack could a malicious individual use to send commands through his web application to the database? a. Cross-site scripting (XSS) b. XML injection c. SQL injection d. LDAP injection
c. SQL injection
Which tool can capture the packets transmitted between systems over a network? a. Wardialer b. OS fingerprinter c. Port scanner d. Protocol analyzer
d. Protocol analyzer