Security Principles Exam 2
7. Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)? A. Seeking to gain unauthorized access to resources B. Disrupting intended use of the Internet C. Enforcing the integrity of computer-based information D. Compromising the privacy of users
C. Enforcing the integrity of computer-based information
7. What is a set of concepts and policies for managing IT infrastructure, development, and operations? A. ISO 27002 B. Control Objectives for Information and related Technology (COBIT) C. IT Infrastructure Library (ITIL) D. NIST Cybersecurity Framework (CSF)
C. IT Infrastructure Library (ITIL)
15. Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following? A. Least privilege B. Security through obscurity C. Need to know D. Separation of duties
D. Separation of duties
1. Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in? A. Monitor B. Audit C. Improve D. Secure
B. Audit
17. Which one of the following principles is NOT a component of the Biba integrity model? A. Subjects cannot read objects that have a lower level of integrity than the subject. B. Subjects cannot change objects that have a lower integrity level. C. Subjects at a given integrity level can call up only subjects at the same integrity level or lower. D. A subject may not ask for service from subjects that have a higher integrity level.
B. Subjects cannot change objects that have a lower integrity level.
17. Which security testing activity uses tools that scan for services running on systems? A. Reconnaissance B. Penetration testing C. Network mapping D. Vulnerability testing
C. Network mapping
20. Forensics and incident response are examples of __________ controls. A. detective B. preventive C. corrective D. deterrent
C. corrective
19. A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime. A. incident B. event C. disaster D. emergency
C. disaster
12. Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of? A. Intimidation B. Name dropping C. Appeal for help D. Phishing
D. Phishing
11. Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create? A. Baseline B. Policy C. Guideline D. Procedure
A. Baseline
2. Which of the following would NOT be considered in the scope of organizational compliance efforts? A. Laws B. Company policy C. Internal audit D. Corporate culture
A. Laws
10. Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take? A. Reduce B. Transfer C. Accept D. Avoid
A. Reduce
12. What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)? A. Secure European System for Applications in a Multi-Vendor Environment (SESAME) B. Lightweight Directory Access Protocol (LDAP) C. Security Assertion Markup Language (SAML) D. Kerberos
A. Secure European System for Applications in a Multi-Vendor Environment (SESAME)
16. Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore? A. 1 B. 2 C. 3 D. 4
B. 2
5. Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis? A. Quantitative B. Financial C. Qualitative D. Objective
C. Qualitative
18. In an accreditation process, who has the authority to approve a system for implementation? A. Certifier B. Authorizing official (AO) C. System owner D. System administrator
B. Authorizing official (AO)
1. Which one of the following is an example of a logical access control? A. Key for a lock B. Password C. Access card D. Fence
B. Password
9. Purchasing an insurance policy is an example of the ____________ risk management strategy. A. reduce B. transfer C. accept D. avoid
B. transfer
2. Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use? A. Promiscuous B. Permissive C. Prudent D. Paranoid
C. Prudent
11. Which one of the following is NOT an advantage of biometric systems? A. Biometrics require physical presence. B. Biometrics are hard to fake. C. Users do not need to remember anything. D. Physical characteristics may change.
D. Physical characteristics may change.
10. What is NOT a goal of information security awareness programs? A. Teach users about security objectives B. Inform users about trends and threats in security C. Motivate users to comply with security policy D. Punish users who violate policy
D. Punish users who violate policy
17. Which data source comes first in the order of volatility when conducting a forensic investigation? A. Logs B. Data files on disk C. Swap and paging files D. RAM
D. RAM
20. Which of the following is NOT a benefit of cloud computing to organizations? A. On-demand provisioning B. Improved disaster recovery C. No need to maintain a data center D. Lower dependence on outside vendors
D. Lower dependence on outside vendors
6. What is NOT a good practice for developing strong professional ethics? A. Set the example by demonstrating ethics in daily activities B. Encourage adopting ethical guidelines and standards C. Assume that information should be free D. Inform users through security awareness training
C. Assume that information should be free
2. During which phase of the access control process does the system answer the question, "What can the requestor access?" A. Identification B. Authentication C. Authorization D. Accountability
C. Authorization
1. Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing? A. Identification B. Authentication C. Accountability D. Authorization
D. Authorization
16. Which intrusion detection system strategy relies upon pattern matching? A. Behavior detection B. Traffic-based detection C. Statistical detection D. Signature detection
D. Signature detection
13. Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these types of classification decisions? A. Value B. Sensitivity C. Criticality D. Threat
D. Threat
20. In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete? A. Spiral B. Agile C. Lean D. Waterfall
D. Waterfall
18. Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting? A. Black-box test B. White-box test C. Grey-box test D. Blue-box test
A. Black-box test
8. Which audit data collection method helps ensure that the information-gathering process covers all relevant areas? A. Checklist B. Interviews C. Questionnaires D. Observation
A. Checklist
14. Which activity manages the baseline settings for a system or device? A. Configuration control B. Reactive change management C. Proactive change management D. Change control
A. Configuration control
17. Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data? A. Formatting B. Degaussing C. Physical destruction D. Overwriting
A. Formatting
8. Which one of the following is NOT a commonly accepted best practice for password security? A. Use at least six alphanumeric characters. B. Do not include usernames in passwords. C. Include a special character in passwords. D. Include a mixture of uppercase characters, lowercase characters, and numbers in passwords.
A. Use at least six alphanumeric characters.
8. Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)? A. $2,000 B. $20,000 C. $200,000 D. $2,000,000
B. $20,000
5. Which type of authentication includes smart cards? A. Knowledge B. Ownership C. Location D. Action
B. Ownership
12. Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed? A. Detective B. Preventive C. Corrective D. Deterrent
B. Preventive
15. What is the correct order of steps in the change control process? A. Request, approval, impact assessment, build/test, monitor, implement B. Request, impact assessment, approval, build/test, implement, monitor C. Request, approval, impact assessment, build/test, implement, monitor D. Request, impact assessment, approval, build/test, monitor, implement
B. Request, impact assessment, approval, build/test, implement, monitor
19. In what type of attack does the attacker send unauthorized commands directly to a database? A. Cross-site scripting B. SQL injection C. Cross-site request forgery D. Database dumping
B. SQL injection
13. Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network? A. Transmission Control Protocol/Internet Protocol (TCP/IP) B. Secure Sockets Layer (SSL) C. Domain Name System (DNS) D. Dynamic Host Configuration Protocol (DHCP)
B. Secure Sockets Layer (SSL)
11. What is NOT generally a section in an audit report? A. Findings B. System configurations C. Recommendations D. Timeline for Implementation
B. System configurations
12. What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system? A. Network IDS B. System integrity monitoring C. CCTV D. Data loss prevention
B. System integrity monitoring
7. Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)? A. $2,000 B. $20,000 C. $200,000 D. $2,000,000
D. $2,000,000
10. Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering? A. Accuracy B. Reaction time C. Dynamism D. Acceptability
D. Acceptability
13. Which of the following is an example of a hardware security control? A. NTFS permission B. MAC filtering C. ID badge D. Security policy
D. Security policy
9. Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing? A. Job rotation B. Least privilege C. Need-to-know D. Separation of duties
D. Separation of duties
14. What term describes the longest period of time that a business can survive without a particular critical system? A. Maximum tolerable downtime (MTD) B. Recovery time objective (RTO) C. Recovery point objective (RPO) D. Emergency operations center (EOC)
A. Maximum tolerable downtime (MTD)
6. Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor? A. 1 percent B. 10 percent C. 20 percent D. 50 percent
C. 20 percent
9. Which characteristic of a biometric system measures the system's accuracy using a balance of different error types? A. False acceptance rate (FAR) B. False rejection rate (FRR) C. Crossover error rate (CER) D. Reaction time
C. Crossover error rate (CER)
10. What information should an auditor share with the client during an exit interview? A. Draft copy of the audit report B. Final copy of the audit report C. Details on major issues D. The auditor should not share any information with the client at this phase
C. Details on major issues
13. Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need? A. Video surveillance B. Motion detectors C. Mantraps D. Biometrics
C. Mantraps
5. Which agreement type is typically less formal than other agreements and expresses areas of common interest? A. Service level agreement (SLA) B. Blanket purchase agreement (BPA) C. Memorandum of understanding (MOU) D. Interconnection security agreement (ISA)
C. Memorandum of understanding (MOU)
18. Which of the following does NOT offer authentication, authorization, and accounting (AAA) services? A. Remote Authentication Dial-In User Service (RADIUS) B. Terminal Access Controller Access Control System Plus (TACACS+) C. Redundant Array of Independent Disks (RAID) D. DIAMETER
C. Redundant Array of Independent Disks (RAID)
5. Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4
C. SOC 3
3. Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about? A. Identification B. Authentication C. Authorization D. Accountability
D. Accountability
7. Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value? A. Dictionary attack B. Rainbow table attack C. Social engineering attack D. Brute-force attack
D. Brute-force attack
18. Which recovery site option provides readiness in minutes to hours? A. Warm site B. Cold site C. Multiple sites D. Hot site
D. Hot site
3. Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity? A. Event B. Outage C. Incursion D. Incident
D. Incident
3. Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit? A. Is the level of security control suitable for the risk it addresses? B. Is the security control in the right place and working well? C. Is the security control effective in addressing the risk it was designed to address? D. Is the security control likely to become obsolete in the near future?
D. Is the security control likely to become obsolete in the near future?
11. What term describes the risk that exists after an organization has performed all planned countermeasures and controls? A. Total risk B. Business risk C. Transparent risk D. Residual risk
D. Residual risk
14. Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario? A. Discretionary access control (DAC) B. Mandatory access control (MAC) C. Rule-based access control D. Role-based access control (RBAC)
D. Role-based access control (RBAC)
15. Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work? A. Security information and event management (SIEM) B. Intrusion prevention system (IPS) C. Data loss prevention (DLP) D. Virtual private network (VPN)
A. Security information and event management (SIEM)
16. Which security model does NOT protect the integrity of information? A. Bell-LaPadula B. Clark-Wilson C. Biba D. Brewer and Nash
A. Bell-LaPadula
16. Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking? A. Project initiation and planning B. Functional requirements and definition C. System design specification D. Operations and maintenance
A. Project initiation and planning
6. Which item is an auditor least likely to review during a system controls audit? A. Resumes of system administrators B. Incident records C. Application logs D. Penetration test results
A. Resumes of system administrators
19. What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications? A. Security Assertion Markup Language (SAML) B. Secure European System for Applications in a Multi-Vendor Environment (SESAME) C. User Datagram Protocol (UDP) D. Password Authentication Protocol (PAP)
A. Security Assertion Markup Language (SAML)
15. Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime? A. Clustering B. Warm site C. Load balancing D. Redundant Array of Inexpensive Disks (RAID)
B. Warm site
4. Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type? A. Service level agreement (SLA) B. Blanket purchase agreement (BPA) C. Memorandum of understanding (MOU) D. Interconnection security agreement (ISA)
A. Service level agreement (SLA)
6. Which one of the following is an example of two-factor authentication? A. Smart card and personal identification number (PIN) B. Personal identification number (PIN) and password C. Password and security questions D. Token and smart card
A. Smart card and personal identification number (PIN)
4. Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer? A. Supervisory Control and Data Acquisition (SCADA) B. Embedded C. Mobile D. Mainframe
A. Supervisory Control and Data Acquisition (SCADA)
4. The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control. A. security kernel B. CPU C. memory D. co-processor
A. security kernel
3. Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve? A. Reduced operating costs B. Access to a high level of expertise C. Developing in-house talent D. Building internal knowledge
B. Access to a high level of expertise
8. What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)? A. An organization should collect only what it needs. B. An organization should share its information. C. An organization should keep its information up to date. D. An organization should properly destroy its information when it is no longer needed.
B. An organization should share its information.
9. Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit? A. Does the organization have an effective password policy? B. Does the firewall properly block unsolicited network connection attempts? C. Who grants approval for access requests? D. Is the password policy uniformly enforced?
B. Does the firewall properly block unsolicited network connection attempts?
1. What is a key principle of risk management programs? A. Security controls should be protected through the obscurity of their mechanisms. B. Don't spend more to protect an asset than it is worth. C. Apply controls in ascending order of risk. D. Risk avoidance is superior to risk mitigation.
B. Don't spend more to protect an asset than it is worth.
14. Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring? A. Remote administration error B. False positive error C. Clipping error D. False negative error
B. False positive error
19. When should an organization's managers have an opportunity to respond to the findings in an audit? A. Managers should write a report after receiving the final audit report. B. Managers should include their responses to the draft audit report in the final audit report. C. Managers should not have an opportunity to respond to audit findings. D. Managers should write a letter to the Board following receipt of the audit report.
B. Managers should include their responses to the draft audit report in the final audit report.
4. Which regulatory standard would NOT require audits of companies in the United States? A. Sarbanes-Oxley Act (SOX) B. Personal Information Protection and Electronic Documents Act (PIPEDA) C. Health Insurance Portability and Accountability Act (HIPAA) D. Payment Card Industry Data Security Standard (PCI DSS)
B. Personal Information Protection and Electronic Documents Act (PIPEDA)
20. Which activity is an auditor least likely to conduct during the information-gathering phase of an audit? A. Vulnerability testing B. Report writing C. Penetration testing D. Configuration review
B. Report writing
2. Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered? A. Threat B. Vulnerability C. Risk D. Impact
B. Vulnerability