CSC 470 Midterm Guide
Which of the following enables businesses to transform themselves into an Internet of Things (IoT) service offering?
Anything as a Service (AaaS) delivery model
Carl recently joined a new organization. He noticed that the firewall technology used by the firm opens separate connections between the devices on both sides of the firewall. What type of technology is being used?
Application proxying
Which action is the best step toward protecting Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements?
Applying security updates promptly
What compliance regulation is similar to the European Union (EU) General Data Protection Regulation (GDPR) of 2016 and focuses on individual privacy and rights of data owners?
California Consumer Privacy Act (CCPA) of 2018
What is not a symmetric encryption algorithm?
Diffie-Hellman
Aditya recently assumed an information security role for a financial institution located in the United States. He is tasked with assessing the institution's risk profile and cybersecurity maturity level. What compliance regulation applies specifically to Aditya's institution?
FFIEC
True or False? The term certificate authority (CA) refers to a trusted repository of all public keys.
False
Which compliance obligation includes security requirements that apply specifically to the European Union?
General Data Protection Regulation (GDPR)
Which element of the security policy framework offers suggestions rather than mandatory actions?
Guideline
With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network?
Home agent (HA)
Which set of characteristics describes the Caesar cipher accurately?
Symmetric, stream, substitution
What is an example of an alteration threat?
System or data modification
Which of the following is not true of hash functions?
The hashes produced by a specific hash function may vary in size.
True or False? A Chinese wall security policy defines a barrier and develops a set of rules to ensure that no subject gets to objects on the other side.
True
True or False? A business continuity plan (BCP) directs all activities required to ensure that an organization's critical business functions continue when an interruption occurs that affects the organization's viability.
True
True or False? A threat analysis identifies and documents threats to critical resources, which means considering the types of disasters that are possible and what kind of damage they can cause.
True
What is the only unbreakable cipher when it is used properly?
Vernam
Which of the following is an example of a direct cost that might result from a business disruption?
Direct costs are immediate expenditures that reduce profit, such as the cost to repair a facility. Indirect costs, such as damaged reputation, lost market share, and lost customers, affect revenue but are harder to calculate because there is no record of an expenditure.
What is a primary risk to the Workstation Domain, the Local Area Network (LAN) Domain, and the System/Application Domain?
Downtime of IT Systems for an extended period of time after a disaster
What type of firewall security feature limits the volume of traffic from individual hosts?
Flood guard
Maria is the risk manager for a large organization and is evaluating whether the organization should purchase a fire suppression system. She consulted several subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. If the exposure factor (EF) for a $10 million facility is 20 percent, what is the single loss expectancy (SLE)?
$2,000,000
Maria is the risk manager for a large organization and is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?
$20,000
Maria is the risk manager for a large organization and is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor (EF)?
20 percent
Devaki is capturing traffic on her network. She notices connections using ports 20, 22, 23, and 80. Which port normally hosts a protocol that uses secure, encrypted connections?
22
What is the maximum value for any octet in an Internet Protocol version 4 (IPv4) address?
255
What network port number is used for unencrypted web-based communication by default?
80
Juan's web server was down for an entire day in April. It experienced no other downtime during that month. What represents the web server uptime for that month?
99.67
Which of the following is not a market driver for the Internet of Things (IoT)?
A decline in cloud computing
Which of the following is not true of gap analysis?
A gap analysis can be performed only through a formal investigation.
Devaki is evaluating different biometric systems. She understands that users might not want to subject themselves to retinal scans due to privacy concerns. Which concern of a biometric system is she considering?
Acceptability
Which of the following is an example of an authorization control?
Access control list
Jackson is a cybercriminal. He is attempting to keep groups of a company's high-level users from accessing their work network accounts by abusing a policy designed to protect employee accounts. Jackson attempts to log in to their work accounts repeatedly using false passwords. What security method is he taking advantage of?
Account lockout policies
Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place?
Address resolution protocol (ARP) poisoning
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?
Alice's private key
Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?
Alice's public key
Maria is writing a policy that defines her organization's data classification standard. The policy designates the IT assets that are critical to the organization's mission and defines the organization's systems, uses, and data priorities. It also identifies assets within the seven domains of a typical IT infrastructure. Which policy is Maria writing?
Asset Classification Policy
Which security model does not protect the integrity of information?
Bell-LaPadula
Which attack is typically used specifically against password files that contain cryptographic hashes?
Birthday
Alice would like to send a message to Bob securely and wishes to use asymmetric encryption to encrypt the contents of the message. What key does she use to encrypt this message?
Bob's public key
Ron is the IT director at a medium-sized company. He frequently gets requests from employees who want to select customized mobile devices. He decides to allow them to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?
Bring Your Own Device (BYOD)
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort? Group of answer choices
Business continuity plan (BCP)
Miriam is a network administrator. She would like to use a wireless authentication technology similar to that found in hotels where users are redirected to a webpage when they connect to the network. What technology should she deploy?
Captive portal
A company's IT manager has advised the business's executives to use a method of decentralized access control rather than centralized to avoid creating a single point of failure. She selects a common protocol that hashes passwords with a one-time challenge number to defeat eavesdropping-based replay attacks. What is this protocol?
Challenge-Handshake Authentication Protocol (CHAP)
Rodrigo is a security professional. He is creating a policy that gives his organization control over mobile devices used by employees while giving them some options as to the type of device they will use. Which approach to mobile devices is Rodrigo focusing on in the policy?
Choose Your Own Device (CYOD)
Which cryptographic attack is relevant in only asymmetric key systems and hash functions?
Chosen ciphertext
Bob is sending a message to Alice. He wants to ensure that nobody can read the content of the message while it is in transit. What goal of cryptography is Bob attempting to achieve?
Confidentiality
In Mobile IP, what term describes a device that would like to communicate with a mobile node (MN)? Group of answer choices
Correspondent node (CN)
A hacker has stolen logon IDs and passwords. The hacker is now attempting to gain unauthorized access to a public-facing web application by using the stolen credentials one by one. What type of attack is taking place?
Credential harvesting
Which of the following is the point at which two error rates of a biometric system are equal and is the measure of the system's accuracy expressed as a percentage? Correct Answer
Crossover error rate (CER)
What term describes data that has been stripped of personally identifiable information for privacy reasons?
De-identified
Maria receives a ciphertext message from her colleague Wen. What type of function does Maria need to use to read the plaintext message?
Decryption
Which type of password attack is used on weak passwords and compares a hashed value of the passwords to the system password file to find a match?
Dictionary attack
Alice and Bob would like to communicate with each other using a session key, but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key?
Diffie-Hellman
Security objectives add value to relationships between businesses or between businesses and their customers. Which objective binds a message or data to a specific entity?
Digital signature
Arturo is a network engineer. He wants to implement an access control system in which the owner of the resource decides who can change permissions, and permission levels can be granted to specific users, groups of people in the same or similar job roles, or by project. Which of the following should Arturo choose?
Discretionary access control (DAC)
Which risk is most effectively mitigated by an upstream Internet service provider (ISP)?
Distributed Denial of Service (DDoS)
What protocol is responsible for assigning Internet Protocol (IP) addresses to hosts on many networks?
Dynamic Host Configuration Protocol (DHCP)
Which term best describes the sale of goods and services on the Internet, whereby online customers buy those goods and services from a vendor's website and enter private data and checking account or credit card information to pay for them? Group of answer choices
E-commerce
Maria is using accounting software to compile sensitive financial information. She receives a phone call and then momentarily leaves her desk. While she's gone, Bill walks past her cubicle and sees that she has not locked her desktop and left data exposed. Bill uses his smartphone to take several photos of this data with the intent of selling it to the company's competitor. What access control compromise is taking place?
Eavesdropping by observation
Lincoln is a network security specialist. He is updating the password policy for his company's computing infrastructure. His primary method of improving password policy involves lowering the chance that an attacker can compromise and use the password before it expires. What does he do?
Enables a 30-day password change policy
Which of the following is not an objective of cryptanalysis, the process of breaking codes?
Encrypt the plaintext of a target message
Which security control is most helpful in protecting against eavesdropping on wide area network (WAN) transmissions?
Encrypting transmissions with virtual private networks
What is the first priority when responding to a disaster recovery effort?
Ensuring that everyone is safe
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?
Evil twin
True or False? A block cipher encrypts one byte (or bit) at a time, whereas a stream cipher encrypts an entire block of data at a time.
False
True or False? A border router can provide enhanced features to internal networks and help keep subnet traffic separate.
False
True or False? A dictionary password attack is a type of attack in which one person, program, or computer disguises itself as another person, program, or computer to gain access to some resource.
False
True or False? A digitized signature is a combination of a strong hash of a message and a secret key.
False
True or False? A packet-filtering firewall remembers information about the status of a network communication.
False
True or False? A phishing attack "poisons" a domain name on a domain name server (DNS).
False
True or False? A private key cipher is also called an asymmetric key cipher.
False
True or False? A product cipher is an encryption algorithm that has no corresponding decryption algorithm.
False
True or False? A router is a security appliance that is used to filter Internet Protocol (IP) packets and block unwanted packets.
False
True or False? A smart card is an example of a logical access control.
False
True or False? A smishing attack is a type of phishing attack involving voice communication.
False
True or False? An authentication, authorization, and accounting (AAA) server, such as Remote Authentication Dial-In User Service (RADIUS), is a type of decentralized access control.
False
True or False? An information system is a safeguard or countermeasure an organization implements to help reduce risk.
False
True or False? Another name for a border firewall is a demilitarized zone (DMZ) firewall.
False
True or False? Authentication by characteristics/biometrics is based on something you have, such as a smart card, a key, a badge, or either a synchronous or asynchronous token.
False
True or False? Authorization controls include biometric devices.
False
True or False? Bluejacking is an attack in which wireless traffic is sniffed between Bluetooth devices.
False
True or False? Corrective controls are implemented to address a threat in place that does not have a straightforward risk-mitigating solution.
False
True or False? Facility automation uses Internet of Things (IoT) to integrate automation into business functions to reduce reliance on machinery.
False
True or False? Hypertext Transfer Protocol (HTTP) encrypts data transfers between secure browsers and secure webpages.
False
True or False? In a known-plaintext attack (KPA), the cryptanalyst has access only to a segment of encrypted data and has no choice as to what that data might be.
False
True or False? In mandatory access control (MAC), access rules are closely managed by the security administrator and not by the system owner or ordinary users for their own files.
False
True or False? In most organizations, focusing on smaller issues rather than planning for the most wide-reaching disaster results in a more comprehensive disaster recovery plan.
False
True or False? Internet Protocol version 4 (IPv4) uses the Internet Control Message Protocol (ICMP) within a network to automatically assign an Internet Protocol (IP) address to each computer.
False
True or False? Internet of Things (IoT) devices are typically physically secure.
False
True or False? Internet of Things (IoT) devices cannot share and communicate your IoT device data to other systems and applications without your authorization or knowledge.
False
True or False? Kerberos is an example of a biometric method.
False
True or False? Passphrases are less secure than passwords.
False
True or False? Physical access to network equipment is required to eavesdrop on a network connection.
False
True or False? Preventive controls merely attempt to suggest that a subject not take a specific action, whereas corrective controls do not allow the action to occur.
False
True or False? Regarding data-center alternatives for disaster recovery, a mobile site is the least expensive option but at the cost of the longest switchover time.
False
True or False? Service-level agreements (SLAs) are a common part of the Local Area Network (LAN)-to-Wide Area Network (WAN) Domain of a typical IT infrastructure.
False
True or False? Store-and-forward communications should be used when you need to talk to someone immediately.
False
True or False? Temporal isolation is commonly used in combination with rule-based access control.
False
True or False? The Sarbanes-Oxley Act (SOX) requires all types of financial institutions to protect customers' private financial information.
False
True or False? The U.S. government currently has no standard for creating cryptographic keys for classified applications.
False
True or False? The business continuity plan (BCP) identifies the resources for which a business impact analysis (BIA) is necessary.
False
True or False? The computer game Solitaire operates at the Application Layer of the Open Systems Interconnection (OSI) Reference Model.
False
True or False? The four central components of access control are users, resources, actions, and features.
False
True or False? The number of failed logon attempts that trigger an account action is called an audit logon event.
False
True or False? The ping utility identifies the path that packets travel through a network.
False
True or False? The term "risk methodology" refers to a list of identified risks that results from the risk identification process.
False
True or False? The type of wireless access point antenna in use, rather than its placement, can present a security risk.
False
True or False? To create the most secure network, configure the firewall to allow all messages except the ones that are explicitly denied.
False
True or False? Voice pattern biometrics are accurate for authentication because voices cannot easily be replicated by computer software.
False
True or False? You must always use the same algorithm to encrypt information and decrypt the same information.
False
True or False? An uninterruptible power supply (UPS) is an example of a reactive component of a disaster recovery plan (DRP).
False (Its preventive)
Anya is a cybersecurity engineer for a high-secrecy government installation. She is configuring biometric security that will either admit or deny entry using facial recognition software. Biometric devices have error rates and certain types of accuracy errors that are more easily tolerated depending on need. In this circumstance, which error rate is she likely to allow to be relatively high?
False rejection rate (FRR)
Which regulation requires schools to receive written permission from a parent or an eligible student before releasing any information contained in a student's education record?
Family Education Rights and Privacy Act (FERPA)
Arturo would like to connect a fibre channel storage device to systems over a standard data network. What protocol should he use?
Fibre Channel over Ethernet (FCoE)
Some ciphers, regardless of type, rely on the difficulty of solving certain mathematical problems, which is the basis for asymmetric key cryptography. Which of the following is a branch of mathematics that involves multiplicative inverses that these ciphers use?
Field theory
With the use of Mobile IP, which device is responsible for assigning each mobile node (MN) a local address?
Foreign agent (FA)
Isabella is in charge of the disaster recovery plan (DRP) team. She needs to ensure that data center operations will transfer smoothly to an alternate site in the event of a major interruption. She plans to run a complete test that will interrupt the primary data center and transfer processing capability to a hot site. What option is described in this scenario?
Full-interruption test
What compliance regulation focuses on management and evaluation of the security of unclassified and national security systems? Group of answer choices
Government Information Security Reform Act (Security Reform Act) of 2000
Bob is the information security and compliance manager for a financial institution. Which regulation is most likely to directly apply to Bob's employer?
Gramm-Leach-Bliley Act (GLBA)
Which of the following would govern the use of Internet of Things (IoT) by health care providers, such as physicians and hospitals?
Health Insurance Portability and Accountability Act (HIPAA)
Which of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)?
Health monitoring
Dawn is selecting an alternative processing facility for her organization's primary data center. She needs a facility with the least switchover time, even if it's the most expensive option. What is the most appropriate option in this situation?
Hot site
Carrie is a network technician developing the Internet Protocol (IP) addressing roadmap for her company. While IP version 4 (IPv4) has been the standard for decades, IP version 6 (IPv6) can provide a much greater number of unique IP addresses. Which addressing system should she designate for primary use on her roadmap and why?
IPv6 is only slowly being adopted. She should make IPv4 the primary addressing scheme in her roadmap until IPv6 is more widely adopted.
Keisha is a network administrator. She wants a cloud-based service that will allow her to load operating systems on virtual machines and manage them as if they were local servers. What service is Keisha looking for?
Infrastructure as a Service (IaaS)
Bob is sending a message to Alice. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Bob attempting to achieve?
Integrity
Rachel is investigating an information security incident that took place at the high school where she works. She suspects that students may have broken into the student records system and altered their grades. If that is correct, which one of the tenets of information security did this attack violate?
Integrity
Which type of attack involves eavesdropping on transmissions and redirecting them for unauthorized use?
Interception
Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet? Group of answer choices
Internet Engineering Task Force (IETF)
Which term best describes how a wide variety of objects, devices, sensors, and everyday items can connect and be accessed?
Internet of Things (IoT)
What is key to implementing a consistent Internet of Things (IoT) device, connectivity, and communications environment?
Interoperability and standards
Which network device is designed to block network connections that are identified as potentially malicious?
Intrusion Prevention System (IPS)
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?
Kerberos
What measures the average amount of time between failures for a particular system?
Mean Time to Repair
Maria is a freelance network consultant. She is setting up security for a small business client's wireless network. She is configuring a feature in the wireless access point (WAP) that will allow only computers with certain wireless network cards to connect to the network. This feature filters out the network cards of any wireless computer not on the list. What is this called?
Media Access Control (MAC) address filtering
Which of the following is an example of a reactive disaster recovery plan?
Moving to a warm site
Isabella is a network engineer. She would like to strengthen the security of her organization's networks by adding more requirements before allowing a device to connect to a network. She plans to add authentication to the wireless network and posture checking to the wired network. What technology should Isabella use?
Network access control (NAC)
What is not a commonly used endpoint security technique?
Network firewall
What level of technology infrastructure should you expect to find in a cold site alternative data center facility?
No technology infrastructure
What is the only unbreakable cipher when it is used properly?
Nonrepudiation
Which type of authentication includes smart cards?
Ownership
What is an example of a logical access control?
Password
A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?
Payment Card Industry Data Security Standard (PCI DSS)
Gwen's company is planning to accept credit cards over the Internet. What governs this type of activity and includes provisions that Gwen should implement before accepting credit card transactions?
Payment Card Industry Data Security Standard (PCI DSS)
Susan is troubleshooting a problem with a computer's network cabling. At which layer of the Open Systems Interconnection (OSI) Reference Model is she working?
Physical
An automatic teller machine (ATM) uses a form of constrained user interface to limit the user's ability to access resources in the system. Specifically for ATMs, which method is being used?
Physically constrained user interfaces
Which element of the security policy framework requires approval from upper management and applies to the entire organization?
Policy
Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed?
Preventive
Chris is writing a document that provides step-by-step instructions for end users seeking to update the security software on their computers. Performing these updates is mandatory. Which type of document is Chris writing?
Procedure
Which approach to cryptography uses highly parallel algorithms that could solve problems in a fraction of the time needed by conventional computers?
Quantum cryptography
Hajar is developing a business impact assessment for her organization. She is working with business units to determine the target state of recovered data that allows the organization to continue normal processing after a major interruption. Which of the following is Hajar determining?
Recovery point objective (RPO)
Aditya is the security manager for a mid-sized business. The company has suffered several serious data losses when laptops were stolen. Aditya decides to implement full disk encryption on all laptops. What risk response did Aditya take?
Reduce
A brute-force password attack and the theft of a mobile worker's laptop are risks most likely found in which domain of a typical IT infrastructure?
Remote Access Domain
Which type of attack involves capturing data packets from a network and retransmitting them to produce an unauthorized effect? The receipt of duplicate, authenticated Internet Protocol (IP) packets may disrupt service or produce another undesired consequence.
Replay
What term describes the risk that exists after an organization has performed all planned countermeasures and controls?
Residual risk
Which term describes the level of exposure to some event that has an effect on an asset, usually the likelihood that something bad will happen to an asset?
Risk
Which is the typical risk equation?
Risk = Threat x Vulnerability
What firewall approach is shown in the figure, assuming the firewall has three network cards? (There is a picture here but I can't see it)
Screened subnet
What is a U.S. federal government classification level that applies to information that would cause serious damage to national security if it were disclosed?
Secret
Hakim is a network engineer. He is configuring a virtual private network (VPN) technology that is available only for computers running the Windows operating system. Which technology is it?
Secure Socket Tunneling Protocol (SSTP)
There are a large number of protocols and programs that use port numbers to make computer connections. Of the following, which ones do not use port numbers?
Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
From a security perspective, what should organizations expect will occur as they become more dependent on the Internet of Things (IoT)?
Security risks will increase.
Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?
Separation of duties
In which type of attack does the attacker attempt to take over an existing connection between two systems?
Session hijacking
As a follow-up to her annual testing, Isabella would like to conduct quarterly disaster recovery tests. These tests should include role-playing and introduce as much realism as possible without affecting live operations. What type of test should Isabella conduct?
Simulation test
What is an example of two-factor authentication (2FA)?
Smart card and personal identification number (PIN)
Hajar is investigating a denial of service attack against her network. She notices that the Internet Control Message Protocol (ICMP) echo replies coming into her network far exceed the ICMP echo requests leaving her network. What type of attack is likely taking place?
Smurf
Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?
Software as a Service (SaaS)
Which element of the IT security policy framework provides detailed written definitions for hardware and software and how they are to be used?
Standard
Which of the following principles is not a component of the Biba integrity model?
Subjects cannot change objects that have a lower integrity level.
Unauthorized access to data centers and downtime of servers are risks to which domain of an IT infrastructure? Group of answer choices
System/Application Domain
True or False? A challenge created by the Internet of Things (IoT) is how to protect personal identity and private data from theft or unauthorized access.
TRUE
True or False? Application service providers (ASPs) are software companies that build applications hosted in the cloud and on the Internet.
TRUE
True or False? Bring Your Own Device (BYOD) often replaces the need for the organization to procure limited mobile device model options and issue them to employees for individual use.
TRUE
Which of the following is not an example of store-and-forward messaging?
Telephone call
Which term describes an action that can damage or compromise an asset?
Threat
What is the main purpose of risk identification in an organization?
To make the organization's personnel aware of existing risk
Which type of cipher works by rearranging the characters in a message?
Transposition
True or False? A data classification standard provides a consistent definition for how an organization should handle and secure different types of data.
True
True or False? A degausser creates a magnetic field that erases data from magnetic storage media.
True
True or False? A disaster recovery plan (DRP) is part of a business continuity plan (BCP) and is necessary to ensure the restoration of resources required by the BCP to an available state.
True
True or False? A firewall can be used to segment a network.
True
True or False? A home user connecting to a website over the Internet is an example of a wide area network (WAN) connection.
True
True or False? A keyword mixed alphabet cipher uses a cipher alphabet that consists of a keyword, minus duplicates, followed by the remaining letters of the alphabet.
True
True or False? A man-in-the-middle attack takes advantage of the multihop process used by many types of networks.
True
True or False? A network protocol governs how networking equipment interacts to deliver data across the network.
True
True or False? A phishing email is a fake or bogus email intended to trick the recipient into clicking on an embedded link or opening an email attachment.
True
True or False? A protocol is a set of rules that govern the format of messages that computers exchange.
True
True or False? A salt value is a set of random characters you can combine with an input key to create an encryption key.
True
True or False? A social engineering consensus tactic relies on the position that "everyone else has been doing it" as proof that it is okay or acceptable to do.
True
True or False? A unified threat management (UTM) device can provide content inspection, where some or all network packet content is inspected to determine whether the packet should be allowed to pass.
True
True or False? A wireless access point (WAP) is the connection between a wired network and wireless devices.
True
True or False? Access control lists (ACLs) are used to permit and deny traffic in an Internet Protocol (IP) router. Group of answer choices
True
True or False? An IT security policy framework is like an outline that identifies where security controls should be used.
True
True or False? An algorithm is a repeatable process that produces the same result when it receives the same input.
True
True or False? An alteration threat violates information integrity.
True
True or False? Anti-malware programs and firewalls cannot detect most phishing scams because the scams do not contain suspect code.
True
True or False? Authentication by action is based on something you do, such as typing.
True
True or False? Authentication by knowledge is based on something the user knows, such as a password, passphrase, or personal identification number (PIN).
True
True or False? Authentication controls include passwords and personal identification numbers (PINs).
True
True or False? Authorization is the process of granting rights to use an organization's IT assets, systems, applications, and data to a specific user.
True
True or False? Availability is the tenet of information security that deals with uptime and downtime.
True
True or False? Bring Your Own Device (BYOD) opens the door to considerable security issues.
True
True or False? Changes to external requirements, such as legislation, regulation, or industry standards, that require control changes can result in a security gap for an organization.
True
True or False? Common methods used to identify a user to a system include username, smart card, and biometrics.
True
True or False? Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it.
True
True or False? Cryptography is the practice of making data unreadable.
True
True or False? Digital signatures require asymmetric key cryptography.
True
True or False? E-commerce systems and applications demand strict confidentiality, integrity, and availability (C-I-A) security controls.
True
True or False? Each 5G device has a unique Internet Protocol (IP) address and appears just like any other wired device on a network.
True
True or False? Each layer of the Open Systems Interconnection (OSI) Reference Model needs to be able to talk to the layers above and below it.
True
True or False? Elliptic curve cryptography (ECC) relies on algebraic structures of elliptic curves over finite fields.
True
True or False? Encrypting data within databases and storage devices gives an added layer of security.
True
True or False? For businesses and organizations under recent compliance laws, data classification standards typically include private, confidential, internal use only, and public-domain categories.
True
True or False? Hypertext Transfer Protocol (HTTP) is the communications protocol between web browsers and websites with data in cleartext.
True
True or False? If a company informs employees that email sent over the company's network is monitored, the employees can no longer claim to have an expectation of privacy.
True
True or False? Impact refers to the amount of risk or harm caused by a threat or vulnerability that is exploited by a perpetrator.
True
True or False? In a browser or uniform resource locator (URL) hijacking attack, users are directed to websites other than what they requested, usually to fake pages that attackers have created.
True
True or False? In a masquerade attack, one user or computer pretends to be another user or computer.
True
True or False? In a watering-hole attack, a targeted user is lured to a commonly visited website on which malicious code has been planted
True
True or False? In cryptography, a keyspace is the number of possible keys to a cipher.
True
True or False? In e-business, secure web applications are one of the critical security controls that each organization must implement to reduce risk.
True
True or False? Internet of Things (IoT) upgrades can be difficult to distribute and deploy, leaving gaps in the remediation of IoT devices or endpoints.
True
True or False? Log files are one way to prove accountability on a system or network.
True
True or False? Metadata of Internet of Things (IoT) devices is sometimes sold to companies seeking demographic marketing data about users and their spending habits.
True
True or False? Mobile device management (MDM) includes a software application that allows organizations to monitor, control, data wipe, or data delete business data from a personally owned device.
True
True or False? Networks, routers, and equipment require continuous monitoring and management to keep wide area network (WAN) service available.
True
True or False? Not all risks are inherently bad; some risks can lead to positive results.
True
True or False? OCTAVE is an approach to risk-based strategic assessment and planning.
True
True or False? Physically disabled users might have difficulty with biometric system accessibility, specifically with performance-based biometrics.
True
True or False? Posting a comment on social media is an example of real-time communication.
True
True or False? Remote wiping is a device security control that allows an organization to remotely erase data or email in the event of loss or theft of the device.
True
True or False? Revocation is a security measure that stops authorization for access to data.
True
True or False? Safeguards address gaps or weaknesses in the controls that could otherwise lead to a realized threat.
True
True or False? Screen locks are a form of endpoint device security control.
True
True or False? Single sign-on (SSO) can provide for greater security because with only one password to remember, users are generally willing to use stronger passwords.
True
True or False? Smart cities can monitor and report on real-time traffic conditions using Internet of Things (IoT) technology.
True
True or False? Storage segmentation is a mobile device control that physically separates personal data from business data.
True
True or False? Symmetric key ciphers require that both parties first exchange keys to be able to securely communicate.
True
True or False? The Data Link Layer of the Open Systems Interconnection (OSI) Reference Model is responsible for transmitting information on computers connected to the same local area network (LAN).
True
True or False? The Gramm-Leach-Bliley Act (GLBA) addresses information security concerns in the financial industry.
True
True or False? The Local Area Network (LAN) Domain of a typical IT infrastructure includes both physical network components and logical configuration of services for users.
True
True or False? The Local Area Network (LAN)-to-Wide Area Network (WAN) Domain is where the IT infrastructure links to a WAN and the Internet.
True
True or False? The Physical Layer of the Open Systems Interconnection (OSI) Reference Model must translate the binary ones and zeros of computer language into the language of the transport medium.
True
True or False? The System/Application Domain of a typical IT infrastructure consists of hardware, operating system software, applications, and data and includes hardware and its logical design.
True
True or False? The User Domain of a typical IT infrastructure defines the people and processes that access an organization's information systems.
True
True or False? The ownership of Internet of Things (IoT) data, as well as the metadata of that data, is sometimes in question.
True
True or False? The protocols in the Transmission Control Protocol/Internet Protocol (TCP/IP) suite work together to allow any two computers to be connected and thus create a network.
True
True or False? The recovery time objective (RTO) expresses the maximum allowable time in which to recover the function after a major interruption.
True
True or False? The term "risk management" describes the process of identifying, assessing, prioritizing, and addressing risks.
True
True or False? The term "router" describes a device that connects two or more networks and selectively interchanges packets of data between them.
True
True or False? The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks.
True
True or False? Theft of intellectual property and its release to competitors or to the public can nullify an organization's competitive advantage.
True
True or False? Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of protocols that operates at both the Network and Transport layers of the Open Systems Interconnection (OSI) Reference Model.
True
True or False? Transmitting private or sensitive data unencrypted is a risk in both the Local Area Network (LAN) and Wide Area Network (WAN) Domains of a typical IT infrastructure. Group of answer choices
True
True or False? Transport Layer Security (TLS) is an example of a transport encryption protocol.
True
True or False? Using Mobile IP, users can move between segments on a local area network (LAN) and stay connected without interruption.
True
True or False? Utility companies are incorporating Internet-connected sensors into their business functions.
True
True or False? Vehicles that have Wi-Fi access and onboard computers require software patches and upgrades from the manufacturer
True
True or False? Vendors or service providers that have remote access to an Internet of Things (IoT) device may be able to pull information or data from your device without your permission.
True
True or False? When servers need operating system upgrades or patches, administrators take them offline intentionally so they can perform the necessary work without risking malicious attacks. Group of answer choices
True
True or False? Whereas a cipher performs a particular task, a key gives the specific directions for how to do it.
True
True or False? With asymmetric key ciphers, it is computationally infeasible to derive the second algorithm from the first algorithm.
True
True or False? You can break a cipher by analyzing the ciphertext to find the plaintext or key or by analyzing the ciphertext and its associated plaintext to find the key.
True
An attacker attempting to break into a facility pulls the fire alarm to distract the security guard manning an entry point. Which type of social engineering attack is the attacker using?
Urgency
In which domain of a typical IT infrastructure is the first layer of defense for a layered security strategy? Group of answer choices
User Domain
Bob has a high-volume virtual private network (VPN). He would like to use a device that would best handle the required processing power. What type of device should he use?
VPN concentrator
Wen is a network engineer. For several months, he has been designing a system of controls to allow and restrict access to network assets based on various methods and information. He is currently configuring the authentication method. What does this method do?
Verifies that requestors are who they claim to be
Wen is a network engineer. He would like to isolate several systems belonging to the product development group from other systems on the network, without adding new hardware. What technology is best to use?
Virtual LAN (VLAN)
Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows a cross-site scripting attack against the server. What term describes the issue that Adam discovered?
Vulnerability
Juan is a wireless security professional. He is selecting a standard for wireless encryption protocols for access points and devices for his agency. For the highest security, which protocol should Juan choose?
Wi-Fi Protected Access version 3 (WPA3)
Which information security objective verifies the action to create an object or verifies an object's existence by an entity other than the creator?
Witnessing
What type of attack against a web application uses a newly discovered vulnerability that is not patchable?
Zero-day attack
Forensics and incident response are examples of __________ controls.
corrective
Remote access security controls help to ensure that the user connecting to an organization's network is who the user claims to be. A username is commonly used for _______, whereas a biometric scan could be used for _______.
identificaiton, authenticaiton
Because network computers or devices may host several services, programs need a way to tell one service from another. To differentiate services running on a device, networking protocols use a(n) ________, which is a short number that tells a receiving device where to send messages it receives.
network port
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
security kernel
A ________ is used to identify the part of an Ethernet network where all hosts share the same host address.
subnet mask
On early Ethernet networks, all computers were connected to a single wire, forcing them to take turns on a local area network (LAN). Today, this situation is alleviated on larger networks because each computer has a dedicated wire connected to a ___________ that controls a portion of the LAN.
switch
Purchasing an insurance policy is an example of the ____________ risk management strategy.
transfer
