Cybersecurity Exam 1 CS 301
The weakest link in the security of an IT infrastructure is the server
False
User-based permission levels limit a person to executing certain functions and often enforces mutual exclusivity. Options Menu: Question Text
False
Networks, routers, and equipment require continuous monitoring and management to keep wide area network (WAN) service available
True
Performing security testing includes vulnerability testing and penetration testing. Options Menu: Question Text
True
Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service?
80
Which one of the following is the best example of an authorization control?
Access control lists
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
BCP
Jody would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs?
Collaboration
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit? Options Menu: Question Text
Does the firewall properly block unsolicited network connection attempts?
A VPN router is a security appliance that is used to filter IP packets.
False
Committee of Sponsoring Organizations (COSO) is a set of best practices for IT management. Options Menu: Question Text
False
Which control is not designed to combat malware?
Firewalls
Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking? Options Menu: Question Text
Project initiation and planning
A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing. Options Menu: Question Text
True
A man-in-the-middle attack takes advantage of the multihop process used by many types of networks.
True
Access control lists (ACLs) are used to permit and deny traffic in an IP router.
True
Social engineering is deceiving or using people to get around security controls. Options Menu: Question Text
True
What is NOT a good practice for developing strong professional ethics? Options Menu: Question Text
Assume that information that should be free
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in? Options Menu: Question Text
Audit
During what phase of a remote access connection does the end user prove his or her claim of identity?
Authentication
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing? Options Menu: Question Text
Authorization
Matthew captures traffic on his network and notices connections using ports 20, 22, 23, and 80. Which port normally hosts a protocol that uses secure, encrypted connections?
22
Juan's web server was down for an entire day last September. It experienced no other downtime during that month. Which one of the following represents the web server uptime for that month?
96.67%
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering? Options Menu: Question Text
Acceptability
In an accreditation process, who has the authority to approve a system for implementation? Options Menu: Question Text
AO
Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place?
ARP Poisoning
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve? Options Menu: Question Text
Access to high level of expertise
Which action is the best step to protect Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements?
Applying security updates promptly
During which phase of the access control process does the system answer the question,"What can the requestor access?"
Authorization
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create? Options Menu: Question Text
Baseline
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value? Options Menu: Question Text
Brute-Force attack
Which characteristic of a biometric system measures the system's accuracy using a balance of different error types? Options Menu: Question Text
CER
In Mobile IP, what term describes a device that would like to communicate with a mobile node (MN)?
CN
Which audit data collection method helps ensure that the information-gathering process covers all relevant areas? Options Menu: Question Text
Checklist
Which technology can be used to protect the privacy rights of individuals and simultaneously allow organizations to analyze data in aggregate?
Deidentification
What is the first step in a disaster recovery effort?
Ensure that everyone is safe
Which compliance obligation includes security requirements that apply specifically to federal government agencies in the United States?
FISMA
Which type of attack involves the creation of some deception in order to trick unsuspecting users?
Fabrication
Which one of the following is an example of a direct cost that might result from a business disruption?
Facility Repair
A report indicating that a system's disk is 80 percent full is a good indication that something is wrong with that system. Options Menu: Question Text
False
An SOC 1 report primarily focuses on security. Options Menu: Question Text
False
An attacker uses exploit software when wardialing.
False
Connectivity is one of the five critical challenges that the Internet of Things (IoT) has to overcome.
False
Mandatory vacations minimize risk by rotating employees among various systems or duties. Options Menu: Question Text
False
Most enterprises are well prepared for a disaster should one occur.
False
Often an extension of a memorandum of understanding (MOU), the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets. Options Menu: Question Text
False
Spam is some act intended to deceive or trick the receiver, normally in email messages.
False
Store-and-forward communications should be used when you need to talk to someone immediately
False
The four main types of logs that you need to keep to support security auditing include event, access, user, and security. Options Menu: Question Text
False
The main difference between a virus and a worm is that a virus does not need a host program to infect.
False
The term "data owner" refers to the person or group that manages an IT infrastructure. Options Menu: Question Text
False
Voice pattern biometrics are accurate for authentication because voices can't easily be replicated by computer software. Options Menu: Question Text
False
What compliance regulation applies specifically to the educational records maintained by schools about students?
Family Education Rights and Privacy Act (FERPA)
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data? Options Menu: Question Text
Formatting
Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)?
Health Monitoring
Which network device is capable of blocking network connections that are identified as potentially malicious?
IPS
Which of the following would NOT be considered in the scope of organizational compliance efforts? Options Menu: Question Text
Laws
Which of the following is NOT a benefit of cloud computing to organizations? Options Menu: Question Text
Lower dependence on outside vendors
Which of the following is an example of a hardware security control? Options Menu: Question Text
MAC filtering
Tony is working with a law enforcement agency to place a wiretap pursuant to a legitimate court order. The wiretap will monitor communications without making any modifications. What type of wiretap is Tony placing?
Passive Wiretap
Which one of the following is an example of a logical access control? Options Menu: Question Text
Password
Which one of the following is NOT an advantage of biometric systems? Options Menu: Question Text
Physical characteristics may change
Which activity is an auditor least likely to conduct during the information-gathering phase of an audit? Options Menu: Question Text
Report Writing
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type? Options Menu: Question Text
SLA
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing? Options Menu: Question Text
Separation of duties
A surge protector is an example of a preventative component of a disaster recovery plan (DRP).
True
Application service providers (ASPs) are software companies that build applications hosted in the cloud and on the Internet.
True
Company-related classifications are not standard, therefore, there may be some differences between the terms "private" and "confidential" in different companies. Options Menu: Question Text
True
Data loss prevention (DLP) uses business rules to classify sensitive information to prevent unauthorized end users from sharing it. Options Menu: Question Text
True
Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than justin individual packets. Options Menu: Question Text
True
Remote wiping is a device security control that allows an organization to remotely erase data or email in the event of loss or theft of the device.
True
The Government Information Security Reform Act (Security Reform Act) of 2000 focuses on management and evaluation of the security of unclassified and national security systems.
True
The business impact analysis (BIA) identifies the resources for which a business continuity plan (BCP) is necessary.
True
The most critical aspect of a WAN services contract is how the service provider supplies troubleshooting, network management, and security management services.
True
The recovery point objective (RPO) is the maximum amount of data loss that is acceptable.
True
The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks.
True
Which one of the following is an example of a reactive disaster recovery control?
moving to a warm site
Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about? Options Menu: Question Text
Accountability
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?
Evil Twin
A security policy is a comparison of the security controls you have in place and the controls you need in order to address all identified threats.
False
Bricks-and-mortar stores are completely obsolete now.
False
Certification is the formal agreement by an authorizing official to accept the risk of implementing a system. Options Menu: Question Text
False
Change doesn't create risk for a business. Options Menu: Question Text
False
Hypertext Transfer Protocol (HTTP) encrypts data transfers between secure browsers and secure web pages
False
IoT devices cannot share and communicate your IoT device data to other systems and applications without your authorization or knowledge.
False
Passphrases are less secure than passwords. Options Menu: Question Text
False
Regarding security controls, the four most common permission levels are poor, permissive, prudent, and paranoid. Options Menu: Question Text
False
Terminal Access Controller Access Control System Plus (TACACS+) is an authentication server that uses client and user configuration files. Options Menu: Question Text
False
The Sarbanes-Oxley (SOX) Act requires all types of financial institutions to protect customers' private financial information.
False
The anti-malware utility is one of the most popular backdoor tools in use today.
False
The auto industry has not yet implemented the Internet of Things (IoT).
False
The term risk methodology refers to a list of identified risks that results from the risk-identification process.
False
Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet?
Internet Engineering Task Force
Which Internet of Things (IoT) challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion?
Interoperability
Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit? Options Menu: Question Text
Is the security control likely to become obsolete in the near future
Which type of authentication includes smart cards? Options Menu: Question Text
Ownership
Gwen's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Gwen should implement before accepting credit card transactions?
PCI DSS
Which regulatory standard would NOT require audits of companies in the United States? Options Menu: Question Text
PIPEDA
A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?
Payment Card Industry Data Security Standard (PCI DSS)
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of? Options Menu: Question Text
Phishing
Which tool can capture the packets transmitted between systems over a network?
Protocol Analyzer
Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use? Options Menu: Question Text
Prudent
What is NOT a goal of information security awareness programs? Options Menu: Question Text
Punish users who violate policy
Which scenario presents a unique challenge for developers of mobile applications?
Selecting multiple items from a list
Which element of the IT security policy framework provides detailed written definitions for hardware and software and how they are to be used?
Standard
Which one of the following principles is NOT a component of the Biba integrity model? Options Menu: Question Text
Subjects cannot change objects that have a lower integrity level
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system? Options Menu: Question Text
System Integrity Monitoring
What is NOT generally a section in an audit report? Options Menu: Question Text
System configurations
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions? Options Menu: Question Text
Threat
Which term describes any action that could damage an asset?
Threat
Which formula is typically used to describe the components of information security risks?
Threat X Likelihood
Which classification level is the highest level used by the U.S. federal government?
Top Secret
A IT security policy framework is like an outline that identifies where security controls should be used
True
A birthday attack is a type of cryptographic attack that is used to make brute-force attack of one-way hashes easier.
True
A bricks-and-mortar strategy includes marketing and selling goods and services on the Internet.
True
A successful change control program should include the following elements to ensure the quality of the change control process: peer review, documentation, and back-out plans. Options Menu: Question Text
True
A trusted operating system (TOS) provides features that satisfy specific government requirements for security. Options Menu: Question Text
True
After audit activities are completed, auditors perform data analysis. Options Menu: Question Text
True
An SOC 1 report is commonly implemented for organizations that must comply with Sarbanes-Oxley (SOX) or the Gramm-Leach-Bliley Act (GLBA). Options Menu: Question Text
True
An alteration threat violates information integrity.
True
An auditing benchmark is the standard by which a system is compared to determine whether it is securely configured. Options Menu: Question Text
True
An example of a threat to access control is in a peer-to-peer (P2P) arrangement in which users share their My Documents folder with each other by accident. Options Menu: Question Text
True
Anomaly-based intrusion detection systems compare current activity with stored profiles of normal (expected) activity. Options Menu: Question Text
True
Authentication controls include passwords and personal identification numbers (PINs).
True
Authorization is the process of granting rights to use an organization's IT assets, systems, applications, and data to a specific user.
True
Bring Your Own Device (BYOD) opens the door to considerable security issues.
True
Devices that combine the capabilities of mobile phones and personal digital assistants (PDAs) are commonly called smartphones.
True
During the planning and execution phases of an audit, an auditor will most likely review risk analysis output. Options Menu: Question Text
True
E-commerce systems and applications demand strict confidentiality, integrity, and availability (CIA) security controls
True
Each 4G device has a unique Internet Protocol (IP) address and appears just like any other wired device on a network.
True
Metadata of Internet of Things (IoT) devices can be sold to companies seeking demographic marketing data about users and their spending habits.
True
One advantage of using a security management firm for security monitoring is that it has a high level of expertise. Options Menu: Question Text
True
The Gramm-Leach-Bliley Act (GLBA) addresses information security concerns in the financial industry.
True
The director of IT security is generally in charge of ensuring that the Workstation Domain conforms to policy
True
The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege. Options Menu: Question Text
True
Unified messaging allows you to download both voice and email messages to a smartphone or tablet.
True
Using Mobile IP, users can move between segments on a local area network (LAN) and stay connected without interruption.
True
Using a secure logon and authentication process is one of the six steps used to prevent malware.
True
Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?
Typosquatting
Which one of the following is NOT a commonly accepted best practice for password security? Options Menu: Question Text
Use at least 6 alphanumerical characters
Which one of the following is typically used during the identification phase of a remote access connection?
Username
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?
White Hat Hacker
Which type of attack against a web application uses a newly discovered vulnerability that is not patchable?
Zero-Day Attack
Which security control is most helpful in protecting against eavesdropping on wireless LAN (WLAN) data transmissions that would jeopardize confidentiality?
applying strong encryption
Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?
checklist test
As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct?
simulation test
Many jurisdictions require audits by law. Options Menu: Question Text
True
The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation?
13
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)? Options Menu: Question Text
An organization should share its information
Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?
BYOD
Which security model does NOT protect the integrity of information? Options Menu: Question Text
Bell-LaPudula
Which password attack is typically used specifically against password files that contain cryptographic hashes?
Birthday Attacks
Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting? Options Menu: Question Text
Black-Box test
Which activity manages the baseline settings for a system or device? Options Menu: Question Text
Configuration Control
What is NOT a common endpoint for a virtual private network (VPN) connection used for remote network access?
Content Filter
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario? Options Menu: Question Text
DAC
Which risk is most effectively mitigated by an upstream Internet service provider (ISP)?
DDoS
Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?
Data ownership
What information should an auditor share with the client during an exit interview? Options Menu: Question Text
Details on major issues
Which one of the following is NOT an area of critical infrastructure where the Internet of Things (IoT) is likely to spur economic development in less developed countries?
E-Commerce
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)? Options Menu: Question Text
Enforcing the integrity of computer based information
Which one of the following is an example of a disclosure threat?
Espionage
A dictionary password attack is a type of attack in which one person, program, or computer disguises itself as another person, program, or computer to gain access to some resource.
False
A hardware configuration chart should NOT include copies of software configurations. Options Menu: Question Text
False
A phishing attack "poisons" a domain name on a domain name server.
False
A remediation liaison makes sure all personnel are aware of and comply with an organization's policies. Options Menu: Question Text
False
A rootkit uses a directed broadcast to create a flood of network traffic for the victim computer.
False
Authorization controls include biometric devices.
False
Configuration changes can be made at any time during a system life cycle and no process is required. Options Menu: Question Text
False
Continuity of critical business functions and operations is the first priority in a wellbalanced business continuity plan (BCP).
False
Cryptography is the process of transforming data from cleartext into ciphertext.
False
DIAMETER is a research and development project funded by the European Commission. Options Menu: Question Text
False
Denial of service (DoS) attacks are larger in scope than distributed denial of service (DDoS) attacks.
False
During the secure phase of a security review, you review and measure all controls to capture actions and changes on the system. Options Menu: Question Text
False
Procedures do NOT reduce mistakes in a crisis. Options Menu: Question Text
False
Regarding data center alternatives for disaster recovery, a mobile site is the least expensive option but at the cost of the longest switchover time.
False
Regarding log monitoring, false negatives are alerts that seem malicious but are not real security events. Options Menu: Question Text
False
Regarding the Internet of Things (IoT), a business involved in utilities, critical infrastructure, or environmental services can benefit from traffic-monitoring applications.
False
Removable storage is a software application that allows an organization to monitor and control business data on a personally owned device.
False
Service-level agreements (SLAs) are optical backbone trunks for private optical backbone networks
False
Temporal isolation is commonly used in combination with rule-based access control. Options Menu: Question Text
False
The first step in creating a comprehensive disaster recovery plan (DRP) is to document likely impact scenarios.
False
The four central components of access control are users, resources, actions, and features. Options Menu: Question Text
False
The number of failed logon attempts that trigger an account action is called an audit logon event. Options Menu: Question Text
False
Vishing is a type of wireless network attack.
False
Wardialers are becoming more frequently used given the rise of Voice over IP (VoIP).
False
You should use easy-to-remember personal information to create secure passwords. Options Menu: Question Text
False
Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring? Options Menu: Question Text
False Positive Error
Which one of the following is NOT a market driver for the Internet of Things (IoT)?
Global adoption of non-IP networking
Which element of the security policy framework offers suggestions rather than mandatory actions?
Guideline
With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network?
HA
Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers?
HIPAA
Which one of the following governs the use of Internet of Things (IoT) by healthcare providers, such as physicians and hospitals?
HIPAA
Bob recently accepted a position as the information security and compliance manager for a medical practice. Which regulation is likely to most directly apply to Bob's employer?
HIPPA
What is a set of concepts and policies for managing IT infrastructure, development, and operations? Options Menu: Question Text
ITIL
Which one of the following is NOT a good technique for performing authentication of an end user?
Identification Number
Rachel is investigating an information security incident that took place at the high school where she works. She suspects that students may have broken into the student records system and altered their grades. If correct, which one of the tenets of information security did this attack violate?
Integrity
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)? Options Menu: Question Text
Kerberos
Which type of denial of service attack exploits the existence of software flaws to disrupt a service?
Logic Attack
Which agreement type is typically less formal than other agreements and expresses areas of common interest? Options Menu: Question Text
MOU
Which one of the following measures the average amount of time that it takes to repair a system, application, or component?
MTTR
When should an organization's managers have an opportunity to respond to the findings in an audit? Options Menu: Question Text
Managers should include their responses to the draft audit report in the final audit report.
Which security testing activity uses tools that scan for services running on systems? Options Menu: Question Text
Network Mapping
What is NOT a commonly used endpoint security technique?
Network firewall
What level of technology infrastructure should you expect to find in a cold site alternative data center facility?
No technology infrastructure
Beth must purchase firewalls for several network circuits used by her organization. Which one circuit will have the highest possible network throughput?
OC-12
Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales?
Opportunity Cost
Which mitigation plan is most appropriate to limit the risk of unauthorized access to workstations?
Password Protection
Which element of the security policy framework requires approval from upper management and applies to the entire organization?
Policy
Chris is writing a document that provides step-by-step instructions for end users seeking to update the security software on their computers. Performing these updates is mandatory. Which type of document is Chris writing?
Procedure
Which of the following does NOT offer authentication, authorization, and accounting (AAA) services? Options Menu: Question Text
RAID
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
RTO
Which group is the most likely target of a social engineering attack?
Receptionists and Administrative Assistants
What is the correct order of steps in the change control process? Options Menu: Question Text
Request impact assessment approval build/test implement monitor
Which item is an auditor least likely to review during a system controls audit? Options Menu: Question Text
Resumes of system administrator
George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?
Risk Management Guide for Information Technology Systems (NIST SP800-30)
Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register?
Risk Survey Results
What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications? Options Menu: Question Text
SAML
Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work? Options Menu: Question Text
SIEM
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request? Options Menu: Question Text
SOC 3
In what type of attack does the attacker send unauthorized commands directly to a database? Options Menu: Question Text
SQL injection
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network? Options Menu: Question Text
SSL
Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?
SaaS
What is NOT one of the three tenets of information security?
Safety
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control. Options Menu: Question Text
Security Kernel
From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)?
Security risks will increase
Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following? Options Menu: Question Text
Separation of Duties
In which type of attack does the attacker attempt to take over an existing connection between two systems?
Session Hijacking
Which intrusion detection system strategy relies upon pattern matching? Options Menu: Question Text
Signature Detection
Which one of the following is an example of two-factor authentication? Options Menu: Question Text
Smart card and PIN
Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place?
Spim
Which one of the following is an advantage that the Internet of Things (IoT) brings to economic development for countries?
Technical and Industry Development
Which one of the following is NOT an example of store-and-forward messaging?
Telephone Call
Which term describes an action that can damage or compromise an asset?
Threat
What type of malicious software masquerades as legitimate software to entice the user to run it?
Trojan Horse
A Chinese wall security policy defines a barrier and develops a set of rules that makes sure no subject gets to objects on the other side. Options Menu: Question Text
True
A DoS attack is a coordinated attempt to deny service by occupying a computer to perform large amounts of unnecessary tasks.
True
A degausser creates a magnetic field that erases data from magnetic storage media. Options Menu: Question Text
True
A dictionary attack works by hashing all the words in a dictionary and then comparing the hashed value with the system password file to discover a match. Options Menu: Question Text
True
A disaster recovery plan (DRP) directs the actions necessary to recover resources after a disaster.
True
A phishing email is a fake or bogus email intended to trick the recipient into clicking on an embedded URL link or opening an email attachment.
True
A smart card is a token shaped like a credit card that contains one or more microprocessor chips that accept, store, and send information through a reader. Options Menu: Question Text
True
Cars that have Wi-Fi access and onboard computers require software patches and upgrades from the manufacturer
True
Classification scope determines what data you should classify; classification process determines how you handle classified data. Options Menu: Question Text
True
Common methods used to identify a user to a system include username, smart card, and biometrics. Options Menu: Question Text
True
Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it. Options Menu: Question Text
True
During an audit, an auditor compares the current setting of a computer or device with a benchmark to help identify differences. Options Menu: Question Text
True
Encrypting the data within databases and storage devices gives an added layer of security.
True
Failing to prevent an attack all but invites an attack.
True
Fingerprints, palm prints, and retina scans are types of biometrics. Options Menu: Question Text
True
For businesses and organizations under recent compliance laws, data classification standards typically include private, confidential, internal use only, and public domain categories.
True
Hypertext Transfer Protocol (HTTP) is the communications protocol between web browsers and websites with data in cleartext.
True
In a Bring Your Own Device (BYOD) policy, the user acceptance component may include separation of private data from business data.
True
In e-business, secure web applications are one of the critical security controls that each organization must implement to reduce risk
True
In security testing data collection, observation is the input used to differentiate between paper procedures and the way the job is really done. Options Menu: Question Text
True
In security testing, reconnaissance involves reviewing a system to learn as much as possible about the organization, its systems, and its networks. Options Menu: Question Text
True
In the Remote Access Domain, if private data or confidential data is compromised remotely, you should set automatic blocking for attempted logon retries.
True
IoT technology has a significant impact on developing economies, given that it can transform countries into e-commerce-ready nations.
True
Log files are records that detail who logged on to a system, when they logged on, and what information or resources they used. Options Menu: Question Text
True
One of the first industries to adopt and widely use mobile applications was the healthcare industry
True
Organizations should start defining their IT security policy framework by defining an asset classification policy.
True
Rootkits are malicious software programs designed to be hidden from normal methods of detection.
True
SOC 2 reports are created for internal and other authorized stakeholders and are commonly implemented for service providers, hosted data centers, and managed cloud computing providers. Options Menu: Question Text
True
Screen locks are a form of endpoint device security control.
True
Simple Network Management Protocol (SNMP) is used for network device monitoring, alarm, and performance
True
Single sign-on (SSO) can provide for stronger passwords because with only one password to remember, users are generally willing to use stronger passwords. Options Menu: Question Text
True
Some vending machines are equipped with a cellular phone network antenna for secure credit card transaction processing.
True
Spyware gathers information about a user through an Internet connection, without his or her knowledge
True
Standards are used when an organization has selected a solution to fulfill a policy goal. Options Menu: Question Text
True
The System/Application Domain holds all the mission-critical systems, applications, and data
True
The asset protection policy defines an organization's data classification standard.
True
The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks.
True
With proactive change management, management initiates the change to achieve a desired goal. Options Menu: Question Text
True
Written security policies document management's goals and objectives. Options Menu: Question Text
True
An attacker attempting to break into a facility pulls the fire alarm to distract the security guard manning an entry point. Which type of social engineering attack is the attacker using?
Urgency
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete? Options Menu: Question Text
Waterfall
Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?
warm site
Which of the following is NOT one of the four fundamental principles outlined by the Internet Society that will drive the success of Internet of Things (IoT) innovation?
Secure
Policies that cover data management should cover transitions throughout the data life cycle. Options Menu: Question Text
True
When servers need operating system upgrades or patches, administrators take them offline intentionally so they can perform the necessary work without risking malicious attacks.
True