ISSA Quiz 3


Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is not normally used to make these types of classification decisions? a) Value b) Threat c) Sensitivity d) Criticality

b) Threat

Which intrusion detection system strategy relies on pattern matching? a) Traffic-based detection b) Behavior detection c) Signature detection d) Statistical detection

c) Signature detection

Which of the following is an example of a level of permissiveness? a) Prudent b) Permissive c) Promiscuous d) Paranoid e) All of these are correct

e) All of these are correct

Which of the following is an example of social engineering? a) an emotional appeal for help b) a phishing attack c) intimidation d) name-dropping e) all of these correct

e) all of these correct

T/F Security administration is the group of individuals responsible for planning, designing, implementing, and monitoring an organization's security plan.

True

A hardened configuration is a system that has had unnecessary services enabled.

False

T/F: An organization does not have to comply with both regulatory standards and organizational standards.

False

T/F When you use a control that costs more than the risk involved, you are making a poor management decision.

True

T/F: Configuration management is the management of modifications made to the hardware, software, firmware, documentation, test plans, and test documentation of an automated system throughout the system life cycle.

True

T/F: Data classification is the responsibility of the person who owns the data.

True

T/F: Policy sets the tone and culture of the organization.

True

T/F: Some of the tools and techniques used in security monitoring include baselines, alarms, closed-circuit TV, and honeypots.

True

Rylie is a newly hired cybersecurity expert for a government agency. Rylie used to work in the private sector. She has discovered that, whereas private sector companies often had confusing hierarchies for data classification, the government's classifications are well known and standardized. As part of her training, she is researching data that requires special authorization beyond normal classification. What is this type of data called? a) Compartmentalized b) Exclusive c) Assured d) Public

a) Compartmentalized

Lin is conducting an audit of an identity management system. Which question is not likely to be in the scope of her audit? a) Does the firewall properly block unsolicited network connection attempts? b) Who grants approval for access requests? c) Is the password policy uniformly enforced? d) Does the organization have an effective password policy?

a) Does the firewall properly block unsolicited network connection attempts?

Omar is an infrastructure security professional. After reviewing a set of professional ethics issued by his company, he is learning and adopting ethical boundaries in an attempt to demonstrate them to others. What is this called? a) Encouraging the adoption of ethical guidelines and standards b) Understanding common assumptions that lead computer users to unethical behavior c) Informing users through security awareness training d) Communicating the freedom to access all system resources

a) Encouraging the adoption of ethical guidelines and standards

Biyu is a network administrator. She is developing the compliance aspect of her company's security policy. Currently, she is focused on the records of actions that the organization's operating system or application software creates. What aspect of compliance is Biyu focusing on? a) Event logs b) Professional ethics c) Remediation d) Certification

a) Event logs

An effective audit report gets right to the point and often begins with a summary followed by the details. Because the summary may find its way outside the organization's leadership, what should auditors take care not to do? a) Expose security weaknesses b) Establish baselines c) List the timeline for implementation of changes d) Set a follow-up schedule

a) Expose security weaknesses

Host isolation is the isolation of internal networks and the establishment of a(n): a) HIDS b) DMZ c) IDS d) IPS

b) DMZ

_______ direct the process of implementing the same hardware and software configurations across an organization to minimize security risk. a) policies b) standards c) procedures d) baselines

b) standards

There are several types of software development methods, but most traditional methods are based on the _______ model. a) modification b) waterfall c) developer d) integration

b) waterfall

What is a set of concepts and policies for managing IT infrastructure, development, and operations? The information is published in a series of books, each covering a separate IT management topic. a) Control Objectives for Information and Related Technology (COBIT) b) ISO 27002 c) National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) d) IT Infrastructure Library (ITIL)

d) IT Infrastructure Library (ITIL)

Rodrigo has just received an email at work from an unknown person. The sender claims to have incriminating evidence against Rodrigo and threatens to release it to his employer and his family unless he discloses certain confidential information about his employer's company. Rodrigo does not know that several other people in the organization received the same email. What form of social engineering has occurred? a) Intimidation b) Phishing c) Name dropping d) Appeal for help

a) Intimidation

Which agreement type is typically less formal than other agreements and expresses areas of common interest? a) Memorandum of understanding (MOU) b) Interconnection security agreement (ISA) c) Service-level agreement (SLA) d) Blanket purchase agreement (BPA)

a) Memorandum of understanding (MOU)

Janette is the director of her company's network infrastructure group. She is explaining to the business owners the advantages and disadvantages of outsourcing network security. One consideration she presents is the question of who would be responsible for the data, media, and infrastructure. What consideration is she describing? a) Ownership b) Privacy c) Risk d) Adherence to policy

a) Ownership

Christopher is designing a security policy for his mid-size company. He would like to use an approach that allows a reasonable list of activities but prohibits all other activities. Which level of permission is he planning to use? a) Prudent b) Permissive c) Promiscuous d) Paranoid

a) Prudent

What is the least likely goal of an information security awareness program? a) Punish users who violate policy b) Inform users about trends and threats in security c) Motivate users to comply with security policy d) Teach users about security objectives

a) Punish users who violate policy

_______ is used when it is not as critical to detect and respond to incidents immediately. a) non-real-time monitoring b) a logical access control c) real-time monitoring d) none of these is correct

a) non-real-time monitoring

Because __________, auditing every part of an organization and extending into all outsourcing partners may not be possible. a) of resource constraints b) all users should be informed they are being audited c) all users should not be informed they are being audited d) such an extensive audit is outside of best practices recommendations

a) of resource constraints

In ________ methods, the IDS compares current traffic with activity patterns consistent with those of a known network intrusion via pattern matching and stateful matching. a) signature-based b) anomaly-based c) heuristic scanning d) all of these are correct

a) signature-based

More and more organizations use the term ________ to describe the entire change and maintenance process for applications. a) system development life cycle (SDLC) b) system life cycle (SLC) c) system maintenance life cycle (SMLC) d) None of these is correct

a) system development life cycle (SDLC)

Takako is a security engineer for her company's IT department. She has been tasked with developing a security monitoring system for the company's infrastructure to determine when any network activity occurs outside the norm. What essential technique does she start with? a) Covert acts b) Baselines c) Intrusion detection system (IDS) d) Alarms

b) Baselines

Antonio is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring? a) Clipping error b) False positive error c) Remote administration error d) False negative error

b) False positive error

Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is not a good approach for destroying data? a) Repeatedly overwriting data b) Formatting c) Degaussing d) Physical destruction

b) Formatting

Which software testing method provides random input to see how software handles unexpected data? a) Injection b) Fuzzing c) Valid error input d) boundary input

b) Fuzzing

When should an organization's managers have an opportunity to respond to the findings in an audit? a) Managers should write a report after receiving the final audit report. b) Managers have the opportunity to respond to a draft copy of the audit report. Auditors then put that response in the final report. c) Managers should not have an opportunity to respond to audit findings. d) Managers should write a letter to the Board following receipt of the audit report.

b) Managers have the opportunity to respond to a draft copy of the audit report. Auditors then put that response in the final report.

In 1989, the IAB issued a statement of policy about Internet ethics. The document is known as: a) OECD b) RFC 1087 c) CompTIA Candidate Code of Ethics d) None of these are correct

b) RFC 1087

Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work? a) Intrusion prevention system (IPS) b) Security information and event management (SIEM) system c) Virtual private network (VPN) d) Data loss prevention (DLP) system

b) Security information and event management (SIEM) system

Log files can help provide evidence of normal and abnormal system activity, as well as valuable information on how well security controls are doing their jobs. Regulation, policy, or log volume might dictate how much log information to keep. If a log file is subject to litigation, how long must a company keep it? a) A minimum of seven years b) Until the case is over c) Until litigation starts d) At least one year

b) Until the case is over

An audit examines whether security controls are appropriate, installed correctly, and: a) current b) addressing their purpose c) authorized d) cost effective

b) addressing their purpose

Cherilyn is a security consultant hired by a company to develop its system auditing protocols. She and the company's chief information officer (CIO) agree that audits are an important consideration. In her report to the CIO and other C-level officers of the corporation, she recommends that the security policy include audit categories and ______________ for conducting audits. a) appropriate security levels b) frequency requirements c) permissions protocols d) data security standards

b) frequency requirements

Which of the following is true of procedures? a) They increase mistakes in a crisis b) They provide for places within the process to conduct assurance checks c) They result in important steps being overlooked d) None of these is correct e) All of these are correct

b) They provide for places within the process to conduct assurance checks

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve? a) Building internal knowledge b) Developing in-house talent c) Access to a higher level of expertise d) Higher degree of privacy

c) Access to a higher level of expertise

What is not a privacy principle created by the Organisation for Economic Co-operation and Development (OECD)? a) An organization should collect only what it needs. b) An organization should keep its information up to date. c) An organization should share its information. d) An organization should properly destroy its information when it is no longer needed.

c) An organization should share its information.

In an accreditation process, who has the authority to approve a system for implementation? a) Certifier b) System owner c) Authorizing official (AO) d) System administrator

c) Authorizing official (AO)

Hajar is a network engineer. She is creating a system of access involving clearance and classification based on users and the objects they need in a secure network. She is restricting access to secure objects by users based on least privilege and which of the following? a) Separation of duties b) Job rotation c) Need to know d) Security awareness

c) Need to know

Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking? a) System design specification b) Functional requirements and definition c) Project initiation and planning d) Operations and maintenance

c) Project initiation and planning

What is the correct order of change control procedures regarding changes to systems and networks? a) Request, approval, impact assessment, build/test, monitor, implement b) Request, impact assessment, approval, build/test, monitor, implement c) Request, impact assessment, approval, build/test, implement, monitor d) Request, approval, impact assessment, build/test, implement, monitor

c) Request, impact assessment, approval, build/test, implement, monitor

Mia is her company's network security professional. She is developing access policies based on personnel security principles. As part of this effort, she is devising a method of taking high-security tasks and splitting them among several different employees so that no one person is responsible for knowing and performing the entire task. What practice is she developing? a) Mandatory vacations b) Limiting access c) Separation of duties d) Job rotation

c) Separation of duties

A _______ is a standard used to measure how effective a system is as it relates to industry expectations. a) control objective b) configuration c) benchmark d) policy

c) benchmark

Leola is a cybersecurity consultant hired by a company to test the effectiveness of its network's defenses. She has something in common with the malicious people who would perform the same tasks involved in _________________, except that, unlike Leola, they would not have consent to perform this action against the system. a) stateful matching b) network access control c) penetration testing d) system hardening

c) penetration testing

A common platform for capturing and analyzing log entries is: a) anomaly-based intrusion detection system b) honeypot c) security information and event management (SIEM) d) pattern-based intrusion detection system e) all of these are correct

c) security information and event management (SIEM)

A(n) ____________ is a formal contract between an organization and a third-party external organization that details the specific services the firm will provide. a) security event log b) incident response c) service level agreement (SLA) d) compliance report

c) service level agreement (SLA)

Lin is creating a template for the configuration of Windows servers in her organization. The configuration includes the basic security settings that should apply to all systems. What type of document should she create? a) Policy b) Procedure c) Guideline d) Baseline

d) Baseline

Donnelly is an IT specialist. He is in charge of the server and network appliances inventory. The infrastructure roadmap calls for a network systems reconfiguration in the next six months. Adina, the security expert, asks Donnelly to prepare a standardized list of all current and proposed equipment and then to present it to her in a hardware configuration chart. What does Adina tell Donnelly that the chart should include? a) System life cycle b) Change control management c) Impact assessment d) Copies of all software configurations for routers and switches

d) Copies of all software configurations for routers and switches

Applications represent the most common avenue for users, customers, and attackers to access data, which means you must build the software to enforce the security policy and to ensure compliance with regulations, including the privacy and integrity of both data and system processes. Regardless of the development model, the application must validate all input. Certain attacks can take advantage of weak validation. One such attack provides script code that causes a trusted user who views the input script to send malicious commands to a web server. What is this called? a) Structured Query Language (SQL) injection b) Distributed denial of service (DDoS) c) Cross-site scripting (XSS) d) Cross-site request forgery (XSRF)

d) Cross-site request forgery (XSRF)

What is a goal of vulnerability testing? a) Bypassing controls b) Exploiting vulnerabilities c) Identifying threats d) Documenting the lack of security control or misconfiguration

d) Documenting the lack of security control or misconfiguration

Antivirus, firewall, and email use policies belong to what part of a security policy hierarchy? a) Supporting mechanisms b) Environment c) Organizational security policy d) Functional policies in support of organization policy

d) Functional policies in support of organization policy

Security controls place limits on activities that might pose a risk to an organization. Ricky, a security engineer for his company, is performing a review and measurement of all controls to capture changes to any environment component. What is this called? a) Securing b) Auditing c) Remediating d) Monitoring

d) Monitoring

Which regulatory standard would not require audits of companies in the United States? a) Sarbanes-Oxley Act (SOX) b) Health Insurance Portability and Accountability Act (HIPAA) c) Payment Card Industry Data Security Standard (PCI DSS) d) Personal Information Protection and Electronic Documents Act (PIPEDA)

d) Personal Information Protection and Electronic Documents Act (PIPEDA)

Jermaine is a security administrator for his company. He is developing a defense against attacks based on network-mapping methods. He prevents the Internet Control Message Protocol (ICMP) from operating to stop attackers from using ping packets to discover the network layout, but he must also guard against operating system fingerprinting since many attacks are tailored to specific operating systems. What must Jermaine be concerned about? a) Snapshots b) Zone transfers c) Unnecessary services d) Port mapping

d) Port mapping

___________ is the concept that users should be granted only the levels of permissions they need in order to perform their duties. a) Mandatory vacations b) Separation of duties c) Job rotation d) Principle of least privilege e) None of these is correct

d) Principle of least privilege

Aditya is a network technician. He is collecting system data for an upcoming internal system audit. He is currently performing vulnerability testing to determine what weaknesses may exist in the network's security. What form of assessment is he conducting? a) Observation b) Configuration review c) Checklists d) Security testing

d) Security testing

Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request? a) Service Organization Control (SOC) 1 b) Service Organization Control (SOC) 2 c) Statement on Auditing Standards (SAS) 70 d) Service Organization Control (SOC) 3

d) Service Organization Control (SOC) 3

What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system? a) Data loss prevention b) Network intrusion detection system (IDS) c) Closed-circuit TV d) System integrity monitoring

d) System integrity monitoring

The security program requires documentation of: a) the security process. b) the policies, procedures, and guidelines adopted by the organization. c) the authority of the persons responsible for security. d) all of these are correct e) none of these is correct

d) all of these are correct

The change management process includes ________ control and ________ control. a) clearance; classification b) document; data c) hardware inventory; software development d) configuration; change

d) configuration; change

The review of the system to learn as much as possible about the organization, its systems, and networks is known as: a) penetration testing b) vulnerability testing c) network mapping d) reconnaissance

d) reconnaissance

The objectives of classifying information include which of the following? a) to identify data value in accordance with organization policy b) to identify information protection requirements c) to standardize classification labeling throughout the organization d) to comply with privacy law, regulations, and so on e) All of these are correct

e) All of these are correct

Post-audit activities include which of the following: a) Presenting findings to management b) data analysis c) exit interviews d) reviewing of auditor's findings e) all of these are correct

e) all of these are correct

When developing software, you should ensure the application does which of the following? a) Has edit checks, range checks, validity checks, and other similar controls b) check user authorization c) check user authentication to the application d) has procedures for recovering database integrity in the event of system failure e) all of these are correct

e) all of these are correct
