ITC560 Exam 2 Review Questions (Chapters 6-10)
Lin is creating a template for the configuration of Windows servers in her organization. The configuration includes the basic security settings that should apply to all systems. What type of document should she create?
Baseline
Which security model does not protect the integrity of information?
Bell-La Padula
Tonya would like to protect her users and the network when users browse to known dangerous sites. She plans to maintain a list of those sites and drop messages from those websites. What type of approach is Tonya advocating?
Blacklisting
Which cryptographic attack is relevant in only asymmetric key systems and hash functions?
Chosen ciphertext
Donnelly is an IT specialist. He is in charge of the server and network appliances inventory. The infrastructure roadmap calls for a network systems reconfiguration in the next six months. Adina, the security expert, asks Donnelly to prepare a standardized list of all current and proposed equipment and then to present it to her in a hardware configuration chart. What does Adina tell Donnelly that the chart should include?
Copies of all software configurations for routers and switches
Maria receives a ciphertext message from her colleague Wen. What type of function does Maria need to use to read the plaintext message?
Decryption
Alice and Bob would like to communicate with each other using a session key, but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key?
Diffie-Hellman
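Added worked example, not part of the review questions: a finite-field Diffie-Hellman exchange in Python showing that Alice and Bob, each knowing only their own private exponent, derive the same session key from the two public values that cross the wire. The parameters P and G are an assumption made for readability, not a vetted DH group; production code uses a standardized RFC 3526 MODP group or elliptic-curve DH.

```python
import secrets
from hashlib import sha256

# Public parameters. ASSUMPTION for this example: P is a prime picked to keep
# the demo short, not a standardized DH group. Real deployments use RFC 3526
# MODP groups (2048 bits or more) or elliptic-curve DH.
P = 2**255 - 19
G = 2


def is_valid_public(value, p=P):
    """Reject 0, 1 and p-1: public values an attacker could send to force
    the shared secret into a tiny subgroup."""
    return 2 <= value <= p - 2


def keypair(p=P, g=G):
    """Pick a random private exponent x and return (x, g^x mod p)."""
    x = secrets.randbelow(p - 3) + 2          # 2 <= x <= p - 2
    return x, pow(g, x, p)


def shared_secret(peer_public, my_private, p=P):
    """Compute (g^y)^x mod p after validating the peer's public value."""
    if not is_valid_public(peer_public, p):
        raise ValueError("invalid peer public value")
    return pow(peer_public, my_private, p)


def session_key(secret):
    """Derive a fixed-size symmetric key from the raw shared secret."""
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    return sha256(raw).digest()


def exchange():
    """Run both sides. Only a_pub and b_pub are sent over the network; an
    eavesdropper who sees them (plus P and G) must solve a discrete
    logarithm to recover the key. Returns (alice_key, bob_key)."""
    a_priv, a_pub = keypair()          # Alice's side
    b_priv, b_pub = keypair()          # Bob's side
    alice_key = session_key(shared_secret(b_pub, a_priv))   # Alice uses Bob's public value
    bob_key = session_key(shared_secret(a_pub, b_priv))     # Bob uses Alice's public value
    return alice_key, bob_key


if __name__ == "__main__":
    k1, k2 = exchange()
    print("keys match:", k1 == k2)
```

Plain Diffie-Hellman gives a shared secret but no authentication: an active attacker in the middle can run one exchange with Alice and another with Bob. Protocols such as TLS sign the public values with a digital signature (see the digital signature items in this review) to close that gap.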
Security objectives add value to relationships between businesses or between businesses and their customers. Which objective binds a message or data to a specific entity?
Digital Signature
What type of attack occurs in real time and is often conducted against a specific target?
Direct Attacks
True or False? A best practice is the standard collection of configuration settings or performance metrics to which a system is compared to determine whether it is securely configured.
False
True or False? A port-scanning tool enables an attacker to escalate privileges on a network server.
False
Janette is the director of her company's network infrastructure group. She is explaining to the business owners the advantages and disadvantages of outsourcing network security. One consideration she presents is the question of who would be responsible for the data, media, and infrastructure. What consideration is she describing?
Ownership
Christopher is designing a security policy for his mid-size company. He would like to use an approach that allows a reasonable list of activities but prohibits all other activities. Which level of permission is he planning to use?
Prudent
Which approach to cryptography uses highly parallel algorithms that could solve problems in a fraction of the time needed by conventional computers?
Quantum Cryptography
Bob is developing a web application that depends on a backend database. What type of attack could a malicious individual use to send commands through his web application to the database?
SQL Injection
Aditya is a network technician. He is collecting system data for an upcoming internal system audit. He is currently performing vulnerability testing to determine what weaknesses may exist in the network's security. What form of assessment is he conducting?
Security Testing
True or False? An American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) 3 report is intended for public consumption.
True
True or False? Transport Layer Security (TLS) is an example of a transport encryption protocol.
True
Which information security objective verifies the action to create an object or verifies an object's existence by an entity other than the creator?
Witnessing
Because ________, auditing every part of an organization and extending into all outsourcing partners may not be possible.
of resource constraints
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
Access to a high level of expertise
Jackson is a cybercriminal. He is attempting to keep groups of a company's high-level users from accessing their work network accounts by abusing a policy designed to protect employee accounts. Jackson attempts to log in to their work accounts repeatedly using false passwords. What security method is he taking advantage of?
Account Lockout Policies
What is not a privacy principle created by the Organisation for Economic Co-operation and Development (OECD)?
An organization should share its information
What file type is least likely to be impacted by a file infector virus?
.docx (file infectors attack executable programs, such as files with .exe extensions)
True or False? American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) 2 reports are commonly implemented for service providers, hosted data centers, and managed cloud computing providers.
True
True or False? An algorithm is a repeatable process that produces the same output when it receives the same input.
True
True or False? Attackers have established thousands of botnets, which they use to distribute malware and spam and to launch denial of service (DoS) attacks against organizations or even countries.
True
True or False? Attacks against confidentiality and privacy, data integrity, and availability of services are all ways malicious code can threaten businesses.
True
True or False? Because people inside an organization generally have more detailed knowledge of the IT infrastructure than outsiders do, they can place logic bombs more easily.
True
True or False? Change control is the management of changes to the configuration of a system.
True
True or False? Common methods used to identify a user to a system include username, smart card, and biometrics.
True
True or False? Defense in depth is the practice of layering defenses to increase overall security and provide more reaction time to respond to incidents.
True
True or False? During an IT audit, all security controls are checked to ensure they are effective, reliable, and functioning as required and expected.
True
True or False? During the planning and execution phases of an audit, an auditor will most likely review risk analysis output.
True
True or False? Elliptic curve cryptography (ECC) relies on algebraic structures of elliptic curves over finite fields.
True
True or False? If a company informs employees that email sent over the company's network is monitored, the employees can no longer claim to have an expectation of privacy.
True
True or False? Log files are one way to prove accountability on a system or network.
True
True or False? One way to harden a system is to turn off or disable unnecessary services.
True
True or False? Policies that cover data management should cover transitions throughout the data's life cycle.
True
True or False? Revocation is a security measure that stops authorization for access to data.
True
True or False? Standards are mandated requirements for hardware and software solutions used to address security risk throughout an organization.
True
True or False? The function of homepage hijacking is to change a browser's homepage to point to the attacker's site.
True
True or False? The idea that users should only be granted the levels of permission they need to perform their duties is called the principle of least privilege.
True
True or False? The purpose of a security audit is to make sure computing environments and security controls work as expected.
True
True or False? The success of Trojans is due to their reliance on social engineering to spread and operate; they have to trick users into running them.
True
True or False? The term "web defacement" refers to someone gaining unauthorized access to a web server and altering the index page of a site on the server.
True
True or False? Unlike viruses, worms do not require a host program to survive and replicate.
True
True or False? Using the names of superiors to convince another person that a higher authority has allowed access to information is a form of social engineering.
True
True or False? When planning an IT audit, one must ensure that the areas not reviewed in the current audit will be subject to another audit.
True
True or False? You can break a cipher by analyzing the ciphertext to find the plaintext or key or by analyzing the ciphertext and its associated plaintext to find the key.
True
Wen is a network engineer. For several months, he has been designing a system of controls to allow and restrict access to network assets based on various methods and information. He is currently configuring the authentication method. What does this method do?
Verifies that requestors are who they claim to be
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Memorandum of Understanding (MOU)
Hajar is a network engineer. She is creating a system of access involving clearance and classification based on users and the objects they need in a secure network. She is restricting access to secure objects by users based on least privilege and which of the following?
Need to know
Omar is an infrastructure security professional. After reviewing a set of professional ethics issued by his company, he is learning and adopting ethical boundaries in an attempt to demonstrate them to others. What is this called?
Which type of authentication includes smart cards?
Ownership
An automatic teller machine (ATM) uses a form of constrained user interface to limit the user's ability to access resources in the system. Specifically for ATMs, which method is being used?
Physically constrained user interface. The user cannot poke around inside the ATM without using force or having the necessary keys.
What is the least likely goal of an information security awareness program?
Punish users who violate policy
What is the correct order of change control procedures regarding changes to systems and networks?
Request, impact assessment, approval, build/test, implement, monitor
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request?
SOC 3
Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?
Separation of duties
What is an example of two-factor authentication (2FA)?
A smart card (something you have) and a PIN (something you know) both being required to access something.
Which of the following principles is not a component of the Biba integrity model?
Subjects cannot change objects that have a lower integrity level.
Which set of characteristics describes the Caesar cipher accurately?
Symmetric, stream, substitution
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?
System integrity monitoring
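Added example, not from the review: the core of a system integrity monitor in Python. A baseline of file hashes is recorded when the system is in its known-good configuration, and later snapshots are compared against it to report added, removed and modified files. The file contents below are constructed for the example and stand in for a walk of the real filesystem.

```python
import hashlib

# Constructed sample contents standing in for a real filesystem walk.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # changed
    "/usr/local/bin/helper": b"#!/bin/sh\necho unexpected\n",                      # added
}


def snapshot(files):
    """Baseline: SHA-256 of every file's content, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline, current):
    """Report paths that were added, removed or modified since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def check(baseline_files=BASELINE_FILES, current_files=CURRENT_FILES):
    """Take a fresh snapshot and diff it against the recorded baseline."""
    return compare(snapshot(baseline_files), snapshot(current_files))


if __name__ == "__main__":
    for kind, paths in check().items():
        print(f"{kind}: {paths}")
```

The baseline is only useful if an intruder cannot rewrite it along with the files it covers, so it is stored off-host or signed, and it is regenerated only through the change control process rather than whenever a difference appears.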
True or False? A Chinese wall security policy defines a barrier and develops a set of rules to ensure that no subject gets to objects on the other side.
True
Which type of cipher works by rearranging the characters in a message?
Transposition
Lin installed a time-management utility that she downloaded from the internet. Now several applications are not responding to normal commands. What type of malware did she likely encounter?
Trojan horse
Which of the following is the point at which two error rates of a biometric system are equal and is the measure of the system's accuracy expressed as a percentage?
Crossover error rate (CER). The point at which the false acceptance rate (FAR) and the false rejection rate (FRR) are equal.
What program, released in 2013, is an example of ransomware?
CryptoLocker
True or False? Authentication by characteristics/biometrics is based on something you have, such as a smart card, a key, a badge, or either a synchronous or asynchronous token.
False
True or False? Committee of Sponsoring Organizations (COSO) is a set of best practices for IT management.
False
True or False? Hijacking refers to the use of social engineering to obtain access to credentials, such as usernames and passwords.
False
True or False? In mandatory access control (MAC), access rules are closely managed by the security administrator and not by the system owner or ordinary users for their own files.
True. In MAC the security administrator sets the labels and access rules; it is discretionary access control (DAC) that lets the owner of a file decide who may access it.
True or False? In a known-plaintext attack (KPA), the cryptanalyst has access only to a segment of encrypted data and has no choice as to what that data might be.
False. That describes a ciphertext-only attack; in a KPA the analyst also has the plaintext that corresponds to the ciphertext.
True or False? Kerberos is an example of a biometric method.
False
True or False? Passphrases are less secure than passwords.
False
True or False? Regarding log monitoring, false negatives are alerts that seem malicious but are not real security events.
False
True or False? Stealth viruses attack countermeasures, such as antivirus signature files or integrity databases, by searching for these data files and deleting or altering them.
False
True or False? The U.S. Government currently has no standard for creating cryptographic keys for classified applications.
False
True or False? The four central components of access control are users, resources, actions, and features.
False
True or False? The term "data owner" refers to the person or group that manages an IT infrastructure.
False
True or False? The waterfall software development model works well in very dynamic environments where requirements change and are often revisited.
False
True or False? Voice pattern biometrics are accurate for authentication because voices cannot easily be replicated by computer software.
False
True or False? You must always use the same algorithm to encrypt information and decrypt the same information.
False
Antonio is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to the server using Secure Shell (SSH). What type of error is occurring?
False Positive Error
Anya is a cybersecurity engineer for a high-secrecy government installation. She is configuring biometric security that will either admit or deny entry using facial recognition software. Biometric devices have error rates and certain types of accuracy errors that are more easily tolerated depending on need. In this circumstance, which error rate is she likely to allow to be relatively high?
False Rejection Rate
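Added example, not from the review, covering both the crossover error rate item above and this high-secrecy item: a threshold sweep over constructed biometric match scores. At each acceptance threshold the code computes the FAR (impostors accepted) and FRR (legitimate users rejected), finds the crossover where they are equal, and shows that a stricter threshold drives FAR to zero at the cost of a much higher FRR, which is the trade Anya accepts. The score lists are constructed for the example.

```python
# Constructed similarity scores (0..100); higher means closer to the enrolled
# template. A real system would have thousands of each.
GENUINE = [62, 70, 74, 78, 81, 83, 85, 88, 90, 94]    # legitimate users
IMPOSTOR = [30, 41, 48, 55, 60, 64, 68, 72, 75, 79]   # other people


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) in percent when scores >= threshold are accepted."""
    far = 100 * sum(s >= threshold for s in impostor) / len(impostor)
    frr = 100 * sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every threshold; return (threshold, CER) at the point where
    FAR and FRR are closest to equal. Lower CER means a more accurate system."""
    best = None
    for t in range(0, 101):
        far, frr = rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    t, cer = crossover_error_rate()
    print(f"crossover at threshold {t}: CER = {cer}%")
    far, frr = rates(80)                       # stricter setting for a high-secrecy site
    print(f"threshold 80: FAR = {far}%, FRR = {frr}%")
```

Raising the threshold never increases FAR and never decreases FRR, so a site that cannot tolerate a single impostor tunes above the crossover and absorbs the extra legitimate rejections with a fallback such as a guard-assisted check.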
True or False? Temporal isolation is commonly used in combination with rule-based access control.
False. Temporal isolation restricts access to specific times (like business hours) and is used jointly with role based access control
Some ciphers, regardless of type, rely on the difficulty of solving certain mathematical problems, which is the basis for asymmetric key cryptography. Which of the following is a branch of mathematics that involves multiplicative inverses that these ciphers use?
Field theory
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is not a good approach for destroying data?
Formatting. Formatting rewrites the file system structures but does not remove the data on the disk.
Cherilyn is a security consultant hired by a company to develop its system auditing protocols. She and the company's chief information officer (CIO) agree that audits are an important consideration. In her report to the CIO and other C-level officers of the corporation, she recommends that the security policy include audit categories and ____ for conducting audits.
Frequency requirements
Bob is sending a message to Alice. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Bob attempting to achieve?
Integrity
Rodrigo has just received an email at work from an unknown person. The sender claims to have incriminating evidence against Rodrigo and threatens to release it to his employer and his family unless he discloses certain confidential information about his employer's company. Rodrigo does not know that several other people in the organization received the same email. What form of social engineering has occurred?
Intimidation
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?
Kerberos
In an accreditation process, who has the authority to approve a system for implementation?
Authorizing Officials (AO)
Lincoln is a network security specialist. He is updating the password policy for his company's computing infrastructure. His primary method of improving password policy involves lowering the chance that an attacker can compromise and use the password before it expires. What does he do?
Enables a 30-day password change policy
Biyu is a network administrator. She is developing the compliance aspect of her company's security policy. Currently, she is focused on the records of actions that the organization's operating system or application software creates. What aspect of compliance is Biyu focusing on?
Event Logs
True or False? Change does not create risk for a business.
False
True or False? A smurf attack tricks users into providing logon information on what appears to be a legitimate website but is in fact a website set up by an attacker to obtain this information.
False. That describes phishing. A smurf attack is a distributed denial of service (DDoS) attack that occurs at Layer 3.
True or False? The number of failed logon attempts that trigger an account action is called an audit logon event.
False
Bob is sending a message to Alice. He wants to ensure that nobody can read the content of the message while it is in transit. What goal of cryptography is Bob attempting to achieve?
Confidentiality
Which regulatory standard would not require audits of companies in the United States?
PIPEDA. This is a Canadian law and does not apply to companies in the United States.
Jermaine is the security administrator for his company. He is developing a defense against attacks based on network-mapping methods. He prevents the Internet Control Message Protocol (ICMP) from operating to stop attackers from using ping packets to discover the network layout, but he must also guard against operating system fingerprinting since many attacks are tailored to specific operating systems. What must Jermaine be concerned about?
Port mapping
Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking?
Project initiation and planning
Arturo discovers a virus on his system that resides only in the computer's memory and not in a file. What type of virus has he discovered?
Resident Virus
Mia is her company's network security professional. She is developing access policies based on personnel security principles. As part of this effort, she is devising a method of taking high-security tasks and splitting them among several different employees so that no one person is responsible for knowing and performing the entire task. What practice is she developing?
Separation of Roles/Duties
The chief executive officer (CEO) of a company recently fell victim to an attack. The attackers sent the CEO an email that appeared to come from the company's attorney. The email informed the CEO that his company was being sued and he needed to view a subpoena at a court website. When visiting the website, malicious code was downloaded onto the CEO's computer. What type of attack took place?
Spear Phishing
True or False? A backdoor is a hidden way to bypass access controls and allow access to a system or resource.
True
True or False? A host-based intrusion detection system (HIDS) can recognize an anomaly that is specific to a particular machine or user.
True
True or False? A keyword mixed alphabet cipher uses a cipher alphabet that consists of a keyword, minus duplicates, followed by the remaining letters of the alphabet.
True
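Added example, not from the review, serving the Caesar cipher, transposition cipher, keyword mixed alphabet and cipher-breaking items in this set: a small Python implementation of each classical cipher type. Caesar falls out as the special case of a substitution alphabet that is the plain alphabet rotated; the keyword mixed alphabet is the keyword minus duplicates followed by the remaining letters; columnar transposition only rearranges characters, so the ciphertext has exactly the plaintext's letters. The last function is a known-plaintext attack: a single aligned plaintext/ciphertext letter pair recovers the Caesar key. The messages and keys are constructed for the example.

```python
import string

ALPHABET = string.ascii_uppercase


def keyword_alphabet(keyword):
    """Keyword letters with duplicates removed, then the rest of the alphabet."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def caesar_alphabet(shift):
    """Caesar is substitution with the plain alphabet rotated by `shift`."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]


def substitute(text, cipher_alphabet, decrypt=False):
    """Monoalphabetic substitution. The same table serves both directions
    (symmetric) and each character is handled as it arrives (stream).
    Non-letters pass through unchanged."""
    src, dst = (cipher_alphabet, ALPHABET) if decrypt else (ALPHABET, cipher_alphabet)
    return text.upper().translate(str.maketrans(src, dst))


def columnar_transposition(text, key):
    """Write the letters in rows under the key, then read the columns in the
    alphabetical order of the key letters. Letters are rearranged, not replaced."""
    letters = "".join(ch for ch in text.upper() if ch in ALPHABET)
    cols = len(key)
    letters += "X" * (-len(letters) % cols)     # pad to a full rectangle (assumption)
    key = key.upper()
    order = sorted(range(cols), key=lambda i: key[i])
    return "".join(letters[i::cols] for i in order)


def recover_caesar_shift(plaintext, ciphertext):
    """Known-plaintext attack: one aligned letter pair reveals the Caesar key."""
    for p, c in zip(plaintext.upper(), ciphertext.upper()):
        if p in ALPHABET and c in ALPHABET:
            return (ALPHABET.index(c) - ALPHABET.index(p)) % 26
    return None


if __name__ == "__main__":
    msg = "ATTACK AT DAWN"
    c = substitute(msg, caesar_alphabet(3))
    print("Caesar(3):      ", c)
    print("recovered shift:", recover_caesar_shift(msg, c))
    print("keyword alphabet:", keyword_alphabet("SECURITY"))
    print("transposition:  ", columnar_transposition(msg, "ZEBRA"))
```

The known-plaintext recovery is why a Caesar-style cipher offers no security: knowing any plaintext/ciphertext pair (or simply trying all 25 shifts on the ciphertext alone) yields the key, and the substitution table then decrypts every other message under that key.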
True or False? A smart card is an example of a logical access control.
True
True or False? An auditing benchmark is the standard by which a system is compared to determine whether it is securely configured.
True
True or False? Classification scope determines what data to classify; classification process determines how to handle classified data.
True
True or False? Digital signatures require asymmetric key cryptography.
True
True or False? Worms operate by encrypting important files or even the entire storage device and making them inaccessible.
False. That describes ransomware. A worm is self-replicating code that spreads over a network without needing a host program.
What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registration?
Whois