Midterm Review


What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system? A. Network IDS B. System integrity monitoring C. CCTV D. Data loss prevention

B. System integrity monitoring

A security analyst a. Handles security incidents, reviews logs during the response process b. Approves the changes to application configuration required for logging and log review c. Administers security controls on one or more systems or applications d. Handles operational security processes, accesses security systems and analyzes logs and other data

a. Handles security incidents, reviews logs during the response process

The language of Networks and the Internet is: a. TCP/IP b. HTTP/HTTPS c. DNS d. Internet Message Access Protocol (IMAP) e. Simple Network Management Protocol (SNMP)

a. TCP/IP

HIPAA was designed to protect: a. consumers. b. doctors. c. hospitals. d. insurance companies.

a. consumers.

Post-audit activities include which of the following? A. All of the above B. reviewing of auditor's findings C. exit interviews D. presenting findings to management E. data analysis

A. All of the above

My web browser can handle encrypted traffic because of: A. HTTP/HTTPS B. TCP/IP C. DNS D. Simple Network Management Protocol (SNMP) E. Internet Message Access Protocol (IMAP)

A. HTTP/HTTPS

_____ defines the ranges of an organization's acceptance for specific risks. A. Risk tolerance B. Risk aversion C. Probability D. Risk appetite

A. Risk tolerance

What best practice helps to prevent unauthorized change to a computer system? A. SCM B. CCTV C. Data loss prevention D. NSM

A. SCM

Which of the following defines the goals for an audit? A. Audit objective B. Audit scope C. Audit frequency D. Audit report

A. Audit objective

Consider the following: I. List tasks along one axis and personnel or roles along the other axis. II. Assign a level or responsibility for each role and task. III. Assign each person or role a level of responsibility and accountability for each task. The above three steps pertain to the creation of the ____________________ A. RACI matrix B. separation of duties matrix C. MAC matrix D. compliance matrix

A. RACI matrix

You are concerned that an attacker can gain access to your Web server, make modifications to the system, and then alter the log files to hide his actions. Which of the following actions would best protect the log files? A. Use syslog to send log entries to another server B. Keep all logs local to the host C. Use Windows Event Manager D. Use a proprietary logging language so the hacker can't understand it

A. Use syslog to send log entries to another server

______________ are mechanisms that repair damage caused by an undesired action and limit further damage, such as the procedure to remove viruses or using a firewall to block an attacking system. A. corrective controls B. secure systems C. detective controls D. preventive controls

A. corrective controls

______________ are mechanisms that keep an undesired action from happening, such as locked doors or computer access controls. A. preventive controls B. corrective controls C. secure systems D. detective controls

A. preventive controls

Phishing attack

An attempt to mimic a specific brand to get confidential info from users by tricking them

In the discussion reading "Creating and Maintaining a SOC", a system should be set up by the organization to ensure quick attention is paid to incidents. The system consists of two attributes: A. Priority and Impact B. Priority and Severity C. Importance and Impact D. Importance and Urgency

B. Priority and Severity

A common platform for capturing and analyzing log entries is ____________. A. Intrusion Detection System (IDS) B. Security Information and Event Management (SIEM) C. Loghost D. Firewall

B. Security Information and Event Management (SIEM)

A technique of matching network traffic with rules or signatures based on the appearance of the traffic and its relationship to other packets is called: A. Signature Matching B. Stateful Matching C. Anomaly Matching D. Traffic Level Matching

B. Stateful Matching

In an IT security assessment report, the _______________ provides a complete outline of potential threat sources and associated activities. A. summary B. system threat statement C. risk characterization D. system characterization

B. system threat statement

Which of the following is the LEAST likely method for conducting a security control assessment? A. Verify, inspect, or review assessment objects B. Allow an attacker to attempt to breach an assessment object C. Test assessment objects under specific conditions D. Discuss assessment objects with groups or individuals

B. Allow an attacker to attempt to breach an assessment object

Incorrectly identifying normal activity as abnormal is: A. False state B. False Positive C. Anomalistic D. False Negative

B. False Positive

Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring? A. Remote administration error B. False positive error C. Clipping error D. False negative error

B. False positive error

When analyzing threats, which of the following would be classified a low threat? A. A terrorist attack on a building in California B. Hurricane damage to an electrical generating facility in Iowa C. A social engineering attack on a Centers for Disease Control and Prevention lab D. A flood in a Florida data center

B. Hurricane damage to an electrical generating facility in Iowa

Which of the following terms defines a strategy in which you grant access that allows a user to complete assigned tasks and nothing else? A. Need to know B. Least privilege C. Separation of duties D. User clearance

B. Least privilege

Which of the following best describes corrective controls? A. The components, including people, information, and conditions, that support business objectives B. Mechanisms that repair damage caused by an undesired action and limit further damage C. Access control methods based on data classification and user clearance D. Access permissions based on roles, or groups, that allows object owners and administrators to grant access rights at their discretion

B. Mechanisms that repair damage caused by an undesired action and limit further damage

When performing a security assessment, which is the best choice for identifying communication paths and determining an Ethernet network's architecture? A. Port scanner B. Network discovery tool C. Vulnerability scanner D. Wireless scanner/sniffer

B. Network discovery tool

Which regulatory standard would NOT require audits of companies in the United States? A. Sarbanes-Oxley Act (SOX) B. Personal Information Protection and Electronic Documents Act (PIPEDA) C. Health Insurance Portability and Accountability Act (HIPAA) D. Payment Card Industry Data Security Standard (PCI DSS)

B. Personal Information Protection and Electronic Documents Act (PIPEDA)

A person wants to withdraw funds from a personal banking account. She presents a driver's license to the bank teller, but the teller doesn't believe the driver's license belongs to the customer. Which of the following provides guidance for addressing this situation? A. Payment Card Industry Data Security Standard (PCI DSS) B. Red Flags Rule C. Sarbanes-Oxley (SOX) Act D. Gramm-Leach-Bliley Act (GLBA)

B. Red Flags Rule

Which of the following describes what is examined in a Privilege Audit to guard against creeping privilege and access? A. Privacy data including PII and PHI B. Rights and privileges of users and groups C. Mandatory Access Control only D. Discretionary Access Controls only

B. Rights and privileges of users and groups

Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network? A. Transmission Control Protocol/Internet Protocol (TCP/IP) B. Secure Sockets Layer (SSL) C. Domain Name System (DNS) D. Dynamic Host Configuration Protocol (DHCP)

B. Secure Sockets Layer (SSL)

According to the Designing and Building Security Operations Center document you read, Log Management Systems should have all of the following attributes except: A. Large storage and back-up capabilities B. Security Incident and Event Management C. Have advanced search and reporting capabilities for auditors D. Long term protection and storage of complete raw event data

B. Security Incident and Event Management

You want to be able to identify the services running on a set of servers on your network. Which tool would best give you the information you need? A. Port Scanner B. Vulnerability Scanner C. OS Fingerprinter D. Network Mapper

B. Vulnerability Scanner

The plan for establishing the basic standard of system configurations and the management of configuration items is called __________. A. risk management B. baseline configuration management C. configuration control management D. configuration change control

B. baseline configuration management

In terms of Network Security Monitoring (NSM) versus Continuous Monitoring (CM), CM is more: A. threat-centric B. vulnerability centric C. Risk-centric D. reliability-centric

B. vulnerability centric

Commonly used log message formats include all of the following except: A. Syslog B. Windows Event Log C. Excel D. SNMP E. Database

C. Excel

What does SOX compliance and IS security have in common?

Both require internal controls

What is the Public Company Accounting Oversight Board (PCAOB)? A. A Department of Defense (DoD) information security strategy that ensures that DoD contractors follow federal regulations B. An act of Congress to recognize the importance of information security to United States interests and public company accountants C. An organization that provides oversight for public accounting firms and defines the process for compliance audits established by the Sarbanes-Oxley Act and oversees the rules that apply to publicly traded companies. D. Industry-created standards to prevent payment card theft and fraud and ensure that accounting companies follow the rules

C. An organization that provides oversight for public accounting firms and defines the process for compliance audits established by the Sarbanes-Oxley Act and oversees the rules that apply to publicly traded companies.

A hardened configuration is a system that has: A. Had unnecessary services enabled. B. Had necessary services disabled. C. Had unnecessary services disabled. D. Had optional services disabled.

C. Had unnecessary services disabled.

Which framework applies across the functions of a company, does not describe any IT controls, and is not prescriptive? A. COBIT B. Cybersecurity Framework C. COSO D. NIST 800-53

C. COSO

An IT auditor's finding is "The auditee had not established security protocols for controlling access through user names and passwords." Which category applies to this finding? A. Cause B. Impact C. Circumstance D. Criteria

C. Circumstance

You are banking online and a 3rd party sends out so much traffic to the bank's servers that you cannot access your bank. This type of attack is called: A. Exploits Attack B. Reconnaissance Attack C. DOS or DDOS Attack D. Password Attack E. Man in the Middle (MITM) Attack

C. DOS or DDOS Attack

You manage a firewall that connects your private network to the Internet. You would like to see a record of every packet that has been rejected by the firewall in the past month. Which tool should you use? A. Performance Monitor B. Diagnostic Tool C. Event Log D. Port Scanner

C. Event Log

You are banking online and a 3rd party communicates with you by impersonating your bank, and communicates with the bank by impersonating you, receiving all of the information transferred between you and the bank. You do not notice because the 3rd party interceptor is handling the communication with the bank and you believe you are talking directly to the bank. This type of attack is called: A. Reconnaissance Attack B. DOS and DDOS Attack C. Man in the Middle (MITM) Attack D. Exploits Attack E. Password Attack

C. Man in the Middle (MITM) Attack

Any activity designed to reduce the severity of a vulnerability or remove it altogether is called: A. Removal of risk B. Patching C. Mitigation D. Countermeasure

C. Mitigation

_____ is used when it's not as critical to detect and respond to incidents immediately. A. Automated monitoring B. Manual monitoring and log inspection C. Non-real-time monitoring D. Just-in-time monitoring

C. Non-real-time monitoring

You have verified that the servers are only running the necessary services, but you also want to make sure that the servers will not accept packets sent to those services. Which tool should you use? A. Vulnerability Scanner B. Network Mapper C. Port Scanner. D. Network Monitor

C. Port Scanner.

Consider the following: I. Which privacy laws apply to the organization? II. Are the organizational responsibilities defined and assigned? III. Are policies and procedures for creating, storing, and managing privacy data applied and followed? IV. Are specific controls implemented, and are compliance tasks being followed? All of the above questions specifically address a: A. Risk assessment B. Security assessment C. Privacy audit D. Privacy framework

C. Privacy audit

What's C&A?

Certification and accreditation - systems have to be certified before processing sensitive/classified info

Security testing that is based on knowledge of the application's design and source code is called: A. Greybox testing B. Blackbox testing C. Whitebox testing D. Penetration testing

C. Whitebox testing

Whereas ISO 27001 formally defines mandatory requirements for an information security management system (ISMS), ISO/IEC 27002 provides the ____________ within the ISMS. A. operational controls B. accounting controls C. information security controls D. auditing controls

C. information security controls

Who is Richard Scrushy?

CEO of Healthsouth Corp - the 1st company found non-compliant with SOX

Noncompliance with regulatory standards may result in which of the following? A. Brand damage B. Fines C. Imprisonment D. All of the above E. B and C only

D. All of the above

How does an IT audit differ from a security assessment? A. An audit focuses only on controls. B. A security assessment must be performed by an independent entity. C. An audit is always performed by an external entity. D. An audit follows a more rigid approach.

D. An audit follows a more rigid approach.

An intrusion detection system that compares current activity with stored profiles of normal (expected) activity is called: A. Host Based B. Pattern Based C. Rule Based D. Anomaly Based

D. Anomaly Based

Of the four elements that constitute an audit finding, which one provides a starting point from which the auditor can recommend a correction for the situation? A. Impact B. Criteria C. Circumstance D. Cause

D. Cause

An act of Congress to protect the financial information of consumer information held by financial agencies is the definition of: A. Payment Card Industry Data Security Standard (PCI DSS) B. Payment Card Industry Data Security Council (PCI DSC) C. Federal Information Security Management Act of 2002 (FISMA) D. Gramm-Leach-Bliley Act (GLBA)

D. Gramm-Leach-Bliley Act (GLBA)

DoDD 8570.01?

DoD Directives for DoD IA training, certification, and workforce management

The National Institute of Standards and Technology (NIST) has three IT security control categories. The following are controls in one of the categories: I. Personnel and user issues II. Contingency and disaster planning III. Incident response and handling IV. Awareness, training, and education V. Computer support and operations VI. Physical and environmental security The above controls are examples of which control category? A. Technical controls B. Management controls C. Infrastructure controls D. Operational controls

D. Operational controls

In an IT infrastructure, the end users' operating environment is called the _____________. A. User Domain B. System/Application Domain C. LAN Domain D. Workstation Domain

D. Workstation Domain

What are the 4 parts of the administrative simplification requirements of HIPAA?

Electronic transactions and code sets, security, unique identifiers, and privacy

Which of the following activities are typically associated with penetration testing? A. Hacking into the firewall configuration B. Running a port scanner C. Attempting social engineering D. Not informing senior management E. A&B F. B&C G. C&D

F. B&C

A health information organization is covered by the HIPAA privacy rule. T/F

False

What is a Server Side Include (SSI) attack?

Attackers exploit a web application by injecting scripts into HTML pages that use SSI, causing the injected code to be executed on the server before the web page loads. It can give the attacker access to confidential info such as passwords.

Typical Log Message types are Informational, Debug, Warning, Errors, & Alerts. If a rule in an intrusion detection system detects that packets have originated from an IP address that is known to be malicious the following type of log message would be generated: a. Informational b. Debug c. Warning d. Error e. Alert

e. Alert

A drawback of Host Based Intrusion Detection Systems (HIDs) is: a. Can't access the internal processes of the system b. Can't access the system logs c. Needs to be patched on a regular basis d. Unable to monitor encrypted traffic e. CPU and Memory Resource can be high

e. CPU and Memory Resource can be high

What info is protected under HIPAA?

individually identifiable health info regarding payment, health condition, and PII

It is important for health care companies to understand the __________ and its Privacy and Security rules. a. Sarbanes-Oxley (SOX) Act of 2002 b. Gramm-Leach-Bliley Act (GLBA) of 1999 c. Financial Accounting Act (FAA) of 1998 d. Health Insurance Portability and Accountability Act (HIPAA) of 1996

d. Health Insurance Portability and Accountability Act (HIPAA) of 1996

What 3 factors determine whether one must comply with HIPAA?

Electronic claims or equivalent encounter info, payment and remittance advice, claim status inquiries or responses, eligibility inquiries/responses, or referral authorization inquiries/responses

What's a PHP Remote File Include (RFI) attack?

It exploits one of the many vulnerabilities in web applications that use the Hypertext Preprocessor (PHP) scripting language: the ability to include and execute remote code

Which of the following caused Enron's collapse? a. A lack of skilled workers b. A downturn in the economy c. Bad investments d. An accounting scandal

d. An accounting scandal

The audit report provides the means of communicating the results of the audit. This effectively helps drive management to consider resources and appropriate steps to improve ____________ across the IT infrastructure. A. assessment B. gaps C. compliance D. controls

C. compliance

What 3 types of entities are impacted by HIPAA?

Covered entities, business associates (anyone that contracts with covered entities), and employers and sponsors of group health plans

Viruses and worms are risks from the Internet. If you purchase and install antivirus software before accessing the Internet, which of the following risk management strategies are you implementing? A. Sharing/Transference B. Avoidance C. Acceptance D. Control

D. Control

Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit? A. Is the level of security control suitable for the risk it addresses? B. Is the security control in the right place and working well? C. Is the security control effective in addressing the risk it was designed to address? D. Is the security control likely to become obsolete in the near future?

D. Is the security control likely to become obsolete in the near future?

Log messages are often parsed into small data elements such as timestamp, source and destination IP addresses, user and application information. One reason parsing log messages is useful is because: A. It compresses the size of log messages B. It is a form of de-duplication C. It is a form of message sanitization D. It enhances understanding of the log data E. It makes it easier for the IDS to process the data

D. It enhances understanding the log data

Which intrusion detection system strategy relies upon pattern matching? A. Behavior detection B. Traffic-based detection C. Statistical detection D. Signature detection

D. Signature detection

According to the article we read for discussion on NOC vs. SOC, both are responsible for identifying, investigating, prioritizing, escalating and resolving issues, but the types of issues and the impact they have are considerably different. Which of the following is true according to the article: A. The NOC handles incidents and alerts that affect security of information while the SOC focuses on security of the facility. B. The SOC's job is to meet service level agreements (SLAs) and manage incidents in a way that reduces downtime while the NOC's main role is to protect intellectual property and sensitive customer data. C. The SOC handles incidents and alerts that affect performance and availability while the NOC focuses on incidents and alerts that affect the security of information assets. D. The NOC handles incidents and alerts that affect performance and availability while the SOC focuses on incidents and alerts that affect the security of information assets.

D. The NOC handles incidents and alerts that affect performance and availability while the SOC focuses on incidents and alerts that affect the security of information assets.

DCID 6/3 vs DIACAP?

DCID (Director of Intelligence Directive) is for protecting sensitive info, whereas DIACAP is geared towards unclassified info

A common characteristic of signature based IDSs is that they: a. identify suspicious behavior b. are susceptible to false positives c. learn the normal traffic baseline d. use predefined rules e. can usually detect unknown attacks

d. use predefined rules

Which of the following is a collection of recorded data that may include details about logons, object access and other activities deemed important by your security policy that is often used to detect unwanted and unauthorized user activity? A. Audit Trail B. Performance Monitor C. Firewall D. Diagnostic Tool

A. Audit Trail

Which one of the following is true with regard to audits and assessments? A. Audits can result in blame being placed upon an individual. B. Assessments typically result in a pass or fail grade, whereas audits result in a list of recommendations to improve controls. C. An audit may be conducted independently of an organization, whereas internal IT staff always conducts an IT security assessment. D. Assessments are attributive and audits are not. E. An audit is typically a precursor to an assessment.

A. Audits can result in blame being placed upon an individual.

Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting? A. Black-box test B. White-box test C. Grey-box test D. Blue-box test

A. Black-box test

NIST pub 800-92's purpose is to provide: A. the DOD baseline requirements for workforce certifications appropriate for the equipment and software utilized B. practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise. C. a catalog of security controls for all U.S. federal information systems except those related to national security. D. federal agencies with recommended requirements for protecting the confidentiality of CUI (controlled unclassified information)

B. practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise.

Consider the following: I. Aligning risk appetite and strategy II. Enhancing risk response decisions III. Reducing operational surprises and losses IV. Identifying and managing multiple and cross-enterprise risks The above are all key components of: A. Generally Accepted Privacy Principles (GAPP) B. Enterprise risk management (ERM) C. Consensus Audit Guidelines (CAG) D. National Checklist Program (NCP)

B. Enterprise risk management (ERM)

Which of the following best describes Certification and Accreditation (C&A)? A. Builds upon the Health Insurance Portability and Accountability Act (HIPAA) by providing for increased enforcement and breach notification B. An audit of federal systems prior to being placed into a production environment C. A rule established by the Fair and Accurate Credit Transactions Act and implemented to prevent identity theft D. Actions or changes put in place to reduce a weakness or potential loss; also referred to as a countermeasure

B. An audit of federal systems prior to being placed into a production environment

Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in? A. Monitor B. Audit C. Improve D. Secure

B. Audit

Which department should take the lead in User Domain compliance accountability? A. Information technology B. Security C. Human resources D. Information security

C. Human resources

The following are examples of objectives: I. Examine the existence of relevant and appropriate security policies and procedures. II. Verify the existence of controls supporting the policies. III. Verify the effective implementation and ongoing monitoring of the controls. The above objectives are part of a(n) __________. A. risk assessment B. gap analysis C. IT audit D. compensating controls analysis

C. IT audit

Discretionary access control is based on: A. Supervisor Approval B. Need to Know C. Roles and Granted permissions D. User Discretion

C. Roles and Granted permissions

An audit examines whether security controls are appropriate, installed correctly, and ____________. A. Strategic to the organization's goals B. Cost Effective C. Addressing their purpose D. The latest technology

C. Addressing their purpose

Which of the following best describes a descriptive IT control? A. Helps standardize IT operations and tasks B. Provides a prescribed method for turning objectives into action C. Aligns IT with business goals D. Provides for governance at a specific level

C. Aligns IT with business goals

You suspect that your Web server has been the target of a denial of service attack. You would like to view information about the number of connections to the server over the past three days. Which log would you most likely examine? A. Firewall B. Monitoring C. Diagnostic D. Performance E. Port Scans

D. Performance

What is generally NOT a negative effect of noncompliance with regulations? A. Legal fees resulting from infringements contained within many regulations B. Brand damage and lost revenue as consumers abandon a business C. Negative effect upon stock price, hurting shareholder value D. Decreases in the cost of capital

D. Decreases in the cost of capital

Which law requires consent to disclose educational records other than directory information? A. Children's Internet Protection Act (CIPA) B. HITECH C. Federal Information Security Management Act (FISMA) D. Family Educational Rights and Privacy Act (FERPA)

D. Family Educational Rights and Privacy Act (FERPA)

You are interested in identifying the source of potential attacks that have recently been directed against your network but which have been successfully blocked. Which log would you check? A. Performance B. Diagnostic C. Monitoring D. Firewall E. Port Scans

D. Firewall

Which of the following is an approach for identifying security weaknesses within an organization and attempts to exploit vulnerabilities? A. Vulnerability scan B. Risk assessment C. Network scan D. Penetration test

D. Penetration test

Which of the following is not a category of IT security controls defined by NIST? A. Technical controls B. Operational controls C. Management controls D. Physical controls

D. Physical controls

The COSO enterprise risk management (ERM) framework consists of four objectives: strategic, operations, reporting, and compliance. Which objectives are typically within the control of an organization and are NOT influenced by external events? A. Compliance and operations B. Operations and reporting C. Strategic and operations D. Reporting and compliance

D. Reporting and compliance

Software and devices that assist in collecting, sorting, and analyzing the contents of log files are called a: A. Network Mapper B. Port Scanner C. Logging system D. SIEM

D. SIEM

Security assessments are grouped into different types. A _________________ provides an overall view of the information systems and is useful when examining across a broader scope. A. comprehensive security assessment B. security compliance assessment C. preproduction security assessment D. high-level security assessment

D. high-level security assessment

Consider the following: I. Weak passwords II. Inappropriate use of the Internet III. Inappropriate use of e-mail IV. Divulging confidential information The above items typically constitute employee security _________________ violations. A. procedure B. guideline C. standard D. policy

D. policy

DITSCAP vs DIACAP?

DIACAP (DoD Information Assurance Certification and Accreditation Process) replaces DITSCAP

_______ develops the configuration and validation requirements for IT products and services.

DISA

All of the following are true with regard to Intrusion Detection Systems and Audits except: A. Intrusion Detection Systems can be part of a Compliance Program B. Auditors should have some technical understanding of IDS technology C. Auditors need to understand how Intrusion Detection Systems work and how they will impact the audit D. Just like Firewalls and Routers, IDSs must be considered to be in the scope of an IT Audit E. Auditors must be able to configure Intrusion Detection Systems themselves

E. Auditors must be able to configure Intrusion Detection Systems themselves

A testing method that tries to exploit a weakness in the system to prove that an attacker could successfully gain access to it is called: A. Reconnaissance Test B. Man in the Middle (MITM) Test C. Exploits Test D. Password Hacking Test E. Penetration Test

E. Penetration Test

Effective Intrusion Detection is still a big challenge today because of all of the following contributing factors except: a. Widespread Market availability of Intrusion Detection Systems b. The internet was not designed with security in mind c. IDS's are mainly "vulnerability-centric" by design d. Intrusion Detection Systems tend to be mainly signature based e. Adversaries are changing tactics to evade detection

a. Widespread Market availability of Intrusion Detection Systems

In NSM the idea of "log preservation" refers to: a. log data should be stored in a database so that it can be preserved b. log data should not be altered in any way (especially if needed in court for evidence) c. log data should always be compressed before it is preserved d. log data should be enhanced with annotations in order to make them more readable

b. log data should not be altered in any way (especially if needed in court for evidence)

Business units in the Department of Defense (DoD) have auditing frameworks that: a. provide little guidance for government networks. b. provide baseline requirements and hardening guidelines that a government network must meet. c. guarantee that a government network cannot be compromised. d. only protect government networks from foreign attackers.

b. provide baseline requirements and hardening guidelines that a government network must meet.

Data de-duplication is: a. Detection Duplication of network data for analysis by an IDS b. A data inflation technique to allow for better log analysis c. A specialized data compression technique for eliminating copies of repeating data d. A method of removing duplicate copies of IP addresses in packet captures

c. A specialized data compression technique for eliminating copies of repeating data

The benefits of using automated audit reporting tools include all of the following except: a. Simplify Compliance b. Meet Compliance Regulations c. Don't require special purpose software d. Identify Security Incidents e. Diagnose/prevent operational problems

c. Don't require special purpose software

Which of the following types of Network Information System Tools tells us how our network is handling traffic flow? a. Port Scanning Tools b. Monitoring Tools c. Performance Tools d. Diagnostic Tools

c. Performance Tools

In terms of Network Security Monitoring (NSM) versus Continuous Monitoring (CM), NSM is more: a. Risk-centric b. threat-centric c. vulnerability centric d. reliability-centric

c. vulnerability centric

Danielle recently set up a new domain for her small business. Which of the following serves as the Internet's equivalent of a phone book and maintains a directory of website names and translates them into Internet Protocol (IP) addresses? A. Domain Name System (DNS) B. Secure Sockets Layer (SSL) C. Transmission Control Protocol/Internet Protocol (TCP/IP) D. Dynamic Host Configuration Protocol (DHCP)

A. Domain Name System (DNS)

An attacker continually scans for new, unprotected systems and exploits such systems to gain control of them. Which of the SANS Critical Security Controls is primarily affected? A. Inventory of authorized and unauthorized devices B. Inventory of authorized and unauthorized software C. Continuous vulnerability assessment and remediation D. Malware defenses

A. Inventory of authorized and unauthorized devices

During an IT audit, the auditor finds that individuals cannot obtain the company's privacy policies. Which privacy principle is most affected? A. Notice B. Quality C. Choice and consent D. Security for privacy

A. Notice

The auditing feature of an operating system serves as what form of control when users are informed that their actions are being monitored? A. Preventive B. Operational C. Technical D. Detective E. Corrective

A. Preventive

Parsing log messages allows you to gain a greater understanding of your log data because you can work with the piece parts of the log message for detailed analysis. All of the following could be useful attributes to extract from log messages except: A. Font size of message B. Timestamp C. Source and Destination IP addresses D. User information E. Application information

A. Font size of message

Using tools to determine the layout and services running on an organization's systems and networks is called: A. Operating system fingerprinting B. Network mapping C. Stateful Matching D. Penetration testing

B. Network mapping

A large financial organization wants to outsource its payroll function. Which of the following should the financial organization ensure the payroll company has? A. ISO/IEC 27002 certification B. Service Organization Control (SOC) Report 1 C. NIST 800-53 certification D. ISACA certification

B. Service Organization Control (SOC) Report 1

All of the following are common logging mistakes except: a. Not Logging at All b. Not Looking at Log Data c. Storing for Too Long a Time Period d. Prioritizing before Collection e. Ignoring Application Logs f. Only Looking for Known Bad Entries

c. Storing for Too Long a Time Period

An audit helps the organization determine how: a. to improve efficiency. b. to reduce costs. c. well an organization is adhering to its security policies. d. to secure its financial future.

c. well an organization is adhering to its security policies.

Which of the following statements is true regarding security assessments as compared to audits? a. In general, security assessments are less technical, less focused, and less targeted than an audit. b. Security assessments are generally less technical, but more focused and more targeted than an audit. c. Security assessments are generally more technical, but less focused and less targeted than an audit. d. In general, security assessments are more technical, more focused, and, in the case of penetration testing, more targeted than an audit.

d. In general, security assessments are more technical, more focused, and, in the case of penetration testing, more targeted than an audit.

Which of the following statements is true? a. The term "Network Security Monitoring" (NSM) predates "Intrusion Detection" (IDS), but NSM is considered to be a component of modern Intrusion Detection Systems. b. The term "Network Security Monitoring" (NSM) predates "Intrusion Detection" (IDS), and Intrusion Detection is considered to be a component of modern NSM. c. The term "Intrusion Detection" predates "Network Security Monitoring" (NSM), and NSM is considered to be a component of modern Intrusion Detection Systems. d. The term "Intrusion Detection" predates "Network Security Monitoring" (NSM), but Intrusion Detection is considered to be a component of modern NSM.

d. The term "Intrusion Detection" predates "Network Security Monitoring" (NSM), but Intrusion Detection is considered to be a component of modern NSM.

When collecting network logs, you will find that many systems on the network have different logging systems and formats. In order to consolidate these disparate logs into a common format, the process of _____________________ is utilized: a. preservation b. de-duplication c. filtering d. normalization e. sanitization

d. normalization
