Test 2 Multiple Choice
Alice has completed a cost-benefit analysis (CBA) of recommended countermeasures. For a specific risk, four countermeasures have been recommended. How can Alice use the CBA to choose the countermeasure to recommend?
Choose the countermeasure with the highest countermeasure value.
The National Institute of Standards and Technology (NIST) publishes SP 800-53. This document describes a variety of IT security controls, such as access control, incident response, and configuration management. Controls are grouped into families. Which NIST control family helps an organization recover from failures and disasters?
Contingency Planning (CP)
What are the steps of a business continuity plan (BCP)?
Identify scope, identify key business areas, identify critical functions, identify dependencies between key business areas and critical functions, determine acceptable downtime, and create a plan to maintain operations
Which approach to firewall rules starts off by blocking all traffic and then adding rules to allow approved traffic?
Implicit deny
Which of the following is not true of the WAN Domain of a typical IT infrastructure?
Internal-facing servers are configured in the demilitarized zone between two firewalls.
Kyle works for the IT department. He is working in the asset management system. He is assigning the relevant IT infrastructure domain to each asset. Which is the best domain to assign to elements used to connect systems and servers together, such as hubs, switches, and routers?
LAN domain
All of the following are reasons why configuration management is an important risk management process, except:
it reduces unintended outages.
In a risk assessment, which of the following refers to how responsibilities are assigned?
management structure
What might occur if you do not include the scope when defining the risk assessment?
missed deadline
Email addresses or domains ______________ are automatically marked as spam.
on a blacklist
All of the following would be specified in a password policy, except:
password management
__________ provide the detailed steps needed to carry out ___________.
procedures, policies
In a SQL injection attack, an attacker can:
read sections of a database or a whole database without authorization.
Which of the following is not a common classification of data?
risk
__________ is the biggest problem you can face if you do not identify the scope of your risk management project.
scope creep
Functionality testing is primarily used with:
software development
Piggybacking is also known as:
tailgating
System logs and audit trails are a type of __________ control.
technical
The actual methods used to protect against data loss are __________ controls, but the program that identifies which data to protect is a ___________ control.
technical, procedural
Which tool is most commonly used to prioritize mitigation efforts?
Threat likelihood/impact matrix
Why is process analysis performed?
To determine if vulnerabilities exist in the process
A technician in a large corporation fixes a printer that was not receiving an IP address automatically by manually assigning it an address. The address was assigned to a server that was offline and being upgraded. When the server was brought online, it was no longer accessible. How could this problem have been avoided?
change management
Which of the following is not a way that you can measure the value of a system when determining if the system requires five nines?
confidentiality
Bob is the project manager for his company's security countermeasure implementation project. Michael informs Bob that task #12 (implementing a failover cluster) will not finish on time. Because task #12 is on the project's __________, Bob knows that the project will not complete on time and sets up a meeting to inform the stakeholders.
critical path
You have created a risk assessment and management has approved it. What do you do next?
Create a risk mitigation plan
An access control such as a firewall or intrusion prevention system cannot protect against which of the following?
social engineering
The Remote Access Domain of a typical IT infrastructure allows __________ to access the ________ network.
remote users, private
_____________ value is the cost to purchase a new asset in place of an existing asset.
replacement
A __________ grants the authority to perform an action on a system. A __________ grants access to a resource.
right, permission
Health Insurance Portability and Accountability Act (HIPAA) fines for mistakes can be as high as __________ a year.
25k
Wen is performing a cost-benefit analysis (CBA). He needs to determine whether the organization should move workloads from the in-house data center to the cloud. The projected benefit is $50,000. The cost of the control is $1,500. What is the control value?
48,500
What is a transaction in a database?
A group of statements that either succeed or fail as a whole
What is a whitelist?
A list of approved email addresses or domains
Ideally, when should you perform threat modeling?
Before writing an application or deploying a system
Which of the following is not a true statement about AES?
AES is the primary asymmetric encryption protocol used today.
Carl is a risk specialist. He has determined the laws and regulations with which his organization must comply. What must he do next?
Determine the impact of these laws and regulations on the organization.
What are overlapping countermeasures?
Different countermeasures that attempt to mitigate the same risk
Tonya has been asked to research compliance and then provide a report to upper management. Management wants to know what the organization must do to comply with a regulation that protects the privacy of citizens in the European Union. Which of the following will Tonya research?
GDPR
MAO is sometimes referred to as:
MTPOD
After being fired, an employee becomes disgruntled. The managers never disabled his login information, and his best friend still works at the company. The disgruntled employee gives his friend his login information for the company's private network and convinces the friend to delete important files from the company's database. You are confused when you review the audit logs and see that the disgruntled employee has been logging in from within the office every day for the past week. What has been lost in this scenario?
Nonrepudiation
You plan to perform a vulnerability assessment on your company's servers. You know that your assessment may simulate the effects of a denial of service (DoS) attack for a brief period of time. What is the most important task to complete before you perform the assessment?
Obtain written permission from the proper authority.
What is the primary tool used to ensure countermeasures are implemented?
POAM
An exploit assessment is also known as a(n):
Pen Test
Isabella is a risk management specialist for her organization. She is training Arturo, a new hire, on aspects of risk management. Arturo asks her what factors he should consider when assigning a value to an asset. Which of the following does Isabella tell him is the least useful?
Qualitative Risk Assessment
________ help(s) prevent a hard drive from being a single point of failure. __________ help(s) prevent a server from being a single point of failure. _________ help(s) prevent a person from being a single point of failure.
RAID, Failover clusters, Cross-training
Which of the following is not a valuable area of consideration when defining the scope of a risk management project?
The MAO for servers
Alice is a security professional. While writing a risk assessment report, she is defining what the current email system does. She is using statements such as "Accepting email from external email servers and routing to internal clients" and "Scanning all email attachments and removing malware." Which of the following is she most likely defining?
The mission of the system
What characteristic is common to risk assessments and threat assessments?
They are both performed for a specific time
What is the purpose of a risk mitigation plan?
To implement countermeasures
Why is system testing performed?
To test individual systems for vulnerabilities
What process generally causes a plan of action and milestones (POAM) to expand?
Transforming the risk assessment into a risk mitigation plan
Which of the following terms is best defined as a weakness?
Vulnerability
Which of the following is most likely to describe how to perform test restores?
a backup plan
A warm site is:
a compromise between a hot site and a cold site
At what point in the risk mitigation process should you identify and analyze threats and vulnerabilities to your organization?
after you identify assets
You book a hotel online, and the registration process is clear and streamlined. This is an example of a(n) ______________ process that has _______________.
automated, high value to customers
A ___________ plan can help ensure that mission-critical systems continue to function after a disaster.
business continuity
A business impact analysis (BIA) is an important part of a _____________, and it can also be part of a __________.
business continuity plan, disaster recovery plan
Which of the following is not something to consider when determining the value of an asset?
departmental ownership
A ___________ plan can help you identify steps needed to restore a failed system.
disaster recovery
Aditya is assessing the value of IT systems. His company sells sporting goods online. One factor of his evaluation is the required availability of each system. Some systems must be available 24/7, while others must be available during regular business hours Monday through Friday. Which of the following would have the highest availability requirements?
e-commerce website server
Which of the following is not one of the three primary objectives of controls?
eliminate
A(n) ____________ assessment attempts to identify vulnerabilities that can be exploited.
exploit
Which of the following is not a common category of control implementation?
functional
According to the Sarbanes-Oxley Act (SOX), who in an organization must verify and attest to the accuracy of financial data as a matter of legal compliance?
high-level officers
According to the World Intellectual Property Organization (WIPO), the two categories of intellectual property (IP) are _______________ and _______________.
industrial property, copyright
Another term for data range and reasonableness checks is:
input validation
Bonding is a type of __________ that covers against losses by theft, fraud, or dishonesty.
insurance
Which of the following is an important element of following up on a risk mitigation plan?
Ensuring that security gaps are closed
You receive an email from someone named Bob in the IT department who needs to access your login information for a scheduled internal vulnerability assessment. You know an assessment is taking place because your manager notified your group last week. Normally, you wouldn't give your password or other login information to anybody, but doing so seems appropriate in this situation. Which of the following could be taking place?
social engineering
The primary risks associated with the User Domain of a typical IT infrastructure are related to:
social engineering.
Scaling _______ means that you increase resources to a server, and scaling _______ means that you add additional servers.
up, out
A __________ consists of multiple servers using ______________.
web farm, network load balancing