382Quiz
What is NOT a good practice for developing strong professional ethics?
Assume that information should be free
Which type of attack involves the creation of some deception in order to trick unsuspecting users?
Fabrication
Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore?
2
Matthew captures traffic on his network and notices connections using ports 20, 22, 23, and 80. Which port normally hosts a protocol that uses secure, encrypted connections?
22
Which activity manages the baseline settings for a system or device?
Configuration control
What is NOT a goal of information security awareness programs?
Punish users who violate policy
Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis?
Qualitative
Which scenario presents a unique challenge for developers of mobile applications?
Selecting multiple items from a list
Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?
Separation of duties
Which term describes any action that could damage an asset?
Threat
Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?
Is the security control likely to become obsolete in the near future?
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?
Kerberos
Which of the following is NOT a benefit of cloud computing to organizations?
Lower dependence on outside vendors
When should an organization's managers have an opportunity to respond to the findings in an audit?
Managers should include their responses to the draft audit report in the final audit report.
Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need?
Mantraps
Which one of the following measures the average amount of time that it takes to repair a system, application, or component?
Mean time to repair (MTTR)
Which mitigation plan is most appropriate to limit the risk of unauthorized access to workstations?
Password protection
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
Recovery time objective (RTO)
Which activity is an auditor least likely to conduct during the information-gathering phase of an audit?
Report Writing
What term describes the risk that exists after an organization has performed all planned countermeasures and controls?
Residual risk
Which item is an auditor least likely to review during a system controls audit?
Resumes of system administrators
Which formula is typically used to describe the components of information security risks?
Risk = Threat × Vulnerability
Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?
Security information and event management (SIEM)
From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)?
Security risks will increase.
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
Service level agreement (SLA)
Which intrusion detection system strategy relies upon pattern matching?
Signature detection
As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct?
Simulation test
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?
System integrity monitoring
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make this type of classification decision?
Threat
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
security kernel
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
separation of duties
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)?
$2,000,000
Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service?
80
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?
Does the firewall properly block unsolicited network connection attempts?
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?
Acceptability
Mark is considering outsourcing security functions to a third-party provider. What benefit is he most likely to achieve?
Access to a high level of expertise
Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?
Accountability
During which phase of the access control process does the system answer the question, "What can the requestor access?"
Authorization
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?
Authorization
In an accreditation process, who has the authority to approve a system for implementation?
Authorizing official (AO)
Which security model does NOT protect the integrity of information?
Bell-LaPadula
Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?
Checklist
What information should an auditor share with the client during an exit interview?
Details on major issues
What is a key principle of risk management programs?
Don't spend more to protect an asset than it is worth.
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?
Enforcing the integrity of computer-based information
What is the first step in a disaster recovery effort?
Ensure that everyone is safe.
Which one of the following is an example of a disclosure threat?
Espionage
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?
Formatting
Which one of the following is NOT a market driver for the Internet of Things (IoT)?
Global adoption of non-IP networking
With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network?
Home agent (HA)
Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity?
Incident
Which network device is capable of blocking network connections that are identified as potentially malicious?
Intrusion prevention system (IPS)
Which of the following would NOT be considered in the scope of organizational compliance efforts?
Laws
Which type of denial of service attack exploits the existence of software flaws to disrupt a service?
Logic attack
Which of the following is an example of a hardware security control?
MAC filtering
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Memorandum of understanding (MOU)
Which one of the following is an example of a reactive disaster recovery control?
Moving to a warm site
Which security testing activity uses tools that scan for services running on systems?
Network mapping
Gwen's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Gwen should implement before accepting credit card transactions?
Payment Card Industry Data Security Standard (PCI DSS)
Which regulatory standard would NOT require audits of companies in the United States?
Personal Information Protection and Electronic Documents Act (PIPEDA)
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
Phishing
Which one of the following is NOT an advantage of biometric systems?
Physical characteristics may change.
Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take?
Reduce
Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?
Redundant Array of Independent Disks (RAID)
What is the correct order of steps in the change control process?
Request, impact assessment, approval, build/test, implement, monitor
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request?
SOC 3
Which one of the following principles is NOT a component of the Biba integrity model?
Subjects cannot change objects that have a lower integrity level.
Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer?
Supervisory Control and Data Acquisition (SCADA)
What is NOT generally a section in an audit report?
System configurations
Which one of the following is NOT an example of store-and-forward messaging?
Telephone call
Which one of the following is NOT a commonly accepted best practice for password security?
Use at least 6 alphanumeric characters
Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?
Vulnerability
Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime?
Warm site
Forensics and incident response are examples of __________ controls.
corrective
A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime.
disaster
Which one of the following is an example of two-factor authentication?
Smart card and PIN
Purchasing an insurance policy is an example of the ____________ risk management strategy.
transfer
Juan's web server was down for an entire day last September. It experienced no other downtime during that month. Which one of the following represents the web server uptime for that month?
96.67%
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?
An organization should share its information.
Which action is the best step to protect Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements?
Applying security updates promptly
Which security control is most helpful in protecting against eavesdropping on wireless LAN (WLAN) data transmissions that would jeopardize confidentiality?
Applying strong encryption
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?
Audit
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Baseline
Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting?
Black-box test
Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?
Bring Your Own Device (BYOD)
Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring?
False positive error
Rachel is investigating an information security incident that took place at the high school where she works. She suspects that students may have broken into the student records system and altered their grades. If correct, which one of the tenets of information security did this attack violate?
Integrity
Which Internet of Things (IoT) challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion?
Interoperability
What term describes the longest period of time that a business can survive without a particular critical system?
Maximum tolerable downtime (MTD)
Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales?
Opportunity cost
Which type of authentication includes smart cards?
Ownership
Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?
Parallel test
Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed?
Preventive
Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
Project initiation and planning
Which tool can capture the packets transmitted between systems over a network?
Protocol analyzer
Which data source comes first in the order of volatility when conducting a forensic investigation?
RAM
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?
SSL
What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?
Security Assertion Markup Language (SAML)
Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?
Software as a Service (SaaS)
Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place?
Spim
Which term describes an action that can damage or compromise an asset?
Threat
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?
Waterfall
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?
White-hat hacker
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?
$20,000
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor?
20 percent
Tony is working with a law enforcement agency to place a wiretap pursuant to a legitimate court order. The wiretap will monitor communications without making any modifications. What type of wiretap is Tony placing?
Passive wiretap
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?
Brute-force
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
Business continuity plan (BCP)
Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?
Crossover error rate (CER)
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
Discretionary access control (DAC)
Which risk is most effectively mitigated by an upstream Internet service provider (ISP)?
Distributed denial of service (DDoS)
Which one of the following is an example of a direct cost that might result from a business disruption?
Facility repair
Bob recently accepted a position as the information security and compliance manager for a medical practice. Which regulation is likely to most directly apply to Bob's employer?
Health Insurance Portability and Accountability Act (HIPAA)
Which recovery site option provides readiness in minutes to hours?
Hot site
What is a set of concepts and policies for managing IT infrastructure, development, and operations?
IT Infrastructure Library (ITIL)
Which one of the following is an example of a logical access control?
Password
Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?
Prudent
Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register?
Risk survey results
In what type of attack does the attacker send unauthorized commands directly to a database?
SQL injection
Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?
Warm site