computers Finals quiz questions

Using monoalphabetic substitution with a passcode the plain text: "HOPE" was encrypted into "LSTI". Therefore, which one is the passcode employed?

4

Among the terms below, which one is a process within internal environment monitoring task of the security maintenance model? Select one: difference analysis remediation risk assessment data collection detecting differences

difference analysis

The acronym PCI DSS relates to which of the following terms? Select one or more: Copyright laws Rainbow tables Prevention of buffer overruns Electronic payment using credit cards Protect cardholder data

electronic Payment using credit cards Protect Cardholder data.

Associate the categories to the examples of aspects that can be changed in the implementation of a new information security system. encryption firewalls training classification policies servers

encryption → software, firewalls → hardware, training → people, classification → data, policies → procedures, servers → hardware

In an information security environment a software was changed from version A to version B. Considering the following options of version numbering (values of A and B) below, you need to indicate which kind of change has occurred. from A numbered 5.3.2 to B numbered 5.5.2 from A numbered 3.7.3 to B numbered 3.7.4 from A numbered 4.5.1 to B numbered 4.6.1 from A numbered 1.2.5 to B numbered 3.2.6 from A numbered 8.3.1 to B numbered 8.11.4 from A numbered 2.4.2 to B numbered 3.4.1

from A numbered 5.3.2 to B numbered 5.5.2 → There was a minor release change, from A numbered 3.7.3 to B numbered 3.7.4 → There was a build change, from A numbered 4.5.1 to B numbered 4.6.1 → There was a minor release change, from A numbered 1.2.5 to B numbered 3.2.6 → There was a major release change, from A numbered 8.3.1 to B numbered 8.11.4 → There was a minor release change, from A numbered 2.4.2 to B numbered 3.4.1 → There was a major release change

Which of the following options is NOT a fire suppression system? Select one: water mist systems gaseous emission systems humid-pipe systems wet-pipe systems dry-pipe systems

humid-pipe systems

What critical characteristics of information defines an attribute of information that describes how data is whole, complete, and uncorrupted? Select one: consistency integrity authenticity reliability utility

integrity

What kind of method is the Caesar Cipher? Select one: polyalphabetic substitution monoalphabetic substitution exclusive OR polyalphabetic transposition monoalphabetic transposition

monoalphabetic substitution

What kind of cipher method is the Vigenere Cipher with password? Select one: polyalphabetic substitution exclusive OR monoalphabetic transposition polyalphabetic transposition monoalphabetic substitution

polyalphabetic substitution

Which of the attacks listed below can be identified as social engineering? Select one or more: pretexting ransonware phishing privilege escalation spear phishing

pretexting phishing spear phishing

What is called a description of a project's features, capabilities, functions, and quality level, used as the basis of a project plan? Select one: organizational feasibility considerations priority considerations request for proposal gap analysis project scope

project scope

Associate the correlated terms with respect to Implementation, Monitoring, and Assessment of Risk Controls. metrics-based measures process-based measures

quantitative assessment, qualitative assessment

Among the options below, mark the ones that ARE NOT critical characteristics of information according to the textbook author. Select one or more: accuracy authenticity availability confidentiality integrity possession utility reliability rarity vulnerability

reliability rarity vulnerability

How is called the amount of risk an organization is willing to accept? Select one: Risk Appetite Residual Risk Disclosed Risk Tolerated Risk Uncontrolled Risk

risk appetite

Which of the options below is(are) lattice-based access control? (mark all correct options) Select one or more: asset-based access controls attribute-based access controls task-based access controls subject-based access controls role-based access controls Feedback

role-based access controls, task-based access controls, attribute-based access controls

Mark all options below that ARE internal control strategies mentioned in the textbook. Select one or more: garden leave separation of duties two-person control least privilege task rotation

separation of duties, two-person control, task rotation, least privilege, garden leave

Organize the different levels of Information Security Plannings from the higher to the lowest level of abstraction. Medium level of abstraction Lower level of abstraction Higher level of abstraction

tactical planning operational planning stratigic planning

Associate the following tasks to control levels in security architecture. Intrusion detection and prevention systems Risk management VPN Firewall Incident response Disaster recovery

technical control manageril control technical control technical control operational control operational control

Despite the TVA triples being the basic information to build a TVA worksheet, there are only two dimensions in a TVA worksheet. Which are the two dimensions (rows and columns) of a TVA worksheet? Select one: tasks - vulnerabilities tasks - assets assets - vulnerabilities threats - assets threats - vulnerabilities

threats - assets

What of the following options better characterize the difference between "de facto standard" and "de jure standard"? Select one: "De jure standard" and "De facto standard" are synonyms. "De jure standard" is enforced by the organization management, while "De facto standard" is enforced by a governmental agency. "De jure standard" is enforced by a governmental agency, while "De facto standard" is enforced by the organization management. "De jure standard" is just a guideline, while "De facto standard" is more like an enforced policy. "De jure standard" is ratified by a formal standard organization, while "De facto standard" is informally adopted by a public group.

"De jure standard" is ratified by a formal standard organization, while "De facto standard" is informally adopted by a public group.

Associate the appropriate firewall kind that act over each OSI layer.

The correct answer is: Layer 7 → Application layer firewall, Layer 6 → Application layer firewall, Layer 5 → Application layer firewall, Layer 4 → SPI or Packet filtering firewall, Layer 3 → SPI or Packet filtering firewall, Layer 2 → MAC firewall, Layer 1 → MAC firewall

Which of the following statements related to penetration testing are TRUE? Select one or more: "Penetration testing" is a technique to simulate an attack to physical security devices, as outside doors or fences. "Penetration test" is a form of vulnerability test that is performed from outside the organization. "Penetration test" is also called "pen test". "Penetration test" is a sophisticated form of vulnerability testing. There are two kinds of penetration tests: the "white box" testing and the "black box" testing.

"Penetration test" is also called "pen test"., "Penetration test" is a sophisticated form of vulnerability testing., "Penetration test" is a form of vulnerability test that is performed from outside the organization., There are two kinds of penetration tests: the "white box" testing and the "black box" testing.

The term "Sunset Clause" in the information security domain relates to which of the following options? Select one: A component of a policy that defines an expected start date for its applicability. A component of a policy that defines an expected end date for its applicability. A threat to information assets that happens due to a shortage of electric power. A component of a policy only applicable within a specified time frame close to the end of the policy applicability. A component of a policy that does not apply within a specified time frame close to the end of the policy applicability.

A component of a policy that defines an expected end date for its applicability

Considering the cost-benefit analysis, what is the relation between ALE and ARO? Select one: ALE and ARO are not related. ALE and ARO are synonyms. ALE is one of the components to compute ARO. ARO is one of the components to compute ALE. ARO is not important to Cost Benefit Analysis. ALE is not important to Cost Benefit Analysis. Neither ALE, nor ARO are important to Cost Benefit Analysis.

ARO is one of the components to compute ALE

A contingency plan is the appropriate response to which kind of event? Select one: Disaster Cyberterrorism Incident Password break Adverse event

Adverse event

What is the difference between vulnerability and exposure? Select one: None, they are synonyms. Vulnerabilities are caused by users. Exposures are caused by administrators. An exposure is a vulnerability known to an attacker. Vulnerability is the probability of an unwanted occurrence. An exposure is the probability of a known risk. Vulnerability and exposure are two completely different and unrelated terms.

An exposure is a vulnerability known to an attacker.

Which of the following options is a better match to the concepts of "Access Control Matrix"? Select one: A synonym of Capability Table, a specification of an organization's users and the information assets that may access. A table with all known treats and their counter measures. A synonym of Access Control List, a specification of an organization's information assets and the users that may access and use it. An integration of Access Control Lists and Capability Tables. A table with all known vulnerabilities and their counter measures.

An integration of Access Control Lists and Capability Tables

Which of the following options is a better match to the concepts of "Access Control Matrix"? Select one: A table with all known vulnerabilities and their counter measures. An integration of Access Control Lists and Capability Tables. A synonym of Access Control List, a specification of an organization's information assets and the users that may access and use it. A synonym of Capability Table, a specification of an organization's users and the information assets that may access. A table with all known treats and their counter measures.

An integration of Access Control Lists and Capability Tables.

Biometric devices are mostly used in which of the access control mechanisms? Select one: Auditability Identification Authorization Authentication Accountability

Authentication

Which of the following definitions concerning critical characteristics of information is NOT accurate, according to our textbook? Select one: The utility of information is the quality or state of having value given a purpose or an end. The possession of information is the quality or state of ownership or control, independent of its format or its other characteristics. Authenticity of information is the quality or state of being genuine, or original. Actually, authenticity of information is the quality or state of being genuine, or original, rather than a reproduction or fabrication. Therefore, the definition stated in this option is fairly correct. Information has accuracy when it is free from mistakes or errors and has the value that the user expects. Information has confidentiality when it is protected from disclosure or exposure to unauthorized entities. Availability enables the access to information in the required format. Information has integrity when it is whole, complete, and uncorrupted in any way.

Availability enables the access to information in the required format. Or Authenticity of information is the quality or state of being genuine, or original. Actually, authenticity of information is the quality or state of being genuine, or original, rather than a reproduction or fabrication. Therefore, the definition stated in this option is fairly correct.

Concerning recovery times after an event causing organization's system unavailability, it is possible to affirm that: The maximum tolerable downtime minus the work recovery time is equal to: Select one: The mean time to recover The recovery point objective The recovery time to normal operation The recovery time objective The mean time between failures

The recovery time objective

Mark all options that are TRUE concerning dictionary attacks. Select one or more: Dictionary attacks are expedite brute force attacks against password. Despite the denomination "attack", dictionary attacks are actually a form of defense mechanism to cope with password exposures. Dictionary attacks are attempts to change the dictionary tables of the DNS - Domain Name Server - in order to impersonate web pages. Dictionary attacks are unrelated to DNS tables. Dictionary attacks may only occur when there is a communication interception.

Dictionary attacks are expedite brute force attacks against password. and Dictionary attacks are unrelated to DNS tables.

Which among the options below is NOT a conversion strategy? Select one: Phased implementation Parallel operations Pilot implementation Bull's eye model Direct changeover

Bull's eye model

Associate the certifications with the offering certification provider. CISM C|CISO ISSAP GISP SC+ CGEIT CISSP SAP Security+

CISM → ISACA, C|CISO → EC Council, ISSAP → (ISC)2, GISP → SANS, SC+ → not a security certification, CGEIT → ISACA, CISSP → (ISC)2, SAP → not a security certification, Security+ → CompTIA

Among the options below what can be said about certification and accreditation? Select one: Accreditation is the evaluation of a system, usually in order to achieve its certification. Certification is the evaluation of a system, usually in order to achieve its accreditation. Accreditation is always unrelated to certification. Certification is the authorization of a system, usually in order to achieve its accreditation. Accreditation is the authorization of a system, usually in order to achieve its certification.

Certification is the evaluation of a system, usually in order to achieve its accreditation.

Associate the types of attacks with the categories of threats to establish the better possible match. Copyright Infringement Jailbreaking Phishing Cyberterrorism Trojan Horses Command Injection

Copyright infringement: Compromises to intellectual property Jailbreaking: espionage and treason Phishing: human error or failure Cyberterrorism: sabatoge or vandilism Trojan Horses: Software attacks Command Injection: Technological software failures or errors

Mark all statements that are TRUE among the options below. Select one or more: Ethics is a code of principles related to an individual, never to a group, while laws are related to a group, never to an individual. Cultural mores are the customs of a given group, therefore, the ethics of an individual within this group tends to be based on such customs. The key difference between laws and ethics is that ethics does not carry the authority of a governing body, and laws do. Laws are intended to balance the needs of a society against the individual rights to self-determination. Inside a specific organization laws and ethics are synonyms.

Cultural mores are the customs of a given group, therefore, the ethics of an individual within this group tends to be based on such customs. The key difference between laws and ethics is that ethics does not carry the authority of a governing body, and laws do. Laws are intended to balance the needs of a society against the individual rights to self-determination.

Among the options below, what is the best definition of DMZ? Select one: Demilitarized Zone - a part of the network that is outside firewall protection Device Mobility Zone - a firewall specifically designed to filter communication with mobile devices Demilitarized Zone - a firewall used on military systems to connect with untrusted networks outside military jurisdiction Datagram MAC address Zone - a MAC layer firewall that filters datagram packages Device Mobility Zone - a portion of a trusted network where mobile devices are allowed to connect without using a firewall Datagram MAC address Zone - a portion of a trusted network where a MAC layer firewall filters datagram packages

Demilitarized Zone - a part of the network that is outside firewall protection

How is called the legal standard that requires a prudent organization and its employees to act legally and ethically and know the consequences of their actions? Select one: ethic mores due diligence due care organizational laws cultural mores

Due Care

Which of the sentences below is NOT TRUE? Select one: Dumpster diving is a sort of attack that profits from failures to comply with clean desk policy. Dumpster diving is an attack that involves searching through a target organization's trash and recycling bins for sensitive information, therefore, it is a kind of attack that always involves physical objects. Dumpster diving is a sort of attack that can be successful even towards an organization that does not violate clean desk policies. Dumpster diving is a sort of attack that can potentially compromise information security of an organization. Dumpster diving is a sort of information security attack that can potentially embarrass a company.

Dumpster diving is an attack that involves searching through a target organization's trash and recycling bins for sensitive information, therefore, it is a kind of attack that always involves physical objects.

Which among the options below are categories of threat according to our textbook? Select one or more: Espionage or trespass Shoulder surfing Technical Software failures Spoofing Compromises to Intellectual Property Technical Hardware failures Information Extortion Theft Dictionary attacks Brute force

Espionage or trespass Technical Software failures Compromises to Intellectual Property Technical Hardware failures Information Extortion Theft

The definition below is best suitable for which of the following terms? "The codes or principles of a particular group that define acceptable behavior." Select one: Policies Laws Due care Ethics Cultural mores Feedback Your answer is correct.

Ethics

A table of hash values and their corresponding plaintext values that can be used to look up IP addresses encrypted is called Rainbow Table by hackers and the general information security community. Is this sentence true or false? Select one: True False

False

According to the textbook, is this sentence true or false? Estimated capital expenses should be taken into account within WBS, but noncapital expenses should be considered outside WBS.

False

Dictionary attacks are attempts to change the dictionary tables of the DNS - Domain Name Server - in order to impersonate web pages. Is this sentence true or false? Select one: True False

False

Is the following sentence true or false? The Freedom of Information Act allows any person to request access to, and have the access granted by, any federal agencies records or information, regardless of its status Select one: True False

False

Is the sentence below true or false? The U.S. Computer Emergency Readiness Team is a division of the U.S. Secret Service focused on information security and response. Select one: True False

False

Is the sentence below true or false? Proximity readers are used with mechanical locks.

False

Is the sentence below true or false? The loss of a mobile device can represent a threat to individuals, but not to organizations.

False

According to our textbook, which is the biggest category of threat among the following options: Select one: Human Error or Failure Forces of Nature Technical Hardware Failures or Errors Software Attacks Espionage or Trespass

Human Error or Failure

Tailgate is a form to bypass which kind(s) of major physical security control (mark all options that apply)? Select one or more: ID cards and badges Dogs Firewalls Locks and keys Walls, fencing, and gates

ID cards and badges

Which among the options below is NOT an usual trigger for alarms for physical security controls? Select one: ID detectors Contact and weight sensors Motion detectors Thermal detectors Vibration sensors

ID detectors

Concerning access control mechanisms, how is called the action responsible to verify that the supplicant is a user of the system? Select one: Accountability Identification Authorization Authentication Auditability

Identification

Concerning access control mechanisms, how is called the action responsible to verify that the supplicant is a user of the system? Select one: Authentication Accountability Identification Authorization Auditability

Identification

In the context of protocols for secure communications, specifically IPSec, what is the basic difference between "tunnel mode" and "transport mode"? Select one: In tunnel mode IP packet data are encrypted, while in transport modes they are not. There are not differences, the terms are synonyms. In transport mode IP packet data are encrypted, while in tunnel modes they are not. In transport mode IP packet headers are encrypted, while in tunnel modes they are not. In tunnel mode IP packet headers are encrypted, while in transport modes they are not.

In tunnel mode IP packet headers are encrypted, while in transport modes they are not.

NIST's security approach and the ISO/IEC 27000 series are examples of? Select one: Information Security Laws Information Security Frameworks Information Security Policies Information Security Models Information Security Guidelines

Information Security Models

Paul writes an encrypted message to Ringo and send him both the message and the key. Ringo uses the key to read Paul's message that says: "I want Yoko to get back to where she belongs". In the meantime, John intercept the encrypted message, tries to read it, but since he did not get the key, nor was able to break the code, he is unable to read it. So, John asks George to break the encrypted message. George breaks the encryption and passes the message to John: "Paul wants Yoko to get back to where she belongs". In this fictional tale, what kind of process each of the characters have used (be careful, two or more characters may have used the same process)? John- George- Paul- Yoko- Ringo-

John → cryptanalysis - decryption, George → cryptanalysis - decryption, Paul → cryptography - encryption, Yoko → none of the options, Ringo → cryptography - decryption

The Social Contract by Jean-Jacques Rousseau is one the writing works that establish that the balance between individual rights and the needs of society is defined by: Select one: Laws Ethics Jurisdiction Restitution Cultural mores

Laws

Associate the definition with the correct type of law. Laws concerning the relationships and conflicts between organizations and people. Laws addressing activities and conduct harmful to society.

Laws concerning the relationships and conflicts between organizations and people.: civil Law Laws addressing activities and conduct harmful to society. : Criminal law

In which phase of the SDLC water model the security blueprint is developed? Select one: Investigation Implementation Logical Design Analysis Physical Design

Logical Design

What is expressed as the product of the Attack success Probability and the Likelihood? Select one: Loss Frequency Residual Risk Probable Loss Loss Magnitude Uncertainty

Loss Frequency

Among the terms below, which one is the best synonym for Asset Exposure? Select one: Residual risk Vulnerability of an asset Unknown threat Uncontrolled risk Loss magnitude

Loss magnitude

Which of the following option(s) is(are) TRUE about mantrap in the context of physical information security? Select one or more: Mantraps are designed to restrain a person who fails an access authorization attempt. Mantrap is a physical lock that may rely on either a key or numerical combination. Mantrap is a confined space with separate entry and exit doors. Mantrap is an alarm sensor designed to detect movement within a defined space. Mantrap is an alarm sensor designed to detect a rate of change in the ambient temperature within a defined space.

Mantraps are designed to restrain a person who fails an access authorization attempt., Mantrap is a confined space with separate entry and exit doors.

Which one of the options below is a graphical representation of the architectural approach widely used in computer and information security? Select one: Metcalfe Cube McCumber Cube Rubik's Cube Waterfall Model SDLC Model

McCumber Cube

Classify, from the higher to the lower level of harmfulness, the classes of events that threat continuity in an organization's information security perspective

Medium level → Incident, Higher level → Disaster, Lower level → Adverse event

Which of the following careers ar usual paths towards an IS job? Select one or more: Education Military Civil engineering Law enforcement Information technology

Military, Law enforcement, Information technology

What is the method that maps IP addresses used outside the trusted network into IP addresses to be used inside the trusted network? Select one: DMZ Packet-filtering routers PAT Bastion Hosts NAT

NAT

What is the basic difference between the terms "decipher" and "decrypt"? Select one: Decipher is an algorithmic process, while decrypt can also be made manually. Decrypt is an algorithmic process, while decipher can also be made manually. Decrypt is a decipher process implemented by a computer system. None, those terms are synonyms. Decipher is a decrypt process implemented by a computer system.

None, those terms are synonyms.

The development of culture of change falls into which kind of information security system implementation aspect? Select one: Accreditation ones Certification ones Nontechnical ones Technical ones Bull's eye model ones

Nontechnical ones

Which is the best definition of "Information Asset" among the following options: Select one: Organized or structured data that has value for an organization. Raw numbers, facts and words produced by an organization. Raw numbers, facts and words collected by an organization. Organized or structured data that has value for an organization, as well as, the systems that house them. Organized or structured data known by an organization.

Organized or structured data that has value for an organization, as well as, the systems that house them.

Which kind of firewall has PAT? Select one: PAT are not used in any kind of firewall MAC firewalls VPN firewalls Packet filtering firewalls Application firewalls

Packet Filtering Firewalls

Among the following examples of attacks, mark those that may be indubitably linked to acquisition to information aiming for "identity theft". Select one or more:

Phishing attacks. Pretexting attacks

Organize the phases of the waterfall methodology Physical Design Implementation Logical Design Analysis Maintenance and Change Investigation

Physical Design: Fourth Implementation: Fifth Logical Design: third Analysis: second Maintenance and Change: sixth Investigation: first

What information security term is defined by the sentence below? "The protection of physical objects or areas from misuse and unauthorized access." Select one: Physical control Physical security Physical risk avoidance Physical risk management Physical insurance

Physical security

Which of the following phases of the implementation of information security systems includes a gap analysis? Select one: Project wrap-up Plan execution Training Champion Financial consideration

Plan execution

The term "information aggregation" is best defined by which of the following options? Select one: The hacking technique to produce public data by the aggregation of private data from different sources. An aggregated law intended to prevent privacy threats to information security. The effort to gather information about a given individual or group in order to comply with privacy laws. Collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group. Portions of public data that can be combined to generate information that should not be public.

Portions of Public Data that can be combined to generate information that should not be public.

Among the options below, which one is the consequence of triboelectrification? Select one: Humidity Static electricity Grounding Power failure Electromagnetic radiation

Static Electricity

The term "information aggregation" is best defined by which of the following options? Select one: An aggregated law intended to prevent privacy threats to information security. Collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group. The effort to gather information about a given individual or group in order to comply with privacy laws. Portions of public data that can be combined to generate information that should not be public. The hacking technique to produce public data by the aggregation of private data from different sources.

Portions of public data that can be combined to generate information that should not be public.

Mark all options below that are not OSI layers. Select one or more: Presentation Session VPN Data link Protocol Firewall Transport Application Internet Physical Network

Protocol, Firewall, VPN

What are Digital Certificates (mark all options that are TRUE)? Select one or more: A third party that operates under the trusted collaboration of the certificate authority to provide digital signatures. A third party that generates public keys. A third party that handles day-to-day certification functions. A third party that generates private keys. Public-key containers that allow key validation and user ownership.

Public-key containers that allow key validation and user ownership

How is called the amount of risk an organization is willing to accept? Select one: Risk Appetite Uncontrolled Risk Disclosed Risk Tolerated Risk Residual Risk

Risk Appetite

Mark all of the following terms that ARE NOT one of the steps of Risk Management? Select one or more: Risk Assessment Risk Strategy Risk Identification Risk Inventory Risk Control

Risk Strategy Risk Inventory

Which among the following terms does NOT refer to a hacker? Select one: Script Kiddie Rooting Packet Monkey Penetration Tester Expert Hacker

Rooting

Which among the following terms does NOT refer to a hacker? Select one: Packet Monkey Script Kiddie Expert Hacker Rooting Penetration Tester

Rooting: Packet moneky,script kiddie, expert hacker, and pentration tester is all names of hackers.

Among the options below, which one you believe is the key difference between Bastion host firewalls and Screened host firewalls? Select one: Screened host firewalls provide NAT to the trusted network machines, while Bastion host firewalls do not provide NAT. Bastion host firewalls provide NAT to the untrusted network machines, while Screened host firewalls do not NAT access. Bastion host firewalls provide NAT to the trusted network machines, while Screened host firewalls do not provide NAT. Bastion host firewalls provide proxy access to the untrusted network machines, while Screened host firewalls do not provide proxy access. Screened host firewalls provide NAT to the untrusted network machines, while Bastion host firewalls do not provide NAT. Screened host firewalls provide proxy access to the trusted network machines, while Bastion host firewalls do not provide proxy access. Screened host firewalls provide proxy access to the untrusted network machines, while Bastion host firewalls do not provide proxy access. Bastion host firewalls provide proxy access to the trusted network machines, while Screened host firewalls do not provide proxy access.

Screened host firewalls provide proxy access to the trusted network machines, while Bastion host firewalls do not provide proxy access

What are the five elements of BIA? Mark all TRUE options, and leave false options unmarked. Select one or more: Determine the Scope Know the objective Elaborate a Plan Identify Recover Priorities Determine Mission Follow-up Identify Resource Requirements Balance

Select one or more: Determine the Scope Know the objective Elaborate a Plan Follow-up Balance

Mark if those sentences are ture or false. Steganography is a form of cryptography that hides message within pictures and graphics, therefore, it is, like Vigenere cipher, a substitution cipher method. Cryptography has been used at least for the last 3900 years. Permutation cipher, unlike substitution cipher, is based on rearranging the values within a block according to an established pattern to create ciphertext.

Steganography is a form of cryptography that hides message within pictures and graphics, therefore, it is, like Vigenere cipher, a substitution cipher method. → False, Cryptography has been used at least for the last 3900 years. → True, Permutation cipher, unlike substitution cipher, is based on rearranging the values within a block according to an established pattern to create ciphertext. → True

What is the basic characteristic of symmetric encryption that distinguished it from asymmetric encryption? Select one: In symmetric encryption it is necessary a symmetric set of a private key and a public key. Symmetric encryption does not require a private key. Symmetric encryption requires the availability of PKI to properly work. Symmetric encryption uses just one key. Symmetric encryption use keys of a power of two size (16, 32, 64, ..., 4096).

Symmetric encryption uses just one key.

Which of the following ARE basic cryptographic algorithms categories? Select one or more: Book cipher Asymmetric encryption Hybrid system Diffie-Hellman key exchange Symmetric encryption

Symmetric encryption, Asymmetric encryption

An employee of an organization has violated the information security policy of his/her company by using a private memory stick in his/her organization's workstation, resulting in the spread of a computer virus in the organization's network. Which possible class of component of ISSP has this employee violated? Mark the more likely option among the options below. Select one: Prohibited use of equipment System management Limitations of liability Policy review and modification Statement of policy

System management

According to the Bull's Eye Model, what is the right order to proceed the implementation of a new information security system? Systems Policies Networks Applications

Systems → third, Policies → first, Networks → second, Applications → fourth

Which among the options below is NOT a correctly stated concern about IS staff employment policies and practices? Select one: Interviews shouldn't disclosure too much information to avoid the creation of a threat. Background checks should include a character analysis, and not only identity, education, and credentials check. On-the-job security training should include security awareness. New hire orientation should introduce the new employee to the organization culture and workflow. Termination procedures should include an inventory of offices and information used by the employee only if the termination is considered hostile departure.

Termination procedures should include an inventory of offices and information used by the employee only if the termination is considered hostile departure.

With respect to the C.I.A. triangle, mark the TRUE statement among the options below. Select one: The C.I.A. triangle is an information security protocol established by the Central Intelligence Agency during the cold war. The C.I.A. triangle terminology is outdated, because Confidentiality is no longer a concern in modern information systems. The first version of the C.I.A. triangle was proposed during World War II with the efforts to decode the ENIGMA machine. The C.I.A. triangle has been the standard for computer security in both industry and government since the development of the mainframe. The C.I.A. triangle terminology is outdated, because Availability is no longer a concern in modern information systems.

The C.I.A. triangle has been the standard for computer security in both industry and government since the development of the mainframe.

Between the CIO and CISO what can be said? Select one: The CISO never reports to the CIO. The CISO does not belong to the senior management. The CIO does not belong to the senior management. The CIO usually reports directly to the CISO. The CISO usually reports directly to the CIO.

The CISO usually reports directly to the CIO.

Mark the sentences below that are TRUE AND RELATED to Rand Report R-609. Select one or more: With the advent of the Internet the Rand Report R-609 became obsolete and have been replaced by a new protocol called SDLC. The Rand Report R-609 was public released in the 70's. All recommendations within Rand Report R-609 were formulated by a task force formed by ARPA. With the advent of the Personal Computers (PCs) the Rand Report R-609 became obsolete and have been replaced by a new protocol called SDLC. Rand Report R-609 was the first widely recognized published document to identify the role of management and policies issues in computer security.

The Rand Report R-609 was public released in the 70's. All recommendations within Rand Report R-609 were formulated by a task force formed by ARPA. Rand Report R-609 was the first widely recognized published document to identify the role of management and policies issues in computer security.

Mark all the TRUE statements below. Select one or more: The bottom-up approach for security implementation has the disadvantage to lack participant support. The bottom-up approach for security implementation starts with the technical staff. The highest probability of success in top-down approaches is because it is based on a strong technical knowledge. top-down approaches a likely to succeed, but not for technical reasons. The bottom-up approach for security implementation begins as a grassroots effort. The key advantage for bottom-up approaches for security implementation relies on the technical competence of the system administrators. The bottom-up approach for security implementation starts with the CIO (Chief Information Officer).

The bottom-up approach for security implementation has the disadvantage to lack participant support The bottom-up approach for security implementation begins as a grassroots effort.

What is the main difference between "chain of custody" and "chain of evidence"? Select one: Chain of custody is the detailed documentation of a digital crime scene, while chain of evidence is the collection of digital evidences to presentation in court. Chain of custody is a digital forensic methodology, while chain of evidence is an evidentiary procedure. Chain of evidence is a digital forensic methodology, while chain of custody is an evidentiary procedure. Chain of evidence is the detailed documentation of a digital crime scene, while chain of custody is the collection of digital evidences to presentation in court. There is no difference between these terms. They are synonyms.

There is no difference between these terms. They are synonyms.

Mark all of the following terms that ARE NOT a risk control strategy? Select one or more: Termination Training Defense Education Transfer Mitigation Acceptance

Training Education

The User Datagram Protocol operates at which level of the OSI layers? Select one: Presentation Application Session Network Transport

Transport

According to our textbook, is this sentence true or false? A resilient change culture can be either cultivated or undermined by management's approach.

True

Is the sentence below true or false? The key difference between laws and ethics is that ethics does not carry the authority of a governing body, and laws do. Select one: True False

True

Is the sentence below true or false? Guard dogs have better sense of smell and hearing than humans, so they are able to detect intrusions that cannot be detected by their human counterparts.

True

Is the sentence below true or false? Plenum is a liability for standard interior walls, but not for firewalls.

True

Vulnerability is a potential weakness in an information asset or its defensive control system(s). Is this sentence true or false? Select one: True False

True

Concerning VPNs, mark all the TRUE sentences below. Select one or more: VPNs are use to securely exchange messages through unsecured networks. VPNs require virtual passwords. VPNs are a sophisticated form of firewall. VPNs provide proxy servers. VPNs use cryptography. VPNs provide data encapsulation

VPNs use cryptography., VPNs are use to securely exchange messages through unsecured networks., VPNs provide data encapsulation.

Which among the options below is NOT one of the main tasks of security maintenance model? Select one: External monitoring Internal monitoring Vulnerability database Planning and risk assessment Readiness and review

Vulnerability database

In the context of security maintenance model, what means "war game"? Select one: "War game" is a type of rehearsal intended to create a first superficial test of the security environment. "War game" is a digital forensic technique to recreate a successful attack in order to analyze its consequences. The term "war game" does not exists in the context of security maintenance model. "War game" is a type of rehearsal intended to create a realistic test environment. "War game" is a digital forensic technique to recreate an unsuccessful attack in order to analyze its consequences.

War game" is a type of rehearsal intended to create a realistic test environment.

In a given organization there were three information assets (X, Y, and Z) with the following characteristics: Information asset X likelihood of an attack: 40% Information asset X attack success probability: 50% Information asset X value: $ 200K Information asset X probable loss: 20% Uncertainty related to information asset X: 10 % Information asset Y likelihood of an attack: 20% Information asset Y attack success probability: 75% Information asset Y value: $ 300K Information asset Y probable loss: 15% Uncertainty related to information asset Y: 10 % Information asset Z likelihood of an attack: 50% Information asset Z attack success probability: 60% Information asset Z value: $ 400K Information asset Z probable loss: 5% Uncertainty related to information asset Z: 10 % Given those parameters what can be said about risk assessment of those three information assets? What information asset has the greater risk altogether? Answer 1Choose...All information assets have equal valuesInformation assets X and Y have equal values, superior to ZInformation assets X and Z have equal values, superior to YInformation asset YInformation asset XInformation asset ZInformation assets Y and Z have equal values, superior to X What information asset has the greater loss frequency? Answer 2Choose...All information assets have equal valuesInformation assets X and Y have equal values, superior to ZInformation assets X and Z have equal values, superior to YInformation asset YInformation asset XInformation asset ZInformation assets Y and Z have equal values, superior to X What information asset has the greater loss magnitude? Answer 3Choose...All information assets have equal valuesInformation assets X and Y have equal values, superior to ZInformation assets X and Z have equal values, superior to YInformation asset YInformation asset XInformation asset ZInformation assets Y and Z have equal values, superior to X

What information asset has the greater risk altogether? → Information asset X, What information asset has the greater loss frequency? → Information asset Z, What information asset has the greater loss magnitude? → Information asset Y

Software piracy is a violation of intellectual property when you perform how many of three of the following actions: (i) duplication, (ii) installation, and (iii) distribution of copyrighted computer software? Select one: When you perform any one of those three actions. Only when you perform all of those three actions. None of these three actions relates to violation of intellectual property. When you perform at least two of those three actions. None of those three actions implies in violation, the violation only occurs when you acquire economic gains from these actions.

When you perform any one of those three actions.

In a given organization there were three information assets (X, Y, and Z) with the following characteristics: Information asset X likelihood of an attack: 25% Information asset X attack success probability: 40% Information asset X value: $ 60K Information asset X probable loss: 10% Uncertainty related to information asset X: 10 % Information asset Y likelihood of an attack: 60% Information asset Y attack success probability: 30% Information asset Y value: $ 100K Information asset Y probable loss: 5% Uncertainty related to information asset Y: 10 % Information asset Z likelihood of an attack: 15% Information asset Z attack success probability: 70% Information asset Z value: $ 80K Information asset Z probable loss: 8% Uncertainty related to information asset Z: 10 % Given those parameters what can be said about risk assessment of those three information assets? What information asset has the greater loss magnitude? Answer 1Choose...All information assets have equal valuesInformation asset ZInformation asset YInformation asset XInformation assets Y and Z have equal values, superior to XInformation assets X and Z have equal values, superior to YInformation assets X and Y have equal values, superior to Z What information asset has the greater loss frequency? Answer 2Choose...All information assets have equal valuesInformation asset ZInformation asset YInformation asset XInformation assets Y and Z have equal values, superior to XInformation assets X and Z have equal values, superior to YInformation assets X and Y have equal values, superior to Z What information asset has the greater risk altogether?

Your answer is incorrect. Applying the risk formula at page 258 of our textbook (5th edition) we obtain the following values: Loss Frequency of information asset X: 10% Loss Frequency of Information asset Y: 12% Loss Frequency of Information asset Z: 10.5% Loss Magnitude of Information asset X: $ 6K Loss Magnitude of Information asset Y: $ 5K Loss Magnitude of Information asset Z: $ 6.4K Risk for Information asset X: $ 0.7 K Risk for Information asset Y: $ 0.7 K Risk for Information asset Z: $ 0.77 K The correct answer is: What information asset has the greater loss magnitude? → Information asset X, What information asset has the greater loss frequency? → Information asset Y, What information asset has the greater risk altogether? → Information asset Z

Among the options below mark those that are part of the WBS? Select one or more: start and end dates of tasks dependencies among tasks skill sets to perform tasks amount of resources to complete the tasks estimated expenses for the tasks

amount of resources to complete the tasks, dependencies among tasks, skill sets to perform tasks, start and end dates of tasks, estimated expenses for the tasks