Information Security Ch. 1-6, 9
Denial of service (DoS) attacks are larger in scope than distributed denial of service (DDoS) attacks.
False
Passphrases are less secure than passwords.
False
Which element of the security policy framework offers suggestions rather than mandatory actions?
Guideline
Which one of the following is NOT a good technique for performing authentication of an end user?
Identification Number
What is the correct order of steps in the change control process?
Request, impact assessment, approval, build/test, implement, monitor
Authentication controls include passwords and personal identification numbers (PINs)
True
Rootkits are malicious software programs designed to be hidden from normal methods of detection.
True
Which one of the following is the best example of an authorization control?
Access Control Lists
Which action is the best step to protect Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements?
Applying security updates promptly
Which type of attack involves the creation of some deception in order to trick unsuspecting users?
Fabrication
Which one of the following is an example of a direct cost that might result from a business disruption?
Facility Repair
Which of the following is an example of a hardware security control?
MAC filtering
What is NOT a commonly used endpoint security technique?
Network Firewall
Which one of the following is an example of a logical access control?
Password
Which approach to cryptography provides the strongest theoretical protection?
Quantum cryptography
Which of the following is NOT one of the four fundamental principles outlined by the Internet Society that will drive the success of Internet of Things (IoT) innovation?
Secure
Bring Your Own Device (BYOD) opens the door to considerable security issues.
True
Cars that have Wi-Fi access and onboard computers require software patches and upgrades from the manufacturer.
True
The recovery point objective (RPO) is the maximum amount of data loss that is acceptable.
True
The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation?
13
Matthew captures traffic on his network and notices connections using ports 20, 22, 23, and 80. Which port normally hosts a protocol that uses secure, encrypted connections?
22
Juan's web server was down for an entire day last September. It experienced no other downtime during that month. Which one of the following represents the web server uptime for that month?
96.67%
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?
Acceptability
Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?
Accountability
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?
Alice's private key
During which phase of the access control process does the system answer the question, "What can the requestor access?"
Authorization
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?
Authorization
Which password attack is typically used specifically against password files that contain cryptographic hashes?
Birthday Attacks
Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?
Bring Your Own Device (BYOD)
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
Business continuity plan (BCP)
Which information security objective allows trusted entities to endorse information?
Certification
Which activity manages the baseline settings for a system or device?
Configuration control
What is NOT a common endpoint for a virtual private network (VPN) connection used for remote network access?
Content Filter
In Mobile IP, what term describes a device that would like to communicate with a mobile node (MN)?
Correspondent node (CN)
Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?
Crossover error rate (CER)
Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?
Data ownership
Which technology can be used to protect the privacy rights of individuals and simultaneously allow organizations to analyze data in aggregate?
Deidentification
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
Discretionary access control (DAC)
Which risk is most effectively mitigated by an upstream Internet service provider (ISP)?
Distributed denial of service (DDoS)
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?
Enforcing the integrity of computer-based information
What is the first step in a disaster recovery effort?
Ensure that everyone is safe.
Which one of the following is an example of a disclosure threat?
Espionage
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?
Evil Twin
A VPN router is a security appliance that is used to filter IP packets.
False
A dictionary password attack is a type of attack in which one person, program, or computer disguises itself as another person, program, or computer to gain access to some resource.
False
A remediation liaison makes sure all personnel are aware of and comply with an organization's policies.
False
A rootkit uses a directed broadcast to create a flood of network traffic for the victim computer.
False
A security policy is a comparison of the security controls you have in place and the controls you need in order to address all identified threats.
False
Authorization controls include biometric devices.
False
Bricks-and-mortar stores are completely obsolete now.
False
Certification is the formal agreement by an authorizing official to accept the risk of implementing a system.
False
Configuration changes can be made at any time during a system life cycle and no process is required.
False
Connectivity is one of the five critical challenges that the Internet of Things (IoT) has to overcome.
False
Cryptographic key distribution is typically done by phone.
False
Cryptography is the process of transforming data from cleartext into ciphertext.
False
Hypertext Transfer Protocol (HTTP) encrypts data transfers between secure browsers and secure web pages.
False
In a known-plaintext attack (KPA), the cryptanalyst has access only to a segment of encrypted data, and has no choice as to what that data might be.
False
In the Remote Access Domain, if private data or confidential data is compromised remotely, you should set automatic blocking for attempted logon retries.
False
Mandatory vacations minimize risk by rotating employees among various systems or duties.
False
Regarding the Internet of Things (IoT), a business involved in utilities, critical infrastructure, or environmental services can benefit from traffic-monitoring applications.
False
Service-level agreements (SLAs) are optical backbone trunks for private optical backbone networks.
False
Terminal Access Controller Access Control System Plus (TACACS+) is an authentication server that uses client and user configuration files.
False
The Sarbanes-Oxley (SOX) Act requires all types of financial institutions to protect customers' private financial information.
False
The main difference between a virus and a worm is that a virus does not need a host program to infect.
False
The number of failed logon attempts that trigger an account action is called an audit logon event.
False
The term "data owner" refers to the person or group that manages an IT infrastructure.
False
Vishing is a type of wireless network attack.
False
Voice pattern biometrics are accurate for authentication because voices can't easily be replicated by computer software.
False
Wardialers are becoming more frequently used given the rise of Voice over IP (VoIP).
False
What compliance regulation applies specifically to the educational records maintained by schools about students?
Family Education Rights and Privacy Act (FERPA)
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?
Formatting
Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to health care providers?
HIPPA
Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)?
Health Monitoring
Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet?
Internet Engineering Task Force
Which network device is capable of blocking network connections that are identified as potentially malicious?
Intrusion prevention system (IPS)
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?
Kerberos
Which of the following is NOT a benefit of cloud computing to organizations?
Lower dependence on outside vendors
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Memorandum of understanding (MOU)
What level of technology infrastructure should you expect to find in a cold site alternative data center facility?
No technology infrastructure
Beth must purchase firewalls for several network circuits used by her organization. Which one circuit will have the highest possible network throughput?
OC-12
Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time?
Online Certificate Status Protocol (OCSP)
Which type of authentication includes smart cards?
Ownership
Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?
Parallel Test
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
Phising
Which one of the following is NOT an advantage of biometric systems?
Physical characteristics may change
Which element of the security policy framework requires approval from upper management and applies to the entire organization?
Policy
Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking?
Project initiation and planning
Which group is the most likely target of a social engineering attack?
Receptionists and administrative assistants
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
Recovery time objective (RTO)
Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?
Redundant Array of Independent Disks (RAID)
George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?
Risk Management Guide for Information Technology Systems (NIST SP800-30)
Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register?
Risk survey results
Which scenario presents a unique challenge for developers of mobile applications?
Selecting multiple items from a list
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
Separation of duties
In which type of attack does the attacker attempt to take over an existing connection between two systems?
Session Hikacking
Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?
Software as a Service (SaaS)
Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place?
Spim
Which one of the following is an advantage that the Internet of Things (IoT) brings to economic development for countries?
Technical and industry development
Which one of the following is NOT an example of store-and-forward messaging?
Telephone call
Which term describes an action that can damage or compromise an asset?
Threat
What type of malicious software masquerades as legitimate software to entice the user to run it?
Trojan Horse
A birthday attack is a type of cryptographic attack that is used to make brute-force attack of one-way hashes easier.
True
A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing.
True
A keyword mixed alphabet cipher uses a cipher alphabet that consists of a keyword, minus duplicates, followed by the remaining letters of the alphabet.
True
A man-in-the-middle attack takes advantage of the multihop process used by many types of networks.
True
A person demonstrates anonymity when posting information to a web discussion site without authorities knowing who he or she is.
True
A phishing email is a fake or bogus email intended to trick the recipient into clicking on an embedded URL link or opening an email attachment.
True
A smart card is a token shaped like a credit card that contains one or more microprocessor chips that accept, store, and send information through a reader.
True
A successful change control program should include the following elements to ensure the quality of the change control process: peer review, documentation, and back-out plans.
True
A trusted operating systems (TOS) provides features that satisfy specific government requirements for security.
True
Common methods used to identify a user to a system include username, smart card, and biometrics.
True
Company-related classifications are not standard, therefore, there may be some differences between the terms "private" and "confidential" in different companies.
True
Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it.
True
Devices that combine the capabilities of mobile phones and personal digital assistants (PDAs) are commonly called smartphones.
True
E-commerce systems and applications demand strict confidentiality, integrity, and availability (CIA) security controls.
True
Fingerprints, palm prints, and retina scans are types of biometrics.
True
For businesses and organizations under recent compliance laws, data classification standards typically include private, confidential, internal use only, and public domain categories.
True
In e-business, secure web applications are one of the critical security controls that each organization must implement to reduce risk.
True
IoT technology has a significant impact on developing economies, given that it can transform countries into e-commerce-ready nations.
True
Log files are records that detail who logged on to a system, when they logged on, and what information or resources they used.
True
Networks, routers, and equipment require continuous monitoring and management to keep wide area network (WAN) service available.
True
One advantage of using a security management firm for security monitoring and is that it has a high level of expertise.
True
Organizations should start defining their IT security policy framework by defining an asset classification policy
True
Policies that cover data management should cover transitions throughout the data life cycle.
True
Screen locks are a form of endpoint device security control.
True
Social engineering is deceiving or using people to get around security controls.
True
Some vending machines are equipped with a cellular phone network antenna for secure credit card transaction processing.
True
The Diffie-Hellman (DHE) algorithm is the basis for several common key exchange protocols, including Diffie-Hellman in Ephemeral mode (DHE) and Elliptic Curve DHE (ECDHE).
True
The Gramm-Leach-Bliley Act (GLBA) addresses information security concerns in the financial industry.
True
The System/Application Domain holds all the mission-critical systems, applications, and data.
True
The business impact analysis (BIA) identifies the resources for which a business continuity plan (BCP) is necessary.
True
The director of IT security is generally in charge of ensuring that the Workstation Domain conforms to policy.
True
The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege.
True
The most critical aspect of a WAN services contract is how the service provider supplies troubleshooting, network management, and security management services.
True
The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks.
True
The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks.
True
Using Mobile IP, users can move between segments on a local area network (LAN) and stay connected without interruption.
True
When servers need operating system upgrades or patches, administrators take them offline intentionally so they can perform the necessary work without risking malicious attacks.
True
With proactive change management, management initiates the change to achieve a desired goal.
True
What is NOT an effective key distribution method for plaintext encryption keys?
Unencrypted email
An attacker attempting to break into a facility pulls the fire alarm to distract the security guard manning an entry point. Which type of social engineering attack is the attacker using?
Urgency
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?
White-hat hacker
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
security kernel
Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?
typosquatting
