Prepare for Exam 1 Security
The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege
True
The primary task of an organization's ___________ team is to control access to systems or resources. a. Management b. Security administration c. Compliance liaison d. Software development
b. Security administration
System life cycle (SLC)
A method used in systems engineering to describe the phases of a system's existence, including design, development, deployment, operation, and disposal
Compliance liaison
A person whose responsibility it is to ensure that employees are aware of and comply with an organization's security policies.
Business Continuity Plan
A plan that contains the actions needed to keep critical business processes running after a disruption is called a __________.
Disaster Recovery Plan
A plan that details the steps to recover from a major disruption and restore the infrastructure necessary for normal business operations is a __________.
Clean desk/clear screen policy
A policy stating that users must never leave sensitive information in plain view on an unattended desk or workstation.
Vulnerability testing
A process of finding the weaknesses in a system and determining which places may be attack points.
Operating system fingerprinting
A reconnaissance technique that enables an attacker to use port mapping to learn which operating system and version is running on a computer
False
A report indicating that a system's disk is 80 percent full is a good indication that something is wrong with that system
Waterfall model
A software development model that defines how development activities progress from one distinct phase to the next.
True
An auditing benchmark is the standard by which a system is compared to determine whether it is securely configured.
Procedures do NOT reduce mistakes in a crisis
False
Regarding log monitoring, false negatives are alerts that seem malicious but are not real security events.
False
Regarding security controls, the four most common permission levels are poor, permissive, prudent, and paranoid.
False
Risk refers to the amount of harm a threat exploiting a vulnerability can cause.
False
Terminal Access Controller Access Control System Plus (TACACS+) is an authentication server that uses client and user configuration files.
False
Charles has obtained a user/password database and will attempt to crack the passwords. The passwords are hashed (encrypted). Charles has a huge list of precomputed hashes to compare to the encrypted passwords to see if he gets any matches. This password cracking technique utilizes:
Rainbow Tables
Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?
Redundant Array of Independent Disks (RAID)
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
Separation of duties
True
The primary steps to disaster recovery include the safety of individuals, containing the damage, and assessing the damage and beginning the recovery operations. t/f
Configuration control
The process of controlling changes to items that have been baselined.
Change control
The process of managing changes to computer/device configuration or application software.
Wardialers are becoming more frequently used given the rise of Voice over IP (VoIP).
False
system configurations
What is NOT generally a section in an audit report?
SSL
Which VPN technology allows users to initiate connections over the Web?
Report writing
Which activity is an auditor least likely to conduct during the information-gathering phase of an audit?
Configuration Control
Which activity manages the baseline settings for a system or device?
Memorandum of Understanding (MOU)
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Fuzzing
Which software testing method provides random input to see how software handles unexpected data?
Committee of Sponsoring Organizations (COSO) is a set of best practices for IT management.
False
Configuration changes can be made at any time during a system life cycle and no process is required.
False
The recovery point objective (RPO) can come from the business impact analysis or sometimes from a government mandate, such as banking laws.
True
Which security model does NOT protect the integrity of information?
Bell-LaPadula
Alice's private key
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?
Black-box test
Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting?
Today, people working in cyberspace must deal with new and constantly evolving ________.
Threats
A phishing email is a fake or bogus email intended to trick the recipient into clicking on an embedded URL link or opening an email attachment.
True
Bob's public key
Alice would like to send a message to Bob securely and wishes to encrypt the contents of the message. What key does she use to encrypt this message?
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?
Brute-force attack
Often an extension of a memorandum of understanding (MOU), the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets.
False
Passphrases are less secure than passwords.
False
WPA
What technology is the most secure way to encrypt wireless communications?
A ___________ gives priorities to the functions an organization needs to keep going.
business continuity plan (BCP)
Which of the following is likely to be a consequence of cloud computing in the future? A) Organizations will prefer to set up their own computing infrastructure. B) The cost of obtaining elastic resources will decrease. C) Jobs related to server operations at small organizations will increase. D) The number of technology-based startups will stagnate.
the cost of obtaining elastic resources will decrease
Agile development
A method of developing software that is based on small project iterations, or sprints, instead of long project schedules.
Black-box testing
A method of security testing that isn't based directly on knowledge of a program's architecture.
Fuzzing
A software testing method that consists of providing random input to software to see how it handles unexpected data.
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
Access to a high level of expertise
Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?
Accountability
Service level agreement (SLA)
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
A __________ tries to break IT security and gain access to systems with no authorization, in order to prove technical prowess.
Black-hat hacker
False
The process of describing a risk scenario and then determining the degree of impact that event would have on business operations is quantitative risk analysis. t/f
A personnel safety plan should include an escape plan.
True
In an incremental backup, you start with a full backup when network traffic is light. Then, each night, you back up only that day's changes.
True
In security testing, reconnaissance involves reviewing a system to learn as much as possible about the organization, its systems, and its networks.
True
The Gramm-Leach-Bliley Act (GLBA) addresses information security concerns in the financial industry.
True
IT Infrastructure Library
What is a set of concepts and policies for managing IT infrastructure, development, and operations?
Assume that information should be free
What is NOT a good practice for developing strong professional ethics?
An organization should share its information
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?
Request, impact assessment, approval, build/test, implement, monitor
What is the correct order of steps in the change control process?
Presentation
What layer of the OSI Reference Model is most commonly responsible for encryption?
Managers should include their responses to the draft report for the final audit report
When should an organization's managers have an opportunity to respond to the findings in an audit?
Checklist
Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?
chosen plaintext
Which cryptographic attack offers cryptanalysts the most information about how an encryption algorithm works?
Personal Information Protection and Electronic Documents Act
Which regulatory standard would NOT require audits of companies in the United States?
Network Mapping
Which security testing activity uses tools that scan for services running on systems?
switch
Which simple network device helps to increase network performance by using the MAC address to send network traffic only to its intended destination?
Gary is configuring a Smartphone and is selecting a wireless connectivity method. Which approach will provide him with the highest speed wireless connectivity?
Wi-Fi
What type of network connects systems over the largest geographic area?
Wide area network (WAN)
Baseline
a benchmark used to make sure that a system provides a minimum level of security across multiple applications and across different products
Functional policy
a statement of an organization's management direction for security in such specific functional areas as email, remote access, and internet surfing.
Job rotation
a strategy to minimize risk by rotating employees between various systems or duties
A small company is likely to choose IaaS as it does not require much technical expertise to load operating systems on a server.
false
Security Information and Event Management system (SIEM)
software and devices that assist in collecting, storing, and analyzing the contents of log files
A vendor providing SaaS usually makes the software available as a thin-client
true
Which organization created a standard version of the widely used C programming language in 1989?
ANSI
Symmetric
An encryption cipher that uses the same key to encrypt and decrypt is called a(n) __________ key.
Anomaly-based IDS
An intrusion detection system that compares current activity with stored profiles of normal (expected) activity.
Alice and Bob would like to communicate with each other using a session key but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key?
Asymmetric encryption algorithm
Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?
BYOD
With adequate security controls and defenses, an organization can often reduce its risk to zero.
False
An organization's internal IS that does not provide elasticity is still considered a cloud-based technology.
false
As standard practice, customers are regularly updated by cloud vendors about the location and number of copies made of their data.
false
Request, approval, impact assessment, build/test, monitor, implement
What is the correct order of steps in the change control process?
Signature detection
Which intrusion detection system strategy relies upon pattern matching?
Resumes of system administrators
Which item is an auditor least likely to review during a system controls audit?
Allie is working on the development of a web browser and wants to make sure that the browser correctly implements the Hypertext Markup Language (HTML) standard. What organization's documentation should she turn to for the authoritative source of information?
World Wide Web Consortium (W3C)
Standards
________ involve the standardization of the hardware and software solutions used to address a security risk throughout the organization.
Principles of least privilege
________ is the concept that users should be granted only the levels of permissions they need in order to perform their duties.
Standard
a mandated requirement for a hardware or software solution that is used to deal with security risk throughout the organization
Privacy policy
a policy that specifies how your organization collects, uses, and disposes of information about individuals
Guideline
a recommendation for how to use or how to purchase a product or system.
Event logs
a software or application-generated record that some action has occurred.
Among common recovery location options, this is one that can take over operation quickly. It has all the equipment and data already staged at the location, though you may need to refresh or update the data. a. Hot site b. Alternate processing center c. Warm site d. Cold site
a. Hot site
Biometrics is another ________ method for identifying subjects.
access control
Because personnel are so important to solid security, one of the best security controls you can develop is a strong security _____________ and awareness program. a. Guidelines b. Training c. Environment d. Documentation
b. Training
______________ is an authorization method in which access to resources is decided by the user's formal status. a. Knowledge b. Decentralized access control c. Authority-level policy d. Physically constrained user interface
c. Authority-level policy
A routing server determines which CDN server should respond to a request in real time.
true
Firewall
The basic job of a __________ is to enforce an access control policy at the border of a network.
nonrepudiation
__________ corroborates the identity of an entity, whether the sender, the sender's computer, some device, or some information.
Benchmark
the standard by which your computer or device is compared to determine if it's securely configured
Certification
the technical evaluation of a system to provide assurance that you have implemented it correctly.
Purchasing an insurance policy is an example of the ____________ risk management strategy.
transfer
If an organization opts for software as a service (SaaS), it will have to ________. A) install an operating system on the server B) purchase licenses for software replication C) transfer data and develop procedures D) install a DBMS
transfer data and develop procedures
A VPC allows organizations to gain the advantages of cloud storage for the portion of data that need not be physically controlled.
true
A content delivery network (CDN) provides a specialized type of PaaS.
true
A private internet uses cloud standards.
true
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?
$2,000,000
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor?
20 percent
Authorizing official (AO)
A designated senior manager who reviews a certification report and makes the decision to approve the system for implementation
SQL injection
A form of web application attack in which a hacker submits SQL (structured query language) expressions to cause authentication bypass, extraction of data, planting of information, or access to a command shell.
Emergency operations group
A group that is responsible for protecting sensitive data in the event of a natural disaster or equipment failure, among other potential emergencies.
Change control committee
A group that oversees all proposed changes to systems and networks.
True
A secure virtual private network (VPN) creates an authenticated and encrypted channel across some form of public network. t/f
Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place?
Address Resolution Protocol (ARP) poisoning
Threat
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make this type of classification decision?
Covert act
An act carried out in secrecy.
Memorandum of understanding (MOU)
An agreement between two or more parties that expresses areas of common interests that result in shared actions
Blanket purchase agreement (BPA)
An agreement that defines a streamlined method of purchasing supplies or services
Cipher
An algorithm used for cryptographic purposes is known as a __________.
Real-time monitoring
Analysis of activity as it is happening.
Taylor is a security professional working for a retail organization. She is hiring a firm to conduct the Payment Card Industry Data Security Standard (PCI DSS) required quarterly vulnerability scans. What credential should she seek in a vendor?
Approved scanning vendor (ASV)
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?
Audit
Which information security objective allows trusted entities to endorse information?
Certification
False
Certification is the formal agreement by an authorizing official to accept the risk of implementing a system.
True
Configuration management is the management of modifications made to the hardware, software, firmware, documentation, test plans, and test documentation of an automated system throughout the system life cycle. t/f
Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?
Decryption
________ is the basis for unified communications and is the protocol used by real-time applications such as IM chat, conferencing, and collaboration.
Dense wavelength division multiplexing (DWDM)
What information should an auditor share with the client during an exit interview?
Details on major issues
SOC 3
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request?
A business impact analysis (BIA) details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations.
False
A hardware configuration chart should NOT include copies of software configurations.
False
A remediation liaison makes sure all personnel are aware of and comply with an organization's policies.
False
IoT devices cannot share and communicate your IoT device data to other systems and applications without your authorization or knowledge.
False
Jake has been asked to help test the business continuity plan at an offsite location while the system at the main location is shut down. He is participating in a parallel test.
False
The four central components of access control are users, resources, actions, and features.
False
The four main types of logs that you need to keep to support security auditing include event, access, user, and security.
False
True or False: Voice mail and e-mail are examples of real-time communications.
False
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?
Formatting
In popular usage and in the media, the term ________ often describes someone who breaks into a computer system without authorization.
Hacker
With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network?
Home agent (HA)
DMZ
Host isolation is the isolation of internal networks and the establishment of a(n) __________.
Which recovery site option provides readiness in minutes to hours?
Hot site
False
IP addresses are assigned to computers by the manufacturer. t/f
SQL injection
In what type of attack does the attacker send unauthorized commands directly to a database?
Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity?
Incident
Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?
Is the security control likely to become obsolete in the near future?
Security Information and Event Management (SIEM)
Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?
System development lifecycle
More and more organizations use the term ________ to describe the entire change and maintenance process for applications.
Which type of authentication includes smart cards?
Ownership
________ is an authentication credential that is generally longer and more complex than a password.
Passphrase
Hilda is troubleshooting a problem with the encryption of data. At which layer of the OSI Reference Model is she working?
Presentation
Which approach to cryptography provides the strongest theoretical protection?
Quantum cryptography
Which data source comes first in the order of volatility when conducting a forensic investigation?
RAM
Which group is the most likely target of a social engineering attack?
Receptionists and administrative assistants
In a ________, the attacker sends a large number of packets requesting connections to the victim computer.
SYN flood
The world needs people who understand computer-systems ________ and who can protect computers and networks from criminals and terrorists.
Security
What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?
Security Assertion Markup Language (SAML)
What type of network device normally connects directly to endpoints and uses MAC-based filtering to limit traffic flows?
Switch
Which of the following is an accurate description of cloud computing?
The practice of using computing services that are delivered over a network.
A successful business impact analysis (BIA) maps the context, the critical business functions, and the processes on which they rely.
True
Administrative controls develop and ensure compliance with policy and procedures.
True
Fencing and mantraps are examples of physical controls.
True
Fingerprints, palm prints, and retina scans are types of biometrics.
True
Implementing and monitoring risk responses are part of the risk management process.
True
Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than just in individual packets.
True
While running business operations at an alternate site, you must continue to make backups of data and systems.
True
An attacker attempting to break into a facility pulls the fire alarm to distract the security guard manning an entry point. Which type of social engineering attack is the attacker using?
Urgency
Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?
Vulnerability
Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime?
Warm site
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?
Waterfall
screened subnet
What firewall topology supports the implementation of a DMZ?
hash
What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature?
System integrity monitoring
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?
nonrepudiation
When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?
They provide for places within the process to conduct assurance checks.
Which of the following is true of procedures?
Laws
Which of the following would NOT be considered in the scope of organizational compliance efforts?
Enforcing the integrity of computer-based information
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?
transposition
Which type of cipher works by rearranging the characters in a message?
TCP/IP
__________ is a suite of protocols that was developed by the Department of Defense to provide a highly reliable and fault-tolerant network infrastructure.
Maximum Tolerable Downtime (MTD)
__________ is the limit of time that a business can survive without a particular critical system.
Non-real-time monitoring
__________ is used when it's not as critical to detect and respond to incidents immediately.
Cryptography
__________ offers a mechanism to accomplish four security goals: confidentiality, integrity, authentication, and nonrepudiation.
Overt act
an act that is open to view
To use cloud-based hosting, an organization will have to construct its own data center.
false
Which of the following statements is true about cloud services? A) Cloud service vendors tend to avoid virtualization. B) In-house hosting is generally preferable to cloud hosting. C) Cloud services always allow customers to maintain physical control over its data. D) Financial institutions are not likely to hire cloud services from a vendor.
financial institutions are not likely to hire cloud services from a vendor
Which of the following is not a type of authentication?
identification
The cloud-based service that provides the hardware and allows customers to load an operating system of their choice is known as ________. A) application virtualization B) platform as a service (PaaS) C) infrastructure as a service (IaaS) D) network functions virtualization (NFV)
infrastructure as a service (IaaS)
Remediation
the act of fixing a known risk, threat, or vulnerability that is identified or found in an IT infrastructure
If software licensed from others is to be installed on the cloud, licenses for replication of software must be purchased.
true
Organizations that are required by law to have physical control over their data can also benefit from cloud computing.
true
Service oriented architecture (SOA) is a way of designing computer programs so that they can be combined flexibly.
true
Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore?
2
False
A hardened configuration is a system that has had unnecessary services enabled. t/f
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?
Acceptability
Which one of the following is the best example of an authorization control?
Access control lists
Monitoring activity in the workplace includes which of the following?
All of these could be monitored.
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?
An organization should share its information. (An organization should collect only what it needs, keep its information up to date, and properly destroy its information when it's no longer needed.)
Baseline
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Mitigation activities
Any activities designed to reduce the severity of a vulnerability or remove it altogether.
Forensics and incident response are examples of __________ controls.
Corrective
Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?
Crossover error rate (CER)
Does the firewall properly block unsolicited network connection attempts?
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
Discretionary access control (DAC)
Reactive change management
Enacting changes in response to reported problems.
_______ is the proportion of value of a particular asset likely to be destroyed by a given risk, expressed as a percentage.
Exposure factor (EF)
A structured walk-through test is a review of a business continuity plan to ensure that contact numbers are current and that the plan reflects the company's priorities and structure.
False
A time-based synchronization system is a mechanism that limits access to computer systems and network resources. True or False?
False
An SOC 1 report primarily focuses on security.
False
The anti-malware utility is one of the most popular backdoor tools in use today.
False
The auto industry has not yet implemented the Internet of Things (IoT).
False
The first step in the risk management process is to monitor and control deployed countermeasures.
False
The term need-to-know refers to a device used as a logon authenticator for remote users of a network. True or False?
False
True or False: The Delphi method is the estimated loss due to a specific realized threat. The formula to calculate this loss is SLE × ARO.
False
Vishing is a type of wireless network attack.
False
Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring?
False positive error
What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)?
Family Policy Compliance Office (FPCO)
Which of the following agencies is NOT involved in the Gramm-Leach-Bliley Act (GLBA) oversight process?
Federal Communications Commission (FCC)
David would like to connect a Fibre Channel storage device to systems over a standard data network. What protocol can he use?
Fibre Channel over Ethernet (FCoE)
Integrity
Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve?
Audit
Gilfoyle is reviewing security logs to independently assess security controls. Which security review process is Gilfoyle engaging in?
Secure Sockets Layer (SSL)
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?
Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to health care providers?
HIPAA
True
In security testing data collection, observation is the input used to differentiate between paper procedures and the way the job is really done.
Waterfall
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?
Is the security control likely to become obsolete in the near future?
Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?
False
Mandatory vacations minimize risk by rotating employees among various systems or duties.
Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need?
Mantraps
Project Initiation and planning
Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records?
Masking
Sprint
One of the small project iterations used in the "agile" method of developing software, in contrast with the usual long project schedules of other ways of developing software.
Which one of the following is an example of a logical (as opposed to physical) access control?
Password
Offboarding
Process of managing the way employees leave the organization.
Which tool can capture the packets transmitted between systems over a network?
Protocol analyzer
What term describes the risk that exists after an organization has performed all planned countermeasures and controls?
Residual Risk
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
Security Kernel
True
Security administration is the group of individuals responsible for the planning, design, implementation, and monitoring of an organization's security plan. t/f
Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?
Security information and event management (SIEM)
White-box testing
Security testing that is based on knowledge of the application's design and source code.
Gray-box testing
Security testing that is based on limited knowledge of an application's design.
Which intrusion detection system strategy relies upon pattern matching?
Signature detection
Which one of the following is an example of two-factor authentication?
Smart card and personal identification number (PIN)
True
Some of the tools and techniques used in security monitoring include baselines, alarms, closed-circuit TV, and honeypots. t/f
Encryption
The act of scrambling plaintext into ciphertext is known as __________.
Reconnaissance
The review of the system to learn as much as possible about the organization, its systems, and networks is known as __________.
Purchasing an insurance policy is an example of the ____________ risk management strategy.
Transfer
A control limits or constrains behavior.
True
Any component that, if it fails, could interrupt business processing is called a single point of failure (SPoF).
True
Application service providers (ASPs) are software companies that build applications hosted in the cloud and on the Internet.
True
Authentication controls include passwords and personal identification numbers (PINs).
True
Company-related classifications are not standard; therefore, there may be some differences between the terms "private" and "confidential" in different companies.
True
Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it.
True
Data loss prevention (DLP) uses business rules to classify sensitive information to prevent unauthorized end users from sharing it.
True
During an audit, an auditor compares the current setting of a computer or device with a benchmark to help identify differences.
True
Examples of major disruptions include extreme weather, application failure, and criminal activity.
True
In remote journaling, a system writes a log of online transactions to an offsite location.
True
Information systems security is about ensuring the confidentiality, integrity, and availability of IT infrastructures and the systems they comprise.
True
Many jurisdictions require audits by law.
True
Most often passphrases are used for public and private key authentication. True or False?
True
One advantage of using a security management firm for security monitoring is that it has a high level of expertise.
True
Organizations should seek a balance between the utility and cost of various risk management options.
True
Performing security testing includes vulnerability testing and penetration testing.
True
Screen locks are a form of endpoint device security control.
True
Unified messaging allows you to download both voice and email messages to a smartphone or tablet.
True
Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?
Typosquatting
Which one of the following is NOT a commonly accepted best practice for password security?
Use at least six alphanumeric characters.
True
When you use a control that costs more than the risk involved, you're making a poor management decision. t/f
Procedure
a set of step-by-step instructions
____________ is the process of managing changes to computer/device configuration or application software. a. Sprint b. Change control c. Proactive change management d. Procedure control
b. Change control
The requirement to keep information private or secret is the definition of __________.
confidentiality
A _________ has a hostile intent, possesses sophisticated skills, and may be interested in financial gain. They represent the greatest threat to networks and information resources.
cracker
Cloud-based hosting is preferred by organizations that are required by law to have physical control over their data.
false
Content delivery networks (CDNs) increase Web sites' load time.
false
DBMS products are generally included in IaaS services
false
Large Web farms are likely to replace in-house servers used by small companies due to the benefits of cloud computing.
false
Remote action systems increase time and travel expenses.
false
Which of the following is a characteristic of a private cloud? A) Organizations define their own set of standards for interactions between programs. B) Idle servers on a private cloud can be allocated to other organizations. C) A private cloud is most likely to be built by a small organization. D) Most organizations avoid having multiple database servers in a private cloud
most organizations avoid having multiple database servers in a private cloud
Which of the following is an example of a hardware security control?
password*** security policy***
Which of the following services provides hardware, an operating system, and a database management system (DBMS) on a cloud-based offering? A) network as a service (NaaS) B) infrastructure as a service (IaaS) C) software as a service (SaaS) D) platform as a service (PaaS)
platform as a service (PaaS)
Audits also often look at the current configuration of a system as a snapshot in time to verify that it complies with ________.
standards
Proactive change management
the act of initiating changes to avoid expected problems
An elastic load balancer is a feature available in a private cloud that is not available in a private internet
true
Before the creation of personal computers, time-sharing vendors provided slices of computer time on a use-fee basis.
true
Cloud computing is likely to enable organizations to obtain elastic resources at very low costs.
true
router
A __________ is a device that interconnects two or more networks and selectively interchanges packets of data between them.
Benchmark
A __________ is a standard used to measure how effective your system is as it relates to industry expectations.
checksum
A __________ is used to detect forgeries.
Digital
A __________ signature is a representation of a physical signature stored in a digital format.
Security information and event management
A common platform for capturing and analyzing log entries is __________.
What is meant by standard?
A mandated requirement for a hardware or software solution that is used to deal with a security risk throughout the organization.
True
A strong hash function is designed so that a forged message cannot result in the same hash as a legitimate message. t/f
Internet Architecture Board (IAB)
A subcommittee of the IETF composed of independent researchers and professionals who have a technical interest in the overall well-being of the Internet.
Stateful matching
A technique of matching network traffic with rules or signatures based on the appearance of the traffic and its relationship to other packets.
Penetration testing
A testing method that tries to exploit a weakness in the system to prove that an attacker could successfully penetrate it.
Zone transfer
A unique query of a DNS server that asks it for the contents of its zone.
Service Level Agreement
A(n) ________ is a formal contract between your organization and an outside firm that details the specific services the firm will provide
Wide area network
A(n) __________ is a critical element in every corporate network today, allowing access to an organization's resources from almost anywhere in the world.
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
Access to a high level of expertise
Detective Control
An IDS is what type of control?
false
An organization does not have to comply with both regulatory standards and organizational standards. T/F
Incident
Any event that either violates or threatens to violate your security policy is known as a(n) __________.
During which phase of the access control process does the system answer the question,"What can the requestor access?"
Authorization
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?
Authorization
Threat
Ayo is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions?
___________ is the duty of every government that wants to ensure its national security.
Cybersecurity
Symmetric algorithms
DES, IDEA, RC4, and WEP are examples of __________.
False
DHCP provides systems with their MAC addresses. t/f
True
Data classification is the responsibility of the person who owns the data. t/f
What is a key principle of risk management programs?
Don't spend more to protect an asset than it is worth.
True
Encryption ciphers fall into two general categories: symmetric (private) key and asymmetric (public) key. t/f
Which practice is NOT considered unethical under RFC-1087 issued by the Internet Architecture Board (IAB)?
Enforcing the integrity of computer-based information (Seeking to gain unauthorized access to resources, Disrupting intended use of the Internet, Compromising the privacy of users)
Formatting
Erik is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?
Access to a high level of expertise
Everett is considering outsourcing security functions to a third-party service provider (which is kind of risky for a CIA agent :). What benefit is he most likely to achieve?
An attacker uses exploit software when wardialing.
False
Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)?
Health Monitoring
What organization offers a variety of security certifications that are focused on the requirements of auditors?
ISACA
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?
Kerberos
Which of the following would NOT be considered in the scope of organizational compliance efforts?
Laws (Company policy, Internal audit, Corporate culture)
What term describes the longest period of time that a business can survive without a particular critical system?
Maximum Tolerable Downtime
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Memorandum of understanding (MOU)
Which one of the following is an example of a reactive disaster recovery control?
Moving to a warm site
Service Level Agreement (SLA)
Nakia is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries?
National Institute of Standards and Technology (NIST)
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
Phishing
Which one of the following is NOT an advantage of biometric systems?
Physical characteristics may change.
True
Policy sets the tone and culture of the organization. t/f
Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?
Prudent
What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act?
Publicly traded companies
Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis?
Qualitative
Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take?
Reduce
True
Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than just in individual packets. True/False?
Authorization
Richard is identifying the set of privileges that should be assigned to a new employee in his organization. Which phase of the access control process is he performing?
Audit
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?
George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?
Risk Management Guide for Information Technology Systems (NIST SP800-30)
Residual
Risk that remains even after risk mitigation efforts have been implemented is known as __________ risk.
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
Role-based access control (RBAC)**** Rule-based access control****
Jennifer is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use?
SAQ C
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?
Secure European System for Applications in a Multi-Vendor Environment (SESAME)****
Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?
Separation of duties
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for a timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
Service level agreement (SLA)
Which one of the following principles is NOT a component of the Biba integrity model?
Subjects cannot change objects that have a lower integrity level.
Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer?
Supervisory Control and Data Acquisition (SCADA)
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?
System integrity monitoring
Which one of the following is NOT an example of store-and-forward messaging?
Telephone call
Onboarding
The process that a company uses to integrate new employees into an organization.
The security process; the policies, procedures, and guidelines adopted by the organization; the authority of the persons responsible for security
The security program requires documentation of:
Hardened configuration
The state of a computer or device in which you have turned off or disabled unnecessary services and protected the ones that are still running.
True
The three basic types of firewalls are packet filtering, application proxy, and stateful inspection. t/f
True
The two basic types of ciphers are transposition and substitution. t/f
Waterfall
There are several types of software development methods, but most traditional methods are based on the ________ model.
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these types of classification decisions?
Threat (Value, sensitivity, criticality are)
Which type of cipher works by rearranging the characters in a message?
Transposition
Residual risk is the risk that remains after you have installed countermeasures and controls. True or False?
True
SOC 2 reports are created for internal and other authorized stakeholders and are commonly implemented for service providers, hosted data centers, and managed cloud computing providers.
True
Social engineering is deceiving or using people to get around security controls.
True
Standards are used when an organization has selected a solution to fulfill a policy goal.
True
The Government Information Security Reform Act (Security Reform Act) of 2000 focuses on management and evaluation of the security of unclassified and national security systems.
True
Which one of the following is NOT a commonly accepted best practice for password security?
Use no more than eight characters.
Network mapping
Using tools to determine the layout and services running on an organization's systems and networks.
Val would like to isolate several systems belonging to the product development group from other systems on the network, without adding new hardware. What technology can she use?
Virtual LAN (VLAN)
Black-hat hackers generally poke holes in systems, but do not attempt to disclose __________ they find to the administrators of those systems.
Vulnerabilities
Punish users who violate policy
What is NOT a goal of information security awareness programs?
NAT
What technology allows you to hide the private IPv4 address of a system from the Internet?
The ____________ team's responsibilities include handling events that affect your computers and networks and ultimately can respond rapidly and effectively to any event. a. Management b. Compliance liaison c. IT Group d. Security administration
d. Security administration
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control for computer systems. a. Physical access control b. authentication c. Event-based synchronous system d. Security kernel
d. Security kernel
A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime.
disaster
A content delivery network (CDN) services a user's request using the geographically closest server.
false
Cloud vendors do not benefit from economies of scale.
false
An online service allows users to integrate their phonebook with their social media profiles and stores it on the cloud. The phonebook is updated with pictures of contacts when they are uploaded on social media sites. Which of the following cloud-based offerings is being provided to the users? A) network as a service (NaaS) B) platform as a service (PaaS) C) infrastructure as a service (IaaS) D) software as a service (SaaS)
software as a service (SaaS)
Phobas Inc. offers an online service which stores notes made by customers on the cloud. When a customer enters notes on one device, it gets updated in all the devices he/she owns. Which of the following cloud-based offerings is being provided to the customers? A) virtual private cloud B) platform as a service (PaaS) C) software as a service (SaaS) D) infrastructure as a service (IaaS)
software as a service (SaaS)
What term is used to describe communication that doesn't happen in real time but rather consists of messages (voice or e-mail) that are stored on a server and downloaded to endpoint devices?
store-and-forward communications
A security awareness program includes ________.
teaching employees about security objectives, motivating users to comply with security policies, informing users about trends and threats in society
A system uses cameras and motion-sensing equipment to issue tickets for traffic violations. This system is an example of ________. A) videotelephony B) telesurgery C) telelaw enforcement D) GPS augmentation
telelaw enforcement
standard
A __________ is a generally agreed-upon technology, method, or format for a given application, such as the TCP/IP protocol.
Connecting your computers or devices to the ________ immediately exposes them to attack.
Internet
Continuing professional education (CPE) credits typically represent ________ minutes of classroom time per CPE unit.
50
Which of the following is an example of a hardware security control?
MAC filtering
RSA
What is NOT a symmetric encryption algorithm?
Which of the following is an advantage of using a private cloud over a virtual private cloud (VPC)? A) Unlike a VPC, the infrastructure required for a private cloud can be built and operated easily. B) A VPC gains significantly by using an elastic load balancer, whereas a private cloud does not use an elastic load balancer. C) A VPC cannot be accessed from outside the organization, but a private cloud can be accessed from outside the organization. D) Unlike a VPC, a private cloud does not require permission from regulating bodies to host sensitive data.
unlike a VPC, a private cloud does not require permission from regulating bodies to host sensitive data
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)?
$2,000,000
Addressing their purpose
An audit examines whether security controls are appropriate, installed correctly, and __________.
RFC 1087
In 1989, the IAB issued a statement of policy about Internet ethics. This document is known as ________.
Signature based
In __________ methods, the IDS compares current traffic with activity patterns consistent with those of a known network intrusion via pattern matching and stateful matching.
False negative
Incorrectly identifying abnormal activity as normal.
False positive
Incorrectly identifying normal activity as abnormal.
Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve?
Integrity
When should an organization's managers have an opportunity to respond to the findings in an audit?
Managers should include their responses to the draft audit report in the final audit report.
What government agency sponsors the National Centers of Academic Excellence (CAE) for the Cyber Operations Program?
National Security Agency (NSA)
Which regulatory standard would NOT require audits of companies in the United States?
Personal Information Protection and Electronic Documents Act (PIPEDA)
Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed?
Preventative
Separation of Duties
Ramonda is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
Project initiation and planning
Shuri is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
What is meant by annual rate of occurrence (ARO)?
The annual probability that a stated threat will be realized.
Accreditation
The formal acceptance by the authorizing official of the risk of implementing the system.
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?
$20,000
Deterrent controls identify that a threat has landed in your system.
False
During the secure phase of a security review, you review and measure all controls to capture actions and changes on the system.
False
Most enterprises are well prepared for a disaster should one occur.
False
Terry is troubleshooting a network that is experiencing high traffic congestion issues. Which device, if present on the network, should be replaced to alleviate these issues?
Hub
Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet?
Internet Engineering Task Force
Gwen's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Gwen should implement before accepting credit card transactions?
Payment Card Industry Data Security Standard (PCI DSS)
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?
Secure Sockets Layer (SSL)
Which of the following statements is true of content delivery networks (CDNs)? A) They reduce users' access costs by delivering data faster. B) They distribute data on different servers without any data replication. C) Users receive content from the CDN server that is geographically closest. D) A routing server decides which server should deliver content on an hourly basis.
they reduce users' access costs by delivering data faster
What is NOT a good practice for developing strong professional ethics?
Assume that information should be free (Set the example by demonstrating ethics in daily activities, Encourage adopting ethical guidelines and standards, Inform users through security awareness training)
Alice's public key
Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
Business continuity plan (BCP)
Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?
Checklist
Prudent
Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?
True
Classification scope determines what data you should classify; classification process determines how you handle classified data. True/False?
Phishing
T'Challa's organization received a mass email message that attempted to trick vibranium engineers into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
Open Systems Interconnection (OSI) Reference Model
The basic model for how you can build and use a network and its resources is known as the __________.
Configuration, change
The change management process includes ________ control and ________ control.
Which of the following is the definition of access control?
The process of protecting a resource so that it is used only by those allowed to use it; a particular method used to restrict or allow access to resources.
A dictionary attack works by hashing all the words in a dictionary and then comparing the hashed value with the system password file to discover a match.
True
A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing
True
Telediagnosis uses telecommunications to link surgeons to robotic equipment at distant
false
Clipping level
A value used in security monitoring that tells the security operations personnel to ignore activity that falls below a stated value
True
A vulnerability is any exposure that could allow a threat to be realized. t/f
When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?
Nonrepudiation
Sireus Corp. is availing a cloud-based service. It plans to install a software package that will offer cloud services to its users. If it would like to avoid installing an operating system on the server, which of the following services should it choose? A) network as a service (NaaS) B) infrastructure as a service (IaaS) C) platform as a service (PaaS) D) software as a service (SaaS)
Platform as a service (PaaS)
Which one of the following is an example of a logical access control?
Password
Which of the following statements is true of a virtual private cloud (VPC)? A) A VPC does not make use of a VPN (virtual private network). B) An organization generally stores its most sensitive data on a VPC. C) A VPC can be accessed only from within an organization. D) A VPC can be built on public cloud infrastructure.
a VPC can be built on public cloud infrastructure
Which of the following is a difference between a virtual private network (VPN) and a virtual private cloud (VPC)? A) Unlike a VPN, a VPC uses encrypted connections between the users and the server. B) A VPN can be accessed over the Internet, but a VPC cannot be accessed over the Internet. C) Unlike a VPC, a VPN connects users to an organization's internal IS. D) A VPC provides the advantages of cloud storage, but a VPN by itself cannot provide these
a VPC provides the advantages of cloud storage, but a VPN by itself cannot provide these advantages
Which of the following is true of a VPN (virtual private network)? A) A VPN communication is secure even though it is transmitted over the public Internet. B) One disadvantage of a VPN is that it does not encrypt messages. C) Remote access is difficult in case of a VPN. D) It is a physical, private pathway over a public or shared network from the client to the server.
a VPN communication is secure even though it is transmitted over the public internet
Service-level agreement
a contractual commitment by a service provider or support organization to its customers or users
Notification, response, recovery and follow-up, and documentation are all components of what process? a. Incident handling b. Corrective control c. Business impact analysis (BIA) d. Countermeasure
a. Incident handling
Using https instead of http ________. A) shows the other users on that network who are accessing the same site B) allows a packet sniffer to see only the site visited and nothing further C) connects a user to the version of the site hosted on a private cloud D) detects the presence of packet sniffers in the vicinity
allows a packet sniffer to see only the site visited and nothing further
Interconnection security agreement (ISA)
an interoperability agreement, often an extension of MOU, that documents technical requirements of interconnected assets
Pattern-or signature-based IDS
an intrusion detection system that uses pattern matching and stateful matching to compare current traffic with activity patterns (signatures) of known network intruders
Two-factor __________ should be the minimum requirement for valuable resources as it provides a higher level of security than using only one.
authentication
____________ is used to describe a property that indicates that a specific subject needs access to a specific object. This is necessary to access the object in addition to possessing the proper clearance for the object's classification. a. Smart card b. Relationships c. Need-to-know d. Multi-tenancy
c. Need-to-know
an organization that hires cloud services _______ a. can accommodate increase in traffic from only one city b. is continually provided with the maximum possible bandwidth c. can limit the response time of its web pages d. hires a fixed number of servers
can limit the response time of its web pages
Which of the following statements is true of cloud-based and in-house hosting? A) In-house hosting makes scaling up to meet the demands of increased traffic easier. B) Cloud-based hosting involves the risk of investing in technology that may soon become obsolete. C) In-house hosting leads to loss of physical control of data. D) Cloud-based hosting reduces the visibility of the security being used to protect data.
cloud-based hosting reduces the visibility of the security being used to protect data
which of the following is a reason for the term elastic being used to define the cloud a. computing resources can be increased or decreased dynamically in cloud-based hosting b. operations staff manually allots fresh resources when the traffic increases c. customers are provided a consistent bandwidth on the cloud d. resources available for cloud-hosting are shared among customers
computing resources can be increased or decreased dynamically in cloud-based hosting
A ________ is a system of hardware and software that stores user data in many different geographical locations and makes that data available on demand. A) virtual private network B) content delivery network C) mobile virtual network D) local area network
content delivery network
A security awareness program includes _____________. a. Motivating users to comply with security policies b. Informing users about trends and threats in society c. Teaching employees about security objectives d. All of the above
d. All of the above
A(n) __________ is a measurable occurrence that has an impact on the business. a. Critical business function b. Corrective control c. Cost d. Event
d. Event
What is meant by certification? a. A strategy to minimize risk by rotating employees between various systems or duties b. The formal acceptance by the authorizing official of the risk of implementing the system c. A group that is responsible for protecting sensitive data in the event of a natural disaster or equipment failure, among other potential emergencies d. The technical evaluation of a system to provide assurance that you have implemented the system correctly
d. The technical evaluation of a system to provide assurance that you have implemented the system correctly
Teleaction increases the value of routine face-to-face services
false
Which of the following statements is true of private clouds? A) Private clouds are easy to build and operate. B) Several organizations pool their resources to form a private cloud. C) Private clouds provide access from outside an organization without connecting to a VPN (virtual private network). D) Idle servers in a private cloud cannot be re-allocated to other organizations.
idle servers in a private cloud cannot be re-allocated to other organizations
An internal information system built using Web services ________. A) is called a virtual private network B) is a cloud-based technology if it offers elasticity C) is a subset of a virtual private cloud D) is an example of platform as a service (PaaS)
is a cloud-based technology if it offers elasticity
Which of the following is a disadvantage of a content delivery network? A) It increases the load time of web pages for users. B) Its vulnerability to denial-of-service (DOS) attacks is high. C) Its reliability is decreased as data is stored on many servers. D) It is better suited to store and deliver content that seldom changes.
it is better suited to store and deliver content that seldom changes
Which of the following is a characteristic of a virtual private network (VPN)? A) It establishes a physical connection between the client and the server, called tunnel. B) It sends encrypted messages over the public Internet. C) A VPN can be accessed from only one geographical location. D) VPNs cannot be accessed over the Internet.
it sends encrypted messages over the public internet
What is a VPN (virtual private network)? A) It is a markup language that fixes several HTML deficiencies and is commonly used for program-to-program interaction over the Web. B) It is an add-on to browsers that was developed by Adobe and is useful for providing animation, movies, and other advanced graphics inside a browser. C) It is the most common language for defining the structure and layout of web pages. D) It uses the Internet to create secure point-to-point connections.
it uses the internet to create secure point-to-point connections
What term is used to describe a set of step-by-step actions to be performed to accomplish a security requirement, process, or objective?
procedure
Any organization that is serious about security will view ___________ as an ongoing process.
risk management
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
security kernel
Cross-Site request forgery (XSRF)
similar to the XSS attack, an attacker provides script code that causes a trusted user who views the input script to send malicious commands to a web server. Exploits the trust a server has in a user
Which of the following statements is true about cloud computing a. the elastic leasing of pooled computer resources over the internet is called the cloud b. a cloud is a peer-to-peer network used to share data between users c. cloud-based hosting does not operate over the internet d. any network of servers hosted in-house by an organization for its own requirements is regarded as a cloud
the elastic leasing of pooled computer resources over the internet is called the cloud
Security administration
the group of individuals responsible for planning, designing, implementing, and monitoring an organization's security plan
Certifier
the individual or team responsible for performing the security test and evaluation.
Which of the following is a reason why an internal information system (private internet) that uses Web services is not considered a cloud? A) The number of servers is fixed in a private internet and is not made elastic. B) Idle servers in a private internet are dynamically re-allocated. C) It is generally not accessible outside the organization. D) An organization maintains a private internet using its own resources.
the number of servers is fixed in a private internet and is not made elastic
System owner
the person responsible for the daily operation of a system and for ensuring that the system continues to operate in compliance with conditions set out by the authorizing official
Reconnaissance
the process of gathering information
which of the following is true of web services a. they are SOA-designed programs that comply with web service standards b. they are programs that comply with IEEE 802.3 protocol standard and cannot be used for cloud processing c. they are programs that comply with web service standards and can only run as an independent program d. they can be used only with other programs from the same vendor
they are SOA-designed programs that comply with web service standards
A tunnel is a virtual, private pathway over a public or shared network from the VPN (virtual private network) client to the VPN server.
true
A user may receive various pieces of a web page from different servers on a content delivery network (CDN).
true
Cloud computing is likely to lead to an increase in the number of technology-based startups
true
Cloud resources are pooled because many different organizations use the same physical hardware.
true
Content delivery networks (CDNs) are used to store and deliver content that rarely changes
true
The connection between a VPN client and a VPN server is called a tunnel.
true
To use software as a service (SaaS), the user has to just sign up for the service.
true
Which of the following statements is true about the increase in popularity of cloud hosting? A) Data communication is more expensive now than earlier. B) Virtualization allows instantaneous creation of new virtual machines. C) Internet-based standards have led to loss of flexibility in processing capabilities. D) The technology prevalent in the 1960s was more favorable for the construction of enormous
virtualization allows instantaneous creation of new virtual machines