SEC 2nd Midterm
Which of the following statements is true regarding SQL Injection attacks?
Their likelihood can be reduced through regular testing.
Which of the following statements is true regarding cross-site scripting (XSS) attacks?
They are one of the most common web attacks.
Why do hackers often send zipped and encrypted files and attachments?
They cannot be opened by antivirus software and so they will often reach the recipient.
Network access control (NAC) works on wired and wireless networks.
True
What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4012?
Senior System Manager
Alice would like to send a message to Bob securely and wishes to encrypt the contents of the message. What key does she use to encrypt this message?
Bob's public key
Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)?
Business associate of a covered entity
Which of the following certifications cannot be used to satisfy the security credential requirements for the advanced Certified Internet Webmaster (CIW) certifications?
Certified Information Security Manager (CISM)
What is the highest level of academic degree that may be earned in the field of information security?
Doctor of philosophy (PhD)
What is NOT an area where the Internet Architecture Board (IAB) provides oversight on behalf of the Internet Engineering Task Force (IETF)?
Subject matter expertise on routing and switching
Alan uses an ATM belonging to Bank X to withdraw cash from his account with Bank Y. What is Alan's relationship with Bank X?
Consumer
What is NOT one of the four main purposes of an attack?
Data import
Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?
Decryption
A professional certification is typically offered as part of an evening curriculum that leads to a certificate of completion.
False
Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time?
Online Certificate Status Protocol (OCSP)
What is the maximum value for any octet in an IPv4 IP address?
255
________ refers to a program of study approved by the State Department of Education in the state in which a school operates.
Accredited
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?
Alice's private key
What protocol is responsible for assigning IP addresses to hosts on most networks?
Dynamic Host Configuration Protocol (DHCP)
A border router can provide enhanced features to internal networks and help keep subnet traffic separate.
False
A smurf attack tricks users into providing logon information on what appears to be a legitimate website but is in fact a website set up by an attacker to obtain this information.
False
A subnet mask is a partition of a network based on IP addresses.
False
A worm is a self-contained program that has to trick users into running it.
False
Cryptographic key distribution is typically done by phone.
False
Federal agencies fall under the legislative branch of the U.S. government.
False
Implicit deny is when firewalls look at message addresses to determine whether a message is being sent around an unending loop.
False
System infectors are viruses that attack document files containing embedded macro programming capabilities.
False
What certification organization began as an offshoot of the SANS Institute training programs?
Global Information Assurance Certification (GIAC)
Which unit of measure represents frequency and is expressed as the number of cycles per second?
Hertz
What type of system is intentionally exposed to attackers in an attempt to lure them out?
Honeypot
Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve?
Integrity
What is the certificate management component of GPG4Win?
Kleopatra
When the key is successfully created, which of the following options sends a copy of your private key to your computer?
Make a Backup Of Your Key Pair
__________ consists of unwanted programs like Trojans and viruses.
Malware
Which of the following is a Windows local security password policy?
Maximum password age
Which of the following is a security countermeasure that could be used to protect your production SQL databases against injection attacks?
Monitor your SQL databases for unauthorized or abnormal SQL injections.
If someone sends you his public key and you import it into Kleopatra, will he be able to decrypt the encrypted messages you send him?
No, because you must provide your public key to any user wanting to decrypt any message encrypted by you.
When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?
Nonrepudiation
How can you ensure the confidentiality, integrity, and availability (CIA) of the web application and service?
Penetration testing
A security awareness program that focuses on an organization's Bring Your Own Device (BYOD) policy is designed to cover the use of what type of equipment?
Personally owned devices
How do you encrypt a text message using the keys you created in the lab?
Right-click the file and select Sign and Encrypt from the context menu.
Ben is working toward a position as a senior security administrator and would like to earn his first International Information Systems Security Certification Consortium, Inc. (ISC)2 certification. Which certification is most appropriate for his needs?
Systems Security Certified Practitioner (SSCP)
A firewall is a basic network security defense tool.
True
Defense in depth is the practice of layering defenses to increase overall security and provide more reaction time to respond to incidents.
True
Digital signatures require asymmetric key cryptography.
True
What is NOT an effective key distribution method for plaintext encryption keys?
Unencrypted email
What is NOT a typical sign of virus activity on a system?
Unexpected power failures
When the key is successfully created, which of the following options lets you store your certificate on a public Internet server?
Upload Certificate To Directory Service
What is the only unbreakable cipher when it is used properly?
Vernam
The main purpose of the __________ is to keep any deleted file for a certain period of time, so that you can make sure you do not need the file any more.
Virus Vault
What is NOT a service commonly offered by unified threat management (UTM) devices?
Wireless network access
Allie is working on the development of a web browser and wants to make sure that the browser correctly implements the Hypertext Markup Language (HTML) standard. What organization's documentation should she turn to for the authoritative source of information?
World Wide Web Consortium (W3C)
Unless stringent security is mandated by policy, the security practitioner must always balance security with:
functionality and user adoption.
What file extension does Kleopatra add to an encrypted file?
gpg
What is the correct command syntax to force GPO settings?
gpupdate /force
It is important to bring standalone systems into the Domain because it:
helps prevent unauthorized access to network resources.
No security program is complete without:
host-based security measures.
Integrating Linux with Active Directory:
is almost always a simple task.
Information Systems Security Certification Consortium, Inc. (ISC)2 is the baseline for federal and DoD work-role definitions.
False
Product cipher is an encryption algorithm that has no corresponding decryption algorithm.
False
The National Institute of Standards and Technology (NIST) is the main United Nations agency responsible for managing and promoting information and technology issues.
False
The four main areas in NIST SP 800-50 are awareness, training, certification, and professional development.
False
A certification is an official statement that validates that a person has satisfied specific job requirements.
True
A network protocol governs how networking equipment interacts to deliver data across the network.
True
A successful denial of service (DoS) attack may create so much network congestion that authorized users cannot access network resources.
True
RSA is a global provider of security, risk, and compliance solutions for enterprise environments.
True
Security awareness training should remind employees to ensure confidentiality by not leaving any sensitive information or documents on their desks.
True
Standards provide guidelines to ensure that products in today's computing environments work together.
True
The Internet Engineering Task Force (IETF) is a collection of working groups (WGs), and each working group addresses a specific topic.
True
The National Institute of Standards and Technology (NIST) 800 Series publications cover all NIST-recommended procedures for managing information security.
True
Under the Federal Information Security Management Act (FISMA), all federal agencies must report security incidents to the U.S. Computer Emergency Readiness Team (US-CERT).
True
What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations?
Whois
What standard is NOT secure and should never be used on modern wireless networks?
Wired Equivalent Privacy (WEP)
Each time a key pair is created, Kleopatra generates:
a unique 40-character fingerprint.
The main principle of __________ is to build layers of redundant and complementary security tools, policies, controls, and practices around the organization's information and assets.
defense in depth
Database developers and administrators are responsible for:
ensuring regular backups of the database are performed.
Web application developers and software developers are responsible for:
the secure coding and testing of their application.
Each element of __________ has a specific requirement for security professionals.
the security framework
Henry's last firewall rule must allow inbound access to a Windows Terminal Server. What port must he allow?
3389
How many domains of knowledge are covered by the Certified Information Systems Security Professional (CISSP) exam?
8
To complete the creation of a key, what do you need to enter in the pinentry dialog box?
A passphrase, or password
Which organization created a standard version of the widely used C programming language in 1989?
American National Standards Institute (ANSI)
Donna is building a security awareness program designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS) 3.2. How often must she conduct training for all current employees?
Annually
Which of the following is NOT a role described in DoD Directive 8140, which covers cyber security training?
Attack
Which organization creates information security standards that specifically apply within the European Union?
European Telecommunications Standards Institute (ETSI) Cyber Security Technical Committee (TC CYBER)
A digitized signature is a combination of a strong hash of a message and a secret key.
False
A physical courier delivering an asymmetric key is an example of in-band key exchange.
False
Another name for a border firewall is a DMZ firewall.
False
Cisco offers certifications only at the Associate, Professional, and Expert levels.
False
Master's programs are generally broad and don't focus on a particular field of study.
False
The Family Educational Rights and Privacy Act (FERPA) requires that specific information security controls be implemented to protect student records.
False
The Gramm-Leach-Bliley Act (GLBA) applies to the financial activities of both consumers and privately held companies.
False
The ISACA Certified in Risk and Information Systems Control (CRISC) certification targets security professionals who ensure that their organization satisfies IT governance requirements.
False
The Institute of Electrical and Electronics Engineers (IEEE) publishes or sponsors more than 13,000 standards and projects.
False
The National Institute of Standards and Technology (NIST) publishes the IEEE 802 LAN/MAN standard family.
False
The Payment Card Industry (PCI) Council has only one priority: to assist merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data.
False
The skills necessary to manage a technical environment are the same as the skills necessary to perform technical work.
False
What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)?
Family Policy Compliance Office (FPCO)
What is NOT a common motivation for attackers?
Fear
Which of the following is NOT an advantage to undertaking self-study of information security topics?
Fixed pace
When is the company under additional compliance laws and standards to ensure the confidentiality of customer data?
If e-commerce or privacy data is entered into the web application
When malware is able to steal and modify data, which of the following tenets of information system security is impacted?
Integrity
Fran is interested in learning more about the popular Certified Ethical Hacker (CEH) credential. What organization should she contact?
International Council of E-Commerce Consultants (EC-Council)
Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered?
Polymorphic virus
Hilda is troubleshooting a problem with the encryption of data. At which layer of the OSI Reference Model is she working?
Presentation
In the lab, what did you do before attempting the script tests that exposed the vulnerabilities?
Set the security level of DVWA to low.
Which of the following statements is true regarding an organization's password policy?
Setting a strong password policy is one of the first steps in implementing a comprehensive security program.
Barbara is investigating an attack against her network. She notices that the Internet Control Message Protocol (ICMP) echo replies coming into her network far exceed the ICMP echo requests leaving her network. What type of attack is likely taking place?
Smurf
Bobbi recently discovered that an email program used within her healthcare practice was sending sensitive medical information to patients without using encryption. She immediately corrected the problem because it violated the company's security policy and standard rules. What level of the Health Insurance Portability and Accountability Act (HIPAA) violation likely took place?
Tier A
ANSI produces standards that affect nearly all aspects of IT.
True
ActiveX is used by developers to create active content.
True
American National Standards Institute (ANSI) was formed in 1918 through the merger of five engineering societies and three government agencies.
True
An algorithm is a repeatable process that produces the same result when it receives the same input.
True
Backdoor programs are typically more dangerous than computer viruses.
True
Because people inside an organization generally have more detailed knowledge of the IT infrastructure than outsiders do, they can place logic bombs more easily.
True
Internet Small Computer System Interface (iSCSI) is a storage networking standard used to link data storage devices to networks using IP for its transport layer.
True
It is common for rootkits to modify parts of the operating system to conceal traces of their presence.
True
Juniper Networks offers vendor-specific certifications.
True
Nearly any college or university can offer an information systems security or cybersecurity-related degree program once it obtains accreditation for the curriculum from that state's board of education.
True
The Baldrige National Quality Program is part of the National Institute of Standards and Technology (NIST).
True
The Data Link Layer of the OSI Reference Model is responsible for transmitting information on computers connected to the same local area network (LAN).
True
The Diffie-Hellman (DHE) algorithm is the basis for several common key exchange protocols, including Diffie-Hellman in Ephemeral mode (DHE) and Elliptic Curve DHE (ECDHE).
True
The International Organization for Standardization (ISO) organizes its standards by both the International Classification for Standards (ICS) and the Technical Committee (TC) to which it assigns each standard.
True
The Internet Architecture Board (IAB) is a subcommittee of the IETF.
True
The Internet Architecture Board (IAB) serves as an advisory body to the Internet Society (ISOC).
True
The OSI Reference Model is a theoretical model of networking with interchangeable layers.
True
The Physical Layer of the OSI Reference Model must translate the binary ones and zeros of computer language into the language of the transport medium.
True
The function of homepage hijacking is to change a browser's homepage to point to the attacker's site.
True
The term "web defacement" refers to someone gaining unauthorized access to a web server and altering the index page of a site on the server.
True
The three main categories of network security risk are reconnaissance, eavesdropping, and denial of service.
True
Hackers use __________ to execute arbitrary scripts through the web browser.
cross-site scripting (XSS)
A private key cipher is also called an asymmetric key cipher.
False
All requests for comments (RFCs) originate from the Internet Engineering Task Force (IETF).
False
Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?
Alice's public key
Which of the following is used to configure the Domain Name Server?
The resolv.conf file
In a corporate network, it is _________ for the IT department to have more than one operating system, or different platforms.
quite common
Trojans are self-contained programs designed to propagate from one host machine to another using the host's own network communications protocols.
False
Which element is NOT a core component of the ISO 27002 standard?
Cryptography
Henry would like to create a different firewall rule that allows encrypted web traffic to reach a web server. What port is used for that communication?
443
Continuing professional education (CPE) credits typically represent ________ minutes of classroom time per CPE unit.
50
What is NOT a valid encryption key length for use with the Blowfish algorithm?
512 bits
Mary is designing a software component that will function at the Presentation Layer of the Open Systems Interconnection (OSI) model. What other two layers of the model will her component need to interact with?
Application and Session
When malware slows performance, which of the following tenets of information system security is impacted?
Availability
Federal agencies are required to name a senior official in charge of information security. What title is normally given to these individuals?
Chief information security officer (CISO)
How can you verify that the integrity of encrypted files is maintained during the transmission to another user's computer?
Compare the decrypted file's contents with the contents of the original file.
Larry recently viewed an auction listing on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Larry likely encountered?
Cross-site scripting (XSS)
In general, security training programs are identical to security education programs with respect to their focus on skills and in their duration.
False
The four primary types of malicious code attacks are unplanned attacks, planned attacks, direct attacks, and indirect attacks.
False
Jonas is an experienced information security professional with a specialized focus on evaluating computers for evidence of criminal or malicious activity and recovering data. Which GIAC certification would be most appropriate for Jonas to demonstrate his abilities?
GIAC Certified Forensic Examiner (GCFE)
What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature?
Hash
Bill is conducting an analysis of a new IT service. He would like to assess it using the Open Systems Interconnection (OSI) model and would like to learn more about this framework. What organization should he turn to for the official definition of OSI?
International Organization for Standardization (ISO)
Which of the following programs requires passing a standardized examination that is based upon a job-task analysis?
Professional certification
What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4016?
Risk Analysts
The system will generate a __________ message when the Linux machine has successfully joined the Active Directory domain.
SUCCESS
TCP/IP is a suite of protocols that operates at both the Network and Transport layers of the OSI Reference Model.
True
Which of the following Web forms can be exploited to output passwords, credit card information, and other data?
Those that are poorly designed
Keys are also referred to as:
certificates
Changes in laws, regulations, and organizational priorities mean that security policies tend to:
change over time.
Signs of __________ include degraded system performance, unusual services and network traffic, altered or removed system logs, missing or inactive anti-virus, and any number of application anomalies.
malware
Web application firewalls, security information and event management systems, access controls, network security monitoring, and change controls help to keep the "soft center" from becoming an easy target when the __________ fails.
perimeter