Security + Chapter 1 Review Questions

37. Smart phones give the owner of the device the ability to download security updates. a. True b. False

b. False

46. Which of the following is a valid fundamental security principle? (Choose all that apply.) a. signature b. simplicity c. diversity d. layering

b. simplicity c. diversity d. layering

48. Those who wrongfully disclose individually identifiable health information can be fined up to what amount per calendar year? a. $1,500,000 b. $250,000 c. $500,000 d. $50,000

a. $1,500,000

12. Gunnar is creating a document that explains risk response techniques. Which of the following would he NOT list and explain in his document? a. Extinguish risk b. Transfer risk c. Mitigate risk d. Avoid risk

a. Extinguish risk

33. Brokers steal new product research or a list of current customers to gain a competitive advantage. a. False b. True

a. False

44. Successful attacks are usually not from software that is poorly designed and has architecture/design weaknesses. a. False b. True

a. False

18. Signe wants to improve the security of the small business where she serves as a security manager. She determines that the business needs to do a better job of not revealing the type of computer, operating system, software, and network connections they use. What security principle does Signe want to use? a. Obscurity b. Layering c. Diversity d. Limiting

a. Obscurity

28. Which of the following is a common security framework? (Choose all that apply.) a. RFC b. COBIT c. ISO d. ASA

a. RFC b. COBIT c. ISO

1. Ian recently earned his security certification and has been offered a promotion to a position that requires him to analyze and design security solutions as well as identify users' needs. Which of these generally recognized security positions has Ian been offered? a. Security administrator b. Security manager c. Security officer d. Security technician

a. Security administrator

41. The CompTIA Security+ certification is a vendor-neutral credential. a. True b. False

a. True

4. What is a race condition? a. When a vulnerability is discovered and there is a race to see if it can be patched before it is exploited by attackers. b. When two concurrent threads of execution access a shared resource simultaneously, resulting in unintended consequences. c. When an attack finishes its operation before antivirus can complete its work. d. When a software update is distributed prior to a vulnerability being discovered.

b. When two concurrent threads of execution access a shared resource simultaneously, resulting in unintended consequences.
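An added example, not part of the original study set, showing the race condition in the answer above as a check-then-act (time-of-check to time-of-use) bug in Python. Two threads each withdraw 80 from a shared balance of 100; in the racy version both pass the balance check before either debits, so the account is overdrawn, while the version that holds a lock around the whole check-and-debit rejects the second withdrawal. The Account class, the amounts and the use of a threading.Barrier to force the interleaving deterministically (a real scheduler produces it only sometimes, which is why such bugs are hard to reproduce) are all constructed for this example.

```python
import threading


class Account:
    """Constructed sample: a balance shared by two worker threads."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(account, amount, sync):
    """Check-then-act with no synchronisation (time-of-check to time-of-use).

    `sync` is a threading.Barrier used only to force the interleaving that a
    real scheduler produces under load: both threads pass the balance check
    before either one debits, so both debits go through.
    """
    if account.balance >= amount:          # time of check
        sync.wait(timeout=5)               # the other thread reads the same stale balance here
        account.balance -= amount          # time of use: the second writer overdraws
        return True
    return False


def withdraw_safe(account, amount, sync):
    """Same operation, with check and debit inside one critical section."""
    sync.wait(timeout=5)                   # both threads arrive together and contend for the lock
    with account.lock:
        if account.balance >= amount:
            account.balance -= amount
            return True
        return False


def run_two_withdrawals(withdraw, start_balance, amount):
    """Run `withdraw` from two threads against one account.

    Returns (final balance, sorted list of per-thread outcomes).
    """
    account = Account(start_balance)
    sync = threading.Barrier(2)
    outcomes = []                          # list.append is atomic in CPython

    def worker():
        outcomes.append(withdraw(account, amount, sync))

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account.balance, sorted(outcomes)


if __name__ == "__main__":
    # Two withdrawals of 80 from a balance of 100: only one should succeed.
    print("racy:", run_two_withdrawals(withdraw_racy, 100, 80))   # (-60, [True, True])
    print("safe:", run_two_withdrawals(withdraw_safe, 100, 80))   # (20, [False, True])
```

The fix is not "add a lock somewhere" but making the check and the action one atomic unit; a lock that covers only the debit would still let both threads pass the check.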

34. What term best describes any premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against noncombatant targets by subnational groups or clandestine agents? a. cracking b. cyberterrorism c. cybercriminal d. hacking

b. cyberterrorism

39. In what kind of attack can attackers make use of millions of computers under their control in an attack against a single server or network? a. remote b. distributed c. centered d. local

b. distributed

9. Which of the following is NOT a successive layer in which information security is achieved? a. Products b. People c. Procedures d. Purposes

d. Purposes

19. What are industry-standard frameworks and reference architectures that are required by external agencies known as? a. Compulsory b. Mandatory c. Required d. Regulatory

d. Regulatory

6. Which of the following is NOT true regarding security? a. Security is a goal. b. Security includes the necessary steps to protect from harm. c. Security is a process. d. Security is a war that must be won at all costs.

d. Security is a war that must be won at all costs.

51. Which term below is frequently used to describe the tasks of securing information that is in a digital format? a. logical security b. network security c. physical security d. information security

d. information security

27. What term is used to describe a group that is strongly motivated by ideology, but is usually not considered to be well-defined and well-organized? a. cyberterrorist b. hacktivists c. script kiddies d. hacker

b. hacktivists

17. What is an objective of state-sponsored attackers? a. To right a perceived wrong b. To amass fortune over fame c. To spy on citizens d. To sell vulnerabilities to the highest bidder

c. To spy on citizens

21. Under which law are health care enterprises required to guard protected health information and implement policies and procedures, whether it is in paper or electronic format? a. USHIPA b. HLPDA c. HCPS d. HIPAA

d. HIPAA

35. What level of security access should a computer user have to do their job? a. password protected b. limiting amount c. authorized access d. least amount

d. least amount

7. Adone is attempting to explain to his friend the relationship between security and convenience. Which of the following statements would he use? a. "Security and convenience are inversely proportional." b. "Convenience always outweighs security." c. "Security and convenience are not related." d. "Whenever security and convenience intersect, security always wins."

a. "Security and convenience are inversely proportional."

43. A vulnerability is a flaw or weakness that allows a threat to bypass security. a. True b. False

a. True

23. Which of the following are considered threat actors? (choose all that apply.) a. competitors b. individuals c. brokers d. administrators

a. competitors c. brokers

31. What term describes a layered security approach that provides comprehensive protection? a. defense-in-depth b. limiting-defense c. comprehensive-security d. diverse-defense

a. defense-in-depth

22. What type of theft involves stealing another person's personal information, such as a Social Security number, and then using the information to impersonate the victim, generally for financial gain? a. identity theft b. cyberterrorism c. phishing d. social scam

a. identity theft

53. Select the information protection item that ensures that information is correct and that no unauthorized person or malicious software has altered that data. a. integrity b. confidentiality c. availability d. identity

a. integrity
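An added example, not part of the original study set, showing what the integrity answer above means in code. A keyless checksum (plain SHA-256) detects accidental corruption but not a malicious change, because the attacker simply recomputes it; a keyed tag (HMAC-SHA256) cannot be recomputed without the key, so an unauthorized edit is detected. The record bytes, the key and the helper names are constructed for this example; in a real system the key would come from a secret store, not source code.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes

# Assumption for the example: a secret shared by writer and verifier.
# In practice it would come from a key store, never from source code.
SECRET_KEY = b"constructed-demo-key-not-for-real-use"


def checksum_protect(message):
    """Append a keyless SHA-256 digest (what many 'integrity checks' do)."""
    return message + hashlib.sha256(message).digest()


def checksum_verify(blob):
    """Return the message if its digest matches, else None."""
    if len(blob) < TAG_LEN:
        return None
    message, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(digest, hashlib.sha256(message).digest()):
        return None
    return message


def forge_checksum(blob, old, new):
    """Attacker with no secret: edit the message and recompute the digest."""
    message = blob[:-TAG_LEN]
    return checksum_protect(message.replace(old, new))


def hmac_protect(key, message):
    """Append an HMAC-SHA256 tag; producing it requires the key."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key, blob):
    """Return the message if the tag verifies under `key`, else None."""
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks how long the matching prefix is.
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def demo():
    original = b"transfer 100 to account 42"   # constructed sample record

    # 1. Keyless checksum: the attacker recomputes it and verification passes.
    forged = forge_checksum(checksum_protect(original), b"100", b"900")
    checksum_result = checksum_verify(forged)

    # 2. HMAC: editing the bytes without the key breaks verification.
    tampered = hmac_protect(SECRET_KEY, original).replace(b"100", b"900")
    hmac_result = hmac_verify(SECRET_KEY, tampered)

    return checksum_result, hmac_result


if __name__ == "__main__":
    print(demo())   # (b'transfer 900 to account 42', None)
```

The lesson for the definition above is that "no unauthorized person has altered the data" needs a secret the attacker lacks (a MAC key or a signing key); a bare hash only covers transmission errors.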

45. According to the U.S. Bureau of Labor Statistics, what percentage of growth for information security analysts is the available job outlook supposed to reach through 2024? a. 15 b. 18 c. 10 d. 27

b. 18

15. Which tool is most commonly associated with nation state threat actors? a. Closed-Source Resistant and Recurrent Malware (CSRRM) b. Advanced Persistent Threat (APT) c. Unlimited Harvest and Secure Attack (UHSA) d. Network Spider and Worm Threat (NSAWT)

b. Advanced Persistent Threat (APT)

8. Which of the following ensures that only authorized parties can view protected information? a. Authorization b. Confidentiality c. Availability d. Integrity

b. Confidentiality

16. An organization that practices purchasing products from different vendors is demonstrating which security principle? a. Obscurity b. Diversity c. Limiting d. Layering

b. Diversity

38. The Sarbanes-Oxley Act restricts electronic and paper data containing personally identifiable financial information. a. True b. False

b. False

47. The Security Administrator reports directly to the CIO. a. True b. False

b. False

5. Which of the following is NOT a reason why it is difficult to defend against today's attackers? a. Delays in security updating b. Greater sophistication of defense tools c. Increased speed of attacks d. Simplicity of attack tools

b. Greater sophistication of defense tools

11. Which of the following is an enterprise critical asset? a. System software b. Information c. Outsourced computing services d. Servers, routers, and power supplies

b. Information

30. One of the challenges in combating cyberterrorism is that many of the prime targets are not owned and managed by the federal government. a. False b. True

b. True

25. Which term is used to describe individuals who want to attack computers yet lack the knowledge of computers and networks needed to do so? a. hacker b. script kiddies c. cybercriminal d. cyberterrorist

b. script kiddies

36. Which position below is considered an entry-level position for a person who has the necessary technical skills? a. security administrator b. security technician c. security manager d. CEO

b. security technician

50. What type of diversity is being implemented if a company is using multiple security products from different manufacturers? a. manufacturer diversity b. vendor diversity c. multiple-product diversity d. vendor-control diversity

b. vendor diversity

20. What is the category of threat actors that sell their knowledge of vulnerabilities to other attackers or governments? a. Cyberterrorists b. Competitors c. Brokers d. Resource Managers

c. Brokers

29. To date, the single most expensive malicious attack occurred in 2000, which cost an estimated $8.7 billion. What was the name of this attack? a. Nimda b. Code Red c. Love Bug d. Slammer

c. Love Bug

14. Why do cyberterrorists target power plants, air traffic control centers, and water systems? a. These targets are government-regulated and any successful attack would be considered a major victory. b. These targets have notoriously weak security and are easy to penetrate. c. They can cause significant disruption by destroying only a few targets. d. The targets are privately owned and cannot afford high levels of security.

c. They can cause significant disruption by destroying only a few targets.

3. Tatyana is discussing with her supervisor potential reasons why a recent attack was successful against one of their systems. Which of the following configuration issues would NOT be covered? a. Default configurations b. Weak configurations c. Vulnerable business processes d. Misconfigurations

c. Vulnerable business processes

40. Which of the following ensures that data is accessible to authorized users? a. integrity b. confidentiality c. availability d. identity

c. availability

26. Which of the following describes various supporting structures for implementing security that provide a resource on how to create a secure IT environment? (Choose all that apply.) a. regulatory frameworks b. reference frameworks c. industry-standard frameworks d. reference architectures

c. industry-standard frameworks d. reference architectures

52. Which term below is frequently used to describe a single product or technique that would supposedly solve all security problems? a. secure solution b. unicorn c. silver bullet d. approved action

c. silver bullet

13. Which law requires banks and financial institutions to alert customers of their policies in disclosing customer information? a. Sarbanes-Oxley Act (Sarbox) b. Financial and Personal Services Disclosure Act c. Health Insurance Portability and Accountability Act (HIPAA) d. Gramm-Leach-Bliley Act (GLBA)

d. Gramm-Leach-Bliley Act (GLBA)

2. Alyona has been asked by her supervisor to give a presentation regarding reasons why security attacks continue to be successful. She has decided to focus on the issue of widespread vulnerabilities. Which of the following would Alyona NOT include in her presentation? a. Large number of vulnerabilities b. End-of-life systems c. Lack of vendor support d. Misconfigurations

d. Misconfigurations

32. In information security, what can constitute a loss? a. a delay in transmitting information that results in a financial penalty b. the loss of good will or a reputation c. theft of information d. all of the above

d. all of the above

42. In information security, which of the following is an example of a threat actor? a. a force of nature such as a tornado that could destroy computer equipment b. a virus that attacks a computer network c. a person attempting to break into a secure computer network d. all of the above

d. all of the above

24. Which term best describes automated attack software? a. intrusion application b. insider software c. open-source utility d. open-source intelligence

d. open-source intelligence

49. What process describes using technology as a basis for controlling the access and usage of sensitive data? a. control diversity b. administrative controls c. vendor diversity d. technical controls

d. technical controls

10. Complete this definition of information security: That which protects the integrity, confidentiality, and availability of information ___________________. a. on electronic digital devices and limited analog devices that can connect via the Internet or through a local area network b. through a long-term process that results in ultimate security c. using both open-sourced as well as supplier-sourced hardware and software that interacts appropriately with limited resources d. through products, people, and procedures on the devices that store, manipulate, and transmit the information

d. through products, people, and procedures on the devices that store, manipulate, and transmit the information

