Week Two Midterm
True
Common methods used to identify a user to a system include username, smart card, and biometrics.
True
During an audit, an auditor compares the current setting of a computer or device with a benchmark to help identify differences.
True
Fingerprints, palm prints, and retina scans are types of biometrics.
Risk Management Guide for Information Technology Systems (NIST SP800-30)
George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?
True
Many jurisdictions require audits by law.
False
Passphrases are less secure than passwords.
True
The business impact analysis (BIA) identifies the resources for which a business continuity plan (BCP) is necessary.
False
The main difference between a virus and a worm is that a virus does not need a host program to infect.
An organization should share its information.
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?
System configurations
What is NOT generally a section in an audit report?
Security Assertion Markup Language (SAML)
What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?
True
A birthday attack is a type of cryptographic attack that is used to make brute-force attacks on one-way hashes easier.
True
A degausser creates a magnetic field that erases data from magnetic storage media.
Recovery time objective (RTO)
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
True
Classification scope determines what data you should classify; classification process determines how you handle classified data.
True
Company-related classifications are not standard; therefore, there may be some differences between the terms "private" and "confidential" in different companies.
True
Data loss prevention (DLP) uses business rules to classify sensitive information to prevent unauthorized end users from sharing it.
Warm site
Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?
True
In security testing, reconnaissance involves reviewing a system to learn as much as possible about the organization, its systems, and its networks.
True
Log files are records that detail who logged on to a system, when they logged on, and what information or resources they used.
False
Mandatory vacations minimize risk by rotating employees among various systems or duties.
Opportunity cost
Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales?
True
Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than just in individual packets.
False
Regarding data center alternatives for disaster recovery, a mobile site is the least expensive option but at the cost of the longest switchover time.
Audit
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?
Phishing
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
True
Screen locks are a form of endpoint device security control.
True
Social engineering is deceiving or using people to get around security controls.
Trojan horse
What type of malicious software masquerades as legitimate software to entice the user to run it?
Memorandum of understanding (MOU)
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Firewalls
Which control is not designed to combat malware?
Bell-LaPadula
Which security model does NOT protect the integrity of information?
Network mapping
Which security testing activity uses tools that scan for services running on systems?
Logic attack
Which type of denial of service attack exploits the existence of software flaws to disrupt a service?
White-hat hacker
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?
Payment Card Industry Data Security Standard (PCI DSS)
A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?
True
An SOC 1 report is commonly implemented for organizations that must comply with Sarbanes-Oxley (SOX) or the Gramm-Leach-Bliley Act (GLBA).
True
An example of a threat to access control is in a peer-to-peer (P2P) arrangement in which users share their My Documents folder with each other by accident.
Baseline
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Address Resolution Protocol (ARP) poisoning
Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place?
Does the firewall properly block unsolicited network connection attempts?
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?
Authorization
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?
False
The term "data owner" refers to the person or group that manages an IT infrastructure.
True
The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks.
False
User-based permission levels limit a person to executing certain functions and often enforce mutual exclusivity.
True
Using a secure logon and authentication process is one of the six steps used to prevent malware.
Data ownership
Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?
Facility repair
Which one of the following is an example of a direct cost that might result from a business disruption?
Fabrication
Which type of attack involves the creation of some deception in order to trick unsuspecting users?
Ownership
Which type of authentication includes smart cards?