160 midterm

Which one of the following is an example of a direct cost that might result from a business disruption?

Facility repair

Which type of authentication includes smart cards?

Ownership

Which control is not designed to combat malware?

Firewalls

In what type of attack does the attacker send unauthorized commands directly to a database?

SQL injection

Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service?

80

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?

Access to a high level of expertise

Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?

Accountability

Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place?

Address Resolution Protocol (ARP) poisoning

Which action is the best step to protect Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements?

Applying security updates promptly

What is NOT a good practice for developing strong professional ethics?

Assume that information should be free

During which phase of the access control process does the system answer the question,"What can the requestor access?"

Authorization

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?

Authorization

Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?

Baseline

Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?

Bring Your Own Device (BYOD)

Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?

Brute-force attack

Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?

Business continuity plan (BCP)

Jody would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs?

Collaboration

Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?

Data ownership

Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?

Discretionary access control (DAC)

Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?

Evil twin

What compliance regulation applies specifically to the educational records maintained by schools about students?

Family Education Rights and Privacy Act (FERPA)

Which compliance obligation includes security requirements that apply specifically to federal government agencies in the United States?

Federal Information Security Management Act (FISMA)

Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers?

HIPAA

Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet?

Internet Engineering Task Force

Which Internet of Things (IoT) challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion?

Interoperability

Which type of denial of service attack exploits the existence of software flaws to disrupt a service?

Logic attack

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Memorandum of understanding (MOU)

What level of technology infrastructure should you expect to find in a cold site alternative data center facility?

No technology infrastructure

Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales?

Opportunity cost

Which one of the following is an example of a logical access control?

Password

A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?

Payment Card Industry Data Security Standard (PCI DSS)

Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?

Phishing

Which one of the following is NOT an advantage of biometric systems?

Physical characteristics may change.

Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?

Project initiation and planning

Which tool can capture the packets transmitted between systems over a network?

Protocol analyzer

What is NOT a goal of information security awareness programs?

Punish users who violate policy

Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?

Recovery time objective (RTO)

What is the correct order of steps in the change control process?

Request, impact assessment, approval, build/test, implement, monitor

Which formula is typically used to describe the components of information security risks?

Risk = Threat X Vulnerability

What is NOT one of the three tenets of information security?

Safety

The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.

Security Kernal

From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)?

Security risks will increase.

Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?

Separation of duties

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?

Service level agreement (SLA)

In which type of attack does the attacker attempt to take over an existing connection between two systems?

Session hijacking

Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?

Software as a Service (SaaS)

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions?

Threat

Which term describes an action that can damage or compromise an asset?

Threat

What type of malicious software masquerades as legitimate software to entice the user to run it?

Trojan horse

Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?

Typosquatting

Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?

Warm site

In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?

Waterfall

Which type of attack against a web application uses a newly discovered vulnerability that is not patchable?

Zero-day attack