160 midterm
Which one of the following is an example of a direct cost that might result from a business disruption?
Facility repair
Which type of authentication includes smart cards?
Ownership
Which control is not designed to combat malware?
Firewalls
In what type of attack does the attacker send unauthorized commands directly to a database?
SQL injection
Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service?
80
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
Access to a high level of expertise
Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?
Accountability
Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place?
Address Resolution Protocol (ARP) poisoning
Which action is the best step to protect Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements?
Applying security updates promptly
What is NOT a good practice for developing strong professional ethics?
Assume that information should be free
During which phase of the access control process does the system answer the question,"What can the requestor access?"
Authorization
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?
Authorization
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Baseline
Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?
Bring Your Own Device (BYOD)
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?
Brute-force attack
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
Business continuity plan (BCP)
Jody would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs?
Collaboration
Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?
Data ownership
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
Discretionary access control (DAC)
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?
Evil twin
What compliance regulation applies specifically to the educational records maintained by schools about students?
Family Education Rights and Privacy Act (FERPA)
Which compliance obligation includes security requirements that apply specifically to federal government agencies in the United States?
Federal Information Security Management Act (FISMA)
Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers?
HIPAA
Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet?
Internet Engineering Task Force
Which Internet of Things (IoT) challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion?
Interoperability
Which type of denial of service attack exploits the existence of software flaws to disrupt a service?
Logic attack
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Memorandum of understanding (MOU)
What level of technology infrastructure should you expect to find in a cold site alternative data center facility?
No technology infrastructure
Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales?
Opportunity cost
Which one of the following is an example of a logical access control?
Password
A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?
Payment Card Industry Data Security Standard (PCI DSS)
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
Phishing
Which one of the following is NOT an advantage of biometric systems?
Physical characteristics may change.
Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
Project initiation and planning
Which tool can capture the packets transmitted between systems over a network?
Protocol analyzer
What is NOT a goal of information security awareness programs?
Punish users who violate policy
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
Recovery time objective (RTO)
What is the correct order of steps in the change control process?
Request, impact assessment, approval, build/test, implement, monitor
Which formula is typically used to describe the components of information security risks?
Risk = Threat X Vulnerability
What is NOT one of the three tenets of information security?
Safety
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
Security Kernal
From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)?
Security risks will increase.
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
Separation of duties
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
Service level agreement (SLA)
In which type of attack does the attacker attempt to take over an existing connection between two systems?
Session hijacking
Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?
Software as a Service (SaaS)
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions?
Threat
Which term describes an action that can damage or compromise an asset?
Threat
What type of malicious software masquerades as legitimate software to entice the user to run it?
Trojan horse
Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?
Typosquatting
Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?
Warm site
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?
Waterfall
Which type of attack against a web application uses a newly discovered vulnerability that is not patchable?
Zero-day attack