Fund. Info. Security ch.5-8 quiz & txt book questions

When you use a control that costs more than the risk involved, you're making a poor management decision True/False

True

A SOC 1 report primarily focuses on security. True/False

False

A hardened configuration is a system that has had unnecessary services enabled. True/False

False

Passphrases are less secure than passwords. T/F

False

Risk refers to the amount of harm a threat exploiting a vulnerability can cause. True/False

False

User-based permission levels limit a person to executing certain functions and often enforces mutual exclusivity. T/F

False

Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request? a. SOC 1 b. SOC 2 c. SOC 3 d. SOC 4

SOC 3

The _____________ is the central part of a computing environment's hardware, software, and firmware that enforces access control. A. Memory B. CPU C. co-processor D. Security kernel

Security kernel

Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime? a. Redundant Array of Inexpensive Disks (RAID) b. Warm site c. Clustering d. Load balancing

Warm site

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)? a. $2,000 b. $20,000 c. $200,000 d. $2,000,000

$2,000,000

Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore? a. 1 b. 2 c. 3 d. 4

2

Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about? A. Authentication B. Accountability C. Identification D. Authorization

Accountability

Post-audit activities include which of the following? A. Presenting findings to management B. Data analysis C. Exit interviews D. Reviewing of auditor's findings E. All of the above

All of the above

The incident-handling process includes which of the following? A. Documentation B. Response C. Notification D. Recovery and followup E. All of the above

All of the above

During which phase of the access control process does the system answer the question, "What can the requestor access?" A. Authentication B. Accountability C. Identification D. Authorization

Authorization

Physical access, security bypass, and eavesdropping are examples of how access controls can be __________. A. Stolen B. Compromised C. Audited D. Authorized

Compromised

Forensics and incident respons are examples of ___________ controls. a. Detective b. Preventive c. Deterrent d. Corrective

Corrective

An IDS is what type of control? A. Detective control B. Preventive control C. Corrective control D. Compensating control E. All of the above

Detective control

What is a key principle of risk management programs? a. Risk avoidance is superior to risk mitigation. b. Don't spend more to protect an asset than it is worth. c. Security controls should be protected through the obscurity of their mechanisms. d. Apply controls in ascending order of risk.

Don't spend more to protect an asset than it is worth

A business impact analysis (BIA) details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations. True/False

False

Access controls cannot be implemented in various forms, restriction levels, or different levels within the computing environment. T/F

False

Deterrent controls identify that a threat has landed in your system. True/False

False

Jake has been asked to help test the business continuity plan at an offsite location while the system at the main location is shut down. He is participating in a parallel test. True/False

False

Temporal isolation is commonly used in combination with rule-based access control. T/F

False

The number of failed logon attempts that trigger an account action is called an audit logon event. T/F

False

The process of describing a risk scenario and then determining the degree of impact that event would have on business operations is quantitative risk analysis. True/False

False

What is a set of concepts and policies for managing IT infrastructure, development and operations? a. NIST Cybersecurity Framework (CSF) b. ISO 27002 c. Control Objectives for Information and related Technology (COBIT) d. IT Infrastructure Library (ITIL)

IT Infrastructure Library (ITIL)

Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity? a. Incident b. Event c. Outage d. Incursion

Incident

What term describes the longest period of time that a business can survive without a particular critical system? a. Recovery point objective (RPO) b. Maximum tolerable downtime (MTD) c. Recovery time objective (RTO) d. Emergency operations center (EOC)

Maximum tolerable downtime (MTD)

Which security testing activity uses tools that scan for services running on systems? a. Reconnaissance b. Penetration testing c. Network mapping d. Vulnerability testing

Network mapping

Which data source comes first in the order of volatility when conducting a forensic investigation? a. RAM b. Data files on disk c. Logs d. Swap and paging files

RAM

A common platform for capturing and analyzing log entries is __________. A. Intrusion detection system (IDS) B. Honeypot C. Security Information and Event Management (SIEM) D. HIPAA E. All of the above

Security Information and Event Management (SIEM)

A successful business impact analysis (BIA) maps the context, the critical business functions, and the processes on which they rely. True/False

True

A vulnerability is any exposure that could allow a threat to be realized. True/False

True

Access controls are policies or procedures used to control access to certain items. T/F

True

Physical access controls deter physical access to resources, such as buildings or gated parking lots. T/F

True

Policy sets the tone and culture of the organization. True/False

True

The recovery point objective (RPO) can come from the business impact analysis or sometimes from a government mandate, such as banking laws. True/False

True

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)? a. $2,000 b. $20,000 c. $200,000 d. $2,000,000

$20,000

A plan that contains the actions needed to keep critical business processes running after a disruption is called a __________. A. Disaster recovery plan (DRP) B. Business impact analysis (BIA) C. Business continuity plan (BCP) D. None of the above

Business continuity plan (BCP)

A plan that details the steps to recover from a major disruption and restore the infrastructure necessary for normal business operations is a __________. A. Disaster recovery plan (DRP) B. Business impact analysis (BIA) C. Business continuity plan (BCP) D. None of the above

Disaster recovery plan (DRP)

A structured walk-through test is a review of a business continuity plan to ensure that contact numbers are current and that the plan reflects the company's priorities and structure. True/False

False

The four main types of logs that you need to keep to support security auditing include event, access, user and security. True/False

False

Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis? a. Quantitative b. Financial c. Qualitative d. Objective

Qualitive

Risk that remains even after risk mitigation efforts have been implemented is known as __________ risk. A. Qualitative B. Quantitative C. Residual D. None of the above

Residual

What term describes the risk that exists after an organization has performed all planned countermeasures and controls? a. Residual risk b. Total risk c. Business risk d. Transparent risk

Residual risk

Purchasing an insurance policy is an example of the _____________________ risk management strategy. a. avoid b. accept c. transfer d. reduce

Transfer

The primary steps to disaster recovery include the safety of individuals, containing the damage, and assessing the damage and beginning the recovery operations. True/False

True

What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)? a. An organization should keep its information up to date. b. An organization should properly destroy its information when it is no longer needed. c. An organization should share its information. d. An organization should collect only what it needs.

An organization share its information

Which security model does NOT protect the integrity of information? A. Clark-Wilson B. Brewer and Nash C. Bell-LaPadula D. Biba

Bell-LaPadula

A __________ is a standard used to measure how effective your system is as it relates to industry expectations. A. Control objective B. Configuration C. Benchmark D. Policy

Benchmark

Any event that either violates or threatens to violate your security policy is known as a(n) __________. A. Countermeasure B. Impact C. Risk D. Incident

Incident

__________ is the limit of time that a business can survive without a particular critical system. A. Recovery time objective (RTO) B. Critical business function (CBF) C. Maximum tolerable downtime (MTD) D. None of the above

Maximum tolerable downtime (MTD)

Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer? a. Mainframe b. Mobile c. Embedded d. Supervisory Control and Data Acquisition (SCADA)

Supervisory Control and Data Acquisition (SCADA)

More and more organizations use the term ________ to describe the entire change and maintenance process for applications. A. System development life cycle (SDLC) B. System life cycle (SLC) C. System maintenance life cycle (SMLC) D. None of the above

System development life cycle (SDLC)

The process of identifying, quantifying, and prioritizing the vulnerabilities in a system is known as a __________. A. Vulnerability policy B. Vulnerability deterrent C. Vulnerability authorization D. Vulnerability assessment

Vulnerability assessment

There are several types of software development methods, but most traditional methods are based on the ________ model. A. Modification B. Waterfall C. Developer D. Integration

Waterfall

When you log on to a network, you are presented with some combination of username, password, token, smart card, or biometrics. You are then authorized or denied access by the system. This is an example of __________. A. Physical access controls B. Logical access controls C. Group membership policy D. The Biba integrity model E. None of the above

Logical access controls

Which of the following is an example of a hardware security control? A. ID badge B. NTFS permission C. MAC Filtering D. Security policy

MAC FILTERING

Which agreement type is typically less formal than other agreements and expresses areas of common interest? a. Interconnection security agreement (ISA) b. Service level agreement (SLA) c. Blanket purchase agreement (BPA) d. Memorandum of understanding (MOU)

Memorandum of understanding (MOU)

Which answer best describes the identification component of access control? A. Identification is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access. B. Identification is the method a subject uses to request access to a system. C. Identification is the process of determining who is approved for access and what resources they are approved for. D. Identification is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited.

Identification is the method a subject uses to request access to a system.

What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)? A. Secure European System for Applications in a Multi-Vendor Environment (SESAME) B. Security Assertion Markup Language (SAML) C. Kerberos D. Lightweight Directory Access Protocol (LDAP)

Kerberos

Which of the following would NOT be considered in the scope of organizational compliance efforts? a. Laws b. Company policy c. Internal audit d. Corporate culture

Laws

__________ is used when it's not as critical to detect and respond to incidents immediately. A. Non-real-time monitoring B. A logical access control C. Real-time monitoring D. None of the above

Non-real-time monitoring

Which of the following is true of procedures? A. They increase mistakes in a crisis. B. They provide for places within the process to conduct assurance checks. C. Important steps are often overlooked. D. None of the above E. All of the above

They provide for places withing the process to conduct assurance checks

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions? a. Value b. Sensitivity c. Threat d. Criticality

Threat

A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing. True/False

True

A successful change control program should include the following elements to ensure the quality of the change control process: peer review, documentation and back-out plans. True/False

True

Classification scope determines what data you should classify; classification process determines how you handle classified data. True/False

True

Company-related classifications are not standard, therefore, there may be some differences between the terms "private" and "confidential" in different companies. True/False

True

Configuration management is the management of modifications made to the hardware, software, firmware, documentation, test plans, and test documentation of an automated system throughout the system life cycle. True/False

True

Data classification is the responsibility of the person who owns the data. True/False

True

Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than just in individual packets. True/False

True

Security administration is the group of individuals responsible for the planning, design, implementation, and monitoring of an organization's security plan. True/False

True

Some of the tools and techniques used in security monitoring include baselines, alarms, closed-circuit TV, and honeypots True/False

True

The security kernel enforces access control of computer systems. T/F

True

In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete? a. Waterfall b. Agile c. Spiral d. Lean

Waterfall

Which software testing method provides random input to see how software handles unexpected data? A. Injection B. Fuzzing C. Valid error input D. Boundary input

Fuzzing

Which answer best describes the accountability component of access control? A. Accountability is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access. B. Accountability is the method a subject uses to request access to a system. C. Accountability is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited. D. Accountability is the process of determining who is approved for access and what resources they are approved for.

Accountability is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited.

An audit examines whether security controls are appropriate, installed correctly, and __________. A. Current B. Addressing their purpose C. Authorized D. Cost effective

Addressing their purpose

Challenges to access control include which of the following? A. Laptop loss B. Exploiting hardware C. Eavesdropping D. Exploiting applications E. All of the above

All of the above

The objectives of classifying information include which of the following? A. To identify data value in accordance with organization policy B. To identify information protection requirements C. To standardize classification labeling throughout the organization D. To comply with privacy law, regulations, and so on E. All of the above

All of the above

The security program requires documentation of: A. The security process B. The policies, procedures, and guidelines adopted by the organization C. The authority of the persons responsible for security D. All of the above E. None of the above

All of the above

When developing software, you should ensure the application does which of the following? A. Has edit checks, range checks, validity checks, and other similar controls B. Checks user authorization C. Checks user authentication to the application D. Has procedures for recovering database integrity in the event of system failure E. All of the above

All of the above

When it comes to privacy, organizations are concerned about which of the following? A. Liability in harassment suits B. Skyrocketing losses from employee theft C. Productivity losses from employees shopping or performing other nonwork-related tasks online D. All of the above

All of the above

Which of the following is an example of a level of permissiveness? A. Prudent B. Permissive C. Promiscuous D. Paranoid E. All of the above

All of the above

Which of the following is an example of social engineering? A. An emotional appeal for help B. A phishing attack C. Intimidation D. Name-dropping E. All of the above

All of the above

Which answer best describes the authentication component of access control? A. Authentication is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access. B. Authentication is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited. C. Authentication is the process of determining who is approved for access and what resources they are approved for. D. Authentication is the method a subject uses to request access to a system.

Authentication is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access.

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing? a. Authorization b. Authentication c. Accountability d. Identification

Authorization

Which answer best describes the authorization component of access control? A. Authorization is the method a subject uses to request access to a system. B. Authorization is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited. C. Authorization is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access. D. Authorization is the process of determining who is approved for access and what resources they are approved for.

Authorization is the process of determining who is approved for access and what resources they are approved for.

In an accreditation process, who has the authority to approve a system for implementation? a. Certifier b. System owner c. System administrator d. Authorizing official (AO)

Authorizing official (AO)

Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create? a. Guideline b. Baseline c. Policy d. Procedure

Baseline

Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting? a. Black-box test b. White-box test c. Grey-box test d. Blue-box test

Black-box test

Which activity manages the baseline settings for a system or device? a. Change control b. Reactive change management c. Proactive change management d. Configuration control

Configuration control

The change management process includes ________ control and ________ control. A. Clearance, classification B. Document, data C. Hardware inventory, software development D. Configuration, change

Configuration, change

Which characteristic of a biometric system measures the system's accuracy using a balance of different error types? A. Crossover error rate (CER) B. False acceptance rate (FAR) C. Reaction time D. False rejection rate

Crossover error rate (CER)

Host isolation is the isolation of internal networks and the establishment of a(n) __________. A. HIDS B. DMZ C. IDS D. IPS

DMZ

What information should an auditor share with the client during an exit interview? a. Final copy of the audit report b. Draft copy of the audit report c. Details on major issues d. The auditor should not share any information with the client at this phase.

Details on major issues

Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario? A. Rule-based access control B. Mandatory access control (MAC) C. Discretionary access control (DAC) D. Role-based access control (RBAC)

Discretionary access control (DAC)

When the owner of the resource determines the access and changes permissions as needed, it's known as __________. A. Mandatory access control (MAC) B. Discretionary access control (DAC) C. Nondiscretionary access control D. Content-dependent access control E. Role-based access control

Discretionary access control (DAC)

Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit? a. Who grants approval for access requests? b. Does the organization have an effective password policy? c. Does the firewall properly block unsolicited network connection attempts? d. Is the password policy uniformly enforced?

Does the firewall properly block unsolicited connection attempts

An organization does not have to comply with both regulatory standards and organizational standards. True/False

False

Certification is the formal agreement by an authorizing official to accept the risk of implementing a system. True/False

False

DIAMETER is a research and development project funded by the European Commission. T/F

False

During the secure phase of a security review, you review and measure all controls to capture actions and changes on the system. True/False

False

Terminal Access Controller Access Control System Plus (TACACS+) is an authentication server that uses client and user configuration files. T/F

False

The four central components of access control are users, resources, actions, and features. T/F

False

Often an extension of a memorandum of understanding (MOU) , the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets. True/False

Flase

________ is the concept that users should be granted only the levels of permissions they need in order to perform their duties. A. Mandatory vacations B. Separation of duties C. Job rotation D. Principle of least privilege E. None of the above

Principle of least privilege

Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking? a. Project initiation and planning b. Operations and maintenance c. System design specification d. Functional requirements and definition

Project initiation and planning

Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use? a. Prudent b. Permissive c. Permiscuous d. Paranoid

Prudent

In 1989, the IAB issued a statement of policy about Internet ethics. This document is known as ________. A. OECD B. RFC 1087 C. (ISC)2 Code of Ethics D. Canons CompTIA Candidate Code of Ethics E. None of the above

RFC 1087

The review of the system to learn as much as possible about the organization, its systems, and networks is known as __________. A. Penetration testing B. Vulnerability testing C. Network mapping D. Reconnaissance

Reconnaissance

Which of the following does NOT offer authentication, authorization, and accounting (AAA) services? A. DIAMETER B. Terminal Access Controller Access Controller Access Control System Plus (TACACS+) C. Remote Authentication Dial-in User Service (RADIUS) D. Redundant Array of Independent Disks (RAID)

Redundant Array of Independent Disks (RAID)

What is the correct order of steps in the change control process? a. Request, approval, impact assessment, build/test, implement, monitor b. Request, approval, impact assessment, build/test, monitor, implement c. Request, impact assessment, approval, build/test, implement, monitor d. Request, impact assessment, approval, build/test, monitor, implement

Request, impact assessment, approval, build/test, implement, monitor

In what type of attack does the attacker send unauthorized commands directly to a database? a. Database dumping b. Cross-site request forgery c. SQL injection d. Cross-site scripting

SQL injection

Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network? a. Transmission Control Protocol/Internet Protocol (TCP/IP) b. Dynamic Host Configuration Protocol (DHCP) c. Secure Sockets Layer (SSL) d. Domain Name System (DNS)

Secure Sockets Layer (SSL)

What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications? a. Secure European System for Applications in a Multi-Vendor Environment (SESAME) b. User Datagram Protocol (UDP) c. Security Assertion Markup Language (SAML) d. Password Authentication Protocol (PAP)

Security Assertion Markup Language (SAML)

Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work? a. Data loss prevention (DLP) b. Virtual private network (VPN) c. Intrusion prevention system (IPS) d. Security information and event management (SIEM)

Security information and event management (SIEM)

Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing? a. Job rotation b. Need-to-know c. Least privilege d. Separation of duties

Separation of duties

Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following? A. Need to know B. Least privilege C. Separation of duties D. Security through obscurity

Separation of duties

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type. a. Interconnection security agreement (ISA) b. Memorandum of understanding (MOU) c. Blanket purchase agreement (BPA) d. Service level agreement (SLA)

Service level agreement (SLA)

A(n) ________ is a formal contract between your organization and an outside firm that details the specific services the firm will provide. A. Security event log B. Incident response C. Service-level agreement (SLA) D. Compliance report

Service-level agreement

Which intrusion detection system strategy relies upon pattern matching? a. Statistical detection b. Signature detection c. Traffic-based detection d. Behavior detection

Signature detection

In __________ methods, the IDS compares current traffic with activity patterns consistent with those of a known network intrusion via pattern matching and stateful matching. A. Signature-based B. Anomaly-based C. Heuristic scanning D. All of the above

Signature-based

Which one of the following is an example of two-factor authentication A. Token and smart card B. Personal identification number (PIN) and password C. Smart card and personal identification number (PIN) D. Password and security questions

Smart card and personal identification (PIN)

________ involve the standardization of the hardware and software solutions used to address a security risk throughout the organization. A. Policies B. Standards C. Procedures D. Baselines

Standards

Which one of the following principles is NOT a component of the Biba integrity model? A. Subjects at a given integrity level can call up only subjects at the same integrity level or lower B. Subjects cannot change subjects that have a lower integrity level C. A subject may not ask for service from subjects that have a higher integrity level D. Subjects cannot read objects that have a lower of integrity than the subject

Subjects cannot change objects that have a lower integrity level.

What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system? a. System integrity monitoring b. Data loss prevention c. Network IDS d. CCTV

System integrity monitoring

Which of the following is an example of a formal model of access control? A. Discretionary access control (DAC) B. Mandatory access control (MAC) C. Nondiscretionary access control D. The Clark and Wilson integrity model E. All of the above

The Clark and Wilson integrity model