Info Assurance Midterm Study
Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered? A. Polymorphic virus B. Stealth virus C. Cross-platform virus D. Multipartite virus
A
Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take? a. Reduce b. Transfer c. Accept d. Avoid
A
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create? A. Baseline B. Policy C. Guideline D. Procedure
A
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place? A. Evil twin B. Wardriving C. Bluesnarfing D. Replay attack
A
Beth must purchase firewalls for several network circuits used by her organization. Which one circuit will have the highest possible network throughput? A. OC-12 B. DS1 C. DS3 D. OC-3
A
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type? A. Service level agreement (SLA) B. Blanket purchase agreement (BPA) C. Memorandum of understanding (MOU) D. Interconnection security agreement (ISA)
A
Brian notices an attack taking place on his network. when he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging media access control addresses. which type of attack is most likely taking place? A. address resolution protocol (ARP) poisoning B. Internet Protocol IP Spoofing C. URL Hijacking D. Christmas Attack
A
From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)? A. Security risks will increase. B. Security risks will decrease. C. Security risks will stay the same. D. Security risks will be eliminated.
A
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario? A. Discretionary access control (DAC) B. Mandatory access control (MAC) C. Rule-based access control D. Role-based access control (RBAC)
A
George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use? A. Risk management guide for information technology systems (NIST SP800-30 B. CCTA Risk analysis and management method (CRAMM) C. Operationally critical threat, asset, and vulnerability evaluation (OCTAVE) D. ISO/IEC 27005, "Information Security Risk Management"
A
Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work? A. Security information and event management (SIEM) B. Intrusion prevention systems (IPS) C. Data loss prevention (DLP) D. Virtual private network (VPN)
A
Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer? a. Supervisory Control and Data Acquisition (SCADA) b. Embedded c. Mobile d. Mainframe
A
Juan's web server was down for an entire day last september. It experienced no other downtime during that month. Which one of the following represents the web server uptime for that month? A. 96.67% B. 3.33% C. 99.96% D. .04%
A
Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking? A. Project initiation and planning B. Functional requirements and definition C. System design specification D. Operations and maintenance
A
Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales? A. Opportunity cost B. Replacement cost C. Manpower cost D. Cost of good sold
A
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control. A. Security kernel B. CPU C. Memory D. Co-processor
A
The process for proving the remote user is who he claims to be is _________________. A. Authentication B. Accessing C. Accountability D. Authorization
A
What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications? A. Security Assertion Markup Language (SAML) B. Secure European System for Applications in a Multi-Vendor Environment (SESAME) C. User Datagram Protocol (UDP) D. Password Authentication Protocol (PAP)
A
What term describes the longest period of time that a business can survive without a particular critical system? a. Maximum tolerable downtime (MTD) b. Recovery time objective (RTO) c. Recovery point objective (RPO) d. Emergency operations center (EOC)
A
What term is used to describe the probability that a potential vulnerability might be exercised within the construct of an associated threat environment? A. Likelihood B. Detective control C. Incident D. Event
A
What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations? A. Whois B. Simple Network Management Protocol (SNMP) C. Ping D. Domain Name System (DNS)
A
Which action is the best step to protect Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements? A. Applying security updates promptly B. Using encryption for communications C. Removing IoT devices from the network D. Turning IoT devices off when not in use
A
Which activity manages the baseline settings for a system or device? A. Configuration control B. Reactive change management C. Proactive change management D. Change control
A
Which approach to cryptography provides the strongest theoretical protection? A. Quantum cryptography B. Asymmetric cryptography C. Elliptic curve cryptography D. Classic cryptography
A
Which audit data collection method helps ensure that the information-gathering process covers all relevant areas? A. Checklist B. Interviews C. Questionnaires D. Observation
A
Which classification level is the highest level used by the U.S. federal government? A. Top Secret B. Secret C. Confidential D. Private
A
Which element of the security policy framework requires approval from upper management and applies to the entire organization? A. Policy B. Standard C. Guideline D. Procedure
A
Which item is an auditor least likely to review during a system controls audit? A. Resumes of system administrators B. Incident records C. Application logs D. Penetration test results
A
Which mitigation plan is most appropriate to limit the risk of unauthorized access to workstations? A. Password Protection B. Antivirus Software C. Deactivating USB Ports D. Vulnerability Scanning
A
Which network device is capable of blocking network connections that are identified as potentially malicious? A. Intrusion Prevention Sytem (IPS) B. Intrusion Detection System (IDS) C. Demilitarized Zone (DMZ) D. Web Server
A
Which of the following is NOT an example of store-and-forward messaging? A. Telephone call B. Voicemail C. Unified Messaging D. Email
A
Which of the following is an advantage that the Internet of Things (IoT) brings to economic development for countries? A. Technical and industry development B. Confidentiality of personal information C. Network security devices D. Broadband capacity
A
Which of the following would NOT be considered in the scope of organizational compliance efforts? A. Laws B. Company policy C. Internal audit D. Corporate culture
A
Which one of the following is NOT a commonly accepted best practice for password security? A. Use at least six alphanumeric characters. B. Do not include usernames in passwords. C. Include a special character in passwords. D. Include a mixture of uppercase characters, lowercase characters, and numbers in passwords.
A
Which one of the following is an example of a reactive disaster recovery control? A. Moving to a warm site B. Disk mirroring C. Surge suppression D. Antivirus Software
A
Which one of the following is typically used during the identification phase of a remote access connection? A. Username B. Password C. Token D. Fingerprint
A
Which risk is most effectively mitigated by an upstream Internet service provider (ISP)? A. Distributed denial of service (DDoS) B. Lost productivity C. Firewall configuration error D. Unauthorized remote access
A
Which type of attack involves the creation of some deception in order to trick unsuspecting users? A. Fabrication B. Modification C. Interruption D. Interception
A
With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network? A. Home Agent (HA) B. Foreign Agent (FA) C. Care of Address (COA) D. Correspondent Node (CN)
A
__________ attempts to describe risk in financial terms and put a dollar value on all the elements of a risk. a. Quantitative risk analysis b. Financial risk analysis c. Risk management d. Qualitative risk analysis
A
_____________ is an authentication credential that is generally longer and more complex than a password. a. Passphrase b. Two-factor authentication (TFA) c. Authorization d. Continuous authentication
A
Tony is working with a law enforcement agency to place a wiretap pursuant to a legitimate court order. The wiretap will monitor communications without making any modifications. What type of wiretap is Tony placing? A. Active wiretap B. Passive wiretap C. Between-the-lines wiretap D. Piggyback-entry wiretap
B
Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed? a. Detective b. Preventive c. Corrective d. Deterrent
B
What is NOT a commonly used endpoint security technique? A. Full device encryption B. Network firewall C. Remote wiping D. Application control
B
What is NOT generally a section in an audit report? A. Findings B. System configurations C. Recommendations D. Timeline for Implementation
B
What is a key principle of risk management programs? a. Security controls should be protected through the obscurity of their mechanisms. b. Don't spend more to protect an asset than it is worth. c. Apply controls in ascending order of risk. d. Risk avoidance is superior to risk mitigation.
B
What term is used to describe something built in or used in a system to address gaps or weaknesses in the controls that could otherwise lead to an exploit? A. Countermeasure B. Safeguard C. Detective control D. Technical control
B
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system? A. Network IDS B. System integrity monitoring C. CCTV D. Data loss prevention
B
When should an organization's managers have an opportunity to respond to the findings in an audit? A. Managers should write a report after receiving the final audit report. B. Managers should include their responses to the draft audit report in the final audit report. C. Managers should not have an opportunity to respond to audit findings. D. Managers should write a letter to the Board following receipt of the audit report.
B
Which activity is an auditor least likely to conduct during the information-gathering phase of an audit? A. Vulnerability testing B. Report writing C. Penetration testing D. Configuration review
B
Which control is not designed to combat malware? A. Awareness and education efforts B. Firewalls C. Antivirus software D. Quarantine computers
B
Which element of the IT security policy framework provides detailed written definitions for hardware and software and how they are to be used? A. Policy B. Standard C. Guideline D. Procedure
B
Which formula is typically used to describe the components of information security risks? A. Risk = Likelihood X Vulnerability B. Risk = Threat X Vulnerability C. Risk = Threat X Likelihood D. Risk = Vulnerability X Cost
B
Which group is the most likely target of a social engineering attack? A. Independent contractors B. Receptionists and administrative assistants C. Internal auditors D. Information security response team
B
Which of the following is NOT one of the four fundamental principles outlined by the Internet Society that will drive the success of Internet of Things (IoT) innovation? A. Connect B. Secure C. Share D. Speak
B
Which of the following is a threat,risk, or vulnerability facing the workstation domain? A. User violation of AUP B. Unauthorized access to systems, applications, and data C. Rogue AI D. Download of unknown file type attachments from unknown sources
B
Which of the following is an example of a hardware security control? A. NTFS permission B. MAC filtering C. ID badge D. Security policy
B
Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet? A. Internet society B. Internet engineering task force C. Internet association D. Internet authority
B
Which password attack is typically used specifically against password files that contain cryptographic hashes? A. Social engineering attacks B. Birthday attacks C. Brute-force attacks D. Dictionary attacks
B
Which regulatory standard would NOT require audits of companies in the United States? A. Sarbanes-Oxley Act (SOX) B. Personal Information Protection and Electronic Documents Act (PIPDEA) C. Health Insurance Portability and Accountability Act (HIPAA) D. Payment Card Industry Data Security Standard (PCI DSS)
B
Which scenario presents a unique challenge for developers of mobile applications? A. Applying encryption to network communications B. Selecting multiple items from a list C. Obtaining Internet Protocol (IP) addresses D. Using checkboxes
B
Which security model does protect the confidentiality of information? A. BIBA B. Bell-LaPadula C. Brewer and Nash D. Clark-Wilson
B
Which type of authentication includes smart cards? A. Knowledge B. Ownership C. Location D. Action
B
Which type of virus targets computer hardware and software startup functions? A. Hardware infector B. System infector C. File infector D. Data infector
B
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri? A. Cracker B. White-hat hacker C. Black-hat hacker D. Grey-hat hacker
B
______________ is exercised frequently evaluating whether countermeasures are performing as expected. a. Corrective control b. Due diligence c. Preventive control d. Detective control
B
_______________ refers to the amount of harm a threat can cause by exploiting a vulnerability. a. Risk b. Impact c. Threat d. Incident
B
Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered? a. Threat b. Vulnerability c. Risk d. Impact
B
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature? A. Alice's public key B. Alice's private key C. Bob's public key D. Bob's private key
B
An attacker attempting to break into a facility pulls the fire alarm to distract the security guard manning an entry point. Which type of social engineering attack is the attacker using? A. Vishing B. Urgency C. Whaling D. Authority
B
An organization knows that a risk exists and has decided that the cost of reducing it is higher than the loss would be. This can include self-insuring or using a deductible. This is categorized as _______________. a. Risk avoidance b. Risk acceptance c. Risk mitigation d. Risk assignment
B
Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring? A. Remote administration error B. False positive error C. Clipping error D. False negative error
B
Bob recently accepted a position as the information security and compliance manager for a medical practice. Which regulation is likely to most directly apply to Bob's employer? A. Federal Information SecurityManagement Act (FISMA) B. Health Insurance Portability andAccountability Act (HIPAA) C. Children's Internet ProtectionAct (CIPA) D. Gramm-Leach-Bliley Act (GLBA)
B
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit? A. Does the organization have an effective password policy? B. Does the firewall properly block unsolicited network connection attempts? C. Who grants approval for access requests? D. Is the password policy uniformly enforced?
B
During what phase of a remote access connection does the end user prove his or her claim of identity? A. Identification B. Authentication C. Authorization D. Tokenization
B
Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve? A. Confidentiality B. Integrity C. Authentication D. Nonrepudiation
B
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network? A. Transmission Control Protocol/Internet Protocol (TCP/IP) B. Secure Sockets Layer (SSL) C. Domain Name System (DNS) D. Dynamic Host Configuration Protocol (DHCP)
B
Hilda is troubleshooting a problem with the encryption of data. At which layer of the OSI Reference Model is she working? A. Application B. Presentation C. Session D. Data Link
B
In what type of attack does the attacker send unauthorized commands directly to a database? A. Cross-site scripting B. SQL injection C. Cross-site request forgery D. Database dumping
B
Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using? A. Platform as a Service (PaaS) B. Software as a Service (SaaS) C. Communications as a Service (CaaS) D. Infrastructure as a Service (IaaS)
B
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)? A. $2,000 B. $20,000 C. $200,000 D. $2,000,000
B
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve? A. Reduced operating costs B. Access to a high level of expertise C. Developing in-house talent D. Building internal knowledge
B
Matthew captures traffic on his network and notices connections using ports 20, 22, 23, and 80. Which port normally hosts a protocol that uses secure, encrypted connections? A. 20 B. 22 C. 23 D. 80
B
Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore? a. 1 b. 2 c. 3 d. 4
B
Purchasing an insurance policy is an example of the ____________ risk management strategy. a. reduce b. transfer c. accept d. avoid
B
Rachel is investigating an information security incident that took place at the high school where she works. She suspects that students may have broken into the student records system and altered their grades. If correct, which one of the tenets of information security did this attack violate? A. Confidentiality B. Integrity C. Availability D. Nonrepudiation
B
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in? A. Monitor B. Audit C. Improve D. Secure
B
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in? A. Monitor B. Audit C. Improve D. Secure
B
Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement? A. Privacy B. Bring Your Own Device (BYOD) C. Acceptable use D. Data classification
B
Terry is troubleshooting a network that is experiencing high traffic congestion issues. Which device, if present on the network, should be replaced to alleviate these issues? A. Firewall B. Hub C. Switch D. Router
B
A control that is carried out or managed by a computer system is the definition of ______________. a. Countermeasure b. Corrective control c. Technical control d. Safeguard
C
A countermeasure, without a corresponding ______________, is a solution seeking a problem; you can never justify the cost. a. Control b. Event c. Risk d. Response
C
A measure installed to counter or address a specific threat is the definition of ____________. a. Technical control b. Administrative control c. Countermeasure d. Preventive control
C
A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime. a. incident b. event c. disaster d. emergency
C
Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message? A. Encryption B. Hashing C. Decryption D. Validation
C
Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter? A. Virus B. Worm C. Trojan horse D. Logic bomb
C
Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need? a. Video surveillance b. Motion detectors c. Mantraps d. Biometrics
C
Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use? A. Promiscuous B. Permissive C. Prudent D. Paranoid
C
David would like to connect a fibre channel storage device to systems over a standard data network. What protocol can he use? A. Internet Small Computer System Interface (iSCSI) B. Fibre Channel (FC) C. Fibre Channel over Ethernet (FCoE) D. Secure Shell (SSH)
C
During which phase of the access control process does the system answer the question,"What can the requester access?" A. Identification B. Authentication C. Authorization D. Accountability
C
Earl is preparing a risk register for his organization's management program. Which data element is LEAST likely to be included in a risk register? A. Description of the risk B. Expected impact C. Risk survey results D. Mitigation steps
C
Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register? A. Description of the risk B. Expected impact C. Risk survey results D. Mitigation steps
C
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4
C
Forensics and incident response are examples of __________ controls. a. detective b. preventive c. corrective d. deterrent
C
Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario? A. Checklist test B. Full interruption test C. Parallel test D. Simulation test
C
How your organization responds to risk reflects the value it puts on its ___________. a. Environment b. Technology c. Assets d. Vulnerability
C
It is necessary to create and/or maintain a plan that makes sure your company continues to operate in the face of disaster. This is known as ____________________. a. Disaster plan b. Critical business function c. Business continuity plan d. Risk management plan
C
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor? a. 1 percent b. 10 percent c. 20 percent d. 50 percent
C
The __________ is a simple review of a plan by managers and the business continuity team to make sure that contact numbers are current and that the plan reflects the company's priorities and structure. A. Structured walk-through test B. Review test C. Checklist test D. Parallel test
C
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort? A. Disaster recovery plan (DRP) B. Business impact analysis (BIA) C. Business continuity plan (BCP) D. Service level agreement (SLA)
C
Tomahawk industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter the access codes before allowing the system to engage. Which principle of security is this following? A. Least privilege B. Security through obscurity C. Need to Know D. Separation of dutuies
C
Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place? A. Phishing B. Social engineering C. Spim D. Spam
C
What information should an auditor share with the client during an exit interview? A. Draft copy of the audit report B. Final copy of the audit report C. Details on major issues D. The auditor should not share any information with the client at this phase
C
What is NOT a good practice for developing strong professional ethics? A. Set the example by demonstrating ethics in daily activities B. Encourage adopting ethical guidelines and standards C. Assume that information should be free D. Inform users through security awareness training
C
What is NOT a typical sign of virus activity on a system? A. Unexplained decrease in available disk space B. Unexpected error messages C. Unexpected power failures D. Sudden sluggishness of applications
C
What is a set of concepts and policies for managing IT infrastructure, development, and operations? A. ISO 27002 B. Control objectives for information and related technology (COBIT) C. IT Infrastructure Library (ITIL) D. NIST Cybersecurity Framework (CSF)
C
Which Internet of Things (IoT) challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion? A. Security B. Privacy C. Interoperability D. Compliance
C
Which agreement type is typically less formal than other agreements and expresses areas of common interest? A. Service level agreement (SLA) B. Blanket purchase agreement (BPA) C. Memorandum of understanding (MOU) D. Interconnecting security agreement (ISA)
C
Which characteristic of a biometric system measures the system's accuracy using a balance of a different error types? A. False acceptance rate (FAR) B. False rejection rate (FRR) C. Crossover error rate (CER) D. Reaction time
C
Which element of the security policy framework offers suggestions rather than mandatory actions? A. Policy B. Standard C. Guideline D. Procedure
C
Which information security objective allows trusted entities to endorse information? A. Validation B. Authorization C. Certification D. Witnessing
C
Which one of the following is NOT a good technique for performing authentication of an end user? A. Password B. Biometric C. Identification Number D. Token
C
Which one of the following is an example of a business-to-consumer (B2C) application ofthe Internet of Things (IoT)? A. Virtual workplace B. Infrastructure monitoring C. Health monitoring D. Supply chain management
C
Which one of the following is an example of a disclosure threat? A. Denial B. Alteration C. Espionage D. Destruction
C
Which one of the following is an example of a logical access control? A. key for a lock B. Access card C. Password D. Fence
C
Which one of the following is not a good technique for performing authentication of an end user? A. Password B. Biometric scan C. Identification number D. Token
C
Which one of the following is the best example of an authorization control? A. Biometric device B. Digital certificate C. Access control lists D. One-time password
C
Which one of the following measures the average amount of time that it takes to repair a system, application, or component? A. Uptime B. Mean time to failure (MTTF) C. Mean time to repair (MTTR) D. Recovery time objective (RTO)
C
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)? A. Seeking to gain unauthorized access to resources B. Disrupting intended use of the Internet C. Enforcing the integrity of computer-based information D. Compromising the privacy of others
C
Which technology can be used to protect the privacy rights of individuals and simultaneously allow organizations to analyze data in aggregate? A. Encryption B. Decryption C. Deidentification D. Aggregation
C
Which type of attack involves the creation of some deception in order to trick unsuspecting users? A. Intersection B. Interruption C. Fabrication D. Modification
C
____________ is a risk management phase that includes assessment of various types of controls to mitigate the identified risks, selection of a control strategy, and justification of choice of controls. a. Identify threats and vulnerabilities b. Inventory of assets c. Risk assessment d. Risk identification
C
Gwen's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Gwen should implement before accepting credit card transactions? A. Health Insurance Portability and Accountability Act (HIPAA) B. Family Education Rights and Privacy Act (FERPA) C. Communications Assistance for Law Enforcement Act (CALEA) D. Payment Card Industry Data Security Standard (PCI DSS)
D
It is necessary to create and/or maintain a plan that makes sure your company continues to operate in the face of disaster. This is known as _______________. a. Risk management plan b. Critical business function c. Disaster plan d. Business continuity plan
D
Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit? A. Is the level of security control suitable for the risk it addresses? B. Is the security control in the right place and working well? C. Is the security control effective in addressing the risk it was designed to address? D. Is the security control likely to become obsolete in the near future?
D
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing? A. Identification B. Authentication C. Accountability D. Authorization
D
Jody would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs? A. Voice over IP (VoIP) B. Audio conferencing C. Video conferencing D. Collaboration
D
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing? A. Job rotation B. Least privilege C. Need-to-know D. Separation of duties
D
Susie Q received an email that appeared to be from a client. She clicked on an attachment that unleashed a virus onto her computer and those connected to her computer. How might this have best been prevented? A. Intrusion Prevention system B. Web Content Filter C. Intrusion Detection System D. Email Content Filter and Quarantine System
D
What is NOT a common endpoint for a virtual private network (VPN) connection used for remote network access? A. Laptop B. Firewall C. Router D. Content filter
D
What is NOT a goal of information security awareness programs? A. Teach users about security objectives B. Inform users about trends and threats in security C. Motivate users to comply with security policy D. Punish users who violate policy
D
What is the first step in a disaster recovery effort? A. Respond to the disaster. B. Follow the disaster recovery plan (DRP). C. Communicate with all affected parties. D. Ensure that everyone is safe.
D
What term describes the risk that exists after an organization has performed all planned countermeasures and controls? a. Total risk b. Business risk c. Transparent risk d. Residual risk
D
What term is used to describe communication that doesn't happen in real time but rather consists of messages (voice or email) that are stored on a server and downloaded to endpoint devices? A. Call Control B. Real-Time Communications C. Multimodal Communications D. Store-and-Forward Communications
D
What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature? A. RSA B. Decryption C. Encryption D. Hash
D
Which compliance obligation includes security requirements that apply specifically tofederal government agencies in the United States? A. Gramm-Leach-Bliley Act (GLBA) B. Health Insurance Portability and Accountability Act (HIPAA) C. Family Educational Rights and Privacy Act (FERPA) D. Federal Information Security Management Act (FISMA)
D
Which data source comes first in the order of volatility when conducting a forensic investigation? a. Logs b. Data files on disk c. Swap and paging files d. RAM
D
Which intrusion detection system strategy relies upon pattern matching? A. Behavior detection B. Traffic-based detection C. Statistical detection D. Signature detection
D
Which is NOT a component of the IT security framework? A. Procedure B. Planning C. Standard D. Integrity
D
Which mitigation plan is the least appropriate to limit the risk of unauthorized access to workstations? A. Enable Password Protection B. Enable Automatic Screen lockouts C. Disable system administration rights for end user D. Install and update antivirus software
D
Which of the following is NOT a benefit of cloud computing to organizations? A. On-demand provisioning B. Improved disaster recovery C. No need to maintain a data center D. Lower dependence on outside vendors
D
Which one of the following is NOT an advantage of biometric systems? A. Biometrics require physical presence. B. Biometrics are hard to fake. C. Users do not need to remember anything. D. Physical characteristics may change.
D
Which one of the following is an example of a direct cost that might result from a business disruption? A. Damaged reputation B. Lost market share C. Lost customers D. Facility repair
D
Which recovery site option provides readiness in minutes to hours? a. Warm site b. Cold site c. Multiple sites d. Hot site
D
Which security control is most helpful in protecting against eavesdropping on wireless LAN (WLAN) data transmissions that would jeopardize confidentiality? A. Securing wiring closets B. Applying patches promptly C. Implementing LAN configuration standards D. Applying strong encryption
D
Which term describes an action that can damage or compromise an asset? A. Risk B. Vulnerability C. Countermeasure D. Threat
D
Which term describes an action that can damage or compromise an asset? A. Vulnerability B. Risk C. Countermeasure D. Threat
D
Which term describes any action that could damage an asset? A. Risk B. Countermeasure C. Vulnerability D. Threat
D
Which tool can capture the packets transmitted between systems over a network? A. Port scanner B. OS fingerprinter C. Wardialer D. Protocol analyzer
D
Which type of attack against a web application uses a newly discovered vulnerability that is not patchable? A. SQL Injection B. Cross-Site Scripting C. Cross-Site request forgery D. Zero-day Attack
D
Which type of denial of service attack exploits the existence of software flaws to disrupt a service? A. SYN flood attack B. Smurf attack C. Flooding attack D. Logic attack
D
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value? A. Dictionary attack B. Rainbow table attack C. Social engineering attack D. Brute-force attack
D
____________ uses various controls to reduce identified risks. These controls might be administrative, technical, or physical. a. Risk acceptance b. Risk acceptance c. Risk assignment d. Risk mitigation
D
Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity? a. Event b. Outage c. Incursion d. Incident
D
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions? A. Value B. Critically C. Sensitivity D. Threat
D
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering? A. Accuracy B. Reaction time C. Dynamism D. Acceptability
D
Chris is writing a document that provides step-by-step instructions for end users seeking to update the security software on their computers. Performing these updates is mandatory. Which type of document is Chris writing? A. Policy B. Standard C. Guideline D. Procedure
D
Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about? A. Identification B. Authentication C. Authorization D. Accountability
D
Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using? A. Cross-site scripting B. Session hijacking C. SQL injection D. Typosquatting
D
Forensics and incident response are examples of _____________ controls. a. Technical b. Preventive c. Detective d. Corrective
D
A ___________ is a flaw or weakness in a system's security procedures, design, implementation, or internal controls. A. Vulnerability B. Risk C. Impact D. Threat
A
A _________________ is a software program that performs one of two functions: brute-force password attack to gain unauthorized access to a system, or recovery of passwords stored in a computer system. A. Password Cracker B. Rootkit C. Packet Sniffer D. Backdoor
A
A company can discontinue or decide not to enter a line of business if the risk level is too high. This is categorized as _____________. a. Risk avoidance b. Risk mitigation c. Risk acceptance d. Risk assignment
A
A __________ determines the extent of the impact that a particular incident would have on business operations over time. a. RTO b. BIA c. MTD d. CBF
B
A threat source can be a situation or method that might accidentally trigger a(n) ___________. a. Incident b. Control c. Event d. Vulnerability
D