Information Security
The weakest link in the security of an IT infrastructure is the server.
False
Screen locks are a form of endpoint device security control.
True
Application service providers (ASPs) are software companies that build applications hosted in the cloud and on the Internet.
True
Authorization is the process of granting rights to use an organization's IT assets, systems, applications, and data to a specific user.
True
Encrypting the data within databases and storage devices gives an added layer of security.
True
Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it.
True
What is NOT one of the three tenets of information security?
Safety
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
security kernel
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?
Acceptability
Malek wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Malek concerned about?
Accountability
Which security control is most helpful in protecting against eavesdropping on wireless LAN (WLAN) data transmissions that would jeopardize confidentiality?
Applying strong encryption
During which phase of the access control process does the system answer the question, "What can the requestor access?"
Authorization
Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?
Bring Your Own Device (BYOD)
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?
Brute-force attack
Aaliyah would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs?
Collaboration
Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?
Data ownership
Which technology can be used to protect the privacy rights of individuals and simultaneously allow organizations to analyze data in aggregate?
Deidentification
Which one of the following is an example of a disclosure threat?
Espionage
Which one of the following is an example of a direct cost that might result from a business disruption?
Facility repair
A bricks-and-mortar strategy includes marketing and selling goods and services on the Internet.
False
DIAMETER is a research and development project funded by the European Commission.
False
Denial of service (DoS) attacks are larger in scope than distributed denial of service (DDoS) attacks.
False
Hypertext Transfer Protocol (HTTP) encrypts data transfers between secure browsers and secure web pages.
False
Removable storage is a software application that allows an organization to monitor and control business data on a personally owned device.
False
The auto industry has not yet implemented the Internet of Things (IoT).
False
The main difference between a virus and a worm is that a virus does not need a host program to infect.
False
Which compliance obligation includes security requirements that apply specifically to federal government agencies in the United States?
Federal Information Security Management Act (FISMA)
Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers?
HIPAA
Bob recently accepted a position as the information security and compliance manager for a medical practice. Which regulation is likely to most directly apply to Bob's employer?
Health Insurance Portability and Accountability Act (HIPAA)
Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)?
Health monitoring
With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network?
Home agent (HA)
Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that will have the shortest switchover time even though it may be costly. What would be the best option in this situation?
Hot site
Which one of the following is NOT a good technique for performing authentication of an end user?
Identification number
Which one of the following measures the average amount of time that it takes to repair a system, application, or component?
Mean time to repair (MTTR)
What level of technology infrastructure should you expect to find in a cold site alternative data center facility?
No technology infrastructure
Which type of authentication includes smart cards?
Ownership
Tony is working with a law enforcement agency to place a wiretap pursuant to a legitimate court order. The wiretap will monitor communications without making any modifications. What type of wiretap is Tony placing?
Passive wiretap
A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?
Payment Card Industry Data Security Standard (PCI DSS)
Faisal's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Faisal should implement before accepting credit card transactions?
Payment Card Industry Data Security Standard (PCI DSS)
Which one of the following is NOT an advantage of biometric systems?
Physical characteristics may change
Which group is the most likely target of a social engineering attack?
Receptionists and administrative assistants
Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?
Redundant Array of Independent Disks (RAID)
Fernando is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for Fernando's use?
Risk Management Guide for Information Technology Systems (NIST SP 800-30)
Ernie is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register?
Risk survey results
What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?
Security Assertion Markup Language (SAML)
From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)?
Security risks will increase
In which type of attack does the attacker attempt to take over an existing connection between two systems?
Session hijacking
As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct?
Simulation test
Which one of the following is an example of two-factor authentication?
Smart card and personal identification number (PIN)
Which term describes an action that can damage or compromise an asset?
Threat
Which term describes any action that could damage an asset?
Threat
Which classification level is the highest level used by the U.S. federal government?
Top Secret
What type of malicious software masquerades as legitimate software to entice the user to run it?
Trojan horse
A dictionary attack works by hashing all the words in a dictionary and then comparing the hashed value with the system password file to discover a match.
True
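The brute-force item above (every possible combination) and this dictionary-attack item (hash a word list, compare against the stored hashes) describe the two classic offline password attacks. The following is an added example, not part of the original deck: it runs both attacks against a constructed password file of unsalted SHA-256 hashes. The file format ("user:sha256hex"), the accounts and the word list are all invented for the demonstration.

```python
"""Dictionary attack and brute-force attack against a file of unsalted hashes.

Added example, not part of the original quiz deck. The password file format
("user:sha256hex", one entry per line), the word list and the accounts are all
constructed here so the code runs offline. Unsalted SHA-256 is used because it
is what makes both attacks cheap; see the note after the code.
"""
import hashlib
import itertools
import string


def sha256_hex(text):
    """Hex digest of the UTF-8 encoding of `text` (the stored hash format)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample password file. The plaintexts appear only to build the
# fixture; the attacks below see nothing but the hashes.
PASSWORD_FILE = "\n".join(
    f"{user}:{sha256_hex(pw)}"
    for user, pw in [("alice", "password"), ("bob", "letmein"), ("carol", "x7q")]
)

# Constructed word list standing in for a real dictionary file.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "welcome"]


def parse_password_file(text):
    """Return {user: hash} from 'user:hexhash' lines, skipping blank lines."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            user, _, digest = line.partition(":")
            entries[user.strip()] = digest.strip().lower()
    return entries


def dictionary_attack(entries, wordlist):
    """Hash each dictionary word once, then look every stored hash up.

    Because the hashes are unsalted, one table of len(wordlist) digests
    cracks every account that used a dictionary word, however many users
    the file holds.
    """
    table = {sha256_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in entries.items() if h in table}


def keyspace_size(alphabet_len, max_len):
    """Number of candidates a brute-force run tries over lengths 1..max_len."""
    return sum(alphabet_len ** n for n in range(1, max_len + 1))


def brute_force(entries, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Try every string over `alphabet` of length 1..max_len.

    Returns (cracked, attempts). Unlike the dictionary attack, the cost does
    not depend on password quality; it grows exponentially with length.
    """
    pending = {}                      # hash -> users still uncracked
    for user, h in entries.items():
        pending.setdefault(h, []).append(user)
    cracked, attempts = {}, 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            digest = sha256_hex(candidate)
            if digest in pending:
                for user in pending.pop(digest):
                    cracked[user] = candidate
                if not pending:
                    return cracked, attempts
    return cracked, attempts


if __name__ == "__main__":
    accounts = parse_password_file(PASSWORD_FILE)
    print("dictionary:", dictionary_attack(accounts, WORDLIST))
    print("brute force:", brute_force(accounts))
```

The dictionary pass finds alice and bob with six hashes; the brute-force pass finds carol's three-character password but needs up to 47,988 hashes, and a fourth character would multiply that by 36 again. A per-user random salt would defeat the shared lookup table in dictionary_attack (each user would need their own table), and a deliberately slow hash such as bcrypt or scrypt raises the cost of every guess in both attacks.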
A man-in-the-middle attack takes advantage of the multihop process used by many types of networks.
True
Access control lists (ACLs) are used to permit and deny traffic in an IP router.
True
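The statement above is what an ACL does; how a router applies one is where mistakes happen. The following added example (not part of the original deck) evaluates a constructed IP ACL the way a router does: rules are tested top to bottom, the first match decides, and anything that matches no rule is dropped by the implicit deny. The rule fields and the sample packets are invented for the demonstration.

```python
"""First-match evaluation of an IP router access control list (ACL).

Added example, not part of the original quiz deck. The rule fields and the
sample traffic are constructed for the demonstration. Two behaviours the code
makes visible: rules are tested top to bottom and the first match decides, and
traffic that matches no rule falls through to an implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str                      # source network in CIDR notation
    dst: str                      # destination network in CIDR notation
    dport: Optional[int] = None   # destination port; None matches any port

    def matches(self, pkt):
        """True if every populated field of the rule matches the packet."""
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def evaluate(acl, pkt):
    """Return (action, index_of_matching_rule); index is None for the implicit deny."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Constructed ACL: allow HTTPS to one web server, block SSH into the server
# subnet, then allow everything else from the corporate range.
ACL = [
    Rule("permit", "tcp", "10.0.0.0/8", "192.168.1.10/32", dport=443),
    Rule("deny",   "tcp", "10.0.0.0/8", "192.168.1.0/24",  dport=22),
    Rule("permit", "ip",  "10.0.0.0/8", "192.168.1.0/24"),
]

# Constructed packets, reduced to the fields the router matches on.
PACKETS = {
    "https_to_web":  {"proto": "tcp", "src": "10.1.1.1",   "dst": "192.168.1.10", "dport": 443},
    "ssh_to_server": {"proto": "tcp", "src": "10.1.1.1",   "dst": "192.168.1.5",  "dport": 22},
    "dns_to_server": {"proto": "udp", "src": "10.1.1.1",   "dst": "192.168.1.5",  "dport": 53},
    "outside_https": {"proto": "tcp", "src": "172.16.0.9", "dst": "192.168.1.10", "dport": 443},
}


def apply_acl(acl, packets):
    """Evaluate every named packet; returns {name: (action, rule_index)}."""
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, decision in apply_acl(ACL, PACKETS).items():
        print(f"{name:14} -> {decision}")
```

The ordering check worth running on any real ACL: if the broad "permit ip" rule is moved above the SSH deny, the deny is shadowed and never matches, so SSH into the server subnet is silently allowed. The same first-match logic explains why the packet from 172.16.0.9 is dropped even though no rule names it.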
An alteration threat violates information integrity.
True
In a Bring Your Own Device (BYOD) policy, the user acceptance component may include separation of private data from business data.
True
Metadata of Internet of Things (IoT) devices can be sold to companies seeking demographic marketing data about users and their spending habits.
True
The Gramm-Leach-Bliley Act (GLBA) addresses information security concerns in the financial industry.
True
The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks.
True
When servers need operating system upgrades or patches, administrators take them offline intentionally so they can perform the necessary work without risking malicious attacks.
True
Which one of the following is typically used during the identification phase of a remote access connection?
Username
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?
White-hat hacker
Which type of attack against a web application uses a newly discovered vulnerability for which no patch is yet available?
Zero-day attack
Lidia would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
Discretionary access control (DAC)
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the service set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?
Evil twin
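An evil twin is found the way Barry found it: an SSID you operate (or host in your lobby) appears from an access point you do not own. The following added example, not part of the original deck, runs that check over constructed scan results against a constructed inventory of legitimate access points, and also records two common tells, a stronger signal than the real access point and a downgraded security setting.

```python
"""Flagging evil-twin candidates in wireless scan results.

Added example, not part of the original quiz deck. The scan records and the
inventory of known-good access points are constructed; a real run would take
the output of a site survey or the WLAN controller. The core test is simple:
any BSSID advertising a known SSID that is not in the inventory is reported.
"""

# Constructed inventory of legitimate access points: SSID -> {BSSID: security}.
KNOWN_APS = {
    "CorpNet":     {"aa:bb:cc:00:00:01": "WPA2-Enterprise",
                    "aa:bb:cc:00:00:02": "WPA2-Enterprise"},
    "LobbyCoffee": {"de:ad:be:ef:00:10": "Open"},
}

# Constructed scan results: one record per beacon observed.
SCAN = [
    {"ssid": "CorpNet",     "bssid": "aa:bb:cc:00:00:01", "security": "WPA2-Enterprise", "rssi": -48},
    {"ssid": "LobbyCoffee", "bssid": "de:ad:be:ef:00:10", "security": "Open",            "rssi": -61},
    {"ssid": "LobbyCoffee", "bssid": "02:11:22:33:44:55", "security": "Open",            "rssi": -39},
    {"ssid": "CorpNet",     "bssid": "02:11:22:33:44:66", "security": "Open",            "rssi": -42},
    {"ssid": "NeighborNet", "bssid": "11:22:33:44:55:66", "security": "WPA2-Personal",   "rssi": -80},
]


def find_evil_twins(scan, known_aps):
    """Return findings for BSSIDs that advertise a known SSID but are not ours.

    SSIDs we do not operate (NeighborNet) are ignored. Each finding records
    whether the rogue is louder than the strongest legitimate beacon for that
    SSID and whether it dropped the security level, the usual setup for
    harvesting credentials when the real network is encrypted.
    """
    best_legit_rssi = {}
    for record in scan:
        legit = known_aps.get(record["ssid"], {})
        if record["bssid"] in legit:
            ssid = record["ssid"]
            best_legit_rssi[ssid] = max(best_legit_rssi.get(ssid, -999), record["rssi"])

    findings = []
    for record in scan:
        ssid = record["ssid"]
        if ssid not in known_aps:
            continue
        legit = known_aps[ssid]
        if record["bssid"] in legit:
            continue
        findings.append({
            "ssid": ssid,
            "rogue_bssid": record["bssid"],
            "rssi": record["rssi"],
            "stronger_than_legit": record["rssi"] > best_legit_rssi.get(ssid, -999),
            "security_downgrade": record["security"] not in set(legit.values()),
        })
    return findings


if __name__ == "__main__":
    for finding in find_evil_twins(SCAN, KNOWN_APS):
        print(finding)
```

Two findings come back: the LobbyCoffee twin (same open security as the real network, exactly Barry's case, so only the unknown BSSID and the stronger signal give it away) and a CorpNet twin that has dropped WPA2-Enterprise to Open. A BSSID is just a MAC address and can be cloned, so an attacker who copies the legitimate BSSID would pass this inventory check; treat the signal and security comparisons as corroboration, and confirm with a physical walk to the reported location.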
IoT devices cannot share and communicate your IoT device data to other systems and applications without your authorization or knowledge.
False
Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet?
Internet Engineering Task Force
Which Internet of Things (IoT) challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion?
Interoperability
Which network device is capable of blocking network connections that are identified as potentially malicious?
Intrusion prevention system (IPS)
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?
Kerberos
Which element of the security policy framework requires approval from upper management and applies to the entire organization?
Policy
Chris is writing a document that provides step-by-step instructions for end users seeking to update the security software on their computers. Performing these updates is mandatory. Which type of document is Chris writing?
Procedure
Which tool can capture the packets transmitted between systems over a network?
Protocol analyzer