IS 413 Final Quiz Review
True
A keyword mixed alphabet cipher uses a cipher alphabet that consists of a keyword, minus duplicates, followed by the remaining letters of the alphabet.
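Worked example of the keyword mixed alphabet construction in the statement above (added here for review; not code from the course or the textbook). The keyword "SECURITY" and the sample plaintext are constructed inputs; any letters outside A-Z pass through unchanged.

```python
import string

ALPHABET = string.ascii_uppercase


def keyword_alphabet(keyword: str) -> str:
    """Build the cipher alphabet: the keyword's letters with duplicates removed
    (first occurrence kept), followed by the remaining letters of A-Z in order.
    The result is always a 26-letter permutation of the alphabet."""
    seen = []
    for ch in keyword.upper():
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    rest = [ch for ch in ALPHABET if ch not in seen]
    return "".join(seen + rest)


def encrypt(plaintext: str, keyword: str) -> str:
    """Monoalphabetic substitution: plain letter i maps to cipher_alphabet[i]."""
    table = str.maketrans(ALPHABET, keyword_alphabet(keyword))
    return plaintext.upper().translate(table)


def decrypt(ciphertext: str, keyword: str) -> str:
    """Inverse mapping: cipher_alphabet[i] maps back to plain letter i."""
    table = str.maketrans(keyword_alphabet(keyword), ALPHABET)
    return ciphertext.upper().translate(table)


if __name__ == "__main__":
    # Constructed sample: keyword "SECURITY" has no repeated letters,
    # so the cipher alphabet is SECURITY + the other 18 letters in order.
    print(keyword_alphabet("SECURITY"))   # SECURITYABDFGHJKLMNOPQVWXZ
    print(keyword_alphabet("PASSWORD"))   # PASWORDBCEFGHIJKLMNQTUVXYZ (second S dropped)
    print(encrypt("ATTACK AT DAWN", "SECURITY"))
    print(decrypt(encrypt("ATTACK AT DAWN", "SECURITY"), "SECURITY"))
```

Because each plaintext letter always maps to the same ciphertext letter, the ciphertext keeps the plaintext's letter frequencies; the keyword only picks which of the 26! permutations is used, so the cipher is no stronger against frequency analysis than any other simple substitution.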
Confidentiality
Alison discovers that a system under her control has been infected with malware, which is using a key logger to report user keystrokes to a third party. What information security property is this malware attacking?
Qualitative
Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis?
Tier 1
Bobbi recently discovered that an email program used within her healthcare practice was sending sensitive medical information to patients without using encryption. She immediately corrected the problem because it violated the company's security policy and standard rules. What level of the Health Insurance Portability and Accountability Act (HIPAA) violation likely took place?
False
DIAMETER is a research and development project funded by the European Commission.
True
Payment Card Industry Data Security Standard (PCI DSS) version 3.2 defines 12 requirements for compliance, organized into six groups, called control objectives.
True
Under Securities and Exchange Commission (SEC) rules, internal controls over financial reporting (ICFR) are processes that provide reasonable assurance that an organization's financial reports are reliable.
Spim
Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place?
512 bits
What is NOT a valid encryption key length for use with the Blowfish algorithm?
Warm site
Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime?
Subjects cannot change objects that have a lower integrity level.
Which one of the following principles is NOT a component of the Biba integrity model?
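The three Biba rules as an executable policy check (added example for review; not course or textbook code). The integrity levels and the subject/object pairs are constructed. The check makes the quiz answer concrete: a subject writing to an object at a lower integrity level is permitted by Biba, which is why that statement is not one of the model's properties.

```python
from enum import IntEnum


class Level(IntEnum):
    """Constructed integrity lattice: higher value = more trustworthy."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def can_read(subject: Level, obj: Level) -> bool:
    """Simple Integrity Property ("no read down"): a subject may only read
    objects at its own integrity level or higher."""
    return subject <= obj


def can_write(subject: Level, obj: Level) -> bool:
    """Star (*) Integrity Property ("no write up"): a subject may only write
    to objects at its own integrity level or lower."""
    return subject >= obj


def can_invoke(subject: Level, other_subject: Level) -> bool:
    """Invocation Property: a subject may not invoke (request service from)
    a subject at a higher integrity level."""
    return subject >= other_subject


def decide(subject: Level, target: Level, operation: str) -> str:
    """Return 'allow' or 'deny' for read / write / invoke under Biba."""
    checks = {"read": can_read, "write": can_write, "invoke": can_invoke}
    if operation not in checks:
        raise ValueError(f"unknown operation: {operation}")
    return "allow" if checks[operation](subject, target) else "deny"


if __name__ == "__main__":
    for sub, obj, op in [
        (Level.HIGH, Level.LOW, "write"),    # write down: allowed
        (Level.LOW, Level.HIGH, "write"),    # write up: denied
        (Level.LOW, Level.HIGH, "read"),     # read up: allowed
        (Level.HIGH, Level.LOW, "read"),     # read down: denied
        (Level.LOW, Level.HIGH, "invoke"),   # invoke higher: denied
    ]:
        print(f"{sub.name:6} {op:6} {obj.name:6} -> {decide(sub, obj, op)}")
```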
American National Standards Institute (ANSI)
Which organization created a standard version of the widely used C programming language in 1989?
European Telecommunications Standards Institute (ETSI) Cyber Security Technical Committee (TC CYBER)
Which organization creates information security standards that specifically apply within the European Union?
Personal Information Protection and Electronic Documents Act (PIPEDA)
Which regulatory standard would NOT require audits of companies in the United States?
Brute-force attack
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?
White-hat hacker
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?
True
A control limits or constrains behavior.
True
A network protocol governs how networking equipment interacts to deliver data across the network.
True
Examples of major disruptions include extreme weather, application failure, and criminal activity.
Session hijacking
In which type of attack does the attacker attempt to take over an existing connection between two systems?
2
Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore?
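The restore-set rule behind the answer above, worked as code (added example; not course or textbook code). It generalizes the question to both differential and incremental schemes so the difference is visible: a differential restore needs the last full plus the latest differential, an incremental restore needs the last full plus every incremental since. The calendar week (a Sunday reference date) is constructed.

```python
from datetime import datetime, timedelta

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def weekly_schedule(week_start_sunday: datetime, partial_kind: str):
    """Nancy's schedule: a full backup at 1 A.M. Sunday, then one partial
    backup of the given kind ("differential" or "incremental") at 1 A.M.
    Monday through Friday. Returns a list of (timestamp, kind)."""
    first = week_start_sunday.replace(hour=1, minute=0, second=0, microsecond=0)
    backups = [(first, "full")]
    for day in range(1, 6):
        backups.append((first + timedelta(days=day), partial_kind))
    return backups


def restore_set(backups, failure_time: datetime):
    """Return, in restore order, the backups needed to rebuild the server
    as of the last backup completed before failure_time."""
    taken = sorted(b for b in backups if b[0] <= failure_time)
    fulls = [b for b in taken if b[1] == "full"]
    if not fulls:
        raise ValueError("no full backup completed before the failure")
    last_full = fulls[-1]
    since_full = [b for b in taken if b[0] > last_full[0]]
    diffs = [b for b in since_full if b[1] == "differential"]
    incs = [b for b in since_full if b[1] == "incremental"]
    if diffs and incs:
        raise ValueError("mixed differential and incremental backups are not supported")
    if diffs:
        return [last_full, diffs[-1]]      # differential already contains earlier changes
    return [last_full] + incs               # every incremental since the full, in order


def label(backup) -> str:
    ts, kind = backup
    return f"{DAY_NAMES[ts.weekday()]} {ts:%H:%M} {kind}"


def backups_needed(partial_kind: str, failure_weekday: int, failure_hour: int):
    """Labels of the backups Nancy must restore if the server fails at
    failure_hour on failure_weekday (0 = Monday ... 6 = Sunday) of the week."""
    sunday = datetime(2023, 10, 1)  # constructed reference week; 2023-10-01 is a Sunday
    failure = sunday + timedelta(days=(failure_weekday + 1) % 7, hours=failure_hour)
    return [label(b) for b in restore_set(weekly_schedule(sunday, partial_kind), failure)]


if __name__ == "__main__":
    print(backups_needed("differential", 2, 9))  # Wednesday 9 A.M., the quiz case
    print(backups_needed("incremental", 2, 9))
    print(backups_needed("differential", 2, 0))  # fails before the Wednesday 1 A.M. run
```

Note that the Wednesday differential runs at 1 A.M., before the 9 A.M. failure, so it is included; a failure at midnight Wednesday would fall back to Tuesday's differential.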
True
Policies that cover data management should cover transitions throughout the data life cycle.
Audit
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?
True
Social engineering is deceiving or using people to get around security controls.
False
A packet-filtering firewall remembers information about the status of a network communication.
True
A salt value is a set of random characters you can combine with an actual input key to create the encryption key.
Baseline
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Trojan horse
Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter?
Wi-Fi
Gary is configuring a smartphone and is selecting a wireless connectivity method. Which approach will provide him with the highest speed wireless connectivity?
3389
Henry's last firewall rule must allow inbound access to a Windows Terminal Server. What port must he allow?
Supervisory Control and Data Acquisition (SCADA)
Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer?
Protocol analyzer
Which tool can capture the packets transmitted between systems over a network?
Transposition
Which type of cipher works by rearranging the characters in a message?
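A columnar transposition cipher as a worked example of "rearranging the characters" (added here for review; not code from the course or the textbook). The key "KEY" and the sample messages are constructed. Unlike the substitution cipher earlier on this page, the ciphertext here contains exactly the plaintext's letters, only in a different order; the decrypt routine handles a final short row, which is the usual place implementations go wrong.

```python
def key_order(key: str):
    """Column read-out order: column indexes sorted by key letter
    (ties broken left to right). For "KEY": E(1), K(0), Y(2) -> [1, 0, 2]."""
    return sorted(range(len(key)), key=lambda i: (key[i].upper(), i))


def encrypt(plaintext: str, key: str) -> str:
    """Write the letters row by row under the key, then read the columns
    out in key order. Non-letters are dropped, as in classical practice."""
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    n = len(key)
    rows = [text[i:i + n] for i in range(0, len(text), n)]
    out = []
    for col in key_order(key):
        for row in rows:
            if col < len(row):          # last row may be short
                out.append(row[col])
    return "".join(out)


def decrypt(ciphertext: str, key: str) -> str:
    """Recover the grid: the first (len % n) columns hold one extra letter,
    slice the ciphertext into columns in key order, then read row by row."""
    n = len(key)
    full_rows, extra = divmod(len(ciphertext), n)
    col_len = {c: full_rows + (1 if c < extra else 0) for c in range(n)}
    cols, pos = {}, 0
    for col in key_order(key):
        cols[col] = ciphertext[pos:pos + col_len[col]]
        pos += col_len[col]
    out = []
    for r in range(full_rows + (1 if extra else 0)):
        for c in range(n):
            if r < col_len[c]:
                out.append(cols[c][r])
    return "".join(out)


if __name__ == "__main__":
    # Constructed samples: 12 letters fill the 3-column grid exactly;
    # 13 letters leave a short final row.
    for msg in ("ATTACK AT DAWN", "DEFEND THE EAST"):
        ct = encrypt(msg, "KEY")
        print(msg, "->", ct, "->", decrypt(ct, "KEY"))
```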
Payment Card Industry Data Security Standard (PCI DSS)
A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?
Integrity
Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve?
Business Continuity Plan
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
No technology infrastructure
What level of technology infrastructure should you expect to find in a cold site alternative data center facility?
Hot site
Which recovery site option provides readiness in minutes to hours?
SOC 3
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request?
Business associate of a covered entity
Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)?
Captive portal
Karen would like to use a wireless authentication technology similar to that found in hotels where users are redirected to a webpage when they connect to the network. What technology should she deploy?
True
ActiveX is used by developers to create active content.
True
Attacks against confidentiality and privacy, data integrity, and availability of services are all ways malicious code can threaten businesses.
Threat
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make this type of classification decision?
True
Authentication controls include passwords and personal identification numbers (PINs).
True
Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it.
True
SOC 2 reports are created for internal and other authorized stakeholders and are commonly implemented for service providers, hosted data centers, and managed cloud computing providers.
True
The Baldrige National Quality Program is part of the National Institute of Standards and Technology (NIST).
False
The Centers for Medicare & Medicaid Services (CMS) investigates and responds to complaints from people who claim that a covered entity has violated the Health Insurance Portability and Accountability Act (HIPAA).
True
The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege.
Confidentiality, Availability, and Integrity
What are the three tenets of information security?
National Institute of Standards and Technology (NIST)
What federal agency is charged with the mission of promoting "U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life?"
Wired Equivalent Privacy (WEP)
What standard is NOT secure and should never be used on modern wireless networks?
Maximum tolerable downtime (MTD)
What term describes the longest period of time that a business can survive without a particular critical system?
Residual risk
What term describes the risk that exists after an organization has performed all planned countermeasures and controls?
Honeypot
What type of system is intentionally exposed to attackers in an attempt to lure them out?
Managers should include their responses to the draft audit report in the final audit report.
When should an organization's managers have an opportunity to respond to the findings in an audit?
Redundant Array of Independent Disks (RAID)
Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?
Logic attack
Which type of denial of service attack exploits the existence of software flaws to disrupt a service?