IS 607: Intro to Information/Cyber Security
What is the maximum value for any octet in an IPv4 IP address?
255
A successful change control program should include the following elements to ensure the quality of the change control process: peer review, documentation, and back-out plans.
True
During the planning and execution phases of an audit, an auditor will most likely review risk analysis output.
True
Fencing and mantraps are examples of physical controls.
True
The goal of a command injection is to execute commands on a host operating system.
True
During which phase of the access control process does the system answer the question "What can the requester access"?
Authorization
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank X?
Consumer
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank Y?
Customer
Which technology category would NOT likely be the subject of a standard published by the International Electrotechnical Commission (IEC)?
Encryption
A packet filtering firewall remembers information about the status of a network communication.
False
A private key cipher is also called an asymmetric key cipher.
False
An SOC1 report primarily focuses on security.
False
Deterrent controls identify that a threat has landed in your system.
False
Mandatory vacations minimize risk by rotating employees among various systems or duties.
False
Most enterprises are well prepared for a disaster should one occur.
False
A product cipher is an encryption algorithm that has no corresponding decryption algorithm.
False
Regarding security controls, the four most common permission levels are poor, permissive, prudent, and paranoid.
False
Removable storage is a software application that allows an organization to monitor and control business data on a personally owned device.
False
The Gramm-Leach-Bliley Act (GLBA) applies to the financial activities of both consumers and privately held companies.
False
The auto industry has not yet implemented the Internet of Things (IoT).
False
The first step in the risk management process is to monitor and control deployed countermeasures.
False
Voice pattern biometrics are accurate for authentication because voices can't easily be replicated by computer software.
False
Wardialers are becoming more frequently used given the rise of Voice over IP (VoIP).
False
Brian would like to conduct a port scan against his systems to determine how they look from an attacker's viewpoint. What tool can he use for this purpose?
Nmap
Beth must purchase firewalls for several network circuits used by her organization. Which one circuit will have the highest possible network throughput?
OC-12
Which of the following is an example of a logical access control?
Password
Which element of the security policy framework requires approval from upper management and applies to the entire organization?
Policy
Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed?
Preventative
What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act?
Publicly traded companies
What is NOT a symmetric encryption algorithm?
Rivest-Shamir-Adleman (RSA)
Which of the following is NOT one of the four fundamental principles outlined by the Internet Society that will drive the success of IoT innovation?
Secure
Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?
Separation of duties
Gwen is investigating an attack. An intruder managed to take over the identity of a user who was legitimately logged into Gwen's company's website by manipulating Hypertext Transfer Protocol (HTTP) headers. Which type of attack likely took place?
Session hijacking
In which type of attack does the attacker attempt to take over an existing connection between two systems?
Session hijacking
Which set of characteristics describes the Caesar cipher accurately?
Symmetric, stream, substitution
A salt value is a set of random characters you can combine with an actual input key to create the encryption key.
True
A successful business impact analysis (BIA) maps the context, the critical business functions, and the processes on which they rely.
True
Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it.
True
Defense in depth is the practice of layering defenses to increase overall security and provide more reaction time to respond to incidents.
True
Examples of major disruptions include extreme weather, application failure, and criminal activity.
True
Payment Card Industry Data Security Standard (PCI DSS) version 3.2 defines 12 requirements for compliance, organized into six groups called control objectives.
True
Simple Network Management Protocol (SNMP) is used for network device monitoring, alarm, and performance.
True
Standards are used when an organization has selected a solution to fulfill a policy goal.
True
The recovery point objective (RPO) can come from the business impact analysis or sometimes from a government mandate, such as banking laws.
True
Which activity manages the baseline settings for a system or device?
Configuration control
Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter?
Trojan horse
Internet Small Computer System Interface (iSCSI) is a storage networking standard used to link data storage devices to networks using IP for its transport layer.
True
Some vending machines are equipped with a cellular phone network antenna for secure credit card transaction processing.
True
The term risk methodology refers to a list of identified risks that results from the risk-identification process.
True
Which one of the following is typically used during the identification phase of a remote access connection?
Username
What wireless security technology contains significant flaws and should never be used?
Wired Equivalent Privacy (WEP)
The Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool, which can be used as a self-assessment tool for identifying a bank or financial institution's cyber security maturity.
True
Joey would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs?
Collaboration
Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need?
Mantraps
Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?
Typosquatting
Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?
BYOD
American National Standards Institute (ANSI) was formed in 1918 through the merger of five engineering societies and three government agencies.
True
When should an organization's managers have an opportunity to respond to the findings in an audit?
Managers should include their responses to the draft audit report in the final audit report.
What series of Special Publications does the National Institute of Standards and Technology (NIST) produce that covers information systems security activities?
800
Which item in a BYOD policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?
Data ownership
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the service set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?
Evil twin
Which one of the following is an example of a direct cost that might result from a business disruption?
Facility repair
Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring?
False positive error
An IT security policy framework is like an outline that identifies where security controls should be used.
True
Implementing and monitoring risk responses are part of the risk management process.
True
In an incremental backup, you start with a full backup when network traffic is light. Then, each night, you back up only that day's changes.
True
The International Telecommunication Union (ITU) was formed in 1865 as the International Telegraph Union to develop international standards for the emerging telegraph communications industry.
True
The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege.
True
Using a secure logon and authentication process is one of the six steps used to prevent malware.
True
Bob has a high-volume virtual private network (VPN). He would like to use a device that would best handle the required processing power. What type of device should he use?
VPN concentrator