Chapter 1, 2, 3, 4, 5


DIAMETER is a research and development project funded by the European Commission.

False

Which term describes any action that could damage an asset? a. Likelihood b. Countermeasure c. Vulnerability d. Threat

d. Threat

A bricks-and-mortar strategy includes marketing and selling goods and services on the Internet.

False

Denial of service (DoS) attacks are larger in scope than distributed denial of service (DDoS) attacks.

False

Hypertext Transfer Protocol (HTTP) encrypts data transfers between secure browsers and secure web pages.

False

IoT devices cannot share and communicate your IoT device data to other systems and applications without your authorization or knowledge.

False

Removable storage is a software application that allows an organization to monitor and control business data on a personally owned device.

False

The auto industry has not yet implemented the Internet of Things (IoT).

False

The main difference between a virus and a worm is that a virus does not need a host program to infect.

False

A dictionary attack works by hashing all the words in a dictionary and then comparing the hashed value with the system password file to discover a match.

True

A man-in-the-middle attack takes advantage of the multihop process used by many types of networks.

True

Access control lists (ACLs) are used to permit and deny traffic in an IP router.

True

An alteration threat violates information integrity.

True

Application service providers (ASPs) are software companies that build applications hosted in the cloud and on the Internet.

True

Authorization is the process of granting rights to use an organization's IT assets, systems, applications, and data to a specific user.

True

Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it.

True

Encrypting the data within databases and storage devices gives an added layer of security.

True

In a Bring Your Own Device (BYOD) policy, the user acceptance component may include separation of private data from business data.

True

Metadata of Internet of Things (IoT) devices can be sold to companies seeking demographic marketing data about users and their spending habits.

True

Screen locks are a form of endpoint device security control.

True

The Gramm-Leach-Bliley Act (GLBA) addresses information security concerns in the financial industry.

True

The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks.

True

When servers need operating system upgrades or patches, administrators take them offline intentionally so they can perform the necessary work without risking malicious attacks.

True

Lidia would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario? Select one: a. Discretionary access control (DAC) b. Mandatory access control (MAC) c. Rule-based access control d. Role-based access control (RBAC)

a. Discretionary access control (DAC)

Which one of the following is an example of a disclosure threat? Select one: a. Espionage b. Alteration c. Denial d. Destruction

a. Espionage

Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place? Select one: a. Evil twin b. Wardriving c. Bluesnarfing d. Replay attack

a. Evil twin

With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network? Select one: a. Home agent (HA) b. Foreign agent (FA) c. Care of address (COA) d. Correspondent node (CN)

a. Home agent (HA)

Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that will have the shortest switchover time even though it may be costly. What would be the best option in this situation? Select one: a. Hot site b. Warm site c. Cold site d. Primary site

a. Hot site

Which element of the security policy framework requires approval from upper management and applies to the entire organization? Select one: a. Policy b. Standard c. Guideline d. Procedure

a. Policy

Which group is the most likely target of a social engineering attack? Select one: a. Receptionists and administrative assistants b. Information security response team c. Internal auditors d. Independent contractors

a. Receptionists and administrative assistants

Fernando is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use? Select one: a. Risk Management Guide for Information Technology Systems (NIST SP 800-30) b. CCTA Risk Analysis and Management Method (CRAMM) c. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) d. ISO/IEC 27005, "Information Security Risk Management"

a. Risk Management Guide for Information Technology Systems (NIST SP 800-30)

What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications? Select one: a. Security Assertion Markup Language (SAML) b. Secure European System for Applications in a Multi-Vendor Environment (SESAME) c. User Datagram Protocol (UDP) d. Password Authentication Protocol (PAP)

a. Security Assertion Markup Language (SAML)

From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)? Select one: a. Security risks will increase. b. Security risks will decrease. c. Security risks will stay the same. d. Security risks will be eliminated.

a. Security risks will increase.

Which one of the following is an example of two-factor authentication? Select one: a. Smart card and personal identification number (PIN) b. Personal identification number (PIN) and password c. Password and security questions d. Token and smart card

a. Smart card and personal identification number (PIN)

Which classification level is the highest level used by the U.S. federal government? Select one: a. Top Secret b. Secret c. Confidential d. Private

a. Top Secret

Which one of the following is typically used during the identification phase of a remote access connection? Select one: a. Username b. Password c. Token d. Fingerprint

a. Username

The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control. Select one: a. security kernel b. CPU c. memory d. co-processor

a. security kernel

Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement? Select one: a. Privacy b. Bring Your Own Device (BYOD) c. Acceptable use d. Data classification

b. Bring Your Own Device (BYOD)

Bob recently accepted a position as the information security and compliance manager for a medical practice. Which regulation is likely to most directly apply to Bob's employer? a. Federal Information Security Management Act (FISMA) b. Health Insurance Portability and Accountability Act (HIPAA) c. Children's Internet Protection Act (CIPA) d. Gramm-Leach-Bliley Act (GLBA)

b. Health Insurance Portability and Accountability Act (HIPAA)

Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet? Select one: a. Internet Society b. Internet Engineering Task Force c. Internet Association d. Internet Authority

b. Internet Engineering Task Force

Which network device is capable of blocking network connections that are identified as potentially malicious? Select one: a. Intrusion detection system (IDS) b. Intrusion prevention system (IPS) c. Demilitarized zone (DMZ) d. Web server

b. Intrusion prevention system (IPS)

Which type of authentication includes smart cards? Select one: a. Knowledge b. Ownership c. Location d. Action

b. Ownership

A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals? Select one: a. Health Insurance Portability and Accountability Act (HIPAA) b. Payment Card Industry Data Security Standard (PCI DSS) c. Federal Information Security Management Act (FISMA) d. Federal Financial Institutions Examination Council (FFIEC)

b. Payment Card Industry Data Security Standard (PCI DSS)

Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri? Select one: a. Cracker b. White-hat hacker c. Black-hat hacker d. Grey-hat hacker

b. White-hat hacker

During which phase of the access control process does the system answer the question, "What can the requestor access?" Select one: a. Identification b. Authentication c. Authorization d. Accountability

c. Authorization

Which technology can be used to protect the privacy rights of individuals and simultaneously allow organizations to analyze data in aggregate? Select one: a. Encryption b. Decryption c. Deidentification d. Aggregation

c. Deidentification

Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers? Select one: a. FFIEC b. FISMA c. HIPAA d. PCI DSS

c. HIPAA

Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)? Select one: a. Virtual workplace b. Infrastructure monitoring c. Health monitoring d. Supply chain management

c. Health monitoring

Which one of the following is NOT a good technique for performing authentication of an end user? Select one: a. Password b. Biometric scan c. Identification number d. Token

c. Identification number

Which Internet of Things (IoT) challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion? Select one: a. Security b. Privacy c. Interoperability d. Compliance

c. Interoperability

Which one of the following measures the average amount of time that it takes to repair a system, application, or component? Select one: a. Uptime b. Mean time to failure (MTTF) c. Mean time to repair (MTTR) d. Recovery time objective (RTO)

c. Mean time to repair (MTTR)

Which of the following does NOT offer authentication, authorization, and accounting (AAA) services? Select one: a. Remote Authentication Dial-In User Service (RADIUS) b. Terminal Access Controller Access Control System Plus (TACACS+) c. Redundant Array of Independent Disks (RAID) d. DIAMETER

c. Redundant Array of Independent Disks (RAID)

Ernie is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register? Select one: a. Description of the risk b. Expected impact c. Risk survey results d. Mitigation steps

c. Risk survey results

What is NOT one of the three tenets of information security? Select one: a. Confidentiality b. Integrity c. Safety d. Availability

c. Safety

In which type of attack does the attacker attempt to take over an existing connection between two systems? Select one: a. Man-in-the-middle attack b. URL hijacking c. Session hijacking d. Typosquatting

c. Session hijacking

As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct? Select one: a. Checklist test b. Parallel test c. Simulation test d. Structured walk-through

c. Simulation test

What type of malicious software masquerades as legitimate software to entice the user to run it? Select one: a. Virus b. Worm c. Trojan horse d. Rootkit

c. Trojan horse

Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering? Select one: a. Accuracy b. Reaction time c. Dynamism d. Acceptability

d. Acceptability

Malek wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Malek concerned about? Select one: a. Identification b. Authentication c. Authorization d. Accountability

d. Accountability

Which security control is most helpful in protecting against eavesdropping on wireless LAN (WLAN) data transmissions that would jeopardize confidentiality? Select one: a. Securing wiring closets b. Applying patches promptly c. Implementing LAN configuration standards d. Applying strong encryption

d. Applying strong encryption

Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value? Select one: a. Dictionary attack b. Rainbow table attack c. Social engineering attack d. Brute-force attack

d. Brute-force attack

Aaliyah would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs? Select one: a. Voice over IP (VoIP) b. Audio conferencing c. Video conferencing d. Collaboration

d. Collaboration

Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices? Select one: a. Support ownership b. Onboarding/offboarding c. Forensics d. Data ownership

d. Data ownership

Which one of the following is an example of a direct cost that might result from a business disruption? Select one: a. Damaged reputation b. Lost market share c. Lost customers d. Facility repair

d. Facility repair

Which compliance obligation includes security requirements that apply specifically to federal government agencies in the United States? Select one: a. Gramm-Leach-Bliley Act (GLBA) b. Health Insurance Portability and Accountability Act (HIPAA) c. Family Educational Rights and Privacy Act (FERPA) d. Federal Information Security Management Act (FISMA)

d. Federal Information Security Management Act (FISMA)

What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)? Select one: a. Secure European System for Applications in a Multi-Vendor Environment (SESAME) b. Lightweight Directory Access Protocol (LDAP) c. Security Assertion Markup Language (SAML) d. Kerberos

d. Kerberos

What level of technology infrastructure should you expect to find in a cold site alternative data center facility? Select one: a. Hardware and data that mirror the primary site b. Hardware that mirrors the primary site, but no data c. Basic computer hardware d. No technology infrastructure

d. No technology infrastructure

Tony is working with a law enforcement agency to place a wiretap pursuant to a legitimate court order. The wiretap will monitor communications without making any modifications. What type of wiretap is Tony placing? Select one: a. Active wiretap b. Between-the-lines wiretap c. Piggyback-entry wiretap d. Passive wiretap

d. Passive wiretap

Faisal's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Faisal should implement before accepting credit card transactions? Select one: a. Health Insurance Portability and Accountability Act (HIPAA) b. Family Educational Rights and Privacy Act (FERPA) c. Communications Assistance for Law Enforcement Act (CALEA) d. Payment Card Industry Data Security Standard (PCI DSS)

d. Payment Card Industry Data Security Standard (PCI DSS)

Which one of the following is NOT an advantage of biometric systems? Select one: a. Biometrics require physical presence. b. Biometrics are hard to fake. c. Users do not need to remember anything. d. Physical characteristics may change.

d. Physical characteristics may change.

Chris is writing a document that provides step-by-step instructions for end users seeking to update the security software on their computers. Performing these updates is mandatory. Which type of document is Chris writing? Select one: a. Policy b. Standard c. Guideline d. Procedure

d. Procedure

Which tool can capture the packets transmitted between systems over a network? Select one: a. Wardialer b. OS fingerprinter c. Port scanner d. Protocol analyzer

d. Protocol analyzer

Which term describes an action that can damage or compromise an asset? Select one: a. Likelihood b. Vulnerability c. Countermeasure d. Threat

d. Threat

Which type of attack against a web application uses a newly discovered vulnerability that is not patchable? Select one: a. SQL injection b. Cross-site scripting c. Cross-site request forgery d. Zero-day attack

d. Zero-day attack
