Info Sec Chapters 3, 4, 5 (Midterm)
Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?
Accountability
During which phase of the access control process does the system answer the question, "What can the requestor access?"
Authorization
The four central components of access control are users, resources, actions, and features. (T/F)
False
Which term describes an action that can damage or compromise an asset?
Threat
Failing to prevent an attack all but invites an attack. (T/F)
True
Which password attack is typically used specifically against password files that contain cryptographic hashes?
Birthday attacks
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
Business continuity plan (BCP)
Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?
Data ownership
Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register?
Description of the risk
What is the first step in a disaster recovery effort?
Ensure that everyone is safe.
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?
Evil twin
Which type of attack involves the creation of some deception in order to trick unsuspecting users?
Fabrication
A rootkit uses a directed broadcast to create a flood of network traffic for the victim computer. (T/F)
False
An attacker uses exploit software when wardialing. (T/F)
False
Continuity of critical business functions and operations is the first priority in a well-balanced business continuity plan (BCP). (T/F)
False
Most enterprises are well prepared for a disaster should one occur. (T/F)
False
Passphrases are less secure than passwords. (T/F)
False
Regarding data center alternatives for disaster recovery, a mobile site is the least expensive option but at the cost of the longest switchover time. (T/F)
False
Spam is some act intended to deceive or trick the receiver, normally in email messages. (T/F)
False
The first step in creating a comprehensive disaster recovery plan (DRP) is to document likely impact scenarios. (T/F)
False
The number of failed logon attempts that trigger an account action is called an audit logon event. (T/F)
False
You should use easy-to-remember personal information to create secure passwords. (T/F)
False
What compliance regulation applies specifically to the educational records maintained by schools about students?
Family Educational Rights and Privacy Act (FERPA)
Which of the following is NOT a benefit of cloud computing to organizations?
Lower dependence on outside vendors
Which of the following is an example of a hardware security control?
MAC filtering
Which one of the following is an example of a reactive disaster recovery control?
Moving to a warm site
Which one of the following is an example of a disclosure threat?
NOT Alteration
What is NOT a commonly used endpoint security technique?
Network firewall
Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?
Parallel test
Tony is working with a law enforcement agency to place a wiretap pursuant to a legitimate court order. The wiretap will monitor communications without making any modifications. What type of wiretap is Tony placing?
Passive wiretap
Which one of the following is NOT an advantage of biometric systems?
Physical characteristics may change
Which group is the most likely target of a social engineering attack?
Receptionists and administrative assistants
Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?
Redundant Array of Independent Disks (RAID)
George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?
Risk Management Guide for Information Technology Systems (NIST SP800-30)
What is NOT one of the three tenets of information security?
Safety
In which type of attack does the attacker attempt to take over an existing connection between two systems?
Session hijacking
As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct?
Simulation test
Which one of the following is an example of two-factor authentication?
Smart card and personal identification number (PIN)
Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place?
Spim
Which one of the following principles is NOT a component of the Biba integrity model?
Subjects cannot change objects that have a lower integrity level.
A surge protector is an example of a preventative component of a disaster recovery plan (DRP). (T/F)
True
Fingerprints, palm prints, and retina scans are types of biometrics. (T/F)
True
Log files are records that detail who logged on to a system, when they logged on, and what information or resources they used. (T/F)
True
The Government Information Security Reform Act (Security Reform Act) of 2000 focuses on management and evaluation of the security of unclassified and national security systems. (T/F)
True
The Gramm-Leach-Bliley Act (GLBA) addresses information security concerns in the financial industry. (T/F)
True
The business impact analysis (BIA) identifies the resources for which a business continuity plan (BCP) is necessary. (T/F)
True
The recovery point objective (RPO) is the maximum amount of data loss that is acceptable. (T/F)
True
The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks. (T/F)
True
The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks. (T/F)
True
An attacker attempting to break into a facility pulls the fire alarm to distract the security guard manning an entry point. Which type of social engineering attack is the attacker using?
Urgency
Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?
Warm site
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?
White-hat hacker
Which security model does NOT protect the integrity of information?
?
Which one of the following is the best example of an authorization control?
Access control lists
Which control is not designed to combat malware?
Firewalls
Which type of authentication includes smart cards?
Ownership
Which type of attack against a web application uses a newly discovered vulnerability that is not patchable?
Zero-day attack
The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation?
13
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?
Brute-force attack
Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?
Crossover error rate (CER)
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
Discretionary access control (DAC)
Which one of the following is an example of a direct cost that might result from a business disruption?
Facility repair
Terminal Access Controller Access Control System Plus (TACACS+) is an authentication server that uses client and user configuration files. (T/F)
False
The anti-malware utility is one of the most popular backdoor tools in use today. (T/F)
False
The term risk methodology refers to a list of identified risks that results from the risk-identification process. (T/F)
False
Voice pattern biometrics are accurate for authentication because voices can't easily be replicated by computer software. (T/F)
False
Wardialers are becoming more frequently used given the rise of Voice over IP (VoIP). (T/F)
False
Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers?
HIPAA
Which one of the following is an example of a logical access control?
Password
A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?
Payment Card Industry Data Security Standard (PCI DSS)
Which tool can capture the packets transmitted between systems over a network?
Protocol analyzer
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
Recovery time objective (RTO)
What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?
Security Assertion Markup Language (SAML)
What type of malicious software masquerades as legitimate software to entice the user to run it?
Trojan horse
A DoS attack is a coordinated attempt to deny service by occupying a computer to perform large amounts of unnecessary tasks. (T/F)
True
A birthday attack is a type of cryptographic attack that is used to make a brute-force attack on one-way hashes easier. (T/F)
True
A degausser creates a magnetic field that erases data from magnetic storage media. (T/F)
True
A dictionary attack works by hashing all the words in a dictionary and then comparing the hashed value with the system password file to discover a match. (T/F)
True
A dictionary password attack is a type of attack in which one person, program, or computer disguises itself as another person, program, or computer to gain access to some resource. (T/F)
True
A disaster recovery plan (DRP) directs the actions necessary to recover resources after a disaster. (T/F)
True
A phishing email is a fake or bogus email intended to trick the recipient into clicking on an embedded URL link or opening an email attachment. (T/F)
True
A smart card is a token shaped like a credit card that contains one or more microprocessor chips that accept, store, and send information through a reader. (T/F)
True
A trusted operating system (TOS) provides features that satisfy specific government requirements for security. (T/F)
True
An alteration threat violates information integrity. (T/F)
True
Rootkits are malicious software programs designed to be hidden from normal methods of detection. (T/F)
True
Single sign-on (SSO) can provide for stronger passwords because with only one password to remember, users are generally willing to use stronger passwords. (T/F)
True
When servers need operating system upgrades or patches, administrators take them offline intentionally so they can perform the necessary work without risking malicious attacks. (T/F)
True
Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?
Typosquatting
Which one of the following is NOT a commonly accepted best practice for password security?
Use at least six alphanumeric characters.
Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service?
80
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?
Acceptability
Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place?
Address Resolution Protocol (ARP) poisoning
A security policy is a comparison of the security controls you have in place and the controls you need in order to address all identified threats. (T/F)
False
DIAMETER is a research and development project funded by the European Commission. (T/F)
False
Denial of service (DoS) attacks are larger in scope than distributed denial of service (DDoS) attacks. (T/F)
False
What level of technology infrastructure should you expect to find in a cold site alternative data center facility?
No technology infrastructure
Which formula is typically used to describe the components of information security risks?
Risk = Threat × Vulnerability
Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?
Separation of duties
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
security kernel
Common methods used to identify a user to a system include username, smart card, and biometrics. (T/F)
True
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?
Kerberos
Which type of denial of service attack exploits the existence of software flaws to disrupt a service?
Logic attack
Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales?
Opportunity cost