Information Security Test 2
Which type of cipher works by rearranging the characters in a message?
transposition
Which regulatory standard would NOT require audits of companies in the United States?
Personal Information Protection and Electronic Documents Act
________ is the concept that users should be granted only the levels of permissions they need in order to perform their duties.
Principle of least privilege
Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
Project Initiation and planning
What technology is the most secure way to encrypt wireless communications?
WPA
There are several types of software development methods, but most traditional methods are based on the ________ model.
Waterfall
In 1989, the IAB issued a statement of policy about Internet ethics. This document is known as ________.
RFC 1087
The two basic types of ciphers are transposition and substitution. t/f
True
A __________ is a generally agreed-upon technology, method, or format for a given application, such as the TCP/IP protocol.
standard
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?
waterfall
What is NOT generally a section in an audit report?
System configurations
Data classification is the responsibility of the person who owns the data. t/f
True
Encryption ciphers fall into two general categories: symmetric (private) key and asymmetric (public) key. t/f
True
Security administration is the group of individuals responsible for the planning, design, implementation, and monitoring of an organization's security plan. t/f
True
The three basic types of firewalls are packet filtering, application proxy, and stateful inspection. t/f
True
Which activity is an auditor least likely to conduct during the information-gathering phase of an audit?
report writing
Which simple network device helps to increase network performance by using the MAC address to send network traffic only to its intended destination?
switch
An audit examines whether security controls are appropriate, installed correctly, and __________.
Addressing their purpose
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?
Alice's private key
Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?
Alice's public key
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?
Audit
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Baseline
A __________ is a standard used to measure how effective your system is as it relates to industry expectations.
Benchmark
Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting?
Black-box test
Alice would like to send a message to Bob securely and wishes to encrypt the contents of the message. What key does she use to encrypt this message?
Bob's public key
A plan that contains the actions needed to keep critical business processes running after a disruption is called a __________.
Business Continuity Plan
Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?
Checklist
An algorithm used for cryptographic purposes is known as a __________.
Cipher
Which activity manages the baseline settings for a system or device?
Configuration Control
The change management process includes ________ control and ________ control.
Configuration, change
__________ offers a mechanism to accomplish four security goals: confidentiality, integrity, authentication, and nonrepudiation.
Cryptography
Host isolation is the isolation of internal networks and the establishment of a(n) __________.
DMZ
Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?
Decryption
What information should an auditor share with the client during an exit interview?
Details on major issues
An IDS is what type of control?
Detective Control
A __________ signature is a representation of a physical signature stored in a digital format.
Digital
A plan that details the steps to recover from a major disruption and restore the infrastructure necessary for normal business operations is a __________.
Disaster Recovery Plan
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?
Does the firewall properly block unsolicited network connection attempts?
The act of scrambling plaintext into ciphertext is known as __________.
Encryption
A hardened configuration is a system that has had unnecessary services enabled. t/f
False
DHCP provides systems with their MAC addresses. t/f
False
IP addresses are assigned to computers by the manufacturer. t/f
False
The basic job of a __________ is to enforce an access control policy at the border of a network.
Firewall
Which software testing method provides random input to see how software handles unexpected data?
Fuzzing
What is a set of concepts and policies for managing IT infrastructure, development, and operations?
IT Infrastructure Library
Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?
Is the security control likely to become obsolete in the near future?
When should an organization's managers have an opportunity to respond to the findings in an audit?
Managers should include their responses to the draft audit report in the final audit report.
__________ is the limit of time that a business can survive without a particular critical system.
Maximum Tolerable Downtime (MTD)
What technology allows you to hide the private IPv4 address of a system from the Internet?
NAT
Which security testing activity uses tools that scan for services running on systems?
Network mapping
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
Phishing
What layer of the OSI Reference Model is most commonly responsible for encryption?
Presentation
What is NOT a symmetric encryption algorithm?
RSA
What is the correct order of steps in the change control process?
Request, impact assessment, approval, build/test, implement, monitor
Risk that remains even after risk mitigation efforts have been implemented is known as __________ risk.
Residual
Which item is an auditor least likely to review during a system controls audit?
Resumes of system administrators
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request?
SOC 3
Which VPN technology allows users to initiate connections over the Web?
SSL
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?
Secure Sockets Layer (SSL)
A common platform for capturing and analyzing log entries is __________.
Security information and event management
Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?
Security information and event management
A(n) __________ is a formal contract between your organization and an outside firm that details the specific services the firm will provide.
Service Level Agreement
In __________ methods, the IDS compares current traffic with activity patterns consistent with those of a known network intrusion via pattern matching and stateful matching.
Signature based
Which intrusion detection system strategy relies upon pattern matching?
Signature detection
A(n) __________ is a critical element in every corporate network today, allowing access to an organization's resources from almost anywhere in the world.
Wide area network
A __________ is used to detect forgeries.
checksum
Which cryptographic attack offers cryptanalysts the most information about how an encryption algorithm works?
chosen plaintext
An organization does not have to comply with both regulatory standards and organizational standards. t/f
False
What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature?
hash
__________ is used when it's not as critical to detect and respond to incidents immediately.
Non-real-time monitoring
When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?
nonrepudiation
__________ corroborates the identity of an entity, whether the sender, the sender's computer, some device, or some information.
nonrepudiation
A __________ is a device that interconnects two or more networks and selectively interchanges packets of data between them.
router
What firewall topology supports the implementation of a DMZ?
screened subnet
Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring?
False positive error
Which of the following is true of procedures?
They provide for places within the process to conduct assurance checks.
Policy sets the tone and culture of the organization. t/f
True
DES, IDEA, RC4, and WEP are examples of __________.
Symmetric algorithms
A secure virtual private network (VPN) creates an authenticated and encrypted channel across some form of public network. t/f
True
A vulnerability is any exposure that could allow a threat to be realized. t/f
True
The process of describing a risk scenario and then determining the degree of impact that event would have on business operations is quantitative risk analysis. t/f
False
Any event that either violates or threatens to violate your security policy is known as a(n) __________.
Incident
Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve?
Integrity
The basic model for how you can build and use a network and its resources is known as the __________.
Open Systems Interconnection (OSI) Reference Model
Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?
Prudent
The review of the system to learn as much as possible about the organization, its systems, and networks is known as __________.
Reconnaissance
__________ involve the standardization of the hardware and software solutions used to address a security risk throughout the organization.
Standards
An encryption cipher that uses the same key to encrypt and decrypt is called a(n) __________ key.
Symmetric
More and more organizations use the term ________ to describe the entire change and maintenance process for applications.
System development lifecycle
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?
System integrity monitoring
__________ is a suite of protocols that was developed by the Department of Defense to provide a highly reliable and fault-tolerant network infrastructure.
TCP/IP
The security program requires documentation of:
The security process; the policies, procedures, and guidelines adopted by the organization; and the authority of the persons responsible for security
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make this type of classification decision?
Threat
A strong hash function is designed so that a forged message cannot result in the same hash as a legitimate message. t/f
True
Configuration management is the management of modifications made to the hardware, software, firmware, documentation, test plans, and test documentation of an automated system throughout the system life cycle. t/f
True
Some of the tools and techniques used in security monitoring include baselines, alarms, closed-circuit TV, and honeypots. t/f
True
The primary steps to disaster recovery include the safety of individuals, containing the damage, and assessing the damage and beginning the recovery operations. t/f
True
When you use a control that costs more than the risk involved, you're making a poor management decision. t/f
True