InfoSec exam 1
Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
(ISC)2
Which of the following is NOT used to categorize some types of law?
international
Any court can impose its authority over an individual or organization if it can establish which of the following?
jurisdiction
The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response.
justification
A type of attack where the adversary intercepts network packets, modifies them, and inserts them back into the network is called a ____________.
man-in-the-middle
In the __________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
man-in-the-middle
Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP.
management guidance, technical specifications
A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective is known as a ____________.
methodology
A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________.
methodology
A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective, is known as a(n) ____________.
methodology
Access control list user privileges include all but which of these?
operate
Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
organization
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) __________.
penetration tester
Which function of InfoSec management encompasses security personnel as well as aspects of the SETA program?
people
_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present.
portable
Which of the following is NOT a primary function of information security management?
projects
The hash values for a wide variety of passwords can be stored in a database known as a(n) __________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined.
rainbow table
An attack that uses phishing techniques along with specialized forms of malware to encrypt the victim's data files is known as __________.
ransomware
To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology.
reading level
Which of the following is compensation for a wrong committed by an individual or organization?
restitution
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________.
search warrant
"4-1-9" fraud is an example of a __________ attack.
social engineering
The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property, is called __________.
software piracy
When creating a __________, each level of each division translates its goals into more specific goals for the level below it.
strategic plan
A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.
team leader
Which of the following are the two general groups into which SysSPs can be separated?
technical specifications and managerial guidance
When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________.
the type of crime committed
Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer?
theft
Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________.
threat
The basic outcomes of InfoSec governance should include all but which of the following?
time management by aligning resources with personnel schedules and organizational objectives
Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access.
trespass
A clearly directed strategy flows from top to bottom rather than from bottom to top.
true
A maintenance model is intended to focus ongoing maintenance efforts so as to keep systems usable and secure.
true
Deterrence is the best method for preventing an illegal or unethical activity. ____________
true
Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________
true
Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs. ____________
true
InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________
true
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
true
The Secret Service is charged with the detection and arrest of any person who commits a U.S. federal offense relating to computer fraud, as well as false identification crimes.
true
The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. __________
true
Today's InfoSec systems need constant monitoring, testing, modifying, updating, and repairing.
true
The Gramm-Leach-Bliley (GLB) Act, also known as the Financial Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies. ___________
true (I think)
Which law extends protection to intellectual property, which includes words published in electronic formats?
us copyright law
Which of the following is a key advantage of the bottom-up approach to security implementation?
utilizes the technical expertise of the individual administrators
In which SDLC model does the work product from each phase transition into the next phase to serve as its starting point while allowing movement back to a previous phase should the project require it?
waterfall
Which statement defines the differences between a computer virus and a computer worm?
worm exists and propagates on a computer network while a virus needs the host to be active to survive and needs people's lack of awareness to propagate
What are the two general approaches for controlling user authorization for the use of a technology?
Access control lists and capability tables
What function will an audit log provide when it is configured to track user activity on an information system?
Accountability
Which of the following should be included in an InfoSec governance program?
An InfoSec risk management methodology
Policy __________ means the employee must agree to the policy.
Compliance
Which of the following are instructional codes that guide the execution of the system when information is passing through it?
Configuration rules
Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?
DMCA
Which type of attack involves sending a large number of connection or information requests to a target?
Denial-of-service (DoS)
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)?
Deontological ethics
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?
Deontological ethics
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past, attempting to answer the question, what do others think is right?
Descriptive ethics
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls.
Deterrence
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?
Due diligence
Which policy is the highest level of policy and is usually created first?
EISP
Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
Electronic Communications Privacy Act
"Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. __________
False
Ethics carry the sanction of a governing authority.
False
ISACA is a professional association with a focus on authorization, control, and security. ________
False - auditing (maybe)
Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
HIPAA
A law that addresses privacy and security concerns associated with the electronic transmission of Personal Healthcare Information is the ____________?
Health Information Technology for Economic and Clinical Health Act
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
Hold regular meetings with the CIO to discuss tactical InfoSec planning
In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________.
Identifying relevant items of evidentiary value.
In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies?
Implementation
In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
Implementation
__________ is the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair edge over them.
Industrial espionage
Which of the following is a common element of the enterprise information security policy?
Information on the structure of the InfoSec organization
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is not one of them?
Malice
Which of the following explicitly declares the business of the organization and its intended areas of operations?
Mission statement
The protection of voice and data components, connections, and content is known as __________ security.
Network
Which of the following functions of information security management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
Policy
Which of the following is NOT one of the basic rules that must be followed when developing a policy?
Policy should be agreed upon by all employees and management
Which of the following is not one of the basic rules that must be followed when shaping a policy?
Policy should be agreed upon by all employees and management.
Which of the following is recognition that data used by an organization should only be used for the purposes stated by the information owner at the time it was collected?
Privacy
Which of the following is NOT an approach to password cracking?
Ransomware
Which of the following is the first step in the problem-solving process?
Recognize and define the problem
When solving problems, what is the first step?
Recognize and define the problem.
Which type of document is a more detailed statement of what must be done to comply with a policy?
Standard
Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
Tactical
Which law is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
The Electronic Communications Privacy Act of 1986
In addition to specifying acceptable and unacceptable behavior, what else must a policy specify?
The penalties for violation of the policy
A malware program that hides its true nature and reveals its designed behavior only when activated is called a ____________.
Trojan horse
According to the CGTF, the organization should treat InfoSec as an integral part of the system life cycle. ____________
True
Which law extends protection to intellectual property, which includes words published in electronic formats?
U.S. Copyright Law
Which of the following is NOT a step in the problem-solving process?
Use trial and error in a problem
Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infractions?
Violations of Policy
Which statement defines the differences between a computer virus and a computer worm?
Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate.
What do audit logs that track user activity on an information system provide?
accountability
In the __________ phase of the SecSDLC, the team studies the documents from earlier and looks at relevant legal issues that could affect the design of the security solution.
analysis
The most complex part of an investigation is usually __________.
analysis for potential EM
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) __________.
attack
The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
authentication
A process that defines what the user is permitted to do is known as __________.
authorization
Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
back door
A long-term interruption in electrical power availability is known as a ____________.
blackout
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
can suffer from poor policy dissemination, enforcement, and review
A high-level executive such as a CIO or VP-IT, who will provide political support and influence for a specific project, is known as a(n) _________.
champion
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a __________.
chief information security officer
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
data owners
Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
data users
Internal and external stakeholders, such as customers, suppliers, or employees who interact with information in support of their organization's planning and operations, are known as ____________.
data users
According to the Corporate Governance Task Force (CGTF), during which phase of the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
establishing
Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________.
evidentiary material (EM)
A technique used to compromise a system is known as a(n) __________.
exploit
A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of systems.
false
A(n) compromise law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. ____________
false
Because most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered because it makes the process too complex.
false
Corruption of information can occur only while information is being stored.
false
DoS attacks cannot be launched against routers.
false
Examples of actions that illustrate compliance with policies are known as laws. __________
false
The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for.
false
The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. __________
false
The authorization process takes place before the authentication process.
false
The first step in solving problems is to gather facts and make assumptions.
false
A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. __________
false - sniffer
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________.
forensics
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly is known as __________.
governance
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus __________.
hoaxes
The protection of confidentiality, integrity, and availability of data regardless of its location is known as __________ security.
information
Blackmail threat of informational disclosure is an example of which threat category?
information extortion
Force majeure includes all of the following EXCEPT:
Armed robbery
The C.I.A. triad for computer security includes which of these characteristics?
Availability
Which phase of the SDLC should see clear articulation of goals?
Investigation
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
Issue-specific