MISY 5325 - Cybersecurity Management - Midterm Exam


Tonya is performing a quantitative risk assessment for a piece of software. The single loss expectancy (SLE) is $500, and the associated annual rate of occurrence (ARO) is 3. What is the annual loss expectancy (ALE)?

1500

What is the minimum number of nodes required by a failover cluster?

2

Kevin is a disgruntled employee who was recently laid off from a major technology company. He wants to launch an attack on the company. Where might Kevin learn about vulnerabilities that he can exploit?

A blog

Carl is a security specialist. He is updating the organization's hardware inventory in the asset management system. Which of the following would be least helpful to record?

A competitor's product

Which of the following is most likely to be warez?

A file on your computer of a new TV episode you downloaded for free

What is a security policy? A. A method of patch management B. A high-level overview of security goals C. An access control D. A method of configuration management

A high-level overview of security goals

What is a whitelist?

A list of approved email addresses or domains

Which of the following is best described as attackers who focus on a specific target, have high levels of expertise, have almost unlimited resources, and are often sponsored by nation-states or terrorist groups? A. Vandals B. Saboteurs C. Advanced persistent threats (APTs) D. Disgruntled employees

Advanced persistent threats (APTs)

What is a publicly traded company? A. A company that is subsidized with public funds B. A company that must comply only with regulations under which federal agencies must comply C. A private company that enables public services, such as private hospitals or schools D. Any company that has stock that outside investors can buy or sell

Any company that has stock that outside investors can buy or sell

How can you determine the importance of a system?

By how the system is used

Jonathan is a security professional. He is part of a small group of people launching a startup company that will handle patient medical information. Jonathan is attempting to determine threats the company may face, criteria that will allow each threat to succeed, and the potential result. Which of the following would be most useful to Jonathan?

Cause and effect diagram

Which of the following is not a way that you can measure the value of a system when determining if the system requires five nines?

Confidentiality

What are the elements of the security triad?

Confidentiality, integrity, and availability

Carl is a security professional preparing to perform a risk assessment on database servers. He is reviewing the findings of a previous risk assessment. He is trying to determine which controls should be in place but were not implemented. Which of the following is typically found in a risk assessment report and would address Carl's needs?

Current status of accepted recommendations

Alice is an aspiring hacker. She wants to get information on computer and network vulnerabilities and ways to exploit applications. Which of the following is the best source? A. Common Vulnerabilities and Exposures (CVE) list B. Dark web C. United States Computer Emergency Readiness Team (US-CERT) website D. National Institute of Standards and Technology (NIST) website

Dark web

Lin is writing a risk management report. Of the major categories of reporting requirements, which one becomes the actual risk response plan?

Documenting and tracking implementation of accepted recommendations

When should you establish objectives for a risk management plan?

During the planning phase of a project

Aditya is assessing the value of IT systems. His company sells sporting goods online. One factor of his evaluation is the required availability of each system. Some systems must be available 24/7, while others must be available during regular business hours Monday through Friday. Which of the following would have the highest availability requirements?

E-commerce website server

In a quantitative risk assessment, what describes the loss that will happen to the asset as a result of a threat?

Exposure factor (EF)

Which of the following is a law that ensures that federal agencies protect their systems and data, comply with all elements of the law, and integrate security in all processes?

Federal Information Security Modernization Act (FISMA)

Jiang has been working on a risk management plan for his government agency. What information should he include in the report to management when he presents his risk management recommendations?

Findings, recommendation cost and time frame, and cost-benefit analysis (CBA)

In a risk management plan, how should you complete the step of describing the procedures and schedules for accomplishment? A. Create an affinity diagram and a threat-likelihood-impact matrix; assign the task to a stakeholder; and submit the official schedule to management. B. Present stakeholders with a list of vulnerabilities that need addressing and the steps involved with fixing each vulnerability; ask them to assess how long it will take them to address each of those vulnerabilities; and create an official schedule for the stakeholders based on their estimated timetable. C. For any threat or vulnerability, recommend a solution that attempts to mitigate associated risks; justify your recommendation; list the tasks necessary for addressing the vulnerability; and provide management with an estimate of how long it will take to complete the recommendation.

For any threat or vulnerability, recommend a solution that attempts to mitigate associated risks; justify your recommendation; list the tasks necessary for addressing the vulnerability; and provide management with an estimate of how long it will take to complete the recommendation.

What are the steps of a business continuity plan (BCP)?

Identify scope, identify key business areas, identify critical functions, identify dependencies between key business areas and critical functions, determine acceptable downtime, and create a plan to maintain operations

The following are major components of risk assessments, except:

Identifying insurance options

_______ are acts that are hostile to an organization.

Intentional threats

All of the following terms have the same meaning, except:

Internal network zone

Which of the following best describes the purpose of the Health Insurance Portability and Accountability Act (HIPAA)?

It helps to protect health information

Kyle works for the IT department. He is working in the asset management system. He is assigning the relevant IT infrastructure domain to each asset. Which is the best domain to assign to elements used to connect systems and servers together, such as hubs, switches, and routers?

LAN Domain

In which of the following domains does the IT infrastructure link to a wide area network (WAN) and the Internet? A. WAN Domain B. Systems/Applications Domain C. LAN Domain D. LAN-to-WAN Domain

LAN-to-WAN Domain

Which formula is used to determine the cost-benefit of a control, such as antivirus software? A. Loss after control implementation - Loss before control implementation - Cost of control B. Loss before control implementation - Loss after control implementation - Cost of control C. Loss before control implementation - Loss after control implementation × Cost of control D. Loss after control implementation - Loss before control implementation × Cost of control

Loss before control implementation - Loss after control implementation - Cost of control

Which of the following is not a vulnerability that might affect the website of an online company?

Loss of Internet connectivity

In a risk assessment, which of the following refers to how responsibilities are assigned?

Management Structure

Which of the following is a division of the U.S. Department of Commerce and publishes the Risk Management Framework (RMF) 800 special publication series?

National Institute of Standards and Technology (NIST)

When a fiduciary does not exercise due diligence, it can be considered:

Negligence

When should you perform a risk assessment?

Periodically after a control has been implemented

POAM stands for: A. processes of accountable management. B. plan of accurate mitigation. C. procedures of accident management. D. plan of action and milestones.

Plan of Action and Milestones

Isabelle is a project manager. Her company is regulated and subject to regular audits for compliance. One regulation the company needs to comply with is Health Insurance Portability and Accountability Act (HIPAA). Isabelle needs a tool for tracking the company's progress in meeting HIPAA compliance. The tool should also enable her to assign responsibility for tasks, and it should provide management an easy way to check the status of the project. Which of the following would be most useful in this situation?

Plan of action and milestones (POAM)

Which of the following allows one person to act for another for legal issues and sometimes is used if someone becomes mentally incapacitated? A. Power of attorney B. Acceptable use policy C. Due care D. Fiduciary responsibility

Power of attorney

What are the four major categories of risk management reporting requirements? A. Present recommendations; document management response to recommendations; document and track implementation of accepted recommendations; and create a plan of action and milestones (POAM) B. Present management responses; present justifications; present procedures; and present timelines C. Affinity diagrams, threat-likelihood-impact matrices, cost-benefit analyses (CBAs), and key stakeholders D. Risk management, risk evaluation, risk assessment, and risk mitigation

Present recommendations; document management response to recommendations; document and track implementation of accepted recommendations; and create a plan of action and milestones (POAM)

Hajar is a security professional for a government contractor. Her company recently hired three new employees for a special project, all of whom have a security clearance for Secret data. Rather than granting the employees access to all files and folders in the data repository, she is granting them access only to the data they need for the project. What principle is Hajar following?

Principle of need to know

What are the seven components of Control Objectives for Information and Related Technology (COBIT)?

Principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies

_____________ is the likelihood that a threat will exploit a vulnerability.

Probability

Which of the following is a type of control that is implemented with a written document?

Procedural

Isabella is a risk management specialist for her organization. She is training Arturo, a new hire, on aspects of risk management. Arturo asks her what factors he should consider when assigning a value to an asset. Which of the following does Isabella tell him is the least useful?

Qualitative risk assessment

What are the two primary methods used to create a risk assessment?

Quantitative and qualitative

____________ assessments are objective, while ___________ assessments are subjective.

Quantitative, qualitative

________ help(s) prevent a hard drive from being a single point of failure. __________ help(s) prevent a server from being a single point of failure. _________ help(s) prevent a person from being a single point of failure.

RAID, Failover clusters, Cross-training

Isabella works as a risk specialist for her company. She wants to determine which risks should be managed and which should not by applying a test to each risk. Risks that don't meet the test are accepted. What type of test does she apply? A. Control test B. Vulnerability test C. Reasonableness test D. Cost assessment

Reasonableness test

What is one source of risk reduction?

Reducing the impact of the loss

Oscar works for a health insurance company. He is creating a Health Insurance Portability and Accountability Act (HIPAA) compliance plan. In the section on monitoring, what should Oscar specify to be continuously monitored for changes?

Regulations and risks

Which of the following is not a common classification of data?

Risk

What is the practice of identifying, assessing, controlling, and mitigating risks? A. Social engineering B. Risk management C. Risk mitigation D. Vulnerability scanning

Risk management

Rodrigo is a network security specialist. He wants to perform real-time analysis of security data gathered from networked systems. Which of the following is the best solution for Rodrigo to implement?

Security information and event management (SIEM)

What is a major type of vulnerability for the User Domain?

Social engineering

What is the safeguard value in a quantitative risk assessment?

The cost of a control

The formulas used in a quantitative risk assessment typically look at a single year. The calculations can become quite complex if other costs are included. Which of the following is not usually included in the calculations?

The cost to maintain a control

Hajar is a security specialist. Her organization has about 500 systems that must be tracked for inventory purposes. She is preparing an email to her manager that describes the benefits of including specific details about software in the inventory, as well as the use of an automated asset management system. Which of the following is not one of those benefits?

The frequency of operating system upgrades will be reduced.

What is the primary reason to avoid risk?

The impact of the risk outweighs the benefit of the asset

What can you control about threat/vulnerability pairs?

The vulnerability only

_________ is the process of creating a list of threats.

Threat identification

A technician in a large corporation fixes a printer that was not receiving an IP address automatically by manually assigning it an address. The address was assigned to a server that was offline and being upgraded. When the server was brought online, it was no longer accessible. How could this problem have been avoided?

Through change management

Jiang has been working on a risk management plan for his government agency. He collected data on risks and recommendations, included that information in a report, and submitted it to management. What is the purpose of the report? A. To avoid several time-consuming presentations about each individual recommendation B. To inform management of the progress of the risk management task C. To help management decide which recommendations to use D. To help management assess how much of the risk was mitigated by the proposed solution

To help management decide which recommendations to use

What is the function of job rotation?

To prevent or reduce fraudulent activity

When the Federal Trade Commission (FTC) was created in 1914, what was its primary goal?

To prevent unfair methods of competition

What is the purpose of a mandatory vacation?

To reduce fraud and embezzlement

What is the primary reason security professionals automate some processes?

To reduce human error

What is the purpose of a plan of action and milestones (POAM)?

Tracks risk response actions

__________ damage for the sake of doing damage, and they often choose targets of opportunity. A. Vandals B. Saboteurs C. Advanced persistent threats (APTs) D. Disgruntled employees

Vandals

When does a threat/vulnerability pair occur?

When a threat exploits a vulnerability

A new company does not have a lot of revenue for the first year. Installing antivirus software for all the company's computers would be very costly, so the owners decide to forgo purchasing antivirus software for the first year of the business. In what domain of a typical IT infrastructure is a vulnerability created?

Workstation Domain

A warm site is:

a compromise between a hot site and a cold site.

The Family Educational Rights and Privacy Act (FERPA) applies to all of the following, except:

a medical center that hired recent nursing graduates.

A ___________ plan can help ensure that mission-critical systems continue to function after a disaster.

business continuity

A business impact analysis (BIA) is an important part of a _____________, and it can also be part of a __________.

business continuity plan, disaster recovery plan

A(n) _____________ is a process used to determine how to manage risk.

cost-benefit analysis (CBA)

A ___________ plan can help you identify steps needed to restore a failed system.

disaster recovery

When compliance is mandated by law, companies often participate in _______, which provide third-party verification that requirements are being met.

external audits

According to the World Intellectual Property Organization (WIPO), the two categories of intellectual property (IP) are _______________ and _______________.

industrial property, copyright

All of the following are reasons why configuration management is an important risk management process, except:

it reduces unintended outages.

The term "big data" is most closely associated with:

large databases.

It is common to focus the scope of a risk assessment on system ownership, because doing so:

makes it easier to implement recommendations.

Threat ___________ is a process used to identify possible threats on a system.

modeling

Email addresses or domains ______________ are automatically marked as spam.

on a blacklist

All of the following are examples of hardware assets, except:

operating system.

A _____________ policy governs how patches are understood, tested, and rolled out to systems and clients.

patch management

An exploit assessment is also known as a(n):

penetration test.

Qualitative risk assessments determine the level of risk based on the __________ and _________ of risk.

probability, impact

A(n) _________ is the likelihood that something unexpected is going to occur.

risk

A(n) ___________________ is performed to identify and evaluate risks.

risk assessment

Another term for risk mitigation is:

risk reduction.

Companies use risk assessment strategies to differentiate ___________ from _________.

severe risks, minor risks

When your bank or credit card company sends you a notification of changes in how it collects or shares data, it is sending that notification in compliance with:

the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA).

Hardening a server refers to: A. expanding its attack surface. B. a type of attack that removes the authorization to access a company's systems from high-level employees in a corporation. C. the combination of all the steps that it takes to protect a vulnerable system and make it more secure than the default installation. D. a type of attack that deletes vital data from a server.

the combination of all the steps that it takes to protect a vulnerable system and make it more secure than the default installation.

Regarding risk assessments, _____________ define(s) what a system does.

the mission of the system

All of the following are true of risk assessment scope identification, except: A. the scope identifies the boundary of a risk assessment. B. when participants understand the scope, they are less likely to change it. C. identifying the scope of a risk assessment helps keep it on track. D. the system or network administrator ultimately decides what is included in the scope of a risk assessment.

the system or network administrator ultimately decides what is included in the scope of a risk assessment.

Total risk equals: A. threat × vulnerability. B. threat × vulnerability × asset value. C. benefit - cost. D. (benefit - cost) × asset value.

threat × vulnerability × asset value.

What is Total Risk?

threat × vulnerability × asset value.

A(n) _________ provides secure access to a private network over a public network such as the Internet.

virtual private network (VPN)

All of the following are true of risk assessment critical area identification, except: A. identifying critical areas helps the risk assessment team focus on what's important. B. when critical areas are identified, areas that are least critical to the business should be the first priority. C. the risk assessment needs to balance potential profits and losses. D. losses that threaten an organization's survivability are critical.

when critical areas are identified, areas that are least critical to the business should be the first priority.

A __________ is a computer joined to a botnet.

zombie
