SEC 2nd Midterm


Which of the following statements is true regarding SQL Injection attacks?

Their likelihood can be reduced through regular testing.

Which of the following statements is true regarding cross-site scripting (XSS) attacks?

They are one of the most common web attacks.

Why do hackers often send zipped and encrypted files and attachments?

They cannot be opened by antivirus software and so they will often reach the recipient.

Network access control (NAC) works on wired and wireless networks.

True

What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4012?

Senior System Manager

Alice would like to send a message to Bob securely and wishes to encrypt the contents of the message. What key does she use to encrypt this message?

Bob's public key

Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)?

Business associate of a covered entity

Which of the following certifications cannot be used to satisfy the security credential requirements for the advanced Certified Internet Webmaster (CIW) certifications?

Certified Information Security Manager (CISM)

What is the highest level of academic degree that may be earned in the field of information security?

Doctor of philosophy (PhD)

What is NOT an area where the Internet Architecture Board (IAB) provides oversight on behalf of the Internet Engineering Task Force (IETF)?

Subject matter expertise on routing and switching

Alan withdraws cash from his account with Bank Y at an ATM belonging to Bank X. What is Alan's relationship with Bank X?

Consumer

What is NOT one of the four main purposes of an attack?

Data import

Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?

Decryption

A professional certification is typically offered as part of an evening curriculum that leads to a certificate of completion.

False

Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time?

Online Certificate Status Protocol (OCSP)

What is the maximum value for any octet in an IPv4 IP address?

255

________ refers to a program of study approved by the State Department of Education in the state in which a school operates.

Accredited

Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?

Alice's private key

What protocol is responsible for assigning IP addresses to hosts on most networks?

Dynamic Host Configuration Protocol (DHCP)

A border router can provide enhanced features to internal networks and help keep subnet traffic separate.

False

A smurf attack tricks users into providing logon information on what appears to be a legitimate website but is in fact a website set up by an attacker to obtain this information.

False

A subnet mask is a partition of a network based on IP addresses.

False

A worm is a self-contained program that has to trick users into running it.

False

Cryptographic key distribution is typically done by phone.

False

Federal agencies fall under the legislative branch of the U.S. government.

False

Implicit deny is when firewalls look at message addresses to determine whether a message is being sent around an unending loop.

False

System infectors are viruses that attack document files containing embedded macro programming capabilities.

False

What certification organization began as an offshoot of the SANS Institute training programs?

Global Information Assurance Certification (GIAC)

Which unit of measure represents frequency and is expressed as the number of cycles per second?

Hertz

What type of system is intentionally exposed to attackers in an attempt to lure them out?

Honeypot

Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve?

Integrity

What is the certificate management component of GPG4Win?

Kleopatra

When the key is successfully created, which of the following options sends a copy of your private key to your computer?

Make a Backup Of Your Key Pair

__________ consists of unwanted programs like Trojans and viruses.

Malware

Which of the following is a Windows local security password policy?

Maximum password age

Which of the following is a security countermeasure that could be used to protect your production SQL databases against injection attacks?

Monitor your SQL databases for unauthorized or abnormal SQL injections.

If someone sends you his public key and you import it into Kleopatra, will he be able to decrypt the encrypted messages you send him?

No, because you must provide your public key to any user wanting to decrypt any message encrypted by you.

When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?

Nonrepudiation

How can you ensure the confidentiality, integrity, and availability (CIA) of the web application and service?

Penetration testing

A security awareness program that focuses on an organization's Bring Your Own Device (BYOD) policy is designed to cover the use of what type of equipment?

Personally owned devices

How do you encrypt a text message using the keys you created in the lab?

Right-click the file and select Sign and Encrypt from the context menu.

Ben is working toward a position as a senior security administrator and would like to earn his first International Information Systems Security Certification Consortium, Inc. (ISC)2 certification. Which certification is most appropriate for his needs?

Systems Security Certified Practitioner (SSCP)

A firewall is a basic network security defense tool.

True

Defense in depth is the practice of layering defenses to increase overall security and provide more reaction time to respond to incidents.

True

Digital signatures require asymmetric key cryptography.

True

What is NOT an effective key distribution method for plaintext encryption keys?

Unencrypted email

What is NOT a typical sign of virus activity on a system?

Unexpected power failures

When the key is successfully created, which of the following options lets you store your certificate on a public Internet server?

Upload Certificate To Directory Service

What is the only unbreakable cipher when it is used properly?

Vernam

The main purpose of the __________ is to keep any deleted file for a certain period of time, so that you can make sure you do not need the file any more.

Virus Vault

What is NOT a service commonly offered by unified threat management (UTM) devices?

Wireless network access

Allie is working on the development of a web browser and wants to make sure that the browser correctly implements the Hypertext Markup Language (HTML) standard. What organization's documentation should she turn to for the authoritative source of information?

World Wide Web Consortium (W3C)

Unless stringent security is mandated by policy, the security practitioner must always balance security with:

functionality and user adoption.

What file extension does Kleopatra add to an encrypted file?

gpg

What is the correct command syntax to force GPO settings?

gpupdate /force

It is important to bring standalone systems into the Domain because it:

helps prevent unauthorized access to network resources.

No security program is complete without:

host-based security measures.

Integrating Linux with Active Directory:

is almost always a simple task.

Information Systems Security Certification Consortium, Inc. (ISC)2 is the baseline for federal and DoD work-role definitions.

False

Product cipher is an encryption algorithm that has no corresponding decryption algorithm.

False

The National Institute of Standards and Technology (NIST) is the main United Nations agency responsible for managing and promoting information and technology issues.

False

The four main areas in NIST SP 800-50 are awareness, training, certification, and professional development.

False

A certification is an official statement that validates that a person has satisfied specific job requirements.

True

A network protocol governs how networking equipment interacts to deliver data across the network.

True

A successful denial of service (DoS) attack may create so much network congestion that authorized users cannot access network resources.

True

RSA is a global provider of security, risk, and compliance solutions for enterprise environments.

True

Security awareness training should remind employees to ensure confidentiality by not leaving any sensitive information or documents on their desks.

True

Standards provide guidelines to ensure that products in today's computing environments work together.

True

The Internet Engineering Task Force (IETF) is a collection of working groups (WGs), and each working group addresses a specific topic.

True

The National Institute of Standards and Technology (NIST) 800 Series publications cover all NIST-recommended procedures for managing information security.

True

Under the Federal Information Security Management Act (FISMA), all federal agencies must report security incidents to the U.S. Computer Emergency Readiness Team (US-CERT).

True

What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations?

Whois

What standard is NOT secure and should never be used on modern wireless networks?

Wired Equivalent Privacy (WEP)

Each time a key pair is created, Kleopatra generates:

a unique 40-character fingerprint.

The main principle of __________ is to build layers of redundant and complementary security tools, policies, controls, and practices around the organization's information and assets.

defense in depth

Database developers and administrators are responsible for:

ensuring regular backups of the database are performed.

Web application developers and software developers are responsible for:

the secure coding and testing of their application.

Each element of __________ has a specific requirement for security professionals.

the security framework

Henry's last firewall rule must allow inbound access to a Windows Terminal Server. What port must he allow?

3389

How many domains of knowledge are covered by the Certified Information Systems Security Professional (CISSP) exam?

8

To complete the creation of a key, what do you need to enter in the pinentry dialog box?

A passphrase, or password

Which organization created a standard version of the widely used C programming language in 1989?

American National Standards Institute (ANSI)

Donna is building a security awareness program designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS) 3.2. How often must she conduct training for all current employees?

Annually

Which of the following is NOT a role described in DoD Directive 8140, which covers cyber security training?

Attack

Which organization creates information security standards that specifically apply within the European Union?

European Telecommunications Standards Institute (ETSI) Cyber Security Technical Committee (TC CYBER)

A digitized signature is a combination of a strong hash of a message and a secret key.

False

A physical courier delivering an asymmetric key is an example of in-band key exchange.

False

Another name for a border firewall is a DMZ firewall.

False

Cisco offers certifications only at the Associate, Professional, and Expert levels.

False

Master's programs are generally broad and don't focus on a particular field of study.

False

The Family Educational Rights and Privacy Act (FERPA) requires that specific information security controls be implemented to protect student records.

False

The Gramm-Leach-Bliley Act (GLBA) applies to the financial activities of both consumers and privately held companies.

False

The ISACA Certified in Risk and Information Systems Control (CRISC) certification targets security professionals who ensure that their organization satisfies IT governance requirements.

False

The Institute of Electrical and Electronics Engineers (IEEE) publishes or sponsors more than 13,000 standards and projects.

False

The National Institute of Standards and Technology (NIST) publishes the IEEE 802 LAN/MAN standard family.

False

The Payment Card Industry (PCI) Council has only one priority: to assist merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data.

False

The skills necessary to manage a technical environment are the same as the skills necessary to perform technical work.

False

What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)?

Family Policy Compliance Office (FPCO)

What is NOT a common motivation for attackers?

Fear

Which of the following is NOT an advantage to undertaking self-study of information security topics?

Fixed pace

When is the company under additional compliance laws and standards to ensure the confidentiality of customer data?

If e-commerce or privacy data is entered into the web application

When malware is able to steal and modify data, which of the following tenets of information system security is impacted?

Integrity

Fran is interested in learning more about the popular Certified Ethical Hacker (CEH) credential. What organization should she contact?

International Council of E-Commerce Consultants (EC-Council)

Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered?

Polymorphic virus

Hilda is troubleshooting a problem with the encryption of data. At which layer of the OSI Reference Model is she working?

Presentation

In the lab, what did you do before attempting the script tests that exposed the vulnerabilities?

Set the security level of DVWA to low.

Which of the following statements is true regarding an organization's password policy?

Setting a strong password policy is one of the first steps in implementing a comprehensive security program.

Barbara is investigating an attack against her network. She notices that the Internet Control Message Protocol (ICMP) echo replies coming into her network far exceed the ICMP echo requests leaving her network. What type of attack is likely taking place?

Smurf

Bobbi recently discovered that an email program used within her healthcare practice was sending sensitive medical information to patients without using encryption. She immediately corrected the problem because it violated the company's security policy and standard rules. What level of the Health Insurance Portability and Accountability Act (HIPAA) violation likely took place?

Tier A

ANSI produces standards that affect nearly all aspects of IT.

True

ActiveX is used by developers to create active content.

True

American National Standards Institute (ANSI) was formed in 1918 through the merger of five engineering societies and three government agencies.

True

An algorithm is a repeatable process that produces the same result when it receives the same input.

True

Backdoor programs are typically more dangerous than computer viruses.

True

Because people inside an organization generally have more detailed knowledge of the IT infrastructure than outsiders do, they can place logic bombs more easily.

True

Internet Small Computer System Interface (iSCSI) is a storage networking standard used to link data storage devices to networks using IP for its transport layer.

True

It is common for rootkits to modify parts of the operating system to conceal traces of their presence.

True

Juniper Networks offers vendor-specific certifications.

True

Nearly any college or university can offer an information systems security or cybersecurity-related degree program once it obtains accreditation for the curriculum from that state's board of education.

True

The Baldrige National Quality Program is part of the National Institute of Standards and Technology (NIST).

True

The Data Link Layer of the OSI Reference Model is responsible for transmitting information on computers connected to the same local area network (LAN).

True

The Diffie-Hellman (DH) algorithm is the basis for several common key exchange protocols, including Diffie-Hellman in Ephemeral mode (DHE) and Elliptic Curve DHE (ECDHE).

True

The International Organization for Standardization (ISO) organizes its standards by both the International Classification for Standards (ICS) and the Technical Committee (TC) to which it assigns each standard.

True

The Internet Architecture Board (IAB) is a subcommittee of the IETF.

True

The Internet Architecture Board (IAB) serves as an advisory body to the Internet Society (ISOC).

True

The OSI Reference Model is a theoretical model of networking with interchangeable layers.

True

The Physical Layer of the OSI Reference Model must translate the binary ones and zeros of computer language into the language of the transport medium.

True

The function of homepage hijacking is to change a browser's homepage to point to the attacker's site.

True

The term "web defacement" refers to someone gaining unauthorized access to a web server and altering the index page of a site on the server.

True

The three main categories of network security risk are reconnaissance, eavesdropping, and denial of service.

True

Hackers use __________ to execute arbitrary scripts through the web browser.

cross-site scripting (XSS)

A private key cipher is also called an asymmetric key cipher.

False

All Requests for Comments (RFCs) originate from the Internet Engineering Task Force (IETF).

False

Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?

Alice's public key

Which of the following is used to configure the Domain Name Server?

The resolv.conf file

In a corporate network it is _________ for the IT department to have more than one operating system, or different platforms.

quite common

Trojans are self-contained programs designed to propagate from one host machine to another using the host's own network communications protocols.

False

Which element is NOT a core component of the ISO 27002 standard?

Cryptography

Henry would like to create a different firewall rule that allows encrypted web traffic to reach a web server. What port is used for that communication?

443

Continuing professional education (CPE) credits typically represent ________ minutes of classroom time per CPE unit.

50

What is NOT a valid encryption key length for use with the Blowfish algorithm?

512 bits

Mary is designing a software component that will function at the Presentation Layer of the Open Systems Interconnection (OSI) model. What other two layers of the model will her component need to interact with?

Application and Session

When malware slows performance, which of the following tenets of information system security is impacted?

Availability

Federal agencies are required to name a senior official in charge of information security. What title is normally given to these individuals?

Chief information security officer (CISO)

How can you verify that the integrity of encrypted files is maintained during the transmission to another user's computer?

Compare the decrypted file's contents with the contents of the original file.

Larry recently viewed an auction listing on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Larry likely encountered?

Cross-site scripting (XSS)

In general, security training programs are identical to security education programs with respect to their focus on skills and in their duration.

False

The four primary types of malicious code attacks are unplanned attacks, planned attacks, direct attacks, and indirect attacks.

False

Jonas is an experienced information security professional with a specialized focus on evaluating computers for evidence of criminal or malicious activity and recovering data. Which GIAC certification would be most appropriate for Jonas to demonstrate his abilities?

GIAC Certified Forensic Examiner (GCFE)

What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature?

Hash

Bill is conducting an analysis of a new IT service. He would like to assess it using the Open Systems Interconnection (OSI) model and would like to learn more about this framework. What organization should he turn to for the official definition of OSI?

International Organization for Standardization (ISO)

Which of the following programs requires passing a standardized examination that is based upon a job-task analysis?

Professional certification

What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4016?

Risk Analysts

The system will generate a __________ message when the Linux machine has successfully joined the Active Directory domain.

SUCCESS

TCP/IP is a suite of protocols that operates at both the Network and Transport layers of the OSI Reference Model.

True

Which of the following Web forms can be exploited to output passwords, credit card information, and other data?

Those that are poorly designed

Keys are also referred to as:

certificates

Changes in laws, regulations, and organizational priorities mean that security policies tend to:

change over time.

Signs of __________ include degraded system performance, unusual services and network traffic, altered or removed system logs, missing or inactive anti-virus, and any number of application anomalies.

malware

Web application firewalls, security information and event management systems, access controls, network security monitoring, and change controls help to keep the "soft center" from becoming an easy target when the __________ fails.

perimeter
