Week Two Midterm

True

Common methods used to identify a user to a system include username, smart card, and biometrics.

True

During an audit, an auditor compares the current setting of a computer or device with a benchmark to help identify differences.

True

Fingerprints, palm prints, and retina scans are types of biometrics.

Risk Management Guide for Information Technology Systems (NIST SP800-30)

George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?

True

Many jurisdictions require audits by law.

False

Passphrases are less secure than passwords.

True

The business impact analysis (BIA) identifies the resources for which a business continuity plan (BCP) is necessary.

False

The main difference between a virus and a worm is that a virus does not need a host program to infect.

An organization should share its information.

What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?

System configurations

What is NOT generally a section in an audit report?

Security Assertion Markup Language (SAML)

What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?

True

A birthday attack is a type of cryptographic attack that is used to make brute-force attacks on one-way hashes easier.

True

A degausser creates a magnetic field that erases data from magnetic storage media.

Recovery time objective (RTO)

Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?

True

Classification scope determines what data you should classify; classification process determines how you handle classified data.

True

Company-related classifications are not standard; therefore, there may be some differences between the terms "private" and "confidential" in different companies.

True

Data loss prevention (DLP) uses business rules to classify sensitive information to prevent unauthorized end users from sharing it.

Warm site

Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?

True

In security testing, reconnaissance involves reviewing a system to learn as much as possible about the organization, its systems, and its networks.

True

Log files are records that detail who logged on to a system, when they logged on, and what information or resources they used.

False

Mandatory vacations minimize risk by rotating employees among various systems or duties.

Opportunity cost

Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales?

True

Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than just in individual packets.

False

Regarding data center alternatives for disaster recovery, a mobile site is the least expensive option but at the cost of the longest switchover time.

Audit

Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?

Phishing

Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?

True

Screen locks are a form of endpoint device security control.

True

Social engineering is deceiving or using people to get around security controls.

Trojan horse

What type of malicious software masquerades as legitimate software to entice the user to run it?

Memorandum of understanding (MOU)

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Firewalls

Which control is not designed to combat malware?

Bell-LaPadula

Which security model does NOT protect the integrity of information?

Network mapping

Which security testing activity uses tools that scan for services running on systems?

Logic attack

Which type of denial of service attack exploits the existence of software flaws to disrupt a service?

White-hat hacker

Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?

Payment Card Industry Data Security Standard (PCI DSS)

A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?

True

An SOC 1 report is commonly implemented for organizations that must comply with Sarbanes-Oxley (SOX) or the Gramm-Leach-Bliley Act (GLBA).

True

An example of a threat to access control is in a peer-to-peer (P2P) arrangement in which users share their My Documents folder with each other by accident.

Baseline

Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?

Address Resolution Protocol (ARP) poisoning

Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place?

Does the firewall properly block unsolicited network connection attempts?

Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?

Authorization

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?

False

The term "data owner" refers to the person or group that manages an IT infrastructure.

True

The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks.

False

User-based permission levels limit a person to executing certain functions and often enforce mutual exclusivity.

True

Using a secure logon and authentication process is one of the six steps used to prevent malware.

Data ownership

Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?

Facility repair

Which one of the following is an example of a direct cost that might result from a business disruption?

Fabrication

Which type of attack involves the creation of some deception in order to trick unsuspecting users?

Ownership

Which type of authentication includes smart cards?
