CISS 3360 FINAL

question
1. Matthew captures traffic on his network and notices connections using ports 20, 22, 23, and 80. Which port normally hosts a protocol that uses secure, encrypted connections?
answer
22
question
2. Networks, routers, and equipment require continuous monitoring and management to keep wide area network (WAN) service available.
answer
True
question
3. Which mitigation plan is most appropriate to limit the risk of unauthorized access to workstations?
answer
Password protection
question
4. The System/Application Domain holds all the mission-critical systems, applications, and data.
answer
True
question
5. For businesses and organizations under recent compliance laws, data classification standards typically include private, confidential, internal use only, and public domain categories.
answer
True
question
6. Hypertext Transfer Protocol (HTTP) encrypts data transfers between secure browsers and secure web pages.
answer
False
question
7. Which risk is most effectively mitigated by an upstream Internet service provider (ISP)?
answer
Distributed denial of service (DDoS)
question
8. Which one of the following measures the average amount of time that it takes to repair a system, application, or component?
answer
Mean time to repair (MTTR)
question
9. Hypertext Transfer Protocol (HTTP) is the communications protocol between web browsers and websites with data in cleartext.
answer
True
question
10. In the Remote Access Domain, if private data or confidential data is compromised remotely, you should set automatic blocking for attempted logon retries.
answer
True
question
11. Which term describes any action that could damage an asset?
answer
Threat
question
12. The most critical aspect of a WAN services contract is how the service provider supplies troubleshooting, network management, and security management services.
answer
True
question
13. Which classification level is the highest level used by the U.S. federal government?
answer
Top Secret
question
14. Cryptography is the process of transforming data from cleartext into ciphertext.
answer
True
question
15. Which element of the IT security policy framework provides detailed written definitions for hardware and software and how they are to be used?
answer
Standard
question
16. The weakest link in the security of an IT infrastructure is the server.
answer
False
question
1. One of the first industries to adopt and widely use mobile applications was the healthcare industry.
answer
True
question
2. In e-business, secure web applications are one of the critical security controls that each organization must implement to reduce risk.
answer
True
question
3. Devices that combine the capabilities of mobile phones and personal digital assistants (PDAs) are commonly called smartphones.
answer
True
question
4. Unified messaging allows you to download both voice and email messages to a smartphone or tablet.
answer
True
question
5. IoT technology has a significant impact on developing economies, given that it can transform countries into e-commerce-ready nations.
answer
True
question
6. Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?
answer
Bring Your Own Device (BYOD)
question
7. Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?
answer
Software as a Service (SaaS)
question
8. Which action is the best step to protect Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements?
answer
Applying security updates promptly
question
9. Application service providers (ASPs) are software companies that build applications hosted in the cloud and on the Internet.
answer
True
question
10. From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)?
answer
Security risks will increase.
question
11. Metadata of Internet of Things (IoT) devices can be sold to companies seeking demographic marketing data about users and their spending habits.
answer
True
question
12. Which of the following is NOT one of the four fundamental principles outlined by the Internet Society that will drive the success of Internet of Things (IoT) innovation?
answer
Secure
question
13. Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)?
answer
Health monitoring
question
14. Which technology can be used to protect the privacy rights of individuals and simultaneously allow organizations to analyze data in aggregate?
answer
Deidentification
question
15. Regarding the Internet of Things (IoT), a business involved in utilities, critical infrastructure, or environmental services can benefit from traffic-monitoring applications.
answer
False
question
16. In Mobile IP, what term describes a device that would like to communicate with a mobile node (MN)?
answer
Correspondent node (CN)
question
17. The auto industry has not yet implemented the Internet of Things (IoT).
answer
False
question
18. Jody would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs?
answer
Collaboration
question
19. Bring Your Own Device (BYOD) opens the door to considerable security issues.
answer
True
question
20. Bricks-and-mortar stores are completely obsolete now.
answer
False
question
1. Which password attack is typically used specifically against password files that contain cryptographic hashes?
answer
Birthday attacks
question
2. Which type of denial of service attack exploits the existence of software flaws to disrupt a service?
answer
Logic attack
question
3. Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?
answer
White-hat hacker
question
4. When servers need operating system upgrades or patches, administrators take them offline intentionally, so they can perform the necessary work without risking malicious attacks.
answer
True
question
5. The anti-malware utility is one of the most popular backdoor tools in use today.
answer
False
question
6. A phishing email is a fake or bogus email intended to trick the recipient into clicking on an embedded URL link or opening an email attachment.
answer
True
question
7. Which control is not designed to combat malware?
answer
Firewalls
question
8. Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service?
answer
80
question
9. Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place?
answer
Address Resolution Protocol (ARP) poisoning
question
10. A man-in-the-middle attack takes advantage of the multihop process used by many types of networks.
answer
True
question
11. Spyware gathers information about a user through an Internet connection, without his or her knowledge.
answer
True
question
12. A phishing attack "poisons" a domain name on a domain name server.
answer
False
question
13. Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place?
answer
Spim
question
14. An alteration threat violates information integrity.
answer
True
question
15. Rootkits are malicious software programs designed to be hidden from normal methods of detection.
answer
True
question
16. In which type of attack does the attacker attempt to take over an existing connection between two systems?
answer
Session hijacking
question
17. Which tool can capture the packets transmitted between systems over a network?
answer
Protocol analyzer
question
18. Using a secure logon and authentication process is one of the six steps used to prevent malware.
answer
True
question
19. A DoS attack is a coordinated attempt to deny service by occupying a computer to perform large amounts of unnecessary tasks.
answer
True
question
20. Which type of attack against a web application uses a newly discovered vulnerability that is not patchable?
answer
Zero-day attack
question
1. Which one of the following is the best example of an authorization control?
answer
Access control lists
question
2. The recovery point objective (RPO) is the maximum amount of data loss that is acceptable.
answer
True
question
3. Regarding data center alternatives for disaster recovery, a mobile site is the least expensive option but at the cost of the longest switchover time.
answer
False
question
4. The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation?
answer
13
question
5. Screen locks are a form of endpoint device security control.
answer
True
question
6. The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks.
answer
True
question
7. What is the first step in a disaster recovery effort?
answer
Ensure that everyone is safe.
question
8. Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers?
answer
HIPAA
question
9. The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks.
answer
True
question
10. Which formula is typically used to describe the components of information security risks?
answer
Risk = Threat X Vulnerability
question
11. What is NOT one of the three tenets of information security?
answer
Safety
question
12. Which one of the following is an example of a reactive disaster recovery control?
answer
Moving to a warm site
question
13. As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct?
answer
Simulation test
question
14. Removable storage is a software application that allows an organization to monitor and control business data on a personally owned device.
answer
False
question
15. The term risk methodology refers to a list of identified risks that results from the risk-identification process.
answer
False
question
16. What is NOT a commonly used endpoint security technique?
answer
Network firewall
question
17. A disaster recovery plan (DRP) directs the actions necessary to recover resources after a disaster.
answer
True
question
18. The Government Information Security Reform Act (Security Reform Act) of 2000 focuses on management and evaluation of the security of unclassified and national security systems.
answer
True
question
19. Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?
answer
Parallel test
question
20. Which one of the following is an example of a direct cost that might result from a business disruption?
answer
Facility repair
question
1. What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?
answer
Security Assertion Markup Language (SAML)
question
2. Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?
answer
Accountability
question
3. Which security model does NOT protect the integrity of information?
answer
Bell-LaPadula
question
4. The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
answer
security kernel
question
5. Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it.
answer
True
question
6. Voice pattern biometrics are accurate for authentication because voices can't easily be replicated by computer software.
answer
False
question
7. A Chinese wall security policy defines a barrier and develops a set of rules that makes sure no subject gets to objects on the other side.
answer
True
question
8. Which of the following is an example of a hardware security control?
answer
MAC filtering
question
9. Which one of the following principles is NOT a component of the Biba integrity model?
answer
Subjects cannot change objects that have a lower integrity level.
question
10. Which one of the following is NOT a commonly accepted best practice for password security?
answer
Use at least six alphanumeric characters.
question
11. The four central components of access control are users, resources, actions, and features.
answer
False
question
12. Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?
answer
Brute-force attack
question
13. Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?
answer
Redundant Array of Independent Disks (RAID)
question
14. A smart card is a token shaped like a credit card that contains one or more microprocessor chips that accept, store, and send information through a reader.
answer
True
question
15. Which one of the following is an example of a logical access control?
answer
Password
question
16. Which of the following is NOT a benefit of cloud computing to organizations?
answer
Lower dependence on outside vendors
question
17. You should use easy-to-remember personal information to create secure passwords.
answer
False
question
18. Passphrases are less secure than passwords.
answer
False
question
19. Which one of the following is NOT an advantage of biometric systems?
answer
Physical characteristics may change.
question
20. A degausser creates a magnetic field that erases data from magnetic storage media.
answer
True
question
1. A successful change control program should include the following elements to ensure the quality of the change control process: peer review, documentation, and back-out plans.
answer
True
question
2. The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege.
answer
True
question
3. Procedures do NOT reduce mistakes in a crisis.
answer
False
question
4. Which of the following would NOT be considered in the scope of organizational compliance efforts?
answer
Laws
question
5. In an accreditation process, who has the authority to approve a system for implementation?
answer
Authorizing official (AO)
question
6. Company-related classifications are not standard; therefore, there may be some differences between the terms "private" and "confidential" in different companies.
answer
True
question
7. Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
answer
Service level agreement (SLA)
question
8. Social engineering is deceiving or using people to get around security controls.
answer
True
question
9. Which agreement type is typically less formal than other agreements and expresses areas of common interest?
answer
Memorandum of understanding (MOU)
question
10. One advantage of using a security management firm for security monitoring is that it has a high level of expertise.
answer
True
question
11. Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
answer
Access to a high level of expertise
question
12. Which activity manages the baseline settings for a system or device?
answer
Configuration control
question
13. Classification scope determines what data you should classify; classification process determines how you handle classified data.
answer
True
question
14. Mandatory vacations minimize risk by rotating employees among various systems or duties.
answer
False
question
15. Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?
answer
Authorization
question
16. In what type of attack does the attacker send unauthorized commands directly to a database?
answer
SQL injection
question
17. Certification is the formal agreement by an authorizing official to accept the risk of implementing a system.
answer
False
question
18. A remediation liaison makes sure all personnel are aware of and comply with an organization's policies.
answer
False
question
19. Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
answer
Project initiation and planning
question
20. In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?
answer
Waterfall
question
1. You must always use the same algorithm to encrypt information and decrypt the same information.
answer
False
question
2. A private key cipher is also called an asymmetric key cipher.
answer
False
question
3. Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve?
answer
Integrity
question
4. A salt value is a set of random characters you can combine with an actual input key to create the encryption key.
answer
True
question
5. The Diffie-Hellman (DHE) algorithm is the basis for several common key exchange protocols, including Diffie-Hellman in Ephemeral mode (DHE) and Elliptic Curve DHE (ECDHE).
answer
True
question
6. What mathematical problem forms the basis of most modern cryptographic algorithms?
answer
Factoring large primes
question
7. The financial industry created the ANSI X9.17 standard to define key management procedures.
answer
True
question
8. What is NOT a symmetric encryption algorithm?
answer
Rivest-Shamir-Adelman (RSA)
question
9. A physical courier delivering an asymmetric key is an example of in-band key exchange.
answer
False
question
10. Which type of cipher works by rearranging the characters in a message?
answer
Transposition
question
11. Which approach to cryptography provides the strongest theoretical protection?
answer
Quantum cryptography
question
12. What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature?
answer
Hash
question
13. Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?
answer
Alice's public key
question
14. What is NOT an effective key distribution method for plaintext encryption keys?
answer
Unencrypted email
question
15. Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time?
answer
Online Certificate Status Protocol (OCSP)
question
16. When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?
answer
Nonrepudiation
question
17. A person demonstrates anonymity when posting information to a web discussion site without authorities knowing who he or she is.
answer
True
question
18. A substitution cipher replaces bits, characters, or blocks of information with other bits, characters, or blocks.
answer
True
question
19. In a chosen-ciphertext attack, cryptanalysts submit data coded with the same cipher and key they are trying to break to the decryption device to see either the plaintext output or the effect the decrypted message has on some system.
answer
True
question
20. What is the only unbreakable cipher when it is used properly?
answer
Vernam
question
1. Norm recently joined a new organization. He noticed that the firewall technology used by his new firm opens separate connections between the devices on both sides of the firewall. What type of technology is being used?
answer
Application proxying
question
2. A packet-filtering firewall remembers information about the status of a network communication.
answer
False
question
3. What type of network connects systems over the largest geographic area?
answer
Wide area network (WAN)
question
4. Gary is configuring a Smartphone and is selecting a wireless connectivity method. Which approach will provide him with the highest speed wireless connectivity?
answer
Wi-Fi
question
5. A firewall is a basic network security defense tool.
answer
True
question
6. What protocol is responsible for assigning IP addresses to hosts on most networks?
answer
Dynamic Host Configuration Protocol (DHCP)
question
7. The Physical Layer of the OSI Reference Model must translate the binary ones and zeros of computer language into the language of the transport medium.
answer
True
question
8. The term "router" describes a device that connects two or more networks and selectively interchanges packets of data between them.
answer
True
question
9. IP addresses are eight-byte addresses that uniquely identify every device on the network.
answer
False
question
10. Network access control (NAC) works on wired and wireless networks.
answer
True
question
11. David would like to connect a Fibre Channel storage device to systems over a standard data network. What protocol can he use?
answer
Fibre Channel over Ethernet (FCoE)
question
12. The Transport Layer of the OSI Reference Model creates, maintains, and disconnects communications that take place between processes over the network.
answer
False
question
13. Another name for a border firewall is a DMZ firewall.
answer
False
question
14. Terry is troubleshooting a network that is experiencing high traffic congestion issues. Which device, if present on the network, should be replaced to alleviate these issues?
answer
Hub
question
15. TCP/IP is a suite of protocols that operates at both the Network and Transport layers of the OSI Reference Model.
answer
True
question
16. What wireless security technology contains significant flaws and should never be used?
answer
Wired Equivalent Privacy (WEP)
question
17. A subnet mask is a partition of a network based on IP addresses.
answer
True
question
18. A network protocol governs how networking equipment interacts to deliver data across the network.
answer
True
question
19. Internet Small Computer System Interface (iSCSI) is a storage networking standard used to link data storage devices to networks using IP for its transport layer.
answer
True
question
20. Henry would like to create a different firewall rule that allows encrypted web traffic to reach a web server. What port is used for that communication?
answer
443
question
1. What file type is least likely to be impacted by a file infector virus?
answer
.docx
question
2. What ISO security standard can help guide the creation of an organization's security policy?
answer
27002
question
3. Yolanda would like to prevent attackers from using her network as a relay point for a smurf attack. What protocol should she block?
answer
Internet Control Message Protocol (ICMP)
question
4. What is NOT a common motivation for attackers?
answer
Fear
question
5. Which type of virus targets computer hardware and software startup functions?
answer
System infector
question
6. The four primary types of malicious code attacks are unplanned attacks, planned attacks, direct attacks, and indirect attacks.
answer
False
question
7. Retro viruses counter the ability of antivirus programs to detect changes in infected files.
answer
False
question
8. What is NOT a typical sign of virus activity on a system?
answer
Unexpected power failures
question
9. A computer virus is an executable program that attaches to, or infects, other executable programs.
answer
True
question
10. An electronic mail bomb is a form of malicious macro attack that typically involves an email attachment that contains macros designed to inflict maximum damage.
answer
True
question
11. A smurf attack tricks users into providing logon information on what appears to be a legitimate website but is in fact a website set up by an attacker to obtain this information.
answer
False
question
12. Brian would like to conduct a port scan against his systems to determine how they look from an attacker's viewpoint. What tool can he use for this purpose?
answer
Nmap
question
13. Alison discovers that a system under her control has been infected with malware, which is using a key logger to report user keystrokes to a third party. What information security property is this malware attacking?
answer
Confidentiality
question
14. Bob is developing a web application that depends upon a database backend. What type of attack could a malicious individual use to send commands through his web application to the database?
answer
SQL injection
question
15. Backdoor programs are typically more dangerous than computer viruses.
answer
True
question
16. Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered?
answer
Polymorphic virus
question
17. The term "web defacement" refers to someone gaining unauthorized access to a web server and altering the index page of a site on the server.
answer
True
question
18. What is NOT one of the four main purposes of an attack?
answer
Data import
question
19. The goal of a command injection is to execute commands on a host operating system.
answer
True
question
20. What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations?
answer
Whois