Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Google Cybersecurity Quizes > (5) Assets, Threats, and Vulnerabilities > Flashcards

(5) Assets, Threats, and Vulnerabilities Flashcards

1
Q

What is a risk?

Anything that can impact the confidentiality, integrity, or availability of an asset

The practice of labeling assets based on sensitivity and importance to an organization

A weakness that can be exploited by a threat

Any circumstance or event that can negatively impact assets

A

Anything that can impact the confidentiality, integrity, or availability of an asset

A risk is anything that can impact the confidentiality, integrity, or availability of an asset.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

A security professional discovers a rogue access point on their company WiFi that is not managed by the networking team. The rogue device is altering and deleting sensitive records without authorization. What is the rogue device in this scenario?

Threat

Asset

Vulnerability

Risk

A

Threat

The rogue device is a threat because it is negatively impacting the company’s assets.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

A product team is storing customer survey data for a new project in a cloud drive. The data is only accessible to product team members while the project is in development. What is this data’s asset type?

Public

Confidential

Customer data

Internal demo

A

Confidential

This data is confidential. Confidential assets such as this customer survey data can only be accessed by those working on a specific project.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is the practice of labeling assets based on sensitivity and importance to an organization?

Asset management

Asset inventory

Asset restriction

Asset classification

A

Asset classification

Asset classification is the practice of labeling assets based on sensitivity and importance to an organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is the practice of keeping data in all states away from unauthorized users?

Network

Cybersecurity

Asset

Information security

A

Information security

Information security, or InfoSec, is the practice of keeping data in all states away from unauthorized users.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

An employee is promoted to a new role, so their workstation is transferred to a different office. As the employee’s workstation is being relocated, what data state are its files in?

At rest

In transit

In use

In storage

A

At rest

The files are at rest. Data is at rest when it is not being accessed. In this scenario, moving the workstation does not change the data state.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is an example of data in transit?

A sent email is traveling over the network to reach its destination.

A manager is editing a report on their computer.

A spreadsheet file is saved on an employee’s hard drive.

A user logs in to their online account to review their messages.

A

A sent email is traveling over the network to reach its destination.

An email traveling over a network to its destination is an example of data in transit.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Fill in the blank: Data is in use when it is being _____ by one or more users.

accessed

ignored

transported

classified

A

accessed

Data is in use when it is being accessed by one or more users.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What types of risks do security plans address? Select three answers.

Damage to assets

Loss of information

Shift of market conditions

Disclosure of data

A

Damage to assets

Loss of information

Disclosure of data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What are the basic elements of a security plan? Select three answers.

Regulations

Procedures

Standards

Policies

A

Procedures

Standards

Policies

The basic elements of a security plan are policies, standards, and procedures. Policies are rules that reduce risk and protect information. Standards are references that inform how to set policies. And procedures are step-by-step instructions to perform a specific security task.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Fill in the blank: The NIST CSF is a _____ framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

voluntary

mandatory

limited

rigid

A

voluntary

The NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. It is a comprehensive framework with a flexible design that can be used in any industry.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are some benefits of the NIST Cybersecurity Framework (CSF)? Select three answers.

It’s adaptable to fit the needs of any business.

It can be used to identify and assess risk.

It is required to do business online.

It helps organizations achieve regulatory standards.

A

It’s adaptable to fit the needs of any business.

It can be used to identify and assess risk.

It helps organizations achieve regulatory standards.

Some benefits of the CSF are that it’s adaptable to fit the needs of any business, it helps organizations achieve regulatory standards, and it can be used to identify and assess risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

An attacker spreads malicious software within an organization, which executes unauthorized actions on the organization’s systems. What does this scenario describe?

Procedure

Vulnerability

Regulation

Threat

A

Threat

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Which of the following are examples of a vulnerability? Select two answers.

Attackers causing a power outage

A malfunctioning door lock

Malicious hackers stealing access credentials

An employee misconfiguring a firewall

A

A malfunctioning door lock

An employee misconfiguring a firewall

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Which of the following refers to the process of tracking assets and the risks that affect them?

Asset inventory

Asset administration

Asset classification

Asset management

A

Asset management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is an example of confidential information? Select two answers.

Press release

Employee contacts

Project documents

Marketing strategy

A

Project documents

Marketing strategy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Which of the following are examples of internal-only information? Select two answers.

Credit card numbers

Business plans

Employee records

Intellectual property

A

Business plans

Employee records

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Which of the following can be prevented with effective information security? Select three answers.

Reputational damage

Compliance with regulations

Identity theft

Financial loss

A

Reputational damage

Compliance with regulations

Financial loss

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What is an example of digital data at rest? Select two answers.

Email messages in an inbox

Letters on a table

Contracts in a file cabinet

Files on a hard drive

A

Email messages in an inbox

Files on a hard drive

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Who should an effective security plan focus on protecting? Select three answers.

Business partners

Competitors

Customers

Employees

A

Business partners

Customers

Employees

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What NIST Cybersecurity Framework (CSF) tier is an indication that compliance is being performed at an exemplary standard?

Level-3

Level-2

Level-4

Level-1

A

Level-4

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Which component of the NIST Cybersecurity Framework (CSF) is used to compare the current state of a security plan to others?

Detect

Profiles

Compliance

Core

A

Profiles

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What are categories of security controls? Select all that apply.

Privacy

Operational

Technical

Managerial

A

Operational

Technical

Managerial

Categories of security controls include technical, operational, and managerial. Technical controls include the technologies used to protect assets. Operational controls relate to maintaining the day-to-day security environment. And managerial controls are centered around how technical and operational controls reduce risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Fill in the blank: A data _____ decides who can access, edit, use, or destroy their information.

owner

custodian

protector

handler

A

owner

A data owner decides who can access, edit, use, or destroy their information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

A writer for a technology company is drafting an article about new software features that are being released. According to the principle of least privilege, what should the writer have access to while drafting the article? Select all that apply.

Login credentials of the software users

Other new software that is in development

The software they are reviewing

Software developers who are knowledgeable about the product

A

The software they are reviewing

Software developers who are knowledgeable about the product

The writer should have access to the software they are reviewing and the software developers who can help them understand what information is appropriate to share with readers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Which privacy regulations influence how organizations approach data security? Select three answers.

Health Insurance Portability and Accountability Act (HIPAA)

General Data Protection Regulation (GDPR)

Payment Card Industry Data Security Standard (PCI DSS)

Infrastructure as a Service (IaaS)

A

Health Insurance Portability and Accountability Act (HIPAA)

General Data Protection Regulation (GDPR)

Payment Card Industry Data Security Standard (PCI DSS)

GDPR, PCI DSS, and HIPAA are notable privacy regulations that influence how organizations approach their information security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Which of the following elements are required when using encryption? Select all that apply.

Key

Certificate

Cipher

Token

A

Key

Cipher

A cipher and a key are required when using encryption. This enables secure information exchange.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Which technologies are used in public key infrastructure (PKI) to securely exchange information online? Select two answers.

Digital certificates

General Data Protection Regulation (GDPR)

Platform as a service (PaaS)

Encryption algorithms

Correct
PKI uses encryption algorithms and digital certificates to securely exchange information online. Asymmetric and symmetric algorithms are used first to quickly and securely encrypt data. Digital certificates are used second as a way of signaling trust between the sender and receiver when exchanging encrypted data online.

A

Digital certificates

Encryption algorithms

PKI uses encryption algorithms and digital certificates to securely exchange information online. Asymmetric and symmetric algorithms are used first to quickly and securely encrypt data. Digital certificates are used second as a way of signaling trust between the sender and receiver when exchanging encrypted data online.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Fill in the blank: _____ encryption produces a public and private key pair.

Asymmetric

Hashing

Salting

Symmetric

A

Asymmetric

Asymmetric encryption produces a public and private key pair that are used to encrypt and decrypt information. The public key is shared with others while the data owner manages the private key.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

An attacker gains access to a database where user passwords are secured with the SHA-256 hashing algorithm. Can the attacker decrypt the user passwords?

Yes. Hash algorithms produce a decryption key.

No. Hash algorithms do not produce decryption keys.

A

No. Hash algorithms do not produce decryption keys.

The attacker cannot decrypt the user passwords because they are stored as a hash value that is irreversible. Only symmetric and asymmetric encryption algorithms produce decryption keys.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

What term describes being unable to deny that information is authentic?

Availability

Confidentiality

Integrity

Non-repudiation

A

Non-repudiation

Non-repudiation means that the authenticity of information cannot be denied. It also confirms that the sender of data is who they claim to be.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

What factors do authentication systems use to verify a user’s identity? Select three answers.

Characteristic

Authorization

Knowledge

Ownership

Correct
Knowledge, ownership, and characteristic are the three factors used by authentication systems to verify a user’s identity.

A

Characteristic

Knowledge

Ownership

Knowledge, ownership, and characteristic are the three factors used by authentication systems to verify a user’s identity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

How do businesses benefit from implementing single sign-on (SSO) technology? Select two answers.

By providing a better user experience

By streamlining HTTP traffic between servers

By requiring multiple forms of identification

By simplifying their user management

Correct
Providing a better user experience and simplifying their user management are ways that businesses benefit from implementing SSO.

A

By providing a better user experience

By simplifying their user management

Providing a better user experience and simplifying their user management are ways that businesses benefit from implementing SSO.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

A retail company has one employee that’s in charge of purchasing goods, another employee that’s in charge of approving new purchases, and a third employee that’s in charge of paying invoices. What security principle is the retail company implementing?

Authentication, authorization, and accounting (AAA)

Separation of duties

Least privilege

Non-repudiation

A

Separation of duties

The retail company is implementing the separation of duties principle. Separation of duties is the security principle that users should not be given levels of authorization that would allow them to misuse a system.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

What are the categories of access controls? Select three answers.

Authorization

Authentication

Administration

Accounting

A

Authorization

Authentication

Accounting

The three categories of access controls are authentication, authorization, and accounting.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

What credential does OAuth use to authenticate users?

A session cookie

A digital certificate

A one-time passcode (OTP)

An application programming interface (API) token

A

An application programming interface (API) token

OAuth uses an API token to authenticate users. An API token is a digital credential that is shared between a platform and a service provider to verify a user’s identity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

Which functions would fall under the category of operational security controls? Select two answers.

Responding to an incident alert

Providing security awareness training

Establishing trust using digital certificates

Exchanging encrypted information

A

Responding to an incident alert

Providing security awareness training

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

A large hotel chain collects customer email addresses as part of a national sweepstakes. As data custodians, what are the hotel chain’s responsibilities to protect this information? Select three answers.

To protect the data while in storage

To edit the data when necessary

To safely handle the data when it’s accessed

To securely transport the data over networks

A

To protect the data while in storage

To safely handle the data when it’s accessed

To securely transport the data over networks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

What do symmetric encryption algorithms use to encrypt and decrypt information?

A digital certificate

A single secret key

A public and private key pair

A hash value

A

A single secret key

40
Q

A security analyst is investigating a critical system file that may have been tampered with. How might the analyst verify the integrity of the system file?

By opening the system file in word processing application and checking its version history.

By decrypting the system files secret key using Advanced Encryption Standard (AES).

By comparing the system files hash value to a known, trusted hash value.

By brute forcing the system file using a rainbow table.

A

By comparing the system files hash value to a known, trusted hash value.

41
Q

Which of the following steps are part of the public key infrastructure process? Select two answers.

Exchange of public and private keys

Exchange of encrypted information

Transfer hash digests

Establish trust using digital certificates

A

Exchange of encrypted information

Establish trust using digital certificates

42
Q

What factors do authentication systems use to verify a user’s identity? Select three answers.

Characteristic

Accounting

Knowledge

Ownership

A

Characteristic

Knowledge

Ownership

43
Q

What is a key advantage of multi-factor authentication compared to single sign-on?

It is faster when authenticating users.

It can grant access to multiple company resources at once.

It streamlines the authentication process.

It requires more than one form of identification before granting access to a system.

A

It requires more than one form of identification before granting access to a system.

44
Q

The main responsibility of a receptionist at a healthcare company is to check-in visitors upon arrival. When visitors check-in, which kinds of information should the receptionist be able to access to complete their task? Select two answers.

The patient being visited

Their medical history

Their billing information

A photo ID

A

The patient being visited

A photo ID

45
Q

What types of user information does an API token contain? Select two answers.

A user’s site permissions

A user’s identity

A user’s secret key

A user’s password

A

A user’s site permissions

A user’s secret key

46
Q

A customer of an online retailer has complained that their account contains an unauthorized purchase. You investigate the incident by reviewing the retailer’s access logs. Which component of the user’s session might you review?

Session cookie

Session certificate

Session API key

Session algorithm

A

Session cookie

47
Q

Which of the following are steps in the vulnerability management process. Select two answers.

Catalog organizational assets

Prepare defenses against threats

Identify vulnerabilities

Assign a CVE® ID

A

Prepare defenses against threats

Identify vulnerabilities

48
Q

An organization is attacked by a vulnerability that was previously unknown. What is this exploit an example of?

A perimeter layer

A zero-day

A cipher

An asset

A

A zero-day

A zero-day refers to an exploit that was previously unknown.

49
Q

Which layer of the defense in depth strategy is a user authentication layer that mainly filters external access?

Network

Endpoint

Perimeter

Data

A

Perimeter

The perimeter layer consists of authentication technologies that let verified users in.

50
Q

A security researcher reports a new vulnerability to the CVE® list. Which of the following criteria must the vulnerability meet before it receives a CVE® ID? Select two answers.

It must be independently fixable.

The submission must have supporting evidence.

The vulnerability must be unknown to the developer.

It must affect multiple applications.

A

It must be independently fixable.

The submission must have supporting evidence.

51
Q

Fill in the blank: A vulnerability ____ refers to the internal review process of an organization’s security systems.

scoring

assessment

patch

scanner

A

assessment

A vulnerability assessment is an internal review process of an organization’s security systems.

52
Q

What are the goals of a vulnerability assessment? Select two answers.

To identify existing weaknesses

To audit regulatory compliance

To detect network traffic

To reduce overall threat exposure

A

To identify existing weaknesses

To reduce overall threat exposure

The goals of a vulnerability assessment are to identify existing weaknesses and reduce overall threat exposure.

53
Q

Which of the following remediation examples might be implemented after a vulnerability scan? Select two answers.

Installing software updates and patches

Locating vulnerabilities in workstations

Identifying misconfigurations in an application

Training employees to follow new security procedures

A

Installing software updates and patches

Training employees to follow new security procedures

Examples of remediations that might be performed after a vulnerability scan include training employees on new procedures and installing software updates and patches.

54
Q

What are two types of vulnerability scans? Select two answers.

Risk or threat

Patch or upgrade

Limited or comprehensive

Authenticated or unauthenticated

A

Limited or comprehensive

Authenticated or unauthenticated

Authenticated or unauthenticated and limited or comprehensive are two types of vulnerability scans. Internal and external is another common type of vulnerability scanning.

55
Q

What is the difference between an attack vector and an attack surface?

An attack surface refers to the specific pathway of exploiting a weakness; an attack vector refers to all the weaknesses of an asset that can be exploited.

An attack surface refers to all the weaknesses of an asset that can be attacked; an attack vector refers to an outdated and vulnerable network.

An attack vector refers to the pathways attackers use to penetrate security defenses; an attack surface refers to all the vulnerabilities of an asset that can be exploited.

An attack surface refers to the specific method of attack; an attack vector refers to an outdated and vulnerable network.

A

An attack vector refers to the pathways attackers use to penetrate security defenses; an attack surface refers to all the vulnerabilities of an asset that can be exploited.

56
Q

What are examples of security hardening? Select three answers.

Hashing all user passwords

Restarting a crashed application

Disabling unused network ports

Keeping systems patched and updated

A

Hashing all user passwords

Disabling unused network ports

Keeping systems patched and updated

Disabling unused network ports, hashing all user passwords, and keeping systems patched and updated are examples of security hardening.

57
Q

Which steps are applied when using an attacker mindset? Select three answers.

Determine how a target can be accessed

Evaluate a target’s attack vectors

Stay in communication with a target

Identify a target

A

Determine how a target can be accessed

Evaluate a target’s attack vectors

Identify a target

Identifying a target, determining how they can be accessed, and evaluating their attack vectors are steps that are applied when using an attacker mindset.

58
Q

How can businesses reduce the number of attack vectors they must defend? Select three answers.

By controlling access and authorization to assets

By totally restricting information from being shared

By educating users so they can participate in preventing attacks

By implementing security controls that protect information

A

By controlling access and authorization to assets

By educating users so they can participate in preventing attacks

By implementing security controls that protect information

Business can reduce the number of attack vectors they have by controlling access and authorization to assets, implementing security controls that protect information, and educating users so they can participate in preventing attacks.

59
Q

Consider the following scenario:

A cloud service provider has misconfigured a cloud drive. They’ve forgotten to change the default sharing permissions. This allows all of their customers to access any data that is stored on the drive.

This misconfigured cloud drive is an example of what?

An exploit

A threat

A vulnerability

A security control

A

A vulnerability

60
Q

Why do organizations use the defense in depth model to protect information? Select two answers.

Security teams can easily determine the “who, what, when, and how” of an attack.

Threats that penetrate one level can be contained in another.

Each layer uses unique technologies that communicate with each other.

Layered defenses reduce risk by addressing multiple vulnerabilities.

A

Threats that penetrate one level can be contained in another.

Layered defenses reduce risk by addressing multiple vulnerabilities.

61
Q

Which layer of the defense in depth model relates to user devices that have accessed a network?

Data

Endpoint

Application

Perimeter

A

Endpoint

62
Q

Which of the following are criteria that a vulnerability must meet to qualify for a CVE® ID? Select all that apply.

It can only affect one codebase.

It must be recognized as a potential security risk.

It must pose a financial risk.

It must be submitted with supporting evidence.

It must be independent of other issues.

A

It can only affect one codebase.

It must be recognized as a potential security risk.

It must be submitted with supporting evidence.

It must be independent of other issues.

63
Q

A security team is preparing new workstations that will be installed in an office.

Which vulnerability management steps should they take to prepare these workstations? Select three answers.

Install a suite of collaboration tools on each workstation.

Consider who will be using each computer.

Download the latest patches and updates for each system.

Configure the company firewall to allow network access.

A

Consider who will be using each computer.

Download the latest patches and updates for each system.

Configure the company firewall to allow network access.

64
Q

A security team is conducting a periodic vulnerability assessment on their security procedures. Their objective is to review gaps in their current procedures that could lead to a data breach. After identifying and analyzing current procedures, the team conducts a risk assessment.

What is the purpose of performing a risk assessment?

To fix vulnerabilities that have been identified

To score vulnerabilities based on their severity and impact

To adjust current security procedures

To simulate attacks that could be performed against each vulnerability

A

To score vulnerabilities based on their severity and impact

65
Q

Which of the following are types of attack surfaces? Select three answers.

Computer workstations

Malicious software

Network routers

Cloud servers

A

Computer workstations

Network routers

Cloud servers

66
Q

Fill in the blank: An attack _____ refers to the pathways attackers use to penetrate security defenses.

vector

surface

landscape

vulnerability

A

vector

67
Q

A security team is performing a vulnerability assessment on a banking app that is about to be released. Their objective is to identify the tools and methods that an attacker might use.

Which steps of an attacker mindset should the team perform to figure this out? Select three answers.

Evaluate attack vectors that can be exploited.

Identify a target.

Determine how the target can be accessed.

Consider potential threat actors.

A

Evaluate attack vectors that can be exploited.

Identify a target.

Determine how the target can be accessed.

68
Q

What are ways to protect an organization from common attack vectors? Select three answers.

By not practicing an attacker mindset

By educating employees about security vulnerabilities

By implementing effective password policies

By keeping software and systems updated

A

By educating employees about security vulnerabilities

By implementing effective password policies

By keeping software and systems updated

69
Q

Fill in the blank: _____ is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.

Baiting

Whaling

Phishing

Quid pro quo

A

Phishing

Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.

70
Q

What type of phishing uses electronic voice communications to obtain sensitive information or to impersonate a known source?

Tailgating

Angler phishing

Smishing

Vishing

A

Vishing

Vishing refers to the use of electronic voice communications to obtain sensitive information or impersonate a known source.

71
Q

Fill in the blank: The stages of a social engineering attack include to prepare, establish trust, use persuasion tactics, and ____.

disconnect from the target

stay informed of security trends

spread awareness with others

evaluate defenses

A

disconnect from the target

The stages of a social engineering attack include to prepare, establish trust, use persuasion tactics, and disconnect from the target. Attackers typically break communications with their target after collecting the information they want. They do this to cover their tracks if they decide to target others in an organization.

72
Q

Phishing kits typically contain which of the following tools to help attackers avoid detection? Select three answers.

Email filters

Fake data-collection forms

Fraudulent web links

Malicious attachments

Correct
Phishing kits typically contain tools such as malicious attachments, fake data-collection forms, and fraudulent web links in order to help attackers avoid detection.

A

Fake data-collection forms

Fraudulent web links

Malicious attachments

Phishing kits typically contain tools such as malicious attachments, fake data-collection forms, and fraudulent web links in order to help attackers avoid detection.

73
Q

Which of the following are types of malware? Select two answers.

Viruses

Credential stuffing

Spyware

Dictionary attacks

A

Viruses

Spyware

Viruses and spyware are a type of malware. A virus is designed to interfere with a computer’s operation and cause damage to data and software. Spyware collects information from users without their consent.

74
Q

Fill in the blank: ____ are malware that automatically duplicate and spread themselves across systems.

Worms

Rootkits

Trojans

Botnets

A

Worms

Worms are malware that automatically duplicate and spread themselves across systems.

75
Q

What is it called when someone’s computing resources are illegally hijacked to mine cryptocurrencies?

Spyware

Cryptojacking

Trojan horse

Rootkit

A

Cryptojacking

Cryptojacking is a cybercrime that is used to mine cryptocurrencies.

76
Q

Which of the following are common signs of a malware infection? Select three answers.

Unusual system crashes

Increased CPU usage

Slowdowns in performance

Improved battery life

A

Unusual system crashes

Increased CPU usage

Slowdowns in performance

77
Q

Fill in the blank: _____ are malicious code or behaviors that are used to take advantage of coding flaws in a web application.

Web-based exploits

Command-line interface

Social engineering

Spear phishing

A

Web-based exploits

Web-based exploits are malicious code or behaviors that are used to take advantage of coding flaws in a web application.

78
Q

Cross-site scripting (XSS) attacks are often delivered by exploiting which of the following languages? Select two answers.

JavaScript

HTML

Python

SQL

A

JavaScript

HTML

XSS attacks are delivered by exploiting the two languages used by most websites, HTML and JavaScript.

79
Q

Fill in the blank: A _____ is a coding technique that executes SQL statements before passing them onto the database.

SQL injection

phishing kit

botnet

prepared statement

A

prepared statement

A prepared statement is a coding technique that executes SQL statements before passing them onto the database. Prepared statements are used to defend against SQL injection attacks by validating code before performing a query.

80
Q

What are two examples of when SQL injections can take place?

When a malicious script exists in the webpage a browser loads

When using the login form to access a site

When a malicious script is injected directly on the server

When a user enters their credentials

A

When using the login form to access a site

When a user enters their credentials

Two examples of when SQL injections can take place are when using the login form to access a site and when a user enters their credentials. SQL injection can take place in areas of the website that are designed to accept user input.

81
Q

In a SQL injection attack, malicious hackers attempt to obtain which of the following? Select two answers.

Categorize the environment

Gain administrative rights

Exploiting languages

Sensitive information

A

Gain administrative rights

Sensitive information

In a SQL injection attack, malicious hackers attempt to obtain sensitive information and gain administrative rights.

82
Q

Fill in the blank: Threat modeling is a process that security teams use to _____ attacks.

engineer

anticipate

remediate

conduct

A

anticipate

Threat modeling is a process security teams use to anticipate attacks by examining organizational assets from a security-related perspective.

83
Q

Which of the following are steps of a threat modeling process? Select three answers.

Characterize the environment.

Mitigate risks.

Identify threats.

Classify assets.

A

Characterize the environment.

Mitigate risks.

Identify threats.

Identify threats, characterize the environment, and mitigate risks are some steps of a typical threat modeling process. Identifying threats is the second step of the process when security teams define any potential threats to their assets.

84
Q

A threat modeling team has identified potential threats and vulnerabilities that might be exploited. The team creates a diagram that maps the threats to assets. What type of diagram is this known as?

An attacker mindset

An attack tree

An attack vector

An attack surface

A

An attack tree

The type of diagram the team created is an attack tree. An attack tree is a diagram that maps threats to assets.

85
Q

Which of the following are threat modeling frameworks? Select two answers.

XSS

NIST

Trike

PASTA

A

Trike

PASTA

PASTA and Trike are threat modeling frameworks. Like other threat modeling frameworks, they can be used to proactively reduce risks to a system or business process.

86
Q

What are the objectives of PASTA or any other threat modeling activity? Select three answers.

Document potential risks.

Prepare fixes.

Improve security plans.

Eliminate all future attacks.

A

Document potential risks.

Prepare fixes.

Improve security plans.

The objectives of PASTA or any other threat modeling activity is to document potential risks, prepare fixes, and improve security plans. Threat modeling captures the current state of a security plan and highlights how it can be improved.

87
Q

Which of the following could be examples of social engineering attacks? Select three answers.

A lost record of important customer information

A pop-up advertisement promising a large cash reward in return for sensitive information

An unfamiliar employee asking you to hold the door open to a restricted area

An email urgently asking you to send money to help a friend who is stuck in a foreign country

A

A pop-up advertisement promising a large cash reward in return for sensitive information

An unfamiliar employee asking you to hold the door open to a restricted area

An email urgently asking you to send money to help a friend who is stuck in a foreign country

88
Q

What is the main difference between a vishing attack and a smishing attack?

Vishing is used to target executives at an organization.

Vishing involves a widespread email campaign to steal information.

Vishing makes use of voice calls to trick targets.

Vishing exploits social media posts to identify targets.

A

Vishing makes use of voice calls to trick targets.

89
Q

A digital artist receives a free version of professional editing software online that has been infected with malware. After installing the program, their computer begins to freeze and crash repeatedly.

The malware hidden in this editing software is an example of which type of malware?

Spyware

Scareware

Adware

Trojan

A

Trojan

90
Q

What are the characteristics of a ransomware attack? Select three answers.

Attackers make themselves known to their targets.

Attackers encrypt data on the device without the user’s permission.

Attackers display unwanted advertisements on the device.

Attackers demand payment to restore access to a device.

A

Attackers make themselves known to their targets.

Attackers encrypt data on the device without the user’s permission.

Attackers demand payment to restore access to a device.

91
Q

Which of the following are common signs that a computer is infected with cryptojacking software? Select three answers.

Unusually high electricity costs

Increased CPU usage

Sudden system crashes

Modified or deleted files

A

Unusually high electricity costs

Increased CPU usage

Sudden system crashes

92
Q

What is malicious code that is inserted into a vulnerable application called?

Injection attack

Cryptojacking

Social engineering

Input validation

A

Injection attack

93
Q

An attacker sends a malicious link to subscribers of a sports news site. If someone clicks the link, a malicious script is sent to the site’s server and activated during the server’s response.

This is an example of what type of injection attack?

Stored

Reflected

SQL injection

DOM-based

A

Reflected

94
Q

Which of the following are areas of a website that are vulnerable to SQL injection? Select two answers.

Pop-up advertisements

Social media feeds

Credit card payment forms

User login pages

A

Credit card payment forms

User login pages

95
Q

A small business that sells online courses conducted a threat modeling exercise on its data systems. The team conducting the exercise started by defining the scope of the model. Then, they identified threat actors who might target the data systems. Next, the team is creating a diagram that maps threats to assets that are being protected.

What is this type of diagram called?

Attack tree

Rainbow table

User provisioning

Bug bounty

A

Attack tree

96
Q

During which stage of the PASTA framework is an attack tree created?

Attack modeling

Vulnerability analysis

Decomposing an application

Threat analysis

A

Attack modeling

Google Cybersecurity Quizes (8 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions