(5) Assets, Threats, and Vulnerabilities Flashcards
What is a risk?
Anything that can impact the confidentiality, integrity, or availability of an asset
The practice of labeling assets based on sensitivity and importance to an organization
A weakness that can be exploited by a threat
Any circumstance or event that can negatively impact assets
Anything that can impact the confidentiality, integrity, or availability of an asset
A risk is anything that can impact the confidentiality, integrity, or availability of an asset.
A security professional discovers a rogue access point on their company WiFi that is not managed by the networking team. The rogue device is altering and deleting sensitive records without authorization. What is the rogue device in this scenario?
Threat
Asset
Vulnerability
Risk
Threat
The rogue device is a threat because it is negatively impacting the company’s assets.
A product team is storing customer survey data for a new project in a cloud drive. The data is only accessible to product team members while the project is in development. What is this data’s asset type?
Public
Confidential
Customer data
Internal demo
Confidential
This data is confidential. Confidential assets such as this customer survey data can only be accessed by those working on a specific project.
What is the practice of labeling assets based on sensitivity and importance to an organization?
Asset management
Asset inventory
Asset restriction
Asset classification
Asset classification
Asset classification is the practice of labeling assets based on sensitivity and importance to an organization.
What is the practice of keeping data in all states away from unauthorized users?
Network
Cybersecurity
Asset
Information security
Information security
Information security, or InfoSec, is the practice of keeping data in all states away from unauthorized users.
An employee is promoted to a new role, so their workstation is transferred to a different office. As the employee’s workstation is being relocated, what data state are its files in?
At rest
In transit
In use
In storage
At rest
The files are at rest. Data is at rest when it is not being accessed. In this scenario, moving the workstation does not change the data state.
What is an example of data in transit?
A sent email is traveling over the network to reach its destination.
A manager is editing a report on their computer.
A spreadsheet file is saved on an employee’s hard drive.
A user logs in to their online account to review their messages.
A sent email is traveling over the network to reach its destination.
An email traveling over a network to its destination is an example of data in transit.
Fill in the blank: Data is in use when it is being _____ by one or more users.
accessed
ignored
transported
classified
accessed
Data is in use when it is being accessed by one or more users.
What types of risks do security plans address? Select three answers.
Damage to assets
Loss of information
Shift of market conditions
Disclosure of data
Damage to assets
Loss of information
Disclosure of data
What are the basic elements of a security plan? Select three answers.
Regulations
Procedures
Standards
Policies
Procedures
Standards
Policies
The basic elements of a security plan are policies, standards, and procedures. Policies are rules that reduce risk and protect information. Standards are references that inform how to set policies. And procedures are step-by-step instructions to perform a specific security task.
Fill in the blank: The NIST CSF is a _____ framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
voluntary
mandatory
limited
rigid
voluntary
The NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. It is a comprehensive framework with a flexible design that can be used in any industry.
What are some benefits of the NIST Cybersecurity Framework (CSF)? Select three answers.
It’s adaptable to fit the needs of any business.
It can be used to identify and assess risk.
It is required to do business online.
It helps organizations achieve regulatory standards.
It’s adaptable to fit the needs of any business.
It can be used to identify and assess risk.
It helps organizations achieve regulatory standards.
Some benefits of the CSF are that it’s adaptable to fit the needs of any business, it helps organizations achieve regulatory standards, and it can be used to identify and assess risk.
An attacker spreads malicious software within an organization, which executes unauthorized actions on the organization’s systems. What does this scenario describe?
Procedure
Vulnerability
Regulation
Threat
Threat
Which of the following are examples of a vulnerability? Select two answers.
Attackers causing a power outage
A malfunctioning door lock
Malicious hackers stealing access credentials
An employee misconfiguring a firewall
A malfunctioning door lock
An employee misconfiguring a firewall
Which of the following refers to the process of tracking assets and the risks that affect them?
Asset inventory
Asset administration
Asset classification
Asset management
Asset management
What is an example of confidential information? Select two answers.
Press release
Employee contacts
Project documents
Marketing strategy
Project documents
Marketing strategy
Which of the following are examples of internal-only information? Select two answers.
Credit card numbers
Business plans
Employee records
Intellectual property
Business plans
Employee records
Which of the following can be prevented with effective information security? Select three answers.
Reputational damage
Compliance with regulations
Identity theft
Financial loss
Reputational damage
Compliance with regulations
Financial loss
What is an example of digital data at rest? Select two answers.
Email messages in an inbox
Letters on a table
Contracts in a file cabinet
Files on a hard drive
Email messages in an inbox
Files on a hard drive
Who should an effective security plan focus on protecting? Select three answers.
Business partners
Competitors
Customers
Employees
Business partners
Customers
Employees
What NIST Cybersecurity Framework (CSF) tier is an indication that compliance is being performed at an exemplary standard?
Level-3
Level-2
Level-4
Level-1
Level-4
Which component of the NIST Cybersecurity Framework (CSF) is used to compare the current state of a security plan to others?
Detect
Profiles
Compliance
Core
Profiles
What are categories of security controls? Select all that apply.
Privacy
Operational
Technical
Managerial
Operational
Technical
Managerial
Categories of security controls include technical, operational, and managerial. Technical controls include the technologies used to protect assets. Operational controls relate to maintaining the day-to-day security environment. And managerial controls are centered around how technical and operational controls reduce risk.
Fill in the blank: A data _____ decides who can access, edit, use, or destroy their information.
owner
custodian
protector
handler
owner
A data owner decides who can access, edit, use, or destroy their information.
A writer for a technology company is drafting an article about new software features that are being released. According to the principle of least privilege, what should the writer have access to while drafting the article? Select all that apply.
Login credentials of the software users
Other new software that is in development
The software they are reviewing
Software developers who are knowledgeable about the product
The software they are reviewing
Software developers who are knowledgeable about the product
The writer should have access to the software they are reviewing and the software developers who can help them understand what information is appropriate to share with readers.
Which privacy regulations influence how organizations approach data security? Select three answers.
Health Insurance Portability and Accountability Act (HIPAA)
General Data Protection Regulation (GDPR)
Payment Card Industry Data Security Standard (PCI DSS)
Infrastructure as a Service (IaaS)
Health Insurance Portability and Accountability Act (HIPAA)
General Data Protection Regulation (GDPR)
Payment Card Industry Data Security Standard (PCI DSS)
GDPR, PCI DSS, and HIPAA are notable privacy regulations that influence how organizations approach their information security.
Which of the following elements are required when using encryption? Select all that apply.
Key
Certificate
Cipher
Token
Key
Cipher
A cipher and a key are required when using encryption. This enables secure information exchange.
Which technologies are used in public key infrastructure (PKI) to securely exchange information online? Select two answers.
Digital certificates
General Data Protection Regulation (GDPR)
Platform as a service (PaaS)
Encryption algorithms
Digital certificates
Encryption algorithms
PKI uses encryption algorithms and digital certificates to securely exchange information online. Asymmetric and symmetric algorithms are used first to quickly and securely encrypt data. Digital certificates are used second as a way of signaling trust between the sender and receiver when exchanging encrypted data online.
Fill in the blank: _____ encryption produces a public and private key pair.
Asymmetric
Hashing
Salting
Symmetric
Asymmetric
Asymmetric encryption produces a public and private key pair that are used to encrypt and decrypt information. The public key is shared with others while the data owner manages the private key.
An attacker gains access to a database where user passwords are secured with the SHA-256 hashing algorithm. Can the attacker decrypt the user passwords?
Yes. Hash algorithms produce a decryption key.
No. Hash algorithms do not produce decryption keys.
No. Hash algorithms do not produce decryption keys.
The attacker cannot decrypt the user passwords because they are stored as a hash value that is irreversible. Only symmetric and asymmetric encryption algorithms produce decryption keys.
What term describes being unable to deny that information is authentic?
Availability
Confidentiality
Integrity
Non-repudiation
Non-repudiation
Non-repudiation means that the authenticity of information cannot be denied. It also confirms that the sender of data is who they claim to be.
What factors do authentication systems use to verify a user’s identity? Select three answers.
Characteristic
Authorization
Knowledge
Ownership
Characteristic
Knowledge
Ownership
Knowledge, ownership, and characteristic are the three factors used by authentication systems to verify a user’s identity.
How do businesses benefit from implementing single sign-on (SSO) technology? Select two answers.
By providing a better user experience
By streamlining HTTP traffic between servers
By requiring multiple forms of identification
By simplifying their user management
By providing a better user experience
By simplifying their user management
Providing a better user experience and simplifying their user management are ways that businesses benefit from implementing SSO.
A retail company has one employee that’s in charge of purchasing goods, another employee that’s in charge of approving new purchases, and a third employee that’s in charge of paying invoices. What security principle is the retail company implementing?
Authentication, authorization, and accounting (AAA)
Separation of duties
Least privilege
Non-repudiation
Separation of duties
The retail company is implementing the separation of duties principle. Separation of duties is the security principle that users should not be given levels of authorization that would allow them to misuse a system.
What are the categories of access controls? Select three answers.
Authorization
Authentication
Administration
Accounting
Authorization
Authentication
Accounting
The three categories of access controls are authentication, authorization, and accounting.
What credential does OAuth use to authenticate users?
A session cookie
A digital certificate
A one-time passcode (OTP)
An application programming interface (API) token
An application programming interface (API) token
OAuth uses an API token to authenticate users. An API token is a digital credential that is shared between a platform and a service provider to verify a user’s identity.
Which functions would fall under the category of operational security controls? Select two answers.
Responding to an incident alert
Providing security awareness training
Establishing trust using digital certificates
Exchanging encrypted information
Responding to an incident alert
Providing security awareness training
A large hotel chain collects customer email addresses as part of a national sweepstakes. As data custodians, what are the hotel chain’s responsibilities to protect this information? Select three answers.
To protect the data while in storage
To edit the data when necessary
To safely handle the data when it’s accessed
To securely transport the data over networks
To protect the data while in storage
To safely handle the data when it’s accessed
To securely transport the data over networks
What do symmetric encryption algorithms use to encrypt and decrypt information?
A digital certificate
A single secret key
A public and private key pair
A hash value
A single secret key
A security analyst is investigating a critical system file that may have been tampered with. How might the analyst verify the integrity of the system file?
By opening the system file in a word processing application and checking its version history.
By decrypting the system file's secret key using Advanced Encryption Standard (AES).
By comparing the system file's hash value to a known, trusted hash value.
By brute forcing the system file using a rainbow table.
By comparing the system file's hash value to a known, trusted hash value.
Which of the following steps are part of the public key infrastructure process? Select two answers.
Exchange of public and private keys
Exchange of encrypted information
Transfer hash digests
Establish trust using digital certificates
Exchange of encrypted information
Establish trust using digital certificates
What factors do authentication systems use to verify a user’s identity? Select three answers.
Characteristic
Accounting
Knowledge
Ownership
Characteristic
Knowledge
Ownership
What is a key advantage of multi-factor authentication compared to single sign-on?
It is faster when authenticating users.
It can grant access to multiple company resources at once.
It streamlines the authentication process.
It requires more than one form of identification before granting access to a system.
It requires more than one form of identification before granting access to a system.
The main responsibility of a receptionist at a healthcare company is to check in visitors upon arrival. When visitors check in, which kinds of information should the receptionist be able to access to complete their task? Select two answers.
The patient being visited
Their medical history
Their billing information
A photo ID
The patient being visited
A photo ID
What types of user information does an API token contain? Select two answers.
A user’s site permissions
A user’s identity
A user’s secret key
A user’s password
A user’s site permissions
A user’s secret key
A customer of an online retailer has complained that their account contains an unauthorized purchase. You investigate the incident by reviewing the retailer’s access logs. Which component of the user’s session might you review?
Session cookie
Session certificate
Session API key
Session algorithm
Session cookie
Which of the following are steps in the vulnerability management process? Select two answers.
Catalog organizational assets
Prepare defenses against threats
Identify vulnerabilities
Assign a CVE® ID
Prepare defenses against threats
Identify vulnerabilities
An organization is attacked by a vulnerability that was previously unknown. What is this exploit an example of?
A perimeter layer
A zero-day
A cipher
An asset
A zero-day
A zero-day refers to an exploit that was previously unknown.
Which layer of the defense in depth strategy is a user authentication layer that mainly filters external access?
Network
Endpoint
Perimeter
Data
Perimeter
The perimeter layer consists of authentication technologies that let verified users in.
A security researcher reports a new vulnerability to the CVE® list. Which of the following criteria must the vulnerability meet before it receives a CVE® ID? Select two answers.
It must be independently fixable.
The submission must have supporting evidence.
The vulnerability must be unknown to the developer.
It must affect multiple applications.
It must be independently fixable.
The submission must have supporting evidence.
Fill in the blank: A vulnerability ____ refers to the internal review process of an organization’s security systems.
scoring
assessment
patch
scanner
assessment
A vulnerability assessment is an internal review process of an organization’s security systems.
What are the goals of a vulnerability assessment? Select two answers.
To identify existing weaknesses
To audit regulatory compliance
To detect network traffic
To reduce overall threat exposure
To identify existing weaknesses
To reduce overall threat exposure
The goals of a vulnerability assessment are to identify existing weaknesses and reduce overall threat exposure.
Which of the following remediation examples might be implemented after a vulnerability scan? Select two answers.
Installing software updates and patches
Locating vulnerabilities in workstations
Identifying misconfigurations in an application
Training employees to follow new security procedures
Installing software updates and patches
Training employees to follow new security procedures
Examples of remediations that might be performed after a vulnerability scan include training employees on new procedures and installing software updates and patches.
What are two types of vulnerability scans? Select two answers.
Risk or threat
Patch or upgrade
Limited or comprehensive
Authenticated or unauthenticated
Limited or comprehensive
Authenticated or unauthenticated
Authenticated or unauthenticated and limited or comprehensive are two types of vulnerability scans. Internal and external is another common type of vulnerability scanning.
What is the difference between an attack vector and an attack surface?
An attack surface refers to the specific pathway of exploiting a weakness; an attack vector refers to all the weaknesses of an asset that can be exploited.
An attack surface refers to all the weaknesses of an asset that can be attacked; an attack vector refers to an outdated and vulnerable network.
An attack vector refers to the pathways attackers use to penetrate security defenses; an attack surface refers to all the vulnerabilities of an asset that can be exploited.
An attack surface refers to the specific method of attack; an attack vector refers to an outdated and vulnerable network.
An attack vector refers to the pathways attackers use to penetrate security defenses; an attack surface refers to all the vulnerabilities of an asset that can be exploited.
What are examples of security hardening? Select three answers.
Hashing all user passwords
Restarting a crashed application
Disabling unused network ports
Keeping systems patched and updated
Hashing all user passwords
Disabling unused network ports
Keeping systems patched and updated
Disabling unused network ports, hashing all user passwords, and keeping systems patched and updated are examples of security hardening.
Which steps are applied when using an attacker mindset? Select three answers.
Determine how a target can be accessed
Evaluate a target’s attack vectors
Stay in communication with a target
Identify a target
Determine how a target can be accessed
Evaluate a target’s attack vectors
Identify a target
Identifying a target, determining how they can be accessed, and evaluating their attack vectors are steps that are applied when using an attacker mindset.
How can businesses reduce the number of attack vectors they must defend? Select three answers.
By controlling access and authorization to assets
By totally restricting information from being shared
By educating users so they can participate in preventing attacks
By implementing security controls that protect information
By controlling access and authorization to assets
By educating users so they can participate in preventing attacks
By implementing security controls that protect information
Businesses can reduce the number of attack vectors they have by controlling access and authorization to assets, implementing security controls that protect information, and educating users so they can participate in preventing attacks.
Consider the following scenario:
A cloud service provider has misconfigured a cloud drive. They’ve forgotten to change the default sharing permissions. This allows all of their customers to access any data that is stored on the drive.
This misconfigured cloud drive is an example of what?
An exploit
A threat
A vulnerability
A security control
A vulnerability
Why do organizations use the defense in depth model to protect information? Select two answers.
Security teams can easily determine the “who, what, when, and how” of an attack.
Threats that penetrate one level can be contained in another.
Each layer uses unique technologies that communicate with each other.
Layered defenses reduce risk by addressing multiple vulnerabilities.
Threats that penetrate one level can be contained in another.
Layered defenses reduce risk by addressing multiple vulnerabilities.
Which layer of the defense in depth model relates to user devices that have accessed a network?
Data
Endpoint
Application
Perimeter
Endpoint
Which of the following are criteria that a vulnerability must meet to qualify for a CVE® ID? Select all that apply.
It can only affect one codebase.
It must be recognized as a potential security risk.
It must pose a financial risk.
It must be submitted with supporting evidence.
It must be independent of other issues.
It can only affect one codebase.
It must be recognized as a potential security risk.
It must be submitted with supporting evidence.
It must be independent of other issues.
A security team is preparing new workstations that will be installed in an office.
Which vulnerability management steps should they take to prepare these workstations? Select three answers.
Install a suite of collaboration tools on each workstation.
Consider who will be using each computer.
Download the latest patches and updates for each system.
Configure the company firewall to allow network access.
Consider who will be using each computer.
Download the latest patches and updates for each system.
Configure the company firewall to allow network access.
A security team is conducting a periodic vulnerability assessment on their security procedures. Their objective is to review gaps in their current procedures that could lead to a data breach. After identifying and analyzing current procedures, the team conducts a risk assessment.
What is the purpose of performing a risk assessment?
To fix vulnerabilities that have been identified
To score vulnerabilities based on their severity and impact
To adjust current security procedures
To simulate attacks that could be performed against each vulnerability
To score vulnerabilities based on their severity and impact
Which of the following are types of attack surfaces? Select three answers.
Computer workstations
Malicious software
Network routers
Cloud servers
Computer workstations
Network routers
Cloud servers
Fill in the blank: An attack _____ refers to the pathways attackers use to penetrate security defenses.
vector
surface
landscape
vulnerability
vector
A security team is performing a vulnerability assessment on a banking app that is about to be released. Their objective is to identify the tools and methods that an attacker might use.
Which steps of an attacker mindset should the team perform to figure this out? Select three answers.
Evaluate attack vectors that can be exploited.
Identify a target.
Determine how the target can be accessed.
Consider potential threat actors.
Evaluate attack vectors that can be exploited.
Identify a target.
Determine how the target can be accessed.
What are ways to protect an organization from common attack vectors? Select three answers.
By not practicing an attacker mindset
By educating employees about security vulnerabilities
By implementing effective password policies
By keeping software and systems updated
By educating employees about security vulnerabilities
By implementing effective password policies
By keeping software and systems updated
Fill in the blank: _____ is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.
Baiting
Whaling
Phishing
Quid pro quo
Phishing
Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.
What type of phishing uses electronic voice communications to obtain sensitive information or to impersonate a known source?
Tailgating
Angler phishing
Smishing
Vishing
Vishing
Vishing refers to the use of electronic voice communications to obtain sensitive information or impersonate a known source.
Fill in the blank: The stages of a social engineering attack are to prepare, establish trust, use persuasion tactics, and ____.
disconnect from the target
stay informed of security trends
spread awareness with others
evaluate defenses
disconnect from the target
The stages of a social engineering attack are to prepare, establish trust, use persuasion tactics, and disconnect from the target. Attackers typically break communications with their target after collecting the information they want. They do this to cover their tracks if they decide to target others in an organization.
Phishing kits typically contain which of the following tools to help attackers avoid detection? Select three answers.
Email filters
Fake data-collection forms
Fraudulent web links
Malicious attachments
Fake data-collection forms
Fraudulent web links
Malicious attachments
Phishing kits typically contain tools such as malicious attachments, fake data-collection forms, and fraudulent web links in order to help attackers avoid detection.
Which of the following are types of malware? Select two answers.
Viruses
Credential stuffing
Spyware
Dictionary attacks
Viruses
Spyware
Viruses and spyware are types of malware. A virus is designed to interfere with a computer’s operation and cause damage to data and software. Spyware collects information from users without their consent.
Fill in the blank: ____ are malware that automatically duplicate and spread themselves across systems.
Worms
Rootkits
Trojans
Botnets
Worms
Worms are malware that automatically duplicate and spread themselves across systems.
What is it called when someone’s computing resources are illegally hijacked to mine cryptocurrencies?
Spyware
Cryptojacking
Trojan horse
Rootkit
Cryptojacking
Cryptojacking is a cybercrime in which a victim’s computing resources are illegally hijacked to mine cryptocurrencies.
Which of the following are common signs of a malware infection? Select three answers.
Unusual system crashes
Increased CPU usage
Slowdowns in performance
Improved battery life
Unusual system crashes
Increased CPU usage
Slowdowns in performance
Fill in the blank: _____ are malicious code or behaviors that are used to take advantage of coding flaws in a web application.
Web-based exploits
Command-line interface
Social engineering
Spear phishing
Web-based exploits
Web-based exploits are malicious code or behaviors that are used to take advantage of coding flaws in a web application.
Cross-site scripting (XSS) attacks are often delivered by exploiting which of the following languages? Select two answers.
JavaScript
HTML
Python
SQL
JavaScript
HTML
XSS attacks are delivered by exploiting the two languages used by most websites, HTML and JavaScript.
Fill in the blank: A _____ is a coding technique that executes SQL statements before passing them onto the database.
SQL injection
phishing kit
botnet
prepared statement
prepared statement
A prepared statement is a coding technique that executes SQL statements before passing them onto the database. Prepared statements are used to defend against SQL injection attacks by validating code before performing a query.
What are two examples of when SQL injections can take place?
When a malicious script exists in the webpage a browser loads
When using the login form to access a site
When a malicious script is injected directly on the server
When a user enters their credentials
When using the login form to access a site
When a user enters their credentials
Two examples of when SQL injections can take place are when using the login form to access a site and when a user enters their credentials. SQL injection can take place in areas of the website that are designed to accept user input.
In a SQL injection attack, malicious hackers attempt to obtain which of the following? Select two answers.
Categorize the environment
Gain administrative rights
Exploiting languages
Sensitive information
Gain administrative rights
Sensitive information
In a SQL injection attack, malicious hackers attempt to obtain sensitive information and gain administrative rights.
Fill in the blank: Threat modeling is a process that security teams use to _____ attacks.
engineer
anticipate
remediate
conduct
anticipate
Threat modeling is a process security teams use to anticipate attacks by examining organizational assets from a security-related perspective.
Which of the following are steps of a threat modeling process? Select three answers.
Characterize the environment.
Mitigate risks.
Identify threats.
Classify assets.
Characterize the environment.
Mitigate risks.
Identify threats.
Identifying threats, characterizing the environment, and mitigating risks are some of the steps of a typical threat modeling process. Identifying threats is the second step of the process, in which security teams define any potential threats to their assets.
A threat modeling team has identified potential threats and vulnerabilities that might be exploited. The team creates a diagram that maps the threats to assets. What type of diagram is this known as?
An attacker mindset
An attack tree
An attack vector
An attack surface
An attack tree
The type of diagram the team created is an attack tree. An attack tree is a diagram that maps threats to assets.
Which of the following are threat modeling frameworks? Select two answers.
XSS
NIST
Trike
PASTA
Trike
PASTA
PASTA and Trike are threat modeling frameworks. Like other threat modeling frameworks, they can be used to proactively reduce risks to a system or business process.
What are the objectives of PASTA or any other threat modeling activity? Select three answers.
Document potential risks.
Prepare fixes.
Improve security plans.
Eliminate all future attacks.
Document potential risks.
Prepare fixes.
Improve security plans.
The objectives of PASTA or any other threat modeling activity are to document potential risks, prepare fixes, and improve security plans. Threat modeling captures the current state of a security plan and highlights how it can be improved.
Which of the following could be examples of social engineering attacks? Select three answers.
A lost record of important customer information
A pop-up advertisement promising a large cash reward in return for sensitive information
An unfamiliar employee asking you to hold the door open to a restricted area
An email urgently asking you to send money to help a friend who is stuck in a foreign country
A pop-up advertisement promising a large cash reward in return for sensitive information
An unfamiliar employee asking you to hold the door open to a restricted area
An email urgently asking you to send money to help a friend who is stuck in a foreign country
What is the main difference between a vishing attack and a smishing attack?
Vishing is used to target executives at an organization.
Vishing involves a widespread email campaign to steal information.
Vishing makes use of voice calls to trick targets.
Vishing exploits social media posts to identify targets.
Vishing makes use of voice calls to trick targets.
A digital artist receives a free version of professional editing software online that has been infected with malware. After installing the program, their computer begins to freeze and crash repeatedly.
The malware hidden in this editing software is an example of which type of malware?
Spyware
Scareware
Adware
Trojan
Trojan
What are the characteristics of a ransomware attack? Select three answers.
Attackers make themselves known to their targets.
Attackers encrypt data on the device without the user’s permission.
Attackers display unwanted advertisements on the device.
Attackers demand payment to restore access to a device.
Attackers make themselves known to their targets.
Attackers encrypt data on the device without the user’s permission.
Attackers demand payment to restore access to a device.
Which of the following are common signs that a computer is infected with cryptojacking software? Select three answers.
Unusually high electricity costs
Increased CPU usage
Sudden system crashes
Modified or deleted files
Unusually high electricity costs
Increased CPU usage
Sudden system crashes
What is malicious code that is inserted into a vulnerable application called?
Injection attack
Cryptojacking
Social engineering
Input validation
Injection attack
An attacker sends a malicious link to subscribers of a sports news site. If someone clicks the link, a malicious script is sent to the site’s server and activated during the server’s response.
This is an example of what type of injection attack?
Stored
Reflected
SQL injection
DOM-based
Reflected
Which of the following are areas of a website that are vulnerable to SQL injection? Select two answers.
Pop-up advertisements
Social media feeds
Credit card payment forms
User login pages
Credit card payment forms
User login pages
A small business that sells online courses conducted a threat modeling exercise on its data systems. The team conducting the exercise started by defining the scope of the model. Then, they identified threat actors who might target the data systems. Next, the team is creating a diagram that maps threats to assets that are being protected.
What is this type of diagram called?
Attack tree
Rainbow table
User provisioning
Bug bounty
Attack tree
During which stage of the PASTA framework is an attack tree created?
Attack modeling
Vulnerability analysis
Decomposing an application
Threat analysis
Attack modeling