Chapter 13 Flashcards
The second step in a vulnerability assessment is to determine the assets that need to be protected.
(T/F)
False
Which item below is the standard security checklist against which systems are evaluated for a security posture?
a) control
b) baseline
c) profile
d) threat
b) baseline
What security goal do the following common controls address: hashing, digital signatures, certificates, nonrepudiation tools?
a) safey
b) availability
c) confidentiality
d) integrity
d) integrity
What is the name of the process that basically takes a snapshot of the current security of an organization?
a) risk assessment
b) threat analysis
c) threat assessment
d) vulnerability appraisal
d) vulnerability appraisal
If a user uses the operating system’s “delete” command to erase data, what type of data removal procedure was used?
a) degaussing
b) purging
c) data sanitation
d) wiping
b) purging
Which of the following is used to replicate attacks during a vulnerability assessment by providing a structure of exploits and monitoring tools?
a) replication image
b) penetration framework
c) assessment image
d) exploitation framework
d) exploitation framework
List at least four things that a vulnerability scanner can do.
four things:
1) alernt when new systems are added to the network
2) detect when an application is compromised or subverted
3) detect when an internal system begins to port scan other systems
4) maintain log of all interactive network sessions
A risk management assessment is a systematic and methodical evaluation of the security posture of the enterprise.
(T/F)
False
An administrator needs to view packets and decode and analyze their contents. What type of application should the adminstrator use?
a) protocol analyzer
b) threat profiler
c) application analyzer
d) system analyzer
a) protocol analyzer
A port in what state below implies that an applicatio or service assigned to that port is listening for any instructions?
a) open port
b) close port
c) interruptible system
d) empty port
a) open port
At what point in a vulnerability assessment would an attack tree be utilized?
a. Vulnerability appraisal
b. Risk assessment
c. Risk mitigation
d. Threat evaluation
d. Threat evaluation
Which of the following is NOT true about privacy?
a. Today, individuals can achieve any level of privacy that is desired.
b. Privacy is difficult due to the volume of data silently accumulated by technology.
c. Privacy is freedom from attention, observation, or interference based on your decision.
d. Privacy is the right to be left alone to the degree that you choose.
a. Today, individuals can achieve any level of privacy that is desired.
Which of the following is NOT a risk associated with the use of private data?
a. Individual inconveniences and identity theft
b. Associations with groups
c. Statistical inferences
d. Devices being infected with malware
d. Devices being infected with malware
Which of the following is NOT an issue raised regarding how private data is gathered and used?
a. The data is gathered and kept in secret.
b. By law, all encrypted data must contain a “backdoor” entry point.
c. Informed consent is usually missing or is misunderstood.
d. The accuracy of the data cannot be verified.
b. By law, all encrypted data must contain a “backdoor” entry point.
Which of the following is a systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, and any other entity that could cause potential harm?
a. Vulnerability assessment
b. Penetration test
c. Vulnerability scan
d. Risk appraisal
a. Vulnerability assessment
Which of these should NOT be classified as an asset?
a. Business partners
b. Buildings
c. Employee databases
d. Accounts payable
d. Accounts payable
Which of the following command-line tools tests a connection between two network devices?
a. Netstat
b. Ping
c. Nslookup
d. Ifconfig
b. Ping
Which statement regarding vulnerability appraisal is NOT true?
a. Vulnerability appraisal is always the easiest and quickest step.
b. Every asset must be viewed in light of each threat.
c. Each threat could reveal multiple vulnerabilities.
d. Each vulnerability should be cataloged.
a. Vulnerability appraisal is always the easiest and quickest step.
Which of the following constructs scenarios of the types of threats that assets can face to learn who the attackers are, why they attack, and what types of attacks may occur?
a. Vulnerability prototyping
b. Risk assessment
c. Attack assessment
d. Threat modeling
d. Threat modeling
Which of the following tools is a Linux command-line protocol analyzer?
a. Wireshark
b. Tcpdump
c. IP
d. Arp
b. Tcpdump
Which of the following is a command-line alternative to Nmap?
a. Netcat
b. Statnet
c. Mapper
d. Netstat
a. Netcat
Which of these is NOT a state of a port that can be returned by a port scanner?
a. Open
b. Busy
c. Blocked
d. Closed
b. Busy
Which of the following data sensitivity labels is the highest level of data sensitivity?
a. Ultra
b. Confidential
c. Private
d. Secret
b. Confidential
Which of the following data sensitivity labels has the lowest level of data sensitivity?
a. Unrestricted
b. Public
c. Free
d. Open
b. Public
