Exam 4 Flashcards

1
Q

A detailed agreement between a client and a vendor that describes the work to be performed on a project is called:

A

A. MSA
B. SLA
C. WO
D. SOW
A statement of work (SOW) is a document routinely employed in the field of project management. It is the narrative description of a project’s work requirement.

2
Q

A legal contract between the holder of confidential information and another person to whom that information is disclosed restricting that other person from disclosing the confidential information to any other party is referred to as:

A

A. ISA
B. NDA
C. BPA
D. SLA

An Interconnection Security Agreement (ISA) is a document that defines the security-related aspects of an intended connection between an agency system and an external system.

NDAs, or non-disclosure agreements, are legally enforceable contracts that create a confidential relationship between a person who has sensitive information and a person who will gain access to that information.

A service level agreement (SLA) is a negotiated agreement between two parties that outlines expectations of service.

A Service Level Agreement (SLA) in cybersecurity is a contract between a service provider, such as a Managed Security Service Provider (MSSP), and you, the client.

3
Q

Which of the terms listed below refers to a formal contract between business partners outlining the rights, responsibilities, and obligations of each partner regarding the management, operation, and decision-making processes within the business?

A

A. MSA
B. SLA
C. BPA
D. MOA

Business partnership agreements (BPA) are legal agreements between partners. This is a legal agreement that outlines the terms, conditions, and expectations between the partners.

4
Q

Which of the following terms describes an investigation or assessment done upfront to ensure all facts and risks are known before proceeding?

A

A. Fiduciary duty
B. Due care
C. Standard of care
D. Due diligence

“Due Diligence” refers to the comprehensive and thorough analysis and assessment carried out by investors, before engaging in any investment activity.

5
Q

Which of the terms listed below is used to describe actions taken to address and mitigate already identified risks?

A

A. Due diligence
B. Standard of care
C. Due care
D. Fiduciary duty

Due care refers to the reasonable steps that an organization takes to protect its information assets from unauthorized access, use, disclosure, modification, or destruction.

6
Q

Under data privacy regulations, the individual whose personal data undergoes collection and processing is known as:

A

A. Data holder
B. Data owner
C. Data user
D. Data subject

A data holder is a business that holds consumer data and must transfer the data to an accredited data recipient at the consumer’s request.

Data users are responsible for ensuring that data is stored, processed, and handled securely, and that its integrity is maintained. This includes ensuring that data is reliable, has business value, and is of clear quality. Data users should also consider how the data will be used, how long it can be kept, and who it can be shared with.

A data subject is an individual whose personal data is being collected, used, or stored by an organization. Data subjects are also known as individuals concerned. They are entitled to specific rights and protections under data protection regulations to protect their privacy and autonomy, and to give them more control over their personal data.

7
Q

Which of the following answers refers to an entity (such as an organization or individual) that determines the purpose and means of processing personal data?

A

A. Data processor
B. Data owner
C. Data controller
D. Data subject

A data controller is any person or entity that determines the purposes and means of the processing. A data processor is any person or entity that processes personal data on behalf of a data controller. A data controller or a data processor may be a natural or legal person, public authority, agency or other body.

8
Q

An entity that acts under the instructions of a controller by processing personal data on behalf of the controller is called:

A

A. Data steward
B. Data processor
C. Data subject
D. Data custodian

Data Stewards help define, implement, and enforce data management policies and procedures within their specific Data Domain. A Data Trustee may delegate to the Data Steward the authority to represent the Data Trustee in data-related policy discussions.

A data processor is an entity that processes personal data on behalf of a data controller, who is responsible for creating the contract. Data processors can be legal or natural people, agencies, public authorities, or other bodies. They can include companies, third-party companies, cloud service providers, machines, or call centers.

A data custodian is an individual or organization that manages and safeguards data for data owners. Data custodians are responsible for protecting data from unauthorized access, alteration, destruction, or usage.

9
Q

Which of the terms listed below refers to a legal principle that allows individuals to request the removal of personal information from Internet searches and other public sources?

A

A. De-identification
B. Right to be forgotten
C. Anonymization
D. Consent management

De-identification is the process of removing or altering information from a dataset to prevent it from being used to identify individuals. This can be done by masking, deleting, or otherwise obscuring sensitive data, such as personally identifiable information (PII). PII includes any data that can be used to directly or indirectly identify individuals, such as names, addresses, social security numbers, and dates of birth.

The “right to be forgotten” is the concept that an individual’s personal data stored by an organization or service provider has to be erased on the individual’s request.

10
Q

A formal declaration by an auditor that they have performed their work in accordance with all relevant standards and regulations is referred to as:

A

A. Assertion
B. Certification
C. Validation
D. Attestation

A cyber attestation is an independent review and confirmation that an organization’s cybersecurity risk management program meets the standards and requirements set out by a governing body.

11
Q

In the context of audits, an attestation is typically provided by:

A

A. Regulatory body
B. External auditor
C. Audit Committee
D. Internal audit team

Attestation in security is a process that verifies the authenticity and integrity of data, software, or hardware components.

12
Q

In cybersecurity exercises, Red team takes on the role of:

A

A. An attacker
B. A defender
C. Both an attacker and a defender
D. An exercise overseer

A red team plays the role of the attacker by trying to find vulnerabilities and break through cybersecurity defenses.

13
Q

In cybersecurity exercises, the defending team is known as:

A

A. Red team
B. Blue team
C. White team
D. Purple team

A blue team defends against attacks and responds to incidents when they occur.

14
Q

In cybersecurity exercises, the role of an event overseer (i.e., the referee) is delegated to:

A

A. Red team
B. Blue team
C. White team
D. Purple team

A cybersecurity white team is a group of information security professionals who oversee simulated cyber-attack exercises, known as red teaming exercises, to assess an organization’s security posture and incident response capabilities. White teams act as neutral observers and referees, ensuring the exercises run smoothly and within the exercise’s pre-defined scope.
Their responsibilities include:
- Establishing rules of engagement
- Establishing metrics for assessing results
- Establishing procedures for providing operational security
- Preparing the final red teaming report and the remediation plan
- Providing a neutral perspective on the red team’s findings and recommendations
- Reviewing and analyzing the data collected during the exercise

15
Q

In cybersecurity exercises, a purple team assumes the integrated role of all other teams (i.e., red, blue, and white).

A

True
x False

Purple teaming is a security methodology in which offensive security professionals (referred to as red teams) and Cyber Security Operations Centre (CSOC) professionals (referred to as blue teams) work closely together in order to enhance cyber capabilities through continuous feedback and knowledge transfer.

16
Q

A penetration test performed by an authorized professional with the full prior knowledge on how the system that is to be tested works is called:

A

A. Black-hat hacking
B. White-box testing
C. Black-box testing
D. White-hat hacking

White box testing is an approach that allows testers to inspect and verify the inner workings of a software system—its code, infrastructure, and integrations with external systems.

White hats are often referred to as security researchers and act as independent contractors to help an organization tighten its cybersecurity. Some companies employ white hat hackers to work within their company to constantly try to hack their system, exposing vulnerabilities and preventing more dangerous attacks.

17
Q

Which of the following terms is used to describe a penetration test in which the person conducting the test has limited access to information on the internal workings of the targeted system?

A

A. Black-box testing
B. Fuzz testing
C. Gray-box testing
D. White-box testing

When a white hat hacker discovers a vulnerability, they will exploit it only with permission and not tell others about it until it has been fixed. In contrast, the black hat will illegally exploit it or tell others how to do so. The gray hat will neither illegally exploit it nor tell others how to do so.

In a grey box penetration test, also known as a translucent box test, only limited information is shared with the tester. Usually this takes the form of login credentials. Grey box testing is useful to help understand the level of access a privileged user could gain and the potential damage they could cause.

Fuzz testing or fuzzing is an automated software testing method that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities.

18
Q

In penetration testing, active reconnaissance involves gathering any type of publicly available information that can be used later for exploiting vulnerabilities found in the targeted system.

A

True

x False

19
Q

A penetration test of a computer system performed without prior knowledge of how the system that is to be tested works is referred to as black-box testing.

A

x True

False

20
Q

In penetration testing, passive reconnaissance relies on gathering information on the targeted system with the use of various non-invasive software tools and techniques, such as pinging, port scanning, or OS fingerprinting.

A

True

x False

21
Q

In email communication, what signs can be of help in recognizing a phishing attempt?

A

A. The message contains poor spelling and grammar
B. The message asks for personal information
C. The message includes a call to action with a sense of urgency
D. The message includes suspicious links or attachments
E. Any of the above

22
Q

What would be an appropriate user response to an email phishing attempt? (Select all that apply)

A

A. Not replying to the message or providing any personal information
B. Reporting the message to the IT or security department, if applicable
C. Deleting the message from the inbox
D. Not clicking on any links or downloading any attachments in the message
E. Forwarding the message to the sender to verify its legitimacy
F. Opening the attachment in a sandbox environment to check its safety

23
Q

Which term best describes a disgruntled employee abusing legitimate access to a company’s internal resources?

A

A. APT
B. Insider threat
C. Gray hat
D. Threat actor

24
Q

Due to added functionality in its plug, a malicious USB cable can be used for:

A

A. GPS tracking
B. Capturing keystrokes
C. Sending and receiving commands
D. Delivering and executing malware
E. Any of the above

25
Q

What is the best countermeasure against social engineering attacks?

A

A. Situational awareness
B. Implicit deny policy
C. User education
D. Strong security controls

26
Q

An estimate based on the historical data of how often a threat would be successful in exploiting a vulnerability is known as:

A

A. ALE
B. SLA
C. ARO
D. SLE

Annual Rate of Occurrence (ARO) is simply the likelihood of a risk being compromised.

27
Q

In the context of risk assessment, the Exposure Factor (EF) is defined as the percentage of loss that a realized threat would have on an asset. If an organization has an asset valued at $10,000 and the EF is determined to be 20%, what would be the SLE?

A

A. $500
B. $2,000
C. $5,000
D. $10,000

SLE = AV (Asset Value) x EF (Exposure Factor)
SLE = $10,000 x 20% = $2,000

28
Q

Which of the answers listed below refers to a comprehensive document used in risk management and project management to identify, assess, and track risks?

A

A. Risk register
B. Risk heat map
C. Risk matrix
D. Risk repository

A risk register is a log that lists potential risks that could impact your organization and a response plan to help you stay ahead of those threats. In the last year, 54% of organizations say they’ve experienced a cyberattack, with the finance and healthcare sectors being the top two industries at risk.

29
Q

Which of the following terms is used to describe the specific level of risk an organization is prepared to accept in pursuit of its objectives?

A

A. Risk appetite
B. Risk tolerance
C. Risk acceptance
D. Risk capacity

Risk tolerance is your ability and willingness to endure fluctuations in the value of your investments. Everyone’s risk tolerance is different, and it’s influenced by multiple factors, including your time horizon, your knowledge of the markets, and your financial goals.

Risk tolerance refers to the amount of loss an investor is prepared to handle while making an investment decision. Investors are usually classified into three main categories based on how much risk they can tolerate. They include aggressive, moderate, and conservative.

30
Q

Which of the terms listed below refers to a general term that describes an organization’s overall attitude towards risk-taking?

A

A. Risk strategy
B. Risk Control
C. Risk appetite
D. Risk tolerance

Risk Appetite is the amount of risk, at a broad level, that an organization is willing to accept in pursuit of its strategic objectives. Risk Appetite reflects the risk management philosophy that a Board wants the organization to adopt and, in turn, influences its risk culture, operating style, and decision-making.

31
Q

Contracting out a specialized technical component when the company’s employees lack the necessary skills is an example of:

A

A. Risk deterrence
B. Risk avoidance
C. Risk acceptance
D. Risk transference

Risk transference, also known as risk transfer, is a risk management strategy that involves shifting the responsibility of managing risk to a third party. This can be done through outsourcing operations, purchasing insurance, or entering into contracts. The goal is to allocate risk equitably, placing responsibility on parties that are best able to control and insure against the risk.

32
Q

Cybersecurity insurance is an example of which risk management strategy?

A

A. Risk avoidance
B. Risk deterrence
C. Risk transference
D. Risk acceptance

Risk transference is where the exposure to the risk is transferred to a third party, usually as part of a financial transaction. Purchasing insurance is the most common risk transference method, though others exist.

33
Q

In the context of risk acceptance, choosing not to apply certain controls or safeguards for a specific risk is called:

A

A. Exception
B. Evasion
C. Exemption
D. Exclusion

Risk acceptance is a decision to accept risk instead of eliminating, avoiding, or mitigating it. Accepting the recognized risk without taking any mitigation measures usually means that the risk is within the risk tolerance level of the organization.

34
Q

In the risk acceptance strategy, the practice of temporarily not complying with a standard or policy due to a specific risk scenario is referred to as:

A

A. Exclusion
B. Exception
C. Evasion
D. Exemption

A business unit wants to hire a vendor that doesn’t meet policy standards. For example, an organization might make an exception to do business with a third-party vendor that isn’t fully compliant with laws, policies, or regulations.

35
Q

Disabling certain system functions or shutting down the system when risks are identified is an example of:

A

A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk deterrence

Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization and its assets. Whereas risk management aims to control the damages and financial consequences of threatening events, risk avoidance seeks to avoid compromising events entirely.

36
Q

Which of the following terms describes the process of taking proactive measures to reduce the impact of identified risks?

A

A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk mitigation

Risk mitigation is the practice of reducing the impact of potential risks by developing a plan to manage, eliminate, or limit setbacks as much as possible. After management creates and carries out the plan, they’ll monitor progress and assess whether or not they need to modify any actions.

37
Q

Which of the acronyms listed below refers to a maximum allowable time to restore critical business functions after a disruption?

A

A. SLA
B. RTO
C. MTTF
D. RPO

RTO stands for Recovery Time Objective: the maximum amount of time a business can tolerate an application, network, or system being down after a disruption. This includes the time it takes to restore the system and return data to its pre-disaster state. RTO is a service level that helps businesses avoid unacceptable consequences from a break in continuity. The amount of time that is considered acceptable can vary depending on the business and the system involved. For example, a payroll system might have an RTO of two weeks, while a financial process might have an RTO of almost zero.

38
Q

Which of the following defines the maximum acceptable amount of data loss measured by a specific point in time before a disaster or outage?

A

A. RPO
B. MTBF
C. RTO
D. MTTR

Recovery Point Objective (RPO) is the maximum acceptable amount of data loss after an unplanned data-loss incident, expressed as an amount of time.

39
Q

Which of the terms listed below is used to describe the average time required to repair a failed component or device?

A

A. MTBF
B. RPO
C. MTTR
D. SLA

MTTR is the amount of time it takes an organization to neutralize an identified threat or failure within their network environment.

Mean time to repair (MTTR), sometimes referred to as mean time to recovery, is a metric that is used to measure the average time it takes to repair a system or piece of equipment after it has failed. MTTR includes the time from when the failure occurs to when the system or equipment is fully functional again.

40
Q

A high MTBF value indicates that a component or system provides low reliability and is more likely to fail.

A

True
x False

MTBF (mean time between failures) is the average time between repairable failures of a technology product.

41
Q

Which of the following answers refers to a contractual provision that grants one party the right to inspect the other party’s operations, facilities, processes, and records?

A

A. Right-to-audit clause
B. Oversight clause
C. Compliance verification clause
D. Transparency clause

As the name suggests, a right to audit clause is a provision in a contract that gives one party the right to audit another party to the contract. This clause is commonly included in various types of agreements, such as vendor agreements, licensing agreements, partnership agreements, and more.

42
Q

A metric that represents the average amount of time a device or system is expected to operate before experiencing its first failure is known as:

A

A. MTTR
B. SLA
C. MTBR
D. MTTF

Mean Time to Failure (MTTF) measures the average time a product or system works before experiencing a failure. Tracking MTTF helps organizations reduce breakdowns and disruptions, boost performance, and make the most of resources.

43
Q

In the context of third-party risk assessment and management, which process involves conducting thorough investigations to verify the credentials, reliability, and integrity of potential vendors?

A

A. Reference check
B. Compliance review
C. Due diligence
D. Vendor appraisal

44
Q

An agreement between a service provider and users defining the nature, availability, quality, and scope of the service to be provided is called:

A

A. SOW
B. MSA
C. SLA
D. MOU

SLA stands for service level agreement. It refers to a document that outlines a commitment between a service provider and a client, including details of the service, the standards the provider must adhere to, and the metrics to measure the performance. Typically, it is IT companies that use service-level agreements.

45
Q

Which of the terms listed below refers to a situation where a party’s impartiality could be questioned due to potential personal or financial gains?

A

A. Dual relationship
B. Undue influence
C. Conflict of interest
D. Self-dealing

A faculty member accepts a board of directors’ position at a company. A professor is asked to speak at a criminology conference because of experience and knowledge and not because of a held position as Department Chair of Criminal Justice. A gift was given in recognition of service.

46
Q

Which of the following terms refers to an agreement that specifies performance requirements for a vendor?

A

A. MSA
B. SLA
C. MOU
D. SOW

47
Q

Which of the acronyms listed below refers to a formal and often legally binding document that outlines specific responsibilities, roles, and terms agreed upon by two or more parties?

A

A. SOW
B. MOA
C. MSA
D. MOU

MOA is a document written between parties to cooperatively work together on an agreed upon project or meet an agreed upon objective. The purpose of an MOA is to have a written formal understanding of the agreement between parties.

48
Q

A type of nonbinding agreement outlining mutual goals and the general framework for cooperation between two or more parties is referred to as:

A

A. MOA
B. SOW
C. MOU
D. MSA

An MOU is a written agreement designed to ensure that needed resources are available. An MOU is generally recognized as binding; however, a legal claim cannot be based on the document. It should be customized to the capability or resource for which the agreement is developed.

49
Q

A type of legally binding contract that establishes the foundational terms and conditions governing future agreements between two parties is known as:

A

A. MOU
B. SLA
C. MSA
D. SOW

Master Service Agreements (MSAs) are contracts that define the terms and conditions for transactions between a service provider and their client. They help establish a strong working relationship and ensure that security requirements are met throughout the agreement.

50
Q

Which of the following acronyms refers to a document that authorizes, initiates, and tracks the progress and completion of a particular job or task?

A

A. SOW
B. WO
C. SLA
D. MSA

A work order is a document that outlines a process for completing a maintenance task, and can include details about safety concerns.