Group 4 Flashcards by TheKake Unknown

Discretionary Access Control (DAC) restricts access according to

A. data classification labeling.
B. page views within an application.
C. authorizations granted to the user.
D. management accreditation.

How well did you know this?

Not at all

Perfectly

Retaining system logs for six months or longer can be valuable for what activities?

A. Disaster recovery and business continuity
B. Forensics and incident response
C. Identity and authorization management
D. Physical and logical access control

Answer: B

How well did you know this?

Not at all

Perfectly

Which of the following statements is TRUE regarding value boundary analysis as a functional software testing technique?

A. It is useful for testing communications protocols and graphical user interfaces.
B. It is characterized by the stateless behavior of a process implemented in a function.
C. Test inputs are obtained from the derived threshold of the given functional specifications.
D. An entire partition can be covered by considering only one representative value from that partition.

Answer: C

How well did you know this?

Not at all

Perfectly

Data leakage of sensitive information is MOST often concealed by which of the following?

A. Secure Sockets Layer (SSL)
B. Secure Hash Algorithm (SHA)
C. Wired Equivalent Privacy (WEP)
D. Secure Post Office Protocol (POP)

Answer: A

How well did you know this?

Not at all

Perfectly

Which of the following is a reason to use manual patch installation instead of automated patch management?

A. The cost required to install patches will be reduced.
B. The time during which systems will remain vulnerable to an exploit will be decreased.
C. The likelihood of system or application incompatibilities will be decreased.
D. The ability to cover large geographic areas is increased.

Answer: C

How well did you know this?

Not at all

Perfectly

Which of the following is the MOST important element of change management documentation?

A. List of components involved
B. Number of changes being made
C. Business case justification
D. A stakeholder communication

Answer: C

How well did you know this?

Not at all

Perfectly

Which Web Services Security (WS-Security) specification negotiates how security tokens will be issued, renewed and validated? Click on the correct specification in the image below.

WS-Trust

How well did you know this?

Not at all

Perfectly

The PRIMARY outcome of a certification process is that it provides documented

A. system weaknesses for remediation.
B. standards for security assessment, testing, and process evaluation.
C. interconnected systems and their implemented security controls.
D. security analyses needed to make a risk-based decision.

Answer: D

How well did you know this?

Not at all

Perfectly

Which of the following standards/guidelines requires an Information Security Management System (ISMS) to be defined?

A. International Organization for Standardization (ISO) 27000 family
B. Information Technology Infrastructure Library (ITIL)
C. Payment Card Industry Data Security Standard (PCIDSS)
D. ISO/IEC 20000

Answer: A

How well did you know this?

Not at all

Perfectly

Which of the following PRIMARILY contributes to security incidents in web-based applications?

A. Systems administration and operating systems
B. System incompatibility and patch management
C. Third-party applications and change controls
D. Improper stress testing and application interfaces

Answer: C

How well did you know this?

Not at all

Perfectly

In which order, from MOST to LEAST impacted, does user awareness training reduce the occurrence of the events below?

How well did you know this?

Not at all

Perfectly

What is the process called when impact values are assigned to the security objectives for information types?

A. Qualitative analysis
B. Quantitative analysis
C. Remediation
D. System security categorization

Answer: D

How well did you know this?

Not at all

Perfectly

Data remanence refers to which of the following?

A. The remaining photons left in a fiber optic cable after a secure transmission.
B. The retention period required by law or regulation.
C. The magnetic flux created when removing the network connection from a server or personal computer.
D. The residual information left on magnetic storage media after a deletion or erasure.

Answer: D

How well did you know this?

Not at all

Perfectly

Which of the following describes the BEST configuration management practice?

A. After installing a new system, the configuration files are copied to a separate back-up system and hashed to detect tampering.
B. After installing a new system, the configuration files are copied to an air-gapped system and hashed to detect tampering.
C. The firewall rules are backed up to an air-gapped system.
D. A baseline configuration is created and maintained for all relevant systems.

Answer: D

How well did you know this?

Not at all

Perfectly

How does Encapsulating Security Payload (ESP) in transport mode affect the Internet Protocol (IP)?

A. Encrypts and optionally authenticates the IP header, but not the IP payload
B. Encrypts and optionally authenticates the IP payload, but not the IP header
C. Authenticates the IP payload and selected portions of the IP header
D. Encrypts and optionally authenticates the complete IP packet

Answer: B

How well did you know this?

Not at all

Perfectly

Which of the following is the MOST likely cause of a non-malicious data breach when the source of the data breach was an un-marked file cabinet containing sensitive documents?

A. Ineffective data classification
B. Lack of data access controls
C. Ineffective identity management controls
D. Lack of Data Loss Prevention (DLP) tools

Answer: A

How well did you know this?

Not at all

Perfectly

Drag the following Security Engineering terms on the left to the BEST definition on the right.

How well did you know this?

Not at all

Perfectly

A security professional has been asked to evaluate the options for the location of a new data center within a multifloor building. Concerns for the data center include emanations and physical access controls.

Which of the following is the BEST location?

A. On the top floor
B. In the basement
C. In the core of the building
D. In an exterior room with windows

Answer: C

How well did you know this?

Not at all

Perfectly

In the network design below, where is the MOST secure Local Area Network (LAN) segment to deploy a Wireless Access Point (WAP) that provides contractors access to the Internet and authorized enterprise services?

LAN 4

How well did you know this?

Not at all

Perfectly

Which of the following is the PRIMARY concern when using an Internet browser to access a cloud- based service?

A. Insecure implementation of Application Programming Interfaces (API)
B. Improper use and storage of management keys
C. Misconfiguration of infrastructure allowing for unauthorized access
D. Vulnerabilities within protocols that can expose confidential data

Answer: D

How well did you know this?

Not at all

Perfectly

After a thorough analysis, it was discovered that a perpetrator compromised a network by gaining access to the network through a Secure Socket Layer (SSL) Virtual Private Network (VPN) gateway. The perpetrator guessed a username and brute forced the password to gain access. Which of the following BEST mitigates this issue?

A. Implement strong passwords authentication for VPN
B. Integrate the VPN with centralized credential stores
C. Implement an Internet Protocol Security (IPSec) client
D. Use two-factor authentication mechanisms

Answer: D

How well did you know this?

Not at all

Perfectly

For an organization considering two-factor authentication for secure network access, which of the following is MOST secure?

A. Challenge response and private key
B. Digital certificates and Single Sign-On (SSO)
C. Tokens and passphrase
D. Smart card and biometrics

Answer: D

How well did you know this?

Not at all

Perfectly

If an identification process using a biometric system detects a 100% match between a presented template and a stored template, what is the interpretation of this result?

A. User error
B. Suspected tampering
C. Accurate identification
D. Unsuccessful identification

Answer: B

How well did you know this?

Not at all

Perfectly

Regarding asset security and appropriate retention, which of the following INITIAL top three areas are important to focus on?

A. Security control baselines, access controls, employee awareness and training
B. Human resources, asset management, production management
C. Supply chain lead time, inventory control, encryption
D. Polygraphs, crime statistics, forensics

Answer: A

How well did you know this?

Not at all

Perfectly

Discretionary Access Control (DAC) is based on which of the following? A. Information source and destination B. Identification of subjects and objects C. Security labels and privileges D. Standards and guidelines

Answer: B

By carefully aligning the pins in the lock, which of the following defines the opening of a mechanical lock without the proper key? A. Lock pinging B. Lock picking C. Lock bumping D. Lock bricking

Answer: B

An organization has decided to contract with a cloud-based service provider to leverage their identity as a service offering. They will use Open Authentication (OAuth) 2.0 to authenticate external users to the organization's services. As part of the authentication process, which of the following must the end user provide? A. An access token B. A username and password C. A username D. A password

Answer: A

How does an organization verify that an information system's current hardware and software match the standard system configuration? A. By reviewing the configuration after the system goes into production B. By running vulnerability scanning tools on all devices in the environment C. By comparing the actual configuration of the system against the baseline D. By verifying all the approved security patches are implemented

Answer: C

The goal of a Business Continuity Plan (BCP) training and awareness program is to A. enhance the skills required to create, maintain, and execute the plan. B. provide for a high level of recovery in case of disaster. C. describe the recovery organization to new employees. D. provide each recovery team with checklists and procedures.

Answer: A

Which of the following disaster recovery test plans will be MOST effective while providing minimal risk? A. Read-through B. Parallel C. Full interruption D. Simulation

Answer: D

An organization has developed a major application that has undergone accreditation testing. After receiving the results of the evaluation, what is the final step before the application can be accredited? A. Acceptance of risk by the authorizing official B. Remediation of vulnerabilities C. Adoption of standardized policies and procedures D. Approval of the System Security Plan (SSP)

Answer: A

What is one way to mitigate the risk of security flaws in custom software? A. Include security language in the Earned Value Management (EVM) contract B. Include security assurance clauses in the Service Level Agreement (SLA) C. Purchase only Commercial Off-The-Shelf (COTS) products D. Purchase only software with no open source Application Programming Interfaces (APIs)

Answer: B

Which of the following is the BEST example of weak management commitment to the protection of security assets and resources? A. poor governance over security processes and procedures B. immature security controls and procedures C. variances against regulatory requirements D. unanticipated increases in security incidents and threats

Answer: A

What does an organization FIRST review to assure compliance with privacy requirements? A. Best practices B. Business objectives C. Legal and regulatory mandates D. Employee's compliance to policies and standards

Answer: C

Which security approach will BEST minimize Personally Identifiable Information (PII) loss from a data breach? A. A strong breach notification process B. Limited collection of individuals' confidential data C. End-to-end data encryption for data in transit D. Continuous monitoring of potential vulnerabilities

Answer: B

An organization lacks a data retention policy. Of the following, who is the BEST person to consult for such requirement? A. Application Manager B. Database Administrator C. Privacy Officer D. Finance Manager

Answer: C

Which of the following analyses is performed to protect information assets? A. Business impact analysis B. Feasibility analysis C. Cost benefit analysis D. Data analysis

Answer: A

Place in order, from BEST (1) to WORST (4), the following methods to reduce the risk of data remanence on magnetic media.

Which of the following methods can be used to achieve confidentiality and integrity for data in transit? A. Multiprotocol Label Switching (MPLS) B. Internet Protocol Security (IPSec) C. Federated identity management D. Multi-factor authentication

Answer: B

Secure Sockets Layer (SSL) encryption protects A. data at rest. B. the source IP address. C. data transmitted. D. data availability.

Answer: C

Which of the following are Systems Engineering Life Cycle (SELC) Technical Processes? A. Concept, Development, Production, Utilization, Support, Retirement B. Stakeholder Requirements Definition, Architectural Design, Implementation, Verification, Operation C. Acquisition, Measurement, Configuration Management, Production, Operation, Support D. Concept, Requirements, Design, Implementation, Production, Maintenance, Support, Disposal

Answer: B

Which of the following BEST describes a Protection Profile (PP)? A. A document that expresses an implementation independent set of security requirements for an IT product that meets specific consumer needs. B. A document that is used to develop an IT security product from its security requirements definition. C. A document that expresses an implementation dependent set of security requirements which contains only the security functional requirements. D. A document that represents evaluated products where there is a one-to-one correspondence between a PP and a Security Target (ST).

Answer: A

Which of the following BEST describes a rogue Access Point (AP)? A. An AP that is not protected by a firewall B. An AP not configured to use Wired Equivalent Privacy (WEP) with Triple Data Encryption Algorithm (3DES) C. An AP connected to the wired infrastructure but not under the management of authorized network administrators D. An AP infected by any kind of Trojan or Malware

Answer: C

The 802.1x standard provides a framework for what? A. Network authentication for only wireless networks B. Network authentication for wired and wireless networks C. Wireless encryption using the Advanced Encryption Standard (AES) D. Wireless network encryption using Secure Sockets Layer (SSL)

Answer: B

Single Sign-On (SSO) is PRIMARILY designed to address which of the following? A. Confidentiality and Integrity B. Availability and Accountability C. Integrity and Availability D. Accountability and Assurance

Answer: D

Which of the following is the PRIMARY security concern associated with the implementation of smart cards? A. The cards have limited memory B. Vendor application compatibility C. The cards can be misplaced D. Mobile code can be embedded in the card

Answer: C

Which of the following is a function of Security Assertion Markup Language (SAML)? A. File allocation B. Redundancy check C. Extended validation D. Policy enforcement

Answer: D

What is an important characteristic of Role Based Access Control (RBAC)? A. Supports Mandatory Access Control (MAC) B. Simplifies the management of access rights C. Relies on rotation of duties D. Requires two factor authentication

Answer: B

A Simple Power Analysis (SPA) attack against a device directly observes which of the following? A. Static discharge B. Consumption C. Generation D. Magnetism

Answer: B

Which of the following is an essential step before performing Structured Query Language (SQL) penetration tests on a production system? A. Verify countermeasures have been deactivated. B. Ensure firewall logging has been activated. C. Validate target systems have been backed up. D. Confirm warm site is ready to accept connections.

Answer: C

Which of the following activities BEST identifies operational problems, security misconfigurations, and malicious attacks? A. Policy documentation review B. Authentication validation C. Periodic log reviews D. Interface testing

Answer: C

What is the GREATEST challenge of an agent-based patch management solution? A. Time to gather vulnerability information about the computers in the program B. Requires that software be installed, running, and managed on all participating computers C. The significant amount of network bandwidth while scanning computers D. The consistency of distributing patches to each participating computer

Answer: B

Changes to a Trusted Computing Base (TCB) system that could impact the security posture of that system and trigger a recertification activity are documented in the A. security impact analysis. B. structured code review. C. routine self assessment. D. cost benefit analysis.

Answer: A

Disaster Recovery Plan (DRP) training material should be A. consistent so that all audiences receive the same training. B. stored in a fire proof safe to ensure availability when needed. C. only delivered in paper format. D. presented in a professional looking manner.

Answer: A

The MAIN reason an organization conducts a security authorization process is to A. force the organization to make conscious risk decisions. B. assure the effectiveness of security controls. C. assure the correct security organization exists. D. force the organization to enlist management support.

Answer: A

During the risk assessment phase of the project the CISO discovered that a college within the University is collecting Protected Health Information (PHI) data via an application that was developed in-house. The college collecting this data is fully aware of the regulations for Health Insurance Portability and Accountability Act (HIPAA) and is fully compliant. What is the best approach for the CISO? A. Document the system as high risk B. Perform a vulnerability assessment C. Perform a quantitative threat assessment D. Notate the information and move on

Answer: B

During the risk assessment phase of the project the CISO discovered that a college within the University is collecting Protected Health Information (PHI) data via an application that was developed in-house. The college collecting this data is fully aware of the regulations for Health Insurance Portability and Accountability Act (HIPAA) and is fully compliant. What is the best approach for the CISO? Below are the common phases to creating a Business Continuity/Disaster Recovery (BC/DR) plan. Drag the remaining BC\DR phases to the appropriate corresponding location.

The World Trade Organization's (WTO) agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) requires authors of computer software to be given the A. right to refuse or permit commercial rentals. B. right to disguise the software's geographic origin. C. ability to tailor security parameters based on location. D. ability to confirm license authenticity of their works.

Answer: A

What is the GREATEST challenge to identifying data leaks? A. Available technical tools that enable user activity monitoring. B. Documented asset classification policy and clear labeling of assets. C. Senior management cooperation in investigating suspicious behavior. D. Law enforcement participation to apprehend and interrogate suspects.

Answer: B

While investigating a malicious event, only six days of audit logs from the last month were available. What policy should be updated to address this problem? A. Retention B. Reporting C. Recovery D. Remediation

Answer: A

Who is ultimately responsible to ensure that information assets are categorized and adequate measures are taken to protect them? A. Data Custodian B. Executive Management C. Chief Information Security Officer D. Data/Information/Business Owners

Answer: B

A mobile device application that restricts the storage of user information to just that which is needed to accomplish lawful business goals adheres to what privacy principle? A. Onward transfer B. Collection Limitation C. Collector Accountability D. Individual Participation

Answer: B

Which of the following is the PRIMARY benefit of implementing data-in-use controls? A. If the data is lost, it must be decrypted to be opened. B. If the data is lost, it will not be accessible to unauthorized users. C. When the data is being viewed, it can only be printed by authorized users. D. When the data is being viewed, it must be accessed using secure protocols.

Answer: C

A health care provider is considering Internet access for their employees and patients. Which of the following is the organization's MOST secure solution for protection of data? A. Public Key Infrastructure (PKI) and digital signatures B. Trusted server certificates and passphrases C. User ID and password D. Asymmetric encryption and User ID

Answer: A

Match the objectives to the assessment questions in the governance domain of Software Assurance Maturity Model (SAMM).

Which of the following BEST describes the purpose of the security functional requirements of Common Criteria? A. Level of assurance of the Target of Evaluation (TOE) in intended operational environment B. Selection to meet the security objectives stated in test documents C. Security behavior expected of a TOE D. Definition of the roles and responsibilities

Answer: C

Application of which of the following Institute of Electrical and Electronics Engineers (IEEE) standards will prevent an unauthorized wireless device from being attached to a network? A. IEEE 802.1F B. IEEE 802.1H C. IEEE 802.1Q D. IEEE 802.1X

Answer: D

The PRIMARY security concern for handheld devices is the A. strength of the encryption algorithm. B. spread of malware during synchronization. C. ability to bypass the authentication mechanism. D. strength of the Personal Identification Number (PIN).

Answer: C

Which of the following is the BIGGEST weakness when using native Lightweight Directory Access Protocol (LDAP) for authentication? A. Authorizations are not included in the server response B. Unsalted hashes are passed over the network C. The authentication session can be replayed D. Passwords are passed in cleartext

Answer: D

A global organization wants to implement hardware tokens as part of a multifactor authentication solution for remote access. The PRIMARY advantage of this implementation is A. the scalability of token enrollment. B. increased accountability of end users. C. it protects against unauthorized access. D. it simplifies user access administration.

Answer: C

Which of the following could elicit a Denial of Service (DoS) attack against a credential management system? A. Delayed revocation or destruction of credentials B. Modification of Certificate Revocation List C. Unauthorized renewal or re-issuance D. Token use after decommissioning

Answer: B

What security risk does the role-based access approach mitigate MOST effectively? A. Excessive access rights to systems and data B. Segregation of duties conflicts within business applications C. Lack of system administrator activity monitoring D. Inappropriate access requests

Answer: A

Which of the following questions can be answered using user and group entitlement reporting? A. When a particular file was last accessed by a user B. Change control activities for a particular group of users C. The number of failed login attempts for a particular user D. Where does a particular user have access within the network

Answer: D

A network scan found 50% of the systems with one or more critical vulnerabilities. Which of the following represents the BEST action? A. Assess vulnerability risk and program effectiveness. B. Assess vulnerability risk and business impact. C. Disconnect all systems with critical vulnerabilities. D. Disconnect systems with the most number of vulnerabilities.

Answer: B

Which of the following command line tools can be used in the reconnaisance phase of a network vulnerability assessment? A. dig B. ifconfig C. ipconfig D. nbtstat

Answer: A

An organization has hired a security services firm to conduct a penetration test. Which of the following will the organization provide to the tester? A. Limits and scope of the testing. B. Physical location of server room and wiring closet. C. Logical location of filters and concentrators. D. Employee directory and organizational chart.

Answer: A

When planning a penetration test, the tester will be MOST interested in which information? A. Places to install back doors B. The main network access points C. Job application handouts and tours D. Exploits that can attack weaknesses

Answer: D

After acquiring the latest security updates, what must be done before deploying to production systems? A. Use tools to detect missing system patches B. Install the patches on a test system C. Subscribe to notifications for vulnerabilities D. Assess the severity of the situation

Answer: B

Software Code signing is used as a method of verifying what security concept? A. Integrity B. Confidentiality C. Availability D. Access Control

Answer: A

Which of the following BEST describes the purpose of performing security certification? A. To identify system threats, vulnerabilities, and acceptable level of risk B. To formalize the confirmation of compliance to security policies and standards C. To formalize the confirmation of completed risk mitigation and risk analysis D. To verify that system architecture and interconnections with other systems are effectively implemented

Answer: B

Are companies legally required to report all data breaches? A. No, different jurisdictions have different rules. B. No, not if the data is encrypted. C. No, companies' codes of ethics don't require it. D. No, only if the breach had a material impact.

Answer: A

What is the PRIMARY difference between security policies and security procedures? A. Policies are used to enforce violations, and procedures create penalties B. Policies point to guidelines, and procedures are more contractual in nature C. Policies are included in awareness training, and procedures give guidance D. Policies are generic in nature, and procedures contain operational details

Answer: D

For privacy protected data, which of the following roles has the highest authority for establishing dissemination rules for the data? A. Information Systems Security Officer B. Data Owner C. System Security Architect D. Security Requirements Analyst

Answer: B

Which of the following controls is the FIRST step in protecting privacy in an information system? A. Data Redaction B. Data Minimization C. Data Encryption D. Data Storage

Answer: B

Which of the following BEST avoids data remanence disclosure for cloud hosted resources? A. Strong encryption and deletion of the keys after data is deleted. B. Strong encryption and deletion of the virtual host after data is deleted. C. Software based encryption with two factor authentication. D. Hardware based encryption on dedicated physical servers.

Answer: A

What is the MOST efficient way to secure a production program and its data? A. Disable default accounts and implement access control lists (ACL) B. Harden the application and encrypt the data C. Disable unused services and implement tunneling D. Harden the servers and backup the data

Answer: B

If compromised, which of the following would lead to the exploitation of multiple virtual machines? A. Virtual device drivers B. Virtual machine monitor C. Virtual machine instance D. Virtual machine file system

Answer: B

Which of the following is the MOST important output from a mobile application threat modeling exercise according to Open Web Application Security Project (OWASP)? A. Application interface entry and endpoints B. The likelihood and impact of a vulnerability C. Countermeasures and mitigations for vulnerabilities D. A data flow diagram for the application and attack surface analysis

Answer: D

Which one of the following operates at the session, transport, or network layer of the Open System Interconnection (OSI) model? A. Data at rest encryption B. Configuration Management C. Integrity checking software D. Cyclic redundancy check (CRC)

Answer: D

Which of the following secures web transactions at the Transport Layer? A. Secure HyperText Transfer Protocol (S-HTTP) B. Secure Sockets Layer (SSL) C. Socket Security (SOCKS) D. Secure Shell (SSH)

Answer: B

Which of the following is the MOST effective method of mitigating data theft from an active user workstation? A. Implement full-disk encryption B. Enable multifactor authentication C. Deploy file integrity checkers D. Disable use of portable devices

Answer: D

The BEST method to mitigate the risk of a dictionary attack on a system is to A. use a hardware token. B. use complex passphrases. C. implement password history. D. encrypt the access control list (ACL).

Answer: A

Which of the following is an advantage of on-premise Credential Management Systems? A. Improved credential interoperability B. Control over system configuration C. Lower infrastructure capital costs D. Reduced administrative overhead

Answer: B

Which of the following prevents improper aggregation of privileges in Role Based Access Control (RBAC)? A. Hierarchical inheritance B. Dynamic separation of duties C. The Clark-Wilson security model D. The Bell-LaPadula security model

Answer: B

The implementation of which features of an identity management system reduces costs and administration overhead while improving audit and accountability? A. Two-factor authentication B. Single Sign-On (SSO) C. User self-service D. A metadirectory

Answer: C

Which of the following is the BEST method to assess the effectiveness of an organization's vulnerability management program? A. Review automated patch deployment reports B. Periodic third party vulnerability assessment C. Automated vulnerability scanning D. Perform vulnerability scan by security team

Answer: B

Which methodology is recommended for penetration testing to be effective in the development phase of the life-cycle process? A. White-box testing B. Software fuzz testing C. Black-box testing D. Visual testing

Answer: A

A software security engineer is developing a black box-based test plan that will measure the system's reaction to incorrect or illegal inputs or unexpected operational errors and situations. Match the functional testing techniques on the left with the correct input parameters on the right.

Which of the following is most helpful in applying the principle of LEAST privilege? A. Establishing a sandboxing environment B. Setting up a Virtual Private Network (VPN) tunnel C. Monitoring and reviewing privileged sessions D. Introducing a job rotation program

Answer: A

Which of the following explains why record destruction requirements are included in a data retention policy? A. To comply with legal and business requirements B. To save cost for storage and backup C. To meet destruction guidelines D. To validate data ownership

Answer: A