quiz 10 Flashcards
Risk management can be defined as the identification, assessment, and prioritization of risks.
True—Risk management is defined as the identification, assessment, and prioritization of risks, and mitigating and monitoring those risks.
One of the strategies an organization might employ when managing a particular risk is to accept none of the risk.
False—There are four general strategies an organization might employ including transferring the risk, avoiding the risk, reducing the risk, and accepting some or all the consequences of a risk. It is not possible to accept none of the risk.
The ultimate goal of risk management is to reduce all risk to a level acceptable to the organization.
True—It is impossible to remove all risk, but the ultimate goal of risk management is to reduce risk to an acceptable level.
Qualitative risk assessment measures risk by using exact monetary values.
False—Qualitative risk assessment assigns numeric values to the probability of a risk. Quantitative risk assessment measures risk by using exact monetary values.
SLE X ALE = ARO
False—SLE X ARO = ALE.
Passive security analysis is when actual hands-on tests are run on a system.
False—Passive security analysis is when servers and other devices are not affected by your scans. Actual hands-on tests are run during active security analysis.
In the five steps of vulnerability management, prioritizing vulnerabilities should happen before mitigation of vulnerabilities.
True—In the five steps of vulnerability management, prioritization is third and mitigation is fourth, followed by monitoring.
OVAL is a type of penetration testing.
False—OVAL is not a type of penetration testing; it is a standard designed to regulate the transfer of secure public information across networks.
LAN Surveyor is a type of vulnerability scanner.
False—LAN Surveyor is a type of network mapping tool.
A cryptanalysis attack is a type of password-cracking method.
True—A cryptanalysis attack is one of the strongest types of password-cracking methods.
Which of the following is when a prearranged list of likely words is attempted one at a time?
A. Brute force attack
B. Dictionary attack
C. Cryptanalysis attack
D. Guessing
B. A dictionary attack uses a prearranged list of likely words, trying each one at a time.
Which of the following is a protocol analyzer?
A. Nessus
B. Cain and Abel
C. Wireshark
D. John the Ripper
C. Wireshark is a protocol analyzer. Nessus is a vulnerability scanner. Cain and Abel and John the Ripper are password-cracking tools.
You are contracted to conduct a forensics analysis of the computer. What should you do first?
A. Back up the system.
B. Analyze the files.
C. Scan for viruses.
D. Make changes to the operating system.
A. Back up the system before you do anything else. This way, you have a backup copy in case anything goes wrong when you analyze or make changes to the system.
Which of the following is a vulnerability assessment tool?
A. John the Ripper
B. AirSnort
C. Nessus
D. Cain & Abel
C. Nessus is a vulnerability assessment tool. AirSnort is used to crack wireless encryption codes. John the Ripper and Cain and Abel are password-cracking programs.
What do hackers use malicious port scanning to accomplish?
A. The “fingerprint” of the operating system
B. The topology of the network
C. All the computer names on the network
D. All the usernames and passwords
A. Port scanning can be used in a malicious way to find out all the openings to a computer’s operating system; this is known as the “fingerprint” of the operating system. Port scanning cannot find out the topology of the network, computer names, usernames, or passwords.