Quiz 2 Flashcards

1
Q

Which of the following is not a denial-of-service attack?
Exploiting a flaw in a program to consume 100 percent of the CPU
Sending malformed packets to a system, causing it to freeze
Performing a brute-force attack against a known user account
Sending thousands of emails to a single address

A

Performing a brute-force attack against a known user account

2
Q

Why is spam so difficult to stop?
Filters are ineffective at blocking inbound messages.
The source address is usually spoofed.
It is an attack requiring little expertise.
Spam can cause denial-of-service attacks.

A

The source address is usually spoofed.

3
Q

Which of the following is not a benefit of NAT?
Hiding the internal IP addressing scheme
Sharing a few public Internet addresses with a large number of
internal clients
Using the private IP addresses from RFC 1918 on an internal
network
Filtering network traffic to prevent brute-force attacks

A

Filtering network traffic to prevent brute-force attacks

4
Q
Which of the following can prevent e-mail spoofing?
Pretty good privacy
Point-to-point protocol
Microcom networking protocol
Password authentication protocol
A

Pretty good privacy

5
Q

Countermeasures against sniffers do not include which of the
following?
Using a recent version of the secure shell protocol.
Applying end-to-end encryption.
Using packet filters.
Implementing robust authentication techniques.

A

Using packet filters.

6
Q
A virtual private network (VPN) cannot provide or improve which of
the following security services?
Availability
Confidentiality
Integrity
Replay protection
A

Availability

7
Q

In a distributed computing environment, system security takes on
an important role. Two types of network attacks exist: passive and
active. Which of the following is an example of a passive attack?
Attempting to log in to someone else’s account
Installing a wiretap on a network cable to generate false
messages
Denying services to legitimate users
Sniffing a system password when the user types it

A

Sniffing a system password when the user types it

8
Q
Which of the following cannot protect non-IP protocols?
IPsec
PPTP
L2TP
L2F
A

IPsec

9
Q

A major risk involving the use of packet-switching networking is that:
It is possible that some packets can arrive at their destinations
out of sequence.
It is not possible to vary the routing of packets depending on
network conditions.
Terminals attached to a public data network may not have
enough intelligence.
Terminals attached to a public data network may not have
enough storage capacity.

A

It is possible that some packets can arrive at their destinations
out of sequence.

10
Q
Frame relay and X.25 networks are part of which of the following?
Circuit-switched services
Cell-switched services
Packet-switched services
Dedicated digital services
A

Packet-switched services

11
Q
What is it called when email itself is used as an attack mechanism?
Masquerading
Spoofing
Mail-bombing
Smurf attack
A

Mail-bombing

12
Q
What are the two common data classification schemes?
Military and private sector
Personal and government
Private sector and unrestricted sector
Classified and unclassified
A

Military and private sector

13
Q
When seeking to hire new employees, what is the first step?
Create a job description.
Set position classification.
Screen candidates.
Request resumes.
A

Create a job description.

14
Q

Which of the following is a primary purpose of an exit interview?
To return the exiting employee’s personal belongings
To review the nondisclosure agreement
To evaluate the exiting employee’s performance
To cancel the exiting employee’s network access accounts

A

To review the nondisclosure agreement

15
Q

Which of the following statements is not true?
IT security can provide protection only against logical or technical
attacks.
The process by which the goals of risk management are achieved is
known as risk analysis.
Risks to an IT infrastructure are all computer based.
An asset is anything used in a business process or task.

A

Risks to an IT infrastructure are all computer based.

16
Q
When a safeguard or a countermeasure is not present or is not sufficient, what remains?
Vulnerability
Exposure
Risk
Penetration
A

Vulnerability

17
Q

How is single loss expectancy (SLE) calculated?

Threat + vulnerability
Asset value ($) * exposure factor
Annualized rate of occurrence * vulnerability
Annualized rate of occurrence * asset value * exposure factor

A

Asset value ($) * exposure factor

18
Q

How is the value of a safeguard to a company calculated?

ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard
ALE before safeguard * ARO of safeguard
ALE after implementing safeguard – annual cost of safeguard – controls gap
Total risk – controls gap
A

ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard

19
Q
Which of the following methods for handling risk involves a third
party?
Accepting Risk 
Eliminating risk
Reducing risk
Transferring risk
A

Transferring risk

20
Q
Which of the following assists in complying with others?
Policy
Procedure
Standard
Guideline
A

Procedure

21
Q

Which of the following is not the major reason for conducting risk
assessment?
It is a good security practice.
It is required by law or regulation.
It is integrated into the system development life-cycle process.
It supports the business objectives.

A

It is required by law or regulation.

22
Q

Which of the following is not a goal of the risk management
evaluation and assessment process in ensuring that the system
continues to operate in a safe and secure manner?
Implement a strong configuration management program.
Monitor the system security on a continuous basis.
Eliminate all potential threats, vulnerabilities, and risks to the
system.
Track findings from the security control assessment process.

A

Eliminate all potential threats, vulnerabilities, and risks to the
system.

23
Q
Which of the following is not a goal of IT security?
Confidentiality
Availability 
Integrity
Aggregation
A

Aggregation

24
Q

Risk management is a major priority of the SPK Company. The
following data has been collected for one asset in the company: Natural
threats are realized once every five years. The total asset value is
$1,000,000. Every time a threat causes damage, it costs the company an
average of $100,000. The company has the choice of getting insurance
for $10,000 per year or moving to a new location that will be a one-time
cost of $35,000. The SPK priorities in the risk management strategy
are accuracy and long-term repeatability of process.
What can be done with the residual risk?
It can be either reduced or calculated.
It can be either identified or evaluated.
It can be either assigned or accepted.
It can be either exposed or assessed.

A

It can be either assigned or accepted.

25
Q

Risk management is a major priority of the SPK Company. The
following data has been collected for one asset in the company: Natural
threats are realized once every five years. The total asset value is
$1,000,000. Every time a threat causes damage, it costs the company an
average of $100,000. The company has the choice of getting insurance
for $10,000 per year or moving to a new location that will be a one-time
cost of $35,000. The SPK priorities in the risk management strategy
are accuracy and long-term repeatability of process.
Which of the following is not part of risk analysis?
Assets
Threats
Vulnerabilities
Countermeasures

A

Countermeasures

26
Q

Risk management is a major priority of the SPK Company. The
following data has been collected for one asset in the company: Natural
threats are realized once every five years. The total asset value is
$1,000,000. Every time a threat causes damage, it costs the company an
average of $100,000. The company has the choice of getting insurance
for $10,000 per year or moving to a new location that will be a one-time
cost of $35,000. The SPK priorities in the risk management strategy
are accuracy and long-term repeatability of process.
The costs and benefits of security techniques should be measured in
monetary terms where possible. Which of the following is the most
effective means to measure the cost of addressing relatively frequent
threats?
Single-occurrence losses
Annual loss expectancy
Fatal losses
Catastrophic losses

A

Annual loss expectancy

27
Q
In systems utilizing a ring protection scheme, at what level does the
security kernel reside?
Level 0
Level 1
Level 2
Level 3
A

Level 0

28
Q
Which one of the following is not part of the change management
process?
Request control
Release control
Configuration audit
Change control
A

Configuration audit

29
Q

What transaction management principle ensures that two transactions
do not interfere with each other as they operate on the same data?
Atomicity
Consistency
Isolation
Durability

A

Isolation

30
Q
Which of the following areas of software configuration management
(SCM) is executed last?
Identification
Change control
Status accounting
Audit
A

Audit

31
Q
Which of the following is an example of input validation error?
Access validation error
Configuration error
Buffer overflow error
Race condition error
A

Buffer overflow error

32
Q
What term is used to describe code objects that act on behalf of a user
and operate in an unattended manner?
Agent
Worm
Applet
Browser
A

Agent

33
Q
Which of the following protocols use many network ports?
SNMP and SMTP
TCP and UDP
ICMP and IGMP
ARP and RARP
A

TCP and UDP

34
Q
Which one of the following firewalls is simple, inexpensive, and quick to
implement?
Static packet filter firewall
Dynamic packet filter firewall
Application gateway firewall
Stateful inspection gateway firewall
A

Static packet filter firewall

35
Q
________________ firewalls are known as third-generation firewalls.
Application-level gateway
Stateful inspection
Circuit-level gateway
Static packet-filtering
A

Stateful inspection

36
Q

By examining the source and destination addresses, the application
usage, the source of origin, and the relationship between current
packets with the previous packets of the same
session, ________________ firewalls are able to grant a broader range
of access for authorized users and activities and actively watch for and
block unauthorized users and activities.
Static packet-filtering
Application-level gateway
Stateful inspection
Circuit-level gateway

A

Stateful inspection

37
Q

Which of the following protocols are used by email clients to retrieve
email messages from an email server? Check all that apply.
POP3
SMTP
IMAP

A

POP3

IMAP

38
Q
Which of the following mechanisms can reduce the risk of collusion?
Check all that apply. Pick 2.
Background checks
Separation of duties
Job rotation
Nondisclosure agreements
A

Separation of duties

Job rotation

39
Q
Which one of the following methods puts a system into a high level
of security upon detection of a failure?
Limit Checks
Fail Secure
Fail Open
A

Fail Secure

40
Q
Risk management activities are performed for periodic system reauthorization in which of the following system development life
cycle (SDLC) phases?
Initiation
Development/Acquisition
Implementation
Operation/maintenance
A

Operation/maintenance