Quiz2_Answers Flashcards

1
Q
  1. Database transactions must be durable. This means that…
    a) Transactions are executed separately from each other
    b) All or none of the instructions in a transaction must be executed
    c) When the transaction is complete, the database must again be consistent with the rules, as it was before the transaction was executed
    d) Once transactions have been committed to the database, their effects must be preserved
A

d) Once transactions have been committed to the database, their effects must be preserved

2
Q
  1. Which one of the following statements is true?
    a) Qualitative analysis requires specific dollar valuations of assets
    b) Quantitative analysis requires subjective inputs from analysts
    c) A purely quantitative risk analysis is usually not sufficient since there are aspects that cannot be quantified
A

c) A purely quantitative risk analysis is usually not sufficient since there are aspects that cannot be quantified

3
Q
  1. Which of the following mechanisms can reduce the risk of collusion? Check all that apply. Pick 2.
    a) Background checks
    b) Separation of duties
    c) Job rotation
    d) Nondisclosure agreements
A

b) Separation of duties
c) Job rotation

4
Q
  1. Which of the following protocols are used by email clients to retrieve email messages from an email server? Check all that apply.
    a) Post Office Protocol version 3 (POP3)
    b) Simple Mail Transfer Protocol (SMTP)
    c) Internet Message Access Protocol (IMAP)
A

a) Post Office Protocol version 3 (POP3)
c) Internet Message Access Protocol (IMAP)

5
Q
  1. Which one of the following types of documents provides a step-by-step description of the actions necessary to implement specific security solutions?
    a) Security policy
    b) Standards
    c) Baselines
    d) Guidelines
    e) Procedures
A

e) Procedures

6
Q
  1. Which of the following statements about Network Address Translation (NAT) are correct? Check all that apply.
    a) NAT is a mechanism for converting internal IP addresses in a private network into public IP addresses for transmission over the Internet
    b) When a packet is received from a client, NAT changes the source address to the NAT’s address
    c) Dynamic NAT permanently assigns a specific external IP address to an internal host
    d) Stateful NAT operates by maintaining a mapping between requests made by internal clients, a client’s internal IP address, and the IP address of the Internet service contacted
A

a) NAT is a mechanism for converting internal IP addresses in a private network into public IP addresses for transmission over the Internet
b) When a packet is received from a client, NAT changes the source address to the NAT’s address
d) Stateful NAT operates by maintaining a mapping between requests made by internal clients, a client’s internal IP address, and the IP address of the Internet service contacted

7
Q
  1. The first step of risk analysis is asset inventory. This phase includes (check all that apply) …
    a) Listing all assets
    b) Calculating the likelihood of each threat.
    c) Listing all countermeasures for each threat.
    d) Assigning a dollar value to each asset
A

a) Listing all assets
d) Assigning a dollar value to each asset

8
Q
  1. The percentage loss an asset’s value would experience in the event that a threat becomes realized is called …
    a) Annualized loss expectancy (ALE)
    b) Annualized rate of occurrence (ARO)
    c) Single loss expectancy (SLE)
    d) Exposure factor (EF)
A

d) Exposure factor (EF)

9
Q
  1. Which one of the following methods puts a system into a high level of security upon detection of a failure?
    a) Limit checks
    b) Fail-secure
    c) Fail-Open
A

b) Fail-secure

10
Q
  1. You are a software development manager starting a new development project. You want to focus the development process around user stories. The development process must be efficient and have multiple iterations as changes and requirements are discovered. Which development methodology should you use?
    a) Agile
    b) Waterfall
    c) Spiral
    d) Rapid application development
A

a) Agile

11
Q
  1. The information system security plan is an important deliverable in which of the following processes?
    a) Configuration management
    b) System development life cycle
    c) Network monitoring
    d) Continuous assessment
A

b) System development life cycle

12
Q
  1. Risk management activities are performed for periodic system re-authorization in which of the following system development life cycle (SDLC) phases?
    a) Initiation
    b) Development/Acquisition
    c) Implementation
    d) Operation/maintenance
A

d) Operation/maintenance

13
Q
  1. From a risk mitigation viewpoint, which of the following is not an example of system protection controls that are part of supporting technical security controls?
    a) Modularity
    b) Layering
    c) Need-to-know
    d) Access controls
A

d) Access controls

14
Q
  1. What is the main feature of software configuration management (SCM)?
    a) Tracing of all software changes
    b) Identifying individual components
    c) Using computer-assisted software engineering tools
    d) Using compilers and assemblers
A

a) Tracing of all software changes

15
Q
  1. Which of the following are not the responsibilities of the configuration control review board?
       1. Discussing change requests
       2. Conducting impact analysis of changes
       3. Requesting funding to implement changes
       4. Notifying users of system changes
    a) 1 and 2
    b) 1 and 3
    c) 2 and 4
    d) 3 and 4
A

c) 2 and 4

16
Q
  1. In the application security environment, system or network transparency is achieved through which of the following security principles?
    a) Process isolation and hardware segmentation
    b) Abstraction and accountability
    c) Security kernel and reference monitor
    d) Complete mediation and open design
A

a) Process isolation and hardware segmentation

17
Q
  1. Which of the following levels of the software capability maturity model (CMM) is the most basic in establishing discipline and control in the software development process?
    a) Initial level
    b) Defined level
    c) Repeatable level
    d) Managed level
A

c) Repeatable level

18
Q
  1. The prudent man concept is related to which of the following?
    a) Due care and due permissions
    b) Due care and due rights
    c) Due care and due diligence
    d) Due care and due privileges
A

c) Due care and due diligence

19
Q
  1. Which of the following internetworking devices sends traffic addressed to a remote location from a local-area network (LAN) over the wide-area network (WAN) to the remote destination?
    a) Bridge
    b) Router
    c) Brouter
    d) Backbone
A

b) Router

20
Q
  1. Which of the following is implemented in Version 3 of the X.509 protocol?
    a) SSL
    b) Regular MIME
    c) SHA
    d) S/MIME
A

d) S/MIME

21
Q
  1. Which of the following can protect non-IP protocols?
    a) IPsec
    b) PPTP
    c) L2TP
    d) L2F
A

c) L2TP

22
Q
  1. Which of the following provides the HIGHEST level of confidentiality on a wireless network?
    a) Disabling SSID broadcast
    b) MAC filtering
    c) WPA2
    d) Packet switching
A

c) WPA2

23
Q
  1. Mechanisms providing for several modes of system operation, thereby facilitating secure operation by restricting processes to run in the appropriate security domain are called …
    a) Process isolation mechanisms
    b) Abstraction mechanisms
    c) Protection rings
A

c) Protection rings

24
Q
  1. Database transactions must be atomic. This means that …
    a) Transactions are executed separately from each other
    b) When a transaction is complete, the database must again be consistent with the rules, as it was before the transaction was executed
    c) All or none of the instructions in a transaction must be executed
    d) Once a transaction has been committed to the database, its effects must be preserved
A

c) All or none of the instructions in a transaction must be executed

25
Q
  1. Purchasing insurance is a way of …
    a) Mitigating a risk
    b) Transferring a risk
    c) Accepting a risk
    d) Ignoring the risk
A

b) Transferring a risk

26
Q
  1. Implementing a safeguard is a way of …
    a) Mitigating a risk
    b) Transferring a risk
    c) Accepting a risk
    d) Ignoring the risk
A

a) Mitigating a risk

27
Q
  1. Which one is not a WAN technology?
    a) X.25
    b) SMDS
    c) ATM
    d) X.400
A

d) X.400

28
Q
  1. Sara, the security administrator, must configure the corporate firewall to allow all public IP addresses on the internal interface of the firewall to be translated to one public IP address on the external interface of the same firewall. Which of the following should Sara configure?
    a) PAT
    b) NAP
    c) DNAT
    d) NAC
A

a) PAT

29
Q
  1. Personally identifiable information (PII) is …
A

PII is any data item that can be easily traced back to an individual, for example:

  • Social security numbers
  • Medical information
  • Tax information

30
Q

What's the difference between a VPN and tunneling?

A

A virtual private network (VPN) is a communication tunnel that provides point-to-point transmission of both authentication information and data traffic over an intermediary untrusted network; it uses encryption.

Tunneling is a network communications process that protects the contents of protocol packets by encapsulating them in packets of another protocol.

  • Tunneling can be used to bypass firewalls or other traffic control devices

31
Q

What are the IPsec components AH and ESP?

A

Authentication Header (AH)

Encapsulating Security Payload (ESP)

32
Q

Private IP Addresses

A

Private addresses:

  • 10.0.0.0 – 10.255.255.255: a full Class A range
  • 172.16.0.0 – 172.31.255.255: 16 Class B ranges
  • 192.168.0.0 – 192.168.255.255: 256 Class C ranges
  • Routers are configured not to forward traffic to or from these addresses

33
Q

What is NAT?

A

NAT is a mechanism for converting the internal IP addresses found in a private network into public IP addresses for transmission over the Internet.

NAT is used for:

  • Hiding the identity of internal clients
  • Masking the design of a private network
  • Keeping public IP address leasing costs to a minimum

34
Q

What are the different types of NAT?

A

Stateful NAT

Static NAT

Dynamic NAT

35
Q

Describe Stateful NAT

A

Stateful NAT maintains information about the communication sessions between clients and external systems.

NAT can operate on a one-to-one basis:

  • Only a single internal client is able to communicate over one of its leased public IP addresses at a time
  • This configuration can result in a bottleneck if more clients attempt Internet access than there are public IP addresses

36
Q

Describe Static NAT and Dynamic NAT

A

Static NAT

  • Permanently assigns a specific external IP address to an internal host
  • Enables external entities to initiate communication with systems inside the private network, even if that network uses RFC 1918 IP addresses

Dynamic NAT

  • Grants multiple internal clients access to a few leased public IP addresses

37
Q

PVC vs SVC

A

Permanent virtual circuits (PVCs)

  • A PVC is like a dedicated leased line; the logical circuit always exists and is waiting for the user to send data

Switched virtual circuits (SVCs)

  • An SVC is more like a dial-up connection because a virtual circuit has to be created before it can be used and then disassembled after the transmission is complete

38
Q

Name 3 WAN Connection Technologies

A

CSU/DSU, DTE/DCE

  • Convert LAN signals into the format used by the WAN carrier network and vice versa

X.25

  • An older PVC-based packet-switching technology that was widely used in Europe

Frame Relay

  • A packet-switching technology that also uses PVCs

ATM

  • A cell-switching WAN communication technology
    – It fragments communications into fixed-length 53-byte cells

SMDS

  • A connectionless packet-switching technology

Specialized protocols

  • SDLC, HDLC, HSSI

39
Q

Email security solutions

A

  • Secure Multipurpose Internet Mail Extensions (S/MIME) -> X.509
  • MIME Object Security Services (MOSS) -> MD5, RSA, DES
  • Privacy Enhanced Mail (PEM) -> RSA, DES, X.509
  • Pretty Good Privacy (PGP)

40
Q

What is a security policy?

A

A security policy is a document that:

  • defines the scope of security needed by the organization
  • discusses the assets that need protection and the extent to which security solutions should go in order to provide necessary protection
  • outlines the security goals and practices that should be employed to protect the organization’s vital interests
  • defines roles, responsibilities, and compliance requirements
  • defines acceptable risk levels

Security policies demonstrate due care and due diligence.

Security policies are mandatory.

Security policies can be classified as:

  • Organizational, issue-specific, or system-specific
  • Regulatory, advisory, or informative

41
Q

Mention 4 Protection Mechanisms

A

Layering

Abstraction

Data Hiding

Encryption

42
Q

What is nonrepudiation?

A

  • Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred
  • It is made possible through identity, authentication, authorization, accountability, and auditing
  • Nonrepudiation is an essential part of accountability

43
Q

Describe Quantitative Risk Analysis

A

  • Quantitative risk analysis creates a report that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards
  • A purely quantitative analysis is not possible
  • The process of quantitative risk analysis starts with asset valuation and threat identification
  • This information is then used to calculate various cost functions that are used to evaluate safeguards

44
Q

Describe Cost Functions

A

Exposure Factor (EF) or loss potential

  • The percentage of loss that an organization would experience if a specific asset were violated by a realized risk

Single Loss Expectancy (SLE)

  • The cost associated with a single realized risk against a specific asset

Annualized Rate of Occurrence (ARO)

  • The expected frequency with which a specific threat or risk will occur

Annualized Loss Expectancy (ALE)

  • The possible yearly cost of all instances of a specific realized threat against a specific asset

45
Q

6 Steps of Quantitative Analysis

A
  1. Inventory assets, and assign value (AV)
  2. List all possible threats for assets
  3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year (ARO)
  4. Calculate the annualized loss expectancy (ALE) to derive the overall loss potential per threat
  5. Inventory countermeasures for each threat
  6. Perform cost/benefit analysis, and select the most appropriate response to each threat for each asset
46
Q

Qualitative Risk Analysis

A

  • Qualitative risk analysis is scenario based
  • The process of performing qualitative risk analysis involves judgment, intuition, and experience
  • Qualitative techniques for risk analysis include:
    – Brainstorming
    – Delphi technique
    – Storyboarding
    – Focus groups

47
Q

Difference between an applet and an agent

A

  • Applets are code objects sent from a server to a client to perform some action; they are self-contained programs that execute independently of the server
  • Agents (aka bots) are intelligent code objects performing actions on behalf of a user

48
Q

What is an Aggregation Attack

A

Aggregation attacks are used to collect numerous non-sensitive data items and combine them to derive some more sensitive information

49
Q

What is an Inference Attack

A

Inference attacks

  • Pose threats similar to the threat of data aggregation
    – Combining several pieces of non-sensitive information to gain access to information that should be classified at a higher level
  • However, inference makes use of the human mind’s deductive capacity

50
Q

Phases of Agile

A

Requirements

Design

Develop

Test

Deploy

Review

51
Q

Phases of IDEAL

A

I: Initiating

D: Diagnosing

E: Establishing

A: Acting

L: Learning

52
Q

CMMI Levels

A

Level 1: Initial - Little or no defined software development process

Level 2: Repeatable - Basic life cycle management processes are introduced; repeatable results are expected from similar projects

Level 3: Defined - Software developers operate according to a set of formal, documented software development processes

Level 4: Managed - Quantitative measures are utilized to gain a detailed understanding of the development process

Level 5: Optimizing - A process of continuous improvement occurs, through feedback mechanisms between phases to improve future results

53
Q

Describe 4 Security Architecture Control Mechanisms

A

  • Process isolation mechanisms ensure that each process has its own isolated memory space for storage of data and execution of application code
  • Hardware segmentation is a technique that implements process isolation at the hardware level by enforcing memory access constraints
  • Abstraction hides details not necessary to perform certain activities
  • Protection rings provide for several modes of system operation, thereby facilitating secure operation by restricting processes to running in the appropriate security ring