Term Test 1 Flashcards

1
Q
Which of the following contains the primary goals and objectives of security?
A. A network's border perimeter
B. The CIA Triad
C. A stand-alone system
D. The Internet
A

B. The CIA Triad

2
Q
\_\_\_\_\_\_\_\_\_\_ refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed.
A. Seclusion
B. Concealment
C. Privacy
D. Criticality
A

C. Privacy

3
Q
Which of the following is NOT considered a violation of confidentiality?
A. Stealing passwords
B. Eavesdropping
C. Hardware destruction
D. Social engineering
A

C. Hardware destruction

4
Q
If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can \_\_\_\_\_\_\_\_\_\_\_ the data, objects, and resources.
A. Control
B. Audit
C. Access
D. Repudiate
A

C. Access

5
Q
What element of data categorization management can override all other forms of access control?
A. Classification
B. Physical access
C. Custodian responsibilities
D. Taking ownership
A

D. Taking ownership

6
Q
What is the primary goal of change management?
A. Maintaining documentation
B. Keeping users informed of changes
C. Allowing rollback of failed changes
D. Preventing security compromises
A

D. Preventing security compromises

7
Q

What are the two common data classification schemes?
A. Military and private sector
B. Personal and government
C. Private sector and unrestricted sector
D. Classified and unclassified

A

A. Military and private sector

8
Q
Data classifications are used to focus security controls over all but which of the following?
A. Storage
B. Processing
C. Layering
D. Transfer
A

C. Layering

9
Q

Which of the following is not considered an example of data hiding?
A. Preventing an authorized reader of an object from deleting that object
B. Keeping a database from being accessed by unauthorized visitors
C. Restricting a subject at a lower classification level from accessing data at a higher classification level
D. Preventing an application from accessing hardware directly

A

A. Preventing an authorized reader of an object from deleting that object

10
Q
Which of the following is the weakest element in any security solution?
A. Software products
B. Internet connections
C. Security policies
D. Humans
A

D. Humans

11
Q
What is the first step that individuals responsible for the development of a business continuity plan should perform?
A. BCP team selection
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment
A

B. Business organization analysis

12
Q
Which one of the following BIA terms identifies the amount of money a business expects to lose to a given risk each year?
A. ARO
B. SLE
C. ALE
D. EF
A

C. ALE

13
Q

You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches?

A. $3,000,000
B. $2,700,000
C. $270,000
D. $135,000

A

B. $2,700,000

14
Q

You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)?

A. $750,000
B. $1.5 million
C. $7.5 million
D. $15 million

A

A. $750,000

15
Q

Which task of BCP bridges the gap between the business impact assessment and the continuity planning phases?

A. Resource prioritization
B. Likelihood assessment
C. Strategy development
D. Provisions and processes

A

C. Strategy development

The strategy development task bridges the gap between business impact assessment and continuity planning by analyzing the prioritized list of risks developed during the BIA and determining which risks will be addressed by the BCP.

16
Q

Which resource should you protect first when designing continuity plan provisions and processes?

A. Physical plant
B. Infrastructure
C. Financial
D. People

A

D. People

17
Q

Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario?

A. 0.01
B. $10,000,000
C. $100,000
D. 0.10

A

B. $10,000,000

18
Q

In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?

A. Strategy development
B. Business impact assessment
C. Provisions and processes
D. Resource prioritization

A

C. Provisions and processes

In the provisions and processes phase, the BCP team actually designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.

19
Q

What type of plan outlines the procedures to follow when a disaster interrupts the normal operations of a business?

A. Business continuity plan
B. Business impact assessment
C. Disaster recovery plan
D. Vulnerability assessment

A

C. Disaster recovery plan

20
Q

Of the individuals listed, who would provide the best endorsement for a business continuity plan’s statement of importance?

A. Vice president of business operations
B. Chief information officer
C. Chief executive officer
D. Business continuity manager

A

C. Chief executive officer

21
Q

When an employee is to be terminated, which of the following should be done?

A. Inform the employee a few hours before they are officially terminated.
B. Disable the employee’s network access just as they are informed of the termination.
C. Send out a broadcast email informing everyone that a specific employee is to be terminated.
D. Wait until you and the employee are the only people remaining in the building before announcing the termination.

A

B. Disable the employee’s network access just as they are informed of the termination.

22
Q

Which of the following is not an element of the risk analysis process?

A. Analyzing an environment for risks
B. Creating a cost/benefit report for safeguards to present to upper management
C. Selecting appropriate safeguards and implementing them
D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage

A

C. Selecting appropriate safeguards and implementing them

23
Q

Which of the following would generally not be considered an asset in a risk analysis?

A. A development process
B. An IT infrastructure
C. A proprietary system resource
D. Users’ personal files

A

D. Users’ personal files

24
Q

Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects?

A. Identification
B. Availability
C. Encryption
D. Layering

A

B. Availability

25
Q

Which of the following is not a valid definition for risk?

A. An assessment of probability, possibility, or chance
B. Anything that removes a vulnerability or protects against one or more specific threats
C. Risk = threat * vulnerability
D. Every instance of exposure

A

B. Anything that removes a vulnerability or protects against one or more specific threats

26
Q

How is single loss expectancy (SLE) calculated?

A. Threat + vulnerability
B. Asset value ($) * exposure factor
C. Annualized rate of occurrence * vulnerability
D. Annualized rate of occurrence * asset value * exposure factor

A

B. Asset value ($) * exposure factor

27
Q

How is the value of a safeguard to a company calculated?

A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard
B. ALE before safeguard * ARO of safeguard
C. ALE after implementing safeguard + annual cost of safeguard - controls gap
D. Total risk - controls gap

A

A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard
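The quantitative cards above (the avalanche, hurricane and tornado scenarios, the SLE and safeguard-value formulas) all reduce to three multiplications and one subtraction, and the arithmetic is easy to get wrong under exam pressure. The script below is an added example, not part of the original deck: it encodes SLE = AV x EF, ALE = SLE x ARO and safeguard value = ALE before - ALE after - annual cost, and reruns the three card scenarios. The tornado card gives the loss directly, so it is modelled as AV = $10M with EF = 1.0; the avalanche-control safeguard figures (ARO cut to 1 percent for $20,000 a year) are assumed values chosen only to show the cost/benefit step.

```python
"""SLE / ALE / safeguard-value arithmetic from the BIA cards above (added example)."""
from dataclasses import dataclass
from typing import Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset's value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of occurrences per year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return round(sle * aro, 2)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Safeguard value = ALE before - ALE after - annual cost of the safeguard.

    Positive: the control saves more than it costs. Negative: the organization
    would pay more for the control than the risk it removes.
    """
    return round(ale_before - ale_after - annual_cost, 2)


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle, self.aro)

    def with_safeguard(self, annual_cost: float, new_aro: Optional[float] = None,
                       new_ef: Optional[float] = None) -> dict:
        """Re-run the numbers after a countermeasure is applied.

        A countermeasure normally lowers ARO (the event becomes rarer) and/or EF
        (the damage is contained); the asset value itself does not change.
        """
        after = Scenario(self.name, self.asset_value,
                         self.exposure_factor if new_ef is None else new_ef,
                         self.aro if new_aro is None else new_aro)
        return {"ale_before": self.ale, "ale_after": after.ale,
                "annual_cost": annual_cost,
                "safeguard_value": safeguard_value(self.ale, after.ale, annual_cost)}


# Scenarios taken from the flashcards (tornado: the card states the loss
# directly, so it is modelled as AV = $10M with EF = 1.0)
AVALANCHE = Scenario("shipping facility / avalanche", 3_000_000, 0.90, 0.05)
HURRICANE = Scenario("headquarters / hurricane", 15_000_000, 0.50, 0.10)
TORNADO = Scenario("aircraft operations facility / tornado", 10_000_000, 1.00, 0.01)


def worked_examples() -> dict:
    """SLE and ALE for each card scenario, plus one assumed safeguard."""
    # Assumed figures (not from the deck): avalanche control cuts ARO to 1%
    # for $20,000 per year. Only ARO changes, as the countermeasure card says.
    avalanche_control = AVALANCHE.with_safeguard(annual_cost=20_000, new_aro=0.01)
    return {"avalanche": (AVALANCHE.sle, AVALANCHE.ale),
            "hurricane": (HURRICANE.sle, HURRICANE.ale),
            "tornado": (TORNADO.sle, TORNADO.ale),
            "avalanche_control": avalanche_control}


if __name__ == "__main__":
    for label, value in worked_examples().items():
        print(f"{label}: {value}")
```

Note that the avalanche card's distractor D ($135,000) is the ALE, not the SLE: the exam trick is to ask for one quantity and list the other as an option. Running the script shows both side by side.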

28
Q

What security control is directly focused on preventing collusion?

A. Principle of least privilege
B. Job descriptions
C. Separation of duties
D. Qualitative risk analysis

A

C. Separation of duties

29
Q

While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk?

A. Virus infection
B. Damage to equipment
C. System malfunction
D. Unauthorized access to confidential information

A

B. Damage to equipment

30
Q

You’ve performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change?

A. Exposure factor
B. Single loss expectancy
C. Asset value
D. Annualized rate of occurrence

A

D. Annualized rate of occurrence

31
Q

Which criminal law was the first to implement penalties for the creators of viruses, worms, and other types of malicious code that cause harm to computer system(s)?

A. Computer Security Act
B. National Infrastructure Protection Act
C. Computer Fraud and Abuse Act
D. Electronic Communications Privacy Act

A

C. Computer Fraud and Abuse Act

32
Q

Which law first required operators of federal interest computer systems to undergo periodic training in computer security issues?

A. Computer Security Act
B. National Infrastructure Protection Act
C. Computer Fraud and Abuse Act
D. Electronic Communications Privacy Act

A

A. Computer Security Act

33
Q

What is the broadest category of computer systems protected by the Computer Fraud and Abuse Act, as amended?

A. Government-owned systems
B. Federal interest systems
C. Systems used in interstate commerce
D. Systems located in the United States

A

C. Systems used in interstate commerce

34
Q

What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances?

A. Privacy Act
B. Electronic Communications Privacy Act
C. Health Insurance Portability and Accountability Act
D. Gramm-Leach-Bliley Act

A

A. Privacy Act

35
Q

What law formalizes many licensing arrangements used by the software industry and attempts to standardize their use from state to state?

A. Computer Security Act
B. Uniform Computer Information Transactions Act
C. Digital Millennium Copyright Act
D. Gramm-Leach-Bliley Act

A

B. Uniform Computer Information Transactions Act

36
Q

Which one of the following is not a requirement that Internet service providers must satisfy in order to gain protection under the “transitory activities” clause of the Digital Millennium Copyright Act?

A. The service provider and the originator of the message must be located in different states.
B. The transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the service provider.
C. Any intermediate copies must not ordinarily be accessible to anyone other than anticipated recipients and must not be retained for longer than reasonably necessary.
D. The transmission must be originated by a person other than the provider.

A

A. The service provider and the originator of the message must be located in different states.

37
Q

What industry is most directly impacted by the provisions of the Gramm-Leach-Bliley Act?

A. Health care
B. Banking
C. Law enforcement
D. Defense contractors

A

B. Banking

38
Q

Matthew recently authored an innovative algorithm for solving a mathematical problem, and he wants to share it with the world. However, prior to publishing the software code in a technical journal, he wants to obtain some sort of intellectual property protection. Which type of protection is best suited to his needs?

A. Copyright
B. Trademark
C. Patent
D. Trade secret

A

A. Copyright

39
Q

What is the standard duration of patent protection in the United States?

A. 14 years from the application date
B. 14 years from the date the patent is granted
C. 20 years from the application date
D. 20 years from the date the patent is granted

A

C. 20 years from the application date

Under U.S. patent law the term of a utility patent runs 20 years from the filing date of the application, not from the date the patent is granted.

40
Q

What compliance obligation relates to the processing of credit card information?

A. SOX
B. HIPAA
C. PCI DSS
D. FERPA

A

C. PCI DSS (Payment Card Industry Data Security Standard)

41
Q

Which one of the following identifies the primary purpose of information classification processes?

A. Define the requirements for protecting sensitive data.
B. Define the requirements for backing up data.
C. Define the requirements for storing data.
D. Define the requirements for transmitting data.

A

A. Define the requirements for protecting sensitive data.

42
Q

Which of the following statements correctly identifies a problem with sanitization methods?

A. Methods are not available to remove data ensuring that unauthorized personnel cannot retrieve data.
B. Even fully incinerated media can offer extractable data.
C. Personnel can perform sanitization steps improperly.
D. Stored data is physically etched into the media.

A

C. Personnel can perform sanitization steps improperly.

43
Q

Which of the following choices is the most reliable method of destroying data on a solid state drive?

A. Erasing
B. Degaussing
C. Deleting
D. Purging

A

D. Purging

44
Q

Which of the following does not erase data?

A. Clearing
B. Purging
C. Overwriting
D. Remanence

A

D. Remanence

45
Q

Which one of the following would administrators use to connect to a remote server securely for administration?

A. Telnet
B. Secure File Transfer Protocol (SFTP)
C. Secure Copy (SCP)
D. Secure Shell (SSH)

A

D. Secure Shell (SSH)

46
Q

Which one of the following data roles is most likely to assign permissions to grant users access to data?

A. Administrator
B. Custodian
C. Owner
D. User

A

A. Administrator

47
Q

Which would an administrator do to classified media before reusing it in a less secure environment?

A. Erasing
B. Clearing
C. Purging
D. Overwriting

A

C. Purging

48
Q

Which of the following best defines “rules of behavior” established by a data owner?

A. Ensuring users are granted access to only what they need
B. Determining who has access to a system
C. Identifying appropriate use and protection of data
D. Applying security controls to a system

A

C. Identifying appropriate use and protection of data

49
Q

Within the context of the European Union (EU) Data Protection law, what is a data processor?

A. The entity that processes personal data on behalf of the data controller
B. The entity that controls processing of data
C. The computing system that processes data
D. The network that processes data

A

A. The entity that processes personal data on behalf of the data controller

50
Q

What do the principles of notice, choice, onward transfer, and access closely apply to?

A. Privacy
B. Identification
C. Retention
D. Classification

A

A. Privacy

51
Q

How many keys are required to fully implement a symmetric algorithm with 10 participants?

A. 10
B. 20
C. 45
D. 100

A

C. 45

Every pair of participants needs its own shared secret key, so a symmetric system needs n(n - 1)/2 keys: (10 x 9)/2 = 45.

52
Q

How many possible keys exist in a 5-bit key space?

A. 4
B. 8
C. 16
D. 32

A

D. 32

53
Q

John recently received an email message from Bill. What cryptographic goal would need to be met to convince John that Bill was actually the sender of the message?

A. Nonrepudiation
B. Confidentiality
C. Availability
D. Integrity

A

A. Nonrepudiation

54
Q

What is the length of the cryptographic key used in the Data Encryption Standard (DES) cryptosystem?

A. 56 bits
B. 128 bits
C. 192 bits
D. 256 bits

A

A. 56 bits

55
Q

Which one of the following cipher types operates on large pieces of a message rather than individual characters or bits of a message?

A. Stream cipher
B. Caesar cipher
C. Block cipher
D. ROT3 cipher

A

C. Block cipher

56
Q

What type of cipher relies on changing the location of characters within a message to achieve confidentiality?

A. Stream cipher
B. Transposition cipher
C. Block cipher
D. Substitution cipher

A

B. Transposition cipher

57
Q

Which one of the following cannot be achieved by a secret key cryptosystem?

A. Nonrepudiation
B. Confidentiality
C. Availability
D. Key distribution

A

A. Nonrepudiation

58
Q

When correctly implemented, what is the only cryptosystem known to be unbreakable?

A. Transposition cipher
B. Substitution cipher
C. Advanced Encryption Standard
D. One-time pad

A

D. One-time pad

59
Q

What is the minimum number of cryptographic keys required for secure two-way communications in symmetric key cryptography?

A. One
B. Two
C. Three
D. Four

A

A. One

60
Q

Which one of the following Data Encryption Standard (DES) operating modes can be used for large messages with the assurance that an error early in the encryption/decryption process won’t spoil results throughout the communication?

A. Cipher Block Chaining (CBC)
B. Electronic Codebook (ECB)
C. Cipher Feedback (CFB)
D. Output Feedback (OFB)

A

D. Output Feedback (OFB)
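The reason OFB is the answer above is how each mode chains blocks: CBC feeds the previous ciphertext block into the next block's encryption, CFB uses the previous ciphertext block to generate the next keystream block, and OFB generates its keystream from the IV alone, so a damaged ciphertext bit never reaches any other block. The script below is an added example, not part of the original deck. To stay dependency-free it uses a toy 16-byte Feistel cipher built from SHA-256 in place of DES or AES (the toy cipher is for illustration only); the mode logic is the real thing. The key, IV and plaintext are constructed test values. It flips one ciphertext bit in block 1 and reports which plaintext blocks come back wrong and by how many bits.

```python
"""Error propagation in the CBC, CFB and OFB block-cipher modes (added example)."""
import hashlib

BLOCK = 16        # bytes per block
HALF = BLOCK // 2
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function (a PRF); a Feistel network never has to invert it."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher standing in for DES/AES (NOT for real use)."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left

def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        right, left = left, _xor(right, _f(key, rnd, left))
    return left + right

def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks (no padding here)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(pt):
        prev = block_encrypt(key, _xor(p, prev))          # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))     # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)

def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(pt):
        prev = _xor(p, block_encrypt(key, prev))          # C_i = P_i xor E(C_{i-1})
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, block_encrypt(key, prev)))     # P_i = C_i xor E(C_{i-1})
        prev = c
    return b"".join(out)

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB keystream O_i = E(O_{i-1}) never touches the data, so it is its own inverse."""
    out, o = [], iv
    for d in _blocks(data):
        o = block_encrypt(key, o)
        out.append(_xor(d, o))
    return b"".join(out)

MODES = {"CBC": (cbc_encrypt, cbc_decrypt),
         "CFB": (cfb_encrypt, cfb_decrypt),
         "OFB": (ofb_crypt, ofb_crypt)}

# Constructed demo values: fixed key and IV, four recognisable plaintext blocks
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()[:BLOCK]
DEMO_IV = bytes(range(BLOCK))
DEMO_PT = b"".join(bytes([i]) * BLOCK for i in range(4))

def flip_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Simulate a single transmission error."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)

def error_propagation(mode: str, damaged_block: int = 1) -> dict:
    """Flip one ciphertext bit in `damaged_block`, decrypt, and report
    {plaintext block index: number of wrong bits} for every block that changed."""
    enc, dec = MODES[mode]
    ct = enc(DEMO_KEY, DEMO_IV, DEMO_PT)
    recovered = dec(DEMO_KEY, DEMO_IV, flip_bit(ct, damaged_block * BLOCK))
    report = {}
    for i, (good, got) in enumerate(zip(_blocks(DEMO_PT), _blocks(recovered))):
        wrong = sum(bin(x ^ y).count("1") for x, y in zip(good, got))
        if wrong:
            report[i] = wrong
    return report
```

Calling `error_propagation("CBC")` reports block 1 as garbage and exactly one wrong bit in block 2; `"CFB"` reports one wrong bit in block 1 and garbage in block 2; `"OFB"` reports a single wrong bit in block 1 and nothing else. The caveat a practitioner should keep in mind is that OFB's lack of error propagation is the same property as malleability: an attacker can flip chosen plaintext bits by flipping ciphertext bits, and none of these modes detect that. Pair the mode with a MAC, or use an authenticated mode such as GCM, and do not use DES itself for new systems.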

61
Q

Many cryptographic algorithms rely on the difficulty of factoring the product of large prime numbers. What characteristic of this problem are they relying on?

A. It contains diffusion.
B. It contains confusion.
C. It is a one-way function.
D. It complies with Kerckhoffs's principle.

A

C. It is a one-way function.

62
Q

Dave is developing a key escrow system that requires multiple people to retrieve a key but does not depend on every participant being present. What type of technique is he using?

A. Split knowledge
B. M of N Control
C. Work function
D. Zero-knowledge proof

A

B. M of N Control
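The distinction the question turns on is between split knowledge (every holder must be present) and M of N control (any M of the N holders suffice). Shamir's secret sharing is the standard construction for the latter: the secret is the constant term of a random polynomial of degree M - 1 over a prime field, each holder gets one point on the curve, and any M points determine the polynomial. The script below is an added example, not part of the original deck; the 16-byte demo key is a constructed value and the XOR-based `split_knowledge` is included only to contrast the all-parts-required scheme with the threshold one.

```python
"""M of N control (Shamir secret sharing) versus split knowledge (added example)."""
import secrets
from functools import reduce

PRIME = 2 ** 127 - 1   # field for Shamir's scheme; secrets must be smaller than this


def split_secret(secret: int, threshold: int, shares: int) -> list:
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1 whose constant term is the secret (any `threshold` recover it)."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def poly(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, poly(x)) for x in range(1, shares + 1)]


def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0. With fewer than `threshold` shares this
    still returns a number, but (with overwhelming probability) the wrong one."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for k, (xk, _) in enumerate(shares):
            if k != j:
                num = num * (-xk) % PRIME
                den = den * (xj - xk) % PRIME
        total = (total + yj * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_knowledge(secret: int, parts: int) -> list:
    """Split knowledge: XOR shares, so every holder must be present to rebuild."""
    if parts < 2:
        raise ValueError("split knowledge needs at least two holders")
    pieces = [secrets.randbelow(PRIME) for _ in range(parts - 1)]
    return pieces + [reduce(lambda a, b: a ^ b, pieces, secret)]


def join_knowledge(pieces: list) -> int:
    return reduce(lambda a, b: a ^ b, pieces, 0)


# Constructed 16-byte key, interpreted as an integer so it fits the field
DEMO_KEY = int.from_bytes(b"example-key-0001", "big")

if __name__ == "__main__":
    shares = split_secret(DEMO_KEY, threshold=3, shares=5)
    print("any 3 of 5 :", recover_secret(shares[:3]) == DEMO_KEY,
          recover_secret([shares[0], shares[2], shares[4]]) == DEMO_KEY)
    print("only 2     :", recover_secret(shares[:2]) == DEMO_KEY)
    pieces = split_knowledge(DEMO_KEY, 3)
    print("all 3 XOR  :", join_knowledge(pieces) == DEMO_KEY,
          "2 of 3:", join_knowledge(pieces[:2]) == DEMO_KEY)
```

For an escrow system the threshold is the policy knob: M = 2 of N = 5 tolerates three absent custodians but lets any two collude, so it should be read together with the separation-of-duties card above. Shares in a real deployment also need integrity protection (a corrupted share interpolates silently to a wrong key), which this minimal version does not add.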

63
Q

How many encryption keys are required to fully implement an asymmetric algorithm with 10 participants?

A. 10
B. 20
C. 45
D. 100

A

B. 20

Each participant needs one key pair (a public key and a private key), so an asymmetric system needs 2n = 20 keys; 45 is the symmetric figure.

64
Q

What kind of attack makes the Caesar cipher virtually unusable?

A. Meet-in-the-middle attack
B. Escrow attack
C. Frequency analysis attack
D. Transposition attack

A

C. Frequency analysis attack
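The Caesar cipher (ROT3 is its original form) is a substitution cipher: every letter is replaced by the same other letter, so the ciphertext keeps English's lopsided letter distribution, just rotated. Frequency analysis exploits that: try each of the 26 possible shifts and keep the one whose output looks most like English. The script below is an added example, not part of the original deck. It encrypts, then recovers the shift without the key using a chi-squared comparison against the published English letter-frequency table; the sample plaintext is a constructed sentence.

```python
"""Caesar (shift) cipher and the frequency-analysis attack that breaks it (added example)."""
import string

ALPHABET = string.ascii_lowercase

# Relative frequency (%) of each letter in English text
ENGLISH_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}


def caesar_encrypt(text: str, shift: int) -> str:
    """Replace each letter with the one `shift` places later (ROT3 for shift=3)."""
    shift %= 26
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)  # spaces and punctuation pass through untouched
    return "".join(out)


def caesar_decrypt(text: str, shift: int) -> str:
    return caesar_encrypt(text, -shift)


def letter_counts(text: str) -> dict:
    counts = dict.fromkeys(ALPHABET, 0)
    for ch in text.lower():
        if ch in counts:
            counts[ch] += 1
    return counts


def chi_squared(text: str) -> float:
    """Distance between the letter distribution of `text` and English (lower = closer)."""
    counts = letter_counts(text)
    total = sum(counts.values())
    if total == 0:
        return float("inf")
    score = 0.0
    for letter, observed in counts.items():
        expected = ENGLISH_FREQ[letter] / 100 * total
        score += (observed - expected) ** 2 / expected
    return score


def break_caesar(ciphertext: str) -> int:
    """Recover the shift with no key: the candidate whose decryption looks most like English."""
    return min(range(26), key=lambda s: chi_squared(caesar_decrypt(ciphertext, s)))


# Constructed sample plaintext (long enough for letter statistics to be meaningful)
SAMPLE = ("security engineers rotate keys and review access logs because an attacker "
          "who steals a single password can move laterally across the network and "
          "exfiltrate confidential information before anyone notices the intrusion")

if __name__ == "__main__":
    ct = caesar_encrypt(SAMPLE, 3)
    print(ct)
    print("recovered shift:", break_caesar(ct))
```

The same `chi_squared` test tells the two classical families apart: a transposition cipher only moves letters around, so its output scores like plain English even though it reads as nonsense, while a substitution cipher's output scores badly until the right substitution is undone.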

65
Q

What type of cryptosystem commonly makes use of a passage from a well-known book for the encryption key?

A. Vernam cipher
B. Running key cipher
C. Skipjack cipher
D. Twofish cipher

A

B. Running key cipher

66
Q

Toby is attempting to log in to a secure system. He provides his username at the prompt and then is asked to provide a password. What stage of the access control process is taking place at that moment?

A. Identification
B. Authentication
C. Indemnification
D. Authorization

A

B. Authentication

67
Q
Which of the following storage media would not be affected by a degausser?
A. HDD
B. SSD
C. Floppy Drive
D. Tape
A

B. SSD

68
Q

What technique is most effective for removing data stored on an SSD device?

A. Erasing
B. Degaussing
C. Reformatting
D. Destruction

A

D. Destruction

69
Q

Mary recently read about a new hacking group that is using advanced tools to break into the database servers of organizations running public websites. In risk management language, how would she describe this group of hackers?

A. Risk
B. Vulnerability
C. Threat
D. Standard

A

C. Threat

70
Q

You are selecting an encryption algorithm for use in exchanging sensitive information over the Internet. Which one of the following algorithms would NOT be acceptable for use?

A. DES
B. RSA
C. AES
D. Blowfish

A

A. DES

71
Q

What is the output value of the mathematical function 18 mod 3?

A. 0
B. 1
C. 3
D. 5

A

A. 0

72
Q

Which of the following is the most secure method of deleting data on a DVD?

A. Formatting
B. Deleting
C. Destruction
D. Degaussing

A

C. Destruction

73
Q

Mary is the cofounder of Acme Widgets, a manufacturing firm. Together with her partner, Joe, she has developed a special oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property protection best suits their needs?

A. Copyright
B. Trademark
C. Patent
D. Trade secret

A

D. Trade secret

74
Q

What will be the major resource consumed by the BCP process during the BCP phase?

A. Hardware
B. Software
C. Processing time
D. Personnel

A

D. Personnel

75
Q

What is the formula used to compute the single loss expectancy for a risk scenario?

A. SLE = AV x EF
B. SLE = RO x EF
C. SLE = AV x ARO
D. SLE = EF x ARO

A

A. SLE = AV x EF

76
Q

How can a group reach an anonymous consensus while all members of that group are in the same room?

A. Delphi technique
B. Brainstorming
C. Storyboarding
D. Surveys

A

A. Delphi technique

77
Q

What is the term for the percentage of loss an asset’s value would experience in the event that a threat becomes realized?

A. Annualized loss expectancy
B. Annualized rate of occurrence
C. Single loss expectancy
D. Exposure factor

A

D. Exposure factor

78
Q

What BIA metric can be used to express the longest time a business function can be unavailable without causing irreparable harm to the organization?

A. SLE
B. EF
C. MTD
D. ARO

A

C. MTD

79
Q

When seeking to hire new employees, what is the first step?

A. Create a job description
B. Set position classification
C. Screen candidates
D. Request resumes

A

A. Create a job description