Final

Cards (53)

  • Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is not normally used to make these types of classification decisions?
    Threat
  • Antivirus, firewall, and email use policies belong to what part of a security policy hierarchy?
     Functional policies in support of organization policy
  • Regardless of the development model, the application must validate all input. Certain attacks can take advantage of weak validation. One such attack provides script code that causes a trusted user who views the input script to send malicious commands to a web server. What is this called?
    Cross-site request forgery (XSRF) 
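The card above names the attack; what the server-side check looks like is not on the page, so here is an added example (my code, not from the original card set). It uses a hypothetical in-memory Session object and two hand-written handlers, handle_transfer_unsafe and handle_transfer, to stand in for a web framework: the unsafe one trusts the session cookie alone, the hardened one requires a per-session synchronizer token that a third-party page cannot read.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical minimal session object standing in for a web framework's session.
@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

def render_transfer_form(session: Session) -> str:
    """Form served by this site: the per-session token is embedded as a hidden field."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )

def handle_transfer_unsafe(session: Session, form: dict) -> tuple[int, str]:
    """Vulnerable handler: trusts the session cookie alone.

    Any page the logged-in user visits can auto-submit a form to /transfer;
    the browser attaches the cookie, so the request looks authentic."""
    return 200, f"{session.user} sent {form['amount']} to {form['to']}"

def handle_transfer(session: Session, form: dict) -> tuple[int, str]:
    """Hardened handler: require the session-bound token on every state change.

    A cross-site page cannot read the token out of the form we served (same-origin
    policy), so a forged request arrives without it and is rejected."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, f"{session.user} sent {form['amount']} to {form['to']}"

def demo() -> tuple[int, int, int]:
    """Replay one legitimate and one forged submission against both handlers."""
    session = Session(user="alice")
    legit = {"to": "bob", "amount": "10", "csrf_token": session.csrf_token}
    # Forged request built by a third-party page: it knows the field names but not the token.
    forged = {"to": "mallory", "amount": "9999"}
    unsafe_status, _ = handle_transfer_unsafe(session, forged)
    forged_status, _ = handle_transfer(session, forged)
    legit_status, _ = handle_transfer(session, legit)
    return unsafe_status, forged_status, legit_status

if __name__ == "__main__":
    print(demo())
```

The token is compared with hmac.compare_digest so its check does not leak timing, and it is generated per session rather than per site; a SameSite cookie attribute is a useful second layer but does not replace the token, since it depends on browser support.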
  • Biyu is a network administrator. She is developing the compliance aspect of her company's security policy. Currently, she is focused on the records of actions that the organization's operating system or application software creates. What aspect of compliance is Biyu focusing on?
    Event logs 
  • Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is not a good approach for destroying data?
    Formatting
  • Donnelly is an IT specialist. He is in charge of the server and network appliances inventory. The infrastructure roadmap calls for a network systems reconfiguration in the next six months. Adina, the security expert, asks Donnelly to prepare a standardized list of all current and proposed equipment and then to present it to her in a hardware configuration chart. What does Adina tell Donnelly that the chart should include?
    Copies of all software configurations for routers and switches
  • Hajar is a network engineer. She is creating a system of access involving clearance and classification based on users and the objects they need in a secure network. She is restricting access to secure objects by users based on least privilege and which of the following?
    Need to know 
  • In an accreditation process, who has the authority to approve a system for implementation?
    Authorizing official (AO)
  • Janette is the director of her company's network infrastructure group. She is explaining to the business owners the advantages and disadvantages of outsourcing network security. One consideration she presents is the question of who would be responsible for the data, media, and infrastructure. What consideration is she describing?
    Ownership
  • Lin is creating a template for the configuration of Windows servers in her organization. The configuration includes the basic security settings that should apply to all systems. What type of document should she create?
    Baseline
  • Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking?
    Project initiation and planning
  • Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
    Access to a higher level of expertise 
  • Mia is her company's network security professional. She is developing access policies based on personnel security principles. As part of this effort, she is devising a method of taking high-security tasks and splitting them among several different employees so that no one person is responsible for knowing and performing the entire task. What practice is she developing?
    Separation of duties
  • Omar is an infrastructure security professional. After reviewing a set of professional ethics issued by his company, he is learning and adopting ethical boundaries in an attempt to demonstrate them to others. What is this called?
    Encouraging the adoption of ethical guidelines and standards
  • Rodrigo has just received an email at work from an unknown person. The sender claims to have incriminating evidence against Rodrigo and threatens to release it to his employer and his family unless he discloses certain confidential information about his employer's company. Rodrigo does not know that several other people in the organization received the same email. What form of social engineering has occurred?
    Intimidation
  • Rylie is a newly hired cybersecurity expert for a government agency. Rylie used to work in the private sector. She has discovered that, whereas private sector companies often had confusing hierarchies for data classification, the government's classifications are well known and standardized. As part of her training, she is researching data that requires special authorization beyond normal classification. What is this type of data called?
    Compartmentalized 
  • What is the correct order of change control procedures regarding changes to systems and networks?
    • Request, approval, impact assessment, build/test, monitor, implement
    • Request, impact assessment, approval, build/test, monitor, implement
    • Request, approval, impact assessment, build/test, implement, monitor
    • Request, impact assessment, approval, build/test, implement, monitor 
    Request, impact assessment, approval, build/test, implement, monitor
  • Which agreement type is typically less formal than other agreements and expresses areas of common interest?
    Memorandum of understanding (MOU)
  • What is the least likely goal of an information security awareness program? Teach users about security objectives; Inform users about trends and threats in security; Motivate users to comply with security policy; Punish users who violate the policy
    Punish users who violate policy 
  • What is not a privacy principle created by the Organisation for Economic Co-operation and Development (OECD)? An organization should share its information.   An organization should collect only what it needs.   An organization should keep its information up to date.   An organization should properly destroy its information when it is no longer needed.
    An organization should share its information.
  • Aditya is a network technician. He is collecting system data for an upcoming internal system audit. He is currently performing vulnerability testing to determine what weaknesses may exist in the network's security. What form of assessment is he conducting?
    Security testing
  • Antonio is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring?
    False positive error 
  • Because __________, auditing every part of an organization and extending into all outsourcing partners may not be possible.
    of resource constraints 
  • Cherilyn is a security consultant hired by a company to develop its system auditing protocols. She and the company's chief information officer (CIO) agree that audits are an important consideration. In her report to the CIO and other C-level officers of the corporation, she recommends that the security policy include audit categories and ______________ for conducting audits.
    frequency requirements 
  • Christopher is designing a security policy for his mid-size company. He would like to use an approach that allows a reasonable list of activities but prohibits all other activities. Which level of permission is he planning to use?
    Prudent
  • Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request?
    Service Organization Control (SOC) 2 (the detailed report on the Trust Services Criteria, which include privacy; a SOC 3 is only the general-use summary of the same engagement)
  • Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?
    Security information and event management (SIEM) system
  • Jermaine is a security administrator for his company. He is developing a defense against attacks based on network-mapping methods. He prevents the Internet Control Message Protocol (ICMP) from operating to stop attackers from using ping packets to discover the network layout, but he must also guard against operating system fingerprinting since many attacks are tailored to specific operating systems. What must Jermaine be concerned about?
    Port mapping 
  • Leola is a cybersecurity consultant hired by a company to test the effectiveness of its network's defenses. She has something in common with the malicious people who would perform the same tasks involved in _________________, except that, unlike Leola, they would not have consent to perform this action against the system.
    penetration testing
  • Lin is conducting an audit of an identity management system. Which question is not likely to be in the scope of her audit?
    Does the firewall properly block unsolicited network connection attempts?
  • Log files can help provide evidence of normal and abnormal system activity, as well as valuable information on how well security controls are doing their jobs. Regulation, policy, or log volume might dictate how much log information to keep. If a log file is subject to litigation, how long must a company keep it?
    Until the case is over 
  • Security controls place limits on activities that might pose a risk to an organization. Ricky, a security engineer for his company, is performing a review and measurement of all controls to capture changes to any environment component. What is this called?
    Monitoring
  • Takako is a security engineer for her company's IT department. She has been tasked with developing a security monitoring system for the company's infrastructure to determine when any network activity occurs outside the norm. What essential technique does she start with?
    Baselines
  • What is a goal of vulnerability testing?
    Documenting the lack of security control or misconfiguration
  • What is a set of concepts and policies for managing IT infrastructure, development, and operations? The information is published in a series of books, each covering a separate IT management topic.
     IT Infrastructure Library (ITIL) 
  • What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?
    System integrity monitoring
  • When should an organization's managers have an opportunity to respond to the findings in an audit?
    Managers have the opportunity to respond to a draft copy of the audit report. Auditors then put that response in the final report.
  • Which intrusion detection system strategy relies on pattern matching?
    Signature detection
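Two cards above touch the same mechanism: signature detection is pattern matching, and Antonio's alert on every administrator SSH login is a false positive that tuning should remove. The following is an added example (my code, not from the card set) that runs two signatures over a constructed firewall connection log, first untuned and then with the administrators' jump subnet exempted. The log lines, the 10.0.5.0/24 admin subnet, and the Signature and detect names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed sample of a firewall connection log (not real traffic):
# timestamp, source, destination, destination port, protocol, flag.
LOG_LINES = [
    "2024-03-01T08:00:01 10.0.5.20 10.0.1.10 22 tcp SYN",     # admin jump host -> server over SSH
    "2024-03-01T08:00:02 203.0.113.7 10.0.1.10 22 tcp SYN",   # unknown external host -> SSH
    "2024-03-01T08:00:03 203.0.113.7 10.0.1.10 23 tcp SYN",   # same host probing telnet
    "2024-03-01T08:00:04 10.0.5.21 10.0.1.10 443 tcp SYN",    # ordinary HTTPS, no signature
]

@dataclass(frozen=True)
class Signature:
    """A detection signature: a pattern plus source networks whose matches are expected."""
    name: str
    pattern: re.Pattern
    exempt_sources: tuple[IPv4Network, ...] = ()

def ssh_sig(exempt: tuple[IPv4Network, ...] = ()) -> Signature:
    return Signature("ssh-inbound", re.compile(r"^\S+ (?P<src>\S+) \S+ 22 tcp SYN$"), exempt)

TELNET = Signature("telnet-inbound", re.compile(r"^\S+ (?P<src>\S+) \S+ 23 tcp SYN$"))

# Before tuning: every inbound SSH SYN fires, including the administrators' own sessions.
SIGNATURES_UNTUNED = [ssh_sig(), TELNET]
# After tuning: SSH from the admin jump subnet is expected traffic, so it is exempted.
SIGNATURES_TUNED = [ssh_sig((ip_network("10.0.5.0/24"),)), TELNET]

def detect(signatures: list[Signature], lines: list[str]) -> list[tuple[str, str]]:
    """Return (signature name, source) for each line that matches a non-exempt signature."""
    alerts = []
    for line in lines:
        for sig in signatures:
            m = sig.pattern.match(line)
            if not m:
                continue
            src = ip_address(m.group("src"))
            if any(src in net for net in sig.exempt_sources):
                continue  # known-benign source: suppress rather than alert
            alerts.append((sig.name, str(src)))
    return alerts

if __name__ == "__main__":
    print("untuned:", detect(SIGNATURES_UNTUNED, LOG_LINES))
    print("tuned:  ", detect(SIGNATURES_TUNED, LOG_LINES))
```

The exemption removes the false positive without losing the external SSH and telnet probes, but it is a trade: SSH from a compromised host on the admin subnet will now be silent, so the suppression should be as narrow as the real admin workflow allows (specific jump hosts rather than a whole subnet where possible) and logged even when not alerted.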
  • Which regulatory standard would not require audits of companies in the United States?
    Personal Information Protection and Electronic Documents Act (PIPEDA)
  • A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime (MTD).
    disaster