CYBR 501 Exam 1


77 Terms

1

Information security is specific to securing information, whereas information systems security is focused on the security of the systems that house the information.

A. True

B. False

A. True

2

When selling software, software manufacturers limit their liability using which of the following?

A. End-User License Agreements

B. Confidentiality agreements

C. Software development agreements

D. By developing error-free software and code so there is no liability

E. None of the above

A. End-User License Agreements

3

The __________ tenet of information systems security is concerned with the recovery time objective.

A. Confidentiality

B. Integrity

C. Availability

D. All of the above

E. None of the above

C. Availability

4

A publicly traded company or U.S. federal government agency must go public and announce that it has had a data breach and inform the impacted individuals of that data breach.

A. True

B. False

A. True

5

Which security control would reduce the likelihood of an attacker’s gaining unauthorized access to a user’s login ID?

A. VPN

B. Two-factor authentication

C. Encrypting all stored data

D. Firewall

B. Two-factor authentication

6

The __________ is the weakest link in an IT infrastructure.

A. System/Application Domain

B. LAN-to-WAN Domain

C. WAN Domain

D. Remote Access Domain

E. User Domain

E. User Domain

7

Which of the following security controls can help mitigate malicious email attachments?

A. Email filtering and quarantining

B. Email attachment antivirus scanning

C. Verifying with users that email source is reputable

D. Holding all incoming emails with unknown attachments

E. All of the above

E. All of the above

8

Which security control would be implemented to stop attackers from intercepting and reading sensitive email messages?

A. An acceptable use policy

B. A data classification standard

C. An IT security policy framework

D. A VPN for remote access

E. Secure access controls

D. A VPN for remote access

9

Encrypting email communications is needed when sending confidential information within an email message through the public Internet.

A. True

B. False

A. True

10

Using security policies, standards, procedures, and guidelines helps organizations decrease risks and threats.

A. True

B. False

A. True

11

A data classification standard is usually part of which policy definition?

A. Asset classification policy

B. Acceptable use policy

C. Vulnerability assessment and management policy

D. Security awareness policy

E. Threat assessment and monitoring policy

A. Asset classification policy

12

A data breach typically occurs after which of the following?

A. Unauthorized access to systems and application is obtained

B. Vulnerability assessment scan

C. Configuration change request

D. Implementation of a new data center

E. Implementation of a web application update

A. Unauthorized access to systems and application is obtained

13

Maximizing availability primarily involves minimizing __________.

A. The amount of downtime recovering from a disaster

B. The mean time to repair a system or application

C. Downtime by implementing a business continuity plan

D. The recovery time objective

E. All of the above

E. All of the above

14

Which of the following is not a U.S. compliance law or act?

A. CIPA

B. FERPA

C. FISMA

D. PCI DSS

E. HIPAA

D. PCI DSS

15

Internet IP packets are to cleartext what encrypted IP packets are to __________.

A. Confidentiality

B. Ciphertext

C. Virtual private networks

D. Cryptography algorithms

E. None of the above

B. Ciphertext

16

The Internet is an open, public network shared by the entire planet. Anyone can connect to the Internet with a computer and a valid Internet connection and browser.

A. True

B. False

A. True

17

Which of the following are challenges that the IoT industry must overcome?

A. Security and privacy

B. Interoperability and standards

C. Legal and regulatory compliance

D. E-commerce and economic development

E. All of the above

E. All of the above

18

Which phenomenon helped drive near real-time, high-speed broadband connectivity to the endpoint device?

A. Internet connectivity

B. Email

C. VoIP

D. Social media sharing

E. All of the above

A. Internet connectivity

19

Which of the following requires an IoT-connected automobile?

A. Near real-time access to household controls and systems

B. Ability to track the whereabouts of your children through location-finder GPS applications

C. Real-time alerts regarding reminders to pay bills on time

D. Online e-commerce and online shopping with direct delivery

E. Traffic monitoring sensors that provide real-time updates for traffic conditions

E. Traffic monitoring sensors that provide real-time updates for traffic conditions

20

Which of the following are impacts of the IoT on our business lives?

A. E-commerce

B. Integrated supply chain with front-end sales order entry

C. Companies now offering delivery services for products and services with real-time updates

D. Customer reviews providing consumers with product and service reviews online and with more information about customer satisfaction

E. All of the above

E. All of the above

21

Which of the following helps support remote teleworking?

A. Presence/availability

B. IM chat

C. Video conferencing

D. Collaboration

E. All of the above

E. All of the above

22

What is a security challenge that IoT deployments must overcome?

A. Congestion of mobile IP traffic

B. Secure communication with other IoT devices

C. Liability of an IoT device failing to send an update message

D. Pricing for software licensing in the IoT device

E. Privacy data use sharing agreement

B. Secure communication with other IoT devices

23

Unified messaging provides what functionality for users on the go?

A. Voice messages that are converted to audio files and emailed to the user’s inbox for playback while on the road

B. One-to-many communications

C. Automatic secure connections, regardless of location

D. VoIP communications and messaging

E. Transparent connection between cellular and wireless endpoints

A. Voice messages that are converted to audio files and emailed to the user’s inbox for playback while on the road

24

Which of the following applications can eliminate the need for in-person training?

A. Audio conferencing and video conferencing

B. Social media

C. IM chat

D. Presence/availability

E. All of the above

A. Audio conferencing and video conferencing

25

Why do e-commerce systems need the utmost in security controls?

A. It is a PCI DSS standard.

B. Private customer data is entered into websites.

C. Credit card data is entered into websites.

D. Customer retention requires confidence in secure online purchases.

E. All of the above

E. All of the above

26

Which of the following is not a challenge that must be overcome by IoT deployments?

A. Security

B. Availability

C. Legal and regulatory

D. E-commerce and economic development

E. Privacy

B. Availability

27

Typically, data must be _____________ to be shared or used for research purposes.

A. Encrypted

B. Hashed

C. De-identified

D. Masked out

E. In cleartext

C. De-identified

28

The main goal of a hacker is to circumvent access controls and potentially steal data.

A. True

B. False

A. True

29

Which of the following best describes intellectual property?

A. The items a business has copyrighted

B. Patents owned by a business

C. Sales and marketing plans

D. Customer lists

E. All of the above

E. All of the above

30

Which of the following terms best describes a person with very little hacking skills?

A. Hacker

B. Script kiddie

C. Cracker

D. Wannabe

E. All of the above

B. Script kiddie

31

A(n) ___________________ is a software tool that is used to capture packets from a network.

packet sniffer

32

Which type of attack results in legitimate users not having access to a system resource?

A. Denial

B. Disclosure

C. Alteration

D. Spoofing

A. Denial

33

A qualitative risk assessment assigns a subjective risk rating to assess the risk.

A. True

B. False

A. True

34

Which of the following is an example of social engineering?

A. SQL injection

B. XML injection

C. Security design

D. Impersonation

E. All of the above

D. Impersonation

35

Which of the following is an example of an administrative security control?

A. Antivirus/anti-malware protection

B. Data leakage prevention

C. Standardized workstation and laptop images

D. Security awareness training

E. All of the above

D. Security awareness training

36

Vulnerability assessment scanners look for software vulnerabilities in IP host devices.

A. True

B. False

A. True

37

Which of the following affects availability?

A. Cross-site scripting

B. SQL injection

C. Denial

D. Packet sniffing

E. None of the above

C. Denial

38

Which type of attack involves capturing data packets from a network and transmitting them later to produce an unauthorized effect?

A. Man in the middle

B. Denial

C. Replay

D. Phishing

E. SQL injection

C. Replay

39

The list of known software vulnerabilities maintained by MITRE is called:

A. National Vulnerability Database (NVD)

B. Common Vulnerabilities and Exposures (CVE)

C. Zero-Day List (ZDL)

D. Software Vulnerabilities List (SVL)

B. Common Vulnerabilities and Exposures (CVE)

40

Which type of malware attaches to, or infects, other programs?

A. Spyware

B. Virus

C. Worm

D. Rootkit

B. Virus

41

________ is any unwanted message.

spam

42

Which type of malicious software is a stand-alone program that propagates from one computer to another?

A. Spyware

B. Virus

C. Worm

D. Snake

C. Worm

43

In the context of malware, which of the following best defines the term mobile code?

A. Website active content

B. Malware targeted at tablets and smartphones

C. Software that runs on multiple operating systems

D. Malware that uses networks to propagate

A. Website active content

44

A(n) __________ is a network of compromised computers that attackers use to launch attacks and spread malware.

A. Black network

B. Botnet

C. Attacknet

D. Trojan store

B. Botnet

45

What does the TCP SYN flood attack do to cause a DDoS?

A. Causes the network daemon to crash

B. Crashes the host computer

C. Saturates the available network bandwidth

D. Fills up the pending connections table

D. Fills up the pending connections table

46

Which type of attack tricks a user into providing personal information by masquerading as a legitimate website?

A. Phreaking

B. Phishing

C. Trolling

D. Keystroke logging

B. Phishing

47

The best defense from keystroke loggers is to carefully inspect the keyboard cable before using a computer because the logger must connect to the keyboard’s cable.

A. True

B. False

B. False

48

How did viruses spread in the early days of malware?

A. Wired network connections

B. Punch cards

C. Diskettes

D. As program bugs

C. Diskettes

49

What is the most common first phase of an attack?

A. Vulnerability identification

B. Reconnaissance and probing

C. Target selection

D. Evidence containment

B. Reconnaissance and probing

50

Which software tool provides extensive port-scanning capabilities?

A. Ping

B. Whois

C. Rpcinfo

D. Nmap

D. Nmap

51

The __________ strategy ensures that an attacker must compromise multiple controls to reach any protected resource.

defense-in-depth

52

A honeypot is a sacrificial host with deliberately insecure services deployed at the edges of a network to act as bait for potential hacking attacks.

A. True

B. False

A. True

53

Risk management focuses on responding to a negative event when it occurs.

A. True

B. False

B. False

54

With respect to IT security, a risk can result in either a positive or a negative effect.

A. True

B. False

A. True

55

According to PMI, which term describes the list of identified risks?

A. Risk checklist

B. Risk register

C. Risk methodology

D. Mitigation list

E. All of the above

B. Risk register

56

What is the primary purpose of a business impact analysis (BIA)?

A. To identify, categorize, and prioritize mission-critical business functions

B. To provide a road map for business continuity and disaster recovery planning

C. To assist organizations with risk management

D. To assist organizations with incident response planning

E. All of the above

E. All of the above

57

Which of the following terms defines the maximum allowable time it takes to recover a production IT system, application, and access to data?

A. Recovery point objective

B. Recovery time objective

C. Risk exposure time

D. Production recovery time

E. None of the above

B. Recovery time objective

58

The recovery point objective (RPO) defines the state at which _______ processing is able to resume.

A. Recovery

B. Alternate site

C. Limited

D. Normal

D. Normal

59

Which of the following solutions are used for authenticating a user to gain access to systems, applications, and data?

A. Passwords and PINs

B. Smart cards and tokens

C. Biometric devices

D. Digital certificates

E. All of the above

E. All of the above

60

Which risk management approach requires a distributed approach with business units working with the IT organization?

A. OCTAVE

B. CRAMM

C. NIST SP800-30

D. ISO 27005

E. None of the above

A. OCTAVE

61

The NIST SP800-30 standard is a _______________ management framework standard for performing risk management.

A. Risk

B. Threat

C. Vulnerability

D. Security

E. None of the above

A. Risk

62

Which term indicates the maximum amount of data loss over a time period?

A. RAI

B. ROI

C. RTO

D. RPO

E. None of the above

D. RPO

63

Organizations that permit their employees to use their own laptops or smartphone devices and connect to the IT infrastructure describe a policy referred to as:

A. RTO

B. MDM

C. BYOD

D. AUP

E. None of the above

C. BYOD

64

Which of the following are organizational concerns for BYOD and mobility?

A. Data ownership

B. Privacy

C. Lost or stolen device

D. Data wiping

E. All of the above

E. All of the above

65

_______________ is the U.S. security-related act that governs regulated health care information.

HIPAA

66

Which U.S. security-related act governs the security of data specifically for the financial industry?

A. GLBA

B. COPPA

C. HIPAA

D. FERPA

E. None of the above

A. GLBA

67

Which of the following business drivers are impacting businesses’ and organizations’ security requirements and implementations?

A. Mobility

B. Regulatory compliance

C. Productivity enhancements

D. Always-on connectivity

E. All of the above

E. All of the above

68

A plan that contains the actions needed to keep critical business processes running after a disruption is called a __________.

A. Disaster recovery plan (DRP)

B. Business impact analysis (BIA)

C. Business continuity plan (BCP)

D. None of the above

C. Business continuity plan (BCP)

69

A plan that details the steps to recover from a major disruption and restore the infrastructure necessary for normal business operations is a __________.

A. Disaster recovery plan (DRP)

B. Business impact analysis (BIA)

C. Business continuity plan (BCP)

D. None of the above

A. Disaster recovery plan (DRP)

70

What term represents processes that must be operational for an organization to carry out its core business operations?

A. CBF

B. BCM

C. DRP

D. BIA

A. CBF

71

Which type of backup backs up only changes since the previous backup?

A. Incremental

B. Full

C. Differential

D. Redundant

A. Incremental

72

__________ is the limit of time that a business can survive without a particular critical system.

A. Recovery time objective (RTO)

B. Critical business function (CBF)

C. Maximum tolerable downtime (MTD)

D. None of the above

C. Maximum tolerable downtime (MTD)

73

The incident-handling process includes which of the following?

A. Documentation

B. Response

C. Notification

D. Recovery and follow-up

E. All of the above

E. All of the above

74

The primary steps to disaster recovery include the safety of individuals, containing the damage, assessing the damage, and beginning the recovery operations.

A. True

B. False

A. True

75

Which type of report includes a list of functions that are critical to an organization’s operations and sets the priority for restoring those functions after a disruption?

A. CSP

B. BCM

C. CBF

D. BIA

D. BIA

76

What type of document includes uptime and availability guarantees for cloud service providers?

A. Reciprocal agreement

B. Service level agreement

C. Processing agreement

D. Cloud performance agreement

B. Service level agreement

77

Which type of disaster recovery plan test activates an alternate site but does not stop processing at the primary site?

A. Structured walk-through

B. Simulation

C. Parallel

D. Full interruption

C. Parallel
