John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover?
Information disclosure
Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?
Encrypting database contents
Jeff would like to adopt an industry-standard approach for assessing the processes his organization uses to manage risk. What maturity model would be most appropriate for his use?
RMM
Renee is speaking to her board of directors about their responsibilities to review cybersecurity controls. What rule requires that senior executives take personal responsibility for information security matters?
Prudent man rule
Which of the following stakeholders is not typically included on a business continuity planning team?
CEO
Which one of the following agreements typically requires that a vendor not disclose confidential information learned during the scope of an engagement?
NDA
Which one of the following elements of information is not considered personally identifiable information that would trigger most United States (U.S.) state data breach laws?
Student identification number
Chris' organization recently suffered an attack that rendered their website inaccessible to paying customers for several hours. Which information security goal was most directly impacted?
Availability
Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wants to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation?
Patent
After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending?
Transfer
What principle of information security states that an organization should implement overlapping security controls whenever possible?
Defense in depth
Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?
Qualitative
The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?
Separation of duties
Bobbi is investigating a security incident and has discovered that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE threat model?
Elevation of privilege
Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning?
Documentation of the plan
Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce?
Confidentiality
Francine is a security specialist for an online service provider in the United States. She recently received a claim from a copyright holder that a user is storing information on her service that violates the third party's copyright. What law governs the actions that Francine must take?
Digital Millennium Copyright Act (DMCA)
Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with Human Resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?
Revoking electronic access rights
Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA?
Defense contractors
Yolanda is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?
GLBA
Chas recently completed the development of his organization's business continuity plan. Who is the ideal person to approve an organization's business continuity plan?
Chief executive officer (CEO)
Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?
Risk mitigation
Who should receive initial business continuity plan training in an organization?
Everyone in the organization
Which one of the following individuals would be the most effective organizational owner for an information security program?
Chief information officer (CIO)
Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. What law requires the institutions to send Gary these notices?
GLBA
Use of a set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment
Quantitative Assessment
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence
Risk
Use of a set of methods, principles, or rules for assessing risk based on nonnumerical categories or levels
Qualitative Assessment
The ability to repeat an assessment in the future, in a manner that is consistent with, and hence comparable to, prior assessments
Repeatability
An attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information
Cyber Attack
Portion of risk remaining after security measures have been applied
Residual Risk
Condition that exists within an organization, a mission or business process, enterprise architecture, information, system, or environment of operation, which affects (i.e., increases or decreases) the likelihood that threat events result in adverse impacts
Predisposing condition
The process of identifying, estimating, and prioritizing information security risks
Risk assessment
A weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability
Likelihood of occurrence
The response of adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which adversaries change some characteristics of their intent/targeting in order to avoid and/or overcome those safeguards/countermeasures
Threat shifting
Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source
Vulnerability
Magnitude of harm that can be expected to result from the consequences from a threat event
Impact
Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service
Threat
The acceptable range of losses
Risk tolerance
Graphs the probability that a loss will exceed a certain value
Loss exceedance curve
The benefit to the organization from enacting a control; it should reduce likelihood, impact, or both
Return on mitigation
Has a specified order with unequal or unknown distances between values (example, rating satisfaction on a scale of 1-10)
Ordinal data
Has a specified order with equal distances between values (example, temperature)
Interval data
Indicates category, not amount (example, color)
Nominal data
Has an "absolute zero," which allows for mathematical operations (example, weight)
Ratio data
A _____ uses a computer to generate a large number of scenarios based on probabilities for inputs
Monte Carlo simulation
According to the authors, what is a weakness of current heatmap risk matrices?
They are too vague to help decision makers
How do the HTMA authors define an "enterprise attack surface"?
Networks
Systems
Third party exposure
There is a ____ chance that the median of a population is between the smallest and largest values in any random sample of five from that population
93.75%
What practical definition of measurement do the authors introduce?
Measurement as a quantitatively expressed reduction of uncertainty based on one or more observations
Fred's organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret?
The cost of the sanitization process may exceed the cost of new equipment
Megan wants to prepare media to allow for its reuse in an environment operating at the same sensitivity level. Which of the following is the best option to meet her needs?
Clearing
Ben has been asked to scrub data to remove data that is no longer needed by his organization. What phase of the data lifecycle is Ben most likely operating in?
Data maintenance
Amanda has been asked to ensure that her organization's controls assessment procedures match the specific systems that the company uses. What activity best matches this task?
Tailoring
What element of asset security is often determined by identifying an asset's owners?
It identifies the individual(s) responsible for protecting the asset
How can a data retention policy help to reduce liabilities?
By ensuring that unneeded data isn't retained
Control Objectives for Information and Related Technology (COBIT) is a framework for information technology (IT) management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements?
Business owners
Which one of the following administrative processes assists organizations in assigning appropriate levels of security control to sensitive information?
Data classification
The company that Henry works for operates in the EU and collects data about their customers. They send that data to a third party to analyze and provide reports to help the company make better business decisions. What term best describes the third-party analysis company?
The data processor
Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow?
Follow the organization's purging process, and then downgrade and replace labels
Mikayla wants to identify data that should be classified that already exists in her environment. What type of tool is best suited to identifying data like Social Security numbers, credit card numbers, and similar well-understood data formats?
A sensitive data scanning tool
Ben has been tasked with identifying security controls for systems covered by his organization's information classification system. Why might Ben choose to use a security baseline?
They provide a good starting point that can be tailored to organizational needs
Which of the following is the least effective method of removing data from media?
Erasing
Which of the following activities is not a consideration during data classification?
How much the data cost to create
Which of the following is not a common requirement for the collection of data under data privacy laws and statutes?
Data should be collected from all individuals equally
Shandra wants to secure an encryption key. Which location would be the most difficult to protect, if the key was kept and used in that location?
In memory
Susan's organization performs a secure disk wipe process on hard drives before they are sent to a third-party organization to be shredded. What issue is her organization attempting to avoid?
Mishandling of drives by the third party
Juanita's company processes credit cards and wants to select appropriate data security standards. What data security standard is she most likely to need to use and comply with?
PCI-DSS
How can data retention policy help reduce liabilities?
By reducing the amount of data that may need to be produced for lawsuits
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while the other two types reside on both the internal file servers and employee workstations. What term best describes data that is resident in system memory?
Data in use
Fred wants to classify his organization's data using common labels: private, sensitive, public, and proprietary. Which of the following should he apply to his highest classification level based on common industry practices?
Proprietary
Staff in an information technology (IT) department who are delegated responsibility for day-to-day tasks hold what data role?
Custodian
What type of encryption is best suited for use on the file servers for the proprietary data, and how might you secure the data when it is in motion?
AES at rest and TLS in motion
What is the primary purpose of data classification?
It identifies the value of the data to the organization
What type of encryption is typically used for data at rest?
Symmetric encryption
Which one of the following techniques is not commonly used to remove unwanted remnant data from magnetic tapes?
Reformatting
Brent is reviewing the controls that will protect his organization in the event of a sustained period of power loss. Which one of the following solutions would best meet his need?
Generator
Dylan believes that a database server in his environment was compromised using a SQL injection attack. Which one of the following actions would Dylan most likely take during the remediation phase of the attack?
Adding input validation to a web application
During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting?
Interview
You are performing an investigation into a potential bot infection on your network and want to perform a forensic analysis of the information that passed between different systems on your networks and those on the internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information?
NetFlow data
Carolyn is concerned that users on her network may be storing sensitive information, such as SSN, on their hard drives without proper authorization or security controls. What technology can she use to best detect this activity?
DLP
Frank is seeking to introduce a hacker's laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court rules that the search of the apartment that resulted in the police finding the laptop was unconstitutional. What admissibility criterion prevents Frank from introducing the laptop as evidence?
Competence
What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running?
Parallel test
Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee's manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?
Two-person control
Sally is building a new server for use in her environment and plans to implement RAID level 1 as a storage availability control. What is the minimum number of physical hard disks that she needs to implement this approach?
Two
Bruce is seeing quite a bit of suspicious activity on his network. It appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in?
SSH scanning
Jim would like to identify compromised systems on his network that may be participating in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers?
NetFlow records
Tim is configuring a privileged account management solution for his organization. Which one of the following is not a privileged administrative activity that should be automatically sent to a log of superuser actions?
Logging into a workstation
Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident?
HIDS
Which of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications?
Baseline configuration
Candace is designing a backup strategy for her organization's file server. She would like to perform a backup every weekday that has the smallest possible storage footprint. What type of backup should she perform?
Incremental backup
Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor requests that Darcy give testimony in court about whether, in her opinion, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide?
Expert opinion
Connor's company recently experienced a denial-of-service attack that Connor believes came from an inside source. If true, what type of event has the company experienced?
Sabotage
Alan is assessing the potential for using machine learning and artificial intelligence in his cybersecurity program. Which of the following activities is most likely to benefit from this technology?
Intrusion detection
When one of the employees of Alice's company calls in for support, she uses a code word that the company agreed to use if employees were being forced to perform an action. What is this scenario called?
Duress
Gordon suspects that a hacker has penetrated a system belonging to his company. The system does not contain any regulated information, and Gordon wants to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true?
Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company
Grant is collecting records as part of the preparation for a possible lawsuit and is worried that his team may be spending too much time collecting information that may be irrelevant. What concept from the Federal Rules of Civil Procedure (FRCP) helps to ensure that additional time and expense are not incurred as part of electronic discovery when the benefits do not outweigh the costs?
Proportionality
When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?
Separation of duties
Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?
Service-level agreement (SLA)
Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose?
Checklist review