1. Which of the following is an example of a "something you know" authentication factor?
o User ID
o Password (answer)
o Fingerprint
2. Within the organization, who can identify risk?
o The security manager
o Any security team member
o Senior management
o Anyone (answer)
3. A vendor sells a particular operating system (OS). In order to deploy the OS securely on different platforms, the vendor publishes several sets of instructions on how to install it, depending on which platform the customer is using. This is an example of a _______.
o Law
o Procedure (answer)
o Standard
o Policy
4. Of the following, which would probably not be considered a threat?
o Natural disaster
o Unintentional damage to the system caused by a user
o A laptop with sensitive data on it (answer)
o An external attacker trying to gain unauthorized access to the environment
5. For which of the following assets is integrity probably the most important security aspect?
o One frame of a streaming video
o The file that contains passwords used to authenticate users (answer)
o The color scheme of a marketing website
o Software that checks the spelling of product descriptions for a retail website
6. Kerpak works in the security office of a medium-sized entertainment company. Kerpak is asked to assess a particular threat, and he suggests that the best way to counter this threat would be to purchase and implement a particular security solution. This is an example of _______.
o Acceptance
o Avoidance
o Mitigation (answer)
o Transference
7. The Triffid Corporation publishes a policy that states all personnel will act in a manner that protects health and human safety. The security office is tasked with writing a detailed set of processes on how employees should wear protective gear such as a hardhat and gloves when in hazardous areas. This detailed set of processes is a _______.
o Policy
o Procedure (answer)
o Standard
o Law
8. The city of Grampon wants to know where all its public vehicles (garbage trucks, police cars, etc.) are at all times, so the city has GPS transmitters installed in all the vehicles. What kind of control is this?
o Administrative
o Entrenched
o Physical
o Technical (answer)
9. The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules that merchants must follow if the merchants choose to accept payment via credit card. These rules describe best practices for securing credit card processing technology, activities for securing credit card information, and how to protect customers' personal data. This set of rules is a _______.
o Law
o Policy
o Standard (answer)
o Procedure
10. Grampon municipal code requires that all companies that operate within city limits will have a set of processes to ensure employees are safe while working with hazardous materials. Triffid Corporation creates a checklist of activities employees must follow while working with hazardous materials inside Grampon city limits. The municipal code is a _______, and the Triffid checklist is a _______.
o Law, procedure (answer)
o Standard, law
o Law, standard
o Policy, standard
o Policy, law
11. For which of the following systems would the security concept of availability probably be most important?
o Medical systems that store patient data
o Retail records of past transactions
o Online streaming of camera feeds that display historical works of art in museums around the world
o Medical systems that monitor patient condition in an intensive care unit (answer)
12. A bollard is a post set securely in the ground in order to prevent a vehicle from entering an area or driving past a certain point. Bollards are an example of _______ controls.
o Physical (answer)
o Administrative
o Drastic
o Technical
13. A system that collects transactional information and stores it in a record in order to show which users performed which actions is an example of providing _______.
o Non-repudiation (answer)
o Multifactor authentication
o Biometrics
o Privacy
14. A software firewall is an application that runs on a device and prevents specific types of traffic from entering that device. This is a type of _______ control.
o Physical
o Administrative
o Passive
o Technical (answer)
15. In risk management concepts, a(n) _______ is something a security practitioner might need to protect.
o Vulnerability
o Asset (answer)
o Threat
o Likelihood
16. Which of the following is an example of a "something you are" authentication factor?
o A credit card presented to a cash machine
o Your password and PIN
o A user ID
o A photograph of your face (answer)
17. All of the following are important ways to practice an organization's disaster recovery (DR) effort; which one is the most important?
o Practice restoring data from backups
o Facility evacuation drills (answer)
o Desktop/tabletop testing of the plan
o Running the alternate operating site to determine if it could handle critical functions in times of emergency
18. When should a business continuity plan (BCP) be activated?
o As soon as possible
o At the very beginning of a disaster
o When senior management decides (answer)
o When instructed to do so by regulators
19. An attacker outside the organization attempts to gain access to the organization's internal files. This is an example of a(n) _______.
o Intrusion (answer)
o Exploit
o Disclosure
o Publication
20. You are reviewing log data from a router; there is an entry that shows a user sent traffic through the router at 11:45 am, local time, yesterday. This is an example of a(n) _______.
o Incident
o Event (answer)
o Attack
o Threat
21. Who approves the incident response policy?
o ISC
o Senior management (answer)
o The security manager
o Investor
22. True or False? Business continuity planning is a reactive procedure that restores business operations after a disruption occurs.
o TRUE
o FALSE (answer)
23. Which of the following is likely to be included in the business continuity plan?
o Alternate work areas for personnel affected by a natural disaster (answer)
o The organization's strategic security approach
o Last year's budget information
o Log data from all systems
24. Tekila works for a government agency. All data in the agency is assigned a particular sensitivity level, called a "classification." Every person in the agency is assigned a "clearance" level, which determines the classification of data each person can access. What is the access control model being implemented in Tekila's agency?
o MAC (mandatory access control) (answer)
o DAC (discretionary access control)
o RBAC (role-based access control)
o FAC (formal access control)
25. In order for a biometric security system to function properly, an authorized person's physiological data must be _______.
o Broadcast
o Stored (answer)
o Deleted
o Modified
26. Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that operational managers have the utmost personal choice in determining which employees get access to which systems/data. Which method should Handel select?
o Role-based access controls (RBAC)
o Mandatory access controls (MAC)
o Discretionary access controls (DAC) (answer)
o Security policy
27. Which of the following roles does not typically require privileged account access?
o Security administrator
o Data entry professional (answer)
o System administrator
o Help Desk technician
28. A human guard monitoring a hidden camera could be considered a _______ control.
o Detective (answer)
o Preventive
o Deterrent
o Logical
29. A _______ is a record of something that has occurred.
o Biometric
o Law
o Log (answer)
o Firewall
30. All of the following are typically perceived as drawbacks to biometric systems, except:
o Lack of accuracy (answer)
o Potential privacy concerns
o Retention of physiological data past the point of employment
o Legality
31. Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the database?
o The object (answer)
o The role
o The subject
o The site
32. Which of the following is not an appropriate control to add to privileged accounts?
o Increased logging
o Multifactor authentication
o Increased auditing
o Security deposit (answer)
33. Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the ACL?
o The subject
o The object
o The rule (answer)
o The firmware
34. Visitors to a secure facility need to be controlled. Controls useful for managing visitors include all of the following except:
o Sign-in sheet/tracking log
o Fence (answer)
o Badges that differ from employee badges
o Receptionist
35. Which of the following will have the most impact on determining the duration of log retention?
o Personal preference
o Applicable laws (answer)
o Industry standards
o Type of storage media
36. Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is Prachi?
o The subject (answer)
o The rule
o The file
o The object
37. Which of the following would be considered a logical access control?
o An iris reader that allows an employee to enter a controlled area
o A fingerprint reader that allows an employee to enter a controlled area
o A fingerprint reader that allows an employee to access a laptop computer (answer)
o A chain attached to a laptop computer that connects it to furniture so it cannot be taken
38. Trina is a security practitioner at Triffid, Inc. Trina has been tasked with selecting a new product to serve as a security control in the environment. After doing some research, Trina selects a particular product. Before that product can be purchased, a manager must review Trina's selection and determine whether to approve the purchase. This is a description of:
o Two-person integrity
o Segregation of duties (answer)
o Software
o Defense in depth
39. Larry and Fern both work in the data center. In order to enter the data center to begin their workday, they must both present their own keys (which are different) to the key reader, before the door to the data center opens. Which security concept is being applied in this situation?
o Defense in depth
o Segregation of duties
o Least privilege
o Dual control (answer)
40. At Parvi's place of work, the perimeter of the property is surrounded by a fence; there is a gate with a guard at the entrance. All inner doors only admit personnel with badges, and cameras monitor the hallways. Sensitive data and media are kept in safes when not in use. This is an example of:
o Two-person integrity
o Segregation of duties
o Defense in depth (answer)
o Penetration testing
41. To adequately ensure availability for a data center, it is best to plan for both resilience and _______ of the elements in the facility.
o Uniqueness
o Destruction
o Redundancy (answer)
o Hue
42. Triffid, Inc., has deployed anti-malware solutions across its internal IT environment. What is an additional task necessary to ensure this control will function properly?
o Pay all employees a bonus for allowing anti-malware solutions to be run on their systems
o Update the anti-malware solution regularly (answer)
o Install a monitoring solution to check the anti-malware solution
o Alert the public that this protective measure has been taken
43. "Wiring _______" is a common term meaning "a place where wires/conduits are often run, and equipment can be placed, in order to facilitate the use of local networks."
o Shelf
o Closet (answer)
o Bracket
o House
44. Barry wants to upload a series of files to a web-based storage service, so that people Barry has granted authorization can retrieve these files. Which of the following would be Barry's preferred communication protocol if he wanted this activity to be efficient and secure?
o SMTP (Simple Mail Transfer Protocol)
o FTP (File Transfer Protocol)
o SFTP (Secure File Transfer Protocol) (answer)
o SNMP (Simple Network Management Protocol)
45. Which of the following is not a typical benefit of cloud computing services?
o Reduced cost of ownership/investment
o Metered usage
o Scalability
o Freedom from legal constraints (answer)
46. Gary is an attacker. Gary is able to get access to the communication wire between Dauphine's machine and Linda's machine and can then surveil the traffic between the two when they're communicating. What kind of attack is this? (D4.2 L4.2.1)
o Side channel
o DDOS
o On-path (answer)
o Physical
47. The concept that the deployment of multiple types of controls provides better security than using a single type of control.
o VPN
o Least privilege
o Internet
o Defense in depth (answer)
48. Which common cloud service model only offers the customer access to a given application?
o Lunch as a service (LaaS)
o Infrastructure as a service (IaaS)
o Platform as a service (PaaS)
o Software as a service (answer)
49. Inbound traffic from an external source seems to indicate much higher rates of communication than normal, to the point where the internal systems might be overwhelmed. Which security solution can often identify and potentially counter this risk?
o Firewall (answer)
o Turnstile
o Anti-malware
o Badge system
50. A tool that filters inbound traffic to reduce potential threats.
o NIDS (network-based intrusion-detection systems)
o Anti-malware
o DLP (data loss prevention)
o Firewall (answer)