Term
1. Which of the following terms indicates that information is to be read only by those people for whom it is intended? a) confidentiality b) integrity c) availability d) accounting

Definition
Answer: a Difficulty: Medium Section Reference: Understanding Confidentiality Explanation: Confidentiality is a concept we deal with frequently in real life. For instance, we expect our doctors to keep our medical records confidential, and we trust our friends to keep our secrets confidential. The business world defines confidentiality as the characteristic of a resource that ensures access is restricted only to permitted users, applications, or computer systems.

Term
2. What technology is not used to implement confidentiality? a) encryption b) access controls c) auditing d) authentication

Definition
Answer: c Difficulty: Easy Section Reference: Understanding Confidentiality Explanation: Confidentiality is particularly critical in today's environment. Several technologies support confidentiality in an enterprise security implementation:
• Strong encryption
• Strong authentication
• Stringent access controls

Term
3. Which of the following makes sure that data is not changed when it is not supposed to be? a) confidentiality b) integrity c) availability d) accounting

Definition
Answer: b Difficulty: Medium Section Reference: Understanding Integrity Explanation: In the information security context, integrity is defined as the consistency, accuracy, and validity of data. One goal of a successful information security program is to ensure that data is protected against any unauthorized or accidental changes.

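The integrity definition above is easier to grasp with a concrete check. The following is an added example, not part of the original question set, using Python's standard library: it shows that a keyed tag (HMAC-SHA256) detects both an accidental bit flip and a deliberate edit, whereas a bare SHA-256 hash only catches the accident, because an attacker who can change the data can recompute an unkeyed hash as well. The key, the patient record, and the edits are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. In practice the key comes from a secret store; anyone
# who does not hold it cannot produce a valid tag for a modified record.
KEY = b"demo-integrity-key"
TAG_LEN = 32  # SHA-256 output size in bytes


def protect(record: bytes, key: bytes = KEY) -> bytes:
    """Append an HMAC-SHA256 tag so later changes to the record can be detected."""
    return record + hmac.new(key, record, hashlib.sha256).digest()


def verify(protected: bytes, key: bytes = KEY):
    """Return (ok, record). ok is False if either the record or the tag was altered."""
    if len(protected) < TAG_LEN:
        return False, b""
    record, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    # compare_digest runs in constant time; a plain == comparison leaks timing.
    return hmac.compare_digest(tag, expected), record


def unkeyed_check(record: bytes, digest_hex: str) -> bool:
    """A bare hash catches accidental corruption but not a deliberate edit,
    because the attacker can simply recompute the hash over the new content."""
    return hashlib.sha256(record).hexdigest() == digest_hex


def demo() -> dict:
    original = b"patient=123;allergy=penicillin"  # constructed sample record
    stored = protect(original)

    # Accidental change: one bit flipped in storage or transit.
    corrupted = bytearray(stored)
    corrupted[5] ^= 0x01

    # Unauthorized change: attacker rewrites the record but must keep the old tag.
    tampered = b"patient=123;allergy=none" + stored[-TAG_LEN:]

    # Same edit against an unkeyed hash: the attacker recomputes the digest too.
    edited = b"patient=123;allergy=none"
    attacker_digest = hashlib.sha256(edited).hexdigest()

    return {
        "intact": verify(stored)[0],                        # True
        "corrupted": verify(bytes(corrupted))[0],           # False
        "tampered": verify(tampered)[0],                    # False
        "unkeyed_fooled": unkeyed_check(edited, attacker_digest),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The practical takeaway: an integrity control must bind the data to something the attacker does not have (a key, or a signature's private key); a checksum alone only defends against accidents.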
Term
4. Which of the following is not a response when dealing with a risk? a) avoidance b) mitigation c) transfer d) patching

Definition
Answer: d Difficulty: Medium Section Reference: Defining Threats and Risk Management Explanation: After you prioritize your risks, you can choose from among the four generally accepted responses to these risks:
• Avoidance
• Acceptance
• Mitigation
• Transfer

Term
5. What do you call the security discipline that requires that a user be given no more privilege than necessary to perform his or her job? a) defense in depth b) reduction of attack surface c) risk transfer d) principle of least privilege

Definition
Answer: d Difficulty: Easy Section Reference: Understanding the Principle of Least Privilege Explanation: The principle of least privilege is a security discipline that requires that a particular user, system, or application be given no more privilege than necessary to perform its function or job. The principle of least privilege has been a staple in the security arena for a number of years, and many organizations have struggled to implement it successfully.

Term
6. What do you call the scope that a hacker can use to break into a system? a) defense in depth b) attack surface c) principle of least privilege d) risk mitigation

Definition
Answer: b Difficulty: Easy Section Reference: Understanding Attack Surface Explanation: An attack surface consists of the set of methods and avenues an attacker can use to enter a system and potentially cause damage. The larger the attack surface of a particular environment, the greater the risk of a successful attack.

Term
7. What method used by a hacker relies on the trusting nature of the person being attacked? a) social engineering b) attack surface c) principle of least privilege d) risk avoidance

Definition
Answer: a Difficulty: Easy Section Reference: Understanding Social Engineering Explanation: Social engineering is a method used to gain access to data, systems, or networks, primarily through misrepresentation. This technique typically relies on the trusting nature of the person being attacked. In a typical social engineering attack, the attacker will try to appear as harmless or respectful as possible. These attacks can be perpetrated in person, through email, or via phone. Attackers will try techniques ranging from pretending to be a help desk or support department staffer, to claiming to be a new employee, to (in some cases) even offering credentials that identify them as an employee of the company.

Term
8. What is the best way to protect against social engineering? a) stronger encryption b) stronger authentication c) employee awareness d) risk mitigation

Definition
Answer: c Difficulty: Easy Section Reference: Understanding Social Engineering Explanation: The key to thwarting a social engineering attack is employee awareness. If your employees know what to watch for, an attacker will find little success.

Term
9. What is needed to make a system highly secure? a) lots of time b) more money c) system updates d) a disabled administrator account

Definition
Answer: b Difficulty: Medium Section Reference: Linking Cost with Security Explanation: Security costs money. Typically, the more money you spend, the more secure your information or resources will be (up to a point). So, when looking at risks and threats, you need to consider how valuable certain confidential data or resources are to your organization and also how much money you are willing to spend to protect those data or resources.

Term
10. What is the first line of defense when setting up a network? a) physically secure the network b) configure authentication c) configure encryption d) configure an ACL

Definition
Answer: a Difficulty: Easy Section Reference: Looking at Physical Security as the First Line of Defense Explanation: If someone can get physical access to a server where confidential data is stored, with the right tools and enough time, that person can bypass any security the server uses to protect the data.

Term
11. Which concept determines what resources users can access after they log on? a) authentication b) auditing c) access control d) defense in depth

Definition
Answer: c Difficulty: Easy Section Reference: Understanding Access Control Explanation: Access control is a key concept when thinking about physical security. It can also be a little confusing, because you frequently hear the phrase used when discussing information security. In the context of physical security, access control is the process of restricting access to a resource to only permitted users, applications, or computer systems.

Term
12. What is used to provide protection when one line of defense is breached? a) defense in depth b) attack surface c) principle of least privilege d) risk mitigation

Definition
Answer: a Difficulty: Easy Section Reference: Understanding Access Control Explanation: The term defense in depth means using multiple layers of security to defend your assets. That way, even if an attacker breaches one layer of your defense, you have additional layers to keep that person out of the critical areas of your environment.

Term
13. What is used to identify a person before giving access? a) authentication b) encryption c) access control d) auditing

Definition
Answer: a Difficulty: Easy Section Reference: Understanding Access Control Explanation: Site security must address the need to identify and authenticate the people who are permitted access to an area. The first step is authentication, which proves that a person who is logging on is actually that person.

Term
14. What is used to verify that an administrator is not accessing data that he should not be accessing? a) authentication b) encryption c) access control d) auditing

Definition
Answer: d Difficulty: Easy Section Reference: Understanding Access Control Explanation: Site security must also provide the ability to audit activities within the facility. This can be done by reviewing camera footage, badge reader logs, visitor registration logs, or other mechanisms.

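Questions 5, 11, 13 and 14 are easy to confuse because the four concepts always occur together in practice. The following is an added example, not part of the original question set, that puts them in order in one small Python program: authentication (prove who the caller is), access control (decide what that identity may touch, denying anything not explicitly granted, which is how least privilege is enforced), and auditing (a record of every decision so a reviewer can later check what an administrator actually did). The accounts alice and bob, their passwords, and the role table are constructed for the demo; the questions speak of physical site access, but the same three steps apply to a badge reader and a door as to a login and a file.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 50_000  # PBKDF2 work factor; raise it in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen user table does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset


def make_user(name: str, password: str, roles) -> User:
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt), frozenset(roles))


# Constructed accounts (hypothetical names and passwords).
USERS = {u.name: u for u in (
    make_user("alice", "correct horse battery", ["clerk"]),
    make_user("bob", "hunter2", ["admin"]),
)}

# Role -> permitted (resource, action) pairs. Anything not listed is denied:
# each role gets only what its job needs (principle of least privilege).
ROLE_PERMISSIONS = {
    "clerk": {("orders", "read")},
    "admin": {("orders", "read"), ("orders", "write"), ("users", "write")},
}

# (user, resource, action, outcome). Written on every decision, read only by reviewers.
AUDIT_LOG = []


def authenticate(name: str, password: str):
    """Step 1, authentication: prove the caller is the account holder. Returns User or None."""
    user = USERS.get(name)
    if user is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown names
        return None
    if hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return user
    return None


def is_permitted(user: User, resource: str, action: str) -> bool:
    """Step 2, access control: deny by default; allow only if some role grants the exact pair."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in user.roles)


def access(name: str, password: str, resource: str, action: str) -> bool:
    """Authenticate, then authorize, and record the outcome either way."""
    user = authenticate(name, password)
    if user is None:
        AUDIT_LOG.append((name, resource, action, "AUTH_FAILED"))
        return False
    allowed = is_permitted(user, resource, action)
    AUDIT_LOG.append((name, resource, action, "ALLOWED" if allowed else "DENIED"))
    return allowed


def audit_trail(name: str):
    """Step 3, auditing: everything one account did or tried, e.g. to review an admin's access."""
    return [entry for entry in AUDIT_LOG if entry[0] == name]


if __name__ == "__main__":
    access("alice", "correct horse battery", "orders", "read")   # allowed by role
    access("alice", "correct horse battery", "users", "write")   # denied: not a clerk permission
    access("bob", "hunter2", "users", "write")                    # allowed: admin
    for entry in audit_trail("alice"):
        print(entry)
```

Note that the audit log never feeds back into the decision; it exists so that someone other than the administrator can later answer question 14 ("did bob write to users, and when?") from a record the administrator did not control.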
Term
15. What type of device can be easily lost or stolen or can be used for espionage? a) processors b) RAM chips c) removable devices d) servers

Definition
Answer: c Difficulty: Easy Section Reference: Using Removable Devices and Drives Explanation: A removable storage device or drive is designed to be taken out of a computer without turning the computer off. Three basic types of security issues are associated with removable storage: loss, theft, and espionage. The loss of a storage device is one of the most common security issues you will encounter.

Term
16. What is a physical or logical device used to capture keystrokes? a) USB flash drive b) PDA c) Smartphone d) keylogger

Definition
Answer: d Difficulty: Easy Section Reference: Understanding Keyloggers Explanation: A keylogger is a physical or logical device used to capture keystrokes. An attacker will either place a device between the keyboard and the computer or install a software program to record each keystroke typed; she can then use software to replay the data and capture critical information such as user IDs and passwords, credit-card numbers, Social Security numbers, or even confidential emails or other data.

Term
17. In dealing with risks, which response is done by buying insurance to protect your bottom line if such a disaster or threat is realized? a) risk avoidance b) risk acceptance c) risk mitigation d) risk transfer

Definition
Answer: d Difficulty: Medium Section Reference: Defining Threats and Risk Management Explanation: Risk transfer is the act of taking steps to move responsibility for a risk to a third party through insurance or outsourcing. For example, you risk having an accident while driving your car. You transfer this risk by purchasing insurance so that in the event of an accident, your insurance company is responsible for paying most of the associated costs.

Term
18. A ___________ is generally defined as the probability that an event will occur that can cause harm to a computer system, service, or network.

Definition
Answer: risk Difficulty: Medium Section Reference: Defining Threats and Risk Management Explanation: A risk is generally defined as the probability that an event will occur. In reality, businesses are concerned about only risks that would negatively affect the computing environment. For instance, you might risk winning the lottery on Friday, but that's not a risk your company is going to actively address, because it would be something positive.

Term
19. Over the last couple of years, small ___________________ devices have become one of the largest challenges facing security professionals.

Definition
Answer: mobile Difficulty: Medium Section Reference: Understanding Mobile Device Security Explanation: Mobile devices are one of the largest challenges facing many security professionals today. Mobile devices such as laptops, PDAs (personal digital assistants), and smartphones are used to process information, send and receive mail, store enormous amounts of data, surf the Internet, and interact remotely with internal networks and systems.

Term
20. What do the initials CIA stand for in relation to security?

Definition
Answer: confidentiality, integrity, and availability Difficulty: Hard Section Reference: Introducing Security Explanation: When you are working in the information security field, one of the first acronyms you will encounter is CIA, but don't confuse this with a government agency. Rather, in this context, CIA represents the core goals of an information security program: Confidentiality, Integrity, and Availability.