Question 1

The device that connects an organization's information system to the Internet is a&#10;A)Demilitarized zone&#10;B)Firewall&#10;C)Gateway&#10;D)Router

Accepted Answer

D

Question 2

Which of the following is an example of a detective control?&#10;A)Physical access controls&#10;B)Encryption&#10;C)Log analysis&#10;D)Emergency response teams

Accepted Answer

Log analysis is an example of a detective control as it involves reviewing logs to identify any suspicious activity that may have occurred. Detective controls are implemented to detect and respond to security incidents after they have occurred. Physical access controls (A) are an example of a preventive control, which aim to prevent unauthorized access to resources. Encryption (B) is an example of a technical control or a preventive control, which is used to protect data from unauthorized access. Emergency response teams (D) are an example of a corrective control, which are implemented to mitigate the impact of security incidents that have already occurred.

Question 3

An access control matrix&#10;A)Does not have to be updated.&#10;B)Is a table specifying which portions of the system users are permitted to access.&#10;C)Is used to implement authentication controls.&#10;D)Matches the user's authentication credentials to his authorization.

Accepted Answer

An access control matrix is a table or list that specifies which portions of the system users are permitted to access. It must be regularly updated as new users are added or old ones are removed. While it is used to implement authentication controls, it does not match the user's authentication credentials to his authorization, as that is the role of the authentication system.

Question 4

If the time an attacker takes to break through the organization's preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack,then security is

A)effective
B)ineffective
C)overdone
D)undermanaged

Accepted Answer

This is because if the time it takes for an attacker to break through preventive controls is greater than the time it takes to detect and respond to the attack, it means that the preventive controls put in place are effective in delaying the attacker. This gives the security team a chance to detect and respond to the attack before any damage is done. Therefore, security is effective.

Question 5

Preventive controls require two related functions,which are:&#10;A)Access and control&#10;B)Authentication and authorization&#10;C)Detection and correction&#10;D)Physical access and logical access

Accepted Answer

Preventive controls require both authentication and authorization functions. Authentication ensures that the user is who they claim to be, while authorization ensures that the user has been granted access to the specific resources they need to use. This helps to prevent unauthorized access or misuse of resources. While the other options may be important for overall security measures, they are not specifically related to preventive controls.

Question 6

According to SysTrust,the reliability principle of integrity is achieved when&#10;A)the system is available for operation and use at times set forth by agreement.&#10;B)the system is protected against unauthorized physical and logical access.&#10;C)the system can be maintained as required without affecting system availability,security,and integrity.&#10;D)system processing is complete,accurate,timely,and authorized.

Accepted Answer

The reliability principle of integrity is defined as ensuring the completeness, accuracy, and timeliness of system processing, which is fulfilled by choice D. Choice A relates to availability, choice B relates to security, and choice C relates to maintainability, which are not directly related to the principle of integrity.

Question 7

Which of the following is an example of a corrective control?&#10;A)Physical access controls&#10;B)Encryption&#10;C)Intrusion detection&#10;D)Emergency response teams

Accepted Answer

Emergency response teams are an example of a corrective control because they are activated after a security incident has occurred in order to mitigate the damage and prevent further harm. Physical access controls, encryption, and intrusion detection are all examples of preventative controls that seek to avoid security incidents from happening in the first place.

Question 8

Because planning is more effective than reacting,this is an important criteria for successfully implementing systems reliability:&#10;A)Policy development&#10;B)Effective communication of policies&#10;C)Design/use of control procedures&#10;D)Monitoring and remedial action

Accepted Answer

The answer of Because planning is more effective than reacting,this...

Question 9

Giving users regular,periodic reminders about security policies and training in complying with them is an example of which of the following trust services criteria?&#10;A)Policy development&#10;B)Effective communication of policies&#10;C)Design/use of control procedures&#10;D)Monitoring and remedial action

Accepted Answer

Effective communication of policies involves providing regular reminders and training to ensure that users comply with security policies. This helps to reinforce the importance of security policies and creates a culture of security awareness within an organization. Policy development involves creating security policies, design/use of control procedures involves implementing security controls, and monitoring and remedial action involves detecting and addressing security incidents. While all of these are important trust services criteria, they do not specifically address the regular reminders and training aspect of effective communication of policies.

Question 10

Which of the following is not one of the three fundamental information security concepts?&#10;A)Information security is a technology issue that hinges on prevention.&#10;B)Security is a management issue,not a technology issue.&#10;C)The idea of defense-in-depth employs multiple layers of controls.&#10;D)The time-based model of security focuses on the relationship between preventive,detective and corrective controls.

Accepted Answer

The three fundamental information security concepts are confidentiality, integrity, and availability. Information security is not just a technology issue; it involves people, processes, and policies as well. Prevention is just one aspect of information security; other aspects include detection, response, and recovery.

Question 11

The trust services framework identifies four essential criteria for successfully implementing each of the principles that contribute to systems reliability.Which of the following is not one of those four essential criteria?

A)Developing and documenting policies
B)Effectively communicating policies to all outsiders
C)Designing and employing appropriate control procedures to implement policies
D)Monitoring the system and taking corrective action to maintain compliance with policies

Accepted Answer

The answer of The trust services framework identifies four essential...

Question 12

Which of the following is not a requirement of effective passwords?&#10;A)Passwords should be changed at regular intervals.&#10;B)Passwords should be no more than 8 characters in length.&#10;C)Passwords should contain a mixture of upper and lowercase letters,numbers and characters.&#10;D)Passwords should not be words found in dictionaries.

Accepted Answer

The answer of Which of the following is not a...

Question 13

Verifying the identity of the person or device attempting to access the system is&#10;A)Authentication&#10;B)Authorization&#10;C)Identification&#10;D)Threat monitoring

Accepted Answer

The answer of Verifying the identity of the person or...

Question 14

Which of the following preventive controls are necessary to provide adequate security that deals with social engineering?&#10;A)Controlling remote access&#10;B)Encryption&#10;C)Host and application hardening&#10;D)Training

Accepted Answer

The answer of Which of the following preventive controls are...

Question 15

Which of the following is not one of the five basic principles that contribute to systems reliability according to the Trust Services framework.&#10;A)Confidentiality&#10;B)Processing speed&#10;C)Security&#10;D)System availability

Accepted Answer

The answer of Which of the following is not one...

Question 16

Restricting access of users to specific portions of the system as well as specific tasks,is&#10;A)Authentication&#10;B)Authorization&#10;C)Identification&#10;D)Threat monitoring

Accepted Answer

The answer of Restricting access of users to specific portions...

Question 17

Perimeter defense is an example of which of the following preventive controls that are necessary to provide adequate security.&#10;A)Training&#10;B)Controlling physical access&#10;C)Controlling remote access&#10;D)Host and application hardening

Accepted Answer

The answer of Perimeter defense is an example of which...

Question 18

The AICPA and the CICA have created an evaluation service known as SysTrust.SysTrust follows four principles to determine if a system is reliable.The reliability principle that states that users must be able to enter,update,and retrieve data during agreed-upon times is known as

A)availability.
B)security.
C)maintainability.
D)integrity.

Accepted Answer

The answer of The AICPA and the CICA have created...

Question 19

Which of the following is an example of a preventive control?&#10;A)Encryption&#10;B)Log analysis&#10;C)Intrusion detection&#10;D)Emergency response teams

Accepted Answer

The answer of Which of the following is an example...

Question 20

Multi-factor authentication&#10;A)Involves the use of two or more basic authentication methods.&#10;B)Is a table specifying which portions of the systems users are permitted to access.&#10;C)Provides weaker authentication than the use of effective passwords.&#10;D)Requires the use of more than one effective password.

Accepted Answer

The answer of Multi-factor authentication&#10;A)Involves the use of two or...

Question 21

A process that takes plaintext of any length and transforms it into a short code.&#10;A)Asymmetric encryption&#10;B)Encryption&#10;C)Hashing&#10;D)Symmetric encryption

Accepted Answer

The answer of A process that takes plaintext of any...

Question 22

This screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header..&#10;A)Access control list&#10;B)Deep packet inspection&#10;C)Stateful packet filtering&#10;D)Static packet filtering

Accepted Answer

The answer of This screens individual IP packets based solely...

Question 23

This is designed to identify and drop packets that are part of an attack.&#10;A)Deep packet inspection&#10;B)Intrusion prevention system&#10;C)Stateful packet filtering&#10;D)Static packet filtering

Accepted Answer

The answer of This is designed to identify and drop...

Question 24

A special purpose hardware device or software running on a general purpose computer which filters information that is allowed to enter and leave the organization's information system.&#10;A)Demilitarized zone&#10;B)Intrusion detection system&#10;C)Intrusion prevention system&#10;D)Firewall

Accepted Answer

The answer of A special purpose hardware device or software...

Question 25

The most common input-related vulnerability is&#10;A)Buffer overflow attack&#10;B)Hardening&#10;C)War dialing&#10;D)Encryption

Accepted Answer

The answer of The most common input-related vulnerability is&#10;A)Buffer overflow...

Question 26

Which of the following is not one of the three important factors determining the strength of any encryption system?&#10;A)Key length&#10;B)Key management policies&#10;C)Encryption algorithm&#10;D)Privacy

Accepted Answer

The answer of Which of the following is not one...

Question 27

The process of turning off unnecessary features in the system is known as&#10;A)Deep packet inspection&#10;B)Hardening&#10;C)Intrusion detection&#10;D)War dialing

Accepted Answer

The answer of The process of turning off unnecessary features...

Question 28

This protocol specifies the structure of packets sent over the internet and the route to get them to the proper destination.&#10;A)Access control list&#10;B)Internet protocol&#10;C)Packet switching protocol&#10;D)Transmission control protocol

Accepted Answer

The answer of This protocol specifies the structure of packets...

Question 29

Compatibility tests utilize a(n)__________,which is a list of authorized users,programs,and data files the users are authorized to access or manipulate.&#10;A)validity test&#10;B)biometric matrix&#10;C)logical control matrix&#10;D)access control matrix

Accepted Answer

The answer of Compatibility tests utilize a(n)__________,which is a list...

Question 30

These systems use the same key to encrypt and to decrypt.&#10;A)Asymmetric encryption&#10;B)Hashing encryption&#10;C)Public key encryption&#10;D)Symmetric encryption

Accepted Answer

The answer of These systems use the same key to...

Question 31

The final layer of preventive controls.&#10;A)Authentication&#10;B)Authorization&#10;C)Encryption&#10;D)Intrusion detection

Accepted Answer

The answer of The final layer of preventive controls.&#10;A)Authentication&#10;B)Authorization&#10;C)Encryption&#10;D)Intrusion detection...

Question 32

This determines which packets are allowed entry and which are dropped..&#10;A)Access control list&#10;B)Deep packet inspection&#10;C)Stateful packet filtering&#10;D)Static packet filtering

Accepted Answer

The answer of This determines which packets are allowed entry...

Question 33

Which of the following descriptions is not associated with symmetric encryption?&#10;A)A shared secret key&#10;B)Faster encryption&#10;C)Lack of authentication&#10;D)Separate keys for each communication party.

Accepted Answer

The answer of Which of the following descriptions is not...

Question 34

The process of transforming normal text into cipher text&#10;A)Encryption&#10;B)Decryption&#10;C)Filtering&#10;D)Hardening

Accepted Answer

The answer of The process of transforming normal text into...

Question 35

Which of the following is not associated with asymmetric encryption?&#10;A)No need for key exchange&#10;B)Public keys&#10;C)Private keys&#10;D)Speed

Accepted Answer

The answer of Which of the following is not associated...

Question 36

This protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet.&#10;A)Access control list&#10;B)Internet protocol&#10;C)Packet switching protocol&#10;D)Transmission control protocol

Accepted Answer

The answer of This protocol specifies the procedures for dividing...

Question 37

This processes involves the firewall examining the data in the body of an IP packet.&#10;A)Access control list&#10;B)Deep packet inspection&#10;C)Stateful packet filtering&#10;D)Static packet filtering

Accepted Answer

The answer of This processes involves the firewall examining the...

Question 38

These are used to create digital signatures.&#10;A)Asymmetric encryption and hashing&#10;B)Hashing and packet filtering&#10;C)Packet filtering and encryption&#10;D)Symmetric encryption and hashing

Accepted Answer

The answer of These are used to create digital signatures.&#10;A)Asymmetric...

Question 39

This maintains a table that lists all established connections between the organization's computers and the Internet to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer..

A)Access control list
B)Deep packet inspection
C)Stateful packet filtering
D)Static packet filtering

Accepted Answer

The answer of This maintains a table that lists all...

Question 40

This is used to identify rogue modems (or by hackers to identify targets).&#10;A)War chalking&#10;B)War dialing&#10;C)War driving&#10;D)None of the above

Accepted Answer

The answer of This is used to identify rogue modems...

Question 41

Information encrypted with the creator's private key that is used to authenticate the sender is.&#10;A)Asymmetric encryption&#10;B)Digital certificate&#10;C)Digital signature&#10;D)Public key

Accepted Answer

The answer of Information encrypted with the creator's private key...

Question 42

Encryption has a remarkably long and varied history.Spies have been using it to convey secret messages ever since there were secret messages to convey.One powerful method of encryption uses random digits.Two documents are prepared with the same random sequence of numbers.The spy is sent out with one and the spy master retains the other.The digits are used as follows.Suppose that the word to be encrypted is SPY and the random digits are 352.Then S becomes V (three letters after S),P becomes U (five letters after P),and Y becomes A (two letters after Y,restarting at A after Z).The spy would encrypt a message and then destroy the document used to encrypt it.This is an early example of

A)a hashing algorithm.
B)asymmetric key encryption.
C)symmetric key encryption.
D)public key encryption.

Accepted Answer

The answer of Encryption has a remarkably long and varied...

Question 43

In recent years,many of the attacks carried out by hackers have relied on this type of vulnerability in computer software.&#10;A)Code mastication&#10;B)Boot sector corruption&#10;C)Weak authentication&#10;D)Buffer overflow

Accepted Answer

The answer of In recent years,many of the attacks carried...

Question 44

Meaningful Discussions is a social networking site that boasts over a million registered users and a quarterly membership growth rate in the double digits.As a consequence,the size of the information technology department has been growing very rapidly,with many new hires.Each employee is provided with a name badge with a photo and embedded computer chip that is used to gain entry to the facility.This is an example of a(an)

A)authentication control.
B)biometric device.
C)remote access control.
D)authorization control.

Accepted Answer

The answer of Meaningful Discussions is a social networking site...

Question 45

In a private key system the sender and the receiver have __________,and in the public key system they have __________.&#10;A)different keys; the same key&#10;B)a decrypting algorithm; an encrypting algorithm&#10;C)the same key; two separate keys&#10;D)an encrypting algorithm; a decrypting algorithm

Accepted Answer

The answer of In a private key system the sender...

Question 46

The ___________ disseminates information about fraud,errors,breaches and other improper system uses and their consequences.&#10;A)Chief information officer&#10;B)Chief operations officer&#10;C)Chief security officer&#10;D)Computer emergency response team

Accepted Answer

The answer of The ___________ disseminates information about fraud,errors,breaches and...

Question 47

This uses automated tools to identify whether a given system possesses any well-known security problems.&#10;A)Intrusion detection system&#10;B)Log analysis&#10;C)Penetration test&#10;D)Vulnerability scan

Accepted Answer

The answer of This uses automated tools to identify whether...

Question 48

In 2007,a major U.S.financial institution hired a security firm to attempt to compromise its computer network.A week later,the firm reported that it had successfully entered the system without apparent detection and presented an analysis of the vulnerabilities that had been found.This is an example of a

A)preventive control.
B)detective control.
C)corrective control.
D)standard control.

Accepted Answer

The answer of In 2007,a major U.S.financial institution hired a...

Question 49

Using a combination of symmetric and asymmetric key encryption,Chris Kai sent a report to her home office in Syracuse,New York.She received an email acknowledgement that the document had been received and then,a few minutes later,she received a second email that indicated that the hash calculated from the report differed from that sent with the report.This most likely explanation for this result is that&#10;A)the public key had been compromised.&#10;B)the private key had been compromised.&#10;C)the symmetric encryption key had been compromised.&#10;D)the asymmetric encryption key had been compromised.

Accepted Answer

The answer of Using a combination of symmetric and asymmetric...

Question 50

The system and processes used to issue and manage asymmetric keys and digital certificates.&#10;A)Asymmetric encryption&#10;B)Certificate authority&#10;C)Digital signature&#10;D)Public key infrastructure

Accepted Answer

The answer of The system and processes used to issue...

Question 51

Encryption has a remarkably long and varied history.The invention of writing was apparently soon followed by a desire to conceal messages.One of the earliest methods,attributed to an ancient Roman emperor,was the simple substitution of numbers for letters,for example A = 1,B = 2,etc.This is an example of&#10;A)a hashing algorithm.&#10;B)symmetric key encryption.&#10;C)asymmetric key encryption.&#10;D)a public key.

Accepted Answer

The answer of Encryption has a remarkably long and varied...

Question 52

A more rigorous test of the effectiveness of an organization's computer security.&#10;A)Intrusion detection system&#10;B)Log analysis&#10;C)Penetration test&#10;D)Vulnerability scan

Accepted Answer

The answer of A more rigorous test of the effectiveness...

Question 53

Which of the following describes one weakness of encryption?&#10;A)Encrypted packets cannot be examined by a firewall.&#10;B)Encryption protects the confidentiality of information while in storage.&#10;C)Encryption protects the privacy of information during transmission.&#10;D)Encryption provides for both authentication and non-repudiation.

Accepted Answer

The answer of Which of the following describes one weakness...

Question 54

One way to circumvent the counterfeiting of public keys is by using&#10;A)a digital certificate.&#10;B)digital authority.&#10;C)encryption.&#10;D)cryptography.

Accepted Answer

The answer of One way to circumvent the counterfeiting of...

Question 55

It was 9:08 A.M.when Jiao Jan,the Network Administrator for Folding Squid Technologies,was informed that the intrusion detection system had identified an ongoing attempt to breach network security.By the time that Jiao had identified and blocked the attack,the hacker had accessed and downloaded several files from the company's server.Using the notation for the time-based model of security,in this case&#10;A)P > D&#10;B)D > P&#10;C)C > P&#10;D)P > C

Accepted Answer

The answer of It was 9:08 A.M.when Jiao Jan,the Network...

Question 56

An electronic document that certifies the identity of the owner of a particular public key.&#10;A)Asymmetric encryption&#10;B)Digital certificate&#10;C)Digital signature&#10;D)Public key

Accepted Answer

The answer of An electronic document that certifies the identity...

Question 57

These are established to deal with major security breaches.&#10;A)CERTs&#10;B)CSOs&#10;C)FIRSTs&#10;D)Intrusion detection systems

Accepted Answer

The answer of These are established to deal with major...

Question 58

Which of the following is commonly true of the default settings for most commercially available wireless access points?&#10;A)The security level is set at the factory and cannot be changed.&#10;B)Wireless access points present little danger of vulnerability so security is not a concern.&#10;C)Security is set to the lowest level that the device is capable of.&#10;D)Security is set to the highest level that the device is capable of.

Accepted Answer

The answer of Which of the following is commonly true...

Question 59

This is an authorized attempt by an internal audit team or an external security consultant to break into the organization's information system.&#10;A)Intrusion detection system&#10;B)Log analysis&#10;C)Penetration test&#10;D)Vulnerability scan

Accepted Answer

The answer of This is an authorized attempt by an...

Question 60

This creates logs of network traffic that was permitted to pass the firewall&#10;A)Intrusion detection system&#10;B)Log analysis&#10;C)Penetration test&#10;D)Vulnerability scan

Accepted Answer

The answer of This creates logs of network traffic that...

Question 61

Explain social engineering.

Accepted Answer

The answer of Explain social engineering....

Question 62

How does an intrusion detection system work?

Accepted Answer

The answer of How does an intrusion detection system work?...

Question 63

When new employees are hired by Folding Squid Technologies,they are assigned user names and appropriate permissions are entered into the information system's access control matrix.This is an example of a(an)&#10;A)authentication control.&#10;B)biometric device.&#10;C)remote access control.&#10;D)authorization control.

Accepted Answer

The answer of When new employees are hired by Folding...

Question 64

Which of the following is the most effective method of protecting against social engineering attacks on a computer system?&#10;A)stateful packet filtering.&#10;B)employee training.&#10;C)a firewall.&#10;D)a demilitarized zone.

Accepted Answer

The answer of Which of the following is the most...

Deck 7: Infromation System Controls for Systems Reliability