1. Which of the following terms indicates that information is to be read only by those people for whom it is intended?
a) confidentiality
b) integrity
c) availability
d) accounting
Answer: a
Difficulty: Medium
Section Reference: Understanding Confidentiality
Explanation: Confidentiality is a concept we deal with frequently in real life. For instance, we expect our doctors to keep our medical records confidential, and we trust our friends to keep our secrets confidential. The business world defines confidentiality as the characteristic of a resource that ensures access is restricted only to permitted users, applications, or computer systems.

2. What technology is not used to implement confidentiality?
a) encryption
b) access controls
c) auditing
d) authentication
Answer: c
Difficulty: Easy
Section Reference: Understanding Confidentiality
Explanation: Confidentiality is particularly critical in today's environment. Several technologies support confidentiality in an enterprise security implementation: strong encryption, strong authentication, and stringent access controls.

3. Which of the following makes sure that data is not changed when it is not supposed to be?
a) confidentiality
b) integrity
c) availability
d) accounting
Answer: Integrity
Difficulty: Medium
Section Reference: Understanding Integrity
Explanation: In the information security context, integrity is defined as the consistency, accuracy, and validity of data. One goal of a successful information security program is to ensure that data is protected against any unauthorized or accidental changes.

4. Which of the following is not a response when dealing with a risk?
a) avoidance
b) mitigation
c) transfer
d) patching
Answer: d
Difficulty: Medium
Section Reference: Defining Threats and Risk Management
Explanation: After you prioritize your risks, you can choose from among the four generally accepted responses to these risks: avoidance, acceptance, mitigation, and transfer.

5. What do you call the security discipline that requires that a user is given no more privilege than necessary to perform his or her job?
a) defense in depth
b) reduction of attack surface
c) risk transfer
d) principle of least privilege
Answer: d
Difficulty: Easy
Section Reference: Understanding the Principle of Least Privilege
Explanation: The principle of least privilege is a security discipline that requires that a particular user, system, or application be given no more privilege than necessary to perform its function or job. The principle of least privilege has been a staple in the security arena for a number of years, and many organizations have struggled to implement it successfully.

6. What do you call the scope that a hacker can use to break into a system?
a) defense in depth
b) attack surface
c) principle of least privilege
d) risk mitigation
Answer: b
Difficulty: Easy
Section Reference: Understanding Attack Surface
Explanation: An attack surface consists of the set of methods and avenues an attacker can use to enter a system and potentially cause damage. The larger the attack surface of a particular environment, the greater the risk of a successful attack.

7. What method used by a hacker relies on the trusting nature of the person being attacked?
a) social engineering
b) attack surface
c) principle of least privilege
d) risk avoidance
Answer: a
Difficulty: Easy
Section Reference: Understanding Social Engineering
Explanation: Social engineering is a method used to gain access to data, systems, or networks, primarily through misrepresentation. This technique typically relies on the trusting nature of the person being attacked. In a typical social engineering attack, the attacker will try to appear as harmless or respectful as possible. These attacks can be perpetrated in person, through email, or via phone. Attackers will try techniques ranging from pretending to be a help desk or support department staffer, claiming to be a new employee, or (in some cases) even offering credentials that identify them as an employee of the company.

8. What is the best way to protect against social engineering?
a) stronger encryption
b) stronger authentication
c) employee awareness
d) risk mitigation
Answer: c
Difficulty: Easy
Section Reference: Understanding Social Engineering
Explanation: The key to thwarting a social engineering attack is employee awareness. If your employees know what to watch for, an attacker will find little success.

9. What is needed to highly secure a system?
a) lots of time
b) more money
c) system update
d) disabled administrator account
Answer: b
Difficulty: Medium
Section Reference: Linking Cost with Security
Explanation: Security costs money. Typically, the more money you spend, the more secure your information or resources will be (up to a point). So, when looking at risks and threats, you need to consider how valuable certain confidential data or resources are to your organization and also how much money you are willing to spend to protect those data or resources.

10. What is the first line of defense when setting up a network?
a) physically secure the network
b) configure authentication
c) configure encryption
d) configure an ACL
Answer: a
Difficulty: Easy
Section Reference: Looking at Physical Security as the First Line of Defense
Explanation: If someone can get physical access to a server where confidential data is stored, with the right tools and enough time, that person can bypass any security the server uses to protect the data.

11. Which concept determines what resources users can access after they log on?
a) authentication
b) auditing
c) access control
d) defense in depth
Answer: c
Difficulty: Easy
Section Reference: Understanding Access Control
Explanation: Access control is a key concept when thinking about physical security. It can also be a little confusing, because you frequently hear the phrase used when discussing information security. In the context of physical security, access control is the process of restricting access to a resource to only permitted users, applications, or computer systems.

12. What is used to provide protection when one line of defense is breached?
a) defense in depth
b) attack surface
c) principle of least privilege
d) risk mitigation
Answer: a
Difficulty: Easy
Section Reference: Understanding Access Control
Explanation: The term defense in depth means using multiple layers of security to defend your assets. That way, even if an attacker breaches one layer of your defense, you have additional layers to keep that person out of the critical areas of your environment.

13. What is used to identify a person before giving access?
a) authentication
b) encryption
c) access control
d) auditing
Answer: a
Difficulty: Easy
Section Reference: Understanding Access Control
Explanation: Site security must address the need to identify and authenticate the people who are permitted access to an area. The first step is authentication, which proves that a person who is logging on is actually that person.

14. What is used to verify that an administrator is not accessing data that he should not be accessing?
a) authentication
b) encryption
c) access control
d) auditing
Answer: d
Difficulty: Easy
Section Reference: Understanding Access Control
Explanation: Site security must also provide the ability to audit activities within the facility. This can be done by reviewing camera footage, badge reader logs, visitor registration logs, or other mechanisms.

15. What type of device can be easily lost or stolen or can be used for espionage?
a) processors
b) RAM chips
c) removable devices
d) servers
Answer: c
Difficulty: Easy
Section Reference: Using Removable Devices and Drives
Explanation: A removable storage device or drive is designed to be taken out of a computer without turning the computer off. Three basic types of security issues are associated with removable storage: loss, theft, and espionage. The loss of a storage device is one of the most common security issues you will encounter.

16. What is a physical or logical device used to capture keystrokes?
a) USB flash drive
b) PDA
c) Smartphone
d) keylogger
Answer: d
Difficulty: Easy
Section Reference: Understanding Keyloggers
Explanation: A keylogger is a physical or logical device used to capture keystrokes. An attacker will either place a device between the keyboard and the computer or install a software program to record each keystroke taken, and then she can use software to replay the data and capture critical information such as user IDs and passwords, credit card numbers, Social Security numbers, or even confidential emails or other data.

17. In dealing with risks, which response is done by buying insurance to protect your bottom line if such a disaster or threat is realized?
a) risk avoidance
b) risk acceptance
c) risk mitigation
d) risk transfer
Answer: d
Difficulty: Medium
Section Reference: Defining Threats and Risk Management
Explanation: Risk transfer is the act of taking steps to move responsibility for a risk to a third party through insurance or outsourcing. For example, you risk having an accident while driving your car. You transfer this risk by purchasing insurance so that in the event of an accident, your insurance company is responsible for paying most of the associated costs.

Fill in the Blank

18. ___________ is generally defined as the probability that an event will occur that can cause harm to a computer system, service, or network.
Answer: risk
Difficulty: Medium
Section Reference: Defining Threats and Risk Management
Explanation: Risk is generally defined as the probability that an event will occur. In reality, businesses are concerned about only risks that would negatively affect the computing environment. For instance, you might risk winning the lottery on Friday, but that's not a risk your company is going to actively address, because it would be something positive.

19. Over the last couple of years, small ___________________ devices have become one of the largest challenges facing security professionals.
Answer: mobile devices
Difficulty: Medium
Section Reference: Understanding Mobile Devices Security
Explanation: Mobile devices are one of the largest challenges facing many security professionals today. Mobile devices such as laptops, PDAs (personal digital assistants), and smartphones are used to process information, send and receive mail, store enormous amounts of data, surf the Internet, and interact remotely with internal networks and systems.

Short Answer

20. What do the initials CIA stand for in relation to security?
Answer: confidentiality, integrity, and availability
Difficulty: Hard
Section Reference: Introducing Security
Explanation: When you are working in the information security field, one of the first acronyms you will encounter is CIA, but don't confuse this with a government agency. Rather, in this context, CIA represents the core goals of an information security program: Confidentiality, Integrity, and Availability.