Tuesday, December 29, 2015

IS3230 IS 3220 Final Exam (ITT Tech)

Which of the following are the elements of a well-defined access control system?
Identification, authentication, and authorization
Information, technology, and system
Process, application, and object
Policy, procedure, and tool
Which of the following statements best defines the purpose of access control?
Regulating interaction between a subject and an object
Providing ability to traverse network connections
Making information available to the general public on the company’s Web site
Enforcing organizational policies
Which of the following is not a subject in an access control scenario?
Networks
Information
Systems
Applications
Which of the following components can be used to measure the confidence in any authentication system?
Password strength and uniqueness of user name
Uniqueness of individual’s characteristics and behavioral patterns
Identification of subject and amount of physical access granted by system
Type of correlation and the number of authentication factors
Which of the following attack strategies has the highest success rate of making a particular system vulnerable?
Man-in-the-middle
Heightened access
Social engineering
Password cracking
Which of the following holds true while hardening an organizational network through security controls?
It is not necessary to prioritize all efforts at mitigating threats and vulnerabilities.
100 percent access control threats cannot be eliminated.
Cost and efficiency demand a 100 percent resolution to vulnerabilities.
It is not necessary to complete a risk assessment of a critical network prior to hardening.
Which of the following should be considered while implementing a layered access security approach?
Annual loss and failure rate for each component
Security of each network component
Cost of attainment of each component
Annual rate of occurrence for each component
Which of the following is the preferred method to reduce risks while managing access security controls within the system/application domain?
IP tunneling
IDS or an IPS
Application-level firewall
Patch management software
When considering access control security options to mitigate vulnerabilities within the infrastructure, it is ___________.
unnecessary to place access controls on each asset
mandatory to perform a risk assessment
implied that vulnerabilities and threats have the same meaning
absolutely necessary to place access controls on each layered asset
Which of the following acts allows anyone to get access to unclassified information through legal means?
CIPA
FOIA
FERPA
NERC
To which of the following does the Privacy Act of 1974 apply?
Local government
Federal government
State government
Private entity
Defense-in-depth is the concept and strategy of implementing __________.
access control systems with a significant degree of overlap between several defensive areas
discrete boundary-driven protection in a network
strong authentication internally and remote authentication at the network perimeter
risk assessment to identify and prioritize assets for remediation
In a data classification scheme, least privilege and need to know ensure that access to data and information is available to __________.
all users
users with specific job roles only
users with specific job roles and valid need to access the information
users with a need to protect the information to the fullest extent
What are the business reasons to classify and protect data?
Risk avoidance and competitive advantage
Government requirements and industry practices
Public community involvement and legal requirements
Confidentiality and privacy
To which of the following do the factors “the right information, to the right people, at the right time” apply?
Cost containment
Risk assessment
Audit
Operational efficiency
Which of the following is a key requirement of HIPAA for health organizations?
Encryption of all health-related information
Encryption of private health information on public networks
Notifying a patient about sharing of his/her health information with a research institute
Disclosing all PHI and the patient is responsible for confidentiality
In which of the following forms may FERPA data appear?
1. Computer media
2. Microfilm/Microfiche
3. Hand-written notes in the student's folder
4. Personally identifiable information in any record
5. Non-educational information and personal documents
3, 2, 1, 4
2, 4, 1, 5
3, 1, 5, 4
4, 2, 3, 5
Which of the following is a purely damaging attack, meant to render a system unusable?
Eavesdropping
Social engineering
DoS attacks
System exploits
What do Federal and State laws concerning unauthorized access serve as?
Deterrents to sharing data
Deterrents to data theft
Havens for spies and espionage
Central conduits for information declassification
What does an IT security policy framework consist of?
Standards, policies, and procedures
Procedures and guidelines
Policies and standards
Policies, guidelines, standards, and procedures
Which of the following holds true for DMCA?
Allows illegitimate reverse engineering to bypass copyright protection
Disallows unauthorized disclosure of data by circumventing an organization’s technology
Disallows an approved third party from trying to break an access control measure
Allows the manufacture and distribution of code breaking devices
Which of the following features should not be there in an access control system?
Allow customers to create and update their own account information
Allow customers to create orders
Allow customers to amend and update the account of their family members
Deny access to any information associated with that customer’s organization
To which of the following do the aspects of compartmentalization and dual conditions belong?
Least privilege
Separation of responsibilities
Need to know
Business continuity
Which of the following defines how employees may use IT infrastructure supplied by an organization?
PII
AUP
Security awareness
Access control policy
Which of the following is not a right granted in the UNIX-based environment?
Read
Delete
Write
Execute
UNIX-based permissions can have an octal notation value of zero.
True
False
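
The two UNIX permission questions above turn on how mode bits map to octal notation. The following is an added example, not part of the original exam page: it converts between ls-style symbolic strings and octal modes using only Python's standard stat module, shows that a mode of 0 (octal 000) is a valid value meaning no permissions at all, and flags the patterns a hardening review would usually question. The sample modes in the main block are constructed for illustration.

```python
# Added example (not from the original page): translating UNIX mode bits
# between symbolic and octal forms, and flagging modes that violate least
# privilege. Uses only the standard library's stat module.
import stat

# Bit masks in the order they appear in an "rwxrwxrwx" string.
_BITS = [
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
]
_CHARS = "rwxrwxrwx"


def mode_to_symbolic(mode: int) -> str:
    """Render the permission bits of a mode as ls-style 'rwxr-x---'."""
    return "".join(c if mode & b else "-" for c, b in zip(_CHARS, _BITS))


def symbolic_to_mode(sym: str) -> int:
    """Parse an ls-style string back into an integer mode ('rw-r--r--' -> 0o644)."""
    if len(sym) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for c, expected, b in zip(sym, _CHARS, _BITS):
        if c == expected:
            mode |= b
        elif c != "-":
            raise ValueError(f"unexpected character {c!r}")
    return mode


def octal(mode: int) -> str:
    """Octal notation as chmod expects it, e.g. '750'. A mode of 0 is valid: '000'."""
    return format(mode & 0o7777, "03o")


def least_privilege_findings(mode: int) -> list:
    """Report the permission patterns a hardening review would flag."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID:
        findings.append("setgid")
    return findings


if __name__ == "__main__":
    # Constructed sample modes: a private script, a config file, no access at all,
    # a setuid binary, and a world-writable file.
    for m in (0o750, 0o644, 0o000, 0o4755, 0o666):
        print(octal(m), mode_to_symbolic(m), least_privilege_findings(m) or "ok")
```

Note that octal() masks with 0o7777 so the file-type bits (S_IFREG, S_IFDIR) returned by os.stat are dropped and only the permission, setuid, setgid and sticky bits remain.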
Which of the following is not a method to secure DIM?
SSL
Encryption
VPN
Hash
Which of the following is not a typical social engineering strategy?
Multiple contacts
Believability
Assumed identity
Communication
Separation of duties, periodic vacation, and job rotation are the ways to reduce human risk factors within an organizational structure.
True
False
Which of the following manages ACLs in an MS Windows environment?
POSIX
NFSv4
RDBMS
Active Directory
Delegated access rights exist in a mandatory access control environment.
True
False
Which of the following is the basis of granting access for an object in MAC?
Sensitivity of the object only
Sensitivity of the subject only
Sensitivity of the additional attributes of the subject
Sensitivity of both object and subject
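
The MAC questions above ask what an access decision is based on. As an added example that is not part of the original exam page, here is a small mandatory access control check in which the decision depends on the labels of both the subject and the object. The labels follow a Bell-LaPadula style lattice (an ordered level plus a set of compartments); the "no read up" rule is the simple security property, and the "no write down" rule is the *-property, which goes beyond what the question itself states. The level names, compartment names and the Label class are assumptions for illustration.

```python
# Added example (not from the original page): a mandatory access control
# decision that depends on the sensitivity of both the subject and the object.
# Labels follow a Bell-LaPadula style lattice; the model and the label names
# are assumptions chosen for illustration.
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: equal-or-higher level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_read_allowed(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def mac_write_allowed(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object's label must dominate the subject's clearance."""
    return obj.dominates(subject)


def mac_decision(subject: Label, obj: Label, access: str) -> bool:
    """Central policy decision point; neither the owner nor the subject can override it."""
    if access == "read":
        return mac_read_allowed(subject, obj)
    if access == "write":
        return mac_write_allowed(subject, obj)
    raise ValueError(f"unknown access type {access!r}")


if __name__ == "__main__":
    # Constructed sample labels.
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    report = Label("CONFIDENTIAL")
    ts_plan = Label("TOP SECRET", frozenset({"NUCLEAR"}))
    for access, obj in (("read", report), ("read", ts_plan), ("write", report), ("write", ts_plan)):
        print(access, obj.level, "->", "allow" if mac_decision(analyst, obj, access) else "deny")
```

The point the example makes is that the answer is not "the object only" or "the subject only": the same object is readable by one subject and not another, and the same subject can read one object yet be denied a write to it, purely from comparing the two labels.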
Which of the following aspects is not considered within an RBAC system?
Role assignment
Role authorization
Transaction authorization
Role authentication
Two-factor authentication generally combines "something you have" and "something you know" or "something you have" and "something you are."
True
False
Which of the following is not a remote authentication protocol?
PAP
RAS
CHAP
EAP
Kerberos is an example of a single sign-on system providing enterprises with scalability and flexibility.
True
False
Which of the following identifies a WLAN’s access point?
TKIP
SIEM
SSID
LDAP
What is the purpose of accounting in the AAA framework?
Provides a way of identifying the user
Determines whether a user has the right to do certain actions
Enables enforcement of policies
Enables tracking of system usage
Which of the following is the de facto standard for IPSec?
ESP
IKE
PHI
KBA
RADIUS provides flexibility for network administrators by implementing AAA components in stages as opposed to all at once.
True
False
Which of the following PKI components provides central digital signing and verification services?
Signing server
Certificate repository
Certificate validation
Certificate server
Web authentication is needed in situations where ______________ is not available.
virtual private networking
high-risk application
remote access server
organizational security policy
Which of the following does not hold true for PKI?
It is a strong authentication mechanism.
It provides integrity, confidentiality, authentication, and non-repudiation in a single framework.
It ensures that the end user can be trusted.
It does not provide authorization.
Which of the following functions of a CA provides a mechanism for requesting a digital certificate?
Policy authority
Standards
Authentication service
Certificate issuer
Digital signatures allow the recipient to conclusively prove to a third party that the sender actually sent the message. In doing so, which of the following security services is ensured?
Authentication
Non-repudiation
Confidentiality
Integrity
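
The digital signature question above hinges on the difference between proving origin to the recipient and proving it to a third party. The following added example, which is not part of the original exam page, contrasts a signature with a shared-key MAC: the signature is verified with the public key alone, so a judge who never held any secret can check it, while an HMAC tag can be produced by either holder of the shared key, so it proves nothing to an outsider about which of them authored the message. The RSA key pair is a deliberately tiny textbook one (p = 61, q = 53, n = 3233) so the arithmetic is visible; it is trivially factorable and is an illustration only. The message, key bytes and party names are constructed.

```python
# Added example (not from the original page): contrasting a digital signature
# with a shared-key MAC to show why only the signature gives non-repudiation.
# The RSA key is a deliberately tiny textbook pair (p = 61, q = 53) so the
# arithmetic is visible; it is trivially factorable and must never be used for real.
import hashlib
import hmac

N = 61 * 53              # 3233
PUBLIC_KEY = (N, 17)     # (n, e): anyone may hold this
PRIVATE_KEY = (N, 2753)  # (n, d): only the signer holds this; 17 * 2753 == 1 (mod 3120)


def _digest_mod_n(message: bytes, n: int) -> int:
    """Hash-then-sign. Reducing mod n is only needed because the toy modulus is tiny."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key: tuple, message: bytes) -> int:
    """Signer-only operation: requires the private exponent d."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Anyone, including a third party, can run this with the public key alone."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    """HMAC: authenticates between the two key holders, but either of them can produce it."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, message), tag)


if __name__ == "__main__":
    message = b"Transfer 100 to Carol"          # constructed sample message
    sig = sign(PRIVATE_KEY, message)             # Alice signs with her private key
    print("third party verifies signature:", verify(PUBLIC_KEY, message, sig))
    print("altered signature verifies:", verify(PUBLIC_KEY, message, (sig + 1) % N))

    shared = b"alice-and-bob-shared-key"         # constructed shared secret
    tag_from_alice = mac_tag(shared, message)
    tag_bob_could_make = mac_tag(shared, message)  # Bob holds the same key
    print("Bob can produce an identical tag himself:", tag_from_alice == tag_bob_could_make)
```

Because RSA exponentiation is a bijection on the residues mod n, changing the signature by even one always makes verification fail, which is what the second print line shows.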
Nonintrusive testing is often automated. What does this mean?
Some security vulnerabilities cannot be reliably tested.
Positive proof of a given vulnerability’s existence and potential damage is necessary.
Nonintrusive and intrusive testing methods should be combined.
It allows a reliable scan to be performed by IT staff that may not have extensive security training or experience.
Vulnerability assessment is the first step toward which of the following?
Network access control management
Network hardening
Gap analysis
Breach planning
The penetration test report and prior authorization separate penetration tests from hacking.
True
False
Which of the following is the most accurate method of testing a breach response?
Have a real breach.
Simulate a breach with full knowledge by the team.
Use a method called the double-blind test.
Use a full-scale attack with scanning software.
Which of the following is an attack where the hacker inserts malicious code into an input field, usually on a Web application?
Collusion
Social engineering
Code injection
Spear phishing
