Question Description

Multiple Choice questions, (2 points each)

1.Which of the following describes the first step in establishing an encrypted session using a Data Encryption Standard (DES) key?

A. Key clustering

B. Key compression

C. Key signing

D. Key exchange

2. When an employee transfers within an organization …

A. The employee must undergo a new security review.

B. The old system IDs must be disabled.

C. All access permission should be reviewed.

D. The employee must turn in all access devices.

3. Company X is planning to implement rule based access control mechanism for controlling access to its information assets, what type of access control is this usually related to?

A. Discretionary Access Control

B. Task-initiated Access Control

C. Subject-dependent Access Control

D. Token-oriented Access Control

4. As an information systems security manager (ISSM), how would you explain the purpose for a system security policy?

A. A definition of the particular settings that have been determined to provide optimum security

B. A brief, high-level statement defining what is and is not permitted during the operation of the system

C. A definition of those items that must be excluded on the system

D. A listing of tools and applications that will be used to protect the system

5. Configuration management provides assurance that changes…?

A. to application software cannot bypass system security features.

B. do not adversely affect implementation of the security policy.

C. to the operating system are always subjected to independent validation and verification.

D. in technical documentation maintain an accurate description of the Trusted Computer Base.

6. What type of cryptanalytic attack where an adversary has the least amount of information to work with?

A. Known-plaintext

B. Ciphertext-only

C. Plaintext-only

D. Chosen-ciphertext

7. Prior to installation of an intrusion prevention system (IPS), a network engineer would place a packet sniffer on the network, what is the purpose for using a packet sniffer?

A. It tracks network connections.

B. It monitors network traffic.

C. It scans network segments for cabling faults.

D. It detects illegal packets on the network.

8. What determines the assignment of data classifications in a mandatory access control (MAC) philosophy?

A. The analysis of the users in conjunction with the audit department

B. The assessment by the information security department

C. The user’s evaluation of a particular information element

D. The organization’s published security policy for data classification

9. An access control system that grants users only those rights necessary for them to perform their work is operating on which security principle?

A. Discretionary Access

B. Least Privilege

C. Mandatory Access

D. Separation of Duties

10. Which of the following is the primary goal of a security awareness program?

A. It provides a vehicle for communicating security procedures.

B. It provides a clear understanding of potential risk and exposure.

C. It provides a forum for disclosing exposure and risk analysis.

D. It provides a forum to communicate user responsibilities.

11. An information security program should include the following elements:

A. Disaster recovery and business continuity planning, and definition of access control requirements and human resources policies.

B. Business impact, threat and vulnerability analysis, delivery of an information security awareness program, and physical security of key installations.

C. Security policy implementation, assignment of roles and responsibilities, and information asset classification.

D. Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems.

12. Which of the following refers to a series of characters used to verify a user’s identity?

A. Token serial number

B. User ID

C. Password

D. Security ticket

13. Security of an automated information system is most effective and economical if the system is…?

A. optimized prior to addition of security.

B. customized to meet the specific security threat.

C. subjected to intense security testing.

D. designed originally to meet the information protection needs.

14. Act of obtaining information of a higher level of sensitivity by combining information from lower level of sensitivity is called?

A. Aggregation

B. Data mining

C. Inference

D. Polyinstantiation

15. Which of the following is the least important information to record when logging a security violation?

A. User’s name

B. User id.

C. Type of violation

D. Date and time of the violation

16. The goal of cryptanalysis is to…?

A. forge coded signals that will be accepted as authentic.

B. ensure that the key has no repeating segments.

C. reduce the system overhead for cryptographic functions.

D. determine the number of encryption permutations required.

17. Pretty Good Privacy (PGP) provides…?

A. confidentiality, integrity, and authenticity.

B. integrity, availability, and authentication.

C. availability, authentication, and non-repudiation.

D. authorization, non-repudiation, and confidentiality.

18. Which of the following transaction processing properties ensures once a transaction completes successfully (commits), the updates survive even if there is a system failure?

A. Atomicity.

B. Consistency.

C. Isolation.

D. Durability.

19. A security policy provides a way to…?

A. establish a cost model for security activities.

B. allow management to define system recovery requirements.

C. identify and clarify security goals and objectives.

D. enable management to define system access rules.

20. Computer security is generally considered to be the responsibility of…?

A. everyone in the organization.

B. corporate management.

C. the corporate security staff.

D. everyone with computer access.

21. What is a set of step-by-step instructions used to satisfy control requirements called?

A. Policy

B. Standard

C. Guideline

D. Procedure

22. The accounting branch of a large organization requires an application to process expense vouchers. Each voucher must be input by one of many accounting clerks, verified by the clerk’s applicable supervisor, then reconciled by an auditor before the reimbursement check is produced. Which access control technique should be built into the application to best serve these requirements?

A. Mandatory Access Control (MAC)

B. Password Security

C. Role-based Access Control (RBAC)

D. Terminal Access Controller Access System (TACACS)

23. When verifying key control objectives of a system design, the security specialist should ensure that the…?

A. final system design has security administrator approval.

B. auditing procedures have been defined.

C. vulnerability assessment has been completed.

D. impact assessment has been approved.

24. Which of the followings are security concerns with distributed systems?

A. Downloaded data from the Internet via the web or through e-mail may infect other computers.

B. Desktop systems may not be properly secured.

C. Unauthorized access to a secured network could be made through remote control or terminal server programs running on a desktop.

D. A, B, and C.

25. Three principal schemes that provide a framework for managing access control are:

A. Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC).

B. Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Layer Based Access Protocol (LBAP).

C. Mandatory Access Control (MAC), Layer Based Access Protocol (LBAP), and Target Based Access Protocol (TBAP).

D. Role Based Access Control (RBAC), Layer Based Access Protocol (LBAP), and Target Based Access Protocol (TBAP).

Essay Questions (10 points each)

  • Each device on a network actually has two network-related addresses: MAC address and IP address. Describe each of these addresses and what is ARP positioning attack.
  • Describe what is SNMP (Simple Network Management Protocol)?
  • What is Reconnaissance attack?And What is port scanning? How it can be prevented?
  • What is DOS denial-of-service and DDOS distributed denial-of-service?
  • Describe how do we secure public servers? Describe how do we secure Server Farms?