CNA 210 - Chapter 15
Terms in this set (47)
Which of the following threats would be classified as the actions of a hacktivist?
A) External threat
B) Internal threat
C) Environmental threat
D) Compliance threat
A) External threat
Which of these is NOT a response to risk?
A) mitigation
B) transference
C) resistance
D) avoidance
C) resistance
Agnella was asked to create a report that listed the reasons why a contractor should be provided penetration testing authorization. Which of the follow would she NOT list in her report?
A) Legal authorization
B) Indemnification
C) Limit retaliation
D) Access to resources
D) Access to resources
Which of the following risk control types would use video surveillance systems and barricades to limit access to secure sites?
A) operational
B) managerial
C) technical
D) strategic
C) technical
Which of the following approaches to risk calculation typically assigns a numeric value (1‒10) or a label (High, Medium, or Low) to represent a risk?
A) Quantitative risk calculation
B) Qualitative risk calculation
C) Rule-based risk calculation
D) Policy-based risk calculation
B) Qualitative risk calculation
Which of the following is the average amount of time that it will take a device to recover from a failure that is not a terminal failure?
A) MTTF
B) MTTR
C) FIT
D) MTBF
B) MTTR
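The MTTR/MTBF cards above define the terms but do not show how the figures are produced. The following added example (not from the course text) computes them from a constructed outage log for one device. Conventions are an assumption, stated because sources differ: MTTR is the mean repair duration over non-terminal failures, and MTBF is the mean operating time from the end of one repair to the start of the next failure.

```python
"""MTTR and MTBF from a constructed outage log (added example, not course material)."""
from datetime import datetime, timedelta

# Constructed incident records for one device: (failure start, service restored).
OUTAGES = [
    (datetime(2023, 1, 10, 8, 0), datetime(2023, 1, 10, 10, 0)),   # 2 h repair
    (datetime(2023, 3, 1, 14, 0), datetime(2023, 3, 1, 17, 0)),    # 3 h repair
    (datetime(2023, 6, 20, 1, 0), datetime(2023, 6, 20, 2, 0)),    # 1 h repair
]


def _validated(outages):
    """Reject records that cannot come from a single device's history."""
    prev_end = None
    for start, end in outages:
        if end < start:
            raise ValueError(f"restore before failure: {start} -> {end}")
        if prev_end is not None and start < prev_end:
            raise ValueError("overlapping outages in log")
        prev_end = end
    return list(outages)


def mttr_hours(outages):
    """Mean Time To Recover: average repair duration of non-terminal failures."""
    records = _validated(outages)
    if not records:
        raise ValueError("no failures recorded")
    total = sum((end - start for start, end in records), timedelta())
    return total.total_seconds() / 3600 / len(records)


def mtbf_hours(outages):
    """Mean Time Between Failures: average uptime from one restore to the next failure
    (assumed convention; some sources measure failure start to failure start)."""
    records = _validated(outages)
    if len(records) < 2:
        raise ValueError("need at least two failures to measure time between them")
    gaps = [records[i + 1][0] - records[i][1] for i in range(len(records) - 1)]
    return sum(gaps, timedelta()).total_seconds() / 3600 / len(gaps)


def availability(outages):
    """Steady-state availability = MTBF / (MTBF + MTTR)."""
    up, down = mtbf_hours(outages), mttr_hours(outages)
    return up / (up + down)


if __name__ == "__main__":
    print(f"MTTR = {mttr_hours(OUTAGES):.1f} h")
    print(f"MTBF = {mtbf_hours(OUTAGES):.1f} h")
    print(f"availability = {availability(OUTAGES):.5f}")
```

A terminal (non-repairable) failure would be excluded from the MTTR input and counted toward MTTF instead, which is why the validator only accepts records that have a restore time.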
Which of the following covers the procedures of managing object authorizations?
A) Asset management
B) Task management
C) Privilege management
D) Threat management
C) Privilege management
Which statement does NOT describe a characteristic of a policy?
A) Policies define appropriate user behavior.
B) Policies identify what tools and procedures are needed.
C) Policies communicate a unanimous agreement of judgment.
D) Policies may be helpful if it is necessary to prosecute violators.
C) Policies communicate a unanimous agreement of judgment.
Tomassa is asked to determine the expected monetary loss every time a risk occurs. Which formula will she use?
A) AV
B) ARO
C) ALE
D) SLE
D) SLE
What is a collection of suggestions that should be implemented?
A) Policy
B) Guideline
C) Standard
D) Code
B) Guideline
Simona needs to research a control that attempts to discourage security violations before they occur. Which control will she research?
A) Deterrent control
B) Preventive control
C) Detective control
D) Corrective control
A) Deterrent control
Which statement is NOT something that a security policy must do?
A) State reasons why the policy is necessary.
B) Balance protection with productivity.
C) Be capable of being implemented and enforced.
D) Be concise and easy to understand.
B) Balance protection with productivity.
Which term describes the ability of an enterprise data center to revert to its former size after expanding?
A) Scalability
B) Elasticity
C) Contraction
D) Reduction
B) Elasticity
Which policy defines the actions users may perform while accessing systems and networking equipment?
A) End-user policy
B) Acceptable use policy
C) Internet use policy
D) User permission policy
B) Acceptable use policy
While traveling abroad, Giuseppe needs to use public Internet café computers to access the secure network. Which of the following non-persistence tools should he use?
A) Snapshot
B) Live boot media
C) Revert to known state
D) Secure Configuration
B) Live boot media
Bria is reviewing the company's updated personal email policy. Which of the following will she NOT find in it?
A) Employees should not use company email to send personal email messages.
B) Employees should not access personal email at work.
C) Employees should not forward company emails to a personal email account.
D) Employees should not give out their company email address unless requested.
D) Employees should not give out their company email address unless requested.
For adult learners, which approach is often preferred?
A) Pedagogical
B) Andragogical
C) Institutional
D) Proactive
B) Andragogical
Which of the following is NOT a security risk of social media sites for users?
A) Personal data can be used maliciously.
B) Users may be too trusting.
C) Social media security is lax or confusing.
D) Social media sites use popup ads.
D) Social media sites use popup ads.
Which of the following is NOT a time employee training should be conducted?
A) After monthly patch updates.
B) When a new computer is installed.
C) During an annual department retreat.
D) When an employee is promoted.
A) After monthly patch updates.
Bob needs to create an agreement between his company and a third-party organization that demonstrates a "convergence of will" between the parties so that they can work together. Which type of agreement will Bob use?
A) SLA
B) BPA
C) ISA
D) MOU
D) MOU
An attempt to address a risk by making it less serious is known as _____.
Answer: risk mitigation
A(n) ____ is a subject's access level over an object, such as a user's ability to open a payroll file.
Answer: privilege
Which risk calculation approach uses an "educated guess" based on observation?
Answer: Qualitative risk calculation
The likelihood of a risk occurring within a year is known as the ______.
Answer: Annualized Rate of Occurrence (ARO)
Tools used to ensure that a clean image is used rather than old, unwanted data are known as _____.
Answer: non-persistence tools
_____ are generally considered to be the most important information security policies.
Answer: Acceptable use policies
True or False: In the realm of IT security, "policies," "guidelines," and "standards" are synonymous.
Answer: False
This is defined as a situation that involves exposure to some type of danger.
Answer: risk
True or False: Due to its nature as a self-regulated, minimally controlled communication system, it is not necessary to have policies governing the use of social media at work.
Answer: False
____ learners learn through taking notes, being at the front of the class, and watching presentations.
Answer: Visual
True or False: Best practices for company email policies assure users that the company does not and cannot monitor private email traffic on company computers or systems.
Answer: False
This is a formal process of examining the seriousness of a potential threat as well as the likelihood that it will be carried out.
Answer: threat assessment
What are the three broad categories of threats?
environmental
manmade
internal vs external
This threat has to do with the natural surroundings of an enterprise.
environmental threat
Examples of this threat include vandalism and interpretive dance.
manmade threat
Employee theft and hacking describe this type of threat.
internal vs external
The chapter lists more specific threat classifications and so should you.
strategic
compliance
financial
operational
technical
managerial
____ ____ is the relative worth of an asset that is at risk.
Asset value
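The cards on qualitative risk calculation, SLE, ARO and asset value describe the terms one at a time. The following added example (not from the course text) works them together over a constructed risk register: SLE = AV × EF and ALE = SLE × ARO are the standard Security+ formulas; the exposure factor (EF), the asset figures, the qualitative thresholds and the control costs are all invented for illustration.

```python
"""Quantitative and qualitative risk calculation over a constructed register
(added example, not course material)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: relative worth of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0-1.0 (constructed)
    aro: float              # ARO: expected occurrences per year
    likelihood: int         # qualitative educated guess, 1-10
    impact: int             # qualitative educated guess, 1-10


def sle(risk: Risk) -> float:
    """Single Loss Expectancy: expected monetary loss each time the risk occurs."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized Loss Expectancy: SLE scaled by how often it happens per year."""
    return sle(risk) * risk.aro


def qualitative_label(risk: Risk) -> str:
    """Map a likelihood x impact score (1-100) onto High/Medium/Low.
    Thresholds are an assumption; a real program fixes them in its risk policy."""
    score = risk.likelihood * risk.impact
    if score >= 50:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def control_is_worthwhile(risk: Risk, annual_control_cost: float, residual_aro: float) -> bool:
    """Risk mitigation pays off when the ALE it removes exceeds what the control costs.
    residual_aro is the occurrence rate expected once the control is in place."""
    mitigated = replace(risk, aro=residual_aro)
    return ale(risk) - ale(mitigated) > annual_control_cost


def rank_by_ale(register):
    """Order the register so the largest expected annual loss comes first."""
    return sorted(register, key=ale, reverse=True)


# Constructed sample register (figures invented for illustration).
REGISTER = [
    Risk("ransomware on file server", 200_000, 0.5, 0.5, likelihood=6, impact=9),
    Risk("laptop theft", 3_000, 1.0, 4.0, likelihood=8, impact=3),
    Risk("data center flood", 1_000_000, 0.8, 0.02, likelihood=1, impact=10),
]

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name:28} SLE={sle(r):>10,.0f}  ALE={ale(r):>9,.0f}  {qualitative_label(r)}")
```

Note how the two approaches disagree: the flood has by far the largest SLE but a low qualitative label and only the second-largest ALE, because its ARO is tiny. Ranking on ALE rather than SLE is what keeps a rare catastrophe from crowding out frequent small losses.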
This evaluation examines the network that moves product from a supplier to the customer.
supply chain assessment
Choose the best answer.
Transparently adding a small coding library that intercepts calls made by the device and changes the parameters passed between the device and the device driver.
A) skimming
B) shiming
C) skiming
D) shimming
E) None of the above
D) shimming
Altering a device driver for an attack is characterized by this overly descriptive term.
device driver manipulation
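The shimming and device driver manipulation cards above describe the mechanism in one sentence each. The following added example (not from the course text) shows it with a Python module standing in for a device driver: the shim wraps the driver's exported call, rewrites the parameters the caller passed, and forwards the call so the caller sees nothing unusual. `detect_shim` is the integrity check a practitioner would pair with it; in a real system the analogue is driver signature verification, and the stand-in driver, register numbers and fingerprint scheme here are constructed for illustration.

```python
"""Shimming a driver call and detecting it (added example, not course material)."""
import functools
import hashlib
import types

# --- constructed stand-in for a device driver module ---
driver = types.ModuleType("driver")
WRITES = []  # what the "device" actually receives


def _write(register: int, value: int) -> int:
    """The driver's exported write call; records what reached the device."""
    WRITES.append((register, value))
    return 0


driver.write = _write


def code_fingerprint(fn) -> str:
    """SHA-256 of the callable's bytecode. functools.wraps copies the name and
    docstring onto a shim, so those cannot be trusted; the bytecode cannot be copied."""
    return hashlib.sha256(fn.__code__.co_code).hexdigest()


# Baseline recorded when the driver was installed, before any tampering.
BASELINE = {"write": code_fingerprint(driver.write)}


def install_shim(target_module, name, rewrite):
    """Replace module.name with a wrapper that routes parameters through `rewrite`
    before calling the original. Returns the original so it can be restored."""
    original = getattr(target_module, name)

    @functools.wraps(original)  # shim inherits __name__/__doc__: looks like the original
    def shim(*args, **kwargs):
        args, kwargs = rewrite(args, kwargs)
        return original(*args, **kwargs)

    setattr(target_module, name, shim)
    return original


def redirect_writes(args, kwargs):
    """Attacker's rewrite: every write is silently sent to register 0xFF."""
    _register, value = args
    return (0xFF, value), kwargs


def detect_shim(target_module, baseline) -> list:
    """Names whose currently bound callable no longer matches the recorded fingerprint."""
    return [n for n, fp in baseline.items()
            if code_fingerprint(getattr(target_module, n)) != fp]


def demo():
    """Run one clean write, one shimmed write, and the detector before and after."""
    WRITES.clear()
    driver.write(0x10, 1)                     # reaches register 0x10 as requested
    tampered_before = detect_shim(driver, BASELINE)
    original = install_shim(driver, "write", redirect_writes)
    shim_name = driver.write.__name__         # still "_write": the shim is transparent
    driver.write(0x10, 2)                     # caller asked for 0x10, device gets 0xFF
    tampered_after = detect_shim(driver, BASELINE)
    setattr(driver, "write", original)        # restore the genuine driver call
    return list(WRITES), tampered_before, tampered_after, shim_name


if __name__ == "__main__":
    print(demo())
```

The caller's view of the call never changes, which is why the page calls the technique transparent; only a check that looks at what is actually bound (the bytecode here, the signed driver image on a real host) catches the substitution.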
The changing of the design of existing code
refactoring
To assess risk, one should include the testing of technology assets to identify any vulnerabilities through a ____ ____.
vulnerability scan
A(n) ____ ____ ____ attempts to actually penetrate a system to perform a simulated attack.
intrusive vulnerability scan
Is an intrusive vulnerability scan preferable to a non-intrusive vulnerability scan?
Yes
A(n) ____ ____ ____ uses available information to simulate a penetration of a system without actually attempting it.
non-intrusive vulnerability scan
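The two vulnerability scan cards above distinguish attempting a penetration from hypothesizing one. The following added example (not from the course text) shows the non-intrusive side: it reads service banners (constructed here) and decides from the advertised version alone whether a host is probably vulnerable. The product names and the fixed-in versions are invented for illustration and do not describe real advisories; a real scanner loads that table from a vulnerability feed.

```python
"""Non-intrusive vulnerability assessment from service banners
(added example, not course material)."""
import re

# Constructed banners, as a scanner might collect them from open ports.
BANNERS = {
    "10.0.0.5:22": "SSH-2.0-ExampleSSH_7.4",
    "10.0.0.5:80": "Server: ExampleHTTPD/2.4.29 (Unix)",
    "10.0.0.7:22": "SSH-2.0-ExampleSSH_8.9p1",
    "10.0.0.9:21": "220 Welcome to the FTP server",   # no version advertised
}

# Hypothetical rules: product -> first fixed version. Anything below is flagged.
FIXED_IN = {
    "ExampleSSH": (8, 0),
    "ExampleHTTPD": (2, 4, 30),
}

BANNER_RE = re.compile(r"(ExampleSSH|ExampleHTTPD)[_/](\d+(?:\.\d+)*)")


def parse_version(banner: str):
    """Return (product, version tuple) or None when the banner gives no usable version."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def is_below(version, fixed) -> bool:
    """Compare version tuples of unequal length, so 8 and 8.0 are the same version."""
    n = max(len(version), len(fixed))
    return version + (0,) * (n - len(version)) < fixed + (0,) * (n - len(fixed))


def assess(banners):
    """Map endpoint -> 'vulnerable' / 'patched' / 'unknown'. This is a hypothesis:
    nothing is sent to the host beyond whatever produced the banner."""
    result = {}
    for endpoint, banner in banners.items():
        parsed = parse_version(banner)
        if parsed is None or parsed[0] not in FIXED_IN:
            result[endpoint] = "unknown"   # only an intrusive scan could say more
            continue
        product, version = parsed
        result[endpoint] = "vulnerable" if is_below(version, FIXED_IN[product]) else "patched"
    return result


if __name__ == "__main__":
    for endpoint, verdict in assess(BANNERS).items():
        print(f"{endpoint:14} {verdict}")
```

The "unknown" and the version-only verdicts are the caveat to the card before this one: banners can be edited, and distributions often backport fixes without bumping the advertised version, so a non-intrusive scan produces false positives and false negatives that only an intrusive scan, which actually attempts the penetration, can settle.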
According to the book, how much in total did Target pay in fines for their security breach?
153 Million