Chapter 11 Practice Questions
Terms in this set (20)
A security manager needs to identify a policy that will reduce the risk of personnel within an
organization colluding to embezzle company funds. Which of the following is the BEST choice?
C. Mandatory vacations
D. Time-of-day restrictions
C. Mandatory vacations help to reduce the possibility of fraud and embezzlement. An acceptable
use policy informs users of company policies and even though users sign them, they don't deter
someone considering theft by embezzling funds. Training can help reduce incidents by ensuring
personnel are aware of appropriate policies. Time-of-day restrictions prevent users from logging on
during restricted times.
A security auditor discovered that several employees in the Accounting department can print and
sign checks. In her final report, she recommended restricting the number of people who can print
checks and the number of people who can sign them. She also recommended that no one should be
authorized to print and sign checks. What policy is she recommending?
A. Discretionary access control
B. Rule-based access control
C. Separation of duties
D. Job rotation
C. This recommendation is enforcing a separation of duties principle, which prevents any single
person from performing multiple job functions that might allow the person to commit fraud.
Discretionary access control specifies that every object has an owner, but doesn't separate duties.
Devices such as routers use a rule-based access control model, but it doesn't separate duties. Job
rotation policies rotate employees into different jobs, but they don't necessarily separate job
Your organization includes a software development division within the IT department. One
developer writes and maintains applications for the Sales and Marketing departments. A second
developer writes and maintains applications for the Payroll department. Once a year, they have to
switch roles for at least a month. What is the purpose of this practice?
A. To enforce a separation of duties policy
B. To enforce a mandatory vacation policy
C. To enforce a job rotation policy
D. To enforce an acceptable use policy
C. This practice enforces a job rotation policy where employees rotate into different jobs, and is
designed to reduce potential incidents. A separation of duties policy prevents any single person from
performing multiple job functions to help prevent fraud, but it doesn't force users to switch roles. A
mandatory vacation policy requires employees to take time away from their job. An acceptable use
policy informs users of their responsibilities when using an organization's equipment.
A security manager is reviewing security policies related to data loss. Which of the following is
the security administrator MOST likely to be reviewing?
A. Clean desk policy
B. Separation of duties
C. Job rotation
D. Change management
A. A clean desk policy requires users to organize their areas to reduce the risk of possible data
theft and password compromise. A separation of duties policy separates individual tasks of an
overall function between different people. Job rotation policies require employees to change roles on
a regular basis. Change management helps reduce intended outages from changes.
Get Certified Get Ahead (GCGA) has outsourced some application development to your
organization. Unfortunately, developers at your organization are having problems getting an
application module to work and they want to send the module with accompanying data to a third-party
vendor for help in resolving the problem. Which of the following should developers consider before
A. Ensure that data in transit is encrypted.
B. Review NDAs.
C. Identify the classification of the data.
D. Verify the third party has an NDA in place.
B. Developers should review the non-disclosure agreements (NDAs) and verify that sharing data
with a third party doesn't violate any existing NDAs. Encrypting data in transit protects its
confidentiality while in transit, but it won't protect it from a third party accessing it after receiving it.
The classification of the data isn't as relevant as the NDA in this situation. An NDA between the third
party and your organization isn't relevant, if the NDA between you and the hiring organization states
you cannot share the data.
Two companies have decided to work together on a project and implemented an MOU. Which of
the following represents the GREATEST security risk in this situation?
A. An MOU doesn't define responsibilities.
B. An MOU includes monetary penalties if one party doesn't meet its responsibilities.
C. An MOU can impose strict requirements for connections.
D. An MOU doesn't have strict guidelines to protect sensitive data.
D. A memorandum of understanding (MOU) represents an agreement and it doesn't have strict
guidelines to protect sensitive data. An MOU does define responsibilities between the parties. A
service level agreement (SLA) might include monetary penalties, but an MOU does not. An
interconnection security agreement (ISA) includes strict requirements for connections and is often
used with an MOU.
Your organization is considering storage of sensitive data in a cloud provider. Your organization
wants to ensure the data is encrypted while at rest and while in transit. What type of interoperability
agreement can your organization use to ensure the data is encrypted while in transit?
D. An interconnection security agreement (ISA) specifies technical and security requirements for
secure connections and can ensure data is encrypted while in transit. None of the other agreements
address the connection. A service level agreement (SLA) stipulates performance expectations of a
vendor. A business partners agreement (BPA) is a written agreement for business partners. A
memorandum of understanding (MOU) expresses an understanding between two parties to work
A user recently worked with classified data on an unclassified system. You need to sanitize all the
reclaimed space on this system's hard drives while keeping the system operational. Which of the
following methods will BEST meet this goal?
A. Use a cluster tip wiping tool.
B. Use a file shredding tool.
C. Degauss the disk.
D. Physically destroy the disk.
A. A cluster tip wiping tool sanitizes reclaimed space on hard drives. The cluster tip is the extra
space in the last cluster of a file, which can hold remnants of data. A file shredding tool successfully
erases a file, but does not affect clusters in reclaimed space. Degaussing the disk magnetically erases
it, and physically destroying the disk is the most secure method protecting its confidentiality, but both
of these methods take the system out of operation.
A network administrator needs to update the operating system on switches used within the network.
Assuming the organization is following standard best practices, what should the administrator do
A. Submit a request using the baseline configuration process.
B. Submit a request using the incident management process.
C. Submit a request using the change management process.
D. Submit a request using the application patch management process.
C. The network administrator should submit a change using the change management process, which
is the same process that is typically used for changes to any devices or systems. A baseline
configuration identifies the starting configuration. Incident management addresses security incidents.
A regular patch management process typically includes following change management, but application
patch management does not apply to devices.
Security personnel recently released an online training module advising employees not to share
personal information on any social media web sites that they visit. What is this advice MOST likely
trying to prevent?
A. Spending time on non-work-related sites
B. Phishing attack
C. Cognitive password attacks
D. Rainbow table attack
C. A cognitive password attack utilizes information that a person would know, such as the name
of their first pet or their favorite color. If this information is available on Facebook or another social
media site, attackers can use it to change the user's password. This advice has nothing to do with
employees visiting the sites, only with what they post. Although attackers may use this information in
a phishing attack, they can also launch phishing attacks without this information. A rainbow table
attack is a password attack, but it uses a database of precalculated hashes.
Your organization blocks access to social media web sites. The primary purpose is to prevent
data leakage, such as the accidental disclosure of proprietary information. What is an additional
security benefit of this policy?
A. Improves employee productivity
B. Enables cognitive password attacks
C. Prevents P2P file sharing
D. Protects against banner ad malware
D. The primary benefit is protection against banner ad malware, also known as malvertisements.
Although the policy might result in improved employee productivity, this is not a security benefit. You
want to prevent cognitive password attacks, not enable them. Although organizations typically try to
prevent peer-to-peer (P2P) file sharing, this is done by blocking access to P2P sites, not social media
Your organization hosts a web-based server that remote administrators access via Telnet.
Management wants to increase their rights to prosecute unauthorized personnel who access this
server. Which of the following is the BEST choice?
A. Enable SSH instead of Telnet.
B. Enable banner ads.
C. Enable FTP logging.
D. Add a warning banner.
D. A warning banner displayed when personnel log on could inform them that unauthorized access
is restricted and is the best choice of those given. Although Secure Shell (SSH) is a more secure
alternative than Telnet, it doesn't impact the ability of prosecuting personnel. Banner ads are used on
web sites, not within a Telnet session. File Transfer Protocol (FTP) logging wouldn't log Telnet
An incident response team is following typical incident response procedures. Which of the
following phases is the BEST choice for analyzing an incident with a goal of identifying steps to
prevent a reoccurrence of the incident?
D. Lessons learned
D. You should analyze an incident during the lessons learned stage of incident response with the
goal of identifying steps to prevent reoccurrence. Preparation is a planning step done before an
incident, with the goal of preventing incidents and identifying methods to respond to incidents.
Identification is the first step after hearing about a potential incident to verify it is an incident.
Mitigation steps attempt to reduce the effects of the incident.
After a recent incident, a forensic analyst was given several hard drives to analyze. What should
the analyst do first?
A. Take screenshots and capture system images.
B. Take hashes and screenshots.
C. Take hashes and capture system images.
D. Perform antivirus scans and create chain-of-custody documents.
C. Forensic analysts capture images and take hashes before beginning analysis, and they only
analyze the image copies, not the original drive. Screenshots are taken when a computer is running.
An antivirus scan might modify the drive and chain-of-custody documents are created when evidence
A forensic expert is preparing to analyze a hard drive. Which of the following should the expert
A. Capture an image.
B. Identify the order of volatility.
C. Create a chain-of-custody document.
D. Take a screenshot.
A. Before analyzing a hard drive, a forensic expert should capture an image of the hard drive and
then analyze the image. This protects it from accidental modifications and preserves it as usable
evidence. The order of volatility identifies what data is most volatile (such as cache) and what is
least volatile (such as hard drives). A chain-of-custody document should be created when evidence is
first collected. A screenshot is taken when a system is operational.
A security analyst tagged a computer stating when he took possession of it. What is the BEST
explanation for this?
A. To calculate time offset
B. To ensure the system is decommissioned
C. To begin a chain of custody
D. To implement separation of duties
C. A chain of custody identifies who controlled evidence after it was confiscated. It can start with
a tag when a person collects the evidence. Security analysts later create a chain-of-custody log to
detail who controlled the evidence at different times. Time offset is related to different time zones or
times recorded on a video recorder. A security analyst would confiscate a computer to analyze it, not
decommission it. Separation of duties is related to people, not computers.
You are helping your organization create a security policy for incident response. Of the following
choices, what is the BEST choice to include when an incident requires confiscation of a physical
A. Ensure hashes are taken first.
B. Ensure witnesses sign an AUP.
C. Maintain the order of volatility.
D. Keep a record of everyone who took possession of the physical asset.
D. It's important to keep a chain of custody for any confiscated physical items and the chain of
custody is a record of everyone who took possession of the asset after it was first confiscated. Hashes
should be taken before capturing an image, but they are not required before confiscating equipment.
Users, not witnesses, sign an acceptable use policy (AUP). Security personnel should be aware of the
order of volatility, but there isn't any way to maintain the order.
An administrator recently learned of an attack on a Virginia-based web server from IP address
126.96.36.199 at 11:35:33 GMT. However, after investigating the logs, he is unable to see any traffic
from that IP address at that time. Which of the following is the MOST likely reason why the
administrator was unable to identify the attack?
A. He did not account for time offsets.
B. He did not capture an image.
C. The IP address has expired.
D. The logs were erased when the system was rebooted.
A. The most likely reason is that he did not account for the time offset. The attack occurred at
11:35:33 Greenwich Mean Time (GMT) and the web server is in the Eastern Standard Time (EST)
zone in Virginia, which is five hours different from GMT. There is no need to capture an image to
view logs. IP addresses on the Internet do not expire. Logs are written to a hard drive or a central
location; they are not erased when a system is rebooted.
Personnel in an organization are sharing their access codes to cipher locks with unauthorized
personnel. As a result, unauthorized personnel are accessing restricted areas of the building. What is
the BEST response to reduce this risk?
A. Implement a management control.
B. Implement a technical control.
C. Implement an AUP.
D. Provide security training to personnel.
D. The best response of those listed is to provide training to personnel on the importance of
keeping access codes private. Management controls include policies and assessments, but they won't
necessarily focus on sharing access codes. Technical controls won't do any good if personnel are
bypassing them, which is the case in this scenario. If an acceptable use policy (AUP) isn't
implemented, it would be a good idea to implement one. However, it addresses usage of systems, and
not necessarily cipher access codes.
Your organization has spent a significant amount of money on training employees on security
awareness. Your organization wants to validate the success of this training. Which of the following is
the BEST choice?
A. Implement role-based training.
B. Use metrics.
C. Use security policies.
D. Verify PII.
B. Metrics are measurements and you can use them to validate the success of a security awareness
program. Role-based training is targeted training, but it does not validate the success of training.
Training would typically teach employees about a security policy, but the policy doesn't provide
measurements. Personally Identifiable Information (PII) might be part of the training, but PII cannot