ITN 262 MIDTERM Questions with
Detailed Verified Answers
Question: A security analyst is performing a security assessment. The analyst
should not:
Ans: take actions to mitigate a serious risk.
Question: Which of the following yields a more specific set of attacks tied to
our particular threat agents?
Ans: Attack matrix
Question: Which of the following produces a risk to an asset?
Ans: A threat agent and an attack the agent can perform
Question: Which of the following describes the effect of the Digital
Millennium Copyright Act (DMCA) on the investigation and publication of
security flaws in commercial equipment?
Ans: It restricts the publication of techniques to reverse-engineer copy
protection schemes.
Question: Which of the following most often forbids people from performing
trial-and-error attacks on computer systems?
Ans: Acceptable use policies
Question: Section 1.6.2 outlines a procedure for disclosing security
vulnerabilities in a commercial device or product. Assume that we have
discovered a vulnerability in a commercial product. The vendor has not
acknowledged our initial vulnerability report or communicated with us in any
other way. They have not announced the vulnerability to the public. We wish
to warn the public of the vulnerability as soon as is ethically defensible. Given
the procedure in Section 1.6.2, which of the following is the best course of
action?
Ans: After 30 days, announce that the vulnerability exists, and describe
how to reduce a system's risk of attack through that vulnerability.
Question: Given the vulnerability disclosure procedure in Section 1.6.2 and
the story of Michael Lynn's presentation of a Cisco router vulnerability at Black
Hat 2005, which of the following most accurately describes Lynn's action?
Ans: Lynn acted ethically because the vulnerability had already been
reported and patched, and he did not describe how to exploit the
vulnerability.
Question: When disclosing a security vulnerability in a system or software, the
manufacturer should avoid:
Ans: including enough detail to allow an attacker to exploit the
vulnerability.
Question: A risk assessment involves which of the following?
Ans: Identifying risks, Prioritizing Risks
Question: The character that separates directories in a Windows directory
path is:
Ans: the backslash (\).
Question: Bob has set up three user IDs on his computer. Match his login with
what happens when he creates a file.
Ans:
Logged in as "Superbob": files belong to "Superbob"
Logged in as "Suitemates": files belong to "Suitemates"
Logged in as "Bob": files belong to "Bob"
Question: Two mechanisms to apply initial access rights are: