Complete Solutions
/. A user copies files from her desktop to a USB flash drive and puts the device into her pocket. Which of the following security risks is most pressing? - Answer-Confidentiality
/. Smart phones with cameras and internet capabilities pose a risk to which security concept? - Answer-Confidentiality
/. By definition, which security concept ensures that only authorized parties can access data? - Answer-Confidentiality
/. Your computer system is a participant in an asymmetric cryptography system. You've created a message to send to another user. Before transmission, you hash the message and encrypt the hash using your private key. You then attach this encrypted hash to your message as a digital signature before sending it to the other user. In this example, what protection does the hashing activity provide? - Answer-Integrity
/. Which of the following is an example of an internal threat? - Answer-A user accidentally deletes the new product designs.
/. What is the greatest threat to confidentiality in most secure organizations? - Answer-USB devices
/. Which of the following is the correct definition of a threat? - Answer-Any potential danger to the confidentiality, integrity, or availability of information or systems.
/. Which of the following is an example of a vulnerability? - Answer-A misconfigured server.
/. By definition, which security concept uses the ability to prove that a sender sent an encrypted message? - Answer-Non-repudiation
/. Which of the following is not a valid concept to associate with integrity? - Answer-Control access to resources to prevent unwanted access.
/. Which of the following is the best definition of the term hacker? - Answer-A general term used to describe any individual who uses their technical knowledge to gain unauthorized access to an organization.
/. What is the constant change in personal habits and passwords to prevent anticipated events and exploitation? - Answer-Randomness
/. What is defined as giving users only the access they need to do their job and nothing more? - Answer-Principle of least privilege.
/. What is defined as diversifying layers of defense? - Answer-Variety
/. What is defined as implementing multiple security measures to protect the same asset? - Answer-Layering
/. What is defined as eliminating single points of failure? - Answer-Layering
/. A script kiddie is a threat actor who lacks knowledge and sophistication. Script kiddie attacks often seek to exploit well-known vulnerabilities in systems. What is the best defense against script kiddie attacks? - Answer-Keep systems up-to-date and use standard security practices.
/. The IT manager in your organization proposed taking steps to protect against a potential threat actor. The proposal includes the following:
-Create and follow on-boarding and off-boarding procedures
-Employ the principle of least privilege
-Have appropriate physical security controls in place
Which type of threat actor do these steps guard against? - Answer-Insider
/. Which of the following threat actors seeks to defame, shed light on, or cripple an organization or government? - Answer-Hacktivist
/. What attack strategy is defined as stealing information? - Answer-Exploitation
/. What attack strategy is defined as preparing a computer to perform additional tasks in the attack? - Answer-Staging
/. What attack strategy is defined as crashing systems? - Answer-Exploitation
/. What attack strategy is defined as gathering system hardware information? - Answer-Reconnaissance
/. What attack strategy is defined as penetrating system defenses to gain unauthorized access? - Answer-Breaching
/. What attack strategy is defined as configuring additional rights to do more than breach the system? - Answer-Escalating privileges
/. What security layer includes fences, door locks, mantraps, turnstiles, device locks, and server cages? - Answer-Physical
/. What security layer includes each individual workstation, laptop, and mobile device? - Answer-Host
/. What security layer includes authentication and authorization, user management, and group policies? - Answer-Application
/. What security layer includes cameras, motion detectors, and even environmental controls? - Answer-Physical
/. What security layer includes the implementation of VLANs, penetration testing, and the utilization of virtualization? - Answer-Network
/. Which of the following is the single greatest threat to network security? - Answer-Employees
/. Which of the following reduces the risk of a threat agent being able to exploit a vulnerability? - Answer-Countermeasures
/. What security layer includes OS hardening, patch management, malware, and password attacks? - Answer-Host
/. What security layer includes how to manage employee on-boarding and off-boarding? - Answer-Policies, Procedures, and Awareness
/. What security layer includes cryptography and secure transmissions? - Answer-Data
/. What security layer includes user education and manageable network plans? - Answer-Policies, Procedures, and Awareness
/. What security layer includes firewalls using ACLs and securing the wireless network? - Answer-Perimeter
/. Which of the following is a security approach that combines multiple security controls and defenses and is sometimes called defense in depth? - Answer-Layered Security
/. Which type of media preparation is sufficient for media that will be reused in a different security context within your organization? - Answer-Sanitization
/. Which of the following is an example of privilege escalation? - Answer-Creeping privileges
/. Which security principle prevents any one administrator from having sufficient access to compromise the security of the overall IT solution? - Answer-Separation of duties
/. You assign access permissions so that users can only access the resources required to accomplish their specific work tasks. Which security principle are you complying with? - Answer-Principle of least privilege
/. An access control list (ACL) contains a list of users and allowed permissions. What is it called if the ACL automatically prevents access to anyone NOT on the list? - Answer-Implicit deny
/. You want to make sure that any reimbursement checks issued by your company cannot be issued by a single person. Which security principle should you implement to accomplish this goal? - Answer-Separation of duties
/. You are concerned that the accountant in your organization might have the chance to modify financial information and steal from the company. You want to periodically have another person take over all accounting responsibilities to catch any irregularities. Which security principle are you implementing by periodically shifting accounting responsibilities? - Answer-Job rotation
/. You want to implement an access control list where only the users you specifically authorize have access to the resource. Anyone not on the list should be prevented from having access. Which of the following methods of access control will the access list use? - Answer-Explicit allow, implicit deny
/. Which of the following principles is implemented in the mandatory access control model to determine object access by classification level? - Answer-Need to know
/. What is the primary purpose of separation of duties? - Answer-Prevent conflicts of interest
/. Separation of duties is an example of which type of access control? - Answer-Preventive
/. Need-to-know access is required to access which types of resources? - Answer-Compartmentalized resources
/. When a cryptographic system is used to protect data confidentiality, what actually takes place? - Answer-Unauthorized users are prevented from viewing or accessing the resource