CISA Domain 5 Questions

Data classification schemes involve assigning labels to data based on sensitivity levels like top secret, private, or public. Mandatory access controls cannot be modified by users unlike discretionary access controls. A spear phishing attack targets a specific group within an organization using a crafted email message. Sniffing network traffic does not help protect information assets on a peer-to-peer network. Biometric authentication uses physical attributes like fingerprints while multi-factor authentication uses multiple verification methods.

Uploaded by

eli

Classifying data should include which of the following definitions?

Classification of information assets (data), along with a detailed inventory, is the first step toward
protecting data.

Owner of the data

Vertical industry designation

Upcoming software release dates

The security administrator email address

Which of the following would NOT be an example of a data classification scheme?

Data classification schemes are designations or labels that define the levels of sensitivity of
information resources. "Uniform data" is not an appropriate label because it does not define a sensitivity
level.

Top Secret

Public Information

Uniform Data

Private Information

Which of the following would NOT be a type of logical system access?

Logical system access restricts access based on identification and authentication of the user. Locked
doors would be considered physical access.

Locked doors at the data center that will only open during normal business hours

Database passwords that must contain an upper case letter, a number, and a lower case letter

Access Control Lists on the routers that deny traffic from gambling sites

Logging into a kiosk computer with a user name and password

What is the key difference between mandatory access controls (MACs) and discretionary access controls
(DACs)?

Discretionary Access Controls can be modified or configured by the user. On the other hand,
Mandatory Access Controls cannot be controlled or modified by the users.

DACs are set by default and cannot easily be changed

MACs are stipulated by the state or federal government based on industry regulations

DACs can be configured by the users

MACs can be configured by the user


ABC Company security policy dictates that all computer users must provide a password to access the
wireless network. The security administrator wants to implement this company-wide policy. Which of
the following tools would be used to accomplish this task?

This example illustrates a good choice for Mandatory Access Control. The security administrator can
set a default access control using MACs, and these controls cannot be modified by the users. MACs are a
good choice when enforcing security controls for company-wide policies.

Mandatory Access Controls

Discretionary Access Controls

Terminal Access Controller Access System

Role-based Access Control

An auditor has been hired to perform an audit at a third-party vendor hosting ABC Company's
financial system. Which of the following might be an item of concern on the auditor's report?

Third-party information processing facilities can introduce risks to the security of an organization's data.
Network connections going offline for a period of time signal potential risks to the security of the data.

A contract was signed that details physical controls at the data center

A list of authorized data center employees is maintained

Network connections to the data center may go offline for periods of time

Logical access to proxy servers, and firewalls is documented and reviewed on a quarterly basis

Which of the following would NOT be a risk associated with computer crimes perpetrated against a
business?

Computer crimes can happen quickly and can be perpetrated from places around the globe. Debt
reduction is not related to computer crimes.

Financial loss

Debt Reduction

Credibility loss

Reputational loss

A specific computer is targeted in a crime and the perpetrator uses another computer to launch an
attack. This is an example of what kind of computer crime?

A Denial of Service (DoS) attack is usually targeted at a specific computer such as a web server or an
email server. The attacker uses one or more computers to launch the attack.

Installing key loggers

Denial of Service (DoS)

Phishing attack

War dialing

A computer attacker attempts to gain unauthorized access to an organization's network. She uses
password cracking tools and keeps trying over and over again to gain access. Which of the following best
describes this type of attack?

A brute-force attack is characterized by persistent, unauthorized attempts to access a resource.

Brute-force Attack

MAC Attack

Man-in-the-Middle Attack

Flooding Attack

A Spear Phishing attack is best characterized by which of the following?

Phishing attacks involve the fraudulent attempt to acquire sensitive information by pretending to be
a trustworthy company. A spear phishing attack targets a very specific group. For example, an attacker
might send a spear phishing email to the accounting department and make it appear to be from the
organization's trusted banking partner.

An attacker presents an identity other than the original identity to gain access to confidential data.
The attacker's access token resembles a spear.

An attacker targets a very specific group of people in an organization with a specially crafted email
message.

An attacker follows an authorized person through a secure door so closely that the two people
together resemble a spear.

There is a family of viruses targeting Microsoft Windows operating systems known as Spear
Phishing viruses.

Which of the following does NOT help protect information assets on a peer-to-peer network?

Sniffing traffic on networks helps analyze problems after they occur and does not lead to more
secure information assets.

Firewalls, VLANs, and other segregated networks

Up-to-date antivirus software on the hosts

Sniffing traffic generated by hosts on the network

Up-to-date operating systems that include recent security fixes


Instant Messaging can introduce which of the following security risks into an organization's network?

Instant messaging is a collaboration tool that allows users to share files. Files can potentially contain
hidden malware that steals company information.

Data Prevention

Data Leakage

Data Integrity

Data Unavailability

A corporate employee was on a social network site yesterday evening and he was researching sports
equipment. The next day at work, he receives an email with a link to free sports equipment. Which of the
following best describes this attack?

People share a great deal of information on social networking sites. The best explanation for this
attack is that the employee used his real name and company name on the social networking site, and
was then the target of a spear phishing attack.

Spear Phishing

Man-in-the-Middle Attack

Trojan Attack

URL Spoofing

An organization's computer security incident response team would be responsible for which of the
following tasks?

Computer security incident response teams are primarily responsible for minimizing damages from
security incidents and for learning from these incidents. Forensic investigations are structured
investigations that determine what exactly happened on a computing device. CSIRTs do not deploy
security software.

Background investigations

Forensic investigations

Deployment of security information event management software

Deployment of intrusion detection sensors on the network

Which of the following best describes a botnet attack?

A botnet attack is characterized by a collection of computers running malware, where the
collection as a whole is used to attack other computers.

A group of compromised computers, usually running software such as Trojans, that are used to
attack other computers

A group of compromised network devices usually creating a flood of TCP/SYN packets that lead to a
denial of service

A group of compromised computers usually running altered binary code used to break
cryptographic hashes

A group of compromised computers usually running zombie code that is used to cause a denial of
service attack against critical infrastructure

Authentication is a logical access control that can be categorized by all of the following attributes
EXCEPT:

Identification and authentication is the process of establishing a user's identity. All of these attributes
help identify a person except who a person would know.

Someone you know

Something you know

Something you have

Something you are

Multi-Factor authentication is characterized by which of the following:

Multi-factor authentication involves two different authentication techniques drawn from: something you know,
something you are, or something you have.

Two people verifying each other's identities

A user name and password

A password and a token

A Retina scan and fingerprint scan

The effectiveness of biometric devices is measured by the equal error rate (EER). Which of the following
best describes this metric?

The Equal Error Rate (EER) is the point at which the false rejection rate (FRR) and the false acceptance rate
(FAR) are equal.

An overall metric that demonstrates that FER and Type-I rates are equal

An overall metric that demonstrates that FRR and Type-I rates are equal

An overall metric that demonstrates that the FER and FAR rates are equal

An overall metric that demonstrates the FAR and FRR rates are equal

Which of the following is NOT a commonly used biometric device?

The ear is not used as a biometric device with computer systems, but is frequently used in television
criminal science shows for ear prints.

Palm

Iris

Ear

Face

Which of the following best describes a swipe card?

A swipe card has a magnetic strip with embedded data that allows access to a restricted area. Most
hotel room keys are swipe cards. It is a good practice to return the swipe keys to the front desk or
destroy them. Do not leave them in the hotel room, because they are encoded with personally identifiable
information.

Plastic card with a magnetic strip that contains encoded data to provide access to restricted areas

A plastic card that displays a person's name and his or her picture

A plastic card with an embedded chip that talks to a sensor and allows access to restricted areas

A plastic card with an embedded USB key that is synchronized with an authentication system
