Assignment

Part 1

1. You are evaluating assets and come across a server that must be operational 99.99 percent of the time. What would you use to achieve this?

a. Load balancing
b. Cold site
c. Warm site
d. Failover cluster

2. Which of the following is not a valid consideration when determining if a business function must remain available 24 hours a day, 7 days a week?

a. Direct revenue
b. Indirect revenue
c. Replacement value
d. Productivity

3. Which of the following would not be considered an asset?

a. Processes that provide services
b. Hardware
c. Software
d. Costs

4. Job rotation helps employees build skills in different areas of a company. What is a security-related goal of job rotation?

a. Eliminates need to hire new personnel
b. Reduces need for cross training
c. Helps an organization detect fraudulent activities
d. Provides separation of duties

5. What are data classifications used by the U.S. government?

a. Public, Private, and Proprietary
b. Confidential, Secret, and Top Secret
c. Public, Secret, and Top Secret
d. Proprietary, Private, Secret, and Top Secret

6. Which of the following is not a step within a risk assessment?

a. Identify assets
b. Identify threats and vulnerabilities
c. Identify countermeasures
d. Implement countermeasures

7. When evaluating asset values, which of the following is not a valid method?

a. Recovery value
b. Replacement value
c. Revenue generated during peak hours
d. Cost to get an asset operational after a failure

8. Which of the following is known as an approved list of e-mail addresses or e-mail domains?

a. White hat
b. Black hat
c. Whitelist
d. Blacklist

9. During a risk assessment, you determine that a business function must be able to function if a disaster occurs. However, you must minimize costs. What type of site is the least expensive?

a. Cold site
b. Hot site
c. Warm site
d. Clustering site

10. Which of the following methods are not included in a typical vulnerability assessment?

a. Identify IP addresses
b. Identify operating systems
c. Identify users
d. Identify open ports

11. Which of the following statements regarding a risk assessment (RA) is true?

a. An RA is designed to eliminate risk
b. An RA is an ongoing process
c. An RA provides an assessment for a point in time
d. Ideally an RA will not be limited by a scope

12. A company issues laptop computers to 100 employees. The value of each laptop including hardware, software, and data is $1,000. On average, employees lose one laptop a month. Management determines that it can purchase controls for a total of $100 for each computer and reduce the number of lost laptops to four per year. Should they purchase the locks?

a. Yes, because the savings is greater than the cost of the control.
b. Yes, because the cost of the control is greater than the savings.
c. No, because the savings is greater than the cost of the control.
d. No, because the cost of the control is greater than the savings.

13. A company issues laptop computers to 100 employees. The value of each laptop including hardware, software, and data is $1,000. On average, employees lose one laptop a month. What is the ALE?

a. 12
b. 100
c. $1,000
d. $12,000

14. What type of risk assessment uses a subjective method to assess a risk?

a. Quantitative
b. Qualitative
c. Ongoing
d. Probability-based

15. You are analyzing a risk and have determined that the SLE is $1,500 and the ARO is 5. What is the ALE?

a. Unable to determine with information given
b. $300
c. $7,500
d. $90,000

16. What would an organization include in a risk management plan to compare the cost of a recommendation with the projected benefit?

a. POAM
b. TCO
c. CBA
d. RA

17. What is scope?

a. Boundaries of a plan
b. Order of RA steps
c. Analyzing records
d. A list of responsibilities

18. Which of the following will be included in a risk management report?

a. Policies
b. Audit reports
c. Standards
d. Recommendations

19. You are using a cause and effect diagram to identify threats and vulnerabilities. However, you are concerned the focus is to narrow. What elements can you include to ensure the diagram is balanced?

a. Methods, policies, standards, procedures
b. Tangible and intangible costs
c. Methods, machinery, manpower, materials, environment
d. POAM, CBA, and TOC

20. A risk management team decides to identify threats, vulnerabilities, and recommendations using an affinity diagram. Which of the following is not one of the basic steps used to create an affinity diagram?

a. Create a problem statement
b. Identify unacceptable suggestions
c. Generate ideas
d. Mitigate risks

21. A series of events have been recorded in several logs. What is this?

a. System logging
b. Security logging
c. Audit trail
d. Intrusion detection system

22. An authorized person follows an employee into a secure area. The employee used the cipher code to gain access but the unauthorized person did not. What is this?

a. Tailbacking
b. Social trusting
c. Syn Flood
d. Piggybacking

23. What type of attack consumes resources on a server by initiating but not completing TCP sessions?

a. TCP Syn flood
b. UDP Syn flood
c. DDoS
d. MAC flood

24. An organization uses configuration management techniques to ensure that systems are configured similarly. What is used to ensure that these systems are not modified?

a. Compliance auditing
b. Patch management
c. Gap analysis
d. Penetration testing

25. Administrators within an organization routinely modify system configurations during day-to-day work. This has resulted in some IT outages. What can this company implement to reduce these outages?

a. Systems training
b. Patch management
c. Change management
d. Gap analysis requirements

Part 2

Descriptive Questions (Please type your answers in the space provided)

The following questions are about identifying risks, threats and vulnerabilities in an IT infrastructure using tools such as ZeNmapGUI (Nmap) and Nessus.You will need to familiarize yourself with some fundamental knowledge of ZeNmap and Nessus to answer these questions.

1. What are the differences between ZeNmap GUI (Nmap) and Nessus?

2. Which scanning application is better for performing a network discovery reconnaissance probing of an IP network infrastructure?

3. While Nessus provides suggestions for remediation steps, what else does Nessus provide that can help you assess the risk impact of the identified software vulnerability?

4. Are open ports necessarily a risk? Why or why not?

5. When you identify known software vulnerability, where can you go to assess the risk impact of the software vulnerability?

6. If Nessus provides a pointer in the vulnerability assessment scan report to look up CVE- 2009- 3555 when using the CVE search listing, specify what this CVE is, what the potential exploits are, and assess the severity of the vulnerability.

7. Explain how the CVE search listing can be a tool for security practitioners and a tool for hackers.

8. Which tool should be used first if performing an ethical hacking penetration test and why?