What name is given to a method of developing software that

1. What name is given to a method of developing software that is based on small project iterations, or sprints, instead of long project schedules?

A. baseline
B. waterfall model
C. agile development
D. sprint

2. What is meant by authorizing official (AO)?

A. An individual to enact changes in response to reported problems.
B. The process of managing changes to computer/device configuration or application software.
C. A senior manager who reviews a certification report and makes the decision to approve the system for implementation.
D. A mandated requirement for a hardware or software solution that is used to deal with a security risk throughout the organization.

3. What term is used to describe a benchmark used to make sure that a system provides a minimum level of security across multiple applications and across different products?

A. configuration control
B. functional policy
C. baseline
D. authorizing official (AO)

4. What is meant by certification?

A. The formal acceptance by the authorizing official of the risk of implementing the system.
B. A strategy to minimize risk by rotating employees between various systems or duties.
C. The technical evaluation of a system to provide assurance that you have implemented the system correctly.
D. A group that is responsible for protecting sensitive data in the event of a natural disaster or equipment failure, among other potential emergencies.

5. What or who is the individual or team responsible for performing the security test and evaluation for the system and for preparing the report for the AO on the risk of operating the system?

A. remediation
B. certifier
C. compliance liaison
D. system owners

6. ________ is the process of managing changes to computer/device configuration or application software.

A. Sprint
B. Procedure control
C. Change control
D. Proactive change management

7. ________ states that users must never leave sensitive information in plain view on an unattended desk or workstation.

A. Procedure management
B. Emergency operations policy
C. Clean desk/clear screen policy
D. Security administration policy

8. The process of managing the baseline settings of a system device is called ________.

A. guideline
B. baseline
C. configuration control
D. sprint

9. The name given to a group that is responsible for protecting sensitive data in the event of a natural disaster or equipment failure, among other potential emergencies, is ________.

A. emergency operations group
B. security event team
C. guideline control
D. security administration

10. Which of the following is the definition of guideline?

A. A method of developing software that is based on small project iterations, or sprints, instead of long project schedules.
B. Recorded information from system events that describes security-related activity.
C. A recommendation to purchase or how to use a product or system.
D. A senior manager who reviews a certification report and makes the decision to approve the system for implementation.

11. Which of the following is the definition of anomaly-based IDS?

A. An intrusion detection system that compares current activity with stored profiles of normal (expected) activity.
B. The state of a computer or device in which you have turned off or disabled unnecessary services and protected the ones that are still running.
C. An intrusion detection system that uses pattern matching and stateful matching to compare current traffic with activity patterns (signatures) of known network intruders.
D. Using tools to determine the layout and services running on an organization's systems and networks.

12. Audits also often look at the current configuration of a system as a snapshot in time to verify that it complies with ________.

A. controls
B. management
C. standards
D. plan

13. As your organization evolves and as threats mature, it is important to make sure your __________ still meet(s) the risks you face today.

A. configuration
B. controls
C. monitoring
D. settings

14. One of the best ways to avoid wasting your organization's resources is to ensure that you follow the ________ review cycle.

A. audit
B. security
C. benchmark
D. monitoring

15. It's essential to match your organization's required __________ with its security structure.

A. monitoring
B. permission level
C. operating system
D. recommendations

16. Security audits help ensure that your rules and __________ are up to date, documented, and subject to change control procedures.

A. applications
B. mitigation activities
C. configurations
D. recommendations

17. ________ gives you the opportunity to review your risk-management program and to confirm that the program has correctly identified and reduced (or otherwise addressed) the risks to your organization.

A. Penetration testing
B. Real-time monitoring
C. An audit
D. Vulnerability testing

18. Audits are necessary because of ________.

A. potential liability
B. negligence
C. mandatory regulatory compliance
D. all of the above

19. _________ was developed for organizations such as insurance and medical claims processors, telecommunication service providers, managed services providers, and credit card transaction processing companies.

A. Real-time monitoring
B. Gray-box testing
C. SAS 70
D. White-box testing

20. The ___________ framework defines the scope and contents of three levels of audit reports.

A. Service Organization Control (SOC)
B. permission-level
C. real-time monitoring
D. zone transfer

21. SOC 2 and SOC 3 reports both address primarily ________-related controls.

A. security
B. financial reporting
C. management
D. communication

22. The primary difference between SOC 2 and SOC 3 reports is ________.

A. their length
B. the number of auditors involved
C. their focus
D. their audience

23. If knowing about an audit changes user behavior, an audit will ____________.

A. not be accurate
B. be more accurate
C. skew results
D. not be required

24. ________ provides information on what is happening as it happens.

A. Real-time monitoring
B. Pattern-based (or signature-based) IDS
C. Vulnerability testing
D. Security

25. Which of the following is the definition of false negative?

A. The process of gathering the wrong information.
B. Incorrectly identifying abnormal activity as normal.
C. Analysis of activity as it is happening.
D. A method of security testing that isn't based directly on knowledge of a program's architecture.

26. What is meant by gray-box testing?

A. Any activities designed to reduce the severity of a vulnerability or remove it altogether.
B. Security testing that is based on limited knowledge of an application's design.
C. A technique of matching network traffic with rules or signatures based on the appearance of the traffic and its relationship to other packets.
D. Analysis of activity as it is happening.

27. Which of the following is the definition of hardened configuration?

A. Incorrectly identifying abnormal activity as normal.
B. The state of a computer or device in which you have turned off or disabled unnecessary services and protected the ones that are still running.
C. Using tools to determine the layout and services running on an organization's systems and networks.
D. A method of security testing that isn't based directly on knowledge of a program's architecture.

28. Which of the following defines network mapping?

A. The standard by which your computer or device is compared to determine if it's securely configured.
B. A method of security testing that isn't based directly on knowledge of a program's architecture.
C. Using tools to determine the layout and services running on an organization's systems and networks.
D. A process of finding the weaknesses in a system and determining which places may be attack points.

29. What term is used to describe a reconnaissance technique that enables an attacker to use port mapping to learn which operating system and version are running on a computer?

A. false negative
B. operating system fingerprinting
C. Security Information and Event Management (SIEM) system
D. network mapping

30. Which of the following is the definition of pattern-based IDS?

A. The state of a computer or device in which you have turned off or disabled unnecessary services and protected the ones that are still running.
B. An intrusion detection system that uses pattern matching and stateful matching to compare current traffic with activity patterns (signatures) of known network intruders.
C. Software and devices that assist in collecting, storing, and analyzing the contents of log files.
D. A technique of matching network traffic with rules or signatures based on the appearance of the traffic and its relationship to other packets.

31. How your organization responds to risk reflects the value it puts on its ___________.

A. environment
B. assets
C. technology
D. vulnerability

32. A countermeasure, without a corresponding __________, is a solution seeking a problem; you can never justify the cost.

A. risk
B. control
C. event
D. response

33. It is necessary to create and/or maintain a plan that makes sure your company continues to operate in the face of disaster. This is known as a ________.

A. critical business function
B. disaster plan
C. business continuity plan
D. risk management plan

34. ___________ is the likelihood that a particular threat exposes a vulnerability that could damage your organization.

A. Backup
B. Incident
C. Risk
D. Preventive control

35. A _____________ is a flaw or weakness in a system's security procedures, design, implementation, or internal controls.

A. threat
B. impact
C. risk
D. vulnerability

36. ___________ refers to the amount of harm a threat can cause by exploiting a vulnerability.

A. Impact
B. Threat
C. Risk
D. Incident

37. An attacker or event that might exploit a vulnerability is a(n) ____________.

A. incident
B. threat source
C. cost
D. hacker

38. A(n) ________ is an intent and method to exploit a vulnerability.

A. impact
B. incident
C. threat source
D. safeguard

39. A threat source can be a situation or method that might accidentally trigger a(n) ____________.

A. event
B. incident
C. vulnerability
D. control

40. A(n) ________ is a measurable occurrence that has an impact on the business.

A. corrective control
B. event
C. cost
D. critical business function

41. A control involved in the process of developing and ensuring compliance with policy and procedures is the definition of ________.

A. technical control
B. preventive control
C. safeguard
D. administrative control

42. A measure installed to counter or address a specific threat is the definition of ________.

A. technical control
B. preventive control
C. countermeasure
D. administrative control

43. ________ attempts to describe risk in financial terms and put a dollar value on all the elements of a risk.

A. Risk management
B. Quantitative risk analysis
C. Qualitative risk analysis
D. Financial risk analysis

44. ________ is a risk management phase that includes assessment of various types of controls to mitigate the identified risks, selection of a control strategy, and justification of choice of controls.

A. Risk identification
B. Risk assessment
C. Inventory of assets
D. Identify threats and vulnerabilities

45. ________ represents the percentage of the asset value that will be lost if an incident were to occur.

A. Asset value
B. Exposure factor (EF)
C. Single loss expectancy
D. Annualized loss expectancy

46. What term is used to describe the probability that a potential vulnerability might be exercised within the construct of an associated threat environment?

A. likelihood
B. event
C. detective control
D. incident

47. A company can discontinue or decide not to enter a line of business if the risk level is too high. This is categorized as ________.

A. risk mitigation
B. risk assignment
C. risk acceptance
D. risk avoidance

48. An organization knows that a risk exists and has decided that the cost of reducing it is higher than the loss would be. This can include self-insuring or using a deductible. This is categorized as ________.

A. risk mitigation
B. risk assignment
C. risk acceptance
D. risk acceptance

49. ________ allows an organization to transfer risk to another entity. Insurance is a common way to reduce risk.

A. Risk mitigation
B. Risk assignment
C. Risk acceptance
D. Risk acceptance

50. ________ uses various controls to reduce identified risks. These controls might be administrative, technical, or physical.

A. Risk mitigation
B. Risk assignment
C. Risk acceptance
D. Risk acceptance

51. Cryptography accomplishes four security goals: confidentiality, integrity, authentication, and ________________.

A. security
B. privacy
C. nonrepudiation
D. reliability

52. Cryptography accomplishes four security goals: nonrepudiation, integrity, authentication, and ________________.

A. security
B. confidentiality
C. privacy
D. reliability

53. What term is used to describe a type of cryptography that uses a cipher with two separate keys, one for encryption and one for decryption, so that correspondents do not first have to exchange secret information to communicate securely?

A. hash
B. key distribution
C. asymmetric key cryptography
D. symmetric key cryptography

54. The number of possible keys to a cipher is a ___________.

A. checksum
B. cryptosystem
C. keyspace
D. key directory

55. Without any knowledge of the key, an attacker with access to an encrypted message and the decryption cipher could try every possible key to decode the message. This is referred to as ________.

A. decryption
B. breaking codes
C. brute-force attack
D. cryptanalysis

56. The most scrutinized cipher in history is the ________.

A. Data Encryption Standard (DES)
B. keyword mixed alphabet cipher
C. transposition cipher
D. Vigenère cipher

57. ________ is a one-way calculation of information that yields a result usually much smaller than the original message.

A. Caesar cipher
B. Checksum
C. Hash
D. Symmetric key

58. A ________ is one of the simplest substitution ciphers. It shifts each letter in the English alphabet a fixed number of positions, with Z wrapping back to A.

A. Caesar cipher
B. Vigenère cipher
C. transposition cipher
D. product cipher

59. _______________ enables you to prevent a party from denying a previous statement or action.

A. Authentication
B. Integrity
C. Nonrepudiation
D. Confidentiality

60. Certain security objectives add value to information systems. _________ provides an exact time when a producer creates or sends information.

A. Ownership
B. Timestamping
C. Revocation
D. Message authentication

61. Which OSI Reference Model layer includes all programs on a computer that interact with the network?

A. Presentation Layer
B. Session Layer
C. Network Layer
D. Application Layer

62. Which OSI Reference Model layer is responsible for the coding of data?

A. Presentation Layer
B. Session Layer
C. Data Link Layer
D. Transport Layer

63. Which OSI Reference Model layer is responsible for transmitting information on computers connected to the same local area network (LAN)?

A. Presentation Layer
B. Session Layer
C. Data Link Layer
D. Transport Layer

64. Which OSI Reference Model layer creates, maintains, and disconnects communications that take place between processes over the network?

A. Presentation Layer
B. Session Layer
C. Data Link Layer
D. Transport Layer

65. Which OSI Reference Model layer uses Media Access Control (MAC) addresses? Device manufacturers assign each hardware device a unique MAC address.

A. Data Link Layer
B. Presentation Layer
C. Transport Layer
D. Session Layer

66. Which OSI Reference Model layer must translate the binary ones and zeros of computer language into the language of the transport medium?

A. Data Link Layer
B. Transport Layer
C. Session Layer
D. Physical Layer

67. Which of the following is the definition of hub?

A. A device that connects two or more networks and selectively interchanges packets of data between them.
B. A network device that connects network segments, echoing all received traffic to all other ports.
C. A firewall device that examines the state of a connection as well as simple address, port, and protocol rules to determine how to process a packet.
D. A suite of protocols designed to connect sites securely using IP networks.

68. ________ is a suite of protocols designed to connect sites securely using IP networks.

A. Dynamic Host Configuration Protocol (DHCP)
B. Network access control (NAC)
C. Point-to-Point Tunneling Protocol (PPTP)
D. Internet Protocol Security (IPSec)

69. ________ allows the computer to get its configuration information from the network instead of the network administrator providing the configuration information to the computer. It provides a computer with an IP address, subnet mask, and other essential communication information, simplifying the network administrator's job.

A. Internet Protocol Security (IPSec)
B. Dynamic Host Configuration Protocol (DHCP)
C. Point-to-Point Tunneling Protocol (PPTP)
D. Internet Control Message Protocol (ICMP)

70. Network ________ is gathering information about a network for use in a future attack.

A. reconnaissance
B. eavesdropping
C. denial of service
D. surveying

71. A method to restrict access to a network based on identity or other rules is the definition of ________.

A. screened subnet
B. stateful inspection firewall
C. network access control (NAC)
D. Media Access Control (MAC)

72. A ___________ controls the flow of traffic by preventing unauthorized network traffic from entering or leaving a particular portion of the network.

A. hub
B. firewall
C. router
D. switch

73. A method to restrict access to a network based on identity or other rules is the definition of ________.

A. screened subnet
B. stateful inspection firewall
C. network access control (NAC)
D. network address translation (NAT)

74. What term is used to describe a method of IP address assignment that uses an alternate, public IP address to hide a system's real IP address?

A. application proxy firewall
B. network address translation (NAT)
C. Internet Control Message Protocol (ICMP)
D. network access control (NAC)

75. A _____________ contains rules that define the types of traffic that can come and go through a network.

A. firewall
B. hub
C. switch
D. network protocol

76. A firewall that examines each packet it receives and compares the packet to a list of rules configured by the network administrator is the definition of ________.

A. stateful inspection firewall
B. packet-filtering firewall
C. application proxy firewall
D. Point-to-Point Tunneling Protocol (PPTP)

77. Which of the following is the definition of packet-filtering firewall?

A. An advanced firewall that processes all traffic between two systems. Instead of allowing a direct connection between two systems, it connects to each system separately and passes filtered traffic to the destination based on filtering rules.
B. A firewall device that has three NICs. One NIC connects to the Internet, the second connects to the internal network, and the third connects to a DMZ.
C. A firewall that examines each packet it receives and compares the packet to a list of rules configured by the network administrator.
D. A protocol used on IP networks to provide configuration details automatically to client computers.

78. What name is given to a protocol to implement a VPN connection between two computers?

A. Dynamic Host Configuration Protocol (DHCP)
B. Internet Control Message Protocol (ICMP)
C. screened subnet
D. Point-to-Point Tunneling Protocol (PPTP)

79. What term is used to describe the current encryption standard for wireless networks?

A. wireless access point (WAP)
B. Wi-Fi Protected Access (WPA)
C. screened subnet
D. Wired Equivalent Privacy (WEP)

80. Which of the following is the definition of network address translation (NAT)?

A. A management protocol for IP networks.
B. A protocol to implement a VPN connection between two computers.
C. A method to restrict access to a network based on identity or other rules.
D. A method of IP address assignment that uses an alternate, public IP address to hide a system's real IP address.

81. Malicious code attacks all three information security properties. Malware can modify database records either immediately or over a period of time. This property is ________.

A. confidentiality
B. integrity
C. availability
D. security

82. Malicious code attacks all three information security properties. Malware can erase or overwrite files or inflict considerable damage to storage media. This property is ________.

A. confidentiality
B. integrity
C. availability
D. security

83. Which of the following is the definition of botnet?

A. A botnet is a type of virus that primarily infects executable programs.
B. A botnet consists of a network of compromised computers that attackers use to launch attacks and spread malware.
C. A botnet is a type of virus that includes a separate encryption engine that stores the virus body in encrypted format while duplicating the main body of the virus.
D. A botnet is a group of honeypots made to simulate a real live network, but isolated from it.

84. What term is used to describe a type of virus that attacks document files containing embedded macro programming capabilities?

A. file infector
B. multipartite virus
C. data infector
D. logic bomb

85. ________ are viruses that target computer hardware and software startup functions.

A. File infectors
B. System infectors
C. Data infectors
D. Stealth virus

86. A ________ is a virus that attacks and modifies executable programs (like COM, EXE, SYS, and DLL files).

A. file infector
B. system infector
C. data infector
D. stealth virus

87. A ________ enables the virus to take control and execute before the computer can load most protective measures.

A. file infector
B. system infector
C. data infector
D. program infector

88. A ________ is a type of virus that primarily infects executable programs.

A. file infector
B. system infector
C. data infector
D. program infector

89. Malware developers often use _____________ to write boot record infectors.

A. C programming language
B. C++ programming language
C. Java
D. assembly language

90. ________ include a separate encryption engine that stores the virus body in encrypted format while duplicating the main body of the virus.

A. Retro viruses
B. Stealth viruses
C. Polymorphic viruses
D. Multipartite viruses

91. ________ attack countermeasures such as antivirus signature files or integrity databases.

A. Retro viruses
B. Stealth viruses
C. Polymorphic viruses
D. Slow viruses

92. ________ counter the ability of antivirus programs to detect changes in infected files.

A. Retro viruses
B. Stealth viruses
C. Polymorphic viruses
D. Slow viruses

93. Unexplained increases in bandwidth consumption, high volumes of inbound and outbound e-mail during normal activity periods, a sudden increase in e-mail server storage utilization (this may trigger alarm thresholds set to monitor and manage disk/user partition space), and an unexplained decrease in available disk space are all telltale symptoms of a ________.

A. worm
B. Trojan
C. logic bomb
D. DoS

94. Unrecognized new processes running, startup messages indicating that new software has been (or is being) installed (registry updating), unresponsiveness of applications to normal commands, and unusual redirection of normal Web requests to unknown sites are all telltale symptoms of a ________.

A. worm
B. Trojan
C. logic bomb
D. DoS

95. A ___________ is a program that executes a malicious function of some kind when it detects certain conditions.

A. worm
B. Trojan
C. logic bomb
D. DoS

96. _____________ are the main source of distributed denial of service (DDoS) attacks and spam.

A. Logic bombs
B. Botnets
C. Stealth viruses
D. Trojans

97. In a __________, the attacker uses IP spoofing to send a large number of packets requesting connections to the victim computer. These appear to be legitimate but in fact reference a client system that is unable to respond.

A. smurf attack
B. phishing attack
C. DoS attack
D. SYN flood attack

98. In a _________, attackers direct forged Internet Control Message Protocol (ICMP) echo-request packets to IP broadcast addresses from remote locations to generate denial of service attacks.

A. phishing attack
B. SYN flood attack
C. polymorphic virus
D. smurf attack

99. A ____________ tricks users into providing logon information on what appears to be a legitimate Web site but is in fact a Web site set up by an attacker to obtain this information.

A. smurf attack
B. DDoS attack
C. phishing attack
D. Trojan

100. Whether software or hardware based, a ____________ captures keystrokes, or user entries, and then forwards that information to the attacker.

A. botnet
B. keystroke logger
C. file infector
D. logic bomb
