Test 3: Chapters 5-6

True/False
Indicate whether the statement is true or false.
 

 1. 

Baselining is the comparison of past security activities and events against the organization’s current performance.
 

 2. 

To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited.
 

 3. 

A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on it.
 

 4. 

Some information security experts argue that it is virtually impossible to determine the true value of information and information-bearing assets.
 

 5. 

Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets.
 

 6. 

You should adopt naming standards that do not convey information to potential system attackers.
 

 7. 

When determining the relative importance of each asset, refer to the organization’s mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts.
 

 8. 

According to Sun Tzu, if you know yourself and know your enemy you have an average chance to be successful in an engagement.
 

 9. 

Cost Benefit Analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended.
 

 10. 

In addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization.
 

 11. 

Know yourself means identifying, examining, and understanding the threats facing the organization.
 

 12. 

Residual risk is the risk that has not been removed, shifted, or planned for after vulnerabilities have been completely resolved.
 

 13. 

The threats-vulnerabilities-assets (TVA) worksheet is a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.
 

 14. 

If the acceptance strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and portray an apathetic approach to security in general.
 

 15. 

Risk control is the application of mechanisms to reduce the potential for loss or change to an organization’s information assets.
 

 16. 

Within a data classification scheme, comprehensive means that an information asset should fit in only one category.
 

 17. 

Organizations should communicate with system users throughout the development of the security program, letting them know that changes are coming, and reduce resistance to expected change through communication, education, and involvement.
 

 18. 

The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.
 

 19. 

The defense control strategy is the risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards, but is not the preferred approach to controlling risk.
 

 20. 

In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack, with the SLE being the product of the asset’s value and the annualized loss expectancy.
 

 21. 

When it is necessary to calculate, estimate, or derive values for information assets, you might give consideration to the value incurred from the cost of protecting the information.
 

 22. 

The value of information to the organization's competition should influence the asset's valuation.
 

 23. 

One advantage to benchmarking is that best practices change very little over time.
 

 24. 

Best business practices are often called recommended practices.
 

 25. 

The upper management of an organization must structure the IT and information security functions to defend the organization’s information assets.
 

 26. 

Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall’s database or violations of those rules.
 

 27. 

A content filter, also known as a reverse firewall, is a network device that allows administrators to restrict access to external content from within a network.
 

 28. 

Some firewalls can filter packets by protocol name.
 

 29. 

The application layer firewall is a firewall type capable of performing filtering at the application layer of the OSI model, most commonly based on the type of service.
 

 30. 

Good policy and practice dictates that each firewall device, whether a filtering router, bastion host, or other firewall implementation, must have its own set of configuration rules.
 

 31. 

It is important that e-mail traffic reach your e-mail server and only your e-mail server.
 

 32. 

Internet connections via dial-up lines are regaining popularity due to recent technological developments.
 

 33. 

The DMZ can be a dedicated port on the firewall device linking a single bastion host.
 

 34. 

A firewall cannot be deployed as a separate network containing a number of supporting devices.
 

 35. 

Circuit-level gateways usually look at data traffic flowing between networks rather than preventing direct connections between networks.
 

 36. 

Though not used as much in Windows environments, terminal emulation is still useful to systems administrators on Unix/Linux systems.
 

 37. 

Lattice-based access control is a form of access control in which users are assigned a matrix of authorizations for particular areas of access.
 

 38. 

Task-based controls are associated with the assigned role a user performs in an organization, such as a position or temporary assignment like project manager.
 

 39. 

When Web services are offered outside the firewall, HTTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture.
 

 40. 

Even if Kerberos servers are subjected to denial-of-service attacks, a client can still request additional services.
 

 41. 

The ability of a router to restrict traffic to a specific service is an advanced capability and not considered a standard feature for most routers.
 

 42. 

All organizations with a router at the boundary between the organization’s internal networks and the external service provider will experience improved network performance due to the complexity of the ACLs used to filter the packets.
 

 43. 

A VPN, used properly, allows a user to use the Internet as if it were a private network.
 

 44. 

Firewalls can be categorized by processing mode, development era, or structure.
 

 45. 

The RADIUS system decentralizes the responsibility for authenticating each user, by validating the user's credentials on the NAS server.
 

 46. 

Most current operating systems require specialized software to connect to VPN servers, as support for VPN services is no longer built into the clients.
 

 47. 

Accountability is the matching of an authenticated entity to a list of information assets and corresponding access levels.
 

 48. 

Good firewall rules include requiring that all data that is not verifiably authentic should be denied.
 

 49. 

A content filter is essentially a set of scripts or programs that restricts user access to certain networking protocols and Internet locations.
 

 50. 

Discretionary access control is an access control approach whereby the organization specifies use of resources based on the assignment of data classification schemes to resources and clearance levels to users.
 

 51. 

The screened subnet protects the DMZ systems and information from outside threats by providing a network with intermediate security, which means the network is less secure than the general public networks but more secure than the internal network.
 

Multiple Choice
Identify the choice that best completes the statement or answers the question.
 

 52. 

The formal decision making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) __________.
a. ARO
b. CBA
c. ALE
d. SLE
 

 53. 

The first phase of risk management is _________.
a. risk identification
b. design
c. risk control
d. risk evaluation
 

 54. 

The concept of competitive _________ refers to falling behind the competition.
a. disadvantage
b. drawback
c. failure
d. shortcoming
 

 55. 

__________ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the flood waters recede.
a. IR
b. DR
c. BC
d. BR
 

 56. 

A(n) _________ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
a. security clearance scheme
b. data recovery scheme
c. risk management scheme
d. data classification scheme
 

 57. 

Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For materials that are not considered 'National Security Information', __________ data is the lowest level classification.
a. Sensitive
b. Confidential
c. Unclassified
d. Public
 

 58. 

A(n) _________ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.
a. IP
b. FCO
c. CTO
d. HTTP
 

 59. 

The __________ is the difference between an organization’s observed and desired performance.
a. performance gap
b. objective
c. issue delta
d. risk assessment
 

 60. 

When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as __________.
a. baselining
b. best practices
c. benchmarking
d. standards of due care
 

 61. 

Risk _________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.
a. benefit
b. appetite
c. acceptance
d. avoidance
 

 62. 

__________ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures.
a. Qualitative assessment
b. Metric-centric model
c. Quantitative assessment
d. Value-specific constant
 

 63. 

Management of classified data includes its storage and _________.
a. distribution
b. portability
c. destruction
d. All of the above
 

 64. 

The __________ plan specifies the actions an organization can and should take while an adverse event (that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization) is in progress.
a. BC
b. DR
c. IR
d. BR
 

 65. 

_________ equals the probability of a successful attack times the expected loss from a successful attack plus an element of uncertainty.
a. Loss Magnitude
b. Risk
c. Loss Frequency
d. Loss
 

 66. 

In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria and then summing and ranking those scores.
a. threat assessment
b. risk management program
c. weighted factor analysis
d. data classification scheme
 

 67. 

_________ assigns a status level to employees to designate the maximum level of classified data they may access.
a. security clearance scheme
b. data recovery scheme
c. risk management scheme
d. data classification scheme
 

 68. 

__________ is simply how often you expect a specific type of attack to occur.
a. ARO
b. CBA
c. ALE
d. SLE
 

 69. 

The __________ control strategy attempts to shift risk to other assets, other processes, or other organizations.
a. transfer
b. defend
c. accept
d. mitigate
 

 70. 

The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range is called the __________.
a. loss frequency
b. annualized loss expectancy
c. likelihood
d. benefit of loss
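The following is an added worked example, not part of this test or the textbook it is drawn from, that carries the quantities named in questions 52, 65, 66, 68 and 70 through a calculation: single loss expectancy (SLE = asset value x exposure factor), annualized loss expectancy (ALE = SLE x ARO, with ARO the expected number of attacks per year), the cost-benefit analysis (CBA = ALE before the control - ALE after the control - annualized cost of the safeguard), and a weighted factor analysis that ranks assets by summing weighted criterion scores. The asset values, exposure factors, criteria, weights and scores are constructed for illustration and are assumptions, not figures from the text.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    scores: dict    # criterion name -> score from 0.1 (low) to 1.0 (high)


def weighted_factor_analysis(assets, weights):
    """Rank assets by sum(weight * score) over the criteria.
    Criterion weights are expected to total 100; scores run from 0.1 to 1.0."""
    if abs(sum(weights.values()) - 100) > 1e-9:
        raise ValueError("criterion weights must total 100")
    ranked = []
    for asset in assets:
        for criterion, score in asset.scores.items():
            if not 0.1 <= score <= 1.0:
                raise ValueError(f"{asset.name}: score for {criterion} outside 0.1-1.0")
        total = sum(weights[c] * asset.scores.get(c, 0.0) for c in weights)
        ranked.append((asset.name, round(total, 1)))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: the expected loss from one successful attack."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, where ARO is how often the attack is expected per year."""
    return sle * aro


def cost_benefit(ale_prior, ale_post, annual_cost_of_safeguard):
    """CBA = ALE(prior) - ALE(post) - ACS; a positive result means the control pays for itself."""
    return ale_prior - ale_post - annual_cost_of_safeguard


def evaluate_safeguard(asset_value, ef_before, aro_before, ef_after, aro_after, annual_cost):
    """Carry one candidate control through the full calculation and report its economic feasibility."""
    ale_prior = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_post = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    cba = cost_benefit(ale_prior, ale_post, annual_cost)
    return {"ale_prior": ale_prior, "ale_post": ale_post, "cba": cba, "justified": cba > 0}


# Constructed sample data (assumed, not from the text): three assets scored on three criteria.
CRITERION_WEIGHTS = {"impact on revenue": 30, "impact on profitability": 40, "impact on public image": 30}
SAMPLE_ASSETS = [
    Asset("customer order database",
          {"impact on revenue": 0.8, "impact on profitability": 0.9, "impact on public image": 0.5}),
    Asset("public web server",
          {"impact on revenue": 0.4, "impact on profitability": 0.3, "impact on public image": 1.0}),
    Asset("internal wiki",
          {"impact on revenue": 0.1, "impact on profitability": 0.2, "impact on public image": 0.1}),
]

if __name__ == "__main__":
    for name, score in weighted_factor_analysis(SAMPLE_ASSETS, CRITERION_WEIGHTS):
        print(f"{name:26} {score:5.1f}")
    # Assumed scenario: a database worth 200,000 that loses half its value per incident,
    # hit once in five years (ARO 0.2). Control A cuts the ARO to once in twenty years
    # (0.05) for 10,000 per year; control B does the same but costs 20,000 per year.
    for label, cost in (("control A", 10_000), ("control B", 20_000)):
        r = evaluate_safeguard(200_000, 0.5, 0.2, 0.5, 0.05, cost)
        print(f"{label}: ALE before {r['ale_prior']:,.0f}, after {r['ale_post']:,.0f}, "
              f"CBA {r['cba']:,.0f}, justified={r['justified']}")
```

Control A returns a CBA of 5,000 per year and is justified; control B, with the same risk reduction at twice the cost, returns -5,000 and is not. The weighted factor analysis ranks the order database above the web server because profitability carries the largest weight, even though the web server scores highest on public image.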
 

 71. 

There are individuals who search trash and recycling — a practice known as _________ — to retrieve information that could embarrass a company or compromise information security.
a. shoulder surfing
b. dumpster diving
c. pretexting
d. corporate espionage
 

 72. 

The _________ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
a. termination
b. defense
c. transfer
d. mitigate
 

 73. 

Risk _________ is the application of security mechanisms to reduce the risks to an organization’s data and information systems.
a. management
b. control
c. identification
d. security
 

 74. 

__________ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders.
a. Organizational
b. Technical
c. Operational
d. Political
 

 75. 

_________ addresses are sometimes called electronic serial numbers or hardware addresses.
a. HTTP
b. IP
c. DHCP
d. MAC
 

 76. 

In SESAME, the user is first authenticated to an authentication server and receives a token. The token is then presented to a privilege attribute server as proof of identity to gain a(n) __________.
a. VPN
b. ECMA
c. ticket
d. PAC
 

 77. 

The __________ is an intermediate area between a trusted network and an untrusted network.
a. perimeter
b. DMZ
c. domain
d. firewall
 

 78. 

Telnet protocol packets usually go to TCP port __________ whereas SMTP packets go to port __________.
a. 23, 52
b. 80, 52
c. 80, 25
d. 23, 25
 

 79. 

The service within Kerberos that generates and issues session keys is known as __________.
a. VPN
b. KDC
c. AS
d. TGS
 

 80. 

Which of the following is not a major processing-mode category for firewalls?
a. Packet-Filtering Firewalls
b. Application Gateways
c. Circuit Gateways
d. Router Passthru
 

 81. 

The dominant architecture used to secure network access today is the __________ firewall.
a. static
b. bastion
c. unlimited
d. screened subnet
 

 82. 

In most common implementation models, the content filter has two components: __________.
a. encryption and decryption
b. filtering and encoding
c. rating and decryption
d. rating and filtering
 

 83. 

__________ firewalls are designed to operate at the media access control sublayer of the data link layer of the OSI network model.
a. MAC layer
b. Circuit gateway
c. Application gateways
d. Packet filtering
 

 84. 

Kerberos __________ provides tickets to clients who request services.
a. KDS
b. TGS
c. AS
d. VPN
 

 85. 

__________ filtering requires that the filtering rules governing how the firewall decides which packets are allowed and which are denied be developed and installed with the firewall.
a. Dynamic
b. Static
c. Stateful
d. Stateless
 

 86. 

__________ access control is a form of __________ access control in which users are assigned a matrix of authorizations for particular areas of access.
a. lattice-based, discretionary
b. arbor-based, nondiscretionary
c. arbor-based, discretionary
d. lattice-based, nondiscretionary
 

 87. 

__________ and TACACS are systems that authenticate the credentials of users who are trying to access an organization’s network via a dial-up connection.
a. RADIUS
b. RADIAL
c. TUNMAN
d. IPSEC
 

 88. 

__________ firewalls examine every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information.
a. Packet-filtering
b. Application gateways
c. Circuit gateways
d. MAC layer firewalls
 

 89. 

Which of the following versions of TACACS is still in use?
a. TACACS
b. Extended TACACS
c. TACACS+
d. All of the above
 

 90. 

__________ is the protocol for handling TCP traffic through a proxy server.
a. SOCKS
b. HTTPS
c. FTP
d. Telnet
 

 91. 

Known as the ping service, ICMP is a(n) __________ and should be ___________.
a. essential feature, turned on to save money
b. common method for hacker reconnaissance, turned off to prevent snooping
c. infrequently used hacker tool, turned off to prevent snooping
d. common method for hacker reconnaissance, turned on to save money
 

 92. 

A(n) __________ is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
a. SVPN
b. VPN
c. SESAME
d. KERBES
 

 93. 

In __________ mode, the data within an IP packet is encrypted, but the header information is not.
a. tunnel
b. transport
c. public
d. symmetric
 

 94. 

The application gateway is also known as a(n) __________.
a. application-level firewall
b. client firewall
c. proxy firewall
d. All of the above
 

 95. 

A __________ filtering firewall can react to an emergent event and update or create rules to deal with the event.
a. dynamic
b. static
c. stateful
d. stateless
 

 96. 

Since the bastion host stands as a sole defender on the network perimeter, it is commonly referred to as the __________ host.
a. trusted
b. domain
c. DMZ
d. sacrificial
 

 97. 

The restrictions most commonly implemented in packet-filtering firewalls are based on __________.
a. IP source and destination address
b. Direction (inbound or outbound)
c. TCP or UDP source and destination port requests
d. All of the above
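The following is an added example, not part of this test or the textbook it is drawn from, showing how the packet-filtering restrictions listed in question 97 combine into a working rule set: rules evaluated top-down with the first match winning, a default deny for anything no rule verifiably permits (question 48), an anti-spoofing rule for inbound packets claiming internal addresses, a rule that lets SMTP reach the mail server and only the mail server (question 31), Telnet and ICMP blocked at the perimeter (questions 78 and 91), and a connection table that admits replies to connections already allowed, which is the stateful inspection of question 99. The network ranges, host roles, rule set and packets are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet-filtering firewall inspects."""
    direction: str          # "in" = arriving from the untrusted side, "out" = leaving
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0          # 0 for protocols without ports (ICMP)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"  # CIDR; a bare address means that single host
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """Static rules evaluated top-down, first match wins; a packet matching no rule
    is denied. The connection table records every TCP/UDP flow a rule allowed, so
    a packet travelling the reverse direction of a recorded flow is admitted as
    'established' without consulting the rules again."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()    # (proto, src, sport, dst, dport) of allowed flows

    def filter(self, p: Packet) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.proto in ("tcp", "udp") and reverse in self.connections:
            return "allow (established)"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.proto in ("tcp", "udp"):
                    self.connections.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action
        return "deny (default)"


# Assumed topology: internal LAN 10.0.0.0/8; DMZ 192.0.2.0/24 holding the mail
# server (192.0.2.25) and the public web server (192.0.2.80).
INTERNAL, DMZ = "10.0.0.0/8", "192.0.2.0/24"
MAIL_SERVER, WEB_SERVER = "192.0.2.25", "192.0.2.80"

SAMPLE_RULES = [
    # Anti-spoofing: an inbound packet claiming an internal or DMZ source is not authentic.
    Rule("deny", direction="in", src=INTERNAL),
    Rule("deny", direction="in", src=DMZ),
    # Telnet (TCP 23) never crosses the perimeter in either direction; ICMP is turned off.
    Rule("deny", proto="tcp", dport=23),
    Rule("deny", proto="icmp"),
    # Mail (TCP 25) reaches the mail server and only the mail server.
    Rule("allow", direction="in", proto="tcp", dst=MAIL_SERVER, dport=25),
    # Web service (TCP 80) is offered only from the DMZ host, never from the internal network.
    Rule("allow", direction="in", proto="tcp", dst=WEB_SERVER, dport=80),
    # Internal hosts may initiate outbound TCP/UDP; the mail server may relay outbound SMTP.
    Rule("allow", direction="out", proto="tcp", src=INTERNAL),
    Rule("allow", direction="out", proto="udp", src=INTERNAL),
    Rule("allow", direction="out", proto="tcp", src=MAIL_SERVER, dport=25),
]


def run_demo():
    """Push constructed packets through the sample rule set; returns (label, decision) pairs."""
    fw = Firewall(SAMPLE_RULES)
    packets = [
        ("smtp to mail server", Packet("in", "tcp", "203.0.113.5", MAIL_SERVER, 40000, 25)),
        ("smtp to internal host", Packet("in", "tcp", "203.0.113.5", "10.0.0.7", 40001, 25)),
        ("telnet to web server", Packet("in", "tcp", "203.0.113.5", WEB_SERVER, 40002, 23)),
        ("icmp echo to web server", Packet("in", "icmp", "203.0.113.5", WEB_SERVER)),
        ("spoofed internal source", Packet("in", "tcp", "10.0.0.9", WEB_SERVER, 40003, 80)),
        ("http to web server", Packet("in", "tcp", "203.0.113.5", WEB_SERVER, 40004, 80)),
        ("web server reply", Packet("out", "tcp", WEB_SERVER, "203.0.113.5", 80, 40004)),
        ("user https outbound", Packet("out", "tcp", "10.0.0.7", "198.51.100.10", 51000, 443)),
        ("https reply", Packet("in", "tcp", "198.51.100.10", "10.0.0.7", 443, 51000)),
        ("unsolicited inbound", Packet("in", "tcp", "198.51.100.10", "10.0.0.7", 443, 51001)),
    ]
    return [(label, fw.filter(p)) for label, p in packets]


if __name__ == "__main__":
    for label, decision in run_demo():
        print(f"{label:26} {decision}")
```

The order of the rules matters: the anti-spoofing and Telnet denies sit above the allows, so a Telnet attempt at the web server is refused even though that host accepts inbound TCP. The "unsolicited inbound" packet shows why the state table is checked by the full five-tuple: a packet from the same remote host and port to a different local port is not part of the recorded flow and falls through to the default deny.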
 

 98. 

The primary benefit of a VPN that uses _________ is that an intercepted packet reveals nothing about the true destination system.
a. intermediate mode
b. tunnel mode
c. reversion mode
d. transport mode
 

 99. 

__________ inspection firewalls keep track of each network connection between internal and external systems.
a. Static
b. Dynamic
c. Stateful
d. Stateless
 

 100. 

The proxy server is often placed in an unsecured area of the network or is placed in the __________ zone.
a. fully trusted
b. hot
c. demilitarized
d. cold
 



 