Review Questions




1. 

John Doe from the local power and light company calls you and requests access to your secure remote location for a routine meter reading. What do you do?

  A. Let him in. All local regulations give power and light companies access precedence for routine maintenance.

  B. Ask the guard at the front desk what he thinks you should do.

  C. Check your documented access control policy, which might contain an access list. Let him in if he’s on the list. Deny access and call the power company if he is not.

  D. Tell him to say “Open Sesame.”


2. 

Which of the following choices is not considered a physical security control?

  A. Cryptography.

  B. Mantrap.

  C. Turnstile.

  D. Biometric device.


3. 

Which of the following choices represent preventive control measures?

  A. Implementing more restrictive file level permissions after a breach.

  B. Antivirus protection and strong passwords.

  C. Reviewing log files and monitoring suspicious activity.

  D. A good backup system.


4. 

A security management concept known as the CIA Triad represents what?

  A. Confidentiality, IDEA, Auditing.

  B. Customers, Integrity, Auditing.

  C. Conspiracy, IDEA, Availability.

  D. Confidentiality, Integrity, Availability.


5. 

What is the best way to secure portable devices that contain confidential information?

  A. Use a BIOS-protecting password.

  B. Secure the devices by storing and locking them in cars, vaults, and safes.

  C. Do not allow employees to use portable devices.

  D. Encrypt the data.


6. 

Which type of fire extinguishing agent holds back water in the pipe with a clapper valve, offering time to shut down the system if you happen to get the fire under control?

  A. Wet pipe.

  B. Dry pipe.

  C. Gas discharge.

  D. Timing pipe.


7. 

Which type of handheld fire extinguisher should never be used to put out a Class A fire?

  A. BC.

  B. ABC.

  C. DC.

  D. ACD.


8. 

Which type of wiring is most secure and least susceptible to interference?

  A. CAT5.

  B. Coaxial.

  C. Fiber-optic.

  D. High-quality RJ11.


9. 

Which backup type provides the easiest and fastest restore?

  A. GFS.

  B. Incremental.

  C. Full.

  D. Backup 0.


10. 

Which type of backup site will allow you to get your business systems and applications up and running in the least amount of time?

  A. Hot site.

  B. Cold site.

  C. Warm site.

  D. Fiber-optic site.


11. 

What should be your first step when creating a DRP (Disaster Recovery Plan)?

  A. Determine which type of site will be used.

  B. Define the goals the plan is expected to achieve.

  C. Identify a disaster recovery response team.

  D. Identify important information to back up.

  E. None of the above.


12. 

What RAID level provides the best level of fault tolerance and performance?

  A. RAID 32.

  B. RAID 0.

  C. RAID 1.

  D. RAID 5.

  E. None of the above.


13. 

Which statement best describes a security policy?

  A. Once documented, it is set in stone and never changes.

  B. It does not typically include an “Acceptable Use” statement or clause.

  C. It is a living document that is never completed or finished.

  D. It should only be followed by security personnel.

  E. None of the above.


14. 

What is the activity of sifting through someone else’s trash in order to gain confidential information called?

  A. Rude and lascivious.

  B. Custodial engineering.

  C. Social engineering.

  D. Dumpster diving.

  E. None of the above.


15. 

How should confidential company information that is stored on electronic media be handled if it is no longer needed?

  A. It should be thrown in the dumpster.

  B. It should be encrypted and then thrown in the dumpster.

  C. It should never be thrown away. It is company-confidential.

  D. It should be given to the security guard.

  E. None of the above.


16. 

What is Two-Factor SSO?

  A. Using a user ID and a password to authenticate.

  B. Using a biometric device to authenticate.

  C. Using a user ID/password combination and a retina scanner for authentication.

  D. Using a client/server environment to authenticate.

  E. None of the above.


17. 

Which of the following are important considerations concerning computer forensics?

  A. Secure third-party storage.

  B. Following a chain of custody.

  C. Using rubber gloves and sealed containers.

  D. Proper collection and preservation of data for evidence.

  E. All of the above.


18. 

Which type of risk analysis uses controls such as deterrent, preventive, corrective, and detective?

  A. Ultimate risk analysis.

  B. Quantitative risk analysis.

  C. Qualitative risk analysis.

  D. Quality control risk analysis.

  E. None of the above.


19. 

What is the formula used to calculate annual financial expected loss?

  A. ARO + ALE = SLE.

  B. ALE - ARO = SLE.

  C. ALE × SLE = ARO.

  D. SLE × ARO = ALE.

  E. None of the above.


20. 

According to security roles and responsibilities, whose role includes the responsibilities of backups and restores?

  A. Manager.

  B. Owner.

  C. Custodian.

  D. User.

  E. None of the above.


21. 

Concerning government and commercial data classification, which two data categories describe grave or extreme damage that can result if the public accesses this information?

  A. Confidential and Top-Secret.

  B. Sensitive and Unclassified.

  C. Secret and Sensitive.

  D. Secret and Sensitive but Unclassified.

  E. None of the above.


Answers

1. 

Correct answer = C

The answer to this question is based on what your documented access control policy states. In other words, you might have a digital pass system, an ACL (Access Control List), a remote surveillance device, or biometric device that can be used to determine remotely whether the worker should be allowed or denied entry to the remote site. All other choices are invalid.

2. 

Correct answer = A

Cryptography is used to transform or encrypt plain text into an unreadable or unidentifiable format known as ciphertext. In order for the encrypted text to be understandable, it must be decrypted. Cryptography is not considered a physical security control. Mantraps, turnstiles, and biometric devices are considered physical security controls.

3. 

Correct answer = B

Implementing antivirus protection and strong passwords are examples of preventive controls. Implementing more restrictive file level permissions after a breach is considered a corrective control. Reviewing log files and monitoring suspicious activity are considered detective controls. A good backup system is a recovery control.

4. 

Correct answer = D

In operational security management terms, the protection of confidentiality, integrity and availability make up what is known as the CIA Triad. All other choices are invalid.

5. 

Correct answer = D

Laptop computers, PDAs (Personal Data Assistants), and cell phones can be easily lost or stolen. The best way to protect the information contained within these units is to use encryption. Using a BIOS password is always a good idea for securing access to a system before the operating system loads. However, it is not the most secure method for protecting data. Choices B and C are great ideas. However, they are nonproductive and impractical.

6. 

Correct answer = B

With a dry pipe system, water is held far back from the nozzle by a clapper valve. If the system detects fire, there remains significant time to shut down the system if you happen to put the fire out before water is needed. A wet pipe system always keeps water in the pipes that lead to the sprinkler head or nozzle. A gas discharge system doesn’t use water. Timing pipe is an invalid selection.

7. 

Correct answer = A

A Class BC fire extinguisher is rated for chemical and electrical fires. It should never be used to extinguish a Class A rated fire. An ABC extinguisher is rated to put out normal paper or wood burning fires and can be used for Class A fires. Selections C and D are invalid classes.

8. 

Correct answer = C

Fiber-optic cable is very secure and is least susceptible to interference or crosstalk. CAT5 and coaxial cable can be easily tapped and are more susceptible to electrical or magnetic interference. High-quality RJ11 would make a great choice for an analog phone connection but it is irrelevant here.

9. 

Correct answer = A

A GFS (Grandfather-Father-Son) backup strategy using a daily differential backup provides the easiest and fastest restore. With this strategy, only the last full and the last differential backup tapes are needed to do the restore. All other choices are incorrect. Be ready to handle questions similar to this that contain minimal information on the real exam. Some of the questions on this exam are going to leave you wondering where the rest of the information is.

10. 

Correct answer = A

A hot site is considered a site that can provide full business functionality in a very short time. It is the most functional site. A cold site doesn’t have any equipment such as servers or workstations on site, and there is usually no active connectivity to external networks in place. A warm site has more functionality than a cold site but would need more equipment and associated components to equal that of a hot site. A fiber-optic site sounds real good; unfortunately, it is an invalid selection.

11. 

Correct answer = B

Be ready for this type of question on the real exam. The first step needed when creating a comprehensive DRP is defining the goals that the plan will achieve. This will usually include the identification and definition of what is considered to be a disaster or threat to your business. Choices A, C, and D are all items that should be included in the DRP. However, they are not considered the first step in this process.

12. 

Correct answer = D

RAID level 5 places parity information across all disks in an array. It provides the best combination of fault tolerance and performance of the popular RAID implementations. RAID 32 is an invalid selection. RAID 0 is not fault tolerant. Although RAID 1 or disk mirroring is fault tolerant, it is not considered to provide the best level of protection and performance of the RAID levels.
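To make the parity point above concrete, here is an added Python simulation of a RAID 5 array; it is example code written for this page, not material from the exam guide. Each stripe spreads data chunks over all disks but one and stores the XOR of those chunks as parity on a disk that rotates from stripe to stripe, so reads and writes are spread across the whole array and any single disk can be lost and rebuilt from the survivors. The disk count, chunk size and the parity-rotation rule are constructed assumptions of this toy model; the example also shows the failure mode the answer implies, namely that a second disk loss before a rebuild is unrecoverable.

```python
"""Toy RAID 5: striping with distributed (rotating) XOR parity.

Added example for the RAID 5 answer; not code from the exam guide.
Constructed assumptions: a fixed chunk size per disk, parity for stripe s on
disk (n_disks - 1 - s) % n_disks, and an in-memory list of chunks standing
in for each physical disk. Writes are refused while the array is degraded.
"""
from typing import List, Optional


def xor_chunks(chunks: List[bytes]) -> bytes:
    """XOR equal-length chunks; this single operation is both the parity write and the rebuild."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, byte in enumerate(chunk):
            out[i] ^= byte
    return bytes(out)


class Raid5:
    def __init__(self, n_disks: int = 4, chunk: int = 4) -> None:
        if n_disks < 3:
            raise ValueError("RAID 5 needs at least three disks")
        self.n = n_disks
        self.chunk = chunk
        self.stripes = 0
        # Each disk is a list of chunks, one per stripe; None marks a failed disk.
        self.disks: List[Optional[List[bytes]]] = [[] for _ in range(n_disks)]

    def parity_disk(self, stripe: int) -> int:
        """Parity rotates across disks so no single disk becomes the parity bottleneck."""
        return (self.n - 1 - stripe) % self.n

    def usable_fraction(self) -> float:
        """One disk's worth of capacity per stripe is spent on parity."""
        return (self.n - 1) / self.n

    def write(self, data: bytes) -> int:
        """Stripe data across the array; returns the total number of stripes stored."""
        if any(d is None for d in self.disks):
            raise RuntimeError("array is degraded: replace and rebuild the failed disk first")
        per_stripe = self.chunk * (self.n - 1)
        padded = data + b"\x00" * (-len(data) % per_stripe)  # pad to a whole stripe
        for off in range(0, len(padded), per_stripe):
            data_chunks = [padded[off + k * self.chunk: off + (k + 1) * self.chunk]
                           for k in range(self.n - 1)]
            p = self.parity_disk(self.stripes)
            it = iter(data_chunks)
            for d in range(self.n):
                self.disks[d].append(xor_chunks(data_chunks) if d == p else next(it))
            self.stripes += 1
        return self.stripes

    def fail_disk(self, d: int) -> None:
        """Simulate a disk dropping out of the array."""
        self.disks[d] = None

    def _chunk(self, d: int, stripe: int) -> bytes:
        disk = self.disks[d]
        if disk is not None:
            return disk[stripe]
        # Degraded read: rebuild the missing chunk from every other disk in the stripe.
        survivors = [self.disks[k] for k in range(self.n) if k != d]
        if any(s is None for s in survivors):
            raise RuntimeError("two disks lost: RAID 5 tolerates only a single failure")
        return xor_chunks([s[stripe] for s in survivors])

    def read(self, n_bytes: int) -> bytes:
        """Read the data chunks of every stripe back in order, skipping the parity chunk."""
        out = bytearray()
        for stripe in range(self.stripes):
            p = self.parity_disk(stripe)
            for d in range(self.n):
                if d != p:
                    out += self._chunk(d, stripe)
        return bytes(out[:n_bytes])


def demo() -> dict:
    """Write constructed data, lose one disk, read it back, then lose a second disk."""
    payload = b"the quick brown fox jumps over"  # constructed sample input (30 bytes)
    arr = Raid5(n_disks=4, chunk=4)
    stripes = arr.write(payload)
    arr.fail_disk(2)
    recovered = arr.read(len(payload))
    arr.fail_disk(0)
    try:
        arr.read(len(payload))
        second_failure_detected = False
    except RuntimeError:
        second_failure_detected = True
    return {
        "stripes": stripes,
        "parity_disks": [arr.parity_disk(s) for s in range(stripes)],
        "recovered_ok": recovered == payload,
        "second_failure_detected": second_failure_detected,
        "usable_fraction": arr.usable_fraction(),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three properties the answer relies on: the parity chunk lands on a different disk in each stripe, the payload reads back intact with one disk missing, and usable capacity is (n-1)/n of the raw disks. Real controllers keep serving writes in degraded mode and rebuild onto a spare; this toy refuses writes until the array is whole again to keep the logic short.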

13. 

Correct answer = C

A security policy is never completed. It is a living document that requires continuous updates to reflect changes occurring over the lifetime of a business. Most security policies include an employee Acceptable Use policy statement or clause. A security policy should be provided to all employees, vendors, and third parties involved with the particular business.

14. 

Correct answer = D

Dumpster diving is going through someone else’s trash with the hopes of finding information such as names, IDs, phone lists, passwords, network information, PINs, account numbers, and other information that can be used for social engineering attacks and access to information systems. All other answers are invalid.

15. 

Correct answer = E

Any company information that is no longer needed should be disposed of properly. Paper documents should be cross-shredded. Information that is stored on electronic media should be erased. Stay alert when taking the exam. There will be many common-sense questions similar to this that you cannot afford to miss.

16. 

Correct answer = C

With Two-Factor SSO, a user provides an ID and password combination and is also required to authenticate with a token or biometric device such as a retina or fingerprint scanner. Using a user ID and a password to authenticate is an example of plain Single Sign-On (SSO). Using a biometric device alone is not considered Two-Factor. Using a client/server environment to authenticate is typically a prerequisite that provides an environment for the implementation of SSO and Two-Factor SSO.

17. 

Correct answer = E

All choices are valid concerning computer forensics.

18. 

Correct answer = C

Qualitative risk analysis uses deterrent, preventive, corrective, and detective controls to offset risk. With quantitative risk analysis, the risks are guessed and money is appropriated as a means to offset or take care of the aftermath if an event should occur. All other choices are invalid.

19. 

Correct answer = D

In order to produce an Annualized Loss Expectancy (ALE), you must multiply the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO). All other choices are invalid.

20. 

Correct answer = C

Custodian duties include the verification of system backups and restores as well as keeping updated documentation supporting testing and production efforts. Management is responsible for ensuring that all employees follow security policies and practices and protecting all company assets. Owners’ responsibilities include determining the classification level of data, making changes to the classification level, and assigning or delegating who will be responsible for data and the security of data. Users should be responsible and accountable for the data they work with.

21. 

Correct answer = A

Information that is commercially classified as Confidential might cause extreme damage if made public. Information that is governmentally classified as Top-Secret might cause grave or extreme damage if disclosed. These are the highest classification levels in the two data classification schemes. All other choices are invalid.






The Security+ Exam Guide (TestTaker's Guide Series)
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136
