Midterm Attempt 2
QUESTION 2
____________ define the allowable interactions between subjects and objects.
Credentials
Responsibilities
Procedures
Access controls
2 points
QUESTION 3
There are three principal components of any access control scenario: policies, subjects, and ____________.
tools
procedures
objects
access
2 points
QUESTION 4
The process known as AAA (or “triple A”) security involves three components. _____________ means ensuring that an authenticated user is allowed to perform the requested action.
Authentication
Authorization
Access
Accounting
2 points
QUESTION 5
The process known as AAA (or “triple A”) security involves three components. _____________ means ensuring that users are who they claim to be.
Accounting
Access
Authorization
Authentication
2 points
QUESTION 6
Passwords, tokens, and fingerprint scans are all examples of ________.
identification
authentication
authorization
credentials
2 points
QUESTION 7
_____________ is a set of rights defined for a subject and an object. They are based on the subject’s identity.
Authentication
Authorization
Credentials
Passwords
2 points
QUESTION 8
Which of the following is the definition of authentication factor?
A secret combination of characters known only to the subject.
A way of confirming the identity of a subject. The three authentication factors are something you know, something you have, and something you are.
The user, network, system, process, or application requesting access to a resource.
Something only the subject and the authentication system know.
2 points
QUESTION 9
What term is used to describe the user, network, system, process, or application requesting access to a resource?
shared secret
object
access control
subject
2 points
QUESTION 10
______________ is any strategy that tricks a user into giving up his or her password or granting access to an attacker.
Heightened access
Social engineering
Password cracking
Vulnerability exploitation
2 points
QUESTION 11
________ is a very common social engineering tactic in which the attacker creates an authentic-looking e-mail or Web page that convinces users to enter their confidential information or install software on their computer that secretly records information and sends it back to the attacker.
Password cracking
Password hashing
Phishing
Hacking
2 points
QUESTION 12
In order to correctly prioritize efforts at mitigating threats and vulnerabilities, we perform ________ to accurately decide which threats represent the biggest impact to resources and data.
vulnerability analysis
risk assessment
single loss expectancy
probability of occurrence
2 points
QUESTION 13
In the risk management strategy known as risk ________, you simply change your business activities so that you no longer incur the risk.
acceptance
avoidance
mitigation
transference
2 points
QUESTION 14
In the risk management strategy known as risk ________, you implement controls designed to lessen the probability and/or impact of a risk.
transference
mitigation
avoidance
acceptance
2 points
QUESTION 15
A(n) ___________ analyzes traffic patterns and compares them to known patterns of malicious behavior.
intrusion prevention system
intrusion detection system
defense-in-depth strategy
quantitative risk assessment
2 points
QUESTION 16
What term is used to describe a potential attack on a system?
risk
impact
exposure factor
threat
2 points
QUESTION 17
Only a person with the approved level of access is allowed to view the information. This access is called _____________.
clearance
classification
disclosure
policy
2 points
QUESTION 18
________ is the process used to move a classified document into the public domain.
Clearance
Disclosure
Controlled unclassified information
Declassification
2 points
QUESTION 19
The U.S. Department of Commerce defines ________ as information that can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, and so on, alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, and so on.
personally identifiable information (PII)
controlled unclassified information (CUI)
top secret information
confidential information
2 points
QUESTION 20
The requester of sensitive information should not receive access just because of his or her clearance, position, or rank. The requester must also establish a valid need to see the information. The term for this is ________.
least privilege
need to know
confidential information declassification
access control
2 points
QUESTION 21
A ______________ deals with the potential for weaknesses within the existing infrastructure to be exploited.
vulnerability assessment
threat assessment
security assessment
full asset inventory
2 points
QUESTION 22
_____________ is aimed primarily at the financial services industry.
The Gramm-Leach-Bliley Act
Regulatory compliance
The Sarbanes-Oxley Act
21 CFR Part 11
2 points
QUESTION 23
The ________ is a U.S. law passed in 2000 that requires schools and libraries receiving E-Rate funds to filter some Internet content. The law’s primary purpose is to protect minors from obscene or harmful content.
Gramm-Leach-Bliley Act (GLBA)
Family Educational Rights and Privacy Act (FERPA)
Children’s Internet Protection Act (CIPA)
Health Insurance Portability and Accountability Act (HIPAA)
2 points
QUESTION 24
The main role of _________ is to stop internal fraud.
GLBA
21 CFR Part 11
SOX
CALEA
2 points
QUESTION 25
Educational institutions are required to protect educational records by adhering to the strict guidelines set in the ________.
Communications Assistance for Law Enforcement Act (CALEA)
Family Educational Rights and Privacy Act (FERPA)
Sarbanes-Oxley Act (SOX)
Gramm-Leach-Bliley Act (GLBA)
2 points
QUESTION 26
The ________ is a law that requires telecommunications carriers and equipment makers to take steps to facilitate the electronic surveillance activities of law enforcement agencies.
Communications Assistance for Law Enforcement Act (CALEA)
Sarbanes-Oxley Act (SOX)
Gramm-Leach-Bliley Act (GLBA)
Homeland Security Presidential Directive 12 (HSPD 12)
2 points
QUESTION 27
A(n) ________________ is a high-level document that defines how an organization will assign and enforce access control rights.
best practice
authorization policy
critical infrastructure
disclosure
2 points
QUESTION 28
The _______ is legislation that was passed in 1996 and protects the privacy and accessibility of health care information.
Communications Assistance for Law Enforcement Act (CALEA)
Health Insurance Portability and Accountability Act (HIPAA)
electronic protected health information (EPHI)
Family Educational Rights and Privacy Act (FERPA)
2 points
QUESTION 29
A ______________ is a set of specific steps to be taken to achieve a desired result.
guideline
procedure
standard
policy
2 points
QUESTION 30
There are two primary causes of access control failures: _____________ and technological factors.
institutional
people
administrative
organizational
2 points
QUESTION 31
What type of security breach includes Trojan horse programs, computer viruses, and other malicious code?
indirect attacks
system exploits
eavesdropping
denial of service (DoS) attacks
2 points
QUESTION 32
Sniffing network and wireless traffic, intercepting Bluetooth traffic, and even using equipment to remotely pull information from monitors due to electromagnetic fields (EMFs) are examples of a security breach known as ________.
indirect attacks
system exploits
eavesdropping
denial of service (DoS) attacks
2 points
QUESTION 33
________ is a type of security breach that exploits human nature and human error.
Social engineering
Eavesdropping
System exploit
Physical attack
2 points
QUESTION 34
________ involve(s) e-mails and Web sites crafted to trick a user into installing malicious code.
Social networking sites
File sharing
Rogue Internal Operatives
Phishing
2 points
QUESTION 35
What is meant by disaster recovery?
Refers to efforts to bring an organization back online after a natural or manmade disaster.
The ability of an organization to maintain critical functions during and after a disaster.
A strategy that combines attempts to minimize the probability and consequences of a risk situation.
Simply accepting the risks and doing what you need to do anyway.
2 points
QUESTION 36
Access control is an application of risk ________.
mitigation
transference
acceptance
avoidance
2 points
QUESTION 37
Information ____________ ensures that private or sensitive information is not disclosed to unauthorized individuals.
integrity
confidentiality
availability
ability
2 points
QUESTION 38
Information _____________ ensures that data has not been modified without authorization.
availability
confidentiality
integrity
ability
2 points
QUESTION 39
What is meant by mandatory access control (MAC)?
Authentication system in which two conditions must be met in order for access to be granted. If one condition is met but not the other, access is denied.
An access control system where rights are assigned by a central authority.
Requires that users commonly log into workstations under limited user accounts.
The principle in which a subject—whether a user, an application, or another entity—should be given the minimum level of rights necessary to perform legitimate functions.
2 points
QUESTION 40
________ is an access control system where rights are assigned by the owner of the resource in question.
Mandatory access control (MAC)
Role-based access control (RBAC)
Automated account review
Discretionary access control (DAC)
2 points
QUESTION 41
Which of the following is the definition of role-based access control (RBAC)?
Ensures that data has not been accidentally or intentionally modified without authorization.
Access control system where rights are assigned based on a user’s role rather than his or her identity.
Ensures that private or sensitive information is not disclosed to unauthorized individuals.
The principle in which a subject—whether a user, an application, or another entity—should be given the minimum level of rights necessary to perform legitimate functions.
2 points
QUESTION 42
During the Target breach, what type of attack was used against the 3rd party HVAC vendor?
Firewall
Phishing/Social Engineering
Physical
Technical
2 points
QUESTION 43
Target should have used multiple control layers to protect their systems. What term is used for this concept?
Need to Know
Least Privilege
Mandatory Vacation
Defense in Depth
2 points
QUESTION 44
To help mitigate the Target breach, system administrators should have implemented a system that only allowed certain programs to run on the POS (Point of Sale) system. What is the term for this concept?
Application whitelisting
Application management
Application blacklisting
Application certification
2 points
QUESTION 45
According to the Apple vs FBI case, which version of iOS began tangling the passcode with a device-specific 256-bit AES secret key that was required to unlock the device?
iOS 5
iOS 6
iOS 7
iOS 8
2 points
QUESTION 46
In the Apple vs FBI case, what type of iPhone was being investigated?
iPhone 6s
iPhone 6
iPhone 5c
iPhone 5
2 points
QUESTION 47
In a Windows environment, __________ is a powerful tool that enables security administrators to share user and group definitions, and even directory services, by defining domains.
Domain Definitions
PowerShell
Active Directory
Microsoft Assessment and Planning (MAP) toolkit
2 points
QUESTION 48
When setting up a file system that is intended to be shared among several users, it is good practice to configure permissions so that:
each user can only view the contents of a folder but not modify it.
the administrator must manually give each user access to each folder and file each time it is needed.
each user’s account is able to access all of the folders and files.
each user’s account is able to access only the folders and files necessary.
2 points
QUESTION 49
One risk of granting full control access is that:
all members of the group must agree to an action before any one member can perform it.
no member of the group has the ability to perform any action on the folder unless the other group members all exercise their power of full control.
any member of the group has the ability to perform any action on the folder and can possibly interfere with other group members’ content and their ability to access the folder.
no member of the group has the ability to perform any action on the folder.
2 points
QUESTION 50
Which of the following statements is true regarding domain controllers?
They require less hardware than a standard server.
They require no additional administrative time and resources than any other computer.
They can have many other applications on them.
They store the actual database of Active Directory shared resources.
2 points