9-1. Because it's a perimeter defense strategy, a firewall is not a critical element for cardholder data security.
9-2. You are tasked with designing a security policy for cardholder data. Which of the following are recommended security strategies for cardholder data?
A. Verify that data is retained for a limited period of time
B. Verify that data is disposed of properly
C. Verify that passwords are encrypted during transmission
9-3. Use WEP to secure communications sent over a wired network.
9-4. Which of the following elements are typically examined during a PCI DSS Security Assessment?
B. Network hardware
9-5. When credit card transactions are handled in __________, receipts are often collected over a day or week and then sent in as multiple sets of information.
9-6. PSS DSS is a set of standards designed to help organizations that process credit card payments prevent fraud by having increased control over data and its exposure.
9-7. When credit card transactions are handled in __________, a consumer's credit card is charged immediately to complete a purchase.
9-8. You are attempting to synchronize your Web server to online timekeeping. Which of the following protocols is responsible for managing system time?
9-9. Which of the following firewall considerations are recommended by the PCI Security Standards Council?
B. Block unused ports
C. Use host-based firewall systems on mobile computers
D. Conduct periodic reviews of firewall and router set rules
9-10. Merchants should develop a two-factor authentication scheme to protect access to cardholder data.
10-1. The bounce rate identifies the percentage of people who leave you site from the page they initially visited.
10-2. You recently developed an application. In which SDLC stages would the application likely be in just prior to being released to the production environment?
10-3. Recovery testing analyzes how an application manages the aftermath of failures and crashes.
10-4. As a software developer, you have recently coded a security patch to a Web application. Which of the following might you do after finishing the patch?
A. Perform a regression test
10-5. You have completed an application and now you wonder if it will work with both the Microsoft Internet Explorer and Mozilla Firefox Web browsers. Which of the following tests might you perform.
C. Compatibility test
10-6. __________ incorporates features of black and white box testing.
Gray box testing
10-7. Regulations are not set by organizations but by applicable laws.
10-8. You are using a testing mechanism that looks at the input and output of an application to determine potential problems. Which mechanisms may be in use?
A. Black box testing
B. White box testing
C. Gray box testing
10-9. Which of the following is often developed by first creating a risk analysis?
C. Security policies
14-10. Which of the following professions are concerned with managing database security, such as the list of users who have access to all or part of the database?
A. Network architect
11-1. The "percentage of vulnerabilities not found" metric is a useful way of reporting assessment data.
11-2. How many tiers are commonly used for Web sites?
11-3. The act of fixing vulnerabilities or findings resulting from an assessment is known as __________.
11-4. Which of the following activities are considered parts of a Web server OS assessment?
B. Identifying the patches and updates that have been installed
C. Identify the services and ports that are active
11-5. Ping sweeps are part of what process?
11-6. Web site forms and user input fields are often attacked using cross-site scripting.
11-7. Which section of the assessment report is intended to be a high-level briefing of the findings?
D. Executive summary
11-8. An in-depth security assessment of a Web sever application includes performing which of the following?
C. A source code review
11-9. SQL __________ is an attempt to manipulate a database by inserting commands into a field or URL.
11-10. Nmap's primary features include which of the following?
B. OS fingerprinting
C. Port scanning
E. Ping sweeps
11-11. What is the purpose of exploiting a vulnerability or flaw in a system to gain access to resources not otherwise available to the attacker or tester?
C. Privilege escalation
11-12. OWASP is the organization known for developing secure application development standards and practices.
11-13. Nessus uses thousands of __________ to identify vulnerabilities associated with services, application, and operating systems.
11-14. Which attack involves exploring the files and folders of a Web server by manipulating URLs?
D. Directory traversal attacks
11-15. Unauthenticated scanning requires the scanner logging onto the systems being accessed.
12-1. Which two security risks apply to IM chatting?
B. Possible data compromise
C. Virus and malware
12-2. 3G networks use packet-switching to route voice calls.
12-3. __________ is a form of messaging used to share pictures, text pages, and ringtones.
12-4. 4G network speeds are comparable to DSL and cable modem Internet services.
12-5. Which of the following risks does not apply to Internet browsing?
B. Physical theft
12-6. __________ is the threat related to voice communications and involves an unauthorized party listening in to conversations.
12-7. The term endpoint is typically used to describe what type of device?
B. A device with server capabilities
12-8. What is the minimum strength recommended for whole-device encryption?
D. There is no minimum
12-9. The term __________ describes the merging of various types of devices and technologies into a common single form.
12-10. Which two controls provide physical security for devices?
B. Locking the device
C. Remote erasure
12-11. A hand off, or transfer of communications from on cell to another, was a significant factor regarding the mobility and popularity of cellular phones.
12-12. Which form of communication is compatible across nearly all cellular networks and is widely considered to be the most often used communication method, by quantity, on today's phones?
A. SMS texting
12-13. Which of these mobile risks are included among the OWASP Top 10?
A. Weak server-side controls
B. Poor authorization and authentication
D. Client-side injection
12-14. The OWASP mobile security risk "Security Decisions Via Untrusted Inputs" refers to what unsecure practice?
B. Making security decisions on potentially untrusted sources
12-15. What are two popular ways that Web sites arrange a session?
A. By creating cookies
D. By creating a random string of characters in the URL or Web address
13-1. When information is temporarily kept at one or more middle points during transmission, that technique is called __________ communication.
13-2. Which of the following describes multiple points of presence (MPOP)?
B. Aggregating presence information from multiple applications or devices
13-3. Phishing, social engineering, and 419 scams are some of the threats encountered when using __________.
13-4. Messaging or chatting on social networking sites can be considered very private and secure.
13-5. Why are PBXs an attractive target to attackers?
A. Several services depend on the PBX's operation
B. Numerous protocols are involved
13-6. Store-and-forward communication is preferred over real-time communication in which environments?
A. When delivery is unreliable
B. When the destination is not always available
13-7. Which areas of concern are associated with SMS vulnerabilities?
13-8. SMS and MMS are primarily the same service apart from the addition of multimedia with MMS.
13-9. Protocols such as SIP, H.323, MGCP, IP, and RTP are encountered when discussing which of the following?
13-10. This chapter discussed which issues brought on by adding VoIP devices to an organization?
A. Performance issues: significantly more network traffic
B. Security issues: new attack vectors and more vulnerabilities to deal with
13-11. A networking method of segregating VoIP traffic from data traffic is __________.
13-12. Select one way SIP does not assist with establishing a multimedia connection.
D. User distance
13-13. SIP manages multimedia sessions with features similar to how the telephone system dials, rings, and manages responses from phones.
13-14. The SIP session request and response messages are formed similarly to __________ messages.
14-1. Data typically refers to RAW unorganized facts.
14-2. A SQL server database is an example of a relational database.
14-3. The TOR browser is used to access which of the following?
C. Deep web
14-4. Which of the following represents a mindset whereby programming is done with a clear understanding of current threats and how these threats potentially impact overall security?
C. Defensive programming
14-5. Which of the following professions are concerned with the back-end development of a Web sire and will incorporate appropriate security measures from initial concept to completion?
B. Web developer
14-6. A(n) __________ is a set of instructions understood by the computer allowing it to perform predetermined functions.
14-7. Which of the following professions are opensource programming languages?
14-8. __________ refers to the systems and processes used to ensure technology helps meet and organizations goals?
14-9. Certification courseware and training materials are focused and directed, but degree programs often require elective courses that are not always related to the specific area of IT.
14-10. Which of the following professions are concerned with managing database security, such as the list of users who have access to all or part of the database>
A. Network architect
15-1. Which organization provides incident response support for the federal government?
15-2. Which organizations investigate Internet crime?
15-3. Which of the following standards are governed by NIST?
A. Advances Encryption Standard (AES)
C. The United States Government Configuration Baseline
15-4. Which of the following are (ISC)2 qualifications?
15-5. You must pass an exam to become an (ISC)2 Associate.
15-6. Which certification organization is not approved under DoD Directive 8750?
15-7. What is the purpose of open proxy honeypots in relation to Internet-based Web attacks?
A. Silently record for later analysis
15-8. Roughly how many site reviews were used to generate the most recent WASC Web Security Report?
15-9. ISO 17024 is the international standard for which of the following?
D. Certification programs for personal competence
15-10. The National Institute of Standards and Technology (NIST) represents the United States in the International Standards Organization.