9-5. When credit card transactions are handled in __________, receipts are often collected over a day or week and then sent in as multiple sets of information.

Batch processing

9-6. PSS DSS is a set of standards designed to help organizations that process credit card payments prevent fraud by having increased control over data and its exposure.

A. True

9-7. When credit card transactions are handled in __________, a consumer's credit card is charged immediately to complete a purchase.

Real-time processing

9-8. You are attempting to synchronize your Web server to online timekeeping. Which of the following protocols is responsible for managing system time?

C. NTP

9-9. Which of the following firewall considerations are recommended by the PCI Security Standards Council?

B. Block unused ports

C. Use host-based firewall systems on mobile computers

D. Conduct periodic reviews of firewall and router set rules

9-10. Merchants should develop a two-factor authentication scheme to protect access to cardholder data.

A. True

10-1. The bounce rate identifies the percentage of people who leave you site from the page they initially visited.

A. True

10-2. You recently developed an application. In which SDLC stages would the application likely be in just prior to being released to the production environment?

A. RC1

D. Beta

10-3. Recovery testing analyzes how an application manages the aftermath of failures and crashes.

A. True

10-4. As a software developer, you have recently coded a security patch to a Web application. Which of the following might you do after finishing the patch?

A. Perform a regression test

10-5. You have completed an application and now you wonder if it will work with both the Microsoft Internet Explorer and Mozilla Firefox Web browsers. Which of the following tests might you perform.

C. Compatibility test

10-6. __________ incorporates features of black and white box testing.

Gray box testing

10-7. Regulations are not set by organizations but by applicable laws.

A. True

10-8. You are using a testing mechanism that looks at the input and output of an application to determine potential problems. Which mechanisms may be in use?

A. Black box testing

B. White box testing

C. Gray box testing

10-9. Which of the following is often developed by first creating a risk analysis?

C. Security policies

14-10. Which of the following professions are concerned with managing database security, such as the list of users who have access to all or part of the database?

A. Network architect

11-1. The "percentage of vulnerabilities not found" metric is a useful way of reporting assessment data.

B. False

11-2. How many tiers are commonly used for Web sites?

C. 3

11-3. The act of fixing vulnerabilities or findings resulting from an assessment is known as __________.

Remidiation

11-4. Which of the following activities are considered parts of a Web server OS assessment?

B. Identifying the patches and updates that have been installed

C. Identify the services and ports that are active

11-5. Ping sweeps are part of what process?

B. Discovery

11-6. Web site forms and user input fields are often attacked using cross-site scripting.

A. True

11-7. Which section of the assessment report is intended to be a high-level briefing of the findings?

D. Executive summary

11-8. An in-depth security assessment of a Web sever application includes performing which of the following?

C. A source code review

11-9. SQL __________ is an attempt to manipulate a database by inserting commands into a field or URL.

Injection

11-10. Nmap's primary features include which of the following?

B. OS fingerprinting

C. Port scanning

E. Ping sweeps

11-11. What is the purpose of exploiting a vulnerability or flaw in a system to gain access to resources not otherwise available to the attacker or tester?

C. Privilege escalation

11-12. OWASP is the organization known for developing secure application development standards and practices.

A. True

11-13. Nessus uses thousands of __________ to identify vulnerabilities associated with services, application, and operating systems.

Plug-ins

11-14. Which attack involves exploring the files and folders of a Web server by manipulating URLs?

D. Directory traversal attacks

11-15. Unauthenticated scanning requires the scanner logging onto the systems being accessed.

B. False

12-1. Which two security risks apply to IM chatting?

B. Possible data compromise

C. Virus and malware

12-2. 3G networks use packet-switching to route voice calls.

B. False

12-3. __________ is a form of messaging used to share pictures, text pages, and ringtones.

MMS

12-4. 4G network speeds are comparable to DSL and cable modem Internet services.

A. True

12-5. Which of the following risks does not apply to Internet browsing?

B. Physical theft

12-6. __________ is the threat related to voice communications and involves an unauthorized party listening in to conversations.

Eavesdropping

12-7. The term endpoint is typically used to describe what type of device?

B. A device with server capabilities

12-8. What is the minimum strength recommended for whole-device encryption?

D. There is no minimum

12-9. The term __________ describes the merging of various types of devices and technologies into a common single form.

Convergence

12-10. Which two controls provide physical security for devices?

B. Locking the device

C. Remote erasure

12-11. A hand off, or transfer of communications from on cell to another, was a significant factor regarding the mobility and popularity of cellular phones.

A. True

12-12. Which form of communication is compatible across nearly all cellular networks and is widely considered to be the most often used communication method, by quantity, on today's phones?

A. SMS texting

12-13. Which of these mobile risks are included among the OWASP Top 10?

A. Weak server-side controls

B. Poor authorization and authentication

D. Client-side injection

12-14. The OWASP mobile security risk "Security Decisions Via Untrusted Inputs" refers to what unsecure practice?

B. Making security decisions on potentially untrusted sources

12-15. What are two popular ways that Web sites arrange a session?

A. By creating cookies

D. By creating a random string of characters in the URL or Web address

13-1. When information is temporarily kept at one or more middle points during transmission, that technique is called __________ communication.

Store-and-forward

13-2. Which of the following describes multiple points of presence (MPOP)?

B. Aggregating presence information from multiple applications or devices

13-3. Phishing, social engineering, and 419 scams are some of the threats encountered when using __________.

E-mail

13-4. Messaging or chatting on social networking sites can be considered very private and secure.

B. False

13-5. Why are PBXs an attractive target to attackers?

A. Several services depend on the PBX's operation

B. Numerous protocols are involved

13-6. Store-and-forward communication is preferred over real-time communication in which environments?

A. When delivery is unreliable

B. When the destination is not always available

13-7. Which areas of concern are associated with SMS vulnerabilities?

B. Integrity

C. Confidentiality

13-8. SMS and MMS are primarily the same service apart from the addition of multimedia with MMS.

B. False

13-9. Protocols such as SIP, H.323, MGCP, IP, and RTP are encountered when discussing which of the following?

C. VoIP

13-10. This chapter discussed which issues brought on by adding VoIP devices to an organization?

A. Performance issues: significantly more network traffic

B. Security issues: new attack vectors and more vulnerabilities to deal with

13-11. A networking method of segregating VoIP traffic from data traffic is __________.

VLANs

13-12. Select one way SIP does not assist with establishing a multimedia connection.

D. User distance

13-13. SIP manages multimedia sessions with features similar to how the telephone system dials, rings, and manages responses from phones.

A. True

13-14. The SIP session request and response messages are formed similarly to __________ messages.

C. HTTP

14-1. Data typically refers to RAW unorganized facts.

A. True

14-2. A SQL server database is an example of a relational database.

B. True

14-3. The TOR browser is used to access which of the following?

C. Deep web

14-4. Which of the following represents a mindset whereby programming is done with a clear understanding of current threats and how these threats potentially impact overall security?

C. Defensive programming

14-5. Which of the following professions are concerned with the back-end development of a Web sire and will incorporate appropriate security measures from initial concept to completion?

B. Web developer

14-6. A(n) __________ is a set of instructions understood by the computer allowing it to perform predetermined functions.

A. Program

14-7. Which of the following professions are opensource programming languages?

B. Perl

C. PHP

14-8. __________ refers to the systems and processes used to ensure technology helps meet and organizations goals?

C. Governance

14-9. Certification courseware and training materials are focused and directed, but degree programs often require elective courses that are not always related to the specific area of IT.

A. True

14-10. Which of the following professions are concerned with managing database security, such as the list of users who have access to all or part of the database>

A. Network architect

15-1. Which organization provides incident response support for the federal government?

C. US-CERT

15-2. Which organizations investigate Internet crime?

B. IC3

C. ECTFs

15-3. Which of the following standards are governed by NIST?

A. Advances Encryption Standard (AES)

C. The United States Government Configuration Baseline

15-4. Which of the following are (ISC)² qualifications?

B. CISSP

C. CISSP-ISSEP

E. CSSLP

15-5. You must pass an exam to become an (ISC)² Associate.

A. True

15-6. Which certification organization is not approved under DoD Directive 8750?

D. FLETC

15-7. What is the purpose of open proxy honeypots in relation to Internet-based Web attacks?

A. Silently record for later analysis

15-8. Roughly how many site reviews were used to generate the most recent WASC Web Security Report?

B. 10,000

15-9. ISO 17024 is the international standard for which of the following?

D. Certification programs for personal competence

15-10. The National Institute of Standards and Technology (NIST) represents the United States in the International Standards Organization.

B. False