ITN260 Midterm Questions & Answers PDF
This document contains a midterm exam for an ITN260 course. The exam covers basic information security concepts and includes questions and answers for several modules (e.g., Module 1).
Question lists and answers

**Module 1**

Question: Vittoria is working on her computer information systems degree at a local college and has started researching information security positions. Because she has no prior experience, which of the following positions would Vittoria most likely be offered?
a. security administrator
b. security technician
c. security officer
d. security manager
Answers: b

Question: Which of the following is false about the CompTIA Security+ certification?
a. Security+ is one of the most widely acclaimed security certifications.
b. Security+ is internationally recognized as validating a foundation level of security skills and knowledge.
c. The Security+ certification is a vendor-neutral credential.
d. Professionals who hold the Security+ certification earn about the same or slightly less than security professionals who have not achieved this certification.
Answers: d

Question: Ginevra is explaining to her roommate the relationship between security and convenience. Which statement most accurately indicates this relationship?
a. Security and convenience are directly proportional.
b. Security and convenience have no relationship.
c. Any proportions between security and convenience depend on the type of attack.
d. Security and convenience are inversely proportional.
Answers: d

Question: Serafina is studying to take the Security+ certification exam. Which of the following of the CIA elements ensures that only authorized parties can view protected information?
a. confidentiality
b. integrity
c. availability
d. credentiality
Answers: a

Question: Which of the following AAA elements is applied immediately after a user has logged into a computer with their username and password?
a. authentication
b. authorization
c. identification
d. recording
Answers: b

Question: Gia has been asked to enhance the security awareness training workshop for new hires. Which category of security control would Gia be using?
a. managerial
b. technical
c. operational
d. physical
Answers: c

Question: Which specific type of control is intended to mitigate (lessen) damage caused by an attack?
a. corrective control
b. compensating control
c. preventive control
d. restrictive control
Answers: a (A control that is intended to mitigate or lessen the damage caused by the incident is called a corrective control.)

Question: Which control is designed to ensure that a particular outcome is achieved by providing incentives?
a. deterrent control
b. incentive control
c. detective control
d. directive control
Answers: d (A directive control is designed to ensure that a particular outcome is achieved. One type of directive control is an incentive, which is the "carrot" instead of the "stick." Incentives are often overlooked as a control, but they can be very powerful.)

Question: Which of the following controls is NOT implemented before an attack occurs?
a. detective control
b. deterrent control
c. preventive control
d. directive control
Answers: a (A detective control is used to identify an attack and occurs during an attack.)

Question: Complete this definition of information security: That which protects the integrity, confidentiality, and availability of information _____.
a. on electronic digital devices and limited analog devices that can connect via the Internet or through a local area network
b. through a long-term process that results in ultimate security
c. using both open-sourced as well as supplier-sourced hardware and software that interacts appropriately with limited resources
d. through products, people, and procedures on the devices that store, manipulate, and transmit the information
Answers: d

Question: Which of the following groups have the lowest level of technical knowledge for carrying out cyberattacks?
a. unskilled attackers
b. hacktivists
c. nation-state actors
d. organized crime
Answers: a

Question: Ilaria is explaining to her parents why information security is the preferred term when talking about security in the enterprise. Which of the following would Ilaria NOT say?
a. Cybersecurity usually involves a range of practices, processes, and technologies intended to protect devices, networks, and programs that process and store data in an electronic form.
b. In a business, information may be in any format, from electronic files to paper documents.
c. Cybersecurity is a subset of information security.
d. Information security protects "processed data" or information.
Answers: c

Question: Which of the following is not considered an attribute of threat actors?
a. level of sophistication/capability
b. educated/uneducated
c. resources/funding
d. internal/external
Answers: b

Question: What is considered the motivation of an employee who practices shadow IT?
a. deception
b. ignorance
c. ethical
d. malicious
Answers: c

Question: Which tool is most commonly associated with nation-state actors?
a. Closed-Source Resistant and Recurrent Malware (CSRRM)
b. Advanced Persistent Threat (APT)
c. Unlimited Harvest and Secure Attack (UHSA)
d. Network Spider and Worm Threat (NSAWT)
Answers: b

Question: Flavia is reading about insider threats. Which of the following is NOT true about insider threats?
a. Attacks from an insider threat are hard to recognize.
b. Insider threats are usually dismissed as not being a serious risk.
c. Insider threats often occur because the enterprise is watching for outsiders.
d. Government insiders have stolen large volumes of sensitive information.
Answers: b

Question: What is the primary motivation of hacktivists?
a. disruption/chaos
b. financial gain
c. data exfiltration
d. war
Answers: a

Question: What is another name for "attack surface"?
a. vulnerability exposure
b. threat vector
c. legacy platform
d. attack floor
Answers: b

Question: Which of the following is NOT a message-based attack surface?
a. voice calls
b. instant messages
c. texts
d. network protocols
Answers: d

Question: Which of the following is NOT true about supply chains?
a. A supply chain is a network that moves a product from its creation to the end-user.
b. Vendors are the first step in a supply chain.
c. Each link in a supply chain can be a potential attack surface.
d. Hardware providers and software providers are types of supply chains.
Answers: b

**Module 2**

Question: What is the attack surface of social engineering?
a. manipulation
b. human vectors
c. persuasion
d. deception
Answers: b

Question: Bjorn just received a phone call in which the person claimed to be a senior vice president demanding that his password be reset, or else Bjorn's supervisor would be contacted about his lack of cooperation. Bjorn was convinced that this was a social engineering attack. Which principle of human manipulation did the attacker attempt on Bjorn?
a. authority
b. fright
c. intimidation
d. urgency
Answers: c

Question: Which of the following is NOT a personal technique used by social engineering attackers to gain the trust of the victim?
a. Provide a reason.
b. Project confidence.
c. Demand compliance.
d. Use evasion and diversion.
Answers: c

Question: Albrecht received a call from a senior vice president of finance who had received a phishing email and had deleted it. What type of phishing attack was this?
a. dolphining
b. harpooning
c. phishing spear
d. whaling
Answers: d

Question: Tobias received an SMS text that falsely said his bank account was overdrawn and to avoid a $45 fee, he should contact the bank immediately with an explanation. What type of social engineering attack is this?
a. texting attack
b. SMS phishing
c. smishing
d. IM vectoring
Answers: c

Question: Which of the following is NOT true about BEC?
a. It is decreasing in popularity among threat actors.
b. It takes advantage of electronically making payments or transferring funds.
c. It takes advantage of the size and complexity of large enterprises.
d. It is not limited to businesses.
Answers: a

Question: Which social engineering attack is masquerading as a real or fictitious character and then playing out the role of that person on a target?
a. pretending
b. pretexting
c. impersonation
d. acting
Answers: c

Question: Wolfgang-Cashman is a new intern at the online company WebHighSchoolStore.com. He has been assigned the task of researching all of the similar domain names to theirs in order to counteract attacks. What is Wolfgang-Cashman combating?
a. mistranslations
b. spimming
c. typo squatting
d. redactioning
Answers: c

Question: What is false or inaccurate information that comes from a malicious intent?
a. misinformation
b. half-truths
c. disinformation
d. varication
Answers: c

Question: Which of the following is NOT a type of data reconnaissance?
a. purchasing used technology equipment
b. excel dorking
c. dumpster diving
d. shoulder surfing
Answers: b (Google dorking uses advanced Google search techniques to look for information that unsuspecting victims have carelessly posted on the web.)

Question: Which type of sensor is most appropriate for monitoring a large warehouse for intruders?
a. microwave sensor
b. IR sensor
c. XG sensor
d. passive RGP sensor
Answers: a

Question: Which of the following statements is NOT true about a pressure sensor?
a. A pressure sensor can differentiate between a car and a person.
b. Modern pressure sensors can differentiate between what has entered and where they are headed.
c. A pressure sensor is a type of management control.
d. A pressure sensor can be used to detect if a person has entered a restricted area.
Answers: c

Question: Arndt is on a team that is increasing the security in an office. They want to allow anyone to pass by a door but have an alarm sound whenever someone gets too close to the door. Which sensor would Arndt recommend using?
a. IR sensor
b. microwave sensor
c. ultrasonic sensor
d. pressure sensor
Answers: c

Question: Which type of buffer is automated and has two interlocking doors, only one of which can be opened at a time?
a. access control vestibule
b. reception area
c. waiting room
d. vestibule office
Answers: a

Question: Milan is on a design team that needs to run a hardened carrier PDS underground between two buildings. What requirement would Milan add to the specifications?
a. It must be buried at least 25 feet below surface level.
b. It can only be used for fiber-optic cables.
c. It must be visually inspected on a weekly basis.
d. It must be encased in concrete.
Answers: d

Question: Which data classification has the highest level of data sensitivity?
a. "eyes-only"
b. sensitive
c. private
d. confidential
Answers: d

Question: Jan is working on classifying data. Some data has been identified that if compromised, the function and mission of the enterprise would be severely impacted. Which data classification should Jan give this data?
a. secret
b. top secret
c. critical
d. classified
Answers: c

Question: Which type of data is hospital patient information protected by HIPAA?
a. restricted data
b. regulated data
c. secure data
d. private data
Answers: b

Question: JSON and XML would be classified as which type of data?
a. compiled data
b. lightweight data
c. schematic data
d. non-human-readable data
Answers: d

Question: Which of the following data security methods creates a copy of the original data but uses obfuscation on any sensitive elements?
a. data masking
b. data protecting
c. data tokening
d. data covering
Answers: a

**Module 3**

Question: Aaliyah wants to send a message to a friend, but she does not want anyone else to know that she is communicating with them. Which technique would she use?
a. cryptography
b. steganography
c. encryption
d. ciphering
Answers: b

Question: Zeinab has been asked by her supervisor to speak with an angry customer who claims that they never received notification of a change in the terms of service agreement. Zeinab learned that an automated "read receipt" was received, showing that the customer opened the email with the new terms of service outlined. What action will Zeinab now take regarding this customer?
a. repudiation
b. obfuscation
c. integrity
d. nonrepudiation
Answers: d

Question: Which of the following is NOT a form of obfuscation?
a. tokenization
b. ciphering
c. steganography
d. data masking
Answers: b

Question: Which of the following is NOT correct about "security through obscurity"?
a. It attempts to hide its existence from outsiders.
b. Proprietary cryptographic algorithms are a common example.
c. It is essentially impossible to achieve.
d. It should only be used as a general information security protection in extreme circumstances.
Answers: d

Question: Layla has encrypted a document so that it can only be viewed by those who have been provided the key. What protection has she given to this document?
a. confidentiality
b. integrity
c. authentication
d. obfuscation
Answers: a

Question: Which of the following is NOT correct about a one-time pad (OTP)?
a. It combines plaintext with a random key.
b. The recipient must have a copy of the pad to decrypt the message.
c. It was used during the Cold War.
d. It requires a cipher disk.
Answers: d

Question: What is data called that is to be encrypted by inputting it into a cryptographic algorithm?
a. plaintext
b. byte-text
c. cleartext
d. ciphertext
Answers: a

Question: Which of the following creates the most secure ciphertext?
a. redundant function
b. stream cipher
c. block cipher
d. sponge function
Answers: d

Question: Karyme needs to select a hash algorithm that will produce the longest and most secure digest. Which would she choose?
a. RipeMD160
b. SHA-256
c. XRA3-512
d. Whirlpool
Answers: d

Question: Which algorithm uses the same key to both encrypt and decrypt data?
a. asymmetric cryptographic algorithm
b. hashing algorithm
c. pairwise keypair algorithm
d. symmetric cryptographic algorithm
Answers: d

Question: Which of the following is NOT to be decrypted but is only used for comparison purposes?
a. Digest
b. Key
c. Stream
d. Algorithm
Answers: a

Question: Which of these is NOT a characteristic of a secure hash algorithm?
a. Collisions may occur but they should be rare.
b. A message cannot be produced from a predefined hash.
c. The hash should always be the same fixed size.
d. The results of a hash function should not be reversed.
Answers: a

Question: Which of the following is a weakness of RSA?
a. RSA weaknesses are based on ECC.
b. RSA has no known weaknesses.
c. As computers become more powerful, the ability to compute factoring has increased.
d. The digest produced by the RSA algorithm is too short to be secure.
Answers: c

Question: Which of these is NOT true about ECC?
a. ECC has gained wide popularity.
b. All modern OSs and web browsers use ECC.
c. ECC security is comparable to other asymmetric cryptography but has smaller key sizes.
d. It uses both sloping curves and prime numbers.
Answers: d (ECC uses sloping curves while RSA uses large prime numbers.)

Question: If Bob wants to send a secure message to Alice using an asymmetric cryptographic algorithm, which key does he use to encrypt the message?
a. Alice's private key
b. Alice's public key
c. Bob's public key
d. Bob's private key
Answers: b

Question: Farah needs to encrypt only a few files and does not want the entire disk contents to be encrypted. What type of encryption would she use?
a. file-level encryption
b. byte-level encryption
c. folder-level encryption
d. device-level encryption
Answers: a

Question: Which type of encryption would protect all data on a hard drive, including the installed OS?
a. FDE
b. SSED
c. TXPM
d. HRHS
Answers: a

Question: What is a collision?
a. Two files that produce the same digest.
b. Two ciphertexts that have the same length.
c. Two algorithms that have the same key.
d. Two keys that are the same length.
Answers: a

Question: Nahla has been asked to make a recommendation about the most secure TEE. Which of the following would she choose?
a. SED
b. HSM
c. TPM
d. ARC
Answers: c

Question: Which type of blockchain can anyone join?
a. Federated blockchain
b. Private blockchain
c. Hybrid blockchain
d. Public blockchain
Answers: d

**Module 4**

Question: Alarik is explaining to a colleague about digital certificates. Which of the following statements would he use to correctly describe the need for digital certificates?
a. It can speed up processing time when using a web browser.
b. It can hide the public key so that it cannot be abused.
c. It can confirm the true identity of the sender of an encrypted message.
d. It can replace digital signatures with a more robust technology.
Answers: b

Question: What is a technology used to associate a user's identity to a public key and has been digitally signed by a trusted third party?
a. digital signature
b. digital certificate
c. digital codebook
d. digital signing repository (DSR)
Answers: b

Question: Ville has been asked by his supervisor to review the contents of a questionable digital certificate. Which of the following would Ville NOT find in it?
a. owner's private key
b. serial number of the digital certificate
c. name of the issuer
d. owner's name or alias
Answers: a

Question: Who is responsible for verifying the credentials of an applicant for a digital certificate?
a. CA
b. registration authority
c. CSR
d. intermediate CSR
Answers: b

Question: Which of the following is NOT a means by which a person requesting a digital certificate can be authenticated?
a. birth certificate
b. employee badge
c. email
d. telephone number
Answers: d

Question: What is the strongest technology that would assure Alice that Bob is the sender of a message?
a. digital signature
b. encrypted signature
c. digest
d. digital certificate
Answers: d

Question: What is a publicly accessible centralized directory of digital certificates that can be used to view the status of a digital certificate?
a. CA
b. CR
c. CB
d. CX
Answers: b

Question: Ansgar is studying how digital certificates can be used. Which of the following is NOT a use of a digital certificate?
a. to encrypt messages for secure email communications
b. to encrypt channels to provide secure communication between clients and servers
c. to verify the authenticity of the CA
d. to verify the identity of clients and servers on the web
Answers: c

Question: Which of the following performs a real-time lookup of a certificate's status?
a. Pinning
b. OCSP
c. Clipping
d. Remote lookup protocol (RLP)
Answers: b

Question: Which of the following is NOT true about a root digital certificate?
a. The next level down is one or more intermediate certificates.
b. It is self-signed.
c. It is created and verified by a CA.
d. It is the endpoint of the chain.
Answers: d

Question: Tordis has been asked to acquire a digital certificate that will cover all the subdomains of a new site. Which type of certificate would he acquire?
a. omnibus digital certificate
b. subname digital certificate
c. wildcard digital certificate
d. NAXX
Answers: c

Question: Bengt is setting up a new web server that will have several IP addresses. He only wants to acquire a single digital certificate. Which type of certificate will he acquire?
a. SAN
b. Asterisk digital certificate (ADC)
c. Domain digital certificate
d. EV
Answers: a

Question: What is the standard format for digital certificates?
a. CN
b. RCN
c. CER x9
d. X-509 Version 3
Answers: d

Question: Which of the following is false about PKI?
a. It is the underlying infrastructure that serves as a key management system for controlling public keys, private keys, and digital certificates.
b. It is the set of software, hardware, processes, procedures, and policies that are needed to create, manage, distribute, use, store, and revoke digital certificates across large user populations.
c. It is digital certificate management at scale.
d. It must be used by all enterprises with over 1,000 employees.
Answers: d

Question: Which is the first step in a key exchange?
a. The browser generates a random value ("Pre-master secret").
b. The web server sends a message ("ServerHello") to the client.
c. The web browser verifies the server certificate.
d. The web browser sends a message ("ClientHello") to the server.
Answers: d

Question: Dag wants to set up a trust model in which he only will serve as a CA. Which trust model will he choose?
a. bridge trust model
b. distributed trust model
c. hierarchical trust model
d. sole trust model
Answers: c

Question: Einar has been asked to create a new policy that outlines the process in which keys are managed by a third party and the private key is split with each half encrypted. What policy is Einar creating?
a. key recovery policy
b. key expiration policy
c. extended validation policy
d. key escrow policy
Answers: d

Question: Which of the following is the most comprehensive secure communication and transport protocol?
a. SSL
b. TLS
c. IPSec
d. HSS
Answers: c

Question: Gjord has been assigned to design an implementation of IPSec at an old manufacturing plant that has legacy network equipment and many devices. Which implementation will he choose?
a. SRSR
b. AR Stack
c. BITW
d. BITS
Answers: d

Question: Which of the following is NOT a primary characteristic for determining the resiliency of a key to attacks?
a. randomness
b. key derivation
c. cryptoperiod
d. key length
Answers: b

**Module 5**

Question: What word is the currently accepted term that is used today to refer to network-connected hardware devices?
a. host
b. endpoint
c. device
d. client
Answers: b

Question: Which of the following is NOT a feature of blocking ransomware?
a. A message on the user's screen appears pretending to be from a reputable third party.
b. It prevents a user from using their computer in a normal fashion.
c. It can be defeated by a double power cycle.
d. It is the earliest form of ransomware.
Answers: c

Question: Cillian is explaining to an intern why ransomware is considered to be the most serious malware threat. Which of the following reasons would Cillian NOT give?
a. Once a device is infected with ransomware, it will never function normally.
b. Launching a ransomware attack is relatively inexpensive and does not require a high degree of skill.
c. Ransomware attacks occur with a very high frequency.
d. Attacks from ransomware have a high impact on organizations.
Answers: a

Question: Finn's team leader has just texted him that an employee, who violated company policy by bringing in a file on a USB flash drive, has just reported that their computer is infected with locking ransomware. Why would Finn consider this a serious situation?
a. It sets a precedent by encouraging other employees to violate company policy.
b. It can encrypt all files on any network that is connected to the employee's computer.
c. The organization may be forced to pay up to $500 for the ransom.
d. The employee would have to wait at least an hour before their computer could be restored.
Answers: b

Question: What is the difference between a keylogger and spyware?
a. A keylogger operates much faster than spyware.
b. Spyware is illegal while a keylogger is not.
c. Spyware typically secretly monitors users but unlike a keylogger makes no attempts to gather sensitive user keyboard input.
d. Spyware can be installed using a hardware device while a keylogger cannot.
Answers: c

Question: Which of the following is NOT a technology used by spyware?
a. tracking software
b. system-modifying software
c. active tracking technologies
d. automatic download of software
Answers: c

Question: Which of the following is NOT true about RATs?
a. A RAT gives the threat agent unauthorized remote access to the victim's computer by using specially configured communication protocols.
b. A RAT and a worm have the same basic function.
c. A RAT allows the attacker to not only monitor what the user is doing but also can change computer settings, browse and copy files, and even use the computer to access other computers connected on the network.
d. A RAT creates an opening into the victim's computer, allowing the threat actor unrestricted access.
Answers: b

Question: Which of the following types of computer viruses is malicious computer code that becomes part of a file?
a. file-based virus
b. jump virus
c. fileless virus
d. RAM-Check virus
Answers: a

Question: Which of the following is NOT a Microsoft Windows common LOLBin?
a. DLR
b. .NET Framework
c. Macro
d. PowerShell
Answers: a

Question: Which of the following is sometimes called a "network virus" because it enters a computer to move through the network?
a. fileless virus
b. worm
c. trojan
d. file-based virus
Answers: b

Question: Which of these would NOT be considered the result of a logic bomb?
a. Send an email to Rowan's inbox each Monday morning with the agenda of that week's department meeting.
b. If the company's stock price drops below $50, then credit Oscar's retirement account with one additional year of retirement credit.
c. Erase the hard drives of all the servers 90 days after Alfredo's name is removed from the list of current employees.
d. Delete all human resource records regarding Augustine one month after he leaves the company.
Answers: a

Question: Which of the following attacks is based on a website accepting user input without sanitizing it?
a. RSS
b. XSS
c. iSQL
d. SSXRS
Answers: b

Question: Which of the following attacks is based on the principle that when a user is currently authenticated on a website and then loads another webpage, the new page inherits the identity and privileges of the first website?
a. SSFR
b. DLLS
c. CSRF
d. DRCR
Answers: c (cross-site request forgery (CSRF))

Question: Which of the following manipulates the trusting relationship between web servers?
a. SSRF
b. CSRF
c. EXMAL
d. SCSI
Answers: a (server-side request forgery (SSRF))

Question: Which type of memory vulnerability attack manipulates the "return address" of the memory location of a software program?
a. pointer attack
b. stuffing attack
c. integer overwrite
d. buffer overflow attack
Answers: d

Question: What race condition can result in a NULL pointer/object dereference?
a. Conflict race condition
b. Value-based race condition
c. Thread race condition
d. Time of check (TOC) to time of use (TOU)
Answers: d

Question: Which of the following would NOT be considered an IoA?
a. resource manipulation
b. out-of-cycle logging
c. account lockout
d. blocked content
Answers: a

Question: Nollaig is reviewing the steps that an attacker took when they compromised a web server and accessed confidential files. What type of attack was this?
a. directory traversal
b. account overflow
c. race condition
d. TOE
Answers: a

Question: Which of the following is NOT correct about a secure cookie?
a. It is a means of protection of a web browser.
b. A secure cookie is only sent to the server with an encrypted request.
c. It uses the HTTPS protocol.
d. It prevents an unauthorized person from intercepting a cookie that is being transmitted.
Answers: a

Question: Which statement regarding a keylogger is NOT true?
a. Software keyloggers can be designed to send captured information automatically back to the attacker through the Internet.
b. Hardware keyloggers are installed between the keyboard connector and computer keyboard USB port.
c. Software keyloggers are generally easy to detect.
d. Keyloggers can be used to capture passwords, credit card numbers, or personal information.
Answers: c

**Module 6**

Question: Ahmet is explaining to his team members the security constraints that have made it a challenge to protect a new embedded system. Which of the following would Ahmet NOT include as a constraint?
a. authentication
b. cost
c. power
d. ease of use
Answers: d (Ease of recovery instead)

Question: Yusuf has been asked to experiment with different hardware to create a controller for a new device on the factory floor. He needs a credit-card-sized motherboard that has a microcontroller instead of a microprocessor. Which would be the best solution?
a. SoC
b. Raspberry Pi
c. Arduino
d. FPGA
Answers: c

Question: Musa needs a tool with a single management interface that provides capabilities for managing and securing mobile devices, applications, and content. Which tool would be the best solution?
a. UEM
b. MDM
c. MCCM
d. MMAM
Answers: a

Question: In a job interview, Deniz asks about the company policy regarding smartphones. She is told that employees may choose from a limited list of approved devices but that she must pay for the device herself; however, the company will provide her with a monthly stipend. Which type of enterprise deployment model does this company support?
a. BYOD
b. DYOD
c. CYOD
d. Corporate-owned
Answers: c

Question: Eren has been asked to provide information regarding adding a new class of Android smartphones to a list of approved devices. One of the considerations is how frequently the smartphones receive firmware OTA updates. Which of the following reasons would Eren NOT list in their report as a factor in the frequency of Android firmware OTA updates?
a. OEMs are hesitant to distribute Google updates because it limits their ability to differentiate themselves from competitors if all versions of Android start to look the same through updates.
b. Because many of the OEMs have modified Android, they are reluctant to distribute updates that could potentially conflict with their changes.
c. Wireless carriers are reluctant to provide firmware OTA updates because of the bandwidth it consumes on their wireless networks.
d. Because OEMs want to sell as many devices as possible, they have no financial incentive to update mobile devices that users would then continue to use indefinitely.
Answers: c

Question: What is the process of identifying the geographical location of a mobile device?
a. Geotracking
b. Geolocation
c. GeoID
d. Geomonitoring
Answers: b

Question: Which of the following is NOT an advantage of COPE for an enterprise?
a. simplified IT infrastructure
b. cost savings
c. flexibility in management
d. more oversight
Answers: d

Question: Ceyhun received a request by a technician for a new portable computer. The technician noted that they wanted USB OTG support and asked Ceyhun's advice regarding it. Which of the following would Ceyhun NOT tell them is an advantage?
a. A device connected via USB OTG can function as a peripheral for external media access.
b. A device connected via USB OTG can function as a host.
c. USB OTG is only available for connecting Android devices to a portable computer.
d. Connecting a mobile device to an infected computer using USB OTG could allow malware to be sent to that device.
Answers: c

Question: Ozan has received a phone call from his supervisor that a new employee has attempted to download and install an unapproved app that allows her to circumvent the built-in limitations on her Android smartphone. What is this called?
a. rooting
b. sideloading
c. jailbreaking
d. ducking
Answers: a

Question: What is another name for runtime verification?
a. static code analysis
b. dynamic code analysis
c. fuzzering
d. weighted code analysis
Answers: b

Question: What is dead code?
a. A block of code that does not run.
b. Code that has been tagged to be removed from an application.
c. A branch in a code that calls in a subroutine but always returns a null value.
d. A section of an application that executes but performs no meaningful function.
Answers: d

Question: Cahill is writing an application using SecDevOps and wants to prevent XSS and CSRF attacks. What coding technique would he use?
a. obfuscation
b. code signing
c. input validation
d. normalization
Answers: c

Question: What does containerization do?
a. It splits operating system functions only on specific brands of mobile devices.
b. It places all keys in a special vault.
c. It slows down a mobile device to half speed.
d. It separates personal data from corporate data.
Answers: d

Question: What allows a device to be managed remotely?
a. MDM
b. MAM
c. MRM
d. MWM
Answers: a

Question: Which of these is NOT a security feature for locating a lost or stolen mobile device?
a. Remote lockout
b. Last known good configuration
c. Alarm
d. Thief picture
Answers: b

Question: What enforces the location in which an app can function by tracking the location of the mobile device?
a. Location resource management
b. Geofencing
c. GPS tagging
d. Graphical management tracking (GMT)
Answers: b

Question: Which of these is considered the strongest type of passcode to use on a mobile device?
a. password
b. PIN
c. fingerprint swipe
d. draw connecting-dots pattern
Answers: a

Question: Which of the following is NOT a means by which untrusted content can be sent to a mobile device?
a. SMS
b. MMS
c. RCS
d. XRX
Answers: d

Question: Which tool manages the distribution and control of apps?
a. MAM
b. MDM
c. MCM
d. MFM
Answers: a

Question: Which type of OS is typically found on an embedded system?
a. SoC
b. RTOS
c. OTG
d. COPE
Answers: b

**Module 7**

Question: How is SAML used?
a. It serves as a backup to a directory server.
b. It allows secure web domains to exchange user authentication and authorization data.
c. It is an authenticator in IEEE 802.1x.
d. It is no longer used because it has been replaced by LDAP.
Answers: b

Question: Amahle is researching elements that can prove authenticity. Which of the following is based on unique biological characteristics?
a. something you exhibit
b. something you have
c. something you are
d. something about you
Answers: c

Question: Which of the following elements is NOT true about passwords?
a. The weakness of passwords is based on human memory.
b. The most effective passwords are short but complex.
c. For the highest level of security, each account should have a unique password.
d. The security of passwords is based on human memory.
Answers: b

Question: Imka has been asked to recommend a federation system technology that is an open source federation framework and can support the development of authorization protocols. Which of these technologies would she recommend?
a. OAuth
b. Open ID
c. Shibboleth
d. NTLM
Answers: a

Question: How is key stretching effective in resisting password attacks?
a. It takes more time to generate candidate password digests.
b. It requires the use of GPUs.
c. It does not require the use of salts.
d. The license fees are very expensive to purchase for use.
Answers: a

Question: Which of these is NOT a key stretching algorithm?
a. Argon2
b. bcrypt
c. PBKDF2
d. MD5
Answers: d

Question: Kholwa is explaining to her colleague how a password cracker works. Which of the following is a true statement about password crackers?
a. Most states prohibit password crackers unless they are used to retrieve a lost password.
b. Due to their advanced capabilities, they require only a small amount of computing power.
c. A password cracker attempts to uncover the type of hash algorithm that created the digest because once it is known, the password is broken.
d. Password crackers differ as to how candidates are created.
Answers: d

Question: After a recent security breach, Lerato is investigating how the breach occurred. After examining log files, she discovered that the threat actor had used the same password on several different user accounts. What kind of attack was this?
a. password spraying attack
b. online brute force attack
c. offline brute force attack
d. dictionary attack
Answers: a

Question: Why are dictionary attacks successful?
a. Password crackers using a dictionary attack require less RAM than other types of password crackers.
b. They link known words together in a "string" for faster processing.
c. Users often create passwords from dictionary words.
d. They use pregenerated rules to speed up the processing.
Answers: c

Question: Which of the following is NOT true about a rule attack?
a. A rule attack conducts a statistical analysis on the stolen passwords.
b. Rule attacks are considered low-outcome attacks.
c. The results of a rule attack are used to create a mask of the format of the candidate password.
d. Using a mask will significantly reduce the time needed to crack a password.
Answers: b

Question: Which of the following would a threat actor use last in attacks on a password digest?
a. brute force attack
b. custom wordlist
c. dictionary attack
d. dictionary attack using rules
Answers: a

Question: Which of the following is NOT true about OTPs?
a. They are displayed on security keys.
b. An OTP can typically be used only once or for a limited period of time.
c. They are dynamic and not static.
d. There are two types of OTPs: TOTPs and HOTPs.
Answers: a

Question: Which of the following is the least secure method for sending an authentication code?
a.
authentication app b\. windowed token c\. SMS text d\. MFA push Answers: c Question: Noxolo is researching human characteristics for biometric identification. Which of the following would she not find used for biometric identification? a\. retina b\. iris c\. weight d\. fingerprint Answers: c Question: What type of biometrics is related to the perception, thought processes, and understanding of the user? a\. cognitive biometrics b\. standard biometrics c\. intelligence biometrics d\. behavioral biometrics Answers: a Question: Which of the following is an authentication credential used to access multiple accounts or applications? a\. SSO b\. credentialization c\. identification authentication d\. federal login Answers: a Question: Which of the following is NOT true about password expiration? a\. Both NIST and Microsoft no longer support it. b\. It is not recommended for security. c\. It should be set to at least one day. d\. It is the point in time when a password is no longer valid. Answers: c Question: Which of the following is NOT true about LDAP? a\. It makes it possible for almost any application running on virtually any computer platform to obtain directory information. b\. It is an open protocol. c\. It is the protocol or communication process that enables users to access a network resource through a directory service. d\. It cannot be used with SSO. Answers: d Question: Mpho has been asked to look into security keys that have a feature of a key pair that is \"burned\" into the security key during manufacturing time and is specific to a device model. What feature is this? a\. authorization b\. authentication c\. attestation d\. accountability Answers: c Question: Which access control scheme uses flexible policies that can combine attributes? a\. ABAC b\. RB-RBAC c\. MAC d\. DAC Answers: a