Pregunta 1
Pregunta
The combination of the probability of an event and its consequence (ISO/IEC 73). ___ is/are mitigated through
the use of controls or safeguards.
Respuesta
-
Risk
-
Threat
-
Asset
-
Vulnerability
Pregunta 2
Pregunta
Anything that is capable of acting against an asset in a manner that can result in harm.
Respuesta
-
Risk
-
Threat
-
Asset
-
Vulnerability
Pregunta 3
Pregunta
Something of either tangible or intangible value that is worth protecting, including people, information,
infrastructure, finances and reputation
Respuesta
-
Risk
-
Threat
-
Asset
-
Vulnerability
Pregunta 4
Pregunta
A weakness in the design, implementation, operation or internal control of a process that could
expose the system to adverse threats from threat events.
Respuesta
-
Risk
-
Threat
-
Asset
-
Vulnerability
Pregunta 5
Pregunta
The risk level or exposure without taking into account the actions that management has taken or
might take
Respuesta
-
Inherent Risk
-
Residual Risk
Pregunta 6
Pregunta
Which breadcrumb is correct when framing an approach to risk management?
Respuesta
-
Threat Source initiates > Threat Events exploits > Vulnerability causing > Adverse Impact producing > Organization Risk
-
Threat Source initiates > Vulnerability causing > Threat Events exploits > Adverse Impact producing > Organization Risk
-
Threat Events exploits >Threat Source initiates > Vulnerability causing > Adverse Impact producing > Organization Risk
-
Threat Events exploits > Vulnerability causing > Threat Source initiates > Adverse Impact producing > Organization Risk
Pregunta 7
Pregunta
Approach to developing risk scenarios is based on describing risk events that are specific to
cybersecurity-related situations, typically hypothetical situations envisioned by the people performing the job
functions in specific processes.
Respuesta
-
Top-down Approach
-
Bottom-up Approach
Pregunta 8
Pregunta
Approach to scenario development is based on understanding business goals and how a risk event
could affect the achievement of those goals. Under this model, the risk practitioner looks for the outcome of events
that may hamper business goals identified by senior management.
Respuesta
-
Top-down Approach
-
Bottom-up Approach
Pregunta 9
Pregunta
The ___ approach is suited to general risk management of the company, because it looks at both IT- and non-
IT-related events. A benefit of this approach is that because it is more general, it is easier to achieve management
buy-in even if management usually is not interested in IT. The ___ approach also deals with the goals that
senior managers have already identified as important to them.
Respuesta
-
Top-down Approach
-
Bottom-down Approach
Pregunta 10
Pregunta
The ____ approach can be a good way to identify scenarios that are highly dependent on the specific
technical workings of a process or system, which may not be apparent to anyone who is not intimately involved
with that work but could have substantial consequences for the organization.
Respuesta
-
Top-down Approach
-
Bottom-down Approach
Pregunta 11
Pregunta
___ is used to calculate the risk that an organization faces based on the number of events that may occur within a given time period.
Respuesta
-
Threat
-
Impact
-
Likelihood
-
Vulnerabilty
Pregunta 12
Pregunta
Failure to detect a ___ may be the result of its absence, or it may be a false negative arising from configurations of a tool or improper performance of a manual review.
Respuesta
-
Vulnerability
-
Threat
-
Risk
-
Impact
Pregunta 13
Pregunta
Given the combination of unknown ___ and unknown ___, it is difficult of the cybersecurity professional to provide a comprehensive estimate of the likelihood of a successful attack.
Respuesta
-
Threat, Vulnerability
-
Asset, Threat
-
Vulnerability, Asset
-
Threat, Risk
Pregunta 14
Pregunta
Vulnerability assessments and penetration test provide the cybersecurity practitioner with valuable information on which to partially estimate the ___ .
Respuesta
-
Vulnerabilities
-
Risks
-
Threats
-
Likelihood
Pregunta 15
Pregunta
When using ___ rankings, the most important state is to rigorously define the meaning of each category and use definitions consistently throughout the assessment process.
Pregunta 16
Pregunta
For each identified threat, the ___ of harm expected to result should also be determined.
Respuesta
-
Risk
-
Vulnerability
-
Impact
-
Likelihood
Pregunta 17
Pregunta
Select all that apply: A number of methodologies are available to measure risk. Different industries and professions have adopted various tactics based upon the following criteria:
Pregunta 18
Pregunta
It is particularly important to understand an organization's ___ when considering how to measure risk.
Respuesta
-
Risk management plan
-
Risk appetite
-
Risk tolerance
-
Risk assessment
Pregunta 19
Pregunta
There are three different approaches to implementing cybersecurity. Which three are they below
Respuesta
-
Ad hoc
-
Compliance-based
-
Risk-based
-
Threat-based
-
Impact-based
-
Likelihood-based
Pregunta 20
Pregunta
An ___ approach simply implements security with no particular rationale or criteria. ___
implementations may be driven by vendor marketing, or they may reflect insufficient subject matter expertise,
knowledge or training when designing and implementing safeguards.
Respuesta
-
Ad hoc
-
Compliance-based
-
Risk-based
-
Threat-based
Pregunta 21
Pregunta
Also known as standards-based security, this approach relies on regulations or standards to
determine security implementations. Controls are implemented regardless of their applicability or necessity, which
often leads to a “checklist” attitude toward security
Respuesta
-
Ad hoc
-
Compliance-based
-
Risk-based
-
Threat-based
Pregunta 22
Pregunta
___ security relies on identifying the unique risk a particular organization faces and designing
and implementing security controls to address that risk above and beyond the entity’s risk tolerance and business
needs. The ___ approach is usually scenario-based.
Respuesta
-
Ad hoc
-
Compliance-based
-
Risk-based
-
Threat-based
Pregunta 23
Pregunta
The ___ approach is usually scenario-based.
Respuesta
-
Ad hoc
-
Compliance-based
-
Risk-based
-
Threat-based
Pregunta 24
Pregunta
___ have been known to breach security boundaries and perform malicious acts to gain a
competitive advantage.
Respuesta
-
Cybercriminals
-
Corporations
-
Online social hackers
-
Script kiddies
Pregunta 25
Pregunta
Motivated by the desire for profit, these individuals are involved in fraudulent financial transactions
Respuesta
-
Cybercriminals
-
Cyberwarriors
-
Corporations
-
Hacktivists
Pregunta 26
Pregunta
Characterized by their willingness to use violence to achieve their goals, ___ frequently target critical infrastructures and government groups.
Respuesta
-
Cyberterrorists
-
Cybercriminals
-
Cyberwarriors
-
Nation states
Pregunta 27
Pregunta
Often likened to hacktivists, ___ , also referred to as cyberfighters, are nationally
motivated citizens who may act on behalf of a political party or against another political party that threatens them.
Respuesta
-
Cyberwarriors
-
Cyberterrorists
-
Cybercriminals
-
Script kiddies
Pregunta 28
Pregunta
Although they typically have fairly low-tech methods and tools, dissatisfied current or former
___ represent a clear cybersecurity risk. All of these attacks are adversarial, but some are not related to
APT cyberattacks.
Respuesta
-
Employees
-
Nation states
-
Online social hackers
-
Script kiddies
Pregunta 29
Pregunta
Although they often act independently, politically motivated hackers may target specific individuals
or organizations to achieve various ideological ends.
Respuesta
-
Cyberterrorists
-
Hacktivists
-
Cyberwarriors
-
Cybercriminals
Pregunta 30
Pregunta
___ often target government and private entities with a high level of sophistication to
obtain intelligence or carry out other destructive activities.
Respuesta
-
Nation states
-
Online social hackers
-
Hacktivists
-
Employees
Pregunta 31
Pregunta
Skilled in social engineering, these attackers are frequently involved in cyberbullying,
identity theft and collection of other confidential information or credentials.
Respuesta
-
Script kiddies
-
Online social hackers
-
Hacktivists
-
Employees
Pregunta 32
Pregunta
___ are individuals who are learning to hack; they may work alone or with others and
are primarily involved in code injections and distributed denial-of-service (DDoS) attacks.
Respuesta
-
Online social hackers
-
Employees
-
Script kiddies
-
Cybercriminals
Pregunta 33
Pregunta
The actual occurrence of a threat, or an activity by a threat agent (or adversary) against an asset.
Respuesta
-
Exploit
-
Attack Vector
-
Attack
-
Attack Mechanism
Pregunta 34
Pregunta
From an attacker’s point of view, the asset is a target, and the path or route used to gain access to the target (asset) is known as an
Respuesta
-
Exploit
-
Attack Vector
-
Attack
-
Attack Mechanism
Pregunta 35
Pregunta
There are two types of attack vectors: ingress and egress. Which one is known as data exfiltration?
Pregunta 36
Pregunta
Which attack vector focuses on intrusion and hacking into systems?
Pregunta 37
Pregunta
Employees that steal data from systems and networks is an example of which attack vector?
Pregunta 38
Pregunta
The attacker must defeat any controls in place and/or use an ___ to take advantage of a vulnerability.
Respuesta
-
Exploit
-
Attack Vector
-
Attack
-
Attack Mechanism
Pregunta 39
Pregunta
The method used to deliver the exploit.
Respuesta
-
Target
-
Attack Vector
-
Attack
-
Attack Mechanism
Pregunta 40
Pregunta
An example of this can be a crafted malicious pdf, crafted by the attacker and delivered by email.
Respuesta
-
Exploit
-
Attack Vector
-
Attack
-
Attack Mechanism
Pregunta 41
Pregunta
Which order is correct for the attributes of an attack?
Respuesta
-
Attack Vector, Exploit, Vulnerability, Payload, Target (Asset)
-
Attack Vector, Exploit, Payload, Vulnerability, Target (Asset)
-
Attack Vector, Vulnerability, Payload, Exploit, Target (Asset)
-
Attack Vector, Vulnerability, Exploit, Payload, Target (Asset)
Pregunta 42
Pregunta
Usually the result of an error, malfunction or mishap of some sort.
Pregunta 43
Pregunta
Made by a human threat agent
Pregunta 44
Pregunta
The adversary gathers information using a variety of techniques, passive or active.
Pregunta 45
Pregunta
The adversary crafts the tools needed to carry out a future attack.
Pregunta 46
Pregunta
The adversary inserts or installs whatever is needed to carry out the attack.
Pregunta 47
Pregunta
The adversary takes advantage of information and systems in order to compromise
them.
Pregunta 48
Pregunta
The adversary coordinates attack tools or performs activities that interfere with
organizational functions.
Pregunta 49
Pregunta
The adversary causes an adverse impact.
Pregunta 50
Pregunta
The adversary continues to exploit and compromise the system
Pregunta 51
Pregunta
The adversary coordinates a campaign against the organization.
Pregunta 52
Pregunta
What is the correct order of the Threat Process?
Respuesta
-
Perform reconnaissance, Create attack tools, Exploit and compromise, Deliver malicious capabilities, Conduct an attack, Achieve results, Maintain a presence or set of capabilities, Coordinate a campaign
-
Perform reconnaissance, Create attack tools, Deliver malicious capabilities, Exploit and compromise, Conduct an attack, Achieve results, Maintain a presence or set of capabilities, Coordinate a campaign
-
Perform reconnaissance, Deliver malicious capabilities, Create attack tools, Exploit and compromise, Conduct an attack, Achieve results, Maintain a presence or set of capabilities, Coordinate a campaign
-
Perform reconnaissance, Deliver malicious capabilities, Create attack tools, Exploit and compromise, Conduct an attack, Maintain a presence or set of capabilities, Achieve results, Coordinate a campaign
Pregunta 53
Pregunta
Perform reconnaissance: The adversary gathers information using a variety of techniques, passive or active. Passive may include:
Respuesta
-
i. Sniffing network traffic
ii. Using open source discovery of organizational information (news groups; company postings on IT design
and IT architecture)
iii. Google hacking
-
i. Scanning the network perimeter
ii. Social engineering (fake phone calls, low-level phishing)
Pregunta 54
Pregunta
The following are examples of which attack process?
a. Sniffing network traffic
b. Using open source discovery of organizational information (news groups; company postings on IT design and IT architecture)
c. Google hacking
d. Scanning the network perimeter
e. Social engineering (fake phone calls, low-level phishing)
Pregunta 55
Pregunta
The following are examples of which attack process?
a. Phishing or spear phishing attacks
b. Crafting counterfeit websites or certificates
c. Creating and operating false organizations and placing them in to the supply chain to inject malicious components
Pregunta 56
Pregunta
The following are examples of which attack process?
a. Introducing malware into organizational information systems
b. Placing subverted individuals into privileged positions within the organization
c. Installing sniffers or scanning devices on targeted networks and systems
d. Inserting tampered hardware or critical components into organizational systems or supply chains
Pregunta 57
Pregunta
The following are examples of which attack process?
a. Split tunneling or gaining physical access to organizational facilities
b. Exfiltrating data or sensitive information
c. Exploiting multitenancy (i.e., multiple customers on shared resources) in a public cloud environment (e.g.,
attacking open public access points; application program interfaces [APIs])
d. Launching zero-day exploits
Pregunta 58
Pregunta
The following are examples of which attack process?
a. Communication interception or wireless jamming attacks
b. Denial-of-service (DoS) or distributed DDoS attacks
c. Remote interference with or physical attacks on organizational facilities or infrastructures
d. Session-hijacking or man-in-the-middle attacks
Pregunta 59
Pregunta
The following are examples of which attack process?
a. Obtaining unauthorized access to systems and/or sensitive information
b. Degrading organizational services or capabilities
c. Creating, corrupting or deleting critical data
d. Modifying the control flow of information system (e.g., industrial control system, supervisory control and
data acquisition (SCADA) systems)
Pregunta 60
Pregunta
The following are examples of which attack process?
a. Obfuscating adversary actions or interfering with intrusion detection systems (IDSs)
b. Adapting cyberattacks in response to organizational security measures
Pregunta 61
Pregunta
The following are examples of which attack process?
a. Multi-staged attacks
b. Internal and external attacks
c. Widespread and adaptive attacks
Pregunta 62
Pregunta
Which of the following is NOT a Nonadversarial Threat Event?
Respuesta
-
Mishandling of critical or sensitive information by authorized users
-
Incorrect privilege settings
-
Fire, flood, hurricane, windstorm or earthquake at primary or backup facilities
-
Introduction of vulnerabilities into software products
-
Viruses, Network Worms, Botnets
-
Pervasive disk errors or other problems caused by aging equipment
Pregunta 63
Pregunta
Software designed to gain access to targeted computer systems, steal information or disrupt computer operations.
Respuesta
-
DoS Attack
-
Malware
-
Social Engineering
-
Phishing
Pregunta 64
Pregunta
A piece of code that can replicate itself and spread from one computer to another. It requires intervention or execution to replicate and/or cause damage.
Respuesta
-
Spyware
-
Adware
-
Virus
-
Network Worm
Pregunta 65
Pregunta
A variant of the computer virus, which is essentially a piece of self-replicating code designed to spread itself across computer networks. It does not require intervention or execution to replicate.
Respuesta
-
Virus
-
Network Worm
-
Trojan Horse
-
Botnet
Pregunta 66
Pregunta
A piece of malware that gains access to a targeted system by hiding within a genuine application
Respuesta
-
Virus
-
Network Worm
-
Trojan Horse
-
Botnet
Pregunta 67
Pregunta
Derived from “robot network,” a large, automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as DoS.
Respuesta
-
Virus
-
Network Worm
-
Trojan Horse
-
Botnet
Pregunta 68
Pregunta
A class of malware that gathers information about a person or organization without the knowledge of
that person or organization.
Respuesta
-
Spyware
-
Adware
-
Ransomware
-
Keylogger
-
Rootkit
Pregunta 69
Pregunta
Also called “hostage code,” a class of extortive malware that locks or encrypts data or functions and demands a payment to unlock them. Several types are available for every operating system
Respuesta
-
Spyware
-
Adware
-
Ransomware
-
Keylogger
-
Rootkit
Pregunta 70
Pregunta
A class of malware that secretly records user keystrokes and, in some cases, screen content.
Respuesta
-
Spyware
-
Adware
-
Ransomware
-
Keylogger
-
Rootkit
Pregunta 71
Pregunta
A class of malware that hides the existence of other malware by modifying the underlying operating system.
Respuesta
-
Spyware
-
Adware
-
Ransomware
-
Keylogger
-
Rootkit
Pregunta 72
Pregunta
Complex and coordinated attacks directed at a specific entity or
organization. They require a substantial amount of research and time, often taking months or even years to fully execute.
Pregunta 73
Pregunta
A means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions.
Pregunta 74
Pregunta
An attack made by trying all possible combinations of passwords or encryption keys until the correct one is found.
Pregunta 75
Pregunta
Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
Pregunta 76
Pregunta
A type of injection in which malicious scripts are injected into otherwise benign and
trusted websites.
Respuesta
-
Structure Query Language (SQL) injection
-
Cross-site scripting (XSS)
-
DoS attack
-
Advanced persistent threats (APTs)
Pregunta 77
Pregunta
An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate.
Pregunta 78
Pregunta
Any attempt to exploit social vulnerabilities to gain access to information and/or systems.
Respuesta
-
Spear phishing
-
Social engineering
-
Phishing
-
Spoofing
Pregunta 79
Pregunta
A type of email attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering.
Respuesta
-
Phishing
-
Spoofing
-
Spear phishing
-
Social engineering
Pregunta 80
Pregunta
An attack where social engineering techniques are used to masquerade as a trusted party to obtain important information such as passwords from the victim.
Respuesta
-
Phishing
-
Social engineering
-
Spear phishing
-
Spoofing
Pregunta 81
Pregunta
Faking the sending address of a transmission in order to gain illegal entry into a secure system.
Respuesta
-
Spoofing
-
Phishing
-
Social engineering
-
Spear phishing
Pregunta 82
Pregunta
An attack that consists of insertion or ‘injection’ of a SQL query via the input data from the client to the application.
Pregunta 83
Pregunta
A vulnerability that is exploited before the software creator/vendor is even aware of its existence.
Pregunta 84
Pregunta
There are several attributes of good policies that should be considered: (select all that apply below)
Respuesta
-
Security policies should be an articulation of a well-defined information security strategy that captures the intent, expectations and direction of management.
-
Policies must be update/maintained on a frequent basis.
-
Policies must be clear and easily understood by all affected parties.
-
Policies should be short and concise, written in plain language.
Pregunta 85
Pregunta
Most organizations should create security policies ___ developing a security strategy.
Pregunta 86
Pregunta
Communicate required and prohibited activities and behaviors.
Respuesta
-
Procedures
-
Policies
-
Standards
-
Guidelines
Pregunta 87
Pregunta
Interpret policies in specific situations.
Respuesta
-
Guidelines
-
Policies
-
Standards
-
Procedures
Pregunta 88
Pregunta
Provide details on how to comply with policies and standards.
Respuesta
-
Procedures
-
Guidelines
-
Standards
-
Policies
Pregunta 89
Pregunta
Provide general advice on issues such as “what to do in particular circumstances.” These are not requirements to be met but are strongly recommended.
Respuesta
-
Policies
-
Standards
-
Procedures
-
Guidelines
Pregunta 90
Pregunta
Which COBIT 5 information security policy set do the following items belong to:
– Data classification and ownership
– System classification and ownership
– Resource utilization and prioritization
– Asset life cycle management
– Asset protection
Pregunta 91
Pregunta
Which COBIT 5 information security policy set do the following items belong to:
– At-work acceptable use and behavior, including privacy, Internet/email, mobile devices, BYOD, etc.
– Offsite acceptable use and behavior, including social media, blogs
Pregunta 92
Pregunta
Which COBIT 5 information security policy set do the following items belong to:
– Information security within the life cycle, requirements definition and procurement/acquisition processes
– Secure coding practices
– Integration of information security with change and configuration management
Pregunta 93
Pregunta
Which COBIT 5 information security policy set do the following items belong to:
Contract management
Pregunta 94
Pregunta
Which COBIT 5 information security policy set do the following items belong to:
– IT information security architecture and application design
– Service level agreements
Pregunta 95
Pregunta
Which COBIT 5 information security policy set do the following items belong to:
– IT information security ___ assessment process
– Development of metrics
– Assessment repositories
Pregunta 96
Pregunta
Which COBIT 5 information security policy set do the following items belong to:
– Organizational risk management plan
– Information risk profile