Monday, April 28, 2008

NCFM Information Security Auditors Module - (Part 2) mock test papers

(B) Information Security Auditors Module - (Part 2)

Q1
The security functionality defines the expected activities of a security mechanism, and assurance defines __________. [ 1 Mark ]

(a) the confidence of the security the mechanism is providing
(b) cost/benefit relationship
(c) the data classification after the security mechanism has been implemented
(d) the controls the security mechanism will enforce
(e) I am not attempting the question

Q2
A cipher lock uses a keypad and is ___________. [ 1 Mark ]

(a) Expensive
(b) Programmable
(c) Reliable
(d) Portable
(e) I am not attempting the question

Q3
What is vulnerability? [ 1 Mark ]

(a) Can be leaky policy.
(b) A security hole
(c) An accessing data.
(d) A weakness that could be exploited.
(e) I am not attempting the question

Q4
__________ are objects, in form of credit cards, size memory cards or smart cards, or those resembling small calculators, that are used to supply static and dynamic passwords. [ 1 Mark ]

(a) Tokens
(b) Token passing network
(c) Coupons
(d) Token ring
(e) I am not attempting the question

Q5
What will be Annualized Rate of Occurrence (ARO) of the treat 'user input error', in the case that company employs 100 data entry clerks and every one of them make one input error each month? [ 1 Mark ]

(a) 1200
(b) 120
(c) 1
(d) 100
(e) I am not attempting the question

Q6
What is the formula for total risk? [ 1 Mark ]

(a) {(Threats X Vulnerability ) + asset value}
(b) (Threats X Vulnerability X asset value)
(c) Threats + vulnerability - asset value) X controls gap
(d) (Threats X vulnerability X asset value) X controls gap
(e) I am not attempting the question

Q7
What is true about a transponder? [ 1 Mark ]

(a) It is a passive proximity device.
(b) It is a card that a user swipes through a card reader to gain access to a facility.
(c) It is a card that can be read without sliding it through a card reader.
(d) It exchanges tokens with an authentication server.
(e) I am not attempting the question

Q8
Which type of encryption would be considered the more secured encryption method across a single link? [ 1 Mark ]

(a) Link encryption
(b) Transport encryption
(c) End-to-end encryption
(d) Tunnel encryption
(e) I am not attempting the question

Q9
Although the words 'Threat' , 'Vulnerability', 'risk' and 'exposure' sounds similar which one best describes the probability of threat materializing? [ 1 Mark ]

(a) Risk
(b) Threat Agent
(c) Vulnerability
(d) Exposure
(e) I am not attempting the question

Q10
Which one does not fall in Risk Assessment activity? [ 1 Mark ]

(a) Treatment options
(b) Reduction and Acceptance
(c) Selection of security controls and risk
(d) None of the above.
(e) I am not attempting the question

Q11
Which of the following would not be considered an operations media control task? [ 2 Marks ]

(a) Compressing and decompressing storage materials.
(b) Controlling access to media and logging activities.
(c) Storing backup information in a protected area.
(d) Erasing data when its retention period is over.
(e) I am not attempting the question

Q12
In business company's terms what is the other word for intellectual data? [ 1 Mark ]

(a) Forecast information
(b) Information data
(c) Company profile
(d) Procedure
(e) I am not attempting the question

Q13
In portable computer environment, what kind of attacks are common to compromise data integrity? [ 1 Mark ]

(a) Phishing
(b) Virus attacks
(c) Terrorist attacks
(d) Physical alteration of data
(e) I am not attempting the questions

Q14
What is an advantage of content-dependent access control in databases? [ 1 Mark ]

(a) Ensures concurrency
(b) Disallows data locking
(c) Processing overhead
(d) Granular control
(e) I am not attempting the question

Q15
In finger scan biometric, what is the average processing time? [ 1 Mark ]

(a) 8 seconds
(b) 7 seconds
(c) 2 - 3 seconds
(d) 10 seconds
(e) I am not attempting the question

Q16
Which best describes a quantitative risk analysis? [ 1 Mark ]

(a) A method that assigns monetary values to components in the risk assessment.
(b) A method that is based on gut feelings and opinions.
(c) Scenario-based analysis to research different security threats.
(d) A method used to apply severity levels to potential loss, probability of loss and risks.
(e) I am not attempting the question

Q17
_________ type of lock uses programmable keypads to restrict access [ 2 Marks ]

(a) Cipher
(b) Preset
(c) Device
(d) Complex
(e) I am not attempting the question

Q18
Among the following what is a disadvantage of intrusion detection system? [ 1 Mark ]

(a) Are expensive to install
(b) Can be penetrated
(c) Are subject to false alarms
(d) All of the above.
(e) I am not attempting the question

Q19
Recommendations and general approaches that provide advice and flexibility are called as ________. [ 1 Mark ]

(a) Procedure
(b) Guideline
(c) Standard
(d) Policy
(e) I am not attempting the question

Q20
You take a fire insurance policy and give the risk for fire to an insurance company, what kind of risk management technique is this? [ 1 Mark ]

(a) Transfer the risk.
(b) Risk reduction
(c) Acceptance of risk
(d) Avoidance of risk
(e) I am not attempting this question

Q21
On what are risk reduction technique based? [ 1 Mark ]

(a) The costs of mitigating actions that could be taken.
(b) The costs of potential losses.
(c) The likelihood that a damaging event will occur.
(d) All of the above.
(e) I am not attempting this question

Q22
What does SSL do? [ 1 Mark ]

(a) It encrypts the communication between the browser and the web server.
(b) It encrypts the communication between the browser and client.
(c) It authenticates the browser to the web server.
(d) None of the above
(e) I am not attempting this question

Q23
The PRIMARY purpose of operations security is to ________. [ 1 Mark ]

(a) establish thresholds for violation detection and logging
(b) monitor the actions of vendor service personnel
(c) protect the system hardware from environment damage
(d) safeguard information assets that are resident in the system
(e) I am not attempting this question

Q24
Which of the following centrally controls the database and manages different aspects of the data? [ 1 Mark ]

(a) Database
(b) Access control
(c) Data dictionary
(d) Data storage
(e) I am not attempting this question

Q25
Who is ultimately responsible for making sure data is classified and protected? [ 1 Mark ]

(a) Users
(b) Management
(c) Administration
(d) Security analyst
(e) I am not attempting this question

Q26
Inventories are used for maintaining company's ________. [ 2 Marks ]

(a) software assets
(b) paper assets
(c) physical assets
(d) All of the above.
(e) I am not attempting this question

Q27
_______ procedures cover the firewalls, routers, switches and operating systems. [ 1 Mark ]

(a) Administrative
(b) Incident response
(c) Auditing
(d) Configuration
(e) I am not attempting this question

Q28
How does proximity detector intrusion systems work? [ 1 Mark ]

(a) By detecting any sound that is made during a forced entry.
(b) By detecting a change or break in a circuit.
(c) By monitoring the magnetic field which it produces.
(d) By detecting the change in a light beam.
(e) I am not attempting this question

Q29
Which option relates to views? [ 1 Mark ]

(a) Allow the data base to be conceptually divided into pieces.
(b) Allow users to selectively and dynamically grant privileges to other users.
(c) Allows a user access to an object dynamically.
(d) None of the above
(e) I am not attempting this question

Q30
What is shared information? [ 1 Mark ]

(a) Publicly accessible
(b) Restricted to a specific list of people
(c) Your internal employees only
(d) Shared within groups
(e) I am not attempting this question

Q31
Who should measure the effectiveness of security related controls in an organization? [ 1 Mark ]

(a) The local security specialist
(b) The central security manager
(c) The business manager
(d) The system auditor
(e) I am not attempting this question

Q32
Most computer attacks result in violation of which of the following security properties? [ 1 Mark ]

(a) Availability
(b) Confidentiality
(c) Integrity and control
(d) All of the above.
(e) I am not attempting this question

Q33
What is the most critical characteristic of a biometric identifying system? [ 1 Mark ]

(a) Storage requirements
(b) Accuracy
(c) Reliability
(d) Perceived intrusiveness
(e) I am not attempting this question

Q34
Any compromise in a security policy could lead to ___________. [ 1 Mark ]

(a) hamper the company's work flow
(b) increase in company's turnover
(c) rejection of company's security certification
(d) company's loss of sensitive information
(e) I am not attempting this question

Q35
A security policy does not contain _________. [ 1 Mark ]

(a) the implementation process of the security
(b) the statement of words which concerns security
(c) the security goal to be achieved
(d) the awareness of security for employees
(e) I am not attempting this question

Q36
What is a protocol? [ 1 Mark ]

(a) A set of rules that dictates how computers exchange a service over networks.
(b) A set of rules that dictates how computers communicate over networks.
(c) It is a de facto standard for transmitting data across the internet.
(d) It is the major component of the ping utility.
(e) I am not attempting this question

Q37
Buffer overflow and boundary condition errors are subsets of _________. [ 1 Mark ]

(a) exceptional condition handling errors
(b) access validation errors
(c) race condition errors
(d) input validation errors
(e) I am not attempting this question

Q38
Why should employers make sure employees take their vacations? [ 1 Mark ]

(a) It is a way that fraud can be uncovered.
(b) To ensure that the employee does not get burnt out.
(c) They have a legal obligation.
(d) It is part of due diligence
(e) I am not attempting this question

Q39
What is a short coming of a firewall? [ 1 Mark ]

(a) They do not help to detect if an intrusion occurred and they can also be bypassed.
(b) They are not easily upgradeable.
(c) They are very costly to implement.
(d) They slow down the overall performance of the network.
(e) I am not attempting this question

Q40
Which of the following items is not considered a preventive physical control? [ 1 Mark ]

(a) Security dogs
(b) Security guard
(c) Access log
(d) Fencing
(e) I am not attempting this question

Q41
Which of the following fire suppressing agents should not be used in an operations center containing employees? [ 1 Mark ]

(a) Water
(b) Gas
(c) Soda acid
(d) CO2
(e) I am not attempting this question

Q42
What takes place at the session layer? [ 1 Mark ]

(a) Packet sequencing
(b) Routing
(c) Addressing
(d) Dialog control
(e) I am not attempting this question

Q43
How is single loss expectancy (SLE) calculated? [ 1 Mark ]

(a) Annualized rate of occurrence (ARO) X exposure factor
(b) Asset value X exposure factor
(c) Annualized rate of occurrence (ARO) X asset value
(d) Asset value X asset loss expectancy (ALE)
(e) I am not attempting this question

Q44
A prolonged power supply that is below normal voltage is a _______. [ 1 Mark ]

(a) brownout
(b) surge
(c) blackout
(d) fault
(e) I am not attempting this question

Q45
____________ is the means by which the ability to do something with a computer resource is explicitly enabled or restricted. [ 1 Mark ]

(a) System Resources
(b) Accesses Control
(c) Type Of Accesses
(d) Work Permit
(e) I am not attempting this question

Q46
If an access control has a fail-safe characteristic but not a fail-secure characteristic, what does that mean? [ 2 Marks ]

(a) It defaults to being locked.
(b) It defaults to sounding a remote alarm instead of a local alarm.
(c) It defaults to no access.
(d) It defaults to being unlocked.
(e) I am not attempting this question

Q47
A deviation from an organization-wide security policy requires which of the following? [ 1 Mark ]

(a) Risk containment
(b) Risk reduction
(c) Risk assignment
(d) Risk acceptance
(e) I am not attempting this question

Q48
What do you think the application should do when it fails? [ 1 Mark ]

(a) It should stop and mark as bad application.
(b) It should go directly to a secure state.
(c) It should be still active, so to track the attacker when he jumps in and uses it.
(d) It should stop and restart automatically.
(e) I am not attempting this question

Q49
SYN flood attack is what kind of attack? [ 1 Mark ]

(a) Dictionary attack
(b) Brute force attack
(c) Heart attack
(d) Denial of service attack
(e) I am not attempting this question

Q50
The preliminary steps to security planning include all of the following EXCEPT _________. [ 1 Mark ]

(a) establish objectives
(b) establish a security audit function
(c) list planning assumptions
(d) determine alternate courses of action
(e) I am not attempting this question

Q51
What is the disadvantage of risk assessment technique? [ 1 Mark ]

(a) It takes a considerable amount of time.
(b) It takes lots of man power.
(c) It is expensive
(d) It disrupts the work flow of the company.
(e) I am not attempting this question

Q52
Which of the following is NOT a system-sensing wireless proximity card? [ 2 Marks ]

(a) Passive device
(b) Field-powered device
(c) Transponder
(d) Magnetically striped card
(e) I am not attempting this question

Q53
In client browser and sever communication, data is passed in form of _______ [ 1 Mark ]

(a) Cookies
(b) Viruses
(c) Applets
(d) ActiveX
(e) I am not attempting this question

Q54
Why is user education helpful for portable computing? [ 1 Mark ]

(a) To make the users aware of the threats to company shared resources.
(b) To train the users so as to make them more efficient while using company's resources.
(c) To provide users with remote and mobile computing education.
(d) To train users before allowing them to access these portable computers.
(e) I am not attempting this question

Q55
How do you explain Risk Management? [ 1 Mark ]

(a) The process which involves identifying, controlling and eliminating the security risks.
(b) The process which involves implementing, developing and mitigating security risks.
(c) The process which involves isolating, combining and eliminating the security risks.
(d) None of above
(e) I am not attempting this question

Q56
What do incident logs provide? [ 1 Mark ]

(a) A good insight into the vulnerabilities of a system.
(b) Throw new challenges to the security professionals.
(c) List of assets and their owners.
(d) Location of the assets.
(e) I am not attempting this question

Q57
Signs, lighting, environmental design are employed for what kind of control? [ 1 Mark ]

(a) preventive
(b) access
(c) deterrent
(d) administrative
(e) I am not attempting this question

Q58
The business processes can be affected by __________. [ 1 Mark ]

(a) disgruntled employees
(b) industrial espionage
(c) hackers
(d) all of the above
(e) I am not attempting the question

Q59
How do we better understand policy? [ 1 Mark ]

(a) It is a statement of the goals to be achieved by procedures.
(b) It is a statement of the goals to be achieved by guidelines.
(c) It is a statement of the goals to be achieved by baselines.
(d) It is a statement of the goals to be achieved by standards
(e) I am not attempting the question

Q60
Which of the following protocols is considered connection oriented? [ 2 Marks ]

(a) IP
(b) TCP
(c) ICMP
(d) UDP
(e) I am not attempting the question

Q61
What is the best description of CHAP (Challenge Handshake Authentication Protocol)? [ 1 Mark ]

(a) Password not sent in clear text.
(b) It is substandard to PAP.
(c) Passwords are sent in clear text.
(d) Passwords are not used, a digital signature is used.
(e) I am not attempting the question

Q62
In this information age, which is the most vulnerable asset of an organization? [ 1 Mark ]

(a) Employees
(b) Data
(c) Machinery
(d) Finance
(e) I am not attempting the question

Q63
What kind of device requires user to supply user Id plus password plus token and something more? [ 2 Marks ]

(a) Biometric
(b) Smart cards
(c) Dumb cards
(d) Challenge-response token
(e) I am not attempting the questions

Q64
Which of the following is not a purpose of doing a risk analysis? [ 1 Mark ]

(a) Define the balance between the impact of a risk and the cost of the necessary counter measure
(b) Identify risks
(c) Delegate responsibility
(d) Quantify impact of potential threats
(e) I am not attempting the question

Q65
Which one of the following individuals has PRIMARY responsibility for determining the classification level of information? [ 1 Mark ]

(a) Security manager
(b) Owner
(c) User
(d) Auditor
(e) I am not attempting the question

Q66
When security is a high priority, why is fiber cabling used? [ 1 Mark ]

(a) It has high data transfer rates and is less vulnerable to EMI
(b) It multiplexes data, which can confuse attackers.
(c) Data interception is very difficult.
(d) It has a high degree of data detection and correction.
(e) I am not attempting the question

Q67
Which of this is a best definition for socket? [ 1 Mark ]

(a) An IP address and MAC address
(b) A session layer link.
(c) An IP address and port number.
(d) MAC address and port number.
(e) I am not attempting the question

Q68
Devices that supply power when the commercial utility power system fails are called ________. [ 2 Marks ]

(a) uninterruptible power supplies
(b) power conditioners
(c) power filters
(d) power dividers
(e) I am not attempting the question

Q69
What attack is typically used for identifying the topology of the target network? [ 1 Mark ]

(a) Assessing
(b) Scanning
(c) Printing
(d) Porting
(e) I am not attempting this question

Q70
Under MAC, a clearance is a ______________. [ 1 Mark ]

(a) subject
(b) sensitivity
(c) privilege
(d) object
(e) I am not attempting this question

Q71
Policies are not written to affect ____________. [ 1 Mark ]

(a) software access
(b) hardware
(c) outside entities
(d) networks
(e) I am not attempting this questions

Q72
Qualitative risk analysis _____________. [ 2 Marks ]

(a) focuses on the costs of potential losses
(b) aims to analyze numerically the probability of each risk
(c) uses judgment and intuition instead of numbers
(d) focuses on the costs of mitigating
(e) I am not attempting this questions

Q73
In proximity identification system what do you understand by the term 'user activated'? [ 1 Mark ]

(a) User and system are independent of activation.
(b) System is activated mutually by the user and system.
(c) Action needs to be taken by the system.
(d) Action needs to be taken by a user
(e) I am not attempting this questions

Q74
Which of the following best describes a characteristic of IPsec? [ 1 Mark ]

(a) Provides content filtering
(b) Works as a proxy.
(c) Provides application layer protection.
(d) Provides system authentication.
(e) I am not attempting this question

Q75
UDP provides __________ delivery. [ 1 Mark ]

(a) distributed
(b) connection-oriented
(c) best-efficiency
(d) best effort
(e) I am not attempting this question

Q76
What is BS ISO/IEC 27001? [ 1 Mark ]

(a) Standard that provides a framework for computer to computer communication
(b) Standard that provides a specification for handling various controls in BCP
(c) International standard that provides a specification for security infrastructure
(d) New international standard that provides a specification for ISMS and the foundation for third-party audit and certification
(e) I am not attempting this question

Q77
Database views provide what type of security control? [ 1 Mark ]

(a) Administrative
(b) Corrective
(c) Detective
(d) Preventive
(e) I am not attempting this question

Q78
How does data encapsulation and the protocol stack work? [ 1 Mark ]

(a) Each protocol or service at each layer in the OSI model adds its own information to the data as it is passed down the protocol stack
(b) The packet is encapsulated and grows when it is passed up the protocol stack
(c) Each protocol or service at each layer in the OSI model multiplexes other packets to the data as it is passed down the protocol stack
(d) The packet is encapsulated and grows as it hops from router to router
(e) I am not attempting this question

Q79
Which software development model is actually a Meta model that incorporates a number of software development models? [ 1 Mark ]

(a) The Critical Path Model
(b) The modified Waterfall Model
(c) The Waterfall Model
(d) The Spiral Model
(e) I am not attempting this question

Q80
___________ best suits for theft protection on portable computers. [ 2 Marks ]

(a) Store all the data in password protected drives on portable computer
(b) Remove power supply batteries from the computer when in non-operational mode
(c) Should have a logon before gaining access to the resources
(d) Allow the computer to continue running when unattended
(e) I am not attempting this question

Q81
Before writing a security policy what concerns the security analyst? [ 1 Mark ]

(a) How large is the organization's infrastructure
(b) What is the annual turnover or revenues of an organization
(c) Which systems and processes are important to the company's mission
(d) The total number of employees working in an organization.
(e) I am not attempting this question

Q82
Which of the following is an administrative control for physical security? [ 1 Mark ]

(a) Lighting
(b) Fences
(c) Facility construction material
(d) Training
(e) I am not attempting this question

Q83
A system file that has been patched numerous times becomes infected with a virus. The anti-virus software warns that disinfecting the file may damage it. What course of action should be taken? [ 1 Mark ]

(a) Replace the file with the original version from master media.
(b) Proceed with automated disinfections
(c) Research the virus to see if it is benign
(d) Restore an uninfected version of the patched file from backup media
(e) I am not attempting this question

Q84
A risk assessment approach must fulfill which criteria? [ 1 Mark ]

(a) Identifying the impacts of losses of confidentiality, integrity and availability might have on the assets.
(b) Identifying the threats and vulnerabilities, and any other applicable security requirements.
(c) Identify the assets and owners of these assets.
(d) All of the above
(e) I am not attempting this question

Q85
Which of the following best allows risk management results to be used knowledgeably? [ 1 Mark ]

(a) A likelihood assessment
(b) An uncertainty analysis
(c) A threat identification
(d) A vulnerability analysis
(e) I am not attempting this question

Q86
Which of the following is currently the most recommended water system for a computer room? [ 1 Mark ]

(a) Deluge
(b) Preaction
(c) Dry pipe
(d) Wet pipe
(e) I am not attempting this question

Q87
Which type of control is concerned with avoiding occurrences of risks? [ 1 Mark ]

(a) Preventive controls
(b) Detective controls
(c) Deterrent controls
(d) Compensating controls
(e) I am not attempting this question

Q88
Which among these is a risk assessing technique? [ 1 Mark ]

(a) Compound
(b) Aggregate
(c) Monetary
(d) Basic
(e) I am not attempting this question

Q89
Which of the following is the backdoor to an application created by a developer? [ 1 Mark ]

(a) Trap Door
(b) Easter egg
(c) Trojan Horse
(d) Loop Hole
(e) I am not attempting this question

Q90
The estimated life time of a device or the estimated timeframe until a component within a device gives out is called ___________. [ 1 Mark ]

(a) MTBF
(b) MTTR
(c) UPS
(d) MTTB
(e) I am not attempting this question.

2 comments:

Lalitha Rao said...

Very useful blog. I have got the general knowledge of NCFM.NCFM Academy hyderabad

Lalitha Rao said...

Very useful blog. I have got the general knowledge of NCFM.NCFM Academy hyderabad