Ch 1-3
Ch 4-6
Ch 7-10
Ch 11-13
SURPRISE ME!
100

A company cannot use fingerprint scanners at its doors, so it adds security guards who check employee badges instead.
What type of control is this?

What is a compensating control?

100

A campus firewall overheats and stops working, but students can still get online because all traffic is allowed to pass through during the failure.
What type of failure is this?

What is fail-open?

100

Port 443 is associated with this protocol.

What is HTTPS?

100

A script automatically applies security updates every night without anyone having to log in.
What is this process an example of?

What is automation?

100

A device connects to the WiFi in a public place instantly with no login or acceptance page.
What type of network access is this?

What is an open network?

200

An attacker builds a detailed fake story using real internal information to convince an employee to reset a password.
Which social engineering technique is being used?

What is pretexting?

200

A security system spots malicious traffic and alerts the administrators right away.
How is this traffic labeled?

What is positive?

200

A vulnerability tool logs in with approved account credentials so it can inspect settings that non-logged-in users cannot view.
What type of scan is this?

What is a credentialed vulnerability scan?

200

A business chooses team supervisors to verify that requested system upgrades are completed safely and correctly.
Which role does this describe?

What is a change management owner?

200

A manager lists the business processes that must continue during emergencies, such as payroll and customer support.
Which step of risk management is this?

What is Identify Mission Essential Functions?

300

An entity that verifies a user's identity and validates a certificate signing request (CSR).

What is a registration authority?

300

A developer sends unusual characters and unpredictable data into a web form to see whether the application reacts poorly or exposes errors.
What testing method is being used?

What is fuzzing?

300

A hired tester attempts to break into the company’s systems by launching attacks exactly the way a real criminal would.
Which type of penetration test is being performed?

What is an offensive penetration test?

300

A company reviews how a prolonged outage would affect customers, profits, and operations to understand the severity of each risk.
Which risk management step does this describe?

What is analyze business impacts?

300

A tester is provided a partial list of IP addresses but must discover all additional system information independently.
What testing environment is this?

What is gray box or partially known?

400

An attacker creates a fake URL that looks identical to a bank website except for one swapped character. Users who mistype the address are redirected to the malicious page.
Which attack method is this?

What is typosquatting?

400

A switch is set up to forward copies of all traffic from several office computers to a monitoring station for analysis while allowing the original traffic to continue normally.
What is this called?

What is port mirroring?

400

A user wants to install software that the device’s operating system normally blocks, so they modify the system to remove built-in restrictions and allow unapproved apps to run.
What is this action called?

What is jailbreaking?

400

A company backs up its order records every four hours. After a system failure, the business decides it can tolerate losing up to four hours of recent data.

What is the Recovery Point Objective?

400

A company preparing for a regulatory audit hires a third-party security firm to review its controls and verify whether its practices meet required standards. The reviewers have no role within the organization.
What type of assessment is this?

What is an external assessment?

500

Several employees attempt to visit the company’s legitimate payroll website, but their browsers silently redirect them to a fake version even though they typed the correct URL. Investigators discover that the attackers modified DNS entries to reroute all traffic to the spoofed site.

What is pharming?

500

An employee accidentally deletes an entire project folder from the company file server. The administrator restores all missing files by rolling the storage system back to an earlier point in time, without affecting any other systems or virtual machines.
Which backup or recovery method did the administrator use?

What is a filesystem snapshot?

500

A company uses cloud-based virtual servers and storage, but it must install and secure its own operating systems and applications while the provider manages the cloud service.
Which cloud service model is this?

What is infrastructure as a service (IaaS)?

500

A company signs a contract with a cloud provider that requires the provider to meet specific performance targets, such as how quickly services must respond. If these targets are missed, penalties apply.
What type of agreement is this?

What is a Service Level Agreement?

500

An employee logs in to the company portal at the start of the day. After that first login, they can open the email system, project tools, and internal dashboards without entering credentials again for each service.
Which authentication system is this?

What is single sign-on (SSO)?
