Which of the following best describes an implicit deny principle?
A. All actions that are not expressly denied are allowed.
B. All actions that are not expressly allowed are denied.
C. All actions must be expressly denied.
D. None of the above. - answers b
What is the intent of least privilege?
A. Enforce the most restrictive rights required by users to run system processes.
B. Enforce the least restrictive rights required by users to run system processes.
C. Enforce the most restrictive rights required by users to complete assigned tasks.
D. Enforce the least restrictive rights required by users to complete assigned tasks. - answers c
Which of the following models is also known as an identity-based access control model?
A. Discretionary access control
B. Role-based access control
C. Rule-based access control
D. Mandatory access control - answers a
A central authority determines which files a user can access. Which of the following best
describes this?
A. An access control list (ACL)
B. An access control matrix
C. Discretionary access control model
D. Nondiscretionary access control model - answers d
A central authority determines which files a user can access based on the organization's
hierarchy. Which of the following best describes this?
A. Discretionary access control model
B. An access control list (ACL)
C. Rule-based access control model
D. Role-based access control model - answers d
Which of the following best describes a rule-based access control model?
A. It uses local rules applied to users individually.
B. It uses global rules applied to users individually.
C. It uses local rules applied to all users equally.
D. It uses global rules applied to all users equally. - answers d
What type of access control model is used on a firewall?
A. Mandatory access control model
B. Discretionary access control model
C. Rule-based access control model
D. Role-based access control model - answers c
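The implicit-deny question and the two rule-based access control questions above describe the same mechanism a packet filter uses: an ordered, global rule list applied to every subject equally, evaluated first-match, with a default that applies when nothing matches. The following Python is an added illustration and not part of the original question set; the rule list, the addresses and the packet tuples are constructed for the demo.

```python
"""Rule-based access control with an implicit-deny default, evaluated
first-match the way a firewall ruleset is.  Added example; the rules and
the traffic below are constructed, not taken from any real policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # CIDR such as "10.0.0.0/8", or "any"
    dst_port: Optional[int]   # None matches every port
    proto: str                # "tcp", "udp" or "any"

    def matches(self, src_ip: str, dst_port: int, proto: str) -> bool:
        """Every field is a global condition; the user's identity never enters."""
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return True


def evaluate(rules: List[Rule], src_ip: str, dst_port: int, proto: str,
             default: str = "deny") -> str:
    """First matching rule wins.  When no rule matches, `default` applies:
    default="deny" is implicit deny (answer B above); default="allow"
    is the implicit-allow posture of answer A."""
    for rule in rules:
        if rule.matches(src_ip, dst_port, proto):
            return rule.action
    return default


# Constructed ruleset.  Order matters: the explicit deny for the lab range
# is listed first so it is hit before the broad HTTPS allow.
RULES = [
    Rule("deny", "192.168.0.0/16", None, "any"),   # explicit deny
    Rule("allow", "10.0.0.0/8", 22, "tcp"),        # SSH from the corporate range
    Rule("allow", "any", 443, "tcp"),              # HTTPS from anywhere
]


def decide_all(rules: List[Rule], packets, default: str = "deny"):
    """Evaluate a batch of (src_ip, dst_port, proto) tuples; returns a list of verdicts."""
    return [evaluate(rules, ip, port, proto, default) for ip, port, proto in packets]


if __name__ == "__main__":
    sample = [("10.1.2.3", 22, "tcp"), ("8.8.8.8", 22, "tcp"),
              ("8.8.8.8", 443, "tcp"), ("192.168.1.1", 443, "tcp"),
              ("203.0.113.5", 3389, "udp")]
    for pkt, verdict in zip(sample, decide_all(RULES, sample)):
        print(pkt, "->", verdict)
```

The only difference between the two philosophies in the question is the last line of `evaluate`: the rules are identical, but unmatched traffic (RDP over UDP from an outside address in the sample) is dropped under implicit deny and passed under implicit allow. That is why the firewall question's answer is "rule-based": the decision depends on the global rule set and the packet's attributes, never on who the user is.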
Which of the following best describes a characteristic of the mandatory access control
model?
A. Employs explicit-deny philosophy
B. Permissive
C. Rule-based
D. Prohibitive - answers d
Which of the following can help mitigate the success of an online brute-force attack?
A. Rainbow table
B. Account lockout
C. Salting passwords
D. Encryption of password - answers b
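Salting and hashing protect stored passwords if the database leaks (an offline attack); they do nothing against an attacker who simply submits guesses to the live login endpoint. Account lockout is the control that stops the online guessing itself. The following Python is an added example, not part of the original question set: the threshold, the lockout window and the test credentials are assumed values, and the injectable clock exists only so the lockout expiry can be exercised without waiting.

```python
"""Account lockout against online brute force.  Added example; the
thresholds, credentials and clock below are constructed for the demo."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_FAILURES = 5          # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900     # assumed policy: 15-minute lockout
PBKDF2_ROUNDS = 50_000    # low for the demo; production uses a tuned, higher value


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AuthService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {}
        self.clock = clock

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns "ok", "denied" or "locked".  Lockout is checked before the
        password so a locked account rejects even the correct password."""
        now = self.clock()
        acct: Optional[Account] = self.accounts.get(user)
        if acct is None:
            _hash(password, b"\x00" * 16)   # keep timing similar for unknown users
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"


def brute_force(service: AuthService, user: str, guesses: List[str]) -> List[str]:
    """Simulated online attack: submit each guess in turn and record the verdicts."""
    return [service.login(user, g) for g in guesses]


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")   # constructed credential
    wordlist = ["password", "123456", "qwerty", "letmein", "welcome", "admin"]
    print(brute_force(svc, "alice", wordlist))
```

The trade-off a practitioner should note: a hard lockout lets an attacker who knows a username deny service to its owner, which is why many deployments pair a short lockout with exponential back-off or a challenge rather than a long hard lock. The defence also needs to be applied per account and per source, since a password-spraying attacker stays under the per-account threshold by trying one guess across many accounts.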
What type of attack uses email and attempts to trick high-level executives?
A. Phishing
B. Spear phishing
C. Whaling
D. Vishing - answers c
Which one of the following tools is used primarily to perform network discovery scans?
A. Nmap
B. Nessus
C. Metasploit
D. lsof - answers a
Which one of the following is not normally included in a security assessment?
A. Vulnerability scan
B. Risk assessment
C. Mitigation of vulnerabilities
D. Threat assessment - answers c
Who is the intended audience for a security assessment report?
A. Management
B. Security auditor
C. Security professional
D. Customers - answers a
Which one of the following tests provides the most accurate and detailed information
about the security state of a server?
A. Unauthenticated scan
B. Port scan
C. Half-open scan
D. Authenticated scan - answers d
Badin Industries runs a web application that processes e-commerce orders and handles
credit card transactions. As such, it is subject to the Payment Card Industry Data
Security Standard (PCI DSS). The company recently performed a web vulnerability
scan of the application and it had no unsatisfactory findings. How often must Badin
rescan the application?
A. Only if the application changes
B. At least monthly
C. At least annually
D. There is no rescanning requirement. - answers c
Grace is performing a penetration test against a client's network and would like to use a
tool to assist in automatically executing common exploits. Which one of the following
security tools will best meet her needs?
A. nmap
B. Metasploit
C. Nessus
D. Snort - answers b
Paul would like to test his application against slightly modified versions of previously
used input. What type of test does Paul intend to perform?
A. Code review
B. Application vulnerability review
C. Mutation fuzzing
D. Generational fuzzing - answers c
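Mutation fuzzing starts from a known-good input and applies small changes (bit flips, byte substitutions, insertions, truncation), feeding each variant to the target and recording anything that is not a clean accept or a clean reject; generational fuzzing, by contrast, builds inputs from a grammar or model of the format without a seed. The following Python is an added example, not part of the original question set: the length-prefixed record format, the seed and the bug in `parse_record` (it trusts the length field and indexes past the buffer) are all constructed for the demo.

```python
"""Mutation fuzzing against a toy record parser.  Added example; the
format, the parser's bug and the seed input are constructed for the demo."""
import random
from collections import Counter
from typing import Dict, Tuple

MUTATORS = ("bitflip", "byteset", "insert", "truncate")


def parse_record(data: bytes) -> bytes:
    """Toy format: 4-byte big-endian length, payload, 1-byte XOR checksum.
    Deliberately trusts the length field (constructed bug): an overlong
    length makes data[4 + n] index past the buffer."""
    if len(data) < 5:
        raise ValueError("short record")
    n = int.from_bytes(data[:4], "big")
    payload = data[4:4 + n]
    checksum = data[4 + n]           # IndexError when n overruns the buffer
    actual = 0
    for b in payload:
        actual ^= b
    if actual != checksum:
        raise ValueError("bad checksum")
    return payload


def make_seed(payload: bytes) -> bytes:
    """Build a well-formed record to mutate from."""
    chk = 0
    for b in payload:
        chk ^= b
    return len(payload).to_bytes(4, "big") + payload + bytes([chk])


def mutate(seed: bytes, rng: random.Random, which: str) -> bytes:
    """Apply one small change to the seed; the result is still mostly valid,
    which is what lets mutation fuzzing get past early format checks."""
    buf = bytearray(seed)
    if which == "bitflip":
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif which == "byteset":
        i = rng.randrange(len(buf))
        buf[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))   # boundary values
    elif which == "insert":
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes([rng.randrange(256)])
    elif which == "truncate":
        del buf[-1:]
    return bytes(buf)


def fuzz(seed: bytes, iterations: int = 200, rng_seed: int = 1) -> Tuple[Counter, Dict[str, bytes]]:
    """Run the target on mutated inputs.  ValueError is the parser's own
    rejection and is counted as 'rejected'; any other exception is a crash,
    and the first input that triggered each crash type is kept for triage."""
    rng = random.Random(rng_seed)
    findings: Counter = Counter()
    crashes: Dict[str, bytes] = {}
    for i in range(iterations):
        which = MUTATORS[i % len(MUTATORS)]   # cycle so every mutator is exercised
        case = mutate(seed, rng, which)
        try:
            parse_record(case)
            findings["accepted"] += 1
        except ValueError:
            findings["rejected"] += 1
        except Exception as exc:              # anything else is a bug in the target
            name = type(exc).__name__
            findings[name] += 1
            crashes.setdefault(name, case)
    return findings, crashes


if __name__ == "__main__":
    seed = make_seed(b"hello world")          # constructed seed record
    summary, found = fuzz(seed)
    print(summary)
    for kind, case in found.items():
        print(kind, case.hex())
```

The harness separates the parser's own rejections from genuine crashes, which is the distinction that matters when triaging fuzzer output; every truncated variant in this run reaches the out-of-range read, so the crash reproduces deterministically from the saved input.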
Users of a banking application may try to withdraw funds that don't exist from their
account. Developers are aware of this threat and implemented code to protect against
it. What type of software testing would most likely catch this type of vulnerability if the
developers have not already remediated it?
A. Misuse case testing
B. SQL injection testing
C. Fuzzing
D. Code review - answers a
What type of interface testing would identify flaws in a program's command-line
interface?
A. Application programming interface testing
B. User interface testing
C. Physical interface testing
D. Security interface testing - answers b
During what type of penetration test does the tester always have access to system
configuration information?
A. Black box penetration test