
CS205 MIDTERM MCQ | OBJECTIVE PREPARATION

1. Security hardening follows_____ step methodology.


2

2. Validation of control implementation is done by


InfoSec team

Chief Information Officer

Chief Operating Officer

Senior management

3. Implementation on PRODUCTION & monitoring contains these steps except:


Monitor closely for 24-48 hours after moving to PROD

Rollback in case of unforeseen circumstances

IT team SOP finalized and now ops task

Update checklist with status column

4. ISMC stands for:


Information Security Management Committee

Information security Management Council

Internet Security Management Committee

Internet Standard Management Committee

5. If the account lockout threshold is set to “0” on a Windows Server 2012 member server, then:
The account will never be locked, despite several failed login attempts
The account will be locked and the system will have to be rebooted
Will require administrator to unlock the account
Will have to disconnect from network
6. _________________ is the part of Information Security Awareness.
Procedure
Standard
Policy
Training
7. What does the check content explain about a rule in a DISA STIG?
Describes the control
Describes the benefit of implementing the control
Tells how to check whether control is implemented or not
Tells how to apply control

8. The purpose of the information security lifecycle is to ensure that___________________.


Project management is conducted adequately
The sequence is documented
There is a completion date to security projects
All security projects & activities consistently follow the same sequence and steps

9. For effective information security implementation, the security journey should start
with___________.
Developing comprehensive policies and procedures
Management commitment
Security hardening and vulnerability management of IT assets
A penetration test
10. A policy is ___________________.
Mandatory and limited in scope to a department
Mandatory and applies to entire organization; signed off by senior management
Not mandatory but a guideline only
Signed off by information security department

11. What are the three types of redundant site models in an enterprise network?
Hot site, cold site and warm site
Primary site, secondary site and DR site
Highly available site, fault tolerant site and DR site
Both a & b

12. What do you mean by RTO in a business continuity plan?


Minimum frequency of backups
Maximum downtime an organization can handle
Maximum age of files that an organization must recover from backup storage for normal
operations to resume after disaster
Both a & b

13. The 4 layer security transformation model and ISMS requirements and controls
__________________.
Are both separate security programs
Are both separate security projects
May form essential elements of the security program
None of the given

14. Which of the following is not an IT Security function?


Network security

Systems security

Governance

Mobile security

15. Three Pillars of Information Security are:


People, process and technology

Confidentiality, integrity and availability

People process and governance

None of these

16. Three Pillars for implementation of Information Security are:


People, process and technology

Confidentiality, integrity and availability

People process and governance

None of these

17. Keeping information in its original form is coined as:


Confidentiality

Integrity

Availability

18. In the Bangladesh Bank SWIFT hack (Feb 2016), hackers used the SWIFT credentials of
Bangladesh Central Bank employees to send more than -------- fraudulent money transfer
requests
Two dozen

three dozen

four dozen

twelve dozen

19. In Bangladesh Bank SWIFT Hack – Feb 2016, what amount was stolen?
USD 18 MILLION

USD 81 million

USD 28 MILLION

20. As per PWC Global Economic Crime Report 2016, ______ was amongst the top 3 most
commonly reported types of economic crime
Information hack

Cyber Crime

Data breach

21. CISO stands for:

Chief Information Security Officer

Chief Inspector Security Officer

Chief Internet Security Officer

22. PCSA Stands for

Pakistan Chief Security Alliance

Pakistan Central Security Association

Pakistan Cyber Security Association

23. Pakistan ranked almost at the _____ of the table in the ITU international ranking

Top

Bottom

Middle

24. Who Are The Players In Information Security?


International organizations

Professional associations

Vendors and suppliers

All of these
25. CIRT stands for

Computer Incident Response Team

Computer Information Response Team

Common Incident Response Team

Computer Incident Reporting Team

26. Which of these is not a Professional association?


ISACA

APCERT

OWASP

Cloud Security Alliance

27. Third layer of Information Security Transformation Framework:

Security Governance

Security Engineering

Security Hardening

Security Fastening

28. What is MSB

Minimum Security Baseline

Maximum Security Baseline

Minimum Security Breach

29. Nessus and Qualys are internal tools used for:

Security Hardening

Security Implementation

Vulnerability Management
30. Core governance activities do not include:

Change management

incident management

internal audit

Performance reviews

31. Security in the “trenches” means:

Security which does not matter

Security in an enterprise

Security at the most fundamental operational layer

32. Responsibility for governance is associated with the

Board and senior management

Board and junior management

Executive Management

Tone at the Top

33. The world’s leading and most widely adopted security governance standard

ISO27000:2013

ISO27001:2013

ISO2701:2012

ISO27001:2016

34. ISO27001:2013 contains ten short clauses and a long Annex with

114 controls in 14 groups

114 controls in 4 groups

104 controls in 14 groups


114 controls in 24 groups

35. Which of the following is Mandatory?


SOP

Policy

Guideline

36. Yardstick to help achieve the policy goals:

Standard

Policy

SOP

Guidelines

37. Social engineering prevention is an example of:

Policy

Guideline

SOP

Standard

38. Sum-total of all activities planned and executed by the organization to meet its security
objectives is called

Security Program

Security Project

Security Cycle

39. In the CIS benchmark categories, which category contains the maximum number of
benchmarks?
Multifunction print devices

Operating systems(36)

Mobile devices

Desktop software
40. In the CIS benchmark categories, which category contains the minimum number of
benchmarks?
Multifunction print devices(1)

Operating systems

Mobile devices

Desktop software

41. What is the total number of CIS benchmarks?


105

107

117

108

42. Control content of CIS benchmarks contains:


Description, Rationale, Audit, Remediation, Default Value, References

Profile applicability (ASA 8.X, ASA 9.X), Description, Rationale, Audit, Remediation, Default Value,
References

Profile applicability (ASA 8.X, ASA 9.X), Remediation, Default Value, References

43. In the CIS benchmark for session timeout, if the default timeout is 0, this means
The console session will be handled by administrator

The console session will not time out

The console session will immediately timeout

44. According to CIS, _____ is intended for environments or use cases where security is
paramount
Level 1

Level 2

CCI

45. In the CIS benchmark for ensuring maximum password age, values for this policy setting
range from
0 to 990 days

1 to 999 days

0 to 999 days.
46. In the CIS benchmark for ensuring maximum password age, if you set the value to 0,
The password will never expire

The password will need to be changed

Default password will be used

47. In unclassified version of DISA STIGs, how many STIGs are available?
420

409

427

425

48. Any vulnerability, the exploitation of which has a potential to result in loss of
Confidentiality, Availability, or Integrity is a:
CAT 1

CAT 2

CAT 3

49. Status on Checklist screens does not include


Not reviewed

Open

Not recommended

Not a finding

Not applicable

50. The account lockout feature, when enabled, prevents ______ attacks on the system.
Security breach

Virus

brute-force password

malicious intruder

51. The network devices must time out access to the console port at 10 minutes or less of
inactivity. This benchmark has severity of:
CAT 3

CAT2
CAT 1

52. DISA uses ____ as an implementation tool.


CAT

SCAP

NESSUS

None of these

53. For small and medium sized organizations, what is well suited?
DISA

CIS

Both

54. Autoplay must be disabled for all drives. This CIS benchmark has the severity of:
CAT 1

CAT 2

CAT3
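Questions 48, 49, 51 and 54 cover the two things a STIG Viewer checklist records per rule: its CAT severity and its status (Not Reviewed, Open, Not a Finding, Not Applicable). The script below is an added example, not code from the page or from DISA, that reads a checklist in the shape of a STIG Viewer .ckl file (STIG_DATA attribute/value pairs plus a STATUS under each VULN) and produces the numbers a hardening status report needs: counts per CAT and status, the open items with CAT I first, and the rules nobody has reviewed yet. The sample checklist is constructed: the rule titles are the ones quoted in the questions, but the V-EXAMPLE IDs and the severities are placeholders for the demo, not the real STIG values.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# .ckl severity strings map to the DISA categories.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
# Status values as STIG Viewer writes them (displayed as "Not a Finding" etc.).
STATUSES = ("Open", "NotAFinding", "Not_Applicable", "Not_Reviewed")

# Constructed rows for the sample checklist: (Vuln_Num, Severity, Rule_Title, STATUS).
# IDs and severities are placeholders for the demo, not the STIGs' real values.
_ROWS = [
    ("V-EXAMPLE-1", "high", "Autoplay must be disabled for all drives.", "Open"),
    ("V-EXAMPLE-2", "medium", "The network devices must time out access to the console "
                              "port at 10 minutes or less of inactivity.", "NotAFinding"),
    ("V-EXAMPLE-3", "medium", "Shells must not have group/world-write permissions.",
                              "Not_Reviewed"),
    ("V-EXAMPLE-4", "high", "The account lockout threshold must not be 0.", "Open"),
    ("V-EXAMPLE-5", "low", "Placeholder low-severity rule.", "Not_Applicable"),
]


def _stig_data(attribute, value):
    return (f"<STIG_DATA><VULN_ATTRIBUTE>{attribute}</VULN_ATTRIBUTE>"
            f"<ATTRIBUTE_DATA>{value}</ATTRIBUTE_DATA></STIG_DATA>")


def _vuln(vid, severity, title, status):
    return ("<VULN>" + _stig_data("Vuln_Num", vid) + _stig_data("Severity", severity)
            + _stig_data("Rule_Title", title) + f"<STATUS>{status}</STATUS></VULN>")


# Shaped like a STIG Viewer .ckl export (assumption: only the elements read below).
SAMPLE_CKL = ("<CHECKLIST><STIGS><iSTIG>" + "".join(_vuln(*row) for row in _ROWS)
              + "</iSTIG></STIGS></CHECKLIST>")


def load_checklist(ckl_text):
    """Flatten every VULN into {vuln, cat, title, status}; reject unknown statuses."""
    root = ET.fromstring(ckl_text)  # use defusedxml for checklists from untrusted sources
    vulns = []
    for node in root.iter("VULN"):
        attrs = {d.findtext("VULN_ATTRIBUTE"): d.findtext("ATTRIBUTE_DATA")
                 for d in node.findall("STIG_DATA")}
        status = node.findtext("STATUS")
        if status not in STATUSES:
            raise ValueError(f"{attrs.get('Vuln_Num')}: unexpected STATUS {status!r}")
        vulns.append({
            "vuln": attrs.get("Vuln_Num"),
            "cat": SEVERITY_TO_CAT.get((attrs.get("Severity") or "").lower(), "unknown"),
            "title": attrs.get("Rule_Title"),
            "status": status,
        })
    return vulns


def summarize(vulns):
    """Counter keyed by (CAT, status): the numbers a hardening status report needs."""
    return Counter((v["cat"], v["status"]) for v in vulns)


def open_findings(vulns):
    """Open items with CAT I first, which is the order they get fixed in."""
    rank = {"CAT I": 0, "CAT II": 1, "CAT III": 2}
    return sorted((v for v in vulns if v["status"] == "Open"),
                  key=lambda v: rank.get(v["cat"], 3))


def unreviewed(vulns):
    """Not_Reviewed items are gaps in the assessment, not evidence of compliance."""
    return [v["vuln"] for v in vulns if v["status"] == "Not_Reviewed"]


if __name__ == "__main__":
    items = load_checklist(SAMPLE_CKL)
    for (cat, status), count in sorted(summarize(items).items()):
        print(f"{cat:8} {status:15} {count}")
    for v in open_findings(items):
        print(f"OPEN {v['cat']}: {v['vuln']} {v['title']}")
    print("not reviewed:", unreviewed(items))
```

Two points worth keeping from the code: Not_Reviewed and Not_Applicable are excluded from the compliance picture rather than silently counted as passes, and open CAT I items are listed before CAT II and CAT III because a CAT I finding (loss of confidentiality, availability or integrity is directly possible) is what blocks an authorization decision.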

55. Shells with ______ permissions give the ability to maliciously modify the shell to obtain
unauthorized access.

world/group-read

world/group-write

world/group-update
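The check behind Q55 is a permission-bit test on every login shell the system advertises: a shell binary that group or world can write to lets an attacker replace the code every user executes at login. The script below is an added example, not code from the page or from any STIG tooling. It reads a shells list in the format of /etc/shells (one path per line, # comments), follows symlinks such as /bin/sh to the real binary, and reports entries with g+w or o+w set or entries that point at a missing file. The fixture it builds in a temporary directory is constructed for the demo; on a real host pass the path of /etc/shells.

```python
import os
import stat
import tempfile


def is_group_or_world_writable(path):
    """True if the file behind `path` (symlinks followed) has the g+w or o+w bit set."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def read_shells(shells_file):
    """Paths listed in an /etc/shells-style file, skipping blanks and # comments."""
    with open(shells_file) as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]


def audit_shells(shells_file="/etc/shells"):
    """Return (shell, finding) pairs; an empty list means every listed shell is clean."""
    findings = []
    for shell in read_shells(shells_file):
        if not os.path.exists(shell):
            findings.append((shell, "listed but missing"))
        elif is_group_or_world_writable(shell):
            findings.append((shell, "group/world-writable"))
    return findings


def build_fixture():
    """Constructed fixture: two fake shells, one correct (0755), one group-writable (0775),
    plus a dangling entry. Returns the path of the generated shells list."""
    base = tempfile.mkdtemp(prefix="shells-demo-")
    good = os.path.join(base, "goodsh")
    bad = os.path.join(base, "badsh")
    for path, mode in ((good, 0o755), (bad, 0o775)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexec /bin/sh \"$@\"\n")
        os.chmod(path, mode)  # set explicitly so the umask does not change the demo
    shells_file = os.path.join(base, "shells")
    with open(shells_file, "w") as fh:
        fh.write(f"# constructed list for the demo\n{good}\n{bad}\n{os.path.join(base, 'gone')}\n")
    return shells_file


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    for shell, finding in audit_shells(target) or [("(none)", "no findings")]:
        print(f"{shell}: {finding}")
```

Remediation for a flagged shell is `chmod go-w <shell>`; a complete check would also confirm root ownership, since a shell writable by a non-root owner is the same problem by another route.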

56. By default, Oracle Net Listener permits only ______ for security reasons
local administration

remote administration

senior administration

57. The syntax needed to rename the system administrator (sa) login:

ALTER LOGIN sa WITH ACCOUNT = <different_user>;

ALTER LOGIN sa WITH NAME = <different_user>;

CHANGE LOGIN sa WITH NAME = <different_user>;


RENAME LOGIN sa WITH NAME = <different_user>;

58. Setting REMOTE_OS_ROLES to _____ allows operating system groups to control Oracle roles
TRUE

False

59. McAfee is
Enterprise VirusScan

Web Defender

PC Optimizer

60. The default value for the benchmark Configure 'Do not allow users to enable or disable
add-ons' is:
ENABLED

DISABLED

61. IDN Stands for:


Internationalized Domain Names

Internal Domain Names

Internet Data Names

62. _________ is a basic network scanning technique used to determine which of a range of
IP addresses map to live hosts

Port Sniffing

MAC Address Spoofing

DNS Enumeration

Ping sweep
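A ping sweep, as Q62 describes it, is just the expansion of an address range followed by one echo probe per address; the part a practitioner has to remember is that a host which filters ICMP looks dead to it. The script below is an added example, not code from the page or from any scanner. It expands a CIDR block with the standard library, probes the hosts concurrently through the system `ping` (iputils flags, so Linux is assumed), and offers a TCP connect fallback where a refused connection still proves the host is up. The `demo_probe` responder and the TEST-NET-1 addresses it pretends answer are constructed so the sweep logic can be exercised offline.

```python
import errno
import ipaddress
import socket
import subprocess
from concurrent.futures import ThreadPoolExecutor


def icmp_probe(ip, timeout=1):
    """One ICMP echo request via the system ping (iputils: -c count, -W timeout in s)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout), ip],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
    )
    return result.returncode == 0


def tcp_probe(ip, port=443, timeout=1):
    """Fallback for hosts that drop ICMP: connected or refused both prove a live host;
    a timeout means filtered or absent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            return sock.connect_ex((ip, port)) in (0, errno.ECONNREFUSED)
        except OSError:
            return False


def any_probe(ip):
    """ICMP first, then TCP/443, so ICMP-filtered hosts are not reported as dead."""
    return icmp_probe(ip) or tcp_probe(ip)


def ping_sweep(cidr, probe=icmp_probe, workers=64):
    """Expand `cidr` to its host addresses, probe them concurrently, return the live ones
    in address order."""
    network = ipaddress.ip_network(cidr, strict=False)
    hosts = [str(h) for h in network.hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, hosts))
    return [host for host, alive in zip(hosts, results) if alive]


def demo_probe(ip):
    """Constructed responder for offline use: two TEST-NET-1 addresses pretend to answer."""
    return ip in {"192.0.2.1", "192.0.2.5"}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real sweep against a range you are authorised to scan, e.g. 10.0.0.0/24.
        print("\n".join(ping_sweep(sys.argv[1], probe=any_probe)))
    else:
        print(ping_sweep("192.0.2.0/29", probe=demo_probe))
```

Only sweep ranges you are authorised to scan; a sweep of a /16 through an IDS is noisy by design, which is also why it is the first thing a detection team tunes alerts for.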

63. The _____ is the most privileged user in an AWS account.


Local account

Root account

Master account

Admin account
64. SAMM Stands for:
Security Assessment and Monitoring Method

Systematic Application Management Model

Service Automation and Maintenance Module

Software Assurance Maturity Model

65. Which of the following does not come under GOVERNANCE business principle?
Strategy & Metrics

Education & Guidance

Threat Assessment

Policy & Compliance

66. Patches are also called:


Fixes

Updates

Amendments

67. There are ____ pre requisites for security hardening.


4

68. The capability of the organization to continue delivery of products or services at acceptable
predefined levels following a disruptive incident is called

Business continuity
Disaster Recovery
Management Commitment

69. Three types of redundant site models are:


Hot site, thunder site, cold site

Hot site, cold site, warm site

Warm site, moderate site, cold site


70. Maximum amount of downtime an organization can handle _______
RTO

RPO

VM

71. One of the challenges in effective implementation of a security transformation project in a
small-sized organization is_______________.
Adhoc culture and lack of discipline
Old and outdated IT environment
Multiple data center sites
Lack of a disaster recovery (DR) site
