CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
1. What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?
A) Business impact analyses
B) Security gap analyses
C) System performance metrics
D) Incident response processes
2. A common concern with poorly written web applications is that they can allow an attacker to:
A) gain control through a buffer overflow.
B) conduct a distributed denial of service (DoS) attack.
C) abuse a race condition.
D) inject structured query language (SQL) statements.
3. Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?
A) Historical cost of the asset
B) Acceptable level of potential business impacts
C) Cost versus benefit of additional mitigating controls
D) Annualized loss expectancy (ALE)
4. A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?
A) Understand the business requirements of the developer portal
B) Perform a vulnerability assessment of the developer portal
C) Install an intrusion detection system (IDS)
D) Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server
5. A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name.Which would be the BEST approach to prevent successful brute forcing of the account?
A) Prevent the system from being accessed remotely
B) Create a strong random password
C) Ask for a vendor patch
D) Track usage of the account by audit trails
A) Business impact analyses
B) Security gap analyses
C) System performance metrics
D) Incident response processes
2. A common concern with poorly written web applications is that they can allow an attacker to:
A) gain control through a buffer overflow.
B) conduct a distributed denial of service (DoS) attack.
C) abuse a race condition.
D) inject structured query language (SQL) statements.
3. Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?
A) Historical cost of the asset
B) Acceptable level of potential business impacts
C) Cost versus benefit of additional mitigating controls
D) Annualized loss expectancy (ALE)
4. A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?
A) Understand the business requirements of the developer portal
B) Perform a vulnerability assessment of the developer portal
C) Install an intrusion detection system (IDS)
D) Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server
5. A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name.Which would be the BEST approach to prevent successful brute forcing of the account?
A) Prevent the system from being accessed remotely
B) Create a strong random password
C) Ask for a vendor patch
D) Track usage of the account by audit trails
1. Right Answer: B
Explanation: A security gap analysis is a process which measures all security controls in place against typically good business practice, and identifies related weaknesses. A business impact analysis is less suited to identify security deficiencies. System performance metrics may indicate security weaknesses, but that is not their primary purpose. Incident response processes exist for cases where security weaknesses are exploited.
2. Right Answer: D
Explanation: Structured query language (SQL) injection is one of the most common and dangerous web application vulnerabilities. Buffer overflows and race conditions are very difficult to find and exploit on web applications. Distributed denial of service (DoS) attacks have nothing to do with the quality of a web application.
3. Right Answer: C
Explanation: The security manager would be most concerned with whether residual risk would be reduced by a greater amount than the cost of adding additional controls. The other choices, although relevant, would not be as important.
4. Right Answer: A
Explanation: The information security manager cannot make an informed decision about the request without first understanding the business requirements of the developer portal. Performing a vulnerability assessment of developer portal and installing an intrusion detection system (IDS) are best practices but are subsequent to understanding the requirements. Obtaining a signed nondisclosure agreement will not take care of the risks inherent in the organization's application.
5. Right Answer: B
Explanation: Creating a strong random password reduces the risk of a successful brute force attack by exponentially increasing the time required. Preventing the system from being accessed remotely is not always an option in mission-critical systems and still leaves local access risks. Vendor patches are not always available, tracking usage is a detective control and will not prevent an attack.
Explanation: A security gap analysis is a process which measures all security controls in place against typically good business practice, and identifies related weaknesses. A business impact analysis is less suited to identify security deficiencies. System performance metrics may indicate security weaknesses, but that is not their primary purpose. Incident response processes exist for cases where security weaknesses are exploited.
2. Right Answer: D
Explanation: Structured query language (SQL) injection is one of the most common and dangerous web application vulnerabilities. Buffer overflows and race conditions are very difficult to find and exploit on web applications. Distributed denial of service (DoS) attacks have nothing to do with the quality of a web application.
3. Right Answer: C
Explanation: The security manager would be most concerned with whether residual risk would be reduced by a greater amount than the cost of adding additional controls. The other choices, although relevant, would not be as important.
4. Right Answer: A
Explanation: The information security manager cannot make an informed decision about the request without first understanding the business requirements of the developer portal. Performing a vulnerability assessment of developer portal and installing an intrusion detection system (IDS) are best practices but are subsequent to understanding the requirements. Obtaining a signed nondisclosure agreement will not take care of the risks inherent in the organization's application.
5. Right Answer: B
Explanation: Creating a strong random password reduces the risk of a successful brute force attack by exponentially increasing the time required. Preventing the system from being accessed remotely is not always an option in mission-critical systems and still leaves local access risks. Vendor patches are not always available, tracking usage is a detective control and will not prevent an attack.
0 Comments
Leave a comment
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
