WGU C836 Fundamentals of Information Security EXAM 2023 STUDY BUNDLE PACK SOLUTION (Verified Answers)

WGU C836 Quizzes Questions and Answers 2023 (Verified Answers)

1. Which social engineering technique involves impersonating someone else to convince the target to perform some action that they wouldn’t normally do for a stranger?
   A Pretexting
   B Phishing
   C Spear phishing
   D Tailgating
   ANS A Pretexting
2. You swipe your key card to gain access to a secure area of the building. As you pass through the door, you notice someone right behind you. You don’t recall that he was walking behind you a moment ago, nor do you see a key card in his hand. What social engineering technique is demonstrated in this example?
   A Pretexting
   B Phishing
   C Spear phishing
   D Tailgating
   ANS D Tailgating


3. Which of the following is not a best practice for password security?
   A Enforcing complex password requirements
   B Creating a password policy
   C Educating users on password management
   D Teaching users how to manually sync passwords between systems
   E Forcing password expiration intervals
   ANS D Teaching users how to manually sync passwords between systems
4. Your IT department has implemented a comprehensive defense in depth strategy to protect your company resources. The buildings are protected by key card swipes and video surveillance, logins and passwords are required for access to any digital resource, and your network and workstation equipment is properly configured, patched, and protected. Policies are in place to recover from any major security risk. What single entity can invalidate all of these efforts?
   A A USB drive
   B A virus
   C A corrupt file
   D A person
   E A bad hard drive
   ANS D A person

5. Which of the options below is an example of an effective Security Awareness, Training, and Education (SATE) strategy?
   A A periodic email that references the Employee Handbook and includes a link to a required quiz
   B A 3-hour CBT course with a completion certificate, required yearly
   C A daily “security check” question that, if answered correctly, enters the user into a giveaway
   D A biannual conference room training session that offers free coffee and is four hours long
   ANS C A daily “security check” question that, if answered correctly, enters the user into a giveaway
6. The study that was conducted to discover the cause of the information leak during the Vietnam War was codenamed ________ and is now considered a symbol of OPSEC.
   A Sun Tzu
   B Purple Dragon
   C The Art of War
   D Vietnam Viper
   ANS B Purple Dragon

WGU C836 OA Study Guide
1. CIA Triad: Confidentiality, Integrity, Availability
2. Parkerian hexad: Where the CIA triad consists of confidentiality, integrity, and availability, the Parkerian hexad consists of these three principles, as well as possession or control, authenticity, and utility.
3. Confidentiality: Refers to our ability to protect our data from those who are not authorized to view it. Confidentiality can be compromised by the loss of a laptop containing data, a person looking over our shoulder while we type a password, an e-mail attachment being sent to the wrong person, an attacker penetrating our systems, or similar issues.
4. Integrity: Refers to the ability to prevent our data from being changed in an unauthorized or undesirable manner. This could mean the unauthorized change or deletion of our data or portions of our data, or it could mean an authorized, but undesirable, change or deletion of our data. To maintain integrity, we not only need to have the means to prevent unauthorized changes to our data but also need the ability to reverse authorized changes that need to be undone.

5. Availability: Refers to the ability to access our data when we need it. Loss of availability can refer to a wide variety of breaks anywhere in the chain that allows us access to our data. Such issues can result from power loss, operating system or application problems, network attacks, compromise of a system, or other problems. When such issues are caused by an outside party, such as an attacker, they are commonly referred to as a denial of service (DoS) attack.
6. Possession or Control: Refers to the physical disposition of the media on which the data is stored. This enables us, without involving other factors such as availability, to discuss our loss of the data in its physical medium. An example is data stored on multiple devices, of which there could be numerous versions.
7. Authenticity: Attribution as to the owner or creator of the data in question. Authenticity can be enforced through the use of digital signatures.
8. Utility: Refers to how useful the data is to us.
9. Interception: Interception attacks allow unauthorized users to access our data, applications, or environments and are primarily an attack against confidentiality. Interception might take the form of unauthorized file viewing or copying, eavesdropping on phone conversations, or reading e-mail, and can be conducted against data at rest or in motion. Properly executed, interception attacks can be very difficult to detect.
   Affects Confidentiality
10. Interruption: Interruption attacks cause our assets to become unusable or unavailable for our use, on a temporary or permanent basis. Interruption attacks often affect availability but can be an attack on integrity as well. In the case of a DoS attack on a mail server, we would classify this as an availability attack.
   Affects Integrity and Availability
11. Modification: Modification attacks involve tampering with our asset. If we access a file in an unauthorized manner and alter the data it contains, we have affected the integrity of the data contained in the file.
12. Fabrication: Fabrication attacks involve generating data, processes, communications, or other similar activities with a system. Fabrication attacks primarily affect integrity but could be considered an availability attack as well. If we generate spurious information in a database, this would be considered to be a fabrication attack.
   Affects Integrity and Availability
13. Threat: Something that has the potential to cause harm

WGU C836 Fundamentals of Information Security Exam 2023 Questions and Answers (Verified Answers)
1. Which cybersecurity term is defined as the potential for an attack on a resource?
   ANS Threat
2. Which security type deliberately exposes a system’s vulnerabilities or resources to an attack?
   ANS Honeypots
3. Which tool can be used to map devices on a network, along with their operating system and versions?
   ANS Port Scanner
4. Which web attack is a server-side attack?
   ANS SQL injection

5. An organization employs a VPN to safeguard its information. Which security principle is protected by a VPN?
   ANS Data in motion


6. A malicious hacker was successful in a denial of service attack against an institution’s mail server. Fortunately, no data was lost or altered while the server was offline. Which type of attack is this?
   ANS Interruption
7. A company has had several successful denial of service attacks on its email server. Which security principle is being attacked?
   ANS Availability
8. A new start-up company has started working on a social networking website. The company has moved all its source code to a cloud provider and wants to protect this source code from unauthorized access. Which cyber defense concept should the start-up company use to maintain the confidentiality of its source code?
   ANS File encryption
9. A company has an annual audit of installed software and data storage systems. During the audit, the auditor asks how the company’s most critical data is used. This determination helps the auditor ensure that the proper defense mechanisms are in place to protect critical data. Which principle of the Parkerian hexad is the auditor addressing?
   ANS Utility
10. Which web attack is possible due to a lack of input validation?
   ANS SQL injection
11. Which file action implements the principle of confidentiality from the CIA triad?
   ANS Encryption

WGU C836 Fundamentals of Information Security Terms
1. Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction: Information Security
2. Companies that process credit card payments must comply with this set of standards: Payment Card Industry Data Security Standard (PCI DSS)
3. Used to keep something private or minimally known: Confidentiality
4. Refers to the ability to prevent our data from being changed in an unauthorized or undesirable manner: Integrity
5. Refers to the ability to access our data when we need it: Availability
6. A type of attack, primarily against confidentiality: Interception
7. Something that has the potential to cause harm to our assets: Threat

8. A weakness that can be used to harm us: Vulnerability
9. The likelihood that something bad will happen: Risk
10. An attack that causes our assets to become unusable or unavailable for our use, on a temporary or permanent basis: Interruption attack
11. An attack that involves tampering with our assets: Modification attack
12. A model that adds three more principles to the CIA triad: Possession or Control, Authenticity, and Utility: Parkerian hexad
13. The physical disposition of the media on which the data is stored: Possession or control
14. Allows for attribution as to the owner or creator of the data in question: Authenticity
15. Refers to how useful the data is to us: Utility
16. An attack that involves generating data, processes, communications, or other similar activities with a system: Fabrication attack
17. One of the first and most important steps of the risk management process: Identify assets

18. A multilayered defense that will allow us to achieve a successful defense should one or more of our defensive measures fail: defense in depth
19. Based on rules, laws, policies, procedures, guidelines, and other items that are “paper” in nature: administrative controls
20. Sometimes called technical controls, these protect the systems, networks, and environments that process, transmit, and store our data: logical controls
21. Controls that protect the physical environment in which our systems sit, or where our data is stored: physical controls
22. Involves putting measures in place to help ensure that a given type of threat is accounted for: migrating risk
23. The risk management phase that consists of all of the activities that we can perform in advance of the incident itself, in order to better enable us to handle it: preparation phase
24. The risk management phase where we detect the occurrence of an issue and decide whether it is actually an incident so that we can respond to it appropriately: detection and analysis phase
25. The risk management phase where we determine specifically what happened, why it happened, and what we can do to keep it from happening again: Post-incident activity phase
26. To completely remove the effects of the issue from our environment: Eradication

WGU C836 Fundamentals of Information Security EXAM 2023 Questions and Answers (Verified Answers)
1. Which cybersecurity term is defined as the potential for an attack on a resource?
   A Impact
   B Vulnerability
   C Risk
   D Threat
   ANS D

2. Which security type deliberately exposes a system’s vulnerabilities or resources to an attacker?
   A Intrusion detection
   B Firewalls
   C Honeypots
   D Intrusion prevention
   ANS C
3. Which tool can be used to map devices on a network, along with their operating system types and versions?
   A Packet sniffer
   B Packet filter
   C Port scanner
   D Stateful firewall
   ANS C

4. Which web attack is a server-side attack?
   A Clickjacking
   B Cross-site scripting
   C SQL injection
   D Cross-site request forgery
   ANS C
5. An organization employs a VPN to safeguard its information. Which security principle is protected by a VPN?
   A Data in motion
   B Data at rest
   C Data in use
   D Data in storage
   ANS A
6. A malicious hacker was successful in a denial of service (DoS) attack against an institution’s mail server. Fortunately, no data was lost or altered while the server was offline. Which type of attack is this?
   A Modification
   B Fabrication
   C Interception
   D Interruption
   ANS D

7. A company has had several successful denial of service (DoS) attacks on its email server. Which security principle is being attacked?
   A Possession
   B Integrity
   C Confidentiality
   D Availability
   ANS D
8. A new start-up company has started working on a social networking website. The company has moved all its source code to a cloud provider and wants to protect this source code from unauthorized access. Which cyber defense concept should the start-up company use to maintain the confidentiality of its source code?
   A Alarm systems
   B Account permissions
   C Antivirus software
   D File encryption
   ANS D

9. A company has an annual audit of installed software and data storage systems. During the audit, the auditor asks how the company’s most critical data is used. This determination helps the auditor ensure that the proper defense mechanisms are in place to protect critical data. Which principle of the Parkerian hexad is the auditor addressing?
   A Possession
   B Integrity
   C Authenticity
   D Utility
   ANS D

WGU C836 CHAPTER 1 – 6
1. FISMA (Federal Information Security Modernization Act): this law provides a framework for ensuring the effectiveness of information security controls in federal government
   • changed from Management (2002) to Modernization in 2014
2. HIPAA (Health Insurance Portability and Accountability Act): this law improves the efficiency and effectiveness of the health care system and protects patient privacy
3. FERPA (Family Educational Rights and Privacy Act): this law protects the privacy of students and their parents
4. SOX (Sarbanes-Oxley Act): this law regulates the financial practice and governance of corporations
5. GLBA (Gramm-Leach-Bliley Act): this law protects the customers of financial institutions

6. compliance: relating to an organization’s adherence to laws, regulations, and standards
7. regulatory compliance: Regulations mandated by law usually requiring regular audits and assessments
8. industry compliance: Regulations or standards designed for specific industries that may impact ability to conduct business (e.g. PCI DSS)
9. privacy: the state or condition of being free from being observed or disturbed by other people
10. The Federal Privacy Act of 1974: This act safeguards privacy through the establishment of procedural and substantive rights in personal data
11. privacy rights: Rights relating to the protection of an individual’s personal information
12. PII (Personally Identifiable Information): Information that can be used to identify an individual, and should be protected as sensitive data and monitored for compliance
13. cryptography: the science of keeping information secure
14. Cryptanalysis: The science of breaking through the encryption used to create ciphertext
15. cryptology: The overarching field of study that covers cryptography and cryptanalysis

WGU C836 Pre-assessment 2023 Questions and Answers (Verified Answers)

1. At a small company, an employee makes an unauthorized data alteration.
   Integrity
   Confidentiality
   Availability
   Authenticity
   ANS Integrity
2. An organization plans to encrypt data in transit on a network. Which aspect of data is the organization attempting to protect?
   Authenticity
   Possession
   Availability
   Integrity
   ANS Integrity
3. Which aspect of the CIA triad is violated by an unauthorized database roll back or undo?
   Integrity
   Confidentiality
   Availability
   Identification
   ANS Integrity

4. A company’s website has suffered several denial of service (DoS) attacks and wishes to thwart future attacks. Which security principle is the company addressing?
   Availability
   Confidentiality
   Possession
   Authenticity
   ANS Availability
5. An organization has a requirement that all database servers and file servers be configured to maintain operations in the presence of a failure. Which principle of the CIA triad is this requirement implementing?
   Availability
   Confidentiality
   Utility
   Integrity
   ANS Availability

6. Which tool can be used to map devices on a network, along with their operating system types and versions?
   Port scanner
   Stateful firewall
   Packet filter
   Packet sniffer
   ANS Port scanner
7. Which web attack is a server-side attack?
   SQL injection
   Cross-site scripting
   Cross-site request forgery
   Clickjacking
   ANS SQL injection
8. A new start-up company has started working on a social networking website. The company has moved all its source code to a cloud provider and wants to protect this source code from unauthorized access. Which cyber defense concept should the start-up company use to maintain the confidentiality of its source code?
   File encryption
   Alarm systems
   Antivirus software
   Account permissions
   ANS File encryption

9. A company has an annual audit of installed software and data storage systems. During the audit, the auditor asks how the company’s most critical data is used. This determination helps the auditor ensure that the proper defense mechanisms are in place to protect critical data. Which principle of the Parkerian hexad is the auditor addressing?
   Utility
   Possession
   Authenticity
   Integrity
   ANS Utility

WGU C836 FINAL EXAM 2023 Questions and Answers (Verified Answers)

1. The Fabrication attack type most commonly affects which principle(s) of the CIA triad?
   A. Availability
   B. Integrity
   C. Confidentiality
   D. Integrity and Availability
   E. Confidentiality and Integrity
   ANS Integrity and Availability
2. The Interception attack type most commonly affects which principle(s) of the CIA triad?
   A. Integrity and Availability
   B. Confidentiality and Integrity
   C. Availability
   D. Integrity
   E. Confidentiality
   ANS Confidentiality


3. Something that has the potential to cause harm to our assets is known as a(n) ________.
   A. Threat
   B. Impact
   C. Risk
   D. Vulnerability
   ANS Threat
4. Controls that protect the systems, networks, and environments that process, transmit, and store our data are called ________.
   A. Logical controls
   B. Administrative controls
   C. Physical controls
   ANS Logical Control
5. What is the first and arguably one of the most important steps of the risk management process?
   A. Assess risks
   B. Mitigate risks
   C. Identify threats
   D. Assess vulnerabilities
   E. Identify assets
   ANS Identify assets

6. Protects information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction: information security
7. A type of attack, primarily against confidentiality: Interception
8. Something that has the potential to cause harm to our assets: Threat
9. A weakness that can be used to harm us: Vulnerability
10. The likelihood that something bad will happen: Risk
11. An attack that involves tampering with our assets: Modification attack
12. A model that adds three more principles to the CIA triad: possession or control, utility, and authenticity: Parkerian hexad
13. The physical disposition of the media on which the data is stored: Possession or control
14. An attack that involves generating data, processes, communications, or other similar activities with a system: Fabrication attack
15. A multilayered defense that will allow us to achieve a successful defense should one or more of our defensive measures fail: Defense in depth
16. Sometimes called technical controls, these protect the systems, networks, and environments that process, transmit, and store our data: Logical controls
17. Controls that protect the physical environment in which our systems sit, or where our data is stored: Physical controls
