1. Which component of the CIA Triad ensures that information is not disclosed to unauthorized individuals, processes, or devices?
A. Confidentiality
B. Integrity
C. Availability
D. Authenticity
Correct Answer: Confidentiality
Explanation: Confidentiality is the property that data or information is not made available or disclosed to unauthorized persons or processes.

2. In the context of information security, what does Non-repudiation guarantee?
A. Data is accessible when needed
B. The sender cannot deny having sent the message
C. The data has not been altered in transit
D. The identity of the user is hidden
Correct Answer: The sender cannot deny having sent the message
Explanation: Non-repudiation ensures that the subject of an activity, or the party who caused an event, cannot deny that the event occurred. It is often achieved using digital signatures.

3. Which of the following is an example of a Technical (Logical) Control?
A. Security Policy Manual
B. Perimeter Fence
C. Firewall Access Control List (ACL)
D. Security Awareness Training
Correct Answer: Firewall Access Control List (ACL)
Explanation: A Firewall ACL is a technical control implemented through software or hardware systems to restrict access, unlike fences (physical) or policies (administrative).

4. A disgruntled employee intentionally deletes critical database files. What type of threat actor does this represent?
A. Script Kiddie
B. Insider Threat
C. Hacktivist
D. Advanced Persistent Threat (APT)
Correct Answer: Insider Threat
Explanation: An Insider Threat comes from individuals within the organization, such as employees or contractors, who have authorized access but misuse it.

5. What defines the total sum of vulnerabilities and exposure points that an attacker can use to enter a system?
A. Attack Vector
B. Attack Surface
C. Threat Matrix
D. Risk Appetite
Correct Answer: Attack Surface
Explanation: The Attack Surface is the sum of the different points (the 'attack vectors') where an unauthorized user can try to enter data to or extract data from an environment.

6. Which social engineering attack specifically targets high-profile individuals like CEOs or CFOs?
A. Phishing
B. Vishing
C. Whaling
D. Dumpster Diving
Correct Answer: Whaling
Explanation: Whaling is a specific form of spear phishing aimed at high-value targets ('big fish') within an organization, such as senior executives.

7. In cryptography, which concept implies that the output should look completely different from the input, even if the input changes slightly?
A. Confusion
B. Diffusion
C. Collision
D. Salting
Correct Answer: Diffusion
Explanation: Diffusion implies that a change in a single bit of the plaintext should result in the change of many bits in the ciphertext, spreading the information across the output.
8. If User A wants to send an encrypted message to User B using Asymmetric Encryption for confidentiality, which key does User A use to encrypt the data?
A. User A's Private Key
B. User A's Public Key
C. User B's Private Key
D. User B's Public Key
Correct Answer: User B's Public Key
Explanation: To ensure confidentiality in asymmetric encryption, the sender encrypts with the recipient's (User B's) Public Key. Only User B can decrypt it with their Private Key.

9. Which mathematical operation is fundamental to the Diffie-Hellman key exchange protocol?
A. Integer Factorization
B. Discrete Logarithms
C. Elliptic Curve integration
D. XOR summation
Correct Answer: Discrete Logarithms
Explanation: Diffie-Hellman relies on the computational difficulty of solving Discrete Logarithms in a finite field (computing from ).

10. What is the primary function of a Hash Function?
A. To encrypt data for confidentiality
B. To compress data for storage
C. To map data of arbitrary size to fixed-size values
D. To exchange private keys securely
Correct Answer: To map data of arbitrary size to fixed-size values
Explanation: A Hash Function takes an input (or 'message') and returns a fixed-size string of bytes, typically a digest, used to verify integrity.

11. Which of the following algorithms is a Symmetric cipher?
A. RSA
B. AES
C. ECC
D. Diffie-Hellman
Correct Answer: AES
Explanation: AES (Advanced Encryption Standard) is a symmetric encryption algorithm. RSA, ECC, and Diffie-Hellman are asymmetric (public key) algorithms.

12. In the context of PKI, what is the role of a Certificate Authority (CA)?
A. To store the user's private key
B. To issue and verify digital certificates
C. To generate random session keys
D. To act as a firewall for the network
Correct Answer: To issue and verify digital certificates
Explanation: A Certificate Authority (CA) is a trusted entity that issues digital certificates, which bind a public key to an identity.

13. What is Steganography?
A. Scrambling text to make it unreadable
B. Hiding the existence of data within another file
C. Creating a digital signature
D. Verifying the identity of a sender
Correct Answer: Hiding the existence of data within another file
Explanation: Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video, effectively hiding the existence of the communication.

14. Which principle states that a subject should be given only those privileges necessary to complete its task?
A. Separation of Duties
B. Least Privilege
C. Defense in Depth
D. Security through Obscurity
Correct Answer: Least Privilege
Explanation: The Principle of Least Privilege (PoLP) requires that a module (such as a user or a process) be able to access only the information and resources that are necessary for its legitimate purpose.
15. Which attack involves an attacker following an authorized person into a secure area without their knowledge?
A. Tailgating
B. Dumpster Diving
C. Shoulder Surfing
D. Phishing
Correct Answer: Tailgating
Explanation: Tailgating (or piggybacking) involves an attacker seeking entry to a restricted area without proper authentication by following closely behind an authorized person.

16. What type of malware demands payment to restore access to the victim's data?
A. Spyware
B. Ransomware
C. Adware
D. Rootkit
Correct Answer: Ransomware
Explanation: Ransomware is a type of malicious software that encrypts the victim's data and demands payment (ransom) for the decryption key.

17. What is the result of the XOR operation: ?
A. 1
B.
C. 2
D. 10
Correct Answer:
Explanation: The XOR (Exclusive OR) operation returns 0 if the inputs are the same. and . It returns 1 if inputs are different.

18. Which component of AAA controls what a user is allowed to do after they have been identified?
A. Authentication
B. Authorization
C. Accounting
D. Audit
Correct Answer: Authorization
Explanation: Authorization determines the permissions and resources the authenticated user can access.

19. RSA security is based on the computational difficulty of which mathematical problem?
A. Elliptic Curve Discrete Logarithm
B. Integer Factorization of large prime products
C. Knapsack Problem
D. Traveling Salesman Problem
Correct Answer: Integer Factorization of large prime products
Explanation: RSA relies on the fact that while it is easy to multiply two large prime numbers, it is computationally infeasible to factor the resulting product back into the original primes.

20. Which standard format is used for Digital Certificates?
A. X.509
B. PKCS#7
C. PGP
D. Kerberos
Correct Answer: X.509
Explanation: X.509 is the standard defining the format of public key certificates used in many Internet protocols (like TLS/SSL).

21. What is a Zero-Day vulnerability?
A. A vulnerability fixed 0 days ago
B. A flaw known to the vendor but not the public
C. A flaw unknown to the software vendor/developer
D. A virus that deletes data in 0 days
Correct Answer: A flaw unknown to the software vendor/developer
Explanation: A Zero-Day vulnerability is a software security flaw that is known to the vendor, and for which no patch or fix exists yet.
22. Which type of control is a security camera (CCTV) primarily considered?
A. Preventive
B. Detective
C. Corrective
D. Compensating
Correct Answer: Detective
Explanation: CCTV is primarily a Detective control because it records events for review. It can be a deterrent (preventive), but its main function is to detect and record activity.

23. In cryptography, what is Salting?
A. Adding random data to a password before hashing
B. Encrypting the hash with a private key
C. Using two different algorithms
D. Repeating the hashing process multiple times
Correct Answer: Adding random data to a password before hashing
Explanation: Salting involves adding unique, random data to a password before hashing it to defend against rainbow table attacks and ensure identical passwords have different hashes.

24. Which of the following is a characteristic of Symmetric Encryption?
A. It uses two different keys
B. It is slower than asymmetric encryption
C. It faces a key distribution problem
D. It provides non-repudiation naturally
Correct Answer: It faces a key distribution problem
Explanation: Symmetric encryption uses a single shared key. Securely sharing this key with the recipient without interception is known as the Key Distribution Problem.

25. What is the block size of AES (Advanced Encryption Standard)?
A. 64 bits
B. 128 bits
C. 192 bits
D. 256 bits
Correct Answer: 128 bits
Explanation: AES operates on a fixed block size of 128 bits, regardless of whether the key length is 128, 192, or 256 bits.

26. Who are Script Kiddies?
A. Highly skilled state-sponsored hackers
B. Hackers who write their own zero-day exploits
C. Unskilled attackers using existing tools/scripts
D. Insiders with database access
Correct Answer: Unskilled attackers using existing tools/scripts
Explanation: Script Kiddies are individuals with little technical skill who use pre-existing scripts, tools, or exploits written by others to launch attacks.

27. What does a Digital Signature provide?
A. Confidentiality and Availability
B. Integrity and Non-repudiation
C. Authorization and Encryption
D. Compression and Speed
Correct Answer: Integrity and Non-repudiation
Explanation: A Digital Signature ensures the data has not been altered (Integrity) and proves the origin of the sender (Non-repudiation).

28. Which mechanism checks the revocation status of a digital certificate in real-time?
A. CRL (Certificate Revocation List)
B. OCSP (Online Certificate Status Protocol)
C. CSR (Certificate Signing Request)
D. CA (Certificate Authority)
Correct Answer: OCSP (Online Certificate Status Protocol)
Explanation: OCSP is an internet protocol used for obtaining the revocation status of an X.509 digital certificate in real-time, unlike the periodically downloaded CRL.
29. Which attack involves an attacker inserting themselves between two communicating parties to intercept or alter data?
A. DoS (Denial of Service)
B. Man-in-the-Middle (MitM)
C. SQL Injection
D. Brute Force
Correct Answer: Man-in-the-Middle (MitM)
Explanation: A Man-in-the-Middle (MitM) attack occurs when an attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other.

30. What is the primary motivation of a Hacktivist?
A. Financial Gain
B. Political or Social Cause
C. National Security
D. Curiosity
Correct Answer: Political or Social Cause
Explanation: Hacktivists are motivated by political, social, or religious ideologies and use hacking to promote their cause.

31. Which hashing algorithm is currently considered insecure due to collision vulnerabilities?
A. SHA-256
B. SHA-3
C. MD5
D. Whirlpool
Correct Answer: MD5
Explanation: MD5 is considered cryptographically broken and insecure because researchers have found efficient ways to generate collisions (two different inputs producing the same hash).

32. In the context of Block Ciphers, what is Padding?
A. Adding extra bits to the key to increase strength
B. Adding data to the plaintext to fill the last block
C. Removing bits to compress the file
D. Encrypting the data twice
Correct Answer: Adding data to the plaintext to fill the last block
Explanation: Block ciphers process data in fixed sizes. If the plaintext is not a multiple of the block size, Padding is added to fill the final block.

33. Which security concept relies on layering multiple defensive mechanisms?
A. Single Point of Failure
B. Defense in Depth
C. Open Design
D. Obfuscation
Correct Answer: Defense in Depth
Explanation: Defense in Depth is a strategy that leverages multiple security measures to protect an organization's assets. If one line of defense is compromised, others exist.

34. What is Vishing?
A. Video Phishing
B. Voice Phishing
C. Virtual Phishing
D. Visual Phishing
Correct Answer: Voice Phishing
Explanation: Vishing (Voice Phishing) is a social engineering attack that involves the use of the telephone to scam the user into surrendering private information.

Explanation: Ephemeral Diffie-Hellman generates a unique session key for every conversation. If the long-term private key is compromised later, past sessions remain secure.

36. What is the output length of the SHA-256 algorithm?
A. 128 bits
B. 160 bits
C. 256 bits
D. 512 bits
Correct Answer: 256 bits
Explanation: As the name implies, SHA-256 produces a 256-bit (32-byte) message digest.
37. Which control is designed to restore systems and data after a security incident?
A. Preventive
B. Detective
C. Corrective
D. Deterrent
Correct Answer: Corrective
Explanation: Corrective controls are implemented to restore systems to normal after an unwanted event has occurred (e.g., restoring backups).

38. In the CIA Triad, ensuring that data is accurate and free from tampering refers to:
A. Confidentiality
B. Integrity
C. Availability
D. Authorization
Correct Answer: Integrity
Explanation: Integrity ensures that data remains accurate, consistent, and has not been altered by unauthorized people or processes.

39. What is a Supply Chain Attack?
A. Attacking the physical shipping trucks
B. Compromising a third-party vendor to breach the target
C. Stealing supplies from the office
D. Denying power supply to the server room
Correct Answer: Compromising a third-party vendor to breach the target
Explanation: A Supply Chain Attack targets less secure elements in the supply network (like software vendors or partners) to gain access to the primary target.

40. Which of the following is a stream cipher?
A. AES
B. DES
C. RC4
D. RSA
Correct Answer: RC4
Explanation: RC4 is a stream cipher (encrypts bit-by-bit or byte-by-byte), whereas AES and DES are block ciphers.

41. What distinguishes Elliptic Curve Cryptography (ECC) from RSA?
A. ECC uses larger keys for same security
B. ECC provides the same security with smaller key sizes
C. ECC is a symmetric algorithm
D. ECC cannot be used for digital signatures
Correct Answer: ECC provides the same security with smaller key sizes
Explanation: ECC offers equivalent security to RSA but with significantly smaller key sizes, making it more efficient for mobile devices and smart cards.

42. What is the 'Chain of Trust' in PKI?
A. A blockchain ledger
B. The hierarchy of CAs verifying each other up to a Root CA
C. The cable locking a server to the rack
D. The link between the user and their password
Correct Answer: The hierarchy of CAs verifying each other up to a Root CA
Explanation: The Chain of Trust refers to the hierarchical validation path from a user's certificate through intermediate CAs up to a trusted Root CA.

43. Which type of physical security control is a Mantrap?
A. Preventive
B. Detective
C. Administrative
D. Logical
Correct Answer: Preventive
Explanation: A Mantrap is a preventive physical control consisting of a small space with two interlocking doors, preventing tailgating and controlling entry.
44. What is Social Engineering?
A. Hacking into social media servers
B. Manipulating people into divulging confidential information
C. Analyzing social networks for data mining
D. Building engineering teams socially
Correct Answer: Manipulating people into divulging confidential information
Explanation: Social Engineering relies on psychological manipulation of people to perform actions or divulge confidential information, rather than on technical hacking.

45. What is the primary difference between a Threat and a Vulnerability?
A. A threat is a weakness; a vulnerability is a potential danger
B. A threat is a potential danger; a vulnerability is a weakness
C. They are synonyms
D. A threat is internal; a vulnerability is external
Correct Answer: A threat is a potential danger; a vulnerability is a weakness
Explanation: A Vulnerability is a weakness in the system (e.g., a bug). A Threat is a potential cause of an unwanted incident that may exploit that vulnerability.

46. In a Digital Signature process using RSA, which key is used to sign the hash of the message?
A. Sender's Private Key
B. Sender's Public Key
C. Receiver's Private Key
D. Receiver's Public Key
Correct Answer: Sender's Private Key
Explanation: To create a digital signature, the sender encrypts the hash of the message with their own Private Key. Verification is done using the sender's Public Key.

47. What is Pretexting in social engineering?
A. Searching through trash
B. Creating a fabricated scenario to steal information
C. Looking over someone's shoulder
D. Following someone through a door
Correct Answer: Creating a fabricated scenario to steal information
Explanation: Pretexting involves creating an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information.

48. Which principle suggests that the security of a cryptosystem should not depend on the secrecy of the algorithm itself?
A. Kerckhoffs's Principle
B. Moore's Law
C. Murphy's Law
D. Principle of Least Privilege
Correct Answer: Kerckhoffs's Principle
Explanation: Kerckhoffs's Principle states that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

49. What is the specific risk associated with Quantum Computing regarding current cryptography?
A. It will make symmetric keys too large
B. It can solve factorization and discrete log problems efficiently
C. It creates more hash collisions
D. It slows down internet traffic
Correct Answer: It can solve factorization and discrete log problems efficiently
Explanation: Shor's algorithm on a quantum computer can efficiently solve integer factorization and discrete logarithm problems, rendering current public-key algorithms (RSA, ECC) insecure.

50. Which of the following best describes Data at Rest?
A. Data traveling over the network
B. Data currently being processed by RAM
C. Data stored on a hard drive or backup tape
D. Data displayed on a monitor
Correct Answer: Data stored on a hard drive or backup tape
Explanation: Data at Rest refers to inactive data that is stored physically in any digital form (e.g., databases, files on disk), as opposed to data in transit or in use.