Title: WGU D430 FUNDAMENTALS OF INFORMATION SECURITY: 2025–2026 LATEST EXAM WITH MOST TEST QUESTIONS (HARVARD STYLE)
Description: WGU D430 FUNDAMENTALS OF INFORMATION SECURITY: 2025–2026 LATEST EXAM WITH MOST TEST QUESTIONS (HARVARD STYLE)
Document Preview
WGU D430 FUNDAMENTALS OF INFORMATION SECURITY: 2025–2026 LATEST EXAM WITH MOST TEST QUESTIONS (HARVARD STYLE)
COVERS CORE TOPICS IN WGU D430 INCLUDING CYBERSECURITY PRINCIPLES, RISK MANAGEMENT, NETWORK SECURITY, THREATS, VULNERABILITIES, AND INCIDENT RESPONSE
...
Which cybersecurity term is defined as the potential for an attack on a resource?
A Impact
B Vulnerability
C Risk
D Threat - CORRECT ANSWER-D
Which security type deliberately exposes a system's vulnerabilities or resources to an attacker?
A Intrusion detection
B Firewalls
C Honeypots
D Intrusion prevention - CORRECT ANSWER-C
Which tool can be used to map devices on a network, along with their operating system types and versions?
A Packet sniffer
B Packet filter
C Port scanner
D Stateful firewall - CORRECT ANSWER-C
Which web attack is a server-side attack?
A Clickjacking
B Cross-site scripting
C SQL injection
D Cross-site request forgery - CORRECT ANSWER-C
An organization employs a VPN to safeguard its information
...
Fortunately, no data was lost or altered while the server was offline
...
Which security principle is being attacked?
A Possession
B Integrity
C Confidentiality
D Availability - CORRECT ANSWER-D
A new start-up company has started working on a social networking website
...
Which cyber defense concept should the start-up company use to maintain the confidentiality of its source code?
A Alarm systems
B Account permissions
C Antivirus software
D File encryption - CORRECT ANSWER-D
A company has an annual audit of installed software and data storage systems
...
This determination helps the auditor ensure that the proper defense mechanisms are in place to protect critical data
...
Which security solution should be implemented?
A SSH/FTP
B AES
C SSL/TLS
D VPN - CORRECT ANSWER-C
What is an example of symmetric key encryption?
A MD5
B RSA
C AES
D ECC - CORRECT ANSWER-C
Which asymmetric cryptographic algorithm can provide confidentiality for data in motion?
A AES
B MD5
C RSA
D 3DES - CORRECT ANSWER-C
A company has just completed an audit of disaster protection strategies
...
The company has implemented tape backups using 8mm digital audio tapes
...
This installation operates in a harsh environment that is subjected to heat, humidity, and magnetic fields
...
They plan to camp in tents for the summer at the edge of a national park and to use optical media to back up photos and research notes
...
As a result, employees sometimes shut down the power accidentally when they leave the data center
...
Which type of cryptographic tool should the company use to protect the integrity of its open source applications?
A Symmetric cryptography
B Hash functions
C Block cipher
D Asymmetric cryptography - CORRECT ANSWER-B
After considerable research, attackers directed a spear phishing attack at employees at a single bank
...
Which type of control should be implemented to prevent future spear phishing attacks?
A Mutual authentication
B Strong passwords
C Employee training
D Input validation - CORRECT ANSWER-C
A company has instituted a policy to prevent data leakage
...
Which principle that is part of the Parkerian hexad but not the CIA triad would be violated if one of these devices was stolen?
A Confidentiality
B Integrity
C Possession
D Authenticity - CORRECT ANSWER-C
A company is concerned about potential phishing attacks through email
...
Which security principle that is part of the Parkerian hexad but not part of the CIA triad is precipitating this policy change?
A Confidentiality
B Authenticity
C Control
D Utility - CORRECT ANSWER-B
Which two principles of the CIA triad can be violated by a fabrication attack?
A Integrity and authenticity
B Integrity and availability
C Confidentiality and integrity
D Confidentiality and availability - CORRECT ANSWER-B
Which two principles of the CIA triad can be violated by an interruption attack?
A Confidentiality and availability
B Confidentiality and integrity
C Integrity and availability
D Integrity and authenticity - CORRECT ANSWER-C
Which attack category targets the confidentiality of data?
A Interruption
B Modification
C Interception
D Fabrication - CORRECT ANSWER-C
A bank website accepts online loan applications
...
Which federal law protects consumers' financial information?
A SOX
B GLBA
C FERPA
D HIPAA - CORRECT ANSWER-B
A retail store has hired a third party to audit its computer and network systems that process credit card payments
...
Which regulation are they addressing?
A GLBA
B PCI DSS
C FCRA
D HIPAA - CORRECT ANSWER-B
A hospital allows its patients to pay by credit card
...
What does the European Union Directive 95/46/EC regulation safeguard for the purchaser?
A Personally identifiable information
B Computer fraud and abuse
C Unfair trade practices
D Right to return goods - CORRECT ANSWER-A
Which U.S. law defines security standards exclusively for federal agencies?
A HIPAA
B FERPA
C GLBA
D FISMA - CORRECT ANSWER-D
Which principle of the Parkerian hexad is the auditor addressing?
A Possession
B Integrity
C Authenticity
D Utility - CORRECT ANSWER-D
Which web attack is possible due to a lack of input validation?
A Extraneous files
B Clickjacking
C SQL injection
D Cross-site request forgery - CORRECT ANSWER-C
Which file action implements the principle of confidentiality from the CIA triad?
A Compression
B Hash
C Backup
D Encryption - CORRECT ANSWER-D
Which cyber defense concept suggests limiting permissions to only what is necessary to perform a particular task?
A Authentication
B Authorization
C Defense in depth
D Principle of least privilege - CORRECT ANSWER-D
A company institutes a new policy that "All office computer monitors must face toward employees and must face away from doorways."
Which principle of the CIA triad is this company applying?
A Availability
B Confidentiality
C Utility
D Integrity - CORRECT ANSWER-B
At a small company, an employee makes an unauthorized data alteration
...
Which aspect of data is the organization attempting to protect?
A Integrity
B Possession
C Availability
D Authenticity - CORRECT ANSWER-A
Which aspect of the CIA triad is violated by an unauthorized database rollback or undo?
A Availability
B Identification
C Integrity
D Confidentiality - CORRECT ANSWER-C
A company's website has suffered several denial of service (DoS) attacks and wishes to thwart future attacks
...
Which principle of the CIA triad is this requirement implementing?
A Utility
B Integrity
C Availability
D Confidentiality - CORRECT ANSWER-C
A company's IT policy manual states that "All company computers, workstations, application servers, and mobile devices must have current versions of antivirus software."
Which security principle is this policy addressing?
A Interruption
B Confidentiality
C Control
D Availability - CORRECT ANSWER-B
A company's website policy states that "To gain access to the corporate website, each employee must provide a valid user name and password, and then answer one of six security questions accurately
...
Which vulnerability should be addressed in the organization's security policy?
A Pretexting
B Phishing
C Baiting
D Tailgating - CORRECT ANSWER-D
A company wants to update its access control policy
...
Which type of access control policy should be implemented?
A Mandatory
B Physical
C Discretionary
D Attribute-based - CORRECT ANSWER-D
A new software development company has determined that one of its proprietary algorithms is at a high risk for unauthorized disclosure
...
Which procedure should the company implement to protect this asset?
A Transfer the algorithm onto servers in the demilitarized zone
...
C Relocate the algorithm to encrypted storage
...
- CORRECT ANSWER-C
An accounting firm stores financial data for many customers
...
The company implements a written policy indicating an employee can be fired for violating this requirement
...
B Remove unneeded services
...
D Remove unnecessary software
...
The sales force can also update its profiles and profile photos, but not the product information
...
Which content access permissions should be granted to the sales force based on the principle of least privilege?
A Read and limited write access
B Read and write access
C Limited write access only
D Limited read access only - CORRECT ANSWER-A
A corporation has discovered that some confidential personnel information has been used inappropriately
...
B Only allow access to department heads and executives
...
D Only allow access to those who work in the human resources department
...
The malware then infects the operating system
...
B Uninstall unnecessary software
...
D Limit user account privileges
...
An attacker used a stolen username and password to log in to an employee email account
...
Which security failure is being addressed by this training module?
A Tailgating
B Pretexting
C Malware infections
D Weak passwords - CORRECT ANSWER-D
Which tool should an application developer use to help identify input validation vulnerabilities?
A scanner
B filter
C fuzzer
D sniffer - CORRECT ANSWER-C
A systems administrator enables operating system logging to capture unsuccessful login attempts
...
Which tool can locate this vulnerability?
A Antivirus software
B Asymmetric encryption
C Honeypot
D Access control list - CORRECT ANSWER-A
Which type of tool can be used to detect vulnerabilities in source code related to improper handling of user input?
A Fuzzer
B Port scanner
C Honeypot
D Sniffer - CORRECT ANSWER-A
A petroleum company has a group of computers used to monitor flow of materials in the refining process
...
Which type of security will be able to help protect its software against theft?
A Network
B Physical
C Operating system
D Application - CORRECT ANSWER-B
An organization wants to minimize the impact of user credential theft by ensuring that only HR staff can access employee personal information
...
B Apply the latest software patches
...
D Turn on logging and auditing
...
Which security tool should it implement?
A Antivirus
B Fuzzer
C Firewall
D Scanner - CORRECT ANSWER-A
A small IT firm is required to authenticate remote customers who access the firm's network
...
The administrator has assigned the appropriate permissions to the files
...
Which security standard should the restaurant follow?
A FISMA
B PCI DSS
C SOX
D FERPA - CORRECT ANSWER-B
In addition to a username and corresponding password, a desktop application asks users to submit a special code
...
Which authentication technique is the phone application providing?
A Something you have
B Something you are
C Something you know
D Something you do - CORRECT ANSWER-A
Employees are required to swipe their access cards and then to use an iris scanner to access protected areas in the company's data center
...
It decides to encrypt databases that contain HIPAA information
...
An attacker uses a phishing scam to gain the credentials of a user who is a member of the marketing group, and then reads the file
...
The web server locks up and must be restarted to restore functionality
...
Which component of the CIA triad has been compromised?
A Confidentiality
B Integrity
B Availability
D Authenticity - CORRECT ANSWER-B
Which U.S. law regulates the confidentiality and accuracy of a publicly traded corporation's financial reports?
A FERPA
B FISMA
C HIPAA
D SOX - CORRECT ANSWER-D
Something that has the potential to cause harm to our assets is known as a(n) ________
...
A Physical controls
B Logical controls
C Administrative controls - CORRECT ANSWER-B
During what phase of the incident response process do we determine what happened, why it happened, and what we can do to keep it from happening again?
A Containment
B Detection and Analysis
C Preparation
D Post-incident Activity
E Recovery - CORRECT ANSWER-D
The biometric characteristic that measures how well a factor resists change over time and with advancing age is called __________
...
A Authentication
B Authorization
C Identification
D Identity verification - CORRECT ANSWER-A
A fingerprint is considered what type of authentication?
A Something you know
B Something you have
C Something you are
D Something you do
E Where you are - CORRECT ANSWER-C
A password or PIN is considered what type of authentication?
A Something you have
B Something you are
C Something you do
D Where you are
E Something you know - CORRECT ANSWER-E
What type of access control can prevent the confused deputy problem?
A Capability-based security
B A password policy
C ACLs
D A locked door - CORRECT ANSWER-A
A user who creates a network share and sets permissions on that share is employing which model of access control?
A Attribute-based access control
B Role-based access control
C Mandatory access control
D Discretionary access control - CORRECT ANSWER-D
A client-side attack that involves the attacker placing an invisible layer over something on a website that the user would normally click on, in order to execute a command differing from what the user thinks they are performing, is known as ___________
...
is a military-support branch consisting of 1,400 computers with Internet access and 250 servers
...
From the options listed below, what access control model would be most appropriate for this organization?
A Discretionary access control
B Role-based access control
C Attribute-based access control
D Mandatory access control - CORRECT ANSWER-D
Nessus is an example of a(n) _______________ tool
...
Fortunately, the new system you installed took action and refused traffic from the source before you even had a chance to respond
...
He denies that he was there during that time, but the existence of the video log proves otherwise
...
A Accountability
B Authentication
C Access
D Nonrepudiation
E Authorization - CORRECT ANSWER-A
Backordered Parts is a defense contractor that builds communications parts for the military
...
Due to the sensitive nature of the business, Backordered Parts would like to implement a solution that secures all browser connections to the Web servers
...
The company is concerned that a wily, computer-savvy competitor will send e-mail messages pretending to be from Shovels and Shingles to its customers, in an attempt to gather customer information
...
A Integrity, confidentiality
B Availability, integrity
C Confidentiality, availability
D Confidentiality, integrity
E Integrity, availability - CORRECT ANSWER-A
The science of breaking through encryption is known as _____
...
Which of the options below is an example of this industry compliance?
A FISMA
B PCI DSS
C SOX
D HIPAA
E GLBA - CORRECT ANSWER-B
______ sets limits on the use and disclosure of patient information and grants individuals rights over their own health records
...
A SOX
B PCI DSS
C FERPA
D HIPAA
E FISMA - CORRECT ANSWER-E
______ protects the privacy of students and their parents
...
A FERPA
B HIPAA
C GLBA
D FISMA
E SOX - CORRECT ANSWER-E
______ protects the customers of financial institutions
...
You set a timer to turn lights and the TV on and off at various times throughout the day, suspend the mail delivery, and arrange for a neighbor to come in and water the plants
...
A Competitive business
B Business intelligence
C Business competition
D Counter intelligence
E Competitive intelligence - CORRECT ANSWER-E
The study that was conducted to discover the cause of the information leak during the Vietnam War was codenamed ________ and is now considered a symbol of OPSEC
...
As you pass through the door, you notice someone right behind you
...
What social engineering technique is demonstrated in this example?
A Spear phishing
B Tailgating
C Pretexting
D Phishing - CORRECT ANSWER-B
Your IT department has implemented a comprehensive defense in depth strategy to protect your company resources
...
Policies are in place to recover from any major security risk
...
You recommend a variety of approaches, including a security guard stationed at the entrance, a high fence around the property, and key card entry to all nonpublic areas
...
The new servers are up and running, and normal operations have resumed
...
What is your primary concern before they auction off the old hardware?
A Data redundancy
B Data availability
C Data backups
D Residual data - CORRECT ANSWER-D
What planning process ensures that critical business functions can continue to operate during an emergency?
A Disaster recovery planning
B Operations security planning
C Risk management planning
D Incident response planning
E Business continuity planning - CORRECT ANSWER-E
Which of the options below demonstrates all three types of physical security controls: deterrent, detective, and preventive?
A warning sign
B employee policy
C burglar alarm
D guard dog
E locked door - CORRECT ANSWER-D
What planning process ensures that we can respond appropriately during and after a disaster?
A Operations security process
B Risk management process
C Incident response planning
D Business continuity planning
E Disaster recovery planning - CORRECT ANSWER-E
A tool that deliberately displays vulnerabilities in an attempt to bait attackers is called _____________
...
A Proxy server
B Intrusion detection system
C Web server
D Packet sniffer
E FTP server - CORRECT ANSWER-A
_____________ is a popular, fully featured sniffer capable of intercepting traffic from a wide variety of wired and wireless sources
...
A Kismet
B Wireshark
C NetStumbler
D Hping3 - CORRECT ANSWER-A
Which well-known tool is a scanner with a large and broad set of functionality?
A Hping3
B NetStumbler
C Metasploit
D Stuxnet
E Nmap - CORRECT ANSWER-E
Which tool is a well-known vulnerability assessment tool that also includes a port scanner?
A NetStumbler
B Immunity CANVAS
C Nessus
D Metasploit - CORRECT ANSWER-C
What security strategy best protects an operating system from buffer overflow attacks?
A Apply software updates
B Implement executable space protection
C Install a host intrusion detection system
D Implement anti-malware tools - CORRECT ANSWER-B
The total of the available avenues through which our operating system might be attacked is called a(n) ________
...
A Intruders
B Exploits
C Fuzzers
D Vulnerabilities
E Scanners - CORRECT ANSWER-B
Which software development vulnerability occurs when multiple processes control or share access to a particular resource, and the correct handling of that resource depends on the proper ordering or timing of transactions?
A Authentication attacks
B Input validation attacks
C Race conditions
D Buffer overflows
E Authorization attacks - CORRECT ANSWER-C
Which Microsoft fuzzing tool examines source code for general good practices?
A MiniFuzz File Fuzzer
B BinScope Binary Analyzer
C Nessus
D Nikto/Wikto
E Burp Suite - CORRECT ANSWER-B
Which tool performs checks for many common server-side vulnerabilities, and creates an index of all the files and directories it can see on the target Web server?
A MiniFuzz File Fuzzer
B BinScope Binary Analyzer
C Nessus
D Nikto/Wikto
E NetStumbler - CORRECT ANSWER-D
Which of the following is not a major category of database security issues?
A Privilege escalation
B Arbitrary code execution
C Unauthenticated access
D Improper indexing
E Protocol issues - CORRECT ANSWER-D
Which type of tool bombards our application with data and inputs from a wide variety of sources in an attempt to cause the application to fail or behave unexpectedly?
A Fuzzers
B Web application analysis tools
C Exploit frameworks
D Scanners
E Vulnerability assessment tools - CORRECT ANSWER-A
What is information security?
A Protecting information and information systems from unauthorized trust, use, disclosure, disruption, modification, or destruction
...
C Protecting information and information systems from unauthorized access, use, disclosure, displacement, modification, or destruction
...
- CORRECT ANSWER-D
Named for Donn Parker and introduced in his book Fighting Computer Crime, provides us with a somewhat more complex variation of the classic CIA triad
...
- CORRECT ANSWER-Parkerian hexad
Proper attribution to the owner or creator of the data
...
- CORRECT ANSWER-Possession
How useful the data is
...
The form of unauthorized file viewing or copying, eavesdropping on phone conversations, or reading e-mail, and can be conducted against data at rest or in motion
...
These attacks affect ____________, such as a DDOS attack, but can be an attack on integrity as well
...
Such attacks might primarily be considered an ______________ attack but could also represent an availability attack
...
However, if we consider the case where the file in question is a configuration file that manages how a particular service behaves, perhaps one that is acting as a Web server, we might affect the availability of that service by changing the contents of the file
...
Primarily affects ____________ but could be considered an availability attack as well
...
- CORRECT ANSWER-Fabrication
Eavesdropping on a phone is an example of ____________
...
- CORRECT ANSWER-Interruption
Altering a web server config file is an example of _______________
...
- CORRECT ANSWER-Risk
Weaknesses that can be used to harm us
...
- CORRECT ANSWER-Threat
The value of the asset is used to assess if a risk is present
...
- CORRECT ANSWER-Identifying and Categorizing Assets
_____________ controls are those that protect the systems, networks, and environments that process, transmit, and store our data
...
- CORRECT ANSWER-Logical and Technical Controls
_____________ are based on rules, laws, policies, procedures, guidelines, and other items that are "paper" in nature
...
One important concept when we discuss this type of control is the ability to enforce compliance with them
...
- CORRECT ANSWER-Administrative Controls
Identifying and categorizing the assets we are trying to protect
...
- CORRECT ANSWER-Step 2: Identify Threats
Identify any weaknesses that exist in our assets
...
- CORRECT ANSWER-Step 4: Assess Risks
Put controls in place
...
- CORRECT ANSWER-Authorization
What dictates that we should only allow the bare minimum of access, as needed?
A Principle of least privilege
B ACL
C Policy
D User rights - CORRECT ANSWER-A
True or False
...
A True
B False - CORRECT ANSWER-A
Often referred to as "ackles," are a very common choice of access control implementation
...
- CORRECT ANSWER-Access control lists (ACLs)
1 - Identification
2 - Authentication
3 - Authorization
4 - Access - CORRECT ANSWER-Accountability
Monitors and reports malicious events
...
- CORRECT ANSWER-Deterrence
Evidence exists where an individual is unable to deny he or she has made a statement or taken action
...
- CORRECT ANSWER-Intrusion Prevention Systems (HIPS and NIPS)
What is auditing?
A The primary means to ensure accountability through technical means
B Tracking system activity
C A way to track what systems are on your network
D The primary means to ensure accountability through non-technical means - CORRECT ANSWER-A
________ provides a framework for ensuring the effectiveness of information security controls in government
...
This requires each federal agency to develop, document, and implement an information security program to protect its information and information systems
...
- CORRECT ANSWER-Health Insurance Portability and Accountability Act (HIPAA)
________ protects the privacy of students and their parents
...
- CORRECT ANSWER-The Family Educational Rights and Privacy Act (FERPA)
_____________ regulates the financial practice and governance of corporations and is designed to protect investors and the general public by establishing requirements regarding reporting and disclosure practices
...
Requires financial institutions to safeguard a consumer's "nonpublic personal information," or NPI - CORRECT ANSWER-The Gramm-Leach-Bliley Act (GLBA)
True or False
...
A True
B False - CORRECT ANSWER-B
FISMA refers to ____
...
S
...
C As long as the laws are abided by, industry standards without legal impacts may be ignored
...
- CORRECT ANSWER-A
PII is personally identifiable information
...
A auditing
B competitive intelligence
C cloud computing
D OPSEC - CORRECT ANSWER-C
A tool used to test the security of firewalls
...
- CORRECT ANSWER-Kismet
A versatile tool able to scan ports, search for hosts on the network, and other operations
...
- CORRECT ANSWER-Tcpdump
A graphical interface protocol analyzer capable of filtering, sorting, and analyzing both wired and wireless network traffic
...
A Malware signature
B HIDS
C Software firewall
D Buffer overflow - CORRECT ANSWER-B
A category of tools, or more accurately, a category of sets of tools, called an ___________
...
- CORRECT ANSWER-Race Condition
Occurs when we do not properly account for the size of the data input into our applications
...
When another person views the Web page or media, he or she executes the code automatically, and the attack is carried out
...
Every person reading the command in her browser would execute the attack
...
- CORRECT ANSWER-Cross-site scripting (XSS)
Attack is similar to XSS, in a general sense
...
For instance, such a link might cause the browser to add items to our shopping cart on Amazon or transfer money from one bank account to another
...
- CORRECT ANSWER-Clickjacking
________________ is a web-related technology used to develop web pages while ____________ refers to an attack where malicious code is embedded into the web page
...
What is the most effective way of mitigating these attacks?
A Authenticating the user on the server-side
B Authenticating the user on the client-side
C Validating user inputs
D Turning on database logging
E Keeping the software patched - CORRECT ANSWER-C
Strictly following secure coding guidelines is critical to application security