Exam
Name___________________________________

TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false.

1) As problems caused by human errors are not malicious, they are not security threats.
2) An example of malicious human activity could include an employee who inadvertently installs an old database on top of the current one.
3) Unauthorized data disclosures can occur from malicious human activity.
4) Phishing is a technique for intercepting computer communications.
5) Pretexting occurs when a person receives a confidential SMS by mistake.
6) Sniffing occurs when an intruder uses another site's IP address as if it were that other site.
7) Email spoofing is a synonym for phishing.
8) Drive-by spoofers take computers with wireless connections through an area and search for unprotected wireless networks.
9) Drive-by sniffers can access wireless computer networks.
10) People who intentionally gain unauthorized access to computer systems are called hackers.
11) Faulty service includes incorrectly billing customers or sending the wrong information to employees, but not incorrect data modification.
12) When a hacker floods a Web server with millions of bogus service requests so that it cannot service legitimate requests, this is called a denial-of-service attack.
13) A denial-of-service situation is always the result of a malicious attack.
14) According to the NIST Handbook, responsibility for information security in a particular department rests with the manager of that department.
15) According to the NIST Handbook, defining a security policy and managing computer-security risk are the responsibilities of a company's IT department.
16) According to the elements of company security outlined in the NIST Handbook, computer security cannot be constrained by societal factors.
17) Uncertainty is the likelihood of an adverse occurrence.
18) Uncertainty is different from risk.
19) Risk management can only be approximated because of uncertainty.
20) According to the NIST Handbook, there is always a residual risk that the safeguard will not protect the assets in all circumstances.
21) Intangible consequences are those whose financial impact can be measured.
22) Tangible consequences when an asset is compromised include such things as loss of customer goodwill.
23) Probable loss is the probability that a given asset will be compromised by a given threat, despite the safeguards.
24) Probable loss is concerned only with tangible consequences; it does not include intangible consequences.
25) The Privacy Act of 1974 gives individuals the right to access health data.
26) HIPAA sets limits on who can receive your health information.
27) The Gramm-Leach-Bliley Act set limits on how health care providers use your medical information.
28) Technical safeguards involve the hardware and software components of an information system.
29) Smart cards are convenient and easy to use since they don't require any PIN numbers for authentication.
30) A magnetic strip holds far more data than a microchip.
31) A retina scan would be considered as a biometric authentication technique.
32) Encryption is an example of a technical safeguard.
33) Windows, Linux, Unix, and other operating systems employ Kerberos and can authenticate user requests across networks of computers using a mixture of these operating systems.
34) Wireless networks are more secure than wired networks.
35) To gain access to a wired network, a potential intruder must obtain physical access to the network.
36) It is not possible to protect wireless networks.
37) WEP is the newest and most advanced wireless security standard.
38) With symmetric encryption, both the sender and receiver use the same key to transmit messages.
39) Digital signatures use public keys to encrypt the message digest.
40) Secure Socket Layer (SSL) is a protocol that is restricted to asymmetric encryption.
41) The letters "http://" in the browser's address bar indicate that it is safe to send data over the Internet.
42) When a message is hashed to produce a message digest, the message digest can be unhashed to produce the original message.
43) Public keys are supplied by third parties called certificate authorities.
44) A certificate authority verifies the legitimacy of the business sending the digital certificate.
45) Viruses and worms are examples of malware.
46) A Trojan horse is a virus that masquerades as a useful program or file.
47) Most spyware is benign in that it does not perform malicious acts or steal data.
48) The term bot is a new catch-all term that refers to any type of virus, worm, Trojan Horse, spyware, adware, or other program not installed and controlled by the computer's owner or manager.
49) A botnet is a network of bots that is created and managed by the individual or organization that infected the network with the bot program.
50) Data safeguards are measures used to protect computer hardware from external threat.
51) Employee termination may lead to a security threat for an organization.
52) Business requirements may necessitate opening information systems to the public that can threaten its security. The best safeguard from such threats is to harden the Web site.
53) The different systems procedure types are: normal operations, review, control, and recovery.
54) Cold sites are cheaper to lease than hot sites.
55) Following a disaster, hot sites provide office space, but customers must themselves provide and install the equipment needed to continue operations.

MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.
56) Which of the following is considered malicious human activity?
A) hacking of information systems
B) poorly written programs resulting in losses
C) data loss as a result of flooding
D) an employee who accidentally deletes records

57) The ________ pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, Social Security numbers, account passwords, and so forth.
D) phisher

58) ________ is a technique for intercepting computer communications, either through a physical connection to the network or, in the case of wireless networks, with no physical connection.
D) Sniffing

59) ________ occurs when someone deceives by pretending to be someone else.
C) Baiting
D) Sniffing

60) Email spoofing is a synonym for ________.
B) sniffing
C) phishing
D) hacking

61) ________ take computers with wireless connections through an area and search for unprotected wireless networks and then monitor and intercept wireless traffic at will.
A) Drive-by spoofers
D) Drive-by sniffers

62) Which of the following is an example of a sniffing technique?
C) ad blockers
D) IP spoofing

63) When referring to security threats, pretexting, sniffing, IP spoofing, and phishing are all examples
A) incorrect data modification
B) faulty services
C) unauthorized data disclosure
D) loss of infrastructure

64) ________ occurs when a person gains unauthorized access to a computer system, invading a network to obtain critical data or to manipulate the system for financial gain.
D) Phishing

65) Which of the following could most likely be the result of hacking?
A) pop-up ads appearing frequently
B) an unexplained reduction in your account balance
C) increasing amounts of spam in your inbox
D) certain Web sites being blocked from viewing for security reasons

66) ________ occurs when unauthorized programs invade a computer system and replace legitimate programs, shutting down the legitimate system and substituting their own processing.
D) Spoofing

67) Which of the following usually happens in a malicious denial-of-service attack?
A) A hacker monitors and intercepts wireless traffic at will.
B) A phisher pretends to be a legitimate company and requests confidential data.
C) A hacker floods a Web server with millions of bogus service requests.
D) A hacker uses unauthorized programs to invade a system and replace legitimate programs.

68) Which of the following is an example of a human safeguard?
B) application design
C) database backups
D) procedure design

69) Customers often object to thorough physical searches at airports. Which aspect of computer security described in the NIST Handbook is reflected here?
A) Computer security should be periodically reassessed.
B) Computer security is an integral element of sound management.
C) Computer security is constrained by societal factors.
D) System owners have computer security responsibilities outside their own organizations.

70) Which of the following is a critical security function of senior-management involvement?
A) establishing the security policy and managing risk
B) managing the security program on a real-time basis
C) planning responses to specific security incidents
D) safeguarding computer hardware and software

71) Which of the following is the responsibility of senior management in an organization?
A) protecting the computer network from sneak attacks by installing safeguards
B) training junior employees about the organization's security policy
C) implementing disaster-recovery safeguards in individual departmental systems
D) managing risk by balancing the costs and benefits of the security program

72) Which of the following is NOT an element of organizational security policy?
A) resource-specific policy
B) a general statement of the security program
C) issue-specific policy
D) system-specific policy

73) A security policy covering personal use of computers at work would be an example of a(n)
A) data policy
B) issue-specific policy
C) network security policy
D) system-specific policy

74) An example of a system-specific security policy would be ________.
A) limiting personal use of an organization's computer systems
B) a general statement about the goals of the organization's overall security program
C) deciding what customer data from the order-entry system will be shared with other
D) inspection of an employee's personal email for compliance with company policy

75) Which element of the security policy specifies how the organization will ensure the enforcement of security programs and policies?
A) the system-specific policy
B) the general statement of the security program
C) the network policy
D) the issue-specific policy

76) ________ refers to things we do not know, while ________ is the likelihood of an adverse
A) Assessment; uncertainty
B) Risk; indemnity
C) Vulnerability; risk
D) Uncertainty; risk

77) Which of the following is the first step in risk management?
A) reduce the likelihood of a threat
B) assess what the threats are
C) evaluate the results of the risk management process
D) create perfect hedges to mitigate the risks

78) Which factor of risk assessment refers to the probability that a given asset will be compromised by a given threat, despite the safeguards?
D) consequence

79) Which of the following is an example of an intangible consequence?
A) a loss of customer goodwill due to an outage
B) financial loss reported due to high input costs
C) a dip in sales because the supplies were not replenished
D) reduced production because of plant maintenance

80) A weakness in a security system is known as a system ________.
C) vulnerability
D) failure

81) To obtain a measure of probable loss, companies ________.
A) multiply residual risk by the likelihood of the occurrence
B) multiply likelihood by the cost of the consequences
C) multiply the vulnerability by the probability of the occurrence
D) multiply likelihood by the probability of the occurrence

82) Which of the following is covered by the Gramm-Leach-Bliley Act of 1999?
A) health data created by doctors and other health-care providers
B) information related to national security
C) records maintained by the U.S. government
D) consumer financial data stored by financial institutions

83) Which of the following was passed to give individuals the right to access their own health data created by doctors and other health-care providers?
A) Gramm-Leach-Bliley Act
C) Privacy Act of 1974
D) Sarbanes-Oxley Bill

84) The Privacy Act of 1974 covers ________.
A) records held by banks and other financial institutions
B) records held by private companies
C) records held by the U.S. government
D) records held by medical organizations

85) Which of the following is an example of a technical safeguard?
D) procedure design

86) A(n) ________ card has a microchip on it to hold data.
C) debit
D) ATM

87) Which of the following is used for biometric authentication?
A) personal identification number
C) facial features
D) smart cards

88) Which of the following cards does NOT use a magnetic strip to hold data?
C) debit
D) smart

89) Which of the following statements is true for biometric identification?
A) A major advantage of biometric identification is that it is a relatively cheap mode of
B) One drawback of biometric methods is their unreliability; they provide only weak
C) Users of biometric authentication systems need to enter a PIN for authentication.
D) Biometric authentication often faces resistance from users for its invasive nature.

90) A system called ________ authenticates users without sending their passwords across the
D) WEP

91) The IEEE 802.11 Committee, the group that develops and maintains wireless standards, first developed a wireless security standard called ________.
A) Wireless Security Instruction Set
B) Wireless Fidelity
C) Wi-Fi Protected Access
D) Wired Equivalent Privacy

92) ________ eliminate(s) spoofing of public keys and requires the browser to have a CA's public key.
A) Digital signatures
B) Digital certificates
D) SSL/TSL

93) With ________ encryption, the sender and receiver transmit a message using the same key.
D) symmetric

94) Which of the following observations concerning Secure Socket Layer (SSL) is true?
A) It is a useful hybrid of symmetric and asymmetric encryption techniques.
B) It works between Levels 2 and 3 of the TCP-OSI architecture.
C) It was originally developed by Microsoft.
D) It uses only asymmetric encryption.

95) You are doing an online fund transfer through the Web site of a reputed bank. Which of the following displayed in your browser's address bar will let you know that the bank is using the SSL
D) http

96) ________ is a method of mathematically manipulating the message to create a string of bits that characterize the message.
D) Hashing

97) Which of the following is a technique used to ensure that plaintext messages are received without
A) digital signatures
B) asymmetric encryption
D) symmetric encryption

98) A program that asks a sender to transmit its public key could be fooled. To solve this problem, trusted, independent third-party companies called ________ supply public keys.
A) certificate authorities
B) trojan horses
C) authentication programs
D) true parties

99) ________ is the term used to denote Trojan horses, spyware, and adware.
C) Firewall
D) Malware

100) A virus is a computer program that replicates itself. The program code that causes unwanted activity is called the ________.
D) digest

101) A(n) ________ is a type of virus that propagates itself using the Internet or other computer
D) Trojan horse

102) ________ are viruses that masquerade as useful programs or files.
B) Trojan horses
C) Firmware
D) Adware

103) What is a major difference between spyware and adware?
A) Unlike spyware, adware does not observe user behavior.
B) Unlike spyware, adware does not perform malicious acts.
C) Unlike spyware, adware steals data from users.
D) Unlike spyware, adware is installed with the user's permission.

104) The term ________ refers to any type of program that is surreptitiously installed and that takes actions unknown and uncontrolled by the computer's owner or administrator.
D) string

105) Which of the following is NOT an example of a data safeguard?
A) periodically creating backup copies of database contents
B) storing all backups on organization premises
C) physical security of devices that store database data
D) storing sensitive data in encrypted form

106) Because encryption keys can be lost or destroyed, a copy of the key should be stored with a trusted third party. This procedure is called ________.
A) key escrow
B) authentication deposit
C) encryption herding
D) control account

107) Maintaining the DBMS on computers in a locked room is part of ________.
A) prevention of malware
B) physical security procedures
C) recovery procedures
D) data rights and responsibilities

108) Which of the following statements about human safeguards for employees is true?
A) There are only two main aspects to security enforcement: responsibility and accountability.
B) Given appropriate job descriptions, users' computer accounts should give users the least possible privilege necessary to perform their jobs.
C) Companies should provide user accounts and passwords to employees prior to their security
D) Security screening in an organization applies only to new employees.

109) When an employee is terminated, IS administrators should receive advance notice so they can
A) plan for new recruitment
B) destroy the employee's records
C) remove accounts and passwords
D) disseminate information

110) ________ a site means to take extraordinary measures to reduce a system's vulnerability, using special versions of the operating system, and eliminating features and functions that are not required by the application.
D) Certifying

111) The three main systems procedure types are ________.
A) normal operation, backup, and recovery
B) design, implementation, and control
C) activity control, monitoring, and feedback
D) planning, organizing, and controlling

112) Activity log analyses, security testing, and investigating and learning from security incidents are activities included in ________.
A) creating backups
B) security monitoring
C) account administration
D) employee screening

113) In disaster-preparedness terminology, a ________ is a utility company that can take over another company's processing with no forewarning.
A) hot site
B) development site
C) cold site
D) Web farm

114) Which of the following observations is true of a cold site?
A) The total cost is always less than the cost of a hot site.
B) It is located in the company's premises.
C) Customers will have to install and manage systems themselves.
D) It is more expensive to lease than a hot site.

115) When an employee notices a virus on his or her machine, the ________ plan should specify what to
D) incident-response

ESSAY. Write your answer in the space provided or on a separate sheet of paper.

116) What is a security threat? What are the three general sources of security threats?
117) What is a denial-of-service security problem? How does this result from actions by the various sources of
118) What are the three components of a security program?
119) What are the key elements of a security policy?
120) Explain encryption and the various types of encryption for computer systems.
121) Differentiate between Trojan horses and worms.
122) What are spyware and adware programs?
123) What is key escrow?
124) Discuss some human safeguards for employees that can ensure the security of information systems.
125) What is a hot site? How is it different from a cold site?
- Spring '11