CIS Ch. 8
Which of the following is a virus that uses flaws in Windows software to take over a computer remotely? Conficker ILOVEYOU Sasser Zeus Trojan Melissa
Conficker
An acceptable use policy defines the acceptable level of access to information assets for different users. True False
False
The term cracker is used to identify a hacker whose specialty is breaking open security systems. True False
False
Wireless networks are more difficult for hackers to gain access to because radio frequency bands are difficult to scan. True False
False
Biometric authentication only uses biographical details for identification. is used widely in Europe for security applications. is inexpensive. can use a person's voice as a unique, measurable trait. only uses physical measurements for identification.
can use a person's voice as a unique, measurable trait.
Which of the following is not an example of a computer used as a target of crime? illegally accessing stored electronic communication threatening to cause damage to a protected computer breaching the confidentiality of protected computerized data accessing a computer system without authority knowingly accessing a protected computer to commit fraud
illegally accessing stored electronic communication
When errors are discovered in software programs, the sources of the errors are found and eliminated through a process called debugging. True False
True
Your company, an online discount stationers, has calculated that a loss of Internet connectivity for 3 hours results in a potential loss of $2,000 to $3,000 and that there is a 50% chance of this occurring each year. What is the annual expected loss from this exposure? $500 $2,500 $1,250 $1,000 $1,500
$1,250
A salesperson clicks repeatedly on a competitor's online ads in order to drive the competitor's advertising costs up. This is an example of phishing. spoofing. click fraud. evil twins. pharming.
Click fraud
________ refers to all of the methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards.
Controls
The intentional defacement or destruction of a Web site is called phishing. cybervandalism. cyberwarfare. pharming. spoofing.
Cybervandalism
A foreign country attempting to access government networks in order to disable a national power grid would be an example of evil twins. cyberwarfare. cyberterrorism. denial-of-service attacks. phishing.
Cyberwarfare
Using numerous computers to inundate and overwhelm the network from numerous launch points is called a(n) ________ attack. DDoS botnet phishing SQL injection DoS
DDoS
________ controls ensure that valuable business data files on either disk or tape are not subject to unauthorized access, change, or destruction while they are in use or in storage. Input Administrative Implementation Software Data security
Data security
In controlling network traffic to minimize slow-downs, a technology called ________ is used to examine data files and sort low-priority data from high-priority data. unified threat management stateful inspection high availability computing deep-packet inspection application proxy filtering
Deep-packet inspection
The most common type of electronic evidence is e-mail. instant messages. voice-mail. spreadsheets. VOIP data.
You have been hired as a security consultant for a law firm. Which of the following constitutes the greatest source for network security breaches to the firm? employees wireless network software quality lack of data encryption authentication procedures
Employees
Biometric authentication is the use of personal, biographic details such as the high school you attended and the first street you lived on to provide identification. True False
False
DoS attacks are used to destroy information and access restricted areas of a company's information system. True False
False
Malicious software programs referred to as spyware include a variety of threats such as computer viruses, worms, and Trojan horses. True False
False
Organizations can use existing network security software to secure mobile devices. True False
False
Packet filtering catches most types of network attacks. True False
False
Smartphones typically feature state-of-the-art encryption and security features, making them highly secure tools for businesses. True False
False
________ is a crime in which an imposter obtains key pieces of personal information to impersonate someone else. Social engineering Evil twins Identity theft Spoofing Pharming
Identity theft
________ use scanning software to look for known problems such as bad passwords, the removal of important files, security attacks in progress, and system administration errors. Application proxy filtering technologies Stateful inspections Intrusion detection systems Firewalls Packet filtering technologies
Intrusion detection systems
Smaller firms may outsource some or many security functions to MSSPs. ISPs. PKIs. CAs. MISs.
MSSPs
In a client/server environment, corporate servers are specifically vulnerable to malware. tapping. sniffing. radiation. unauthorized access.
Malware
Rigorous password systems are often disregarded by employees. are one of the most effective security tools. may hinder employee productivity. are costly to implement.
May hinder employee productivity
________ is malware that hijacks a user's computer and demands payment in return for giving back access. An evil twin A virus Spyware Ransomware A Trojan horse
Ransomware
Analysis of an information system that rates the likelihood of a security incident occurring and its cost is included in a(n) business impact analysis. risk assessment. business continuity plan. security policy. AUP.
Risk assessment
________ identify the access points in a Wi-Fi network. Mac addresses URLs UTMs NICs SSIDs
SSIDs
Currently, the protocols used for secure information transfer over the Internet are S-HTTP and CA. S-HTTP and SHTML. HTTP and TCP/IP. SSL, TLS, and S-HTTP. TCP/IP and SSL.
SSL, TLS, and S-HTTP.
________ refers to policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. "Identity management" "Algorithms" "Security" "Benchmarking" "Controls"
Security
Statements ranking information risks and identifying security goals are included in a(n) business continuity plan. risk assessment. security policy. business impact analysis. AUP.
Security policy
Tricking employees to reveal their passwords by pretending to be a legitimate member of a company is called social engineering. snooping. phishing. pharming. sniffing.
Social engineering
The communications lines in a client/server environment are specifically vulnerable to tapping. malware. errors. vandalism. software failure.
Tapping
How do software vendors correct flaws in their software after it has been distributed? They release updated versions of the software. They don't; users purchase software at their own risk. They issue bug fixes. They issue patches. They re-release the software.
They issue patches
As discussed in the chapter opening case, magnetic stripes are an old technology that is vulnerable to counterfeit and theft. True False
True
Authentication refers to verifying that a person is who he or she claims to be. True False
True
In 2013, Panda Security reported approximately 30 million new kinds of malware strains. True False
True
NAT conceals the IP addresses of the organization's internal host computers to deter sniffer programs. True False
True
One form of spoofing involves forging the return address on an e-mail so that the e-mail message appears to come from someone other than the sender. True False
True
Public key encryption uses two keys. True False
True
SSL is a protocol used to establish a secure connection between two computers. True False
True
Smartphones have the same security flaws as other Internet-connected devices. True False
True
The dispersed nature of cloud computing makes it difficult to track unauthorized access. True False
True
Viruses can be spread through e-mail. True False
True
You can test software before it is even written by conducting a walkthrough. True False
True
Zero defects cannot be achieved in larger software programs because fully testing programs that contain thousands of choices and millions of paths would require thousands of years. True False
True
Comprehensive security management products, with tools for firewalls, VPNs, intrusion detection systems, and more, are called ________ systems. UTM NSP MSSP DPI PKI
UTM
Which of the following statements about the Internet security is not true? Smartphones have the same security weaknesses as other Internet devices. The use of P2P networks can expose a corporate computer to outsiders. Instant messaging can provide hackers access to an otherwise secure network. VoIP is more secure than the switched voice network. A corporate network without access to the Internet is more secure than one that provides access.
VoIP is more secure than the switched voice network.
Which of the following specifications replaces WEP with a stronger security standard that features changing encryption keys? UTM TLS VPN WPA2 AUP
WPA2
A practice in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic is referred to as drive-by tapping. war driving. cybervandalism. snooping. sniffing.
War driving
Which of the following is a type of ambient data? a file deleted from a hard disk computer log containing recent system errors data that has been recorded over a file that contains an application's user settings a set of raw data from an environmental sensor
a file deleted from a hard disk
________ is malware that logs and transmits everything a user types. A worm A keylogger Spyware A Trojan horse A sniffer
a keylogger
All of the following are types of information systems general controls except administrative controls. computer operations controls. physical hardware controls. software controls. application controls.
application controls
Evil twins are Trojan horses that appear to the user to be a legitimate commercial software application. e-mail messages that mimic the e-mail messages of a legitimate business. computers that fraudulently access a Web site or network using the IP address and identification of an authorized computer. fraudulent Web sites that mimic a legitimate business's Web site. bogus wireless network access points that look legitimate to users.
bogus wireless network access points that look legitimate to users.
Which of the following is not an example of a computer used as an instrument of crime? breaching the confidentiality of protected computerized data theft of trade secrets unauthorized copying of software schemes to defraud intentionally attempting to intercept electronic communication
breaching the confidentiality of protected computerized data
Application controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization. monitor the use of system software and prevent unauthorized access to software and programs. include software controls, computer operations controls, and implementation controls. apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment. can be classified as input controls, processing controls, and output controls.
can be classified as input controls, processing controls, and output controls.
Hackers create a botnet by using Web search bots to infect other computers. infecting Web search bots with malware. infecting corporate servers with "zombie" Trojan horses that allow undetected access through a back door. causing other people's computers to become "zombie" PCs following a master computer. pharming multiple computers.
causing other people's computers to become "zombie" PCs following a master computer.
Computer forensics tasks include all of the following except presenting collected evidence in a court of law. securely storing recovered electronic data. collecting physical evidence on the computer. finding significant information in a large volume of electronic data.
collecting physical evidence on the computer.
A firewall allows the organization to check the content of all incoming and outgoing e-mail messages. create access rules for a network. enforce a security policy on data exchanged between its network and the Internet. create an enterprise system on the Internet. check the accuracy of all transactions between its network and the Internet.
enforce a security policy on data exchanged between its network and the Internet.
For 100-percent availability, online transaction processing requires a digital certificate system. high-capacity storage. a multi-tier server network. dedicated phone lines. fault-tolerant computer systems.
fault-tolerant computer systems.
An authentication token is a(n) device the size of a credit card that contains access permission data. type of smart card. electronic marker attached to a digital authorization file. gadget that displays passcodes.
gadget that displays passcodes.
The Sarbanes-Oxley Act outlines medical security and privacy rules. specifies best practices in information systems security and control. imposes responsibility on companies and management to safeguard the accuracy of financial information. identifies computer abuse as a crime and defines abusive activities. requires financial institutions to ensure the security of customer data.
imposes responsibility on companies and management to safeguard the accuracy of financial information.
A Trojan horse is a virus that replicates quickly. installs spyware on users' computers. is a type of sniffer used to infiltrate corporate networks. is malware named for a breed of fast-moving Near-Eastern horses. is software that appears to be benign but does something other than expected.
is software that appears to be benign but does something other than expected.
The Internet poses specific security problems because it changes so rapidly. there is no formal controlling body. Internet standards are universal. Internet data is not run over secure lines. it was designed to be easily accessible.
it was designed to be easily accessible
Electronic data are more susceptible to destruction, fraud, error, and misuse because information systems concentrate data in computer files that can be opened with easily available software. are easily decrypted. may be accessible by anyone who has access to the same network. are unprotected by up-to-date security systems. are rarely validated.
may be accessible by anyone who has access to the same network.
Most antivirus software is effective against any virus. only those viruses already known when the software is written. only viruses that are well-known and typically several years old. any virus except those in wireless communications applications. only those viruses active on the Internet and through e-mail.
only those viruses already known when the software is written.
The HIPAA Act of 1996 identifies computer abuse as a crime and defines abusive activities. specifies best practices in information systems security and control. imposes responsibility on companies and management to safeguard the accuracy of financial information. requires financial institutions to ensure the security of customer data. outlines medical security and privacy rules.
outlines medical security and privacy rules.
Pharming involves using e-mails for threats or harassment. setting up fake Web sites to ask users for confidential information. pretending to be a legitimate business's representative in order to garner information about a security system. setting up fake Wi-Fi access points that look as if they are legitimate public networks. redirecting users to a fraudulent Web site even when the user has typed in the correct address in the Web browser.
redirecting users to a fraudulent Web site even when the user has typed in the correct address in the Web browser.
The Gramm-Leach-Bliley Act specifies best practices in information systems security and control. requires financial institutions to ensure the security of customer data. outlines medical security and privacy rules. imposes responsibility on companies and management to safeguard the accuracy of financial information. identifies computer abuse as a crime and defines abusive activities.
requires financial institutions to ensure the security of customer data.
In which method of encryption is a single encryption key sent to the receiver so both sender and receiver share the same key? private key encryption distributed encryption SSL/TLS symmetric key encryption public key encryption
symmetric key encryption
Social networking sites have become a new conduit for malware because they allow users to post media and image files. they have poor user authentication. they are especially vulnerable to social engineering. they allow users to post software code. they are used by so many people.
they allow users to post software code.
Client software in a client/server environment is specifically vulnerable to vandalism. unauthorized access. fraud. radiation. DoS attacks.
unauthorized access
A digital certificate system uses third-party CAs to validate a user's identity. is used primarily by individuals for personal correspondence. uses digital signatures to validate a user's identity. uses tokens to validate a user's identity. protects a user's identity by substituting a certificate in place of identifiable traits.
uses third-party CAs to validate a user's identity.
Large amounts of data stored in electronic form are ________ than the same data in manual form. vulnerable to many more kinds of threats more secure less vulnerable to damage more critical to most businesses prone to more errors
vulnerable to many more kinds of threats