Software Security
Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) which is longer than ____________________ characters in Internet Explorer 4.0, the browser will crash.
256
The ____________________ data file contains the hashed representation of the user's password.
SAM
Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
SLA
The ________________ Act seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies. (SS)
Sarbanes-Oxley
The __________ of 1999 provides guidance on the use of encryption and provides protection from government intervention.
Security and Freedom through Encryption Act
Which of the following countries reported the least tolerant attitudes toward personal use of organizational computing resources?
Singapore
An information system is the entire set of __________, people, procedures, and networks that make possible the use of information resources in the organization.
All of the above (software, data, hardware)
________________ is unsolicited commercial e-mail. (SS)
Spam
________________ is a technique used to gain unauthorized access to computers, wherein the intruder sends messages with a source IP address that has been forged to indicate that the messages are coming from a trusted host. (SS)
Spoofing
____ is any technology that aids in gathering information about a person or organization without their knowledge.
Spyware
________ often function as standards or procedures to be used when configuring or maintaining systems.
SysSPs
__________________-specific security policies often function as standards or procedures to be used when configuring or maintaining systems. (SS)
Systems
The ____________________ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network.
TCP
______________________ controls are information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets. (SS)
Technical
The ___________________ Act of 2001 provides law enforcement agencies with broader latitude in order to combat terrorism-related activities. (SS)
USA PATRIOT
The __________ defines stiffer penalties for prosecution of terrorist crimes.
USA PATRIOT Act
____________________ are compromised systems that are directed remotely (usually by a transmitted command) by the attacker to participate in an attack.
Zombies
The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees.
accidental
It is good practice, however, for policy ________________ to solicit input both from technically adept information security experts and from business-focused managers in each community of interest when making revisions to security policies. (SS)
administrator
A(n) ___________________ is a detailed examination of the events that occurred from first detection to final recovery. (SS)
after-action review
A(n) _________ is a document containing contact information for the people to be notified in the event of an incident.
alert roster
The ________________ phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems. (SS)
analysis
The Internet brought _________ to virtually all computers that could reach a phone line or an Internet-connected local area network. (SS)
connectivity
Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.
controls
Attempting to reverse-calculate a password is called ______________. (SS)
cracking
____________________ is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against noncombatant targets by subnational groups or clandestine agents.
cyberterrorism
The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____.
electronic vaulting
A(n) ___________ information security policy outlines the implementation of a security program within the organization. (SS)
enterprise
Complete loss of power for a moment is known as a ____.
fault
A security ________ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.
framework
One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
hacktivist
In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single number called the __________ value.
hash
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________.
hoaxes
A(n) ____________ site is a fully configured computer facility, with all services, communications links, and physical plant operations including heating and air conditioning. (SS)
hot
The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________."
management
The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any __________ purposes.
marketing
A(n) ______________ is a formal approach to solving a problem by means of a structured sequence of procedures. (SS)
methodology
A(n) _______________ is a contract between two or more organizations that specifies how each will assist the other in the event of a disaster. (SS)
mutual agreement
Hackers can be generalized into two skill groups: expert and ____________________.
novice
A computer is the ____________ of an attack when it is the entity being targeted. (SS)
object
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.
people
A(n) _________________ hacks the public telephone network to make free calls or disrupt services.
phreaker
During the early years, information security was a straightforward process composed predominantly of __________ security and simple document classification schemes. (SS)
physical
__________ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.
physical
During the __________ phase, specific technologies are selected to support the alternatives identified and evaluated in the prior phases.
physical design
Duplication of software-based intellectual property is more commonly known as software _____________________. (SS)
piracy
Managerial directives that specify acceptable and unacceptable employee behavior in the workplace are known as ________________. (SS)
policies
The _______________ of information is the quality or state of ownership or control of some object or item. (SS)
possession
Family law, commercial law, and labor law are all encompassed by ___________ law. (SS)
private
A frequently overlooked component of an information system, ____________ are the written instructions for accomplishing a specific task. (SS)
procedures
Software is often created under the constraints of ____________ management, placing limits on time, cost, and manpower. (SS)
project
RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure.
redundant
A variation of an SDLC that can be used to implement information security solutions in an organization with little or no formal security in place is the __________.
secSDLC
Organizations are moving toward more __________-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product.
security
"4-1-9" fraud is an example of a ____________________ attack.
social engineering
In the context of information security, ___________________ is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker. (SS)
social engineering
The ________ component of the IS comprises applications, operating systems, and assorted command utilities. (SS)
software
A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years.
strategic
A computer is the __________ of an attack when it is used to conduct an attack against another computer.
subject
People with the primary responsibility for administering the systems that house the information used by the organization perform the ____ role.
system administrators
A methodology for the design and implementation of an information system that is a formal development strategy is referred to as a __________.
systems development life cycle
A(n) _____________ is a potential risk to an information asset. (SS)
threat
According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except __________.
to harass
In the __________ approach, the project is initiated by upper-level managers who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each required action. (SS)
top-down
Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
trespass
The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect __________ in operating systems security.
vulnerabilities
A(n) __________________ is a potential weakness in an asset or its defensive control(s).
vulnerability
A type of SDLC where each phase has results that flow into the next phase is called the __________ model.
waterfall
A ________________ is a malicious program that replicates itself constantly, without requiring another program environment.
worm
______________ enables authorized users - persons or computer systems - to access information without interference or obstruction and to receive it in the required format. (SS)
Availability
The CNSS model of information security evolved from a concept developed by the computer security industry known as the ________ triangle. (SS)
CIA
The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.
CISO
__________ law comprises a wide variety of laws that govern a nation or state.
Civil
During the ________ War, many mainframes were brought online to accomplish more complex and sophisticated tasks, so it became necessary to enable the mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers. (SS)
Cold
When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?
The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
The ________ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
EISP
The __________ attempts to prevent trade secrets from being illegally shared.
Economic Espionage Act
The ________________________ Act of 1986 is a collection of statutes that regulates the interception of wire, electronic, and oral communications. (SS)
Electronic Communications Privacy
Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications?
Electronic Communications Privacy Act
What is the subject of the Computer Security Act?
Federal Agency Information Security
Which of the following acts is also widely known as the Gramm-Leach-Bliley Act?
Financial Services Modernization Act
What is the subject of the Sarbanes-Oxley Act?
Financial reporting
The Computer __________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.
Fraud
Which of the following is an example of a Trojan horse program?
Happy99.exe
Part of the logical design phase of the SecSDLC is planning for partial or catastrophic loss. ____ dictates what immediate steps are taken when an attack occurs.
Incident response
The Council of Europe adopted the Convention of CyberCrime in 2001 to oversee a range of security functions associated with __________ activities.
Internet
"Long arm __________________" refers to the long arm of the law reaching across the country or around the world to draw an accused individual into its court systems whenever it can establish jurisdiction. (SS)
Jurisdiction
The Health Insurance Portability and Accountability Act Of 1996, also known as the __________ Act, protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.
Kennedy-Kassebaum
___________ are rules that mandate or prohibit certain behavior and are enforced by the State. (SS)
Laws
__________________ is the legal obligation of an entity that extends beyond criminal or contract law. (SS)
Liability
__________ was the first operating system to integrate security as one of its core functions.
MULTICS
________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
Managerial
__________ has become a widely accepted evaluation standard for training and education related to the security of information systems.
NSTISSI No. 4011
_________ controls address personnel security, physical security, and the protection of production inputs and outputs.
Operational
__________________ controls are information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning. (SS)
Operational
__________ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
Public
__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information.
Redundancy
The goals of information security governance include all but which of the following?
Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
According to NIST SP 800-14's security principles, security should ________.
All of the above (support the mission of the organization; be cost-effective; require a comprehensive and integrated approach)
Which of the following functions does information security perform for an organization?
All of the above (protecting the organization's ability to function; protecting the data the organization collects and uses; enabling the safe operation of applications implemented on the organization's IT system)
__________ is a network project that preceded the Internet.
ARPANET
___________________ information is a form of collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group. (SS)
Aggregate
A fundamental difference between a BIA and risk management is that risk management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can protect the information, while the BIA assumes __________.
All of the above (controls have failed; controls have proven ineffective; controls have been bypassed)
Redundancy can be implemented at a number of points throughout the security architecture, such as in ________
All of the above (proxy servers; firewalls; access controls)
Laws and policies and their associated penalties only deter if which of the following conditions is present?
All of the above (fear of penalty; probability of being caught; probability of penalty being administered)
The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?
All of these are BIA stages (determine mission/business processes and recovery criticality; identify resource requirements; identify recovery priorities for system resources)
__________ of information is the quality or state of being genuine or original.
Authenticity
__________________ of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. (SS)
Authenticity
Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is ______________. (SS)
education
The National Information Infrastructure Protection Act of 1996 modified which Act?
Computer Fraud and Abuse Act
Which of the following acts defines and formalizes laws to counter threats from computer related acts and offenses?
Computer Fraud and Abuse Act of 1986
________________ management is the set of actions taken by an organization in response to an emergency to minimize injury or loss of life, preserve the organization's image and market share, and complement its disaster recovery and business continuity processes. (SS)
Crisis
_______________________ are the fixed moral attitudes or customs of a particular group. (SS)
Cultural mores
__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
Defense in depth
____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
Trojan horses
In an organization, the value of _________________ of information is especially high when it involves personal information about employees, customers, or patients. (SS)
confidentiality
A virus or worm can have a payload that installs a(n) _______________ door or trap door component in a system, which allows the attacker to access the system at will with special privileges. (SS)
back
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________.
blueprint
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage __________.
by accident
A ____ site provides only rudimentary services and facilities.
cold
A(n) _________________________ is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives. (SS)
community of interest
The history of information security begins with the concept of _________ security. (SS)
computer
Incident _________ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident.
damage assessment
Which of the following is a valid type of role when it comes to data ownership?
All of the above (data owners; data custodians; data users)
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.
de jure
In a ____________________ attack, the attacker sends a large number of connection or information requests to disrupt a target from a small number of sources.
denial-of-service
A server would experience a __________ attack when a hacker compromises it to acquire information from it from a remote location using a network connection.
direct
ESD is the acronym for electrostatic __________________. (SS)
discharge
A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
distributed denial-of-service
Security __________ are the areas of trust within which users can freely communicate.
domains
The _____________________ Act of 1996 attempts to prevent trade secrets from being illegally shared. (SS)
economic espionage
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which is intended to allow organizations to __________.
identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
The low overall degree of tolerance for ______________ system use may be a function of the easy association between the common crimes of breaking and entering, trespassing, theft, and destruction of property to their computer-related counterparts. (SS)
illicit
A(n) _____________ is an adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. (SS)
incident
The senior technology officer is typically the chief ____________ officer. (SS)
information
Information has ________ when it is whole, complete, and uncorrupted. (SS)
integrity
Some information gathering techniques are quite legal, for example, using a Web browser to perform market research. These legal techniques are called, collectively, competitive _____________________. (SS)
intelligence
Criminal or unethical __________ goes to the state of mind of the individual performing the act.
intent
Script ________________ are hackers of limited skill who use expertly written software to attack a system. (SS)
kiddies
Which of the following phases is often considered the longest and most expensive phase of the systems development life cycle?
maintenance and change
A computer virus consists of segments of code that perform __________________ actions. (SS)
malicious
In the well-known ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
man-in-the-middle