****
43. __________ of information is the quality or state of being genuine or original
. Authenticity
47. Standards may be published, scrutinized, and ratified by a group, as in formal or _____ standards.
. de jure
45. The actions taken by management to specify the intermediate goals and objectives of the organization are _____.
. tactical planning
Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) longer than ______ characters in Internet Explorer 4.0, the browser will crash.
256
________ is a network project that preceded the Internet
ARPANET
48. The ______ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.
CISO
In 1993, the first ______ conference was held in Las Vegas. Originally, it was established as a gathering for people interested in information security, including authors, lawyers, government employees, and law enforcement officials
Defcon
_____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
Managerial
The protection of tangible items, objects, or areas from unauthorized access and misuse is known as
Physical
______ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse
Physical
Which of the following functions does information security perform for an organization?
Protecting the organization's ability to function. b. Enabling the safe operation of applications implemented on the organization's IT systems. c. Protecting the data the organization collects and uses.
The goals of information security governance include all but which of the following?
Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
The ______ data file contains the hashed representation of the user's password.
SAM
41. Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
SLA
50. People with the primary responsibility for administering the systems that house the information used by the organization performs the role of ____.
System administrators
. The ______ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network.
TCP
. Which of these best defines information security governance?
The application of the principles and practices of corporate governance to the information security function.
When ISO 17799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?
The standard was hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls.
The community of interest made up of IT managers and skilled professionals in systems design, programming, networks, and other related disciplines is called ______.
a. Information Technology Management and Professionals
. The EISP component of _____ provides information on the importance of information security in the organization and the legal and ethical obligation to protect critical information about customers, employees, and markets.
a. Need for Information Security
Redundancy can be implemented at a number of points throughout the security architecture, such as in _____.
a. firewalls b. proxy servers c. access controls
38. A subject or object's ability to use, manipulate, modify, or affect another subject or object is known as ________
access
The SETA program is a control measure designed to reduce the instances of _____ security breaches by employees
accidental
49. Which of the following is a valid type of role when it comes to data ownership?
all of the above
. An organizational resource that is being protected is sometimes logical, such as a Web site, software information, or data. Sometimes the resource is physical, such as a person, computer system, hardware, or other tangible object. Either way, the resource is known as a(n) _
asset
44. __________ has become a widely accepted evaluation standard for training and education related to the security of information systems and is hosted by CNSS
b. NSTISSI No. 4011
44. A long-term interruption (outage) in electrical power availability is known as a(n) ______.
blackout
34. __________ was the first operating system to integrate security as one of its core functions.
c. MULTICS
64. The average amount of time until the next hardware failure is known as ______.
c. mean time to failure (MTTF)
43. When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting ______.
competitive intelligence
Human error or failure often can be prevented with training, ongoing awareness activities, and ______
controls
Which of these is not one of the general categories of security policy?
csp
. ______ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data that result in violence against noncombatant targets by subnational groups or clandestine agents.
cyberterriosm
________ often function as standards or procedures to be used when configuring or maintaining systems.
d. SysSPs
The process of maintaining the confidentiality, integrity, and availability of data managed by a DBMS is known as ______ security.
database security
. _____ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
defense in depth
57. In a ______ attack, the attacker sends a large number of connection or information requests to disrupt a target from a small number of sources.
denial of service
A server would experience a(n) __________ attack when a hacker compromises it to acquire information via a remote location using a network connection.
direct
. A ______ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time
distrubted denial of service
Security _____ are the areas of trust within which users can freely communicate
domains
The _____is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.
enterprise info system
1. A technique used to compromise a system is known as a(n) _______
exploit
42. A short-term interruption in electrical power availability is known as a ____.
fault
An information security _____ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.
framework
48. Nonmandatory recommendations the employee may use as a reference is known as a _____.
guidelines
. One form of online vandalism is ______ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
hacktivist
55. Which of the following is an example of a Trojan horse program?
happy99.exe
Which of these is NOT a unique function of information security management?
hardware
In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single number called the __________ value
hash
56. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ______.
hoaxes
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to _____.
identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as
information technology
0. In the ______ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
man in the middle
The stated purpose of ISO/IEC 27002:2013 is to give guidelines for organizational information security standards and information security
management
63. The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures, is known as ______.
mean time between failure (MTBF)
45. Hackers can be generalized into two skill groups: expert and ______.
novice
0. A computer is the __________ of an attack when it is used to conduct an attack against another compute
object
_____ controls address personnel security, physical security, and the protection of production inputs and outputs
operational
44. The actions taken by management to specify the short-term goals and objectives of the organization are _____.
operational planning
51. Individuals who control, and are therefore ultimately responsible for, the security and use of a particular set of information are known as data _________
owners
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the _______ side of the organization
people
. The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information is known as ______.
pharming
Which of the following was not an identified fundamental problem with ARPANET security?
phone numbers for access were closely held and distributed on a need-to-know basis
A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file is known as a(n) ______.
rainbow table
. _____ is a strategy of using multiple types of controls that prevent the failure of one system from compromising the security of information.
redundancy
50. Advance-Fee fraud is an example of a ______ attack.
social engineering
. An information system is the entire set of __________, people, procedures, and networks that enable the use of information resources in the organization.
software, hardware, and data
53. ____ is any technology that aids in gathering information about a person or organization without their knowledge.
spyware
. SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security _____
standard
46. A detailed statement of what must be done to comply with management intent is known as a _____.
standards
A(n) _____ plan is a plan for the organization's intended efforts over the next several years (long-term).
strategical
40. A computer is the __________ of an attack when it is used to conduct an attack against another computer.
subject
. According to NIST SP 800-14's security principles, security should ______
support the mission of the organization, require a comprehensive and integrated approach , be cost-effective
. Acts of ______ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
trespass
. ______ are malware programs that hide their true nature and reveal their designed behavior only when activated
trojan horse
52. Individuals who are assigned the task of managing a particular set of information and coordinating its protection, storage, and use are known as data ________
trustees
The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect __________ in operating systems security.
vulnerabilities
. ______ are compromised systems that are directed remotely (usually by a transmitted command) by the attacker to participate in an attack
zombies