Exam 3 Info Security Review
The Department of Homeland Security is the only U.S. federal agency charged with the protection of American information resources and the investigation of threats to, or attacks on, those resources. True False
false
The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002. _________________________ True False
false
The Graham-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. _________________________ True False
false
The complete details of ISO/IEC 27002 are widely available to everyone. True False
false
The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not. True False
false
The number of horizontal and vertical pixels captured and recorded is known as the image's contrast. _________________________ True False
false
To perform the Caesar cipher encryption operation, the pad values are added to numeric values that represent the plaintext that needs to be encrypted. True False
false
UltraViolet wireless (UVW) is a de facto industry standard for short-range wireless communications between devices. _________________________ True False
false
Unethical and illegal behavior is generally caused by ignorance (of policy and/or the law), by accident, and by inadequate protection mechanisms. True False
false
Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. _________________________ True False
false
DES uses a(n) ___________-bit block size. a.32 b.64 c.128 d.256
b. 64
__________ is a protocol that can be used to secure communications across any IP-based network such as LANs, WANs, and the Internet. a.SSH b.IPSec c.SET d.PEM
b. IPSec
__________ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. a.Private b.Civil c.Public d.Criminal
public
A __________ is a key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to access the message digest. a.digest b.MAC c.fingerprint d.signature
b. MAC
The __________ algorithm, developed in 1977, was the first public-key encryption algorithm published for commercial use. a.MAC b.DES c.RSA d.AES
c. RSA
The Federal Privacy Act of 1974 regulates government agencies and holds them accountable if they release information about national security without permission. _________________________ True False
true
The NSA is responsible for signal intelligence, information assurance products and services, and enabling computer network operations to gain a decision advantage for the United States and its allies under all circumstances. True False
true
__________ are encrypted message components that can be mathematically proven to be authentic. a.Digital signatures b.Message digests c.Message certificates d.MACs
a. Digital signatures
What is the subject of the Computer Security Act? a.Federal agency information security b.Telecommunications common carriers c.Cryptography software vendors d.All of the above
a. Federal agency information security
What is the subject of the Sarbanes-Oxley Act? a.Financial reporting b.Banking c.Trade secrets d.Privacy
a. Financial reporting
The __________ defines stiffer penalties for prosecution of terrorist crimes. a.USA PATRIOT Act b.Gramm-Leach-Bliley Act c.Sarbanes-Oxley Act d.Economic Espionage Act
a. USA PATRIOT ACT
At the World Championships in Athletics in Helsinki in August 2005, a virus called Cabir infected dozens of __________, the first time this occurred in a public setting. a.Bluetooth mobile phones b.laptop Macintosh computers c.iPad tablets d.WiFi routers
a. bluetooth mobile phones
The transfer of transaction data in real time to an off-site facility is called ____. a.electronic vaulting b.off-site storage c.database shadowing d.remote journaling
a. electronic vaulting
Which of the following acts is also widely known as the Gramm-Leach-Bliley Act? a.Financial Services Modernization Act b.Health Insurance Portability and Accountability Act c.Computer Security Act d.Communications Act
a. financial services modernization act
In 2002, Congress passed the Federal Information Security Management Act (FISMA), which mandates that all federal agencies __________. a.provide security awareness training b.periodic assessment of risk c.develop policies and procedures based on risk assessments d.All of the above
a. provide security awareness training
__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information. a.Redundancy b.Hosting c.Domaining d.Firewalling
a. redundancy
Which of the following countries reported the least tolerant attitudes toward personal use of organizational computing resources? a.Singapore b.Sweden c.Australia d.United States
a. singapore
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage __________. a.with intent b.by accident and/or through unintentional negligence c.with malice d.NONE OF THE ABOVE
b. by accident and/or through unintentional negligence
Security __________ are the areas of trust within which users can freely communicate. a.perimeters b.domains c.rectangles d.layers
b. domains
Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications? a.Sarbanes-Oxley Act b.Electronic Communications Privacy Act c.Financial Services Modernization Act d.Economic Espionage Act
b. electronic communication privacy act
An information security ________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training. a.plan b.framework c.policy d.model
b. framework
Criminal or unethical __________ goes to the state of mind of the individual performing the act. a.attitude b.intent c.accident d.All of the above
b. intent
__________ is the entire range of values that can possibly be used to construct an individual key. a.An algorithm b.Keyspace c.A cryptogram d.Code
b. keyspace
More advanced substitution ciphers use two or more alphabets, and are referred to as __________ substitutions. a.monoalphabetic b.polyalphabetic c.multialphabetic d.polynomic
b. polyalphabetic
SHA-1 produces a(n) ___________-bit message digest, which can then be used as an input to a digital signature algorithm. a.48 b.56 c.160 d.256
c. 160
__________ is the current federal information processing standard that specifies a cryptographic algorithm used within the U.S. government to protect information in federal agencies that are not a part of the national defense infrastructure. a.3DES b.2DES c.AES d.DES
c. AES
In PKI, the CA periodically distributes a(n) _________ to all users that identifies all revoked certificates. a.RA b.RDL c.CRL d.MAC
c. CRL
Digital signatures should be created using processes and products that are based on the __________. a.HTTPS b.SSL c.DSS d.NIST
c. DSS
The ________is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts. a.SysSP b.ISSP c.EISP d.GSP
c. EISP (enterprise information security policy)
The Health Insurance Portability and Accountability Act of 1996, also known as the __________ Act, protects the confidentiality and security of health-care data by establishing and enforcing standards and by standardizing electronic data interchange. a.Gramm-Leach-Bliley b.HITECH c.Kennedy-Kessebaum d.Privacy
c. Kennedy-Kessebaum
The goals of information security governance include all but which of the following? a.Strategic alignment of information security with business strategy to support organizational objectives b.Risk management by executing appropriate measures to manage and mitigate threats to information resources c.Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due cared. d.Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
c. Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due cared.
The __________ is responsible for the fragmentation, compression, encryption, and attachment of an SSL header to the cleartext prior to transmission. a.S-HTTP b.SFTP c.SSL Record Protocol d.Standard HTTP
c. SSL Record Protocol
The __________ is responsible for the fragmentation, compression, encryption, and attachment of an SSL header to the cleartext prior to transmission. a.SFTP b.Standard HTTP c.SSL Record Protocol d.S-HTTP
c. SSL Record Protocol
The __________ defines stiffer penalties for prosecution of terrorist crimes. a.Gramm-Leach-Bliley Act b.Economic Espionage Act c.USA PATRIOT Act d.Sarbanes-Oxley Act
c. USA PATRIOT ACT
__________ law comprises a wide variety of laws that govern a nation or state. a.Private b.Criminal c.Civil d.Public
c. civil
_________ is the rapid determination of the scope of the breach in the confidentiality, integrity, and availability of information and information assets during or just following an incident. a.Incident response b.Containment development c.Damage assessment d.Disaster assessment
c. damage assessment
__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. a.Proxy b.Best-effort c.Defense in depth d.Networking
c. defense in depth
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization. a.technology b.Internet c.people d.operational
c. people
More advanced substitution ciphers use two or more alphabets, and are referred to as __________ substitutions. a.monoalphabetic b.multialphabetic c.polyalphabetic d.polynomic
c. polyalphabetic
In PKI, the CA periodically distributes a(n) _________ to all users that identifies all revoked certificates. a.MAC b.RA c.RDL d.CRL
d. CRL
The National Information Infrastructure Protection Act of 1996 modified which act? a.Computer Security Act b.USA PATRIOT Act c.USA PATRIOT Improvement and Reauthorization Act d.Computer Fraud and Abuse Act
d. Computer Fraud and Abuse Act
Which of the following acts is also widely known as the Gramm-Leach-Bliley Act? a.Health Insurance Portability and Accountability Act b.Communications Act c.Computer Security Act d.Financial Services Modernization Act
d. Financial Services Modernization Act
________often function as standards or procedures to be used when configuring or maintaining systems. a.ISSPs b.ESSPs c.EISPs d.SysSPs
d. SysSPs
A(n) _________ is a document containing contact information for the people to be notified in the event of an incident. a.emergency notification system b.phone list c.call register d.alert roster
d. alert roster
A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes __________. a.controls have proven ineffective b.controls have been bypassed c.controls have failed d.All of the above
d. all of the above
Laws, policies, and their associated penalties only deter if which of the following conditions is present? a.Fear of penalty b.Probability of being caught c.Probability of penalty being administered d.All of the above
d. all of the above
Redundancy can be implemented at a number of points throughout the security architecture, such as in ________. a.firewalls b.proxy servers c.access controls d.All of the above
d. all of the above
An X.509 v3 certificate binds a ___________, which uniquely identifies a certificate entity, to a user's public key. a.message digest b.fingerprint c.digital signature d.distinguished name
d. distinguished name
Security __________ are the areas of trust within which users can freely communicate. a.layers b.rectangles c.perimeters d.domains
d. domains
The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____. a.database shadowing b.remote journaling c.off-site storage d.electronic vaulting
d. electronic vaulting
The Council of Europe adopted the Convention of Cybercrime in 2001 to oversee a range of security functions associated with __________ activities. a.online terrorist b.electronic commerce c.cyberactivist d.Internet
d. internet
A __________ is the information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext. a.passphrase b.cipher c.password d.key
d. key
__________ is the amount of effort (usually in hours) required to perform cryptanalysis to decode an encrypted message when the key or algorithm (or both) are unknown. a.A key b.An algorithm c.Code d.Work factor
d. work factor
A hard drive feature known as "hot swap" is a RAID implementation (typically referred to as RAID Level 1) in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails. True False
false
A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology. True False
false
A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions. True False
false
A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior. True False
false
A(n) disaster is any adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. _________________________ True False
false
A(n) key is the set of steps used to convert an unencrypted message into an encrypted sequence of bits that represent the message; it sometimes refers to the programs that enable the cryptographic processes. _________________________ True False
false
ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly. True False
false
As DES became known as being too weak for highly classified communications, Double DES was created to provide a level of security far beyond that of DES. _________________________ True False
false
Ethics are the moral attitudes or customs of a particular group. _________________________ True False
false
Every member of the organization's InfoSec department must have a formal degree or certification in information security. True False
false
For policy to become enforceable, it only needs to be distributed, read, understood, and agreed to. True False
false
Guidelines are detailed statements of what must be done to comply with policy. _________________________ True False
false
In 1953, Giovan Batista Bellaso introduced the idea of the passphrase (password) as a key for encryption. True False
false
In 2016, NIST published a new Federal Master Cybersecurity Framework to create a mandatory framework for managing cybersecurity risk for the delivery of critical infrastructure services at every organization in the United States, based on vendor-specific technologies. True False
false
In a study on software license infringement, licenses from the United States were significantly more permissive than those from the Netherlands and other countries. _________________________ True False
false
In the context of information security, confidentiality is the right of individuals or groups to protect themselves and their information from unauthorized access. True False
false
Intellectual privacy is recognized as a protected asset in the United States. _________________________ True False
false
S-HTTP is an extended version of Hypertext Transfer Protocol that provides for the encryption of protected e-mail transmitted via the Internet between a client and server. _________________________ True False
false
SSL builds on the encoding format of the Multipurpose Internet Mail Extensions protocol and uses digital signatures based on public-key cryptosystems to secure e-mail. True False
false
Standard HTTP (S-HTTP) is an extended version of the Hypertext Transfer Protocol that provides for the encryption of individual messages transmitted via the Internet between a client and server. True False
false
The AES algorithm was the first public-key encryption algorithm to use a 256-bit key length. True False
false
The Computer Security Act of 1987 is the cornerstone of many computer-related federal laws and enforcement efforts; it was originally written as an extension and clarification of the Comprehensive Crime Control Act of 1984. True False
false
A disaster recovery plan shows the organization's intended efforts to restore operations at the original site in the aftermath of a disaster. True False
true
A security policy should begin with a clear statement of purpose. _________________________ True False
true
Criminal laws address activities and conduct harmful to society and is categorized as private or public. True False
true
Disaster recovery personnel must know their roles without supporting documentation, which is a function of preparation, training, and rehearsal. True False
true
Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective. True False
true
Each policy should contain procedures and a timetable for periodic review. True False
true
In 1917, Gilbert S. Vernam, an AT&T employee, invented a polyalphabetic cipher machine that used a non-repeating random key. True False
true
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident. True False
true
Internet Protocol Security (IPSec) is an open-source protocol framework for security development within the TCP/IP family of protocols. True False
true
Internet Protocol Security is designed to protect data integrity, user confidentiality, and authenticity at the IP packet level. _________________________ True False
true
Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear the probability of a penalty being applied. _________________________ True False
true
NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture. True False
true
Nonrepudiation means that customers or partners can be held accountable for transactions, such as online purchases, which they cannot later deny. True False
true
PKI systems are based on public-key cryptosystems and include digital certificates and certificate authorities. True False
true
Popular cryptosystems use a hybrid combination of symmetric and asymmetric algorithms. True False
true
Pretty Good Privacy (PGP) uses the freeware ZIP algorithm to compress the message after it has been digitally signed but before it is encrypted. _________________________ True False
true
Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely. True False
true
Since it was established in January 2001, every FBI field office has started an InfraGard program to collaborate with public and private organizations and the academic community. True False
true
Steganography is a data hiding method that involves embedding information within other files, such as digital pictures or other images. True False
true
Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group. True False
true
Technical controls are the tactical and technical implementations of security in the organization. _________________________ True False
true
The code of ethics put forth by (ISC) 2 focuses on four mandatory canons: "Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession." _________________________ True False
true
The communications networks of the United States carry(ies) more funds than all of the armored cars in the world combined. _________________________ True False
true
The most common hybrid system is based on the Diffie-Hellman key exchange, which is a method for exchanging private keys using public-key encryption. True False
true
The policy administrator is responsible for the creation, revision, distribution, and storage of the policy. True False
true
The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification. _________________________ True False
true
When an asymmetric cryptographic process uses the sender's private key to encrypt a message, the sender's public key must be used to decrypt the message. True False
true
You can create a single, comprehensive ISSP document covering all information security issues. True False
true