COM 416 Midterm


1.36) _______ is a network project that preceded the Internet.

ARPANET

1.42) ______________ of information is the quality or state of being genuine or original.

Authenticity

3.37) _________ law comprises a wide variety of laws that govern a nation or state.

Civil

1.47) An emerging methodology to integrate the effort of the development team and the operations team to improve the functionality and security of applications is known as __________.

DevOps

3.49) The __________ attempts to prevent trade secrets from being illegally shared.

Economic Espionage Act

1.38) __________ was the first operating system to integrate security as one of its core functions.

MULTICS

2.56) In the ____________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.

Man-in-the-middle

2.66) The average amount of time until the next hardware failure is known as ______________.

Mean Time To Failure (MTTF)

3.38) ____________ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.

Public

2.40) Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____________.

SLA (Service-Level Agreement)

2.46) "4-1-9" fraud is an example of a _______________ attack. a) Social engineering b) Virus c) Worm d) Spam

a) Social Engineering

2.61) A long-term interruption (outage) in electrical power availability is known as a(n) _________________.

blackout

2.41) A short-term interruption in electrical power availability is known as a(n) _______.

fault

1.49) During the _____________ phase, specific technologies are selected to support the alternatives identified and evaluated in the prior phases.

physical design

1.58) The protection of tangible items, objects, or areas from unauthorized access and misuse is known as ______________.

physical security

2.43) Acts of _______________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.

trespass

1.37) The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect ________________ in operating systems security.

vulnerabilities

1.53) The _______ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.

CISO (Chief Information Security Officer)

3.46) What is the subject of the Computer Security Act?

Federal agency information security

3.51) What is the subject of the Sarbanes-Oxley Act?

Financial reporting

3.39) The Computer ________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.

Fraud

1.57) The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ______________________.

Information Security

2.65) The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures, is known as ___________.

Mean Time Between Failure (MTBF)

1.44) __________ has become a widely accepted evaluation standard for training and education related to the security of information systems.

NSTISSI No. 4011

2.42) Hackers can be generalized into two skill groups: Expert and ____________.

Novice

1.39) ____________ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.

Physical

2.44) The _____________ data file contains the hashed representation of the user's password.

SAM (Security Account Manager)

1.45) An information system is the entire set of _____________, people, procedures, and networks that enable the use of information resources in the organization.

software, hardware, and data (all of the above)

2.49) ______ is any technology that aids in gathering information about a person or organization without their knowledge.

Spyware

1.55) People with the primary responsibility for administering the systems that house the information used by the organization perform the role of __________.

System administrators

2.50) ____________________ are malware programs that hide their true nature and reveal their designed behavior only when activated.

Trojan horses

1.48) A type of SDLC in which each phase has results that flow into the next phase is called the ___________ model.

Waterfall

2.55) ______________ are compromised systems that are directed remotely (usually by transmitted command) by the attacker to participate in an attack. a) Drones b) Helpers c) Zombie d) Servants

c) Zombie

2.53) In a ____________ attack, the attacker sends a large number of connection or information requests to disrupt a target from a small number of sources. a) Denial-of-Service b) Distributed Denial-of-Service c) Virus d) Spam

a) Denial-of-Service

3.44) Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications? a) Electronic Communications Privacy Act b) Financial Services Modernization Act c) Sarbanes-Oxley Act d) Economic Espionage Act

a) Electronic Communications Privacy Act

3.45) Which of the following acts is also widely known as the Gramm-Leach-Bliley Act? a) Financial Services Modernization Act b) Communications Act c) Computer Security Act d) Health Insurance Portability and Accountability Act

a) Financial Services Modernization Act

2.47) One form of online vandalism is ___________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. a) Hacktivist b) Phreak c) Hackcyber d) Cyberhacker

a) Hacktivist

2.59) When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting _____________. a) Industrial Espionage b) Competitive Intelligence c) Opposition Research d) Hostile Investigation

a) Industrial Espionage

4.69) _________ controls cover security processes that are designed by strategic planners and implemented by security administration of the organization. a) Managerial b) Technical c) Operational d) Informational

a) Managerial

2.64) The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information is known as __________. a) Pharming b) Phishing c) Sniffing d) Pharming

a) Pharming

2.63) A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file is known as a(n) ________. a) Rainbow table b) Dictionary c) Crib d) Crack file

a) Rainbow table

4.55) The goals of information security governance include all but which of the following? a) Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care b) Strategic alignment of information security with business strategy to support organizational objectives c) Risk management by executing appropriate measures to manage and mitigate threats to information resources d) Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved

a) Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care

3.48) The _______________ defines stiffer penalties for prosecution of terrorist crimes. a) USA PATRIOT Act b) Sarbanes-Oxley Act c) Gramm-Leach-Bliley Act d) Economic Espionage Act

a) USA PATRIOT Act

2.60) The process of maintaining the confidentiality, integrity, and availability of data managed by a DBMS is known as __________ security. a) database b) data c) information d) residual

a) database

4.64) In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to _____________. a) identify and prioritize opportunities for improvement within the context of a continuous and repeatable process. b) assess progress toward a recommended target state. c) communicate among local, state, and national agencies about cybersecurity risk. d) None of these

a) identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.

3.57) In 2002, Congress passed the Federal Information Security Management Act (FISMA), which mandates that all federal agencies ____________. a) provide security awareness training b) periodic assessment of risk c) develop policies and procedures based on risk assessments d) All of the Above

a) provide security awareness training

1.59) A subject or object's ability to use, manipulate, modify, or affect another subject or object is known as ______________.

access

1.60) An organizational resource that is being protected is sometimes logical, such as a Web site, software information, or data. Sometimes the resource is physical, such as a person, computer system, hardware, or other tangible object. Either way, the resource is known as a(n) __________.

asset

2.48) ______________ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data that result in violence against noncombatant targets by subnational groups or clandestine agents. a) Infoterrorism b) Cyberterrorism c) Hacking d) Cracking

b) Cyberterrorism

2.54) A _________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. a) Denial-of-Service b) Distributed Denial-of-Service c) Virus d) Spam

b) Distributed Denial-of-Service

4.57) The _______ is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts. a) SysSP b) EISP c) GSP d) ISSP

b) EISP

3.43) The Health Insurance Portability and Accountability Act of 1996, also known as the ______________ Act, protects the confidentiality and security of health-care data by establishing and enforcing standards and by standardizing electronic data interchange. a) Gramm-Leach-Bliley b) Kennedy-Kassebaum c) Privacy d) HITECH

b) Kennedy-Kassebaum

4.70) __________ controls address personnel security, physical security, and the protection of product inputs and outputs. a) Informational b) Operational c) Technical d) Managerial

b) Operational

2.57) The __________ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network. a) WWW b) TCP c) FTP d) HTTP

b) TCP

4.75) A(n) _____________ is a document containing contact information for the people to be notified in the event of an incident. a) emergency notification system b) alert roster c) phone list d) call register

b) alert roster

3.54) Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage ______________. a) with intent b) by accident and/or through unintentional negligence c) with malice d) NONE OF THE ABOVE

b) by accident and/or through unintentional negligence

4.71) Security ______________ are the areas of trust within which users can freely communicate. a) perimeters b) domains c) rectangles d) layers

b) domains

1.52) The ____________ design phase of an SDLC methodology is implementation independent, meaning that it contains no reference to specific technologies, vendors, or products. a) conceptual b) logical c) integral d) physical

b) logical

2.58) Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) longer than _____________ characters in Internet Explorer 4.0, the browser will crash. a) 64 b) 128 c) 256 d) 512

c) 256

3.47) Which of the following acts defines and formalizes laws to counter threats from computer-related acts and offenses? a) Electronic Communications Privacy Act of 1986 b) Freedom of Information Act (FOIA) of 1966 c) Computer Fraud and Abuse Act of 1986 d) All of the Above

c) Computer Fraud and Abuse Act of 1986

4.66) __________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. a) Networking b) Proxy c) Defense in depth d) Best-effort

c) Defense in depth

2.52) As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus _______________. a) False alarms b) Polymorphisms c) Hoaxes d) Urban Legends

c) Hoaxes

4.67) _________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information. a) Firewalling b) Hosting c) Redundancy d) Domaining

c) Redundancy

3.53) Which of the following countries reported the least tolerant attitudes toward personal use of organizational computing resources? a) Australia b) United States c) Singapore d) Sweden

c) Singapore

4.72) The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees. a) intentional b) external c) accidental d) physical

c) accidental

4.56) Standards may be published, scrutinized, and ratified by a group, as in formal or _________ standards. a) de formale b) de public c) de jure d) de facto

c) de jure

4.60) The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security ___________." a) implementation b) certification c) management d) accreditation

c) management

4.65) The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the ___________ side of the organization. a) technology b) Internet c) people d) operational

c) people

3.40) According to National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except _______________. a) for purposes of commercial advantage. b) for private financial gain c) to harass d) in furtherance of a criminal act

c) to harass

1.56) The protection of all communications media, technology, and content is known as _________________.

communications security

1.54) Which of the following is a valid type of role when it comes to data ownership? a) Data owners b) Data custodians c) Data users d) All of the Above

d) All of the Above

2.39) Which of the following functions does information security perform for an organization? a) Protecting the organization's ability to function. b) Enabling the safe operation of applications implemented on the organization's IT systems. c) Protecting the data the organization collects and uses. d) All of the Above

d) All of the Above

3.56) Laws, policies, and their associated penalties only deter if which of the following conditions are present? a) Fear of penalty b) Probability of being caught c) Probability of penalty being administered d) All of the Above

d) All of the Above

4.63) According to NIST SP 800-14's security principles, security should ______________. a) support the mission of the organization b) require a comprehensive and integrated approach c) be cost-effective d) All of the Above

d) All of the Above

4.68) Redundancy can be implemented at a number of points throughout the security architecture, such as in ____________. a) firewalls b) proxy servers c) access controls d) All of the Above

d) All of the Above

4.74) A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes ______________. a) controls have been bypassed b) controls have proven ineffective c) controls have failed d) All of the Above

d) All of the Above

4.73) The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages? a) Determine mission/business processes and recovery criticality. b) Identify recovery priorities for system resources c) Identify resource requirements d) All of these are BIA stages

d) All of these are BIA stages

3.41) The National Information Infrastructure Protection Act of 1996 modified which act? a) USA PATRIOT Act b) USA PATRIOT Improvement and Reauthorization Act c) Computer Security Act d) Computer Fraud and Abuse Act

d) Computer Fraud and Abuse Act

2.51) Which of the following is an example of a Trojan horse program? a) Netsky b) MyDoom c) Klez d) Happy99.exe

d) Happy99.exe

3.52) The Council of Europe adopted the Convention on Cybercrime in 2001 to oversee a range of security functions associated with ___________ activities. a) online terrorist b) electronic commerce c) cyberactivist d) Internet

d) Internet

1.50) Which of the following phases is often considered the longest and most expensive phase of the systems development life cycle? a) Investigation b) Implementation c) Analysis d) Maintenance and Change

d) Maintenance and Change

3.50) The _____________ of 1999 provides guidance on the use of encryption and provides protection from government intervention. a) Prepper Act b) Economic Espionage Act c) USA PATRIOT Act d) Security and Freedom through Encryption Act

d) Security and Freedom through Encryption Act

4.58) ____________ often function as standards or procedures to be used when configuring or maintaining systems. a) ESSPs b) EISPs c) ISSPs d) SysSPs

d) SysSPs

4.61) When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems? a) The standard lacked the measurement precision associated with a technical standard. b) It was not as complete as other frameworks. c) The standard was hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls. d) The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.

d) The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.

4.62) SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ___________. a) plan b) standard c) policy d) blueprint

d) blueprint

3.42) The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any _________ purposes. a) troubleshooting b) billing c) customer service d) marketing

d) marketing

4.54) A(n) _______ plan is a plan for the organization's intended strategic efforts over the next several years. a) standard b) operational c) tactical d) strategic

d) strategic

1.40) A server would experience a(n) _______________ attack when a hacker compromises it to acquire information via a remote location using a network connection.

direct

2.45) Human error or failure often can be prevented with training, ongoing awareness activities, and ____________.

education

4.59) An information security ________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.

framework

1.43) In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single number called the __________ value.

hash
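Questions 1.43 (file hashing), 2.44 (the SAM file holding hashed passwords) and 2.63 (rainbow tables) describe one primitive from three sides: a hash turns the input's bits into a single fixed-size value, a stolen password file holds those values rather than the passwords, and a rainbow table is a precomputed, compressed map from values back to plaintexts. The block below is an added example written for this page, not code from the quiz or the textbook it is drawn from. It hashes a file in chunks, builds a miniature rainbow table from reduction-function chains over a constructed four-letter keyspace, recovers an unsalted hash from it, and shows that a per-user salt puts the same password outside the table. SHA-256 stands in for whatever hash the stolen file uses; the practical lesson holds for unsalted NT hashes (MD4 of the UTF-16LE password) stored in the SAM. CHARSET, PW_LEN, CHAIN_LEN, STARTS and the sample passwords are all constructed for the demonstration.

```python
"""Added example (not part of the quiz or its textbook): chunked file hashing,
a miniature rainbow table built from reduction-function chains, and a check
that per-user salts defeat the precomputed table.  CHARSET, PW_LEN, CHAIN_LEN,
STARTS and the sample passwords are constructed for the demonstration."""
import hashlib
import itertools

CHARSET = "abcd"   # constructed toy keyspace: 4**3 = 64 possible passwords
PW_LEN = 3
CHAIN_LEN = 4      # reduction steps per chain (real tables use thousands)
ALL_PASSWORDS = ["".join(t) for t in itertools.product(CHARSET, repeat=PW_LEN)]
STARTS = ALL_PASSWORDS[::3]   # store only ~1/3 of the keyspace as chain starts


def file_hash(data: bytes, algo: str = "sha256") -> str:
    """Compute the hash value of a file's bytes in fixed-size chunks."""
    h = hashlib.new(algo)
    for off in range(0, len(data), 4096):
        h.update(data[off:off + 4096])
    return h.hexdigest()


def pw_hash(password: str, salt: bytes = b"") -> bytes:
    """Unsalted password hash when salt is empty, salted otherwise."""
    return hashlib.sha256(salt + password.encode()).digest()


def reduce_(digest: bytes, step: int) -> str:
    """Reduction function R_step: map a digest back into the password keyspace.
    Mixing in the step index gives each chain position its own R, which is what
    makes this a rainbow table rather than a set of plain Hellman chains."""
    n = int.from_bytes(digest[:8], "big") + step
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def build_table(starts):
    """Precompute chains; store only endpoint -> [start points] (merges kept)."""
    table = {}
    for start in starts:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_(pw_hash(pw), step)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target: bytes):
    """Return a password p with pw_hash(p) == target, or None if not covered."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target is the hash at chain position `pos`; walk to the end.
        pw = reduce_(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_(pw_hash(pw), step)
        for start in table.get(pw, []):
            # Regenerate the candidate chain and verify before trusting it
            # (an endpoint match can be a false alarm from a merged chain).
            cand = start
            for step in range(pos + 1):
                if pw_hash(cand) == target:
                    return cand
                cand = reduce_(pw_hash(cand), step)
    return None


def coverage(table) -> int:
    """How many of the keyspace passwords the stored table can recover."""
    return sum(lookup(table, pw_hash(p)) == p for p in ALL_PASSWORDS)


if __name__ == "__main__":
    table = build_table(STARTS)
    print("file hash of b'abc':", file_hash(b"abc"))
    print(f"stored {len(STARTS)} chains, recover {coverage(table)}/{len(ALL_PASSWORDS)} unsalted hashes")
    print("unsalted lookup:", lookup(table, pw_hash("bac")))
    print("salted lookup:  ", lookup(table, pw_hash("bac", salt=b"\x9a\x11")))
```

The table stores only chain endpoints, which is the time-memory trade-off the question alludes to: a lookup costs a few hundred hash operations instead of a stored entry per password. The salted lookup returns None because the table was precomputed over bare passwords; with a random salt per user the attacker would need a separate table per salt, which is why salted (and deliberately slow) password hashing is the standard defence against a stolen password file.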

3.55) Criminal or unethical __________ goes to the state of mind of the individual performing the act.

intent

2.62) A short-term decrease in electrical power availability is known as a(n) ______________.

sag

1.51) Organizations are moving toward more _________________-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but [also] consumer confidence in their product.

security

1.41) A computer is the ___________ of an attack when it is used to conduct an attack against another computer.

subject

1.46) A methodology and formal development strategy for the design and implementation of an information system is referred to as a ___________.

systems development life cycle
