CS 207


Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) longer than ______ characters in Internet Explorer 4.0, the browser will crash.

256

The _____ is a respected professional society that was established in 1947. Today it is "the world's largest educational and scientific computing society."

Association for Computing Machinery

The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) _____.

CBA

Which of these is not one of the general categories of security policy?

Category-specific policy (CSP)

_____ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.

Defense in depth

Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications?

Electronic Communications Privacy Act

A(n) _____ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.

FCO

_____ use allows copyrighted materials to be used to support news reporting, teaching, scholarship, and similar activities, if the use is for educational or library purposes, is not for profit, and is not excessive.

Fair

A(n) sequential roster is activated as the first person calls a few people on the roster, who in turn call a few other people. _____

False

A(n) strategic information security policy is also known as a general security policy, and sets the strategic direction, scope, and tone for all security efforts. _____

False

According to the CNSS, networking is "the protection of information and its critical elements." _______

False

An advance-fee fraud attack involves the interception of cryptographic elements to determine keys and encryption algorithms.

False

An affidavit is permission to search for evidentiary material at a specified location or to seize items to return to an investigator's lab for examination.

False

Information security's primary mission is to ensure that systems and their contents retain their confidentiality at any cost.

False

Media are items of fact collected by an organization and include raw numbers, facts, and words.

False

Media assets are the focus of information security and are the information that has value to the organization, as well as the systems that store, process, and transmit the information. ______

False

Network security focuses on the protection of physical items, objects, or areas from unauthorized access and misuse.

False

Root cause analysis is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting.

False

The Council of Europe Convention on Cybercrime has not been well received by advocates of intellectual property rights because it de-emphasizes prosecution for copyright infringement.

False

The computer security incident response team is composed solely of technical IT professionals who are prepared to detect, react to, and recover from an incident.

False

The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799.

False

The security framework is a more detailed version of the security blueprint.

False

The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. ______

False

Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. _____

False

_____ addresses are sometimes called electronic serial numbers or hardware addresses.

MAC

_____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.

Managerial

Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.

SLA

The _____ of 1999 provides guidance on the use of encryption and provides protection from government intervention.

Security and Freedom through Encryption Act

In the 1999 study of computer use-ethics, which of the following countries reported the least tolerant attitudes toward misuse of organizational computing resources?

Singapore

____ is any technology that aids in gathering information about a person or organization without their knowledge.

Spyware

Which of these best defines information security governance?

The application of the principles and practices of corporate governance to the information security function.

A breach of possession may not always result in a breach of confidentiality.

True

A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information.

True

A number of technical mechanisms—digital watermarks and embedded code, copyright codes, and even the intentional placement of bad sectors on software media—have been used to deter or prevent the theft of software intellectual property.

True

As an organization grows, it must often use more robust technology to replace the security technologies it may have outgrown.

True

Disaster classification is the process of examining an adverse event or incident and determining whether it constitutes an actual disaster.

True

Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective.

True

Expert hackers are extremely talented individuals who usually devote lots of time and energy to attempting to break into other people's information systems.

True

Hackers are "persons who access systems and information without authorization and often illegally." ______

True

Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. _______

True

Incident classification is the process of examining an adverse event or incident candidate and determining whether it constitutes an actual incident.

True

NIST responded to a mandate and created a voluntary Risk Management Framework that provides an effective approach to manage cybersecurity risks. _____

True

Organizations can use dictionaries to regulate password selection during the reset process and thus guard against easy-to-guess passwords.

True
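The dictionary check described above, as an added example rather than anything from the original study set: the candidate password is normalized (lower-cased, common digit-for-letter substitutions undone, leading and trailing digits and symbols stripped) before the lookup, because password-cracking rules undo those same substitutions, so "P@ssw0rd2024" must be treated as "password". The word list, the substitution map and the 12-character minimum are constructed assumptions; a real deployment loads a large list (for example a breached-password list) from disk.

```python
import re
from typing import Optional

# Constructed sample dictionary; a real deployment would load a large wordlist from disk.
DICTIONARY = {"password", "welcome", "summer", "qwerty", "letmein", "dragon", "monkey"}

# Substitutions that cracking rules undo anyway, so the policy must undo them too.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Lower-case, undo leet substitutions, then strip leading/trailing non-letters."""
    base = candidate.lower().translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", base)


def dictionary_hit(candidate: str, dictionary=DICTIONARY, min_word: int = 4) -> Optional[str]:
    """Return the dictionary word the candidate is built from, or None if it is not."""
    norm = normalize(candidate)
    if norm in dictionary:
        return norm
    # Also reject candidates that merely embed a dictionary word ("Welcome2024!" -> "welcome").
    # Longest words first so the most specific match is reported.
    for word in sorted(dictionary, key=len, reverse=True):
        if len(word) >= min_word and word in norm:
            return word
    return None


def check_password(candidate: str, min_length: int = 12) -> tuple:
    """Policy decision: (accepted, reason). Length is checked before the dictionary."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    word = dictionary_hit(candidate)
    if word is not None:
        return False, f"based on dictionary word '{word}'"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("P@ssw0rd2024", "Summer2024!", "L3tM3In!!", "correct horse battery staple"):
        print(pw, "->", check_password(pw))
```

Normalizing before the lookup is what makes the check worth having: a raw comparison against the word list would accept "P@ssw0rd2024" and reject only the literal "password". The substring rule is deliberately blunt; tune `min_word` so that short words such as "sun" do not reject every passphrase that happens to contain them.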

RAND Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security.

True

Since it was established in January 2001, every FBI field office has started an InfraGard program to collaborate with public and private organizations and the academic community.

True

The Economic Espionage Act of 1996 protects American ingenuity, intellectual property, and competitive advantage. _____

True

The organization must choose one of two philosophies that will affect its approach to IR and DR as well as subsequent involvement of digital forensics and law enforcement: the two approaches are protect and forget, and apprehend and prosecute.

True

The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.

True

Using a service bureau is a BC strategy in which an organization contracts with a service agency to provide a facility for a fee.

True

A subject or object's ability to use, manipulate, modify, or affect another subject or object is known as ___________.

access

According to NIST SP 800-14's security principles, security should _____.

All of the above: support the mission of the organization; be cost-effective; require a comprehensive and integrated approach.

An organizational resource that is being protected is sometimes logical, such as a Web site, software information, or data. Sometimes the resource is physical, such as a person, computer system, hardware, or other tangible object. Either way, the resource is known as a(n) ___________.

asset

SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security _____.

blueprint

The detailed documentation of the collection, storage, transfer, and ownership of evidentiary material from the crime scene through its presentation in court and its eventual disposition is called a(n) _____.

chain of evidence

The CPMT should include a _____ who is a high-level manager to support, promote, and endorse the findings of the project and could be the COO or (ideally) the CEO/president.

champion

The process of maintaining the confidentiality, integrity, and availability of data managed by a DBMS is known as ______ security.

database

A server would experience a(n) __________ attack when a hacker compromises it to acquire information via a remote location using a network connection.

direct

The concept of competitive _____ refers to falling behind the competition.

disadvantage

Most common data backup schemes involve ______.

disk-to-disk-to-cloud and RAID

"Know the enemy" means identifying, examining, and understanding the competition facing the organization. _____

false

A cold site provides many of the same services and options of a hot site, but at a lower cost.

false

A recovery time objective (RTO) is the total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption.

false

A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on them.

false

A(n) disaster is any adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. _____

false

A(n) hardware system is the entire set of people, procedures, and technology that enable business to use information.

false

Cultural differences can make it difficult to determine what is ethical and not ethical between cultures, except when it comes to the use of computers, where ethics are considered universal.

false

Database shadowing duplicates data in real-time data storage, but does not back up the databases at the remote site.

false

Ethics are the moral attitudes or customs of a particular group. _____

false

Every member of the organization's InfoSec department must have a formal degree or certification in information security.

false

Incident response is an organization's set of planning and preparation efforts for detecting, reacting to, and recovering from an incident.

false

Information denigration refers to pieces of nonprivate data that, when combined, may create information that violates privacy. _____

false

Information security can be an absolute.

false

Knowing yourself means identifying, examining, and understanding the threats facing the organization's information assets.

false

Pervasive risk is the amount of risk that remains to an information asset even after the organization has applied its desired level of controls. _____

false

Residual risk is the risk that organizations are willing to accept even after current controls have been applied.

false

Risk analysis is the enumeration and documentation of risks to an organization's information assets. _____

false

Risk perception is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically part of the risk appetite. _____

false

The Computer Security Act of 1987, the cornerstone of many computer-related federal laws and enforcement effort, was originally written as an extension and clarification of the Comprehensive Crime Control Act of 1984.

false

The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002. _____

false

The Graham-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. _____

false

The role of the project manager—typically an executive such as a chief information officer (CIO) or the vice president of information technology (VP-IT)—in this effort cannot be overstated.

false

The security model is the basis for the design, selection, and implementation of all security program elements, including policy implementation and ongoing policy and program management. _____

false

The work response time (WRT) is the amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. _____

false

When an organization depends on IT-based systems to remain viable, InfoSec and the discipline of asset management must become an integral part of the economic basis for making business decisions. _____

false

You cannot use qualitative measures to rank information asset values.

false

Which of the following is NOT one of the categories recommended for categorizing information assets?

firmware

An information security _____ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.

framework

A resumption location known as a ____ is a fully configured computer facility capable of establishing operations at a moment's notice.

hot site

The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ___________.

information security

Criminal or unethical _____ goes to the state of mind of the individual performing the act.

intent

In the ______ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.

man-in-the-middle
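The sniff, modify and re-insert sequence in the definition above, as an added example that is not part of the original study set. It constructs a small transfer message, runs it through an on-path attacker that rewrites one field, and shows that a receiver with no integrity protection accepts the altered message while a receiver that verifies an HMAC-SHA256 tag rejects it. The message format (JSON body, `|`, hex tag) and the shared key are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed shared secret; in practice it comes from a key exchange or out-of-band provisioning.
SHARED_KEY = b"example-shared-key-not-for-production"


def _encode(payload: dict) -> bytes:
    # Canonical serialization so sender and receiver MAC exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_message(payload: dict, key: bytes = None) -> bytes:
    """Serialize a payload; when a key is given, append an HMAC-SHA256 tag over the body."""
    body = _encode(payload)
    if key is None:
        return body
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def intercept_and_modify(wire: bytes) -> bytes:
    """Attacker on the path: sniff the packet, change the amount, put it back on the wire."""
    body, sep, tag = wire.partition(b"|")
    payload = json.loads(body)
    payload["amount"] = 9900
    # The attacker does not hold the key, so the old tag (if any) is simply re-attached.
    return _encode(payload) + sep + tag


def receive(wire: bytes, key: bytes = None):
    """Receiver: with no key it trusts whatever arrives; with a key it verifies the tag first."""
    body, _, tag = wire.partition(b"|")
    if key is not None:
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None  # tampered or unauthenticated: drop it
    return json.loads(body)


def demo():
    """Return (what an unprotected receiver accepts, what an HMAC-verifying receiver accepts)."""
    original = {"from": "alice", "to": "bob", "amount": 100}
    unprotected = receive(intercept_and_modify(build_message(original)))
    protected = receive(intercept_and_modify(build_message(original, SHARED_KEY)), SHARED_KEY)
    return unprotected, protected


if __name__ == "__main__":
    print(demo())
```

A message authentication code stops silent modification but not replay (the attacker can re-send an unmodified message), so real protocols also bind a sequence number or nonce into the authenticated data, and they authenticate the key exchange itself, since an attacker who can sit in the middle of the key agreement ends up holding the key.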

The actions taken by management to specify the short-term goals and objectives of the organization are _____.

operational planning

Information about a person's history, background, and attributes that can be used to commit identity theft is known as _____ information.

personally identifiable

The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information is known as ______.

pharming

_____ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.

physical

_____ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.

public

Advance-Fee fraud is an example of a ______ attack.

social engineering

A detailed statement of what must be done to comply with management intent is known as a _____.

standard

A(n) _____ plan is a plan for the organization's intended efforts over the next several years (long-term).

strategic

The actions taken by management to specify the intermediate goals and objectives of the organization are _____.

tactical planning

Risk _____ is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization's overall risk appetite.

tolerance

A(n) capability table specifies which subjects and objects users or groups can access. _____

true
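The capability table named above, as an added example rather than code from the original study set: the same authorizations are held once by object (an access control list) and once by subject (a capability table), with a default-deny check and the query each layout answers cheaply. The subjects, objects and rights are constructed sample data.

```python
from collections import defaultdict

# Constructed sample ACL: object -> {subject: set of rights}.
ACL = {
    "payroll.db": {"hr_group": {"read", "write"}, "auditor": {"read"}},
    "web_logs": {"soc_analyst": {"read"}, "auditor": {"read"}},
    "deploy_key": {"ci_runner": {"read"}},
}


def acl_to_capability_table(acl):
    """Re-index the ACL by subject: subject -> {object: set of rights}."""
    caps = defaultdict(dict)
    for obj, entries in acl.items():
        for subject, rights in entries.items():
            caps[subject][obj] = set(rights)
    return dict(caps)


def is_allowed(caps, subject, obj, right) -> bool:
    """Default deny: an unknown subject, unknown object or missing right all mean no access."""
    return right in caps.get(subject, {}).get(obj, set())


def who_can(acl, obj, right):
    """'Who can <right> object O?' is one lookup in the ACL."""
    return sorted(s for s, rights in acl.get(obj, {}).items() if right in rights)


def what_can(caps, subject, right):
    """'What can subject S <right>?' is one lookup in the capability table."""
    return sorted(o for o, rights in caps.get(subject, {}).items() if right in rights)


def revoke_object(caps, obj):
    """Revoking every right on one object means walking every subject's capability list."""
    for rights_by_obj in caps.values():
        rights_by_obj.pop(obj, None)


if __name__ == "__main__":
    caps = acl_to_capability_table(ACL)
    print(is_allowed(caps, "auditor", "payroll.db", "read"))
    print(who_can(ACL, "payroll.db", "read"), what_can(caps, "auditor", "read"))
```

The two layouts carry identical information; the choice decides which administrative question is cheap. Object-centric revocation ("nobody may touch payroll.db any more") is a single ACL entry but a full scan of a capability table, which is why capability systems usually add indirection or expiry to make revocation tractable.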

Confidentiality ensures that only those with the rights and privileges to access information are able to do so.

true

During the early years of computing, the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.

true

Every organization, whether public or private and regardless of size, has information it wants to protect.

true

Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat. _______

true

Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident.

true

Intellectual property is defined as "the creation, ownership, and control of ideas as well as the representation of those ideas." ______

true

Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear the probability of a penalty being applied. _____

true

Reported attacks are a probable indicator of an actual incident.

true

Software code known as a(n) cookie can allow an attacker to track a victim's activity on Web sites. ______

true

Some information security experts argue that it is virtually impossible to determine the true value of information and information-bearing assets.

true

The business impact analysis is a preparatory activity common to both CP and risk management.

true

The value of information comes from the characteristics it possesses.

true

To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited.

true

When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts.

true

Flaws or weaknesses in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security are known as _____.

vulnerabilities

In the TVA worksheet, assets are placed into a matrix with threats and then the exposure of the assets to specific threats is explored by documenting _____.

vulnerabilities

The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect __________ in operating systems security.

vulnerabilities

The average amount of time until the next hardware failure is known as ______.

mean time to failure (MTTF)

