CSC 145: chapters 1-6


People with the primary responsibility for administering the systems that house the information used by the organization perform the role of ____. 1) Security policy developers 2) Security professionals 3) System administrators 4) End users

3) System administrators

A technique used to compromise a system is known as a(n) ___________. 1) access method 2) asset 3) exploit 4) risk

3) exploit

An alternative method to economic feasibility

Benchmarking seeks out and studies practices used in other organizations to produce desired results in one's own organization.

__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. 1) Networking 2) Proxy 3) Defense in depth 4) Best-effort

Defense in depth

Attacks conducted by scripts are usually unpredictable. True False

False

Information security can be an absolute True or False?

False

NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture. True False

False

The U.S. Secret Service is currently within the Department of the Treasury. _________________________ True False

False

The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not. True False

False

What is the subject of the Computer Security Act? 1. Federal agency information security 2. Telecommunications common carriers 3. Cryptography software vendors 4. All of the above

Federal agency information security

Three parts of risk management

Risk Identification (documentation of risks), Risk Control, and Risk Assessment

Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____. 1) SSL 2) SLA 3) MSL 4) MIN

SLA (Service Level Agreement): the minimum level of service to expect

A content filter, also known as a reverse firewall, is a network device that allows administrators to restrict access to external content from within a network. True False

True

A number of technical mechanisms—digital watermarks and embedded code, copyright codes, and even the intentional placement of bad sectors on software media—have been used to deter or prevent the theft of software intellectual property. True False

True

A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. True False

True

During the early years of computing, the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage. True or False?

True

In the physical design phase, specific technologies are selected. True False

True

Much human error or failure can be prevented with effective training and ongoing awareness activities. True False

True

Organizations can use dictionaries to regulate password selection during the reset process and thus guard against easy-to-guess passwords. True False

True

Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group. True False

True

To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates. True False

True

You can create a single, comprehensive ISSP document covering all information security issues. True False

True

A type of SDLC in which each phase has results that flow into the next phase is called the __________ model. 1) pitfall 2) SA&D 3) waterfall 4) Method 7

Waterfall

Risk Assessment vs. Risk Control

assessment = the extent to which info assets are exposed to risk; control = the application of controls that reduce the risks to info assets (to an acceptable level)

The economic feasibility study determines the costs associated with protecting an asset. The formal documentation process of feasibility is called a __________

cost benefit analysis

__________ firewalls examine every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information. 1. Packet-filtering 2. Application gateway 3. Circuit gateway 4. MAC layer

packet filtering

__________ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse. 1) Physical 2) Personal 3) Object 4) Standard

1) Physical

A computer is the __________ of an attack when it is used to conduct an attack against another computer. 1) subject 2) object 3) target 4) facilitator

1) Subject

When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting __________. 1) industrial espionage 2) competitive intelligence 3) opposition research 4) hostile investigation

1) industrial espionage: the practice of spying or of using spies, typically by governments, to obtain political and military information.

A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file is known as a(n) __________. 1) rainbow table 2) dictionary 3) crib 4) crack file

1) rainbow table

"4-1-9" fraud is an example of a ____________________ attack. 1) social engineering 2) virus 3) worm 4) spam

1) social engineering. A type of advance-fee fraud, named after the section of the Nigerian penal code. Fictional companies, or a long-lost relative, pose as legitimate in order to fool people.

Components of risk identification

1. Plan 2. identify assets 3. classify 4. identify threats 5. specify vulnerabilities of assets

5 strategies of risk control

1. defend 2. transference 3. mitigate 4. accept 5. terminate

__________ law comprises a wide variety of laws that govern a nation or state. 1) Criminal 2) Civil 3) Public 4) Private

2) Civil

An emerging methodology to integrate the effort of the development team and the operations team to improve the functionality and security of applications is known as __________. 1) SDLC 2) DevOps 3) JAD/RAD 4) SecOps

2) DevOps. SecOps = using DevOps methods for integrated development.

What is the subject of the Sarbanes-Oxley Act? 1) Banking 2) Financial reporting 3) Privacy 4) Trade secrets

2) Financial reporting

The Computer __________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts. 1) Violence 2) Fraud 3) Theft 4) Usage

2) Fraud

_________ controls address personnel security, physical security, and the protection of production inputs and outputs. 1) Informational 2) Operational 3) Technical 4) Managerial

2) Operational

____ is any technology that aids in gathering information about a person or organization without their knowledge. 1) A bot 2) Spyware 3) A Trojan 4) A worm

2) Spyware

The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect __________ in operating systems security. 1) bugs 2) vulnerabilities 3) malware 4) maintenance hooks

2) Vulnerabilities

A(n) _________ is a document containing contact information for the people to be notified in the event of an incident. 1) emergency notification system 2) alert roster 3) phone list 4) call register

2) alert roster

The __________ design phase of an SDLC methodology is implementation independent, meaning that it contains no reference to specific technologies, vendors, or products. 1) conceptual 2) logical 3) integral 4) physical

2) logical

The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees. 1) intentional 2) external 3) accidental 4) physical

3) accidental. SETA = Security Education, Training, and Awareness; it reduces accidental security breaches by employees because it focuses on training.

As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________. 1) false alarms 2) polymorphisms 3) hoaxes 4) urban legends

3) hoaxes

The protection of tangible items, objects, or areas from unauthorized access and misuse is known as ___________. 1) communications security 2) network security 3) physical security 4) information security

3) physical security

Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. 1) bypass 2) theft 3) trespass 4) security

3) trespass

Which of the following is a valid type of role when it comes to data ownership? 1) Data owners 2) Data custodians 3) Data users 4) All of the above

4) All of the Above

An information system is the entire set of __________, people, procedures, and networks that enable the use of information resources in the organization. 1) software 2) hardware 3) data 4) All of the above

4) All of the above

Redundancy can be implemented at a number of points throughout the security architecture, such as in ________. 1) firewalls 2) proxy servers 3) access controls 4) All of the above

4) All of the above

The __________ attempts to prevent trade secrets from being illegally shared. 1) Electronic Communications Privacy Act 2) Sarbanes-Oxley Act 3) Financial Services Modernization Act 4) Economic Espionage Act

4) Economic Espionage Act. EEA = trade secrets.

The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ___________. 1) communications security 2) network security 3) physical security 4) information security

4) information security

In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. 1) zombie-in-the-middle 2) sniff-in-the-middle 3) server-in-the-middle 4) man-in-the-middle

4) man-in-the-middle

The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any __________ purposes. 1) troubleshooting 2) billing 3) customer service 4) marketing

4) marketing

Laws, policies, and their associated penalties only deter if which of the following conditions is present? 1. Fear of penalty 2. Probability of being caught 3. Probability of penalty being administered 4. All of the above

4. All of the above

__________ access control is a form of __________ access control in which users are assigned a matrix of authorizations for particular areas of access. 1. lattice-based, discretionary 2. arbor-based, nondiscretionary 3. arbor-based, discretionary 4. lattice-based, nondiscretionary

4. lattice-based, nondiscretionary

According to NIST SP 800-14's security principles, security should ________. 1) support the mission of the organization 2) require a comprehensive and integrated approach 3) be cost-effective 4) All of the above

All of the above

Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications? 1) Electronic Communications Privacy Act 2) Financial Services Modernization Act 3) Sarbanes-Oxley Act 4) Economic Espionage Act

Electronic Communications Privacy Act. ECPA = wiretapping act.

Ethics are the moral attitudes or customs of a particular group. _________________________ True False

False. Cultural mores. Mores = social or cultural norms.

The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002. _________________________ True False

False. It was created by the Homeland Security Act of 2002, in response to 9/11.

Task-based controls are associated with the assigned role a user performs in an organization, such as a position or temporary assignment like project manager. True False

False. Role-based controls.

"Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. _________________________ True False

False. Shoulder "surfing".

Systems-specific security policies are organizational policies that provide detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies. _________________________ True False

False. This describes an ISSP (issue-specific security policy).

A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior. True False

False. This isn't a standard; it's an information security policy. Standard = a detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance. If the policy states that employees must "use strong passwords, frequently changed," the standard might specify that the password "must be at least 8 characters, with at least one number, one letter, and one special character."

Which of the following versions of TACACS is still in use? 1. TACACS 2. Extended TACACS 3. TACACS+ 4. All of the above

TACACS+. Terminal Access Controller Access-Control System (TACACS, usually pronounced like "tack-axe") refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server.

Kerberos __________ provides tickets to clients who request services. 1. KDS 2. TGS 3. AS 4. VPN

TGS. Kerberos = an authentication system that uses symmetric key encryption to validate an individual user's access to various network resources by keeping a database containing the private keys of clients and servers that are in the authentication domain it supervises. TGS = Ticket-Granting Service.

Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. _________________________ True False

True

The DMZ can be a dedicated port on the firewall device linking a single bastion host. True False

True

A mail bomb is a form of DoS attack. True False

True. Mail bomb = an attack designed to overwhelm the receiver with excessive quantities of e-mail. Spam = undesired e-mail, typically commercial advertising transmitted in bulk.

Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall's database or violations of those rules. True False

True. Packet-filtering firewall = a networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.

A(n) __________ is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. 1. SVPN 2. VPN 3. SESAME 4. KERBES

VPN

The restrictions most commonly implemented in packet-filtering firewalls are based on __________. 1. IP source and destination address 2. Direction (inbound or outbound) 3. TCP or UDP source and destination port requests 4. All of the above

all of the above

Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage __________. 1) with intent 2) by accident 3) with malice 4) with negligence

by accident

Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards. 1) de formale 2) de public 3) de jure 4) de facto

de jure. De jure standard = a standard that has been formally evaluated, approved, and ratified by a formal standards organization; contrast with a de facto standard. De facto standard = a standard that has been widely adopted or accepted by a public group rather than a formal standards organization; contrast with a de jure standard.

A __________ filtering firewall can react to an emergent event and update or create rules to deal with the event. 1. dynamic 2. static 3. stateful 4. stateless

dynamic

An information security ________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training. 1) plan 2) framework 3) model 4) policy

framework

__________ firewalls are designed to operate at the media access control sublayer of the data link layer of the OSI network model. 1. MAC layer 2. Circuit gateway 3. Application gateway 4. Packet-filtering

mac layer

In 2002, Congress passed the Federal Information Security Management Act (FISMA), which mandates that all federal agencies __________. 1. provide security awareness training 2. periodic assessment of risk 3. develop policies and procedures based on risk assessments 4. All of the above

provide security awareness training

In most common implementation models, the content filter has two components: __________. 1. encryption and decryption 2. filtering and encoding 3. rating and decryption 4. rating and filtering

rating and filtering

The transfer of transaction data in real time to an off-site facility is called ____. 1) off-site storage 2) remote journaling 3) electronic vaulting 4) database shadowing

remote journaling

A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years. 1) standard 2) operational 3) tactical 4) strategic

strategic

Residual risk

the risk that remains after management implements internal controls or some other response to risk

The primary benefit of a VPN that uses _________ is that an intercepted packet reveals nothing about the true destination system. 1. intermediate mode 2. tunnel mode 3. reversion mode 4. transport mode

tunnel mode. Tunnel mode = the entire client packet is encrypted. Transport mode = the packet payload is encrypted, but the header information of the packet is not.

