IS chapter 7
101. The term _____ refers to clandestine software that is installed on your PC through duplicitous channels but is not particularly malicious. a. Alien software b. Virus c. Worm d. Back door e. Logic bomb
a
103. When companies attempt to counter _____ by requiring users to accurately select characters in turn from a series of boxes, attackers respond by using _____. a. keyloggers, screen scrapers b. screen scrapers, uninstallers c. keyloggers, spam d. screen scrapers, keyloggers e. spam, keyloggers
a
110. _____ controls are concerned with user identification, and they restrict unauthorized individuals from using information resources. a. Access b. Physical c. Data security d. Administrative e. Input
a
112. Biometrics are an example of: a. something the user is. b. something the user wants. c. something the user has. d. something the user knows. e. something the user does.
a
119. In a process called _____, a company allows nothing to run unless it is approved, whereas in a process called _____, the company allows everything to run unless it is not approved. a. whitelisting, blacklisting b. whitelisting, encryption c. encryption, whitelisting d. encryption, blacklisting e. blacklisting, whitelisting
a
12. Informing the consumer what data is being collected and how it will be used is an example of a. Notice/Awareness. b. Choice/Consent. c. Access/Participation. d. Integrity/Security.
a
128. You start a new job. You want to install some fun software on your laptop and get an error message which indicates that the software is not on the ________________ list so it cannot be installed. a. white b. black c. yellow d. blue
a
21. An information security threat is a. Any danger to an information resource. b. The potential loss or damage to an information resource. c. The possibility that an information resource will be lost or damaged. d. None of the above.
a
34. Which if the following is not a common risk mitigation strategy? a. Risk analysis. b. Risk limitation. c. Risk acceptance. d. Risk transference.
a
36. The four major types of information security controls are a. Access controls, physical controls, application controls, and communication controls. b. Risk controls, software controls, programmer controls, and access controls. c. Physical controls, risk controls, application controls, and communication controls. d. Physical controls, authentication controls, biometric controls, and anti-malware controls.
a
6. Phishing is what happens when a. Someone sends you unwanted e-mails attempting to sell products or services. b. Someone illegally blocks your access to a Web site. c. Someone pretends to be a trustworthy source to steal your personal information. d. Someone goes fishing with their iPhone.
a
84. An information system's _____ is the possibility that the system will be harmed by a threat. a. vulnerability b. risk c. control d. danger e. compromise
a
87. Unintentional threats to information systems include all of the following except: a. malicious software b. tailgating c. power outage d. lack of user experience e. tornados
a
96. _____ are segments of computer code that attach to existing computer programs and perform malicious acts. a. Viruses b. Worms c. Trojan horses d. Back doors e. Logic bombs
a
102. Which of the following is (are) designed to use your computer as a launch pad for sending unsolicited e-mail to other computers? a. Spyware b. Spamware c. Adware d. Viruses e. Worms
b
104. _____ is the process in which an organization assesses the value of each asset being protected, estimates the probability that it will be compromised, and compares the probable costs of an attack with the costs of protecting the asset. a. Risk management b. Risk analysis c. Risk mitigation d. Risk acceptance e. Risk transference
b
11. Giving consumers the right to opt-in or opt-out of how their information is used is an example of: a. Notice/Awareness. b. Choice/Consent. c. Access/Participation. d. Integrity/Security.
b
111. Access controls involve _____ before _____. a. biometrics, signature recognition b. authentication, authorization c. iris scanning, voice recognition d. strong passwords, biometrics e. authorization, authentication
b
117. Bob is using public key encryption to send a message to Ted. Bob encrypts the message with Ted's _____ key, and Ted decrypts the message using his _____ key. a. public, public b. public, private c. private, private d. private, public e. none of these
b
124. You receive an e-mail from your bank informing you that they are updating their records and need your password. Which of the following statements is true? a. The message could be an industrial espionage attack. b. The message could be a phishing attack. c. The message could be a denial of service attack. d. The message could be a back door attack. e. The message could be a Trojan horse attack.
b
129. You start a new job. You want to install some fun software on your laptop and get an error message which indicates that the software is on the ________________ list so it cannot be installed. a. white b. black c. yellow d. blue
b
131. You start a new job, and human resources gives you a ten-page document that outlines the employee responsibilities for information security. Which of the following statements is most likely to be true? a. The document recommends that login passwords be left on a piece of paper in the center desk drawer so that others can use the laptop if necessary. b. You are expected to read the document, and you could be reprimanded if you don't follow its guidelines. c. You can back up sensitive data to a thumb drive so you can take them home to work with. d. The document indicates that you can leave your laptop unlocked if you leave your desk for less than an hour. e. The document permits you to lend your laptop to your brother for the weekend.
b
15. How many keys does public key encryption use? a. 1. b. 2. c. 3. d. 4.
b
26. Unintentional threats to information systems include all of the following except a. Discarding old computers without completely wiping the memory. b. Theft of confidential information by copying files onto a flash drive c. Accidentally leaving a company laptop on a taxi or plane. d. All of the above are unintentional threats.
b
38. Which of the following statements is true? a. Multifactor authentication systems are more reliable and less expensive than single-factor. b. Multifactor authentication systems are more reliable and more expensive than single-factor. c. Multifactor authentication systems are less reliable and less expensive than single-factor d. Multifactor and single-factor authentications have the same degree of reliability.
b
42. An information system exposure is a. Any danger to an information resource. b. The potential loss or damage to an information resource. c. The possibility that an information resource will be lost or damaged. d. None of the above.
b
52. The difficulties in protecting information resources include all of the following except a. Computer resources are situated in many locations, including laptops, that employees can take out of the office. b. Penetration tests have proved to be useless in finding security weaknesses. c. The cost of mitigating risk can be very high, and the benefits of reducing threats can be difficult to measure. d. All of the above are difficulties.
b
55. A password system on a computer network is an example of which type of information security control? a. physical b. access c. communication d. None of the choices listed is correct
b
56. ____________ is an encryption standard used for secure transactions such as credit card processing and online banking. a. VPN b. TLS c. DMZ d. Whitelisting
b
81. The computing skills necessary to be a hacker are decreasing for which of the following reasons? a. More information systems and computer science departments are teaching courses on hacking so that their graduates can recognize attacks on information assets. b. Computer attack programs, called scripts, are available for download from the Internet. c. International organized crime is training hackers. d. Cybercrime is much more lucrative than regular white-collar crime. e. Almost anyone can buy or access a computer today.
b
86. Employees in which functional areas of the organization pose particularly grave threats to information security? a. human resources, finance b. human resources, management information systems c. finance, marketing d. operations management, management information systems e. finance, management information systems
b
9. You should change your online password: a. Every day. b. Frequently. c. Once a year. d. Every hour.
b
94. A _____ is a document that grants the holder exclusive rights on an invention for 20 years. a. copyright b. patent c. trade secret d. knowledge base e. private property notice
b
10. Making data available to consumers so they can verify its correctness is an example of a. Notice/Awareness. b. Choice/Consent. c. Access/Participation. d. Integrity/Security.
c
105. Which of the following statements is false? a. Credit card companies usually block stolen credit cards rather than prosecute. b. People tend to shortcut security procedures because the procedures are inconvenient. c. It is easy to assess the value of a hypothetical attack. d. The online commerce industry isn't willing to install safeguards on credit card transactions. e. The cost of preventing computer crimes can be very high.
c
106. In _____, the organization takes concrete actions against risks. a. risk management b. risk analysis c. risk mitigation d. risk acceptance e. risk transference
c
109. Which of the following statements concerning the difficulties in protecting information resources is not correct? a. Computing resources are typically decentralized. b. Computer crimes often remain undetected for a long period of time. c. Rapid technological changes ensure that controls are effective for years. d. Employees typically do not follow security procedures when the procedures are inconvenient. e. Computer networks can be located outside the organization.
c
120. Organizations use hot sites, warm sites, and cold sites to insure business continuity. Which of the following statements is false? a. A cold site has no equipment. b. A warm site has no user workstations. c. A hot site needs to be located close to the organization's offices. d. A hot site duplicates all of the organization's resources. e. A warm site does not include actual applications.
c
126. You start a new job, and the first thing your new company wants you to do is create a user ID and a password. To remember your password, you write it on a PostIt note and put it on your laptop screen. This is an example of a. social engineering. b. tailgating. c. poor security. d. dumpster diving e. phishing.
c
127. You start a new job. You know that logging in with your password authenticates who you are. What actions, rights, or privileges you have based on your identity is called a. biometrics b. authorization. c. passphrase. d. encryption.
c
16. Who knows the private key? a. The company. b. The computer. c. The receiver. d. All of the above.
c
18. The key pairs are based on a. Only even numbers. b. Only odd numbers. c. Only prime numbers. d. Only numbers divisible by 5.
c
19. Information technology has the potential to a. Benefit organizations in terms of efficiency, but the devastating consequences of cyberterrorism always cause the costs to outweigh the benefits. b. Benefit organizations in terms of productivity, but the intangible costs of employee negligence are larger than the increases in productivity. c. Benefit organizations, but it can also have negative consequences. d. Benefit large organizations, but small businesses like Ruby's Club are better off not investing in IT.
c
22. An information system vulnerability is a. Any danger to an information resource. b. The potential loss or damage to an information resource. c. The possibility that an information resource will be lost or damaged. d. None of the above.
c
27. Which of the following is not a social engineering technique? a. Tailgating b. Shoulder surfing c. Careless internet surfing d. All of the choices are social engineering techniques. e. None of the choices are social engineering techniques
c
3.What is the last step of setting up a secure connection? a. Server sends back digital acknowledgement. b. Browser checks if it trusts SSL certificate. c. Encrypted data are shared. d. Browser requests the server to identify itself.
c
30. Which of the following is a remote software attack from outside the system that requires a user inside the system to take some type of action? a. The attacker has a back door into the system with a password created by a programmer and known only to him or her. b. A computer programmer hides a Trojan horse in a program that will activate at a later time. c. A worm (computer code) is attached to a regular program that performs the malicious actions when a file or link is opened. d. The attacker uses zombies or bots from many computers to request information from the company's computer.
c
31. Which of the following would be an example of a SCADA attack? a. Bank accounts are hacked into after Internet purchases b. Social Security numbers are deleted from a company's database. c. Computer viruses are introduced into the electrical company's systems resulting in a shutdown of the power plant. d. Email accounts are hacked and kinky messages are sent to all of the user's contacts
c
33. The purpose of risk management is to a. Train employees to follow security procedures to prevent potential software attacks. b. Save money by not getting involved in expensive investigations to try to find the attacker that may not be successful. c. Reduce risk to an acceptable level. d. All of the above are purposes of risk management.
c
37. Communication controls include a. Authentication, passwords, and authorization. b. Motion detectors, locked doors, guards, and temperature sensors. c. Firewalls, anti-malware, and secure socket layers (SSLs). d. Input, processing, and output controls.
c
4. Strong encryption is how many bits? a. 8. b. 64. c. 128. d. 256.
c
50. Which type of alien software uses your computer to send emails that look like they came from you to all the people in your address book? a. adware b. spyware c. spamware d. cookies
c
7. If a stranger tries to "friend" you on a social media Web site such as MySpace or Facebook, you should a. Introduce yourself. b. Ask the person to contact you at your e-mail address. c. Ignore the person. d. Just be nice.
c
82. Rank the following in terms of dollar value of the crime, from highest to lowest. a. robbery - white collar crime - cybercrime b. white collar crime - extortion - robbery c. cybercrime - white collar crime - robbery d. cybercrime - robbery - white collar crime e. white collar crime - burglary - robbery
c
89. The cost of a stolen laptop includes all of the following except: a. Loss of intellectual property b. Loss of data c. Backup costs d. Loss of productivity e. Replacement cost
c
90. Dumpster diving is: a. always illegal because it is considered trespassing. b. never illegal because it is not considered trespassing. c. typically committed for the purpose of identity theft. d. always illegal because individuals own the material in the dumpster. e. always legal because the dumpster is not owned by private citizens.
c
92. A _____ is intellectual work that is known only to a company and is not based on public information. a. copyright b. patent c. trade secret d. knowledge base e. private property
c
93. A pharmaceutical company's research and development plan for a new class of drugs would be best described as which of the following? a. Copyrighted material b. Patented material c. A trade secret d. A knowledge base e. Public property
c
97. _____ are software programs that hide in other computer programs and reveal their designed behavior only when they are activated. a. Viruses b. Worms c. Trojan horses d. Back doors e. Logic bombs
c
114. Passwords and passphrases are examples of: a. something the user is. b. something the user wants. c. something the user has. d. something the user knows. e. something the user does.
d
116. Which of the following is not a strong password? a. IloveIT b. 08141990 c. 9AmGt/* d. Rainer e. Information Security
d
118. Which of the following statements concerning firewalls is false? a. Firewalls prevent unauthorized Internet users from accessing private networks. b. Firewalls examine every message that enters or leaves an organization's network. c. Firewalls filter network traffic according to categories of activities that are likely to cause problems. d. Firewalls filter messages the same way as anti-malware systems do. e. Firewalls are sometimes located inside an organization's private network.
d
122. Your company's headquarters was just hit head on by a hurricane, and the building has lost power. The company sends you to their hot site to minimize downtime from the disaster. Which of the following statements is true? a. The site will not have any servers. b. The site will not have any workstations, so you need to bring your laptop. c. The site is probably in the next town. d. The site should be an almost exact replica of the IT configuration at headquarters. e. The site will not have up-to-date data.
d
123. The forecast for your company's headquarters predicts the area hit head on by a hurricane. The company sends you to their warm site to minimize downtime should such a disaster hit. Which of the following statements is true? a. The site will not have any servers. b. The site will not have any workstations, so you need to bring your laptop. c. The site is probably in the next town. d. The site will not have any of the company's applications. e. The site will not have up-to-date data.
d
13. Having the data collector protect the information from unauthorized use or disclosure is an example of: a. Notice/Awareness. b. Choice/Consent. c. Access/Participation. d. Integrity/Security.
d
130. Your friend works in the risk management department for a mid-size financial institution. She said it's an interesting job - she has to put a value on each asset (information included), determine a probability that it would get compromised, and compare that to the cost of protecting that asset. This process is called a. risk acceptance. b. risk limitation. c. risk transference. d. risk analysis
d
14. Which of these mechanisms is/are in place to enforce fair information practices? a. Self-regulation. b. Private remedies. c. Government enforcement. d. All of these are required.
d
17. Who knows the public key? a. Only the computer. b. Only the receiver. c. Only the customers. d. All who want to communicate securely with the receiver.
d
23. Which of the following factors is (are) making information security more difficult? a. Today's highly complex networked business environment. b. The computing skills necessary to be a hacker are decreasing. c. Increased employee use of unmanaged computing and storage devices. d. All of the above.
d
25. Which of the following employees typically poses the most significant threat to information security? a. Janitors b. Contract labor c. Consultants d. IS employees
d
28. Which type of remote software attack does not require user action? a. virus b. worm c. phishing attack d. denial-of service attack
d
39. The hard drive problems in the Opening Case could have been prevented by: a) backing up the data. b) installing security software. c) They could not have been prevented. d) both a and b
d
44. Human mistakes that can lead to information security threats include all of the following except a. Poor password selection. b. Carelessness with discarded equipment. c. Opening questionable e-mails. d. All of the above can lead to information security threats.
d
46. Social engineering is an attack on information security that is perpetrated by a. Someone impersonating a manager or an IT employee to gather information or passwords over the phone. b. Someone who uses social media, e.g., Facebook or LinkedIn, to gather private information about a company in a social conversation. c. Someone who poses as a technician to gain access to offices and gather information about people or activities. d. All of the above are social engineering.
d
5. What company is in the identity and authentication security business to secure and certify Web sites? a. Microsoft. b. IBM. c. InfoSys. d. VeriSign.
d
54. The three processes involved in risk management are a. Training computer users to follow security procedures, installing antivirus programs, and monitoring programmers to prevent logic bombs. b. Risk acceptance, risk limitation, and risk elimination. c. Assessing the value of the company's assets, calculating the probability that each asset will be compromised, and purchasing insurance to eliminate any losses. d. Risk analysis, risk mitigation, and controls evaluation
d
57. Business continuity planning involves a. Risk analysis, risk mitigation, and controls evaluation to reduce risks that can destroy the organization. b. Ensuring that access, physical, application, and communication controls are in place to reduce risks that can destroy the organization. c. Ensuring that firewalls, anti-malware, and virtual private networks are operating to reduce the risks that a disaster will occur. d. Using hot sites, off-site storage, and other disaster-recovery techniques to keep the organization running if a disaster occurs.
d
8. If you get a message from a friend on MySpace or Facebook that is blank except for a Web link, what should you do? a. Ignore it. It may be a "phishing" scam. b. Click on the link, but do not provide any information to the linked site. c. Reply and ask the friend if he or she really sent the link. d. Send a new message to your friend (not a reply) asking if he or she really sent the link.
d
80. Which of the following factors is not increasing the threats to information security? a. smaller computing devices b. downstream liability c. the Internet d. limited storage capacity on portable devices e. due diligence
d
83. A _____ is any danger to which an information resource may be exposed. a. vulnerability b. risk c. control d. threat e. compromise
d
85. The most overlooked people in information security are: a. consultants and temporary hires. b. secretaries and consultants. c. contract laborers and executive assistants. d. janitors and guards. e. executives and executive secretaries.
d
88. _____ involves building an inappropriate trust relationship with employees for the purpose of gaining sensitive information or unauthorized access privileges. a. Tailgating b. Hacking c. Spoofing d. Social engineering e. Spamming
d
95. An organization's e-mail policy has the least impact on which of the following software attacks? a. virus b. worm c. phishing d. zero-day e. spear phishing
d
99. A _____ attack uses deception to fraudulently acquire sensitive personal information by masquerading as an official e-mail. a. Zero-day b. Denial-of-service c. Distributed denial-of-service d. Phishing e. Brute force dictionary
d
How does an SSL certificate protect sites? a. It enables encryption of sensitive information. b. It is a unique credential. c. It authenticates the owner. d. All answers are correct.
d
What is the first step in setting up a secure connection? a. Server sends back digital acknowledgement. b. Browser checks if it trusts SSL certificate. c. Encrypted data are shared. d. Browser requests the server identify itself.
d
100. In a _____ attack, a coordinated stream of requests is launched against a target system from many compromised computers at the same time. a. phishing b. zero-day c. worm d. back door e. distributed denial-of-service
e
107. Which of the following is not a strategy for mitigating the risk of threats against information? a. Continue operating with no controls and absorb any damages that occur b. Transfer the risk by purchasing insurance. c. Implement controls that minimize the impact of the threat d. Install controls that block the risk. e. Installing an updated operating system
e
108. In _____, the organization purchases insurance as a means to compensate for any loss. a. risk management b. risk analysis c. risk mitigation d. risk acceptance e. risk transference
e
113. Voice and signature recognition are examples of: a. something the user is. b. something the user wants. c. something the user has. d. something the user knows. e. something the user does.
e
115. Which of the following is not a characteristic of strong passwords? a. They are difficult to guess. b. They contain special characters. c. They are not a recognizable word. d. They are not a recognizable string of numbers e. They tend to be short so they are easy to remember
e
125. You start a new job, and the first thing your new company wants you to do is create a user ID and a password. Which of the following would be a strong password? a. The name of the company b. Your last name c. Your birthdate d. Your initials (capitalized) and the number of the floor you are on e. The name of the company spelled backward
e
91. Cybercriminals can obtain the information they need in order to assume another person's identity by: a. Infiltrating an organization that stores large amounts of personal information. b. Phishing. c. Hacking into a corporate database. d. Stealing mail. e. All of the above are strategies to obtain information to assume another person's identity.
e
98 _____ are segments of computer code embedded within an organization's existing computer programs that activate and perform a destructive action at a certain time or date. a. Viruses b. Worms c. Trojan horses d. Back doors e. Logic bombs
e
121. True or False? You start a dog-walking service, and you store your client's records on your cell phone. You don't need to worry about information security.
false
24. True or False? Low level employees pose the greatest threat to information security.
false
29. True or False? For a remote software attack from outside the system to be successful, an employee needs to take some action on the system, such as opening an attachment or link
false
32. True or False? It is easier to protect information resources today than in the past because there are so many new security-enhancing technologies like firewalls and antivirus programs.
false
35. True or False? Information security controls can protect data, software, and hardware, but not networks because the Internet is not under the control of the company.
false
40. True or False? The computing skills necessary to be a hacker are becoming more sophisticated due to the enhanced security features installed on computers.
false
41. True or False? Cybercrime losses tend to be smaller than white-collar crime losses because white-collar employees often have access to an organization's cash
false
47. True of False You should regularly delete any spyware that might be residing on your computer, because it may be dangerous.
false
48. True or False? The theft of computing devices is less serious today than in the past because devices are less expensive to replace and can be reordered online
false
53. True or False? Risk management identifies, controls, and minimizes the impact of threats to the organization's information security.
false
58. True or False? The security of each computer on the Internet is independent of the security of all other computers on the Internet
false
62. True or False? Dumpster diving is always illegal because it involves trespassing on private property
false
65. True or False? Zero-day attacks use deceptive e-mails to acquire sensitive personal information.
false
68. True or False? Supervisory control and data acquisition (SCADA) systems require human data input
false
69. True or False? Cyberterrorism is usually carried out by nations
false
71. True or False? Risk analysis involves determining whether security programs are working.
false
72. True or False? A password refers to "something the user is."
false
78. True or False? A VPN is a network within the organization
false
20. True or False? Protecting an organization's information is becoming increasingly difficult due to the number of small devices, such as flash drives, that thieves can use to steal data.
true
43. True or False? The higher the level of employee, the greater the threat the employee poses to information security.
true
45. True or False? Social engineering refers to an attack where the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information such as passwords
true
49. True or False? Phishing attacks occur when the attacker uses deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages
true
51. True or False? Risk analysis is the process by which an organization assesses the value of each asset being protected, estimates the probability that each asset will be compromised, and compares the probable costs of the asset's being compromised with the costs of protecting that asset.
true
59. True or False? The computing skills necessary to be a hacker are decreasing.
true
60. True or False? Human errors cause more than half of the security-related problems in many organizations
true
61. True or False? The higher the level of an employee in organization, the greater the threat that he or she poses to the organization.
true
63. True or False? Software can be copyrighted
true
64. True or False? Trojan horses are software programs that hide in other computer programs and reveal their designed behavior only when they are activated.
true
66. True or False? In most cases, cookies track your path through Web sites and are therefore invasions of your privacy.
true
67. True or False? Cyberterrorism and cyberwarfare can attack supervisory control and data acquisition (SCADA) systems to cause widespread physical damage.
true
70. True or False? IT security is the responsibility of everyone in the organization
true
73. True or False? Organizations utilize layers of controls because they face so many diverse threats to information security.
true
74. True or False? Public-key encryption uses two different keys, one public and one private.
true
75. True or False? Voice recognition is an example of "something a user does" authentication
true
76. True or False? Organizations use authentication to establish privileges to systems operations.
true
77. True or False? The area located between two firewalls within an organization is called the demilitarized zone.
true
79. True or False? A URL that begins with https rather than http indicates that the site transmits using an extra layer of security called transport layer security.
true