Accounting Systems and Control Chapter 8


In addition to encryption, organizations should _______ to effectively secure wireless communications. a. Place all wireless access points in the DMZ b. Configure all wireless clients to operate in ad hoc mode c. Do both of the above d. Do none of the above

A

Which of the following is a preventative control? a. Training b. Log analysis c. CIRT d. Virtualization

A

Which of the following statements is/are true? a. IT developments such as virtualization, cloud computing, and the Internet of Things weaken information security b. A large number of emergency changes is a potential red flag of other problems c. Information security is improved when the CISO reports to the CIO d. All of the statements are true e. None of the statements are true

A

Which of the following techniques is the most effective way for a firewall to use to protect the perimeter? a. Deep packet inspection b. Packet filtering c. Access control list d. All of the above are equally effective

A

Vulnerability scan

A detective control that identifies weaknesses in devices or software

Firewall

A device that provides perimeter security by filtering packets

Router

A device that uses the Internet Protocol (IP) to send packets across networks.

deep packet inspection

A firewall technique that filters traffic by examining not just packet header information but also the contents of a packet

Vulnerability

A flaw or weakness in a program

Change control and change management

A plan to ensure that modifications to an information system do not reduce its security

Demilitarized Zone (DMZ)

A subnetwork that is accessible from the Internet but separate from the organization's internal network.

penetration test

A test that determines the time it takes to compromise a system

Cloud computing

An arrangement whereby a user remotely accesses software, hardware, or other resources via a browser.

Social Engineering

An attack that involves deception to obtain access

A company's current password policy requires that passwords be alphanumeric, case sensitive, and 10 characters long. Which one of the following changes to the company's password policy will increase password strength the most? a. Require passwords to also include special characters b. Require passwords to be 15 characters long c. Both of the above changes would have the same effect on password strength

B

ABC Bank wants to strengthen the security of its online bill pay features. Therefore, it decides that in addition to a password, users must also correctly identify a picture that they have previously chosen to be one of their authentication credentials. This is an example of a process referred to as ______________. a. Multifactor authentication b. Multimodal authentication c. Neither of the above

B

The control procedure designed to restrict what portions of an information system an employee can access and what actions he or she can perform is called ___________. a. Authentication b. Authorization c. Intrusion prevention d. Intrusion detection

B

The system employs a compatibility test to decide whether to let a particular employee update records in a particular file. The compatibility test is part of the aspect of access control referred to as _________. a. Authentication b. Authorization c. Accountability

B

Which of the following combinations of credentials is an example of multi factor authentication? a. Voice recognition and a fingerprint reader b. PIN and an ATM card c. A password and the user ID d. All of the above

B

Which of the following is a corrective control designed to fix vulnerabilities? a. Virtualization b. Patch management c. Penetration testing d. Authorization

B

Which of the following set of authentication credentials provides the strongest access control? a. A password and a security question b. A PIN and a smart card c. Voice recognition and a fingerprint d. All of the combinations of credentials are equally strong

B

Which of the following statements is true? a. The concept of defense-in-depth reflects the fact that security involves the use of a few sophisticated technical controls b. Information security is necessary for protecting confidentiality, privacy, integrity of processing, and availability of information resources c. The time-based model of security can be expressed in the following formula: P < D + R d. Information security is primarily an IT issue, not a managerial concern

B

A firewall that uses __________ would be most effective in detecting and stopping an attempt to deface the organization's website by sending an HTML "PUT" command to its web server. a. Static packet filtering b. Stateful packet filtering c. Deep packet inspection

C

A weakness that an attacker can take advantage of to either disable or take control of a system is called a(n) ______ a. Exploit b. Patch c. Vulnerability d. Attack

C

Firewalls are most effective in reducing the ability of an attacker to ___________. a. Conduct initial reconnaissance b. Research vulnerabilities and exploits c. Scan and map the target d. All of the above are prevented by firewalls e. None of the above are prevented by firewalls

C

Which of the following is a detective control? a. Hardening endpoints b. Physical access controls c. Penetration testing d. Patch management

C

patch

Code that corrects a flaw in a program

Modifying default configurations to turn off unnecessary programs and features to improve security is called ________. a. User account management b. Defense-in-depth c. Vulnerability scanning d. Hardening

D

The set of instructions for taking advantage of a flaw in a program is called a(n) _________. a. Vulnerability b. Patch c. Update d. Exploit

D

Which of the following statements is true? a. "Emergency" changes need to be documented once the problem is resolved b. Changes should be tested in a system separate from the one used to process transactions c. Change controls are necessary to maintain adequate segregation of duties d. All of the above are true

D

Hardening

Improving security by removal or disabling of unnecessary programs and features.

Authorization

Restricting the actions that a user is permitted to perform

Exploit

Software code that can be used to take advantage of a flaw and compromise a system

border router

The device that connects the organization to the Internet.

packet filtering

The firewall technique that filters traffic by comparing only the information in packet headers to the rules in an ACL

Patch Management

The process of applying code supplied by a vendor to fix a problem in that vendor's software.

Virtualization

The process of running multiple machines on one physical server

CIRT

The set of employees assigned responsibility for resolving problems and incidents

Authentication

Verification of claimed identity
