CIST 1602 Module 1 Chapter 1&2

Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.

(ISC)2

Briefly describe five different types of laws.

1. Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations. 2. Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state. 3. Tort law is a subset of civil law which allows individuals to seek recourse against others in the event of personal, physical, or financial injury. 4. Private law regulates the relationships among individuals and among individuals and organizations, and encompasses family law, commercial law, and labor law. 5. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.

There are 12 general categories of threat to an organization's people, information, and systems. List at least six of the general categories of threat and identify at least one example of those listed.

6 of the 12 general categories of threat to an organization are: Human error. This can be someone deleting important resources accidental Information extortion: This would be hacker blackmailing organizations of there resources Software attacks: Include several such as malware and DoS attacks Theft. Can include someone taking organizations property with out authority Forces of nature. When earthquakes, fire, floods, or event that humans can not control. Hardware failure. Sometimes when equipment are to old there can be equipment failure.

Which of the following is NOT a step in the problem-solving process?

Build support among management for the candidate solution

one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices

Computer Security Act (CSA)

Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?

Confidentiality

List and explain the critical characteristics of information as defined by the C.I.A. triad.

Confidentiality of information ensures that only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached. Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Availability is the characteristic of information that enables user access to information without interference or obstruction and in a useable format.

focuses on enhancing the security of the critical infrastructure in the United States

Cybersecurity Act

Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures

DMCA

Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?

Descriptive ethics

a collection of statutes that regulates the interception of wire, electronic, and oral communications

Electronic Communications Privacy Act

​Which of the following is not among the 'deadly sins of software security'?

Extortion sins

A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. _________________________

False

Corruption of information can occur only while information is being stored.

False

DoS attacks cannot be launched against routers.

False

Ethics carry the sanction of a governing authority.

False

Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy. _________________________

False

One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. _________________________

False

The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. _________________________

False

The authorization process takes place before the authentication process.

False

The first step in solving problems is to gather facts and make assumptions.

False

The macro virus infects the key operating system files located in a computer's start up sector. _________________________

False

To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996.​ ___________

False

​Deterrence is the best method for preventing an illegal or unethical activity. ____________

False

Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?

HIPAA

Which law addresses privacy and security concerns associated with the electronic transmission of PHI?

Health Information Technology for Economic and Clinical Health Act

Discuss the three general categories of unethical behavior that organizations should try to control.

Ignorance: Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is education. Organizations must design, publish, and disseminate organizational policies and relevant laws, and employees must explicitly agree to abide by them. Reminders, training, and awareness programs support retention, and one hopes, compliance. Accident: Individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident. The careful placement of controls can help prevent accidental modification to systems and data. Intent: Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A legal defense can be built upon whether or not the accused acted out of ignorance, by accident, or with the intent to cause harm or damage. Deterring those with criminal intent is best done by means of litigation, prosecution, and technical controls. Intent is only one of several factors to consider when determining whether a computer-related crime has occurred.

List the measures that are commonly used to protect the confidentiality of information.

Information classification Secure document (and data) storage Application of general security policies Education of information custodians and end users Cryptography (encryption)

Blackmail threat of informational disclosure is an example of which threat category?

Information extortion

A key difference between policy and law is that ignorance of policy is a viable defense. What steps must be taken to assure that an organization has a reasonable expectation that policy violations can be appropriately penalized without fear of legal retribution?

Policies must be: ​ Distributed to all individuals who are expected to comply with them Read by all employees Understood by all employees, with multilingual translations and translations for visually impaired or low-literacy employees Acknowledged by the employee, usually by means of a signed consent form Uniformly enforced, with no special treatment for any group (e.g., executives)

Which of the following is the first step in the problem-solving process?

Recognize and define the problem

Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.

SLA

Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?

The Electronic Communications Privacy Act of 1986

Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?

The Telecommunications Deregulation and Competition Act

What is the key difference between law an ethics?

The difference between law and ethics is that ethics is behavior that is socially acceptable. Having the sense of knowing whats right from wrong. While law are regulations that are govern by higher authority in which everyone is to abid by.

____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.

Trojan horses

A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.

True

A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________

True

The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.

True

The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________

True

​ Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________

True

​ The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________

True

Which law extends protection to intellectual property, which includes words published in electronic formats?

U.S. Copyright Law

What do audit logs that track user activity on an information system provide?

accountability

an approach that applies moral codes to actions drawn from realistic situations

applied ethics

The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?

authentication

According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?

availability

Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?

back door

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?

common good

addresses violations harmful to society and is actively enforced and prosecuted by the state

criminal law

Which type of attack involves sending a large number of connection or information requests to a target?

denial-of-service (DoS)

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.

deterrence

A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

distributed denial-of-service

Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________ .

education

defines socially acceptable behaviors

ethics

One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

hacktivist

Any court can impose its authority over an individual or organization if it can establish which of the following?

jurisdiction

In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.

man-in-the-middle

Communications security involves the protection of which of the following?.

media, technology, and content

the study of what makes actions right or wrong, also known as moral theory

normative ethics

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?

organization

Which of the following is NOT a primary function of Information Security Management?

performance

Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives?

planning

Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?

policy

regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments

public law

Which of the following is compensation for a wrong committed by an employee acting with or without authorization?

restitution

"4-1-9" fraud is an example of a ____________________ attack.

social engineering

Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.

trespass