Kafli 5 - Öryggi (Multiple Choice)
In Cybersecurity terminology, a vulnerability is defined as ________: a. A weakness that threatens the confidentiality, integrity, or availability of data. b. Something or someone that can damage, disrupt, or destroy an asset. c. Estimated cost, loss, or damage that can result from an exploit. d. Tools or techniques that take compromise a network.
a. A weakness that threatens the confidentiality, integrity, or availability of data.
The _________ is an exercise that determines the impact of losing the support or availability of a resource. a. Business impact analysis (BIA) (áhrifagreining) b. Vulnerability audit c. Asset valuation audit d. Computing Cost/Benefit (CCB) audit
a. Business impact analysis (BIA) (áhrifagreining)
When it comes to defending against employee fraud, regulators look favorably on companies that can demonstrate good __________ and best practices in operational risk management. a. Corporate governance b. Access to legal counsel c. Relationships with security vendors d. Awareness of industry standards
a. Corporate governance
____________ is/are defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." a. Critical infrastructure (mikilvæg innviði) b. Cyber architecture c. National networks d. Strategic assets
a. Critical infrastructure (mikilvæg innviði)
The ability of an IS to continue to operate when a failure occurs, but usually for a limited time or at a reduced level is referred to as __________. a. Fault tolerance (villuþol) b. Hot site ready c. Cold site ready d. System override
a. Fault tolerance (villuþol)
LulzSec and Anonymous are examples of ________ that have claimed responsibility for high profile attacks designed to make a political statement, embarrass an organization or government, or to gain publicity. a. Hacktivists b. Hostile government agents c. Industrial spies d. Cyber terrorists
a. Hacktivists
One source of cybersecurity threats today are ____________who breach networks in an attempt to gain media attention or for their cause. a. Hacktivists b. Political criminals c. Industrial spies d. Social engineers
a. Hacktivists
________ is the supervision, monitoring, and control of an organization's IT assets. a. IT governance (upplýsingatækni stjórnun) b. Internal control c. PCI DSS d. FISMA
a. IT governance (upplýsingatækni stjórnun)
IT professionals work hard to protect key characteristics of an asset from security breaches. One of these characteristics is ____________, or the property that data or files have not been altered in an unauthorized way. a. Integrity b. Confidentiality c. Availability d. Reliability
a. Integrity (heiðarleiki, gegnsæji..)
Boeing's Black smartphone is secure because it ________. a. Is self-destructing if tampered with. b. Uses dual SIM cards c. Communicates via satellite d. Is an Android device
a. Is self-destructing if tampered with.
One of ________ specialties is finding websites with poor security, and then stealing and posting information from them online. a. LulzSec's. b. .RSA's c. Fraudsters' d. Botmasters'
a. LulzSec's.
When new vulnerabilities are found in operating systems, applications, or wired and wireless networks, vendors of those products release __________ or __________ to fix the vulnerabilities.
a. Patches; service packs (plástrar og þjónustu pakkar)
Sometimes system failures and data or information loss can result from reasons other than an intentional attempt to breach security. Unintentional threats are all of the following except ___________. a. Political/civic unrest b. Human errors c. Environmental hazards d. Computer systems failures
a. Political/civic unrest
Physical security includes several controls. Which of the following is not a type of physical control? a. Security bonds or malfeasance insurance for key employees b. Emergency power shutoff and backup batteries c. Shielding against electromagnetic fields d. Properly designed and maintained air-conditioning systems
a. Security bonds or malfeasance insurance for key employees
The IT security defense-in-depth model starts with ________. a. Senior management commitment and support b. IT security procedures and enforcement c. Hardware and software selection d. Acceptable use policies and IT security training
a. Senior management commitment and support
___________ tactics are used by hackers and corporate spies to trick people into revealing login information or access codes. a. Social engineering b. Backdoor c. BYOD d. Password cracking
a. Social engineering
A key of finding of the 2014 Global State of Information Security Survey was ________. a. Too many companies are defending yesterday---that is, they rely on yesterday's cybersecurity practices that are ineffective at combating today's threats. b. Protecting all data at an equally high level is now practical and feasible. c. Most companies implement stringent security policies before moving to cloud computing, but not before implementing BYOD. d. APTs require a new information-protection model that focuses on preventing DDoS attacks.
a. Too many companies are defending yesterday---that is, they rely on yesterday's cybersecurity practices that are ineffective at combating today's threats.
Facebook, YouTube, Twitter, LinkedIn, and other social networks are making IT security dangers worse. Why? a. Users invite in and build relationships with others. Cybercriminals hack into these trusted relationships using stolen log-in credentials. b. E-mail viruses and malware have been increasing for years even though e-mail security has improved. c. Communication has shifted from social networks to smartphones. d. Web filtering, user education, and strict policies cannot help prevent IT security dangers on Facebook and other social networks.
a. Users invite in and build relationships with others. Cybercriminals hack into these trusted relationships using stolen log-in credentials.
Cybersecurity is ___________. a. an ongoing unending process b. a problem that is solved with hardware or software c. defined in the AUP that is enforced periodically d. primarily the responsibility of the IT and legal departments
a. an ongoing unending process
Storm worm, which is spread via spam, is a ________ agent embedded inside over 25 million computers. Storm's combined power has been compared to the processing power of ________. a. botnet; a supercomputer b. spyware; a DDoS attack c. vector; zombies d. spear phishing; a server
a. botnet; a supercomputer
Business operations are controlled by apps, systems, and networks that are so interconnected that anyone's ________ is an entry point for attacks. a. mobile device b. botnet c. BYOD d. firewall
a. mobile device
In cybersecurity terms, the function of a password together with a username is to __________ a user's identity to verify that the person has the right to access a computer or network. a. Record b. Authenticate (sannreyna...) c. Substantiate d. Validate
b. Authenticate (sannreyna...)
IT professionals work hard to protect key characteristics of an asset from security breaches. One of these characteristics is ________, or the avoidance of unauthorized disclosure of information or data. a. Integrity b. Confidentiality c. Availability d. Reliability
b. Confidentiality
The three key cybersecurity principles are: a. Data protection, equipment protection, reputation protection b. Confidentiality, integrity, availability (þagmælska, áreiðanleiki, aðgengi...) c. Anticipate, defend, counter-attack d. Identify, assess risk, take action
b. Confidentiality, integrity, availability (þagmælska, áreiðanleiki, aðgengi...)
Negative consequences of lax cybersecurity that companies tend to face include all of the following except ________. a. Damaged brands and reputations b. Criminal charges c. Financial penalties d. Customer backlash
b. Criminal charges
Government and corporate officials concerned about security threats do not bring their own cell phones or laptops when traveling overseas. Instead, they bring loaner devices and follow strict security procedures including not connecting to their domestic network while out of the country. These procedures are referred to as _________. a. Black Ops procedures b. Do-Not-Carry rules c. Foreign Threat Prevention procedures d. Strict Security standards
b. Do-Not-Carry rules
Most organizations use software or hardware devices to control access to their private networks from the Internet by analyzing incoming and outgoing data packets. These devices are called ___________. a. Antimalware b. Firewalls c. Intrusion detection systems d. Middleware
b. Firewalls
The main cause of data breaches is ________, which is so successful because of ________ when management does not do enough to defend against cyberthreats. a. Hacking; highly motivated hackers b. Hacking; negligence (hökkun og gáleysi) c. Malware; BYOD d. Malware; negligence
b. Hacking; negligence (hökkun og gáleysi)
People who have their social security or credit card numbers stolen and used by thieves are frequently victims of ___________________. a. Insider fraud b. Identity theft c. Occupational corruption d. Document sabotage
b. Identity theft
___________ is a term referring to a variety of criminal behaviors perpetrated by an organization's own employees or contractors. a. Managerial corruption b. Insider or internal fraud c. Corporate fraud d. Intentional fraud
b. Insider or internal fraud
__________ are essential to the prevention and detection of occupation frauds a. Anti-malware and firewalls b. Internal audits and internal controls c. Encryption and IDS d. AUPs
b. Internal audits and internal controls
Experts believe the three greatest cybersecurity dangers over the next few years will involve all of the following except __________. a. persistent threats b. POS attacks c. mobile computing d. the use of social media
b. POS attacks
Internal fraud prevention and detection measures are based on __________ and __________. a. A detailed recovery plan; containment, including a fault-tolerant system b. Perimeter defense technologies, such as e-mail scanners; human resource procedures, such as recruitment screening c. General controls; application controls d. Physical controls, including authorization; authentication systems
b. Perimeter defense technologies, such as e-mail scanners; human resource procedures, such as recruitment screening
Samuel received an email that looked like it came from his bank. The email told him to click a link that opened an official looking Webpage where he was asked to enter his account information. But when Samuel examined the URL, he noticed it was a strange address he did not recognize. Most likely, someone was attempting to steal Samuel's confidential information using a technique called __________. a. Botnets b. Phishing (vefveiðar) c. Spoofing d. Click hijacking
b. Phishing (vefveiðar)
A defense strategy requires several controls. ___________ protect computer facilities and resources such as computers, data centers, software, manuals, and networks. a. Application controls b. Physical controls c. General controls d. Authentication controls
b. Physical controls
Chris is a network manager for a large company. She receives daily updates about various malware and then assesses how to best protect her organization's network from attack. In cybersecurity terminology, she is involved in __________. a. Identifying exposure b. Risk management (áhættustýring) c. A security audit d. Encryption defenses
b. Risk management (áhættustýring)
The internal control environment is the work atmosphere that a company sets for its employees and is designed to achieve all of the following except _________. a. Reliability of financial reporting b. Secure decision making (örugg ákvarðanataka) c. Compliance with laws d. Compliance with regulations and policies
b. Secure decision making (örugg ákvarðanataka)
The Payment Card Industry Data Security Standard (PCI DSS) created by Visa, MasterCard, American Express, and Discover is a __________. a. Set of standards required by U.S. and international law for protecting credit card transaction data. b. Set of industry standards required for all online merchants that store, process, or transmit cardholder data. c. Set of voluntary security guidelines for retailers who accept Visa, MasterCard, American Express, and Discover credit cards. d. Set of regulations (that vary from state to state, and country to country) that apply to credit card companies.
b. Set of industry standards required for all online merchants that store, process, or transmit cardholder data.
Which of the following statements about malware is false? a. Technically, malware is a computer program or code that can infect anything attached to the Internet and is able to process the code. b. Setting an e-mail client, such as Microsoft Outlook or Gmail, to allow scripting blocks malware. c. RATS create an unprotected backdoor into a system through which a hacker can remotely control that system. d. The payload carries out the purpose of the malware.
b. Setting an e-mail client, such as Microsoft Outlook or Gmail, to allow scripting blocks malware.
In Cybersecurity terminology, a threat is defined as ________. a. A weakness that threatens the confidentiality, integrity, or availability of data. b. Something or someone that can damage, disrupt, or destroy an asset. c. Estimated cost, loss, or damage that can result from an exploit. d. Tools or techniques that take compromise a network.
b. Something or someone that can damage, disrupt, or destroy an asset.
__________ is the elapsed time between when vulnerability is discovered and when it is exploited and has shrunk from months to __________. a. Time-to-exploitation; days b. Time-to-exploitation; minutes c. Denial of service; days d. Denial of service; seconds
b. Time-to-exploitation; minutes
A stealth network attack in which an unauthorized person gains access to a network and remains undetected for a long time is referred to as a(n) __________ attack. a. registry denial b. advanced persistent threat c. DDOS d. hacktivist
b. advanced persistent threat
Voice and fingerprint _______ can significantly improve the security of physical devices and provide stronger authentication for remote access or cloud services . a. cryptography b. biometrics c. encryption d. visualization
b. biometrics
A(n) ________ attack bombards a network or website with traffic to crash it and leave it vulnerable to other threats. a. advanced persistent threat b. distributed denial-of-service c. malware d. phishing
b. distributed denial-of-service
The principle of ________ acknowledges that the cost of information security needs to be balanced with its benefits. It is the basic cost-benefit principle with which you are familiar. a. accounting b. economic use of resources c. legality d. COBIT
b. economic use of resources
Advanced persistent threat (APT) attackers want to ________. a. create awareness for their causes b. remain unnoticed so they can continue to steal data c. conduct cyberwarfare d. reveal weaknesses in business and government websites and then force them offline.
b. remain unnoticed so they can continue to steal data
According to cybersecurity experts, most data breaches go unreported because corporate victims fear that disclosure would damage their stock price, or because ________. a. they want to hide the attack from the government b. they never knew they were hacked in the first place c. they want to cover up the intrusion d. they do not have to report them.
b. they never knew they were hacked in the first place
IT professionals work hard to protect key characteristics of an asset from security breaches. One of these characteristics is _________, or the property that data is accessible and modifiable when needed by those authorized to do so. a. Integrity b. Confidentiality c. Availability d. Reliability
c. Availability
Access to top secret or highly secure networks associated with Homeland Security or national defense use authentication methods based on a biological feature, such as a fingerprint or retinal scan to identify a person. These methods are called _____________. a. Bio-Engineering b. Physical security c. Biometrics (líffræðilegir...) d. Human factors
c. Biometrics (líffræðilegir...)
When it comes to fraud committed by an organization's employees, the single most effective fraud prevention technique is _______. a. Holding managers responsible for the actions of their employees b. Peer monitoring (employees monitor each other) c. Creating the perception that fraud will be detected and punished d. A clearly written employee policy manual that explains unacceptable behaviors
c. Creating the perception that fraud will be detected and punished
When sending sensitive email, James uses a program that transforms data into unreadable text to protect it from being understood by unauthorized users. James is using ________ to protect his email communications. a. Authentication b. Defense-in-depth c. Encryption d. Hashing
c. Encryption
The objectives of cybersecurity are to accomplish each of the following except _________. a. Make data and documents available and accessible 24/7 while simultaneously restricting access. b. Promote secure and legal sharing of information among authorized persons and partners. c. Ensure compliance with supply chain business partners. d. Detect, diagnose, and respond to incidents and attacks in real time.
c. Ensure compliance with supply chain business partners.
Which of the following is not a characteristic of money laundering and terrorist financing? a. Transnational organized crime groups use money laundering to fund their operations, which creates international and national security threats. b. Cybercrime is safer and easier than selling drugs, dealing in black market diamonds, or robbing banks. c. Funds used to finance terrorist operations are easy to track, which provides evidence to identify and locate leaders of terrorist organizations and cells. d. Online gambling offers easy fronts for international money-laundering operations.
c. Funds used to finance terrorist operations are easy to track, which provides evidence to identify and locate leaders of terrorist organizations and cells.
A defense strategy requires several controls. _________are established to protect the system regardless of the specific application. a. Application controls b. Physical controls c. General controls d. Authentication controls
c. General controls
The IT security defense-in-depth model ends with ________. a. Senior management commitment and support b. IT security procedures and enforcement c. Hardware and software selection d. Acceptable use policies and IT security training
c. Hardware and software selection
Which of the following represents a cybersecurity concern about employees using their own smartphones for work purposes? a. Employees will spend too much time playing games or using entertainment and recreation apps, thus reducing productivity. b. Managers will be unable to monitor the time spent on personal calls made during work hours. c. Many personal smartphones do not have anti-malware or data encryption apps, creating a security problem with respect to any confidential business data stored on the device. d. Consumer-quality equipment are more likely to break or malfunction than enterprise quality devices.
c. Many personal smartphones do not have anti-malware or data encryption apps, creating a security problem with respect to any confidential business data stored on the device.
Attacks ________ could significantly disrupt the functioning of government and business—and trigger cascading effects far beyond the targeted sector and physical location of the incident. a. By hacktivists b. By hackers c. On critical infrastructure d. On industrial control systems
c. On critical infrastructure
The purpose of the ________ is to improve customers' trust in e-commerce, especially when it comes to online payments, and to increase the Web security of online merchants. a. IT governance b. Internal control c. PCI DSS d. FISMA
c. PCI DSS
Most APT attacks are launched through ________. a. Data tampering b. Worms c. Phishing d. Vectors
c. Phishing
________ is the most cost-effective approach to fraud. a. Detection b. Lawsuits c. Prevention (fyrirbyggja, koma í veg fyrir...) d. Prosecution
c. Prevention
In the United States, the Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLB), Federal Information Security Management Act (FISMA), and USA Patriot Act all require businesses to __________________________. a. Report security breaches via media sources to inform the public b. Backup sensitive data to offsite locations c. Protect personally identifiable information d. Inform the public about network failures in a timely manner
c. Protect personally identifiable information
While security threats from e-mail viruses and malware have been declining for years as e-mail security has improved, threats from __________ have increased considerably in recent years. a. Software errors b. Malicious employees c. Social networks and cloud computing d. Vendor sabotage
c. Social networks and cloud computing
The discount retailer Target suffered a hacker attack during the fourth quarter of 2013 (4Q2013) that exposed customer account information. Which of the following was not an impact of Target's hacker attack and data breach? a. 4Q 2013 profit dropped 46% and sales revenue fell 5.3 % after breach was disclosed. b. Gartner estimated the cost of the breach from $400 million to $450 million c. Target faced 2 lawsuits—one related to privacy invasion and one for negligence. d. The incident scared shoppers away, affecting the company's profits throughout 2014.
c. Target faced 2 lawsuits—one related to privacy invasion and one for negligence.
The preferred method of hackers who want to steal trade secrets and other confidential information from business organizations is ___________. a. To bribe employees to get access codes and passwords. b. To bombard websites or networks with so much traffic that they "crash", exposing sensitive data. c. To break into employees' mobile devices and leapfrog into employers' networks—stealing secrets without a trace. d. Use a combination of sophisticated hardware tools designed to defeat IT security defenses.
c. To break into employees' mobile devices and leapfrog into employers' networks—stealing secrets without a trace.
Social networks and cloud computing have increased vulnerabilities in all of the following ways except ________. a. by providing a single point of failure and attack for organized criminal networks b. In Twitter and Facebook, users invite in and build relationships with others. Cybercriminals hack into these trusted relationships using stolen logins. c. Twitter's use of service packs and patches have not been effective. d. These networks and services increase exposure to risk because of the time-to- exploitation of today's sophisticated spyware and mobile viruses
c. Twitter's use of service packs and patches have not been effective.
An audit is an important part of any control system. Which of the following is not a question that would typically be asked as part of an information systems audit? a. Are there sufficient controls in the system? Which areas are not covered by controls? b. Are the controls effective and implemented properly? c. What is the ROI associated with system controls? d. Are there procedures to ensure reporting and corrective actions in case of violations of controls?
c. What is the ROI associated with system controls?
The cybersecurity defense strategy and controls that should be used depend on __________. a. The source of the threat b. Industry regulations regarding protection of sensitive data c. What needs to be protected and the cost-benefit analysis d. The available IT budget
c. What needs to be protected and the cost-benefit analysis
A(n) ________ is a hacker who quietly attempts to breach secure networks looking for trade secrets or proprietary information. a. Hacktivist b. Political criminal c. profit-motivated cybercriminalIndustrial spy d. Identity thief
c. profit-motivated cybercriminalIndustrial spy
Detecting internal fraud has become sophisticated. Audit trails from key systems and personnel records are stored in data warehouses and subjected to __________ where things like excessive hours worked, unusual transactions, copying of huge amounts of data and other unusual patterns of behavior are identified. a. Security audits b. Pattern analysis c. Behavior recognition scans d. Anomaly detection analysis (frávikagreining)
d. Anomaly detection analysis (frávikagreining)
Intrusion Detection Systems (IDS) are designed to monitor network traffic and identify threats that have breached the networks' initial defenses. IDS identify all of the following except: a. An attacker who is trying to break into the credentials of a legitimate user in order to gain access to an IS, device, or network. b. A legitimate user who performs actions he is not authorized to do. c. A user who tries to disguise or cover up his actions by deleting audit files or system logs. d. Employees who use computing or network resources inefficiently.
d. Employees who use computing or network resources inefficiently.
All of the following describe The Sarbanes-Oxley Act except: a. Is an antifraud law b. Forces more accurate business reporting and disclosure of GAAP (generally accepted accounting principles) violations. c. Makes it necessary to find and root out fraud. d. Has been adopted by all countries in North American and the European Union
d. Has been adopted by all countries in North American and the European Union
Cybercrime surveys have reported each of the following trends or findings except ________. a. security incidents increased 33% despite implementation of security practices b. current cybersecurity technologies and policies are simply not keeping pace with fast-evolving threats. c. Many threats and challenges that organizations face today were unimaginable 10 years ago. d. Older threats such as fraud and identity theft have decreased significantly.
d. Older threats such as fraud and identity theft have decreased significantly.
U.S. cybersecurity experts and government officials are increasingly concerned about breaches from __________ into corporate networks, either through mobile devices or by other means. a. Domestic terrorists b. Amateur hackers c. Organized crime syndicates based in the United States d. Other countries
d. Other countries
Which of the following is not a type of administrative control for information assurance and risk management? a. Fostering company loyalty b. Immediately revoking access privileges of dismissed, resigned, or transferred employees c. Instituting separation of duties by dividing sensitive computer duties among as many employees as economically feasible d. Performing authorization and authentication
d. Performing authorization and authentication
________ is also known as human hacking—tricking users into revealing their credentials and then using them to gain access to networks or accounts. a. Android-hacking b. BYOD c. Hacktivism d. Social engineering
d. Social engineering
Almost half of the 2013 breaches occurred in ________, where the largest number of records was exposed—more than 540 million data records or 66 percent. a. Asia b. China c. Europe d. The United States
d. The United States
In Cybersecurity terminology, a risk is defined as ________: a. A weakness that threatens the confidentiality, integrity, or availability of data. b. Something or someone that can damage, disrupt, or destroy an asset. c. Estimated cost, loss, or damage that can result from an exploit. d. The probability of a threat exploiting a vulnerability and the resulting cost.
d. The probability of a threat exploiting a vulnerability and the resulting cost.
In Cybersecurity terminology, an exploit is defined as ________: a. A weakness that threatens the confidentiality, integrity, or availability of data. b. Something or someone that can damage, disrupt, or destroy an asset. c. Estimated cost, loss, or damage that can result from an exploit. d. Tools or techniques that take advantage of a vulnerability.
d. Tools or techniques that take advantage of a vulnerability.
Most information security incidents will occur because of _________. a. Increases in hacker skills and capabilities b. Poorly designed network protection software c. Increasing sophistication of computer viruses and worms d. Users who do not follow secure computing practices and procedures
d. Users who do not follow secure computing practices and procedures
The single-most effective fraud prevention tactic is making employees know that ________. a. fraudsters will be fired b. fraudsters will be forced to repay what they stole plus interest c. fraud could destroy the company and jobs. d. fraud will be detected by IT monitoring systems and punished by the legal system.
d. fraud will be detected by IT monitoring systems and punished by the legal system.
The director of the Federal Trade Commission (FTC) bureau of consumer protection warned that the agency would bring enforcement action against small businesses that ________ a. failed to inform the public about network failures in a timely manner b. failed to transmit sensitive data c. did not report security breaches to law enforcement d. lacked adequate policies and procedures to protect consumer data.
d. lacked adequate policies and procedures to protect consumer data.
Crime can be divided into two categories depending on the tactics used to carry out the crime: ________. a. Fraud and felonies b. Occupational and opportunistic c. Lethal and misdemeanors d. violent and nonviolent
d. violent and nonviolent