Midterm Exam CS207

_____ is simply how often you expect a specific type of attack to occur.

ARO

__________ is a network project that preceded the Internet.

ARPANET

According to NIST SP 800-14's security principles, security should _____.

All of the above

An information system is the entire set of __________, people, procedures, and networks that enable the use of information resources in the organization.

All of the above (hardware, software, data)

The National Information Infrastructure Protection Act of 1996 modified which act?

Computer Fraud and Abuse Act

The _____ is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.

EISP

The _____ attempts to prevent trade secrets from being illegally shared.

Economic Espionage Act

Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications?

Electronic Communications Privacy Act

A business policy is a task performed by an organization or one of its units in support of the organization's overall mission and operations. _____

False

A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. ______

False

A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company will provide for the employee's legal defense.

False

A recovery time objective (RTO) is the total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption.

False

A worm requires that another program is running before it can begin functioning.

False

A(n) alarming event is an event with negative consequences that could threaten the organization's information assets or operations. _____

False

A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the organization when a disaster's scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functions to an alternate location. _____

False

A(n) hardware system is the entire set of people, procedures, and technology that enable business to use information. _______

False

An after-action review is an opportunity for everyone who was involved in planning for an incident or disaster to sit down and discuss what will happen when the plan is implemented.

False

Changes to system logs are a possible indicator of an actual incident.

False

Cost-benefit analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended.

False

Database shadowing duplicates data in real-time data storage, but does not back up the databases at the remote site.

False

Each of the threats faced by an organization must be evaluated, including determining the threat's potential to endanger the organization, which is known as a threat prioritization. _____

False

For policy to become enforceable, it only needs to be distributed, read, understood, and agreed to.

False

Hardware is often the most valuable asset possessed by an organization, and it is the main target of intentional attacks.

False

Media are items of fact collected by an organization and include raw numbers, facts, and words.

False

Once a(n) back door has infected a computer, it can redistribute itself to all e-mail addresses found on the infected system. ______

False

Packet munchkins use automated exploits to engage in distributed denial-of-service attacks. ______

False

Pervasive risk is the amount of risk that remains to an information asset even after the organization has applied its desired level of controls. _____

False

Residual risk is the risk that organizations are willing to accept even after current controls have been applied.

False

Risk analysis is the enumeration and documentation of risks to an organization's information assets. _____

False

Root cause analysis is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting.

False

Systems-specific security policies are organizational policies that provide detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies. _____

False

The Council of Europe Convention on Cybercrime has not been well received by advocates of intellectual property rights because it de-emphasizes prosecution for copyright infringement.

False

The RM policy is a strategic document that formalizes much of the intent of the Infosec group. _____

False

The United States has implemented a version of the DMCA law called the Database Right, in order to comply with Directive 95/46/EC.

False

The possession of information is the quality or state of having value for some purpose or end.

False

The role of the project manager—typically an executive such as a chief information officer (CIO) or the vice president of information technology (VP-IT)—in this effort cannot be overstated. _______

False

The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. ______

False

The total time needed to place the business function back in service must be longer than the maximum tolerable downtime.

False

Unethical and illegal behavior is generally caused by ignorance (of policy and/or the law), by accident, and by inadequate protection mechanisms.

False

When a computer is the subject of an attack, it is the entity being attacked.

False

When electronic information is stolen, the crime is readily apparent.

False

Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. _____

False

You cannot use qualitative measures to rank information asset values.

False

What is the subject of the Computer Security Act of 1987?

Federal agency information security

Which of the following acts is also widely known as the Gramm-Leach-Bliley Act?

Financial Services Modernization Act

Each of the following is a role for the crisis management response team EXCEPT:

Informing local emergency services to respond to the crisis

The Health Insurance Portability and Accountability Act of 1996, also known as the _____ Act, protects the confidentiality and security of health-care data by establishing and enforcing standards and by standardizing electronic data interchange.

Kennedy-Kassebaum

__________ was the first operating system to integrate security as one of its core functions.

MULTICS

__________ has become a widely accepted evaluation standard for training and education related to the security of information systems and is hosted by CNSS.

NSTISSI No. 4011

____ uses a number of hard drives to store information across multiple drive units.

RAID

_____ is a strategy of using multiple types of controls that prevent the failure of one system from compromising the security of information.

Redundancy

The goals of information security governance include all but which of the following?

Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care

The ______ data file contains the hashed representation of the user's password.

SAM

In the 1999 study of computer use-ethics, which of the following countries reported the least tolerant attitudes toward misuse of organizational computing resources?

Singapore

Which of these is the primary reason contingency response teams should not have overlapping membership with one person on multiple teams?

So individuals don't find themselves with different responsibilities in different locations at the same time.

_____often function as standards or procedures to be used when configuring or maintaining systems.

SysSPs

The ______ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network.

TCP

Which of these best defines information security governance?

The application of the principles and practices of corporate governance to the information security function.

A breach of possession may not always result in a breach of confidentiality.

True

A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information.

True

An alert message is a description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process.

True

An e-mail bomb is a form of DoS attack.

True

Disaster classification is the process of examining an adverse event or incident and determining whether it constitutes an actual disaster.

True

Every organization, whether public or private and regardless of size, has information it wants to protect. ______

True

Failure to develop an information security system based on the organization's mission, vision, and culture guarantees the failure of the information security program.

True

Forces of nature, sometimes called acts of God, can present some of the most dangerous threats because they usually occur with very little warning and are beyond the control of people.

True

Hackers are "persons who access systems and information without authorization and often illegally." ______

True

If the acceptance risk treatment strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and may portray an apathetic approach to security in general.

True

Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident.

True

Laws, policies, and their associated penalties only provide deterrence if offenders fear the penalty, expect to be caught, and expect the penalty to be applied if they are caught.

True

Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear the probability of a penalty being applied. _____

True

Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack. _____

True

NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture.

True

Of the two approaches to information security implementation, the top-down approach has a higher probability of success. _______

True

One way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or embarrassment if revealed. _____

True

Since it was established in January 2001, every FBI field office has started an InfraGard program to collaborate with public and private organizations and the academic community.

True

Software code known as a(n) cookie can allow an attacker to track a victim's activity on Web sites. ______

True

Some policies may also need a(n) sunset clause indicating their expiration date. _____

True

Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group.

True

The NSA is responsible for signal intelligence, information assurance products and services, and enabling computer network operations to gain a decision advantage for the United States and its allies.

True

The chain of evidence is the detailed documentation of the collection, storage, transfer, and ownership of evidentiary material from the crime scene through its presentation in court and its eventual disposition.

True

The code of ethics put forth by (ISC)2 focuses on four mandatory canons: "Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession." _____

True

The disaster recovery planning team (DRPT) is the team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recovery from disasters.

True

The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification. _____

True

The roles of information security professionals focus on protecting the organization's information systems and stored information from attacks.

True

To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards.

True

To remain viable, security policies must have a responsible manager, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and revision date. _____

True

When it is necessary to calculate, estimate, or derive values for information assets, you might give consideration to the value incurred from the cost of protecting the information.

True

You can create a single, comprehensive ISSP document covering all information security issues.

True

A subject or object's ability to use, manipulate, modify, or affect another subject or object is known as ___________.

access

A(n) _____ is a document containing contact information for the people to be notified in the event of an incident.

alert roster

Risk _____ is the identification, analysis, and evaluation of risk as initial parts of risk management.

assessment

Most common data backup schemes involve ______.

both a and/or b (RAID; disk-to-disk-to-cloud)

Ideally, the _____, systems administrators, the chief information security officer (CISO), and key IT and business managers should be actively involved during the creation and development of all CP components.

chief information officer (CIO)

______ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data that result in violence against noncombatant targets by subnational groups or clandestine agents.

cyberterrorism

A(n) _____ scheme is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.

data classification

The process of maintaining the confidentiality, integrity, and availability of data managed by a DBMS is known as ______ security.

database

A server would experience a(n) __________ attack when a hacker compromises it to acquire information via a remote location using a network connection.

direct

A short-term interruption in electrical power availability is known as a ____.

fault

An information security _____ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.

framework

Nonmandatory recommendations the employee may use as a reference are known as a _____.

guideline

Which of these is NOT a unique function of information security management?

hardware

In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single number called the __________ value.

hash

As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ______.

hoaxes

In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to _____.

identify and prioritize opportunities for improvement within the context of a continuous and repeatable process

When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting ______.

industrial espionage

Understanding the _____ context means understanding elements that could impact or influence the RM process such as the organization's governance structure (or lack thereof), the organization's internal stakeholders, as well as the organization's culture.

internal

The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any _____ purposes.

marketing

Information about a person's history, background, and attributes that can be used to commit identity theft is known as _____ information.

personally identifiable

The protection of tangible items, objects, or areas from unauthorized access and misuse is known as ___________.

physical security

A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file is known as a(n) ______.

rainbow table
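
The file-hashing and rainbow-table cards above describe the same primitive from two sides: a digest that depends on every bit of the input, and a precomputed digest-to-plaintext table that inverts unsalted password hashes after a password file is stolen. The following added example (not part of the original study set; the wordlist and the stolen password file are constructed sample data, and the table is a plain lookup table rather than a chained rainbow table) shows both, plus the per-user salt that defeats precomputation:

```python
import hashlib
import os


def file_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Hash a file's raw bytes; every bit of input influences the digest."""
    return hashlib.new(algorithm, data).hexdigest()


def build_lookup_table(wordlist, algorithm="sha256"):
    """Precompute digest -> plaintext for each candidate password.

    This is a plain lookup table. A real rainbow table compresses the same
    precomputation with hash/reduce chains, but the attack model is the same:
    pay the hashing cost once, then invert any stolen unsalted hash with a
    dictionary lookup.
    """
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in wordlist}


def crack_unsalted(stolen, table):
    """Map each user to the recovered plaintext, or None if not in the table."""
    return {user: table.get(digest) for user, digest in stolen.items()}


def salted_hash(password: str, salt: bytes, algorithm="sha256") -> str:
    """Hash salt||password; a random per-user salt makes precomputed tables useless.

    (Illustration only: real password storage should use a slow, salted KDF
    such as bcrypt, scrypt or Argon2, not a single fast hash.)
    """
    return hashlib.new(algorithm, salt + password.encode()).hexdigest()


# Constructed sample data (assumed, not from the page): a tiny candidate
# wordlist and a "stolen" password file holding unsalted SHA-256 digests.
SAMPLE_WORDLIST = ["password", "letmein", "Winter2024!", "qwerty"]
STOLEN_UNSALTED = {
    "alice": hashlib.sha256(b"letmein").hexdigest(),               # in the wordlist
    "bob": hashlib.sha256(b"correct horse battery").hexdigest(),   # not in it
}


def run_demo():
    table = build_lookup_table(SAMPLE_WORDLIST)
    cracked = crack_unsalted(STOLEN_UNSALTED, table)

    # Same weak password as alice, but stored with a random 16-byte salt:
    # the precomputed table no longer contains it.
    salt = os.urandom(16)
    salted = salted_hash("letmein", salt)
    return {"cracked": cracked, "salted_in_table": table.get(salted)}


if __name__ == "__main__":
    print(file_hash(b"hello"))   # a one-byte change below gives an unrelated digest
    print(file_hash(b"hellp"))
    print(run_demo())            # alice recovered, bob not, salted hash not found
```

Alice's password falls to the table because her digest was stored unsalted; Bob's survives only because his plaintext was not in the wordlist, and the salted copy of Alice's own password survives because the table was built without the salt. This is why the SAM card matters: the NT hash stored there is an unsalted digest of the password, which is exactly the kind of value precomputed tables target.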

As each information asset is identified, categorized, and classified, a(n) _____ value must be assigned to it.

relative

The first phase of the risk management process is _____.

risk identification

Advance-Fee fraud is an example of a ______ attack.

social engineering

A(n) _____ plan is a plan for the organization's intended efforts over the next several years (long-term).

strategic

Risk _____ is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization's overall risk appetite.

tolerance

Flaws or weaknesses in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security are known as _____.

vulnerabilities

In the TVA worksheet, assets are placed into a matrix with threats and then the exposure of the assets to specific threats is explored by documenting _____.

vulnerabilities

The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect __________ in operating systems security.

vulnerabilities

The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ___________.

information security
