CSC 145: chapters 1-6
People with the primary responsibility for administering the systems that house the information used by the organization perform the role of ____. 1) Security policy developers 2) Security professionals 3) System administrators 4) End users
3) System administrators
A technique used to compromise a system is known as a(n) ___________. 1) access method 2) asset 3) exploit 4) risk
3) exploit
An alternative method to economic feasibility
Benchmarking seeks out and studies practices used in other organizations to produce desired results in one's own organization.
__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. 1) Networking 2) Proxy 3) Defense in depth 4) Best-effort
Defense in depth
Attacks conducted by scripts are usually unpredictable. True False
False
Information security can be an absolute True or False?
False
NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture. True False
False
The U.S. Secret Service is currently within the Department of the Treasury. _________________________ True False
False
The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not. True False
False
What is the subject of the Computer Security Act? 1. Federal agency information security 2. Telecommunications common carriers 3. Cryptography software vendors 4. All of the above
Federal agency information security
Three parts of risk management
Risk Identification (documentation of risks), Risk control, and Risk Assesment
Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____. 1) SSL 2) SLA 3) MSL 4) MIN
SLA Service Level Agreement - minimum level of service to expect
A content filter, also known as a reverse firewall, is a network device that allows administrators to restrict access to external content from within a network. True False
True
A number of technical mechanisms—digital watermarks and embedded code, copyright codes, and even the intentional placement of bad sectors on software media—have been used to deter or prevent the theft of software intellectual property. True False
True
A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. True False
True
During the early years of computing, the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage. True or False?
True
In the physical design phase, specific technologies are selected. True False
True
Much human error or failure can be prevented with effective training and ongoing awareness activities. True False
True
Organizations can use dictionaries to regulate password selection during the reset process and thus guard against easy-to-guess passwords. True False
True
Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group. True False
True
To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates. True False
True
You can create a single, comprehensive ISSP document covering all information security issues. True False
True
A type of SDLC in which each phase has results that flow into the next phase is called the __________ model. 1) pitfall 2) SA&D 3) waterfall 4) Method 7
Waterfall
Risk Assestment vs Risk control
assessment =the extent to which info assets are exposed to risk control = the application of controls that reduce risks of info assets (to an acceptable level)
The economic feasibility study determines the costs associated with protecting an asset. The formal documentation process of feasibility is called a __________
cost benefit analysis
__________ firewalls examine every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information. 1. Packet-filtering 2. Application gateway 3. Circuit gateway 4. MAC layer
packet filtering
__________ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse. 1) Physical 2) Personal 3) Object 4) Standard
1) Physical
A computer is the __________ of an attack when it is used to conduct an attack against another computer. 1) subject 2) object 3) target 4) facilitator
1) Subject
When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting __________. 1) industrial espionage 2) competitive intelligence 3) opposition research 4) hostile investigation
1) industrial espionage the practice of spying or of using spies, typically by governments to obtain political and military information.
A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file is known as a(n) __________. 1) rainbow table 2) dictionary 3) crib 4) crack file
1) rainbow table
"4-1-9" fraud is an example of a ____________________ attack. 1) social engineering 2) virus 3) worm 4) spam
1) social engineering Type of advance-fee fraud - named after the section of a Nigerian penal code. Fictional companies - or a long lost relative - posing in order to fool people.
Components of risk identification
1. Plan 2. identify assets 3. classify 4. identify threats 5. specify vulnerabilities of assets
5 strategies of risk control
1. defend 2. transference 3. mitigate 4. accept 5. terminate
__________ law comprises a wide variety of laws that govern a nation or state. 1) Criminal 2) Civil 3) Public 4) Private
2) Civil
An emerging methodology to integrate the effort of the development team and the operations team to improve the functionality and security of applications is known as __________. 1) SDLC 2) DevOps 3) JAD/RAD 4) SecOps
2) DevOps SecOps = using DevOps methods of an integrated development
What is the subject of the Sarbanes-Oxley Act? 1) Banking 2) Financial reporting 3) Privacy 4) Trade secrets
2) Financial reporting
The Computer __________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts. 1) Violence 2) Fraud 3) Theft 4) Usage
2) Fraud
_________ controls address personnel security, physical security, and the protection of production inputs and outputs. 1) Informational 2) Operational 3) Technical 4) Managerial
2) Operational
____ is any technology that aids in gathering information about a person or organization without their knowledge. 1) A bot 2) Spyware 3) A Trojan 4) A worm
2) Spyware
The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect __________ in operating systems security. 1) bugs 2) vulnerabilities 3) malware 4) maintenance hooks
2) Vulnerabilities
A(n) _________ is a document containing contact information for the people to be notified in the event of an incident. 1) emergency notification system 2) alert roster 3) phone list 4) call register
2) alert roster
The __________ design phase of an SDLC methodology is implementation independent, meaning that it contains no reference to specific technologies, vendors, or products. 1) conceptual 2) logical 3) integral 4) physical
2) logical
The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees. 1) intentional 2) external 3) accidental 4) physical
3) accidental SETA = Security Education Training Awareness - reduces security information by employees since it focuses on training
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________. 1) false alarms 2) polymorphisms 3) hoaxes 4) urban legends
3) hoaxes
The protection of tangible items, objects, or areas from unauthorized access and misuse is known as ___________. 1) communications security 2) network security 3) physical security 4) information security
3) physical security
Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. 1) bypass 2) theft 3) trespass 4) security
3) trespass
Which of the following is a valid type of role when it comes to data ownership? 1) Data owners 2) Data custodians 3) Data users 4) All of the above
4) All of the Above
An information system is the entire set of __________, people, procedures, and networks that enable the use of information resources in the organization. 1) software 2) hardware 3) data 4) All of the above
4) All of the above
Redundancy can be implemented at a number of points throughout the security architecture, such as in ________. 1) firewalls 2) proxy servers 3) access controls 4) All of the above
4) All of the above
The __________ attempts to prevent trade secrets from being illegally shared. 1) Electronic Communications Privacy Act 2) Sarbanes-Oxley Act 3) Financial Services Modernization Act 4) Economic Espionage Act
4) Economic Espionage Act EEA = trade secrets
The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ___________. 1) communications security 2) network security 3) physical security 4) information security
4) information security
In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. 1) zombie-in-the-middle 2) sniff-in-the-middle 3) server-in-the-middle 4) man-in-the-middle
4) man-in-the-middle
The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any __________ purposes. 1) troubleshooting 2) billing 3) customer service 4) marketing
4) marketing
Laws, policies, and their associated penalties only deter if which of the following conditions is present? 1. Fear of penalty 2. Probability of being caught 3. Probability of penalty being administered 4. All of the above
4. All of the above
__________ access control is a form of __________ access control in which users are assigned a matrix of authorizations for particular areas of access. 1. lattice-based, discretionary 2. arbor-based, nondiscretionary 3. arbor-based, discretionary 4. lattice-based, nondiscretionary
4. lattice-based, nondiscretionary
According to NIST SP 800-14's security principles, security should ________. 1) support the mission of the organization 2) require a comprehensive and integrated approach 3) be cost-effective 4) All of the above
All of the above
Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications? 1) Electronic Communications Privacy Act 2) Financial Services Modernization Act 3) Sarbanes-Oxley Act 4) Economic Espionage Act
Electronic Communications Privacy Act ECPA = wiretapping act
Ethics are the moral attitudes or customs of a particular group. _________________________ True False
False Cultural Mores Mores - social or cultural norms
The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002. _________________________ True False
False It was created from the Homeland Security act of 2002, in response to 9/11
Task-based controls are associated with the assigned role a user performs in an organization, such as a position or temporary assignment like project manager. True False
False Role-based controls
"Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. _________________________ True False
False Shoulder "Surfing"
Systems-specific security policies are organizational policies that provide detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies. _________________________ True False
False This is an ISSP issue-specific security policy
A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior. True False
False This isn't a standard, it's a information security policy Standard = A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance. If the policy states that employees must "use strong passwords, frequently changed," the standard might specify that the password "must be at least 8 characters, with at least one number, one letter, and one special character."
Which of the following versions of TACACS is still in use? 1. TACACS 2. Extended TACACS 3. TACACS+ 4. All of the above
TACACS+ Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server.
Kerberos __________ provides tickets to clients who request services. 1. KDS 2. TGS 3. AS 4. VPN
TGS Kerberos - An authentication system that uses symmetric key encryption to validate an individual user's access to various network resources by keeping a database containing the private keys of clients and servers that are in the authentication domain it supervises. TGS = ticket gaining service
Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. _________________________ True False
True
The DMZ can be a dedicated port on the firewall device linking a single bastion host. True False
True
A mail bomb is a form of DoS attack. True False
True An attack designed to overwhelm the receiver with excessive quantities of e-mail. spam Undesired e-mail, typically commercial advertising transmitted in bulk.
Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall's database or violations of those rules. True False
True packet-filtering firewall - A networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.
A(n) __________ is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. 1. SVPN 2. VPN 3. SESAME 4. KERBES
VPN
The restrictions most commonly implemented in packet-filtering firewalls are based on __________. 1. IP source and destination address 2. Direction (inbound or outbound) 3. TCP or UDP source and destination port requests 4. All of the above
all of the above
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage __________. 1) with intent 2) by accident 3) with malice 4) with negligence
by accident
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards. 1) de formale 2) de public 3) de jure 4) de facto
de jure de jure = A standard that has been formally evaluated, approved, and ratified by a formal standards organization. Contrast with a de facto standard. de facto standard = A standard that has been widely adopted or accepted by a public group rather than a formal standards organization. Contrast with a de jure standard.
A __________ filtering firewall can react to an emergent event and update or create rules to deal with the event. 1. dynamic 2. static 3. stateful 4. stateless
dynamic
An information security ________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training. 1) plan 2) framework 3) model 4) policy
framework
__________ firewalls are designed to operate at the media access control sublayer of the data link layer of the OSI network model. 1. MAC layer 2. Circuit gateway 3. Application gateway 4. Packet-filtering
mac layer
In 2002, Congress passed the Federal Information Security Management Act (FISMA), which mandates that all federal agencies __________. 1. provide security awareness training 2. periodic assessment of risk 3. develop policies and procedures based on risk assessments 4. All of the above
provide security awareness training
In most common implementation models, the content filter has two components: __________. 1. encryption and decryption 2. filtering and encoding 3. rating and decryption 4. rating and filtering
rating and filtering
The transfer of transaction data in real time to an off-site facility is called ____. 1) off-site storage 2) remote journaling 3) electronic vaulting 4) database shadowing
remote journaling
A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years. 1) standard 2) operational 3) tactical 4) strategic
strategic
Residual risk
the risk that remains after management implements internal controls or some other response to risk
The primary benefit of a VPN that uses _________ is that an intercepted packet reveals nothing about the true destination system. 1. intermediate mode 2. tunnel mode 3. reversion mode 4. transport mode
tunnel mode tunnel mode - entire client packet is encrypted transport mode - while the packet is encrypted, the header information of the packet is not