cybersecurity midterm


Which of the following is NOT one of the categories recommended for categorizing information assets?

procedures

In the 1999 study of computer use-ethics, which of the following countries reported the least tolerant attitudes toward misuse of organizational computing resources?

singapore

A detailed statement of what must be done to comply with management intent is known as a _____.

standard

A(n) _____ plan is a plan for the organization's intended efforts over the next several years (long-term).

strategic

A computer is the __________ of an attack when it is used to conduct an attack against another computer.

subject

An e-mail bomb is a form of DoS attack.

true

The Economic Espionage Act of 1996 protects American ingenuity, intellectual property, and competitive advantage. _____

true

Most common data backup schemes involve ______. a) RAID b) disk-to-disk-to-cloud c) neither a nor b d) both a and/or b

A and B

A recovery time objective (RTO) is the total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption.

false

The SETA program is a control measure designed to reduce the instances of _____ security breaches by employees.

ACCIDENTAL

Risk _____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

APPETITE

_____ is simply how often you expect a specific type of attack to occur.

ARO

__________ is a network project that preceded the Internet.

ARPANET

The goals of information security governance include all but which of the following? a) Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved b) Strategic alignment of information security with business strategy to support organizational objectives c) Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care d) Risk management by executing appropriate measures to manage and mitigate threats to information resources

C

Which of these is not one of the general categories of security policy?

Category-specific policy (CSP)

Which of the following acts defines and formalizes laws to counter threats from computer-related acts and offenses?

Computer Fraud and Abuse Act of 1986

Which of these best defines information security governance? a) The process of defining and specifying the long-term direction (strategy) to be taken by an organization. b) Executive management's responsibility to provide strategic direction, ensure the accomplishment of objectives. c) The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction. d) The application of the principles and practices of corporate governance to the information security function.

D

Payment Card Industry _____ Standards are designed to enhance the security of customers' payment card account data.

DATA SECURITY

In a ______ attack, the attacker sends a large number of connection or information requests to disrupt a target from a small number of sources.

DENIAL OF SERVICE

_____ is the rapid determination of the scope of the breach in the confidentiality, integrity, and availability of information and information assets during or just following an incident.

Damage assessment

The _____ is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.

EISP

The _____ attempts to prevent trade secrets from being illegally shared.

Economic Espionage Act

The RM policy is a strategic document that formalizes much of the intent of the Infosec group. _____

FALSE

"Know the enemy" means identifying, examining, and understanding the competition facing the organization. _____

FALSE

"Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. ______

FALSE

A business influence analysis (BIA) is an investigation and assessment of adverse events that can affect the organization.

FALSE

A champion is a project manager, who may be a departmental line manager or staff unit manager, and has expertise in project management and information security technical requirements.

FALSE

A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.

FALSE

A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on them.

FALSE

A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior.

FALSE

A worm requires that another program is running before it can begin functioning.

FALSE

A(n) alarming event is an event with negative consequences that could threaten the organization's information assets or operations._____

FALSE

ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly.

FALSE

Every member of the organization's InfoSec department must have a formal degree or certification in information security.

FALSE

In 2016, NIST published a new Federal Master Cybersecurity Framework to create a mandatory framework for managing cybersecurity risk for the delivery of critical infrastructure services at every organization in the United States, based on vendor-specific technologies.

FALSE

Media are items of fact collected by an organization and include raw numbers, facts, and words.

FALSE

Much of the early research on computer security centered on a system called Management Information and Computing Service (MULTICS). _______

FALSE

One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. ______

FALSE

Procedures are planned for each identified incident scenario with incident handling procedures established for before and during the incident.

FALSE

Risk acceptance defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. _____

FALSE

Risk control, also known as risk treatment, is the application of controls that reduce the risks to an organization's information assets to an acceptable level.

FALSE

Risk mitigation is the risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards, but it is not the preferred approach to controlling risk.

FALSE

The Graham-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. _____

FALSE

The complete details of ISO/IEC 27002 are widely available to everyone.

FALSE

The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799.

FALSE

The role of the project manager—typically an executive such as a chief information officer (CIO) or the vice president of information technology (VP-IT)—in this effort cannot be overstated. _______

FALSE

The security framework is a more detailed version of the security blueprint.

FALSE

Two ways to activate an alert roster are simultaneously and in parallel.

FALSE

When a computer is the subject of an attack, it is the entity being attacked.

FALSE

When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. ______

FALSE

Within data classification schemes, it is important that all categories used be unique and mutually exclusive. _____

FALSE

A short-term interruption in electrical power availability is known as a ____.

FAULT

A(n) _____ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.

FCO

A(n) sequential roster is activated as the first person calls a few people on the roster, who in turn call a few other people. _____

False

The computer security incident response team is composed solely of technical IT professionals who are prepared to detect, react to, and recover from an incident.

False

What is the subject of the Sarbanes-Oxley Act?

Financial reporting

As frustrating as viruses and worms are, perhaps more time and money are spent on resolving virus ______.

HOAXES

_____ is a professional association that focuses on auditing, control, and security. The membership comprises both technical and managerial professionals.

ISACA

_____ addresses are sometimes called electronic serial numbers or hardware addresses.

MAC

The stated purpose of ISO/IEC 27002:2013 is to give guidelines for organizational information security standards and information security

MANAGEMENT

The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption is _____.

MAXIMUM TOLERABLE DOWNTIME (MTD)

__________ was the first operating system to integrate security as one of its core functions.

MULTICS

_____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.

Managerial

__________ has become a widely accepted evaluation standard for training and education related to the security of information systems and is hosted by CNSS.

NSTISSI No. 4011

The EISP component of _____ provides information on the importance of information security in the organization and the legal and ethical obligation to protect critical information about customers, employees, and markets.

Need for Information Security

Individuals who control, and are therefore ultimately responsible for, the security and use of a particular set of information are known as data __________.

OWNERS

The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the _____ side of the organization.

PEOPLE

_____ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.

Public

A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file is known as a(n) ______.

RAINBOW TABLE

_____ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty.

RISK

The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources is ____.

Recovery Time Objective (RTO)

A ____ is an agency that provides physical facilities in the event of a disaster for a fee.

SERVICE BUREAU

The ______ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network.

TCP

Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems, often referred to as the bottom-up approach. _______

TRUE

NIST responded to a mandate and created a voluntary Risk Management Framework that provides an effective approach to manage cybersecurity risks. _____

TRUE

Organizations can use dictionaries to regulate password selection during the reset process and thus guard against easy-to-guess passwords.

TRUE

Prior to the development of each of the types of contingency planning documents, the CP team should work to develop the policy environment. _____

TRUE

Technical controls are the tactical and technical implementations of security in the organization. _____

TRUE

The Digital Millennium Copyright Act is the American law created in response to Directive 95/46/EC, adopted in 1995 by the European Union. _____

TRUE

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, protects the confidentiality and security of healthcare data. _____

TRUE

The ISO/IEC 27000 series is derived from an earlier standard, BS7799.

TRUE

The roles of information security professionals focus on protecting the organization's information systems and stored information from attacks.

TRUE

When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts.

TRUE

When unauthorized individuals or systems can view information, confidentiality is breached. _______

TRUE

The threats-vulnerabilities-assets (TVA) worksheet is a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.

TRUE

Individuals who are assigned the task of managing a particular set of information and coordinating its protection, storage, and use are known as data __________.

TRUSTEES

What is the subject of the Computer Security Act of 1987?

Telecommunications

The continuity planning management team (CPMT) is the group of senior managers and project members organized to conduct and lead all contingency planning efforts.

False

When ISO 17799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems? a) The standard lacked the measurement precision associated with a technical standard. b) It was not as complete as other frameworks. c) The standard was hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls. d) The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.

The standard was hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls.

A business process is a task performed by an organization or one of its units in support of the organization's overall mission and operations.

True

A(n) capability table specifies which subjects and objects users or groups can access. _____

True

The stated purpose of ISO/IEC 27002 is to offer guidelines and voluntary directions for information security management. _____

True

The work recovery time (WRT) is the amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered.

True

Risk _____ is the identification, analysis, and evaluation of risk as initial parts of risk management.

assessment

The most common schedule for tape-based backup is a _____ backup, either incremental or differential, with a weekly off-site full backup.

daily on site

The process of maintaining the confidentiality, integrity, and availability of data managed by a DBMS is known as ______ security.

database

The transfer of transaction data in real time to an off-site facility is called ____.

database shadowing

Standards may be published, scrutinized, and ratified by a group, as in formal or _____ standards.

de jure

The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____.

electronic vaulting

A data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict when people who can access it.

false

Crisis response is an organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster.

false

In a study on software license infringement, licenses from the United States were significantly more permissive than those from the Netherlands and other countries. _____

false

Information security can be an absolute.

false

Media assets are the focus of information security and are the information that has value to the organization, as well as the systems that store, process, and transmit the information. ______

false

Systems-specific security policies are organizational policies that provide detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies. _____

false

The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. ______

false

The history of information security begins with the concept of communications security. ______

false

The macro virus infects the key operating system files located in a computer's start-up sector. ______

false

Use of dormant accounts is a probable indicator of an actual incident.

false

An information security _____ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.

framework

Nonmandatory recommendations the employee may use as a reference is known as a _____.

guideline

In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to _____. a) assess progress toward a recommended target state b) identify and prioritize opportunities for improvement within the context of a continuous and repeatable process c) communicate among local, state, and national agencies about cybersecurity risk d) None of these

identify and prioritize opportunities for improvement within the context of a continuous and repeatable process

When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting ______.

industrial espionage

Understanding the _____ context means understanding elements that could impact or influence the RM process such as the organization's governance structure (or lack thereof), the organization's internal stakeholders, as well as the organization's culture.

internal

The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures, is known as ______.

mean time between failure (MTBF)

A potential disadvantage of a timeshare site-resumption strategy is:

more than one organization might need the facility

_____ controls address personnel security, physical security, and the protection of production inputs and outputs.

operational

The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information is known as ______.

pharming

Which of the following was not an identified fundamental problem with ARPANET security?

phone numbers for access were closely held and distributed on a need-to-know basis

As each information asset is identified, categorized, and classified, a(n) _____ value must be assigned to it.

relative

The actions taken by management to specify the intermediate goals and objectives of the organization are _____.

tactical planning

Confidentiality ensures that only those with the rights and privileges to access information are able to do so. _______

true

Good security programs begin and end with policy.

true

Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat. _______

true

NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture.

true

One way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or embarrassment if revealed. _____

true

Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group.

true

The code of ethics put forth by (ISC)2 focuses on four mandatory canons: "Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession." _____

true

The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect __________ in operating systems security.

vulnerabilities

In a _____, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores.

weighted table analysis

The average amount of time until the next hardware failure is known as ______.

mean time to failure (MTTF)

Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) longer than ______ characters in Internet Explorer 4.0, the browser will crash.

256

The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) _____.

CBA

The ______ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.

CISO

Security _____ are the areas of trust within which users can freely communicate.

DOMAINS

Root cause analysis is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting.

FALSE

The Computer Security Act of 1987, the cornerstone of many computer-related federal laws and enforcement efforts, was originally written as an extension and clarification of the Comprehensive Crime Control Act of 1984.

FALSE

The Council of Europe Convention on Cybercrime has not been well received by advocates of intellectual property rights because it de-emphasizes prosecution for copyright infringement.

FALSE

Each of the threats faced by an organization must be evaluated, including determining the threat's potential to endanger the organization, which is known as a threat prioritization. _____

False

In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack; the SLE is the product of the asset's value and the annualized loss expectancy.

False

In the context of information security, confidentiality is the right of individuals or groups to protect themselves and their information from unauthorized access.

False

The community of interest made up of IT managers and skilled professionals in systems design, programming, networks, and other related disciplines is called ______.

Information Technology Management and Professionals

Each of the following is a role for the crisis management response team EXCEPT: a) Communicating with major customers and other stakeholders b) Keeping the public informed about the event c) Informing local emergency services to respond to the crisis d) Supporting personnel and their loved ones during the crisis

Informing local emergency services to respond to the crisis

In 2001, the Council of Europe drafted the European Council Cybercrime Convention, which empowers an international task force to oversee a range of security functions associated with _____ activities.

Internet

Managerial controls set the direction and scope of the security process and provide detailed instructions for its conduct.

True

______ are compromised systems that are directed remotely (usually by a transmitted command) by the attacker to participate in an attack.

Zombies

a) provide security awareness training b) periodic assessment of risk c) develop policies and procedures based on risk assessments d) all of the other answers are correct

all of the other answers are correct

A long-term interruption (outage) in electrical power availability is known as a(n) ______.

blackout

A ____ site provides only rudimentary services and facilities.

cold

An organization aggregates all local backups to a central repository and then backs up that repository to an online vendor with a ____ backup strategy.

disk-to-disk-to-cloud

DoS attacks cannot be launched against routers.

false

Which of the following acts is also widely known as the Gramm-Leach-Bliley Act?

financial services modernization act

Risk _____ is the application of security mechanisms to reduce the risks to an organization's data and information systems.

TREATMENT

A security policy should begin with a clear statement of purpose. _____

TRUE

As an organization grows, it must often use more robust technology to replace the security technologies it may have outgrown.

TRUE

Ethics are the moral attitudes or customs of a particular group. _____

TRUE

Exposure factor is the expected percentage of loss that would occur from a particular attack. _____

TRUE

In addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization.

TRUE

Which of these is the primary reason contingency response teams should not have overlapping membership with one person on multiple teams?

So individuals don't find themselves with different responsibilities in different locations at the same time.
