ISDS551-Ch5
In cybersecurity terminology, a vulnerability is defined as ________:
A weakness that threatens the confidentiality, integrity, or availability of data.
Detecting internal fraud has become sophisticated. Audit trails from key systems and personnel records are stored in data warehouses and subjected to __________ where things like excessive hours worked, unusual transactions, copying of huge amounts of data and other unusual patterns of behavior are identified.
Anomaly detection analysis
In cybersecurity terms, the function of a password together with a username is to __________ a user's identity to verify that the person has the right to access a computer or network.
Authenticate
IT professionals work hard to protect key characteristics of an asset from security breaches. One of these characteristics is _________, or the property that data is accessible and modifiable when needed by those authorized to do so.
Availability
Access to top secret or highly secure networks associated with Homeland Security or national defense uses authentication methods based on a biological feature, such as a fingerprint or retinal scan, to identify a person. These methods are called _____________.
Biometrics
The _________ is an exercise that determines the impact of losing the support or availability of a resource.
Business impact analysis (BIA)
IT professionals work hard to protect key characteristics of an asset from security breaches. One of these characteristics is ________, or the avoidance of unauthorized disclosure of information or data.
Confidentiality
The three key cybersecurity principles are:
Confidentiality, integrity, availability
When it comes to defending against employee fraud, regulators look favorably on companies that can demonstrate good __________ and best practices in operational risk management.
Corporate governance
When it comes to fraud committed by an organization's employees, the single most effective fraud prevention technique is _______.
Creating the perception that fraud will be detected and punished
Negative consequences of lax cybersecurity that companies tend to face include all of the following except ________.
Criminal charges
____________ is/are defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
Critical infrastructure
Government and corporate officials concerned about security threats do not bring their own cell phones or laptops when traveling overseas. Instead, they bring loaner devices and follow strict security procedures including not connecting to their domestic network while out of the country. These procedures are referred to as _________.
Do-Not-Carry rules
Intrusion Detection Systems (IDS) are designed to monitor network traffic and identify threats that have breached the networks' initial defenses. IDS identify all of the following except:
Employees who use computing or network resources inefficiently.
When sending sensitive email, James uses a program that transforms data into unreadable text to protect it from being understood by unauthorized users. James is using ________ to protect his email communications.
Encryption
The objectives of cybersecurity are to accomplish each of the following except _________.
Ensure compliance with supply chain business partners.
The ability of an IS to continue to operate when a failure occurs, but usually for a limited time or at a reduced level is referred to as __________.
Fault tolerance
Most organizations use software or hardware devices to control access to their private networks from the Internet by analyzing incoming and outgoing data packets. These devices are called ___________.
Firewalls
Which of the following is not a characteristic of money laundering and terrorist financing?
Funds used to finance terrorist operations are easy to track, which provides evidence to identify and locate leaders of terrorist organizations and cells.
A defense strategy requires several controls. _________are established to protect the system regardless of the specific application.
General controls
The main cause of data breaches is ________, which is so successful because of ________ when management does not do enough to defend against cyberthreats.
Hacking; negligence
LulzSec and Anonymous are examples of ________ that have claimed responsibility for high-profile attacks designed to make a political statement, embarrass an organization or government, or to gain publicity.
Hacktivists
One source of cybersecurity threats today is ____________ who breach networks in an attempt to gain media attention or for their cause.
Hacktivists
The IT security defense-in-depth model ends with ________.
Hardware and software selection
All of the following describe The Sarbanes-Oxley Act except:
Has been adopted by all countries in North America and the European Union
________ is the supervision, monitoring, and control of an organization's IT assets.
IT governance
People who have their social security or credit card numbers stolen and used by thieves are frequently victims of ___________________.
Identity theft
___________ is a term referring to a variety of criminal behaviors perpetrated by an organization's own employees or contractors.
Insider or internal fraud
IT professionals work hard to protect key characteristics of an asset from security breaches. One of these characteristics is ____________, or the property that data or files have not been altered in an unauthorized way.
Integrity
__________ are essential to the prevention and detection of occupational fraud.
Internal audits and internal controls
Boeing's Black smartphone is secure because it ________.
Is self-destructing if tampered with.
One of ________ specialties is finding websites with poor security, and then stealing and posting information from them online.
LulzSec's.
Which of the following represents a cybersecurity concern about employees using their own smartphones for work purposes?
Many personal smartphones do not have anti-malware or data encryption apps, creating a security problem with respect to any confidential business data stored on the device.
Cybercrime surveys have reported each of the following trends or findings except ________.
Older threats such as fraud and identity theft have decreased significantly.
Attacks ________ could significantly disrupt the functioning of government and business—and trigger cascading effects far beyond the targeted sector and physical location of the incident.
On critical infrastructure
U.S. cybersecurity experts and government officials are increasingly concerned about breaches from __________ into corporate networks, either through mobile devices or by other means.
Other countries
The purpose of the ________ is to improve customers' trust in e-commerce, especially when it comes to online payments, and to increase the Web security of online merchants.
PCI DSS
Experts believe the three greatest cybersecurity dangers over the next few years will involve all of the following except __________.
POS attacks
When new vulnerabilities are found in operating systems, applications, or wired and wireless networks, vendors of those products release __________ or __________ to fix the vulnerabilities.
Patches; service packs
Which of the following is not a type of administrative control for information assurance and risk management?
Performing authorization and authentication
Internal fraud prevention and detection measures are based on __________ and __________.
Perimeter defense technologies, such as e-mail scanners; human resource procedures, such as recruitment screening
Most APT attacks are launched through ________.
Phishing
Samuel received an email that looked like it came from his bank. The email told him to click a link that opened an official looking Webpage where he was asked to enter his account information. But when Samuel examined the URL, he noticed it was a strange address he did not recognize. Most likely, someone was attempting to steal Samuel's confidential information using a technique called __________.
Phishing
A defense strategy requires several controls. ___________ protect computer facilities and resources such as computers, data centers, software, manuals, and networks.
Physical controls
Sometimes system failures and data or information loss can result from reasons other than an intentional attempt to breach security. Unintentional threats are all of the following except ___________.
Political/civic unrest
________ is the most cost-effective approach to fraud.
Prevention
In the United States, the Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLB), Federal Information Security Management Act (FISMA), and USA Patriot Act all require businesses to _________.
Protect personally identifiable information
Chris is a network manager for a large company. She receives daily updates about various malware and then assesses how to best protect her organization's network from attack. In cybersecurity terminology, she is involved in __________.
Risk management
The internal control environment is the work atmosphere that a company sets for its employees and is designed to achieve all of the following except _________.
Secure decision making
Physical security includes several controls. Which of the following is not a type of physical control?
Security bonds or malfeasance insurance for key employees
The IT security defense-in-depth model starts with ________.
Senior management commitment and support
The Payment Card Industry Data Security Standard (PCI DSS) created by Visa, MasterCard, American Express, and Discover is a __________.
Set of industry standards required for all online merchants that store, process, or transmit cardholder data.
Which of the following statements about malware is false?
Setting an e-mail client, such as Microsoft Outlook or Gmail, to allow scripting blocks malware.
________ is also known as human hacking—tricking users into revealing their credentials and then using them to gain access to networks or accounts.
Social engineering
___________ tactics are used by hackers and corporate spies to trick people into revealing login information or access codes.
Social engineering
While security threats from e-mail viruses and malware have been declining for years as email security has improved, threats from __________ have increased considerably in recent years.
Social networks and cloud computing
In cybersecurity terminology, a threat is defined as ________.
Something or someone that can damage, disrupt, or destroy an asset.
The discount retailer Target suffered a hacker attack during the fourth quarter of 2013 (4Q2013) that exposed customer account information. Which of the following was not an impact of Target's hacker attack and data breach?
Target faced 2 lawsuits—one related to privacy invasion and one for negligence.
Almost half of the 2013 breaches occurred in ________, where the largest number of records was exposed—more than 540 million data records or 66 percent.
The United States
In cybersecurity terminology, a risk is defined as ________:
The probability of a threat exploiting a vulnerability and the resulting cost.
__________ is the elapsed time between when a vulnerability is discovered and when it is exploited, and has shrunk from months to __________.
Time-to-exploitation; minutes
The preferred method of hackers who want to steal trade secrets and other confidential information from business organizations is ___________.
To break into employees' mobile devices and leapfrog into employers' networks—stealing secrets without a trace.
A key finding of the 2014 Global State of Information Security Survey was ________.
Too many companies are defending yesterday—that is, they rely on yesterday's cybersecurity practices that are ineffective at combating today's threats.
In cybersecurity terminology, an exploit is defined as ________:
Tools or techniques that take advantage of a vulnerability.
Social networks and cloud computing have increased vulnerabilities in all of the following ways except ________.
Twitter's use of service packs and patches has not been effective.
Facebook, YouTube, Twitter, LinkedIn, and other social networks are making IT security dangers worse. Why?
Users invite in and build relationships with others. Cybercriminals hack into these trusted relationships using stolen log-in credentials.
Most information security incidents will occur because of _________.
Users who do not follow secure computing practices and procedures
An audit is an important part of any control system. Which of the following is not a question that would typically be asked as part of an information systems audit?
What is the ROI associated with system controls?
The cybersecurity defense strategy and controls that should be used depend on __________.
What needs to be protected and the cost-benefit analysis
A stealth network attack in which an unauthorized person gains access to a network and remains undetected for a long time is referred to as a(n) __________ attack.
advanced persistent threat
Cybersecurity is ___________.
an ongoing unending process
Voice and fingerprint _______ can significantly improve the security of physical devices and provide stronger authentication for remote access or cloud services.
biometrics
Storm worm, which is spread via spam, is a ________ agent embedded inside over 25 million computers. Storm's combined power has been compared to the processing power of ________.
botnet; a supercomputer
A(n) ________ attack bombards a network or website with traffic to crash it and leave it vulnerable to other threats.
distributed denial-of-service
The principle of ________ acknowledges that the cost of information security needs to be balanced with its benefits. It is the basic cost-benefit principle with which you are familiar.
economic use of resources
Business operations are controlled by apps, systems, and networks that are so interconnected that anyone's ________ is an entry point for attacks.
firewall
The single most effective fraud prevention tactic is making sure employees know that ________.
fraud will be detected by IT monitoring systems and punished by the legal system.
The director of the Federal Trade Commission (FTC) Bureau of Consumer Protection warned that the agency would bring enforcement action against small businesses that ________.
lacked adequate policies and procedures to protect consumer data.
A(n) ________ is a hacker who quietly attempts to breach secure networks looking for trade secrets or proprietary information.
profit-motivated cybercriminal; industrial spy
Advanced persistent threat (APT) attackers want to ________.
remain unnoticed so they can continue to steal data
According to cybersecurity experts, most data breaches go unreported because corporate victims fear that disclosure would damage their stock price, or because ________.
they never knew they were hacked in the first place
Crime can be divided into two categories depending on the tactics used to carry out the crime: ________.
violent and nonviolent