Midterm 2
A sniffer program can reveal data transmitted on a network segment, including passwords, the embedded and attached files—such as word-processing documents—and sensitive data transmitted to or from applications. a. True b. False
a. True
Failure to develop an information security system based on the organization's mission, vision, and culture guarantees the failure of the information security program. a. True b. False
a. True
Forces of nature, sometimes called acts of God, can present some of the most dangerous threats because they usually occur with very little warning and are beyond the control of people. a. True b. False
a. True
Good security programs begin and end with policy. a. True b. False
a. True
Hackers are "persons who access systems and information without authorization and often illegally." a. True b. False
a. True
Much human error or failure can be prevented with effective training and ongoing awareness activities. a. True b. False
a. True
Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely. a. True b. False
a. True
The information security function in an organization safeguards its technology assets. a. True b. False
a. True
With the removal of copyright protection mechanisms, software can be easily and illegally distributed and installed. a. True b. False
a. True
______ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data that result in violence against noncombatant targets by subnational groups or clandestine agents. a. cyberterrorism b. hacking c. cracking d. infoterrorism
a. cyberterrorism
In a ______ attack, the attacker sends a large number of connection or information requests to disrupt a target from a small number of sources. a. denial-of-service b. distributed denial-of-service c. virus d. spam
a. denial-of-service
Nonmandatory recommendations the employee may use as a reference are known as a _____. a. guideline b. practice c. standard d. procedure
a. guideline
Risk _____ is the application of security mechanisms to reduce the risks to an organization's data and information systems. a. treatment b. identification c. avoidance d. assessment
a. treatment
As an organization grows, it must often use more robust technology to replace the security technologies it may have outgrown. a. True b. False
a. True
Each policy should contain procedures and a timetable for periodic review. a. True b. False
a. True
Expert hackers are extremely talented individuals who usually devote lots of time and energy to attempting to break into other people's information systems. a. True b. False
a. True
Managerial controls set the direction and scope of the security process and provide detailed instructions for its conduct. a. True b. False
a. True
To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards. a. True b. False
a. True
A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company will provide for the employee's legal defense. a. True b. False
b. False
The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. a. True b. False
b. False
When electronic information is stolen, the crime is readily apparent. a. True b. False
b. False
_____ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty. a. Loss b. Risk c. Loss frequency d. Loss magnitude
b. Risk
Risk _____ is the identification, analysis, and evaluation of risk as initial parts of risk management. a. management b. assessment c. identification d. control
b. assessment
A long-term interruption (outage) in electrical power availability is known as a(n) ______. a. sag b. blackout c. brownout d. fault
b. blackout
Suppose an act of theft performed by a hacker was accompanied by defacement actions to delay discovery. The first act is obviously in the category of "theft" but the second act is another category—in this case it is a "force of nature." a. True b. False
b. False
The first phase of the risk management process is _____. a. forming the risk management planning team b. risk identification c. risk evaluation d. risk control
b. risk identification
Risk _____ is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization's overall risk appetite. a. baseline b. tolerance c. residual d. benefit
b. tolerance
_____ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. a. Proxy b. Best-effort c. Defense in depth d. Networking
c. Defense in depth
_____ addresses are sometimes called electronic serial numbers or hardware addresses. a. HTTP b. IP c. MAC d. DHCP
c. MAC
Risk _____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. a. acceptance b. residual c. appetite d. benefit
c. appetite
A threat _____ is an evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack. a. investigation b. review c. assessment d. search
c. assessment
Which of these is NOT a unique function of information security management? a. planning b. policy c. hardware d. programs
c. hardware
Advance-Fee fraud is an example of a ______ attack. a. virus b. spam c. social engineering d. worm
c. social engineering
Flaws or weaknesses in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security are known as _____. a. exploits b. events c. vulnerabilities d. threats
c. vulnerabilities
Which of the following functions does information security perform for an organization? a. Protecting the organization's ability to function. b. Enabling the safe operation of applications implemented on the organization's IT systems. c. Protecting the data the organization collects and uses. d. All of the above.
d. All of the above.
Which of the following is NOT one of the categories recommended for categorizing information assets? a. Procedures b. Hardware c. Procedures d. Firmware
d. Firmware
Which of these best defines information security governance? a. The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction. b. The process of defining and specifying the long-term direction (strategy) to be taken by an organization. c. Executive management's responsibility to provide strategic direction, ensure the accomplishment of objectives. d. The application of the principles and practices of corporate governance to the information security function.
d. The application of the principles and practices of corporate governance to the information security function.
The _____ risk treatment strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. a. defense b. transference c. mitigation d. acceptance
d. acceptance
The probability that a specific vulnerability within an organization will be attacked by a threat is known as _____. a. potential b. determinism c. externality d. likelihood
d. likelihood
The _____ risk treatment strategy attempts to shift risk to other assets, other processes, or other organizations. a. defense b. mitigation c. acceptance d. transference
d. transference