MIDTERM
A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes __________.
All of the above
Management of classified data includes its storage and _________.
All of the above
Which of the following acts defines and formalizes laws to counter threats from computer-related acts and offenses?
All of the above
The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?
All of these are BIA stages
__________ law comprises a wide variety of laws that govern a nation or state.
Civil
The National Information Infrastructure Protection Act of 1996 modified which act?
Computer Fraud and Abuse Act
A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions.
FALSE
A(n) disaster is any adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. _________________________
FALSE
A(n) hardware system is the entire set of people, procedures, and technology that enable business to use information. _________________________
FALSE
According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to be successful in an engagement.
FALSE
Authentication is a mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system. _________________________
FALSE
Cost-benefit analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended.
FALSE
Discretionary access control is an approach whereby the organization specifies use of resources based on the assignment of data classification schemes to resources and clearance levels to users.
FALSE
E-mail spoofing involves sending an e-mail message with a harmful attachment.
FALSE
Employees are not deterred by the potential loss of certification or professional accreditation resulting from a breach of a code of conduct, because this loss has no effect on employees' marketability and earning power.
FALSE
Internet connections via dial-up lines are regaining popularity due to recent technological developments.
FALSE
Kerberos uses asymmetric key encryption to validate an individual user to various network resources. _________________________
FALSE
One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. _________________________
FALSE
One of the biggest challenges in the use of the trusted computer base (TCB) is the existence of explicit channels. _________________________
FALSE
Operational feasibility is an assessment of whether the organization can acquire the technology necessary to implement and support the proposed control.
FALSE
Pervasive risk is the amount of risk that remains to an information asset even after the organization has applied its desired level of controls. _________________________
FALSE
Port Address Translation assigns non-routing local addresses to computer systems in the local area network and uses ISP-assigned addresses to communicate with the Internet on a one-to-one basis. _________________________
FALSE
Process-based measures are comparisons based on observed numerical data, such as numbers of successful attacks. _________________________
FALSE
Risk acceptance defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. _________________________
FALSE
Risk control is the enumeration and documentation of risks to an organization's information assets. _________________________
FALSE
SecOps focuses on integrating the need for the development team to provide iterative and rapid improvements to system functionality and the need for the operations team to improve security and minimize the disruption from software release cycles. ________________________
FALSE
The Department of Homeland Security is the only U.S. federal agency charged with the protection of American information resources and the investigation of threats to, or attacks on, those resources.
FALSE
The ISSP is a plan which sets out the requirements that must be met by the information security blueprint or framework.
FALSE
The screened subnet protects the DMZ systems and information from outside threats by providing a network with intermediate security, which means the network is less secure than the general-public networks but more secure than the internal network.
FALSE
The security framework is a more detailed version of the security blueprint.
FALSE
The water-ski model is a type of SDLC in which each phase of the process flows from the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
FALSE
Unethical and illegal behavior is generally caused by ignorance (of policy and/or the law), by accident, and by inadequate protection mechanisms.
FALSE
Within a data classification scheme, "comprehensive" means that an information asset should fit in only one category.
FALSE
You cannot use qualitative measures to rank information asset values.
FALSE
direction, scope, and tone for all security efforts. _________________________
FALSE
A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the organization when a disaster's scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functions to an alternate location.
FALSE
The Council of Europe adopted the Convention of Cybercrime in 2001 to oversee a range of security functions associated with __________ activities.
Internet
The service within Kerberos that generates and issues session keys is known as __________.
KDC
________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
Managerial
__________ has become a widely accepted evaluation standard for training and education related to the security of information systems.
NSTISSI No. 4011
_________ controls address personnel security, physical security, and the protection of production inputs and outputs.
Operational
In SESAME, the user is first authenticated to an authentication server and receives a token. The token is then presented to a privilege attribute server as proof of identity to gain a(n) __________.
PAC
__________ and TACACS are systems that authenticate the credentials of users who are trying to access an organization's network via a dial-up connection.
RADIUS
The ____________________ data file contains the hashed representation of the user's password.
SAM
________ often function as standards or procedures to be used when configuring or maintaining systems.
SysSPs
A common DMZ arrangement is a subnet firewall that consists of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network. _________________________
TRUE
A content filter, also known as a reverse firewall, is a network device that allows administrators to restrict access to external content from within a network.
TRUE
A disaster recovery plan shows the organization's intended efforts to restore operations at the original site in the aftermath of a disaster.
TRUE
A mail bomb is a form of DoS attack.
TRUE
A security policy should begin with a clear statement of purpose. _________________________
TRUE
A sniffer program can reveal data transmitted on a network segment, including passwords, the embedded and attached files, such as word-processing documents, and sensitive data transmitted to or from applications.
TRUE
Disaster recovery personnel must know their roles without supporting documentation, which is a function of preparation, training, and rehearsal.
TRUE
Evidence is the physical object or documented information that proves an action occurred or identifies the intent of a perpetrator. _________________________
TRUE
Good security programs begin and end with policy.
TRUE
Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat. _________________________
TRUE
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident.
TRUE
Laws, policies, and their associated penalties only provide deterrence if offenders fear the penalty, expect to be caught, and expect the penalty to be applied if they are caught.
TRUE
Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear the probability of a penalty being applied. _________________________
TRUE
NIST responded to a mandate and created a voluntary Risk Management Framework that provides an effective approach to manage cybersecurity risks. _________________________
TRUE
Of the two approaches to information security implementation, the top-down approach has a higher probability of success. _________________________
TRUE
One way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or embarrassment if revealed. _________________________
TRUE
Organizations can use dictionaries to regulate password selection during the reset process and thus guard against easy-to-guess passwords.
TRUE
Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall's database or violations of those rules.
TRUE
Secure VPNs use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet.
TRUE
Some firewalls can filter packets by protocol name.
TRUE
The Department of Homeland Security works with academic campuses nationally, focusing on resilience, recruitment, internationalization, growing academic maturity, and academic research.
TRUE
The Federal Bureau of Investigation's National InfraGard Program serves its members in four basic ways: maintains an intrusion alert network using encrypted e-mail; maintains a secure Web site for communication about suspicious activity or intrusions; sponsors local chapter activities; and operates a help desk for questions. _________________________
TRUE
The NSA is responsible for signal intelligence, information assurance products and services, and enabling computer network operations to gain a decision advantage for the United States and its allies under all circumstances.
TRUE
The communications networks of the United States carry(ies) more funds than all of the armored cars in the world combined. _________________________
TRUE
The investigation phase of the SDLC involves specification of the objectives, constraints, and
TRUE
The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________
TRUE
The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.
TRUE
The stated purpose of ISO/IEC 27002 is to offer guidelines and voluntary directions for information security management. _________________________
TRUE
The threats-vulnerabilities-assets (TVA) worksheet is a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.
TRUE
The value of information comes from the characteristics it possesses.
TRUE
To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates.
TRUE
When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts.
TRUE
When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?
The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
____________________ are malware programs that hide their true nature and reveal their designed behavior only when activated.
Trojan horses
A(n) __________ is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
VPN
A(n) _________ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
data classification scheme
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.
de jure
The proxy server is often placed in an unsecured area of the network or is placed in the __________ zone.
demilitarized
A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
distributed denial-of-service
Security __________ are the areas of trust within which users can freely communicate.
domains
Some people search trash and recycling bins, a practice known as _________, to retrieve information that could embarrass a company or compromise information security.
dumpster diving
A __________ filtering firewall can react to an emergent event and update or create rules to deal with the event.
dynamic
A short-term interruption in electrical power availability is known as a ____.
fault
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________.
hoaxes
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to __________.
identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures, is known as __________.
mean time between failure (MTBF)
Hackers can be generalized into two skill groups: expert and ____________________.
novice
The __________ is the difference between an organization's observed and desired performance.
performance gap
A _________ assigns a status level to employees to designate the maximum level of classified data they may access.
security clearance scheme
The __________ control strategy attempts to shift risk to other assets, other processes, or other organizations.
transference
Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
trespass
The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect __________ in operating systems security.
vulnerabilities
A type of SDLC in which each phase has results that flow into the next phase is called the __________ model.
waterfall
In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores.
weighted factor analysis