Chapter 8 MIS

war driving.

A practice in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic is referred to as sniffing. drive-by tapping. war driving. snooping. cybervandalism.

application controls.

All of the following are types of information systems general controls except administrative controls. software controls. physical hardware controls. computer operations controls. application controls.

True

As discussed in the chapter opening case, magnetic stripes are an old technology that is vulnerable to counterfeit and theft. True False

symmetric key encryption

In which method of encryption is a single encryption key sent to the receiver so both sender and receiver share the same key? public key encryption symmetric key encryption distributed encryption SSL/TLS private key encryption

it was designed to be easily accessible.

The Internet poses specific security problems because it changes so rapidly. Internet data is not run over secure lines. Internet standards are universal. there is no formal controlling body. it was designed to be easily accessible.

imposes responsibility on companies and management to safeguard the accuracy of financial information.

The Sarbanes-Oxley Act requires financial institutions to ensure the security of customer data. identifies computer abuse as a crime and defines abusive activities. imposes responsibility on companies and management to safeguard the accuracy of financial information. outlines medical security and privacy rules. specifies best practices in information systems security and control.

True

Viruses can be spread through e-mail. True False

WPA2

Which of the following specifications replaces WEP with a stronger security standard that features changing encryption keys? AUP UTM WPA2 VPN TLS

VoIP is more secure than the switched voice network.

Which of the following statements about Internet security is not true? A corporate network without access to the Internet is more secure than one that provides access. Instant messaging can provide hackers access to an otherwise secure network. VoIP is more secure than the switched voice network. The use of P2P networks can expose a corporate computer to outsiders. Smartphones have the same security weaknesses as other Internet devices.

False

Wireless networks are more difficult for hackers to gain access to because radio frequency bands are difficult to scan. True False

True

You can test software before it is even written by conducting a walkthrough. True False

employees

You have been hired as a security consultant for a law firm. Which of the following constitutes the greatest source for network security breaches to the firm? wireless network. employees. software quality. lack of data encryption. authentication procedures.

SSIDs

________ identify the access points in a Wi-Fi network. NICs SSIDs UTMs MAC addresses URLs

"Security"

________ refers to policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. "Security" "Identity management" "Benchmarking" "Algorithms" "Controls"

Intrusion detection systems

________ use scanning software to look for known problems such as bad passwords, the removal of important files, security attacks in progress, and system administration errors. Packet filtering technologies Intrusion detection systems Application proxy filtering technologies Stateful inspections Firewalls

Computer virus

a rogue software program that attaches itself to other software programs or data files to be executed, usually without user knowledge or permission.

Hacking, malware, theft and fraud, vandalism, denial of service

common threats against corporate servers.

Tapping, sniffing, message alteration, theft and fraud, radiation

common threats against communication lines.

Unauthorized access, errors

common threats against the client layer.

War driving

eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic.

Service set identifiers (SSIDs)

identify the access points in a WiFi network.

Malware

include a variety of threats such as computer viruses, worms, and Trojan horses.

Controls

methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its records, and operational adherence to management standards.

SQL injection attacks

take advantage of vulnerabilities in poorly coded web application software to introduce malicious program code into a company's systems and networks.

can use a person's voice as a unique, measurable trait.

Biometric authentication only uses biographical details for identification. is used widely in Europe for security applications. can use a person's voice as a unique, measurable trait. is inexpensive. only uses physical measurements for identification.

False

Biometric authentication is the use of personal, biographic details such as the high school you attended and the first street you lived on to provide identification. True False

unauthorized access.

Client software in a client/server environment is specifically vulnerable to unauthorized access. radiation. vandalism. fraud. DoS attacks.

False

Organizations can use existing network security software to secure mobile devices. True False

Identity theft

________ is a crime in which an imposter obtains key pieces of personal information to impersonate someone else. Spoofing Social engineering Evil twins Identity theft Pharming

True

Authentication refers to verifying that a person is who he or she claims to be. True False

True

In 2013, Panda Security reported approximately 30 million new kinds of malware strains. True False

True

When errors are discovered in software programs, the sources of the errors are found and eliminated through a process called debugging. True False

Hacker

an individual who intends to gain unauthorized access to a computer system.

SSIDs

are broadcast multiple times and can be picked up fairly easily by intruders' sniffer programs.

Worms

independent computer programs that copy themselves from one computer to other computers over a network.

Keyloggers

record every keystroke made on a computer to steal serial numbers for software, to launch Internet attacks, to gain access to e-mail accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit card or bank account numbers.

False

A computer virus replicates more quickly than a computer worm. True False

click fraud.

A salesperson clicks repeatedly on a competitor's online ads in order to drive the competitor's advertising costs up. This is an example of pharming. evil twins. click fraud. spoofing. phishing.

False

An acceptable use policy defines the acceptable level of access to information assets for different users. True False

collecting physical evidence on the computer.

Computer forensics tasks include all of the following except securely storing recovered electronic data. collecting physical evidence on the computer. presenting collected evidence in a court of law. finding significant information in a large volume of electronic data.

SSL, TLS, and S-HTTP.

Currently, the protocols used for secure information transfer over the Internet are S-HTTP and CA. TCP/IP and SSL. S-HTTP and SHTML. SSL, TLS, and S-HTTP. HTTP and TCP/IP.

False

DoS attacks are used to destroy information and access restricted areas of a company's information system. True False

may be accessible by anyone who has access to the same network.

Electronic data are more susceptible to destruction, fraud, error, and misuse because information systems concentrate data in computer files that can be opened with easily available software. are easily decrypted. are unprotected by up-to-date security systems. are rarely validated. may be accessible by anyone who has access to the same network.

bogus wireless network access points that look legitimate to users.

Evil twins are bogus wireless network access points that look legitimate to users. computers that fraudulently access a Web site or network using the IP address and identification of an authorized computer. Trojan horses that appear to the user to be a legitimate commercial software application. fraudulent Web sites that mimic a legitimate business's Web site. e-mail messages that mimic the e-mail messages of a legitimate business.

fault-tolerant computer systems.

For 100-percent availability, online transaction processing requires fault-tolerant computer systems. a digital certificate system. high-capacity storage. a multi-tier server network. dedicated phone lines.

two-factor authentication.

An authentication system in which a user must provide two types of identification, such as a bank card and PIN, is called two-factor authentication. smart card authentication. biometric authentication. symmetric key authorization. token authentication.

True

NAT conceals the IP addresses of the organization's internal host computers to deter sniffer programs. True False

True

One form of spoofing involves forging the return address on an e-mail so that the e-mail message appears to come from someone other than the sender. True False

True

Public key encryption uses two keys. True False

True

Smartphones have the same security flaws as other Internet-connected devices. True False

cybervandalism.

The intentional defacement or destruction of a Web site is called phishing. cyberwarfare. cybervandalism. spoofing. pharming.

e-mail.

The most common type of electronic evidence is instant messages. voice-mail. e-mail. spreadsheets. VoIP data.

False

The term cracker is used to identify a hacker whose specialty is breaking open security systems. True False

DDoS

Using numerous computers to inundate and overwhelm the network from numerous launch points is called a(n) ________ attack. phishing botnet SQL injection DoS DDoS

True

Zero defects cannot be achieved in larger software programs because fully testing programs that contain thousands of choices and millions of paths would require thousands of years. True False

Spyware

small programs that install themselves surreptitiously on computers to monitor user web surfing activity and serve up advertising.

Worms

unlike viruses, can operate on their own without attaching to other computer program files and rely less on human behavior to spread from computer to computer.

is software that appears to be benign but does something other than expected.

A Trojan horse is a type of sniffer used to infiltrate corporate networks. is malware named for a breed of fast-moving Near-Eastern horses. is software that appears to be benign but does something other than expected. installs spyware on users' computers. is a virus that replicates quickly.

uses third-party CAs to validate a user's identity.

A digital certificate system protects a user's identity by substituting a certificate in place of identifiable traits. is used primarily by individuals for personal correspondence. uses third-party CAs to validate a user's identity. uses digital signatures to validate a user's identity. uses tokens to validate a user's identity.

enforce a security policy on data exchanged between its network and the Internet.

A firewall allows the organization to check the accuracy of all transactions between its network and the Internet. create access rules for a network. check the content of all incoming and outgoing e-mail messages. enforce a security policy on data exchanged between its network and the Internet. create an enterprise system on the Internet.

cyberwarfare.

A foreign country attempting to access government networks in order to disable a national power grid would be an example of denial-of-service attacks. cyberwarfare. cyberterrorism. evil twins. phishing.

gadget that displays passcodes.

An authentication token is a(n) electronic marker attached to a digital authorization file. type of smart card. gadget that displays passcodes. device the size of a credit card that contains access permission data.

risk assessment.

Analysis of an information system that rates the likelihood of a security incident occurring and its cost is included in a(n) AUP. security policy. business impact analysis. business continuity plan. risk assessment.

can be classified as input controls, processing controls, and output controls.

Application controls monitor the use of system software and prevent unauthorized access to software and programs. can be classified as input controls, processing controls, and output controls. include software controls, computer operations controls, and implementation controls. govern the design, security, and use of computer programs and the security of data files in general throughout the organization. apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment.

causing other people's computers to become "zombie" PCs following a master computer.

Hackers create a botnet by: infecting corporate servers with "zombie" Trojan horses that allow undetected access through a back door. pharming multiple computers. using Web search bots to infect other computers. causing other people's computers to become "zombie" PCs following a master computer. infecting Web search bots with malware.

They issue patches.

How do software vendors correct flaws in their software after it has been distributed? They issue bug fixes. They don't; users purchase software at their own risk. They release updated versions of the software. They issue patches. They re-release the software.

malware.

In a client/server environment, corporate servers are specifically vulnerable to malware. tapping. sniffing. radiation. unauthorized access.

deep-packet inspection

In controlling network traffic to minimize slow-downs, a technology called ________ is used to examine data files and sort low-priority data from high-priority data. deep-packet inspection stateful inspection application proxy filtering unified threat management high availability computing

vulnerable to many more kinds of threats

Large amounts of data stored in electronic form are ________ than the same data in manual form. prone to more errors. vulnerable to many more kinds of threats. more critical to most businesses. more secure. less vulnerable to damage.

False

Malicious software programs referred to as spyware include a variety of threats such as computer viruses, worms, and Trojan horses. True False

only those viruses already known when the software is written.

Most antivirus software is effective against any virus except those in wireless communications applications. only those viruses already known when the software is written. only those viruses active on the Internet and through e-mail. only viruses that are well-known and typically several years old. any virus.

False

Packet filtering catches most types of network attacks. True False

MSSPs.

Smaller firms may outsource some or many security functions to ISPs. PKIs. MISs. MSSPs. CAs.

False

Smartphones typically feature state-of-the-art encryption and security features, making them highly secure tools for businesses. True False

True

Sniffers enable hackers to steal proprietary information from anywhere on a network, including e-mail messages, company files, and confidential reports. True False

they allow users to post software code.

Social networking sites have become a new conduit for malware because they are especially vulnerable to social engineering. they allow users to post software code. they are used by so many people. they allow users to post media and image files. they have poor user authentication.

security policy.

Statements ranking information risks and identifying security goals are included in a(n) AUP. risk assessment. business continuity plan. security policy. business impact analysis.

requires financial institutions to ensure the security of customer data.

The Gramm-Leach-Bliley Act identifies computer abuse as a crime and defines abusive activities. outlines medical security and privacy rules. imposes responsibility on companies and management to safeguard the accuracy of financial information. requires financial institutions to ensure the security of customer data. specifies best practices in information systems security and control.

outlines medical security and privacy rules.

The HIPAA Act of 1996 requires financial institutions to ensure the security of customer data. identifies computer abuse as a crime and defines abusive activities. outlines medical security and privacy rules. specifies best practices in information systems security and control. imposes responsibility on companies and management to safeguard the accuracy of financial information.

tapping.

The communications lines in a client/server environment are specifically vulnerable to malware. vandalism. tapping. errors. software failure.

True

The dispersed nature of cloud computing makes it difficult to track unauthorized access. True False

social engineering.

Tricking employees to reveal their passwords by pretending to be a legitimate member of a company is called pharming. phishing. sniffing. snooping. social engineering.

a file deleted from a hard disk

Which of the following is a type of ambient data? a set of raw data from an environmental sensor. data that has been recorded over. a file deleted from a hard disk. a file that contains an application's user settings. computer log containing recent system errors.

Conficker

Which of the following is a virus that uses flaws in Windows software to take over a computer remotely? Sasser ILOVEYOU Conficker Melissa Zeus Trojan

illegally accessing stored electronic communication

Which of the following is not an example of a computer used as a target of crime? illegally accessing stored electronic communication. knowingly accessing a protected computer to commit fraud. accessing a computer system without authority. threatening to cause damage to a protected computer. breaching the confidentiality of protected computerized data.

breaching the confidentiality of protected computerized data

Which of the following is not an example of a computer used as an instrument of crime? theft of trade secrets. unauthorized copying of software. schemes to defraud. intentionally attempting to intercept electronic communication. breaching the confidentiality of protected computerized data.

$1,250

Your company, an online discount stationer, has calculated that a loss of Internet connectivity for 3 hours results in a potential loss of $2,000 to $3,000 and that there is a 50% chance of this occurring each year. What is the annual expected loss from this exposure? $1,500 $500 $2,500 $1,000 $1,250

Data security

________ controls ensure that valuable business data files on either disk or tape are not subject to unauthorized access, change, or destruction while they are in use or in storage. Input Administrative Software Data security Implementation

Ransomware

________ is malware that hijacks a user's computer and demands payment in return for giving back access. Ransomware Spyware A Trojan horse A virus An evil twin

A keylogger

________ is malware that logs and transmits everything a user types. A sniffer A keylogger A Trojan horse A worm Spyware

"Controls"

________ refers to all of the methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards. "SSID standards" "Controls" "Vulnerabilities" "Security policy" "Legacy systems"

Trojan horse

a software program that appears to be benign but then does something other than expected.

Theft of data, copying data, alteration of data, hardware failure, software failure

common threats against corporate systems.

Drive-by downloads

consist of malware that comes with a downloaded file that a user intentionally or unintentionally requests.

Security

the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Ransomware

tries to extort money from users by taking control of their computers or displaying annoying pop-up messages.

UTM

Comprehensive security management products, with tools for firewalls, VPNs, intrusion detection systems, and more, are called ________ systems. NSP PKI MSSP DPI UTM

redirecting users to a fraudulent Web site even when the user has typed in the correct address in the Web browser.

Pharming involves redirecting users to a fraudulent Web site even when the user has typed in the correct address in the Web browser. using e-mails for threats or harassment. setting up fake Wi-Fi access points that look as if they are legitimate public networks. pretending to be a legitimate business's representative in order to garner information about a security system. setting up fake Web sites to ask users for confidential information.

may hinder employee productivity.

Rigorous password systems are often disregarded by employees. are one of the most effective security tools. are costly to implement. may hinder employee productivity.

True

SSL is a protocol used to establish a secure connection between two computers. True False
