COSC 316 Mid-Term

Another name for TCP hijacking is _____. A) man-in-the-middle B) mail bombing C) spoofing D) denial of service

A

____ occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it. A) Information extortion B) Technological extortion C) Insider trading D) Information hording

A

_____ is a respected professional society founded in 1947 as "the world's first educational and scientific computing society."

Association of Computing Machinery

A ____ is an application error that occurs when more data is sent to a program buffer than it is designed to handle. A) buffer underrun B) buffer overrun C) heap overflow D) heap attack

B

Ownership or control of information is called the characteristic of _____. A) confidentiality B) possession C) authenticity D) integrity

B

_____ is created by combining pieces of nonprivate data—often collected during software updates, and via cookies—that when combined may violate privacy. A) Contextual information B) Aggregate information C) Profile data D) Privacy data

B

Common failures in software development:

Buffer overruns Command injection Cross-site scripting (XSS) Failure to handle errors Failure to protect network traffic Failure to store and protect data securely Failure to use cryptographically strong random numbers Format string problems Neglecting change control Improper file access Improper use of SSL Information leakage Integer bugs (overflows/underflows)‏ Race conditions SQL injection Trusting network address resolution Unauthenticated key exchange Use of magic URLs and hidden forms Use of weak password-based systems Poor usability

The law that regulates the role of the health-care industry in protecting the privacy of individuals is the _____. A) GLB B) FOIA C) HIPAA D) CFAA

C

____ hack systems to conduct terrorist activities via network or Internet pathways. A) Cyberhackers B) Electronic terrorists C) Cyberterrorists D) Electronic hackers

C

What do information security project team normally consist of?(Personnel wise)

Champion Team leader Security policy developers Risk assessment specialists Security professionals Systems administrators End users

What is a type of law that represents all of the laws that apply to a citizen (or subject) of a jurisdiction?

Civil Law

What are the 12 categories of threats of information security?

Compromises to intellectual property Deviations in quality of service Espionage or trespass Forces of nature Human error or failure Information extortion Sabotage or vandalism Software attacks Technical hardware failures or errors Technical software failures or errors Technological obsolescence Theft

The characteristic of information that deals with preventing disclosure is ______.

Confidentiality

What does C.I.A. stand for in computer security?

Confidentiality, Integrity, Availability

What is a type of law that addresses violations harmful to society and that is enforced by prosecution by the state?

Criminal Law

Using a known or previously installed access mechanism is called using a _____. A) hidden bomb B) vector C) spoof D) back door

D

____ security addresses the protection of all communications media, technology, and content. A) Information B) Network C) Physical D) Communications

D

When a program tries using all commonly used passwords, this is known as a(n) ______.

Dictionary Attack

The American contribution to an effort to improve copyright protection internationally is called the _____.

Digital Millennium Copyright act

What are the software design principles?

Economy of mechanism Fail-safe defaults Complete mediation Open design Separation of privilege Least privilege Least common mechanism Psychological acceptability

_____ define socially acceptable behaviors.

Ethics

True or False: HTTP is a protocol programmers use to transfer sensitive data, such as credit card numbers and other personal information, between a client and a server.

False

True or False: Network security addresses the issues needed to protect items, objects, or areas.

False

True or False: The Federal Bureau of Investigation (FBI) is the federal agency responsible for signal intelligence and information system security of classified systems.

False

True or False: The National Security Agency (NSA) is responsible for the security of all national critical infrastructure.

False

The law that provides any person with the right to request access to federal agency records is the _____.

Freedom of Information Act of 1966(FOIA)

Who developed the mainframe time-sharing OS in the 1960's?

General Electric(GE), Bell Labs, and Massachusetts Institute of Technology(MIT)

What are the responsibilities of the CISO?

Has primary responsibility for assessment, management, and implementation of IS in the organization Usually reports directly to the CIO

When did computer security begin?

Immediately after the first mainframes were developed.

What was the first operating system created with?

Integrated security into core functions

_____ is a nonprofit organization that focuses on the development and implementation of information security certifications.

International Information Systems Security Certification Consortium, Inc(ISC)

What are the phases of the SDLC Waterfall methodology?

Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance and change

What does a virus do?

It consists of code segments that attach to existing program and take control of access to the targeted computer.

Name some commonplace security principles:

Keep design simple and small Access decisions by permission not exclusion Every access to every object checked for authority Design depends on possession of keys/passwords Protection mechanisms require two keys to unlock Programs/users utilize only necessary privileges Minimize mechanisms common to multiple users Human interface must be easy to use so users routinely/automatically use protection mechanisms.

____ are hackers of limited skill who use expertly written software to attack a system

Kiddies

Who developed the ARPANET?

Larry Roberts

Which SecSDLC phase keeps the security systems in a high state of readiness?

Maintenance and change

What are the types of software attacks?

Malware Virus Worms Trojan horses

What do Trojan horses do?

Malware disguised as helpful, interesting, or necessary pieces of software

Early focus of computer security research centered on what system?

Multiplexed Information and Computing Service

____ security encompasses the protection of voice and data networking components, connections, and content.

Network

What were some problems with the ARPANET?

No safety procedures for dial-up connections to ARPANET Non-existent user identification and authorization to system

What are the layers of security that could possibly be in place at organizations?

Operations Physical infrastructure People Functions Communications Information

____ is "the redirection of legitimate Web traffic to an illegitimate site for the purpose of obtaining private information."

Pharming

Types of attacks using software:

Polymorphic threat Virus and worm hoaxes Back door Denial-of-Service Distributed denial of service Mail bombing Spam Packet sniffer Spoofing Pharming Man-in-the-middle

_____ is a type of law that regulates the relationship between an individual and an organization.

Private Law

What should security be balance between?

Protection and Availability

_____ is a type of law that regulates the structure and administration of government agencies.

Public

What started the study of information security?

Rand Report R-609

A formal approach to solving a problem based on a structured sequence of procedures is called a(n) _____.

SDLC Methodology

____ occurs when developers fail to properly validate user input before using it to query a relational database.

SQL Injection

What did the scope of computer security start with?

Securing the data Limiting random and unauthorized access to data Involving personnel from multiple levels of the organization in information security

What does SecSDLC stand for?

Security System Development life cycle

What are the responsibilities of the CIO?

Senior technology officer Primarily responsible for advising the senior executives on strategic planning

What are the components of an Information System?

Software Hardware Data People Procedures Networks

Name the two watchdog organizations investigate software abuse:

Software & Information Industry Association (SIIA) Business Software Alliance (BSA)‏

What is a SDLC?

System Development life cycle

What year did the Advanced Research Project Agency begin?

The 1960's

In the 2000's this brought millions of unsecured computer networks into continuous communication with each other.

The Internet

What is security?

The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information.

What do worms do?

They replicate themselves until they completely fill available resources such as memory and hard drive space.

True or False: A computer worm consists of segments of code that perform malicious actions.

True

True or False: Cyberterrorism has thus far been largely limited to acts such as the defacement of NATO Web pages during the war in Kosovo.

True

True or False: If information has a state of being genuine or original and is not a fabrication, it has the characteristic of authenticity.

True

True or False: Information security programs that begin at a grassroots level by system administrators to improve security are often called a bottom-up approach.

True

True or False: The Domain Name System (DNS) is a function of the World Wide Web that converts a URL (Uniform Resource Locator) like www.course.com into the IP address of the Web server host.

True

True or False: The cornerstone of many current federal computer-related criminal laws is the Computer Fraud and Abuse Act of 1986.

True

True or False: Warnings of attacks that are not valid are usually called hoaxes.

True

The ______ illustrates that each phase of the SDLC begins with the results and information gained from the previous phase.

Waterfall model

A(n) _____ can result when a programmer does not validate the inputs to a calculation to verify that the integers are of the expected size.

buffer overruns

The generally recognized term for the government protection afforded to intellectual property (written and electronic) is _____.

copyright law

True or False: When a program tries to reverse-calculate passwords, this is known as a brute force spoof.

false

When projects are initiated at the highest levels of an organization and then pushed to all levels, they are said to follow a(n) ____ approach. A) executive led B) trickle down C) top-down D) bottom-up

top-down