COSC 316 Mid-Term
Another name for TCP hijacking is _____. A) man-in-the-middle B) mail bombing C) spoofing D) denial of service
A
____ occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it. A) Information extortion B) Technological extortion C) Insider trading D) Information hording
A
_____ is a respected professional society founded in 1947 as "the world's first educational and scientific computing society."
Association for Computing Machinery (ACM)
A ____ is an application error that occurs when more data is sent to a program buffer than it is designed to handle. A) buffer underrun B) buffer overrun C) heap overflow D) heap attack
B
Ownership or control of information is called the characteristic of _____. A) confidentiality B) possession C) authenticity D) integrity
B
_____ is created by combining pieces of nonprivate data—often collected during software updates, and via cookies—that when combined may violate privacy. A) Contextual information B) Aggregate information C) Profile data D) Privacy data
B
Common failures in software development:
Buffer overruns, Command injection, Cross-site scripting (XSS), Failure to handle errors, Failure to protect network traffic, Failure to store and protect data securely, Failure to use cryptographically strong random numbers, Format string problems, Neglecting change control, Improper file access, Improper use of SSL, Information leakage, Integer bugs (overflows/underflows), Race conditions, SQL injection, Trusting network address resolution, Unauthenticated key exchange, Use of magic URLs and hidden forms, Use of weak password-based systems, Poor usability
The law that regulates the role of the health-care industry in protecting the privacy of individuals is the _____. A) GLB B) FOIA C) HIPAA D) CFAA
C
____ hack systems to conduct terrorist activities via network or Internet pathways. A) Cyberhackers B) Electronic terrorists C) Cyberterrorists D) Electronic hackers
C
What does an information security project team normally consist of (personnel-wise)?
Champion, Team leader, Security policy developers, Risk assessment specialists, Security professionals, Systems administrators, End users
What type of law represents all of the laws that apply to a citizen (or subject) of a jurisdiction?
Civil Law
What are the 12 categories of threats to information security?
Compromises to intellectual property, Deviations in quality of service, Espionage or trespass, Forces of nature, Human error or failure, Information extortion, Sabotage or vandalism, Software attacks, Technical hardware failures or errors, Technical software failures or errors, Technological obsolescence, Theft
The characteristic of information that deals with preventing disclosure is ______.
Confidentiality
What does C.I.A. stand for in computer security?
Confidentiality, Integrity, Availability
What is a type of law that addresses violations harmful to society and that is enforced by prosecution by the state?
Criminal Law
Using a known or previously installed access mechanism is called using a _____. A) hidden bomb B) vector C) spoof D) back door
D
____ security addresses the protection of all communications media, technology, and content. A) Information B) Network C) Physical D) Communications
D
When a program tries every commonly used password against an account, this is known as a(n) ______.
Dictionary Attack
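An added example of the dictionary attack defined above, written for these notes rather than taken from the course text. It assumes the attacker holds a stolen password hash (unsalted or salted SHA-256, a simplification of real credential stores) and a constructed six-entry wordlist standing in for a real list of millions of leaked passwords. It also shows why a per-user salt defeats a table of precomputed hashes.

```python
import hashlib

# Constructed wordlist: a few commonly used passwords. A real attack would
# load millions of entries from a leaked-password list instead.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "hunter2"]


def sha256_hex(password: str, salt: bytes = b"") -> str:
    """Unsalted (salt=b"") or salted SHA-256 of a password, hex encoded."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def stolen_hash(password: str, salt: bytes = b"") -> str:
    """Stand-in for a hash recovered from a compromised credential store
    (assumption: the store used plain or salted SHA-256)."""
    return sha256_hex(password, salt)


def dictionary_attack(target_hash: str, wordlist, salt: bytes = b""):
    """Hash every candidate in the wordlist (with the victim's salt, if any)
    and compare it with the target. Returns the password or None."""
    for candidate in wordlist:
        if sha256_hex(candidate, salt) == target_hash:
            return candidate
    return None


def precompute_table(wordlist) -> dict:
    """Hash the wordlist once so that many stolen hashes can each be looked
    up in O(1). This only works when the hashes are unsalted."""
    return {sha256_hex(word): word for word in wordlist}


def table_lookup(table: dict, target_hash: str):
    """Look a stolen hash up in the precomputed table."""
    return table.get(target_hash)


if __name__ == "__main__":
    print(dictionary_attack(stolen_hash("hunter2"), WORDLIST))      # hunter2
    print(dictionary_attack(stolen_hash("Tr0ub4dor&3"), WORDLIST))  # None
    table = precompute_table(WORDLIST)
    print(table_lookup(table, stolen_hash("qwerty")))               # qwerty
    print(table_lookup(table, stolen_hash("qwerty", b"salt")))      # None
```

The attack only succeeds when the password is in the list, which is why it is cheap against common passwords and useless against a long random one. On the defending side, a unique salt per user forces the attacker to redo the whole wordlist for every hash, and a deliberately slow password hash (bcrypt, scrypt, Argon2) makes each of those guesses expensive; rate limiting and lockout are the equivalent controls for online guessing against a login form.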
The American contribution to an effort to improve copyright protection internationally is called the _____.
Digital Millennium Copyright Act (DMCA)
What are the software design principles?
Economy of mechanism, Fail-safe defaults, Complete mediation, Open design, Separation of privilege, Least privilege, Least common mechanism, Psychological acceptability
_____ define socially acceptable behaviors.
Ethics
True or False: HTTP is a protocol programmers use to transfer sensitive data, such as credit card numbers and other personal information, between a client and a server.
False (sensitive data should be sent over HTTPS, not plain HTTP)
True or False: Network security addresses the issues needed to protect items, objects, or areas.
False
True or False: The Federal Bureau of Investigation (FBI) is the federal agency responsible for signal intelligence and information system security of classified systems.
False (that is the NSA)
True or False: The National Security Agency (NSA) is responsible for the security of all national critical infrastructure.
False (that is the Department of Homeland Security)
The law that provides any person with the right to request access to federal agency records is the _____.
Freedom of Information Act of 1966 (FOIA)
Who developed the mainframe time-sharing OS in the 1960's?
General Electric(GE), Bell Labs, and Massachusetts Institute of Technology(MIT)
What are the responsibilities of the CISO?
Has primary responsibility for the assessment, management, and implementation of information security in the organization; usually reports directly to the CIO
When did computer security begin?
Immediately after the first mainframes were developed.
What was distinctive about the first operating system (Multics)?
It was created with security integrated into its core functions
_____ is a nonprofit organization that focuses on the development and implementation of information security certifications.
International Information Systems Security Certification Consortium, Inc. ((ISC)²)
What are the phases of the SDLC Waterfall methodology?
Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance and change
What does a virus do?
It consists of code segments that attach to an existing program and take control of that program's access to the targeted computer.
Name some commonplace security principles:
Keep the design simple and small (economy of mechanism); base access decisions on permission, not exclusion (fail-safe defaults); check every access to every object for authority (complete mediation); do not let protection depend on secrecy of the design, only on possession of keys/passwords (open design); require two keys to unlock a protection mechanism (separation of privilege); have programs/users use only the privileges they need (least privilege); minimize mechanisms shared by multiple users (least common mechanism); make the human interface easy enough that users routinely/automatically use the protection mechanisms (psychological acceptability).
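An added example illustrating three of the principles listed above (fail-safe defaults, complete mediation, least privilege); it is written for these notes and is not code from the course text. The policy table, the subject and object names, and the `Resource` class are all constructed for the illustration. The contrast it shows is between an access check that grants only what is explicitly permitted and one that merely excludes known-bad requests, which silently fails open for anything the policy author did not anticipate.

```python
# Constructed policy: explicit (subject, object, action) grants. Anything not
# listed is denied, which is what "permission, not exclusion" means.
ALLOW = {
    ("alice", "payroll.db", "read"),
    ("alice", "payroll.db", "write"),
    ("bob", "payroll.db", "read"),     # bob gets only what his job needs
}


def check_by_permission(subject: str, obj: str, action: str) -> bool:
    """Fail-safe default: deny unless an explicit grant exists."""
    return (subject, obj, action) in ALLOW


# The exclusion-based alternative: a deny list of known-bad requests.
# Anything not on the list is allowed, so an unanticipated subject, object
# or action (a new user, a "delete" action) is accessible by default.
DENY = {("bob", "payroll.db", "write")}


def check_by_exclusion(subject: str, obj: str, action: str) -> bool:
    """Fails open: only requests the author thought of are refused."""
    return (subject, obj, action) not in DENY


class Resource:
    """A protected object. Every read and write passes through the monitor
    (complete mediation); there is no cached 'already checked' shortcut."""

    def __init__(self, name: str, content: str):
        self.name = name
        self._content = content
        self.audit = []  # (subject, action, allowed) for every decision

    def _mediate(self, subject: str, action: str) -> None:
        allowed = check_by_permission(subject, self.name, action)
        self.audit.append((subject, action, allowed))
        if not allowed:
            raise PermissionError(f"{subject} may not {action} {self.name}")

    def read(self, subject: str) -> str:
        self._mediate(subject, "read")
        return self._content

    def write(self, subject: str, content: str) -> None:
        self._mediate(subject, "write")
        self._content = content


if __name__ == "__main__":
    payroll = Resource("payroll.db", "salaries...")
    print(payroll.read("bob"))                                   # salaries...
    print(check_by_exclusion("mallory", "payroll.db", "delete"))  # True (!)
    print(check_by_permission("mallory", "payroll.db", "delete")) # False
    try:
        payroll.write("bob", "tampered")
    except PermissionError as e:
        print(e)                                                 # bob may not write payroll.db
    print(payroll.audit)
```

The audit list is the part a security engineer cares about in practice: because every access is mediated in one place, the decision log is complete, and a denied request is evidence rather than a gap.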
____ are hackers of limited skill who use expertly written software to attack a system.
Script kiddies
Who developed the ARPANET?
Larry Roberts
Which SecSDLC phase keeps the security systems in a high state of readiness?
Maintenance and change
What are the types of software attacks (malware)?
Viruses, Worms, Trojan horses
What do Trojan horses do?
Malware disguised as helpful, interesting, or necessary pieces of software
Early focus of computer security research centered on what system?
Multics (Multiplexed Information and Computing Service)
____ security encompasses the protection of voice and data networking components, connections, and content.
Network
What were some problems with the ARPANET?
No safety procedures for dial-up connections to the ARPANET; non-existent user identification and authorization to the system
What are the layers of security that could possibly be in place at organizations?
Operations, Physical infrastructure, People, Functions, Communications, Information
____ is "the redirection of legitimate Web traffic to an illegitimate site for the purpose of obtaining private information."
Pharming
Types of attacks using software:
Polymorphic threat, Virus and worm hoaxes, Back door, Denial-of-service, Distributed denial-of-service, Mail bombing, Spam, Packet sniffer, Spoofing, Pharming, Man-in-the-middle
_____ is a type of law that regulates the relationship between an individual and an organization.
Private Law
What should security be a balance between?
Protection and availability
_____ is a type of law that regulates the structure and administration of government agencies.
Public law
What started the study of information security?
Rand Report R-609
A formal approach to solving a problem based on a structured sequence of procedures is called a(n) _____.
SDLC Methodology
____ occurs when developers fail to properly validate user input before using it to query a relational database.
SQL Injection
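An added example of the SQL injection failure defined above, written for these notes rather than taken from the course text. It uses Python's standard `sqlite3` module with a constructed in-memory `users` table, and puts the vulnerable query (user input pasted into the SQL string) beside the fix (a parameterized query, in which the driver sends the values separately from the SQL text so they can never be parsed as SQL).

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory database with two users.
    (Plaintext passwords are used only to keep the example short.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Builds the query by string concatenation, so a quote in the input
    ends the string literal and the rest of the input becomes SQL.
    Returns the number of matching rows (non-zero means 'logged in')."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Parameterized query: '?' placeholders are bound to the values by the
    driver, so the input is always data and never part of the SQL text."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0]


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"   # classic tautology: makes the WHERE clause always true
    print(login_vulnerable(conn, "alice", payload))  # 2: every row matches
    print(login_safe(conn, "alice", payload))        # 0: no such password
    print(login_safe(conn, "bob", "hunter2"))        # 1: legitimate login
```

With the payload, the concatenated statement becomes `... WHERE username = 'alice' AND password = '' OR '1'='1'`; since AND binds tighter than OR, the row filter collapses to `OR '1'='1'` and every user matches, so the attacker is "logged in" without a password. Validation of the input (length, character class) is a useful second layer, but the parameterized form is the actual fix.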
What did the scope of computer security start with?
Securing the data; limiting random and unauthorized access to data; involving personnel from multiple levels of the organization in information security
What does SecSDLC stand for?
Security Systems Development Life Cycle
What are the responsibilities of the CIO?
Senior technology officer; primarily responsible for advising the senior executives on strategic planning
What are the components of an Information System?
Software, Hardware, Data, People, Procedures, Networks
Name the two watchdog organizations that investigate software abuse:
Software & Information Industry Association (SIIA), Business Software Alliance (BSA)
What is an SDLC?
Systems Development Life Cycle
In what decade did the Advanced Research Projects Agency (ARPA) begin work on what became the ARPANET?
The 1960s
What, in the 2000s, brought millions of unsecured computer networks into continuous communication with each other?
The Internet
What is information security?
The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information.
What do worms do?
They replicate themselves until they completely fill available resources such as memory and hard drive space.
True or False: A computer worm consists of segments of code that perform malicious actions.
True
True or False: Cyberterrorism has thus far been largely limited to acts such as the defacement of NATO Web pages during the war in Kosovo.
True
True or False: If information has a state of being genuine or original and is not a fabrication, it has the characteristic of authenticity.
True
True or False: Information security programs that begin at a grassroots level by system administrators to improve security are often called a bottom-up approach.
True
True or False: The Domain Name System (DNS) is a function of the World Wide Web that converts a URL (Uniform Resource Locator) like www.course.com into the IP address of the Web server host.
True (per the course text; strictly speaking, DNS is an Internet service independent of the Web, and it resolves host names such as www.course.com, not whole URLs)
True or False: The cornerstone of many current federal computer-related criminal laws is the Computer Fraud and Abuse Act of 1986.
True
True or False: Warnings of attacks that are not valid are usually called hoaxes.
True
The ______ illustrates that each phase of the SDLC begins with the results and information gained from the previous phase.
Waterfall model
A(n) _____ can result when a programmer does not validate the inputs to a calculation to verify that the integers are of the expected size.
integer bug (overflow/underflow), which in turn often leads to a buffer overrun
The generally recognized term for the government protection afforded to intellectual property (written and electronic) is _____.
copyright law
True or False: When a program tries to reverse-calculate passwords, this is known as a brute force spoof.
False (that is a brute force attack)
When projects are initiated at the highest levels of an organization and then pushed to all levels, they are said to follow a(n) ____ approach. A) executive led B) trickle down C) top-down D) bottom-up
C) top-down