Exam 3 Info Security Review

The Department of Homeland Security is the only U.S. federal agency charged with the protection of American information resources and the investigation of threats to, or attacks on, those resources. True False

false

The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002. _________________________ True False

false

The Graham-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. _________________________ True False

false

The complete details of ISO/IEC 27002 are widely available to everyone. True False

false

The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not. True False

false

The number of horizontal and vertical pixels captured and recorded is known as the image's contrast. _________________________ True False

false

To perform the Caesar cipher encryption operation, the pad values are added to numeric values that represent the plaintext that needs to be encrypted. True False

false

UltraViolet wireless (UVW) is a de facto industry standard for short-range wireless communications between devices. _________________________ True False

false

Unethical and illegal behavior is generally caused by ignorance (of policy and/or the law), by accident, and by inadequate protection mechanisms. True False

false

Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. _________________________ True False

false

DES uses a(n) ___________-bit block size. a.32 b.64 c.128 d.256

b. 64

__________ is a protocol that can be used to secure communications across any IP-based network such as LANs, WANs, and the Internet. a.SSH b.IPSec c.SET d.PEM

b. IPSec

__________ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. a.Private b.Civil c.Public d.Criminal

c. public

A __________ is a key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to access the message digest. a.digest b.MAC c.fingerprint d.signature

b. MAC
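Worked example added here (not from the original study set) contrasting a plain message digest with a MAC, the point of the question above and of the SHA-1 digest-length question later in the set. It uses only the Python standard library (hashlib, hmac, secrets); the wire message, the attacker's edit and the function names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Digest sizes asked about in this set: SHA-1 is 160 bits, SHA-256 is 256.
# SHA-1 appears only for the size comparison; do not use it for new designs.
DIGEST_BITS = {name: hashlib.new(name).digest_size * 8 for name in ("sha1", "sha256")}

def message_digest(message: bytes) -> bytes:
    """Unkeyed one-way hash. Anyone, including an attacker, can recompute it."""
    return hashlib.sha256(message).digest()

def mac(key: bytes, message: bytes) -> bytes:
    """Key-dependent one-way hash (HMAC-SHA256). Only holders of the shared
    symmetric key can produce or check the tag."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(mac(key, message), tag)

def receiver_accepts_digest(message: bytes, check: bytes) -> bool:
    return message_digest(message) == check

def attacker_rewrites_digest_protected(tampered: bytes):
    """On-path attacker swaps the message and recomputes the digest; no secret needed."""
    return tampered, message_digest(tampered)

def attacker_rewrites_mac_protected(tampered: bytes):
    """Without the shared key the attacker can only guess a tag (random key here)."""
    return tampered, mac(secrets.token_bytes(32), tampered)

def simulate(key: bytes, original: bytes, tampered: bytes) -> dict:
    """Does the receiver accept the attacker's modified message under each scheme?"""
    # Digest only: the integrity check is not bound to any secret.
    msg, chk = attacker_rewrites_digest_protected(tampered)
    digest_accepts = receiver_accepts_digest(msg, chk)
    # MAC: the old tag no longer matches, and a new one cannot be forged.
    original_tag = mac(key, original)
    msg2, forged_tag = attacker_rewrites_mac_protected(tampered)
    return {
        "digest_accepts_tampered": digest_accepts,
        "mac_accepts_tampered_with_old_tag": verify_mac(key, msg2, original_tag),
        "mac_accepts_tampered_with_forged_tag": verify_mac(key, msg2, forged_tag),
        "legitimate_mac_verifies": verify_mac(key, original, original_tag),
    }

if __name__ == "__main__":
    # Constructed sample: a payment instruction and the attacker's edit of it.
    shared_key = secrets.token_bytes(32)
    print(simulate(shared_key, b"PAY 100 TO ACCT 42", b"PAY 100 TO ACCT 99"))
```

The digest detects accidental corruption only; because the MAC is keyed, the receiver learns both that the message is intact and that it came from a key holder. A MAC still gives no non-repudiation, since every key holder can produce the same tag; that is the job of the digital signature asked about further down.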

The __________ algorithm, developed in 1977, was the first public-key encryption algorithm published for commercial use. a.MAC b.DES c.RSA d.AES

c. RSA

The Federal Privacy Act of 1974 regulates government agencies and holds them accountable if they release information about national security without permission. _________________________ True False

false (the Privacy Act of 1974 holds agencies accountable for releasing private information about individuals or businesses without permission, not national security information)

The NSA is responsible for signal intelligence, information assurance products and services, and enabling computer network operations to gain a decision advantage for the United States and its allies under all circumstances. True False

true

__________ are encrypted message components that can be mathematically proven to be authentic. a.Digital signatures b.Message digests c.Message certificates d.MACs

a. Digital signatures

What is the subject of the Computer Security Act? a.Federal agency information security b.Telecommunications common carriers c.Cryptography software vendors d.All of the above

a. Federal agency information security

What is the subject of the Sarbanes-Oxley Act? a.Financial reporting b.Banking c.Trade secrets d.Privacy

a. Financial reporting

The __________ defines stiffer penalties for prosecution of terrorist crimes. a.USA PATRIOT Act b.Gramm-Leach-Bliley Act c.Sarbanes-Oxley Act d.Economic Espionage Act

a. USA PATRIOT Act

At the World Championships in Athletics in Helsinki in August 2005, a virus called Cabir infected dozens of __________, the first time this occurred in a public setting. a.Bluetooth mobile phones b.laptop Macintosh computers c.iPad tablets d.WiFi routers

a. bluetooth mobile phones

The transfer of transaction data in real time to an off-site facility is called ____. a.electronic vaulting b.off-site storage c.database shadowing d.remote journaling

d. remote journaling (electronic vaulting is the bulk batch transfer of data off site; database shadowing duplicates the database itself at the remote site)

Which of the following acts is also widely known as the Gramm-Leach-Bliley Act? a.Financial Services Modernization Act b.Health Insurance Portability and Accountability Act c.Computer Security Act d.Communications Act

a. financial services modernization act

In 2002, Congress passed the Federal Information Security Management Act (FISMA), which mandates that all federal agencies __________. a.provide security awareness training b.periodic assessment of risk c.develop policies and procedures based on risk assessments d.All of the above

d. All of the above

__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information. a.Redundancy b.Hosting c.Domaining d.Firewalling

a. redundancy

Which of the following countries reported the least tolerant attitudes toward personal use of organizational computing resources? a.Singapore b.Sweden c.Australia d.United States

a. singapore

Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage __________. a.with intent b.by accident and/or through unintentional negligence c.with malice d.NONE OF THE ABOVE

b. by accident and/or through unintentional negligence

Security __________ are the areas of trust within which users can freely communicate. a.perimeters b.domains c.rectangles d.layers

b. domains

Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications? a.Sarbanes-Oxley Act b.Electronic Communications Privacy Act c.Financial Services Modernization Act d.Economic Espionage Act

b. electronic communication privacy act

An information security ________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training. a.plan b.framework c.policy d.model

b. framework

Criminal or unethical __________ goes to the state of mind of the individual performing the act. a.attitude b.intent c.accident d.All of the above

b. intent

__________ is the entire range of values that can possibly be used to construct an individual key. a.An algorithm b.Keyspace c.A cryptogram d.Code

b. keyspace

More advanced substitution ciphers use two or more alphabets, and are referred to as __________ substitutions. a.monoalphabetic b.polyalphabetic c.multialphabetic d.polynomic

b. polyalphabetic
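Worked example added here (not part of the original study set) covering three items in this set at once: the Caesar cipher versus the Vernam pad-addition question, the keyspace question, and polyalphabetic substitution. Caesar, Vigenère and Vernam are all written as the same mod-26 letter addition so the difference in key length and reuse is visible. The plaintext, keyword and function names are constructed for the demonstration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase

def _shift_letters(text, shifts, decrypt=False):
    """Add a shift (mod 26) to each letter of `text`; the i-th letter uses
    shifts[i % len(shifts)]. Non-letters pass through and consume no shift."""
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = shifts[i % len(shifts)]
            if decrypt:
                k = -k
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def caesar(text, shift, decrypt=False):
    """Monoalphabetic substitution: one fixed shift for every letter."""
    return _shift_letters(text, [shift % 26], decrypt)

def vigenere(text, keyword, decrypt=False):
    """Polyalphabetic substitution: the keyword picks a different alphabet
    (shift) for each position and repeats every len(keyword) letters."""
    shifts = [ALPHABET.index(c) for c in keyword.upper()]
    return _shift_letters(text, shifts, decrypt)

def vernam_pad(n_letters):
    """Non-repeating random key, at least as long as the message."""
    return [secrets.randbelow(26) for _ in range(n_letters)]

def vernam(text, pad, decrypt=False):
    """Vernam (one-time pad): pad values are added mod 26 to the plaintext
    letters. The pad is used once and never repeats, unlike a Vigenère keyword."""
    n_letters = sum(1 for ch in text.upper() if ch in ALPHABET)
    if len(pad) < n_letters:
        raise ValueError("pad shorter than message: %d < %d" % (len(pad), n_letters))
    return _shift_letters(text, pad, decrypt)

CAESAR_KEYSPACE = 25  # shifts 1..25; shift 0 leaves the text unchanged

def brute_force_caesar(ciphertext, crib):
    """The work factor against Caesar is tiny: try every key in the keyspace
    and keep the one whose output contains an expected word (the crib)."""
    for shift in range(1, CAESAR_KEYSPACE + 1):
        candidate = caesar(ciphertext, shift, decrypt=True)
        if crib.upper() in candidate:
            return shift, candidate
    return None

if __name__ == "__main__":
    msg = "ATTACK AT DAWN"  # constructed sample plaintext
    print(caesar(msg, 3))                      # DWWDFN DW GDZQ
    print(vigenere("ATTACKATDAWN", "LEMON"))   # LXFOPVEFRNHR
    pad = vernam_pad(12)
    print(vernam(vernam(msg, pad), pad, decrypt=True))  # ATTACK AT DAWN
    print(brute_force_caesar(caesar(msg, 3), "ATTACK"))  # (3, 'ATTACK AT DAWN')
```

Caesar is Vigenère with a one-letter keyword, and Vernam is Vigenère with a random keyword as long as the message that is never reused; the keyspace grows from 25 keys to 26 to the power of the message length, which is why exhaustive search works on the first and not on the last.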

SHA-1 produces a(n) ___________-bit message digest, which can then be used as an input to a digital signature algorithm. a.48 b.56 c.160 d.256

c. 160

__________ is the current federal information processing standard that specifies a cryptographic algorithm used within the U.S. government to protect information in federal agencies that are not a part of the national defense infrastructure. a.3DES b.2DES c.AES d.DES

c. AES

In PKI, the CA periodically distributes a(n) _________ to all users that identifies all revoked certificates. a.RA b.RDL c.CRL d.MAC

c. CRL

Digital signatures should be created using processes and products that are based on the __________. a.HTTPS b.SSL c.DSS d.NIST

c. DSS

The ________is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts. a.SysSP b.ISSP c.EISP d.GSP

c. EISP (enterprise information security policy)

The Health Insurance Portability and Accountability Act of 1996, also known as the __________ Act, protects the confidentiality and security of health-care data by establishing and enforcing standards and by standardizing electronic data interchange. a.Gramm-Leach-Bliley b.HITECH c.Kennedy-Kassebaum d.Privacy

c. Kennedy-Kassebaum

The goals of information security governance include all but which of the following? a.Strategic alignment of information security with business strategy to support organizational objectives b.Risk management by executing appropriate measures to manage and mitigate threats to information resources c.Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care d.Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved

c. Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care

The __________ is responsible for the fragmentation, compression, encryption, and attachment of an SSL header to the cleartext prior to transmission. a.S-HTTP b.SFTP c.SSL Record Protocol d.Standard HTTP

c. SSL Record Protocol

__________ law comprises a wide variety of laws that govern a nation or state. a.Private b.Criminal c.Civil d.Public

c. civil

_________ is the rapid determination of the scope of the breach in the confidentiality, integrity, and availability of information and information assets during or just following an incident. a.Incident response b.Containment development c.Damage assessment d.Disaster assessment

c. damage assessment

__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. a.Proxy b.Best-effort c.Defense in depth d.Networking

c. defense in depth

The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization. a.technology b.Internet c.people d.operational

c. people

The National Information Infrastructure Protection Act of 1996 modified which act? a.Computer Security Act b.USA PATRIOT Act c.USA PATRIOT Improvement and Reauthorization Act d.Computer Fraud and Abuse Act

d. Computer Fraud and Abuse Act

________often function as standards or procedures to be used when configuring or maintaining systems. a.ISSPs b.ESSPs c.EISPs d.SysSPs

d. SysSPs

A(n) _________ is a document containing contact information for the people to be notified in the event of an incident. a.emergency notification system b.phone list c.call register d.alert roster

d. alert roster

A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes __________. a.controls have proven ineffective b.controls have been bypassed c.controls have failed d.All of the above

d. all of the above

Laws, policies, and their associated penalties only deter if which of the following conditions is present? a.Fear of penalty b.Probability of being caught c.Probability of penalty being administered d.All of the above

d. all of the above

Redundancy can be implemented at a number of points throughout the security architecture, such as in ________. a.firewalls b.proxy servers c.access controls d.All of the above

d. all of the above

An X.509 v3 certificate binds a ___________, which uniquely identifies a certificate entity, to a user's public key. a.message digest b.fingerprint c.digital signature d.distinguished name

d. distinguished name

The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____. a.database shadowing b.remote journaling c.off-site storage d.electronic vaulting

d. electronic vaulting

The Council of Europe adopted the Convention on Cybercrime in 2001 to oversee a range of security functions associated with __________ activities. a.online terrorist b.electronic commerce c.cyberactivist d.Internet

d. internet

A __________ is the information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext. a.passphrase b.cipher c.password d.key

d. key

__________ is the amount of effort (usually in hours) required to perform cryptanalysis to decode an encrypted message when the key or algorithm (or both) are unknown. a.A key b.An algorithm c.Code d.Work factor

d. work factor

A hard drive feature known as "hot swap" is a RAID implementation (typically referred to as RAID Level 1) in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails. True False

false

A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology. True False

false

A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions. True False

false

A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior. True False

false

A(n) disaster is any adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. _________________________ True False

false

A(n) key is the set of steps used to convert an unencrypted message into an encrypted sequence of bits that represent the message; it sometimes refers to the programs that enable the cryptographic processes. _________________________ True False

false

ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly. True False

false

As DES became known as being too weak for highly classified communications, Double DES was created to provide a level of security far beyond that of DES. _________________________ True False

false

Ethics are the moral attitudes or customs of a particular group. _________________________ True False

false

Every member of the organization's InfoSec department must have a formal degree or certification in information security. True False

false

For policy to become enforceable, it only needs to be distributed, read, understood, and agreed to. True False

false

Guidelines are detailed statements of what must be done to comply with policy. _________________________ True False

false

In 1953, Giovan Batista Bellaso introduced the idea of the passphrase (password) as a key for encryption. True False

false

In 2016, NIST published a new Federal Master Cybersecurity Framework to create a mandatory framework for managing cybersecurity risk for the delivery of critical infrastructure services at every organization in the United States, based on vendor-specific technologies. True False

false

In a study on software license infringement, licenses from the United States were significantly more permissive than those from the Netherlands and other countries. _________________________ True False

false

In the context of information security, confidentiality is the right of individuals or groups to protect themselves and their information from unauthorized access. True False

false

Intellectual privacy is recognized as a protected asset in the United States. _________________________ True False

false

S-HTTP is an extended version of Hypertext Transfer Protocol that provides for the encryption of protected e-mail transmitted via the Internet between a client and server. _________________________ True False

false

SSL builds on the encoding format of the Multipurpose Internet Mail Extensions protocol and uses digital signatures based on public-key cryptosystems to secure e-mail. True False

false

Standard HTTP (S-HTTP) is an extended version of the Hypertext Transfer Protocol that provides for the encryption of individual messages transmitted via the Internet between a client and server. True False

false

The AES algorithm was the first public-key encryption algorithm to use a 256-bit key length. True False

false

The Computer Security Act of 1987 is the cornerstone of many computer-related federal laws and enforcement efforts; it was originally written as an extension and clarification of the Comprehensive Crime Control Act of 1984. True False

false

A disaster recovery plan shows the organization's intended efforts to restore operations at the original site in the aftermath of a disaster. True False

true

A security policy should begin with a clear statement of purpose. _________________________ True False

true

Criminal law addresses activities and conduct harmful to society and is categorized as private or public. True False

true

Disaster recovery personnel must know their roles without supporting documentation, which is a function of preparation, training, and rehearsal. True False

true

Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective. True False

true

Each policy should contain procedures and a timetable for periodic review. True False

true

In 1917, Gilbert S. Vernam, an AT&T employee, invented a polyalphabetic cipher machine that used a non-repeating random key. True False

true

Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident. True False

true

Internet Protocol Security (IPSec) is an open-source protocol framework for security development within the TCP/IP family of protocols. True False

true

Internet Protocol Security is designed to protect data integrity, user confidentiality, and authenticity at the IP packet level. _________________________ True False

true

Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear the probability of a penalty being applied. _________________________ True False

true

NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture. True False

true

Nonrepudiation means that customers or partners can be held accountable for transactions, such as online purchases, which they cannot later deny. True False

true

PKI systems are based on public-key cryptosystems and include digital certificates and certificate authorities. True False

true

Popular cryptosystems use a hybrid combination of symmetric and asymmetric algorithms. True False

true

Pretty Good Privacy (PGP) uses the freeware ZIP algorithm to compress the message after it has been digitally signed but before it is encrypted. _________________________ True False

true

Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely. True False

true

Since it was established in January 2001, every FBI field office has started an InfraGard program to collaborate with public and private organizations and the academic community. True False

true

Steganography is a data hiding method that involves embedding information within other files, such as digital pictures or other images. True False

true
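Worked example added here (not from the original study set) of the data-hiding method the statement above describes: least-significant-bit embedding of a payload inside the sample values of a cover file, such as the 8-bit pixel values of a grayscale image. Standard library only; the cover buffer, payload and function names are constructed for the demonstration.

```python
def capacity_bytes(cover: bytes) -> int:
    """Payload bytes that fit: one bit per cover byte, minus the 4-byte length header."""
    return len(cover) // 8 - 4

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide `payload` in the least-significant bit of each cover byte. A 32-bit
    big-endian length header is embedded first so the extractor knows where
    the payload ends. The cover's length and high bits are untouched."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError("cover too small: %d payload bytes, capacity %d"
                         % (len(payload), capacity_bytes(cover)))
    data = len(payload).to_bytes(4, "big") + payload
    stego = bytearray(cover)
    for idx, byte in enumerate(data):
        for bit in range(8):
            pos = idx * 8 + bit
            stego[pos] = (stego[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(stego)

def extract_lsb(stego: bytes) -> bytes:
    """Reassemble the hidden bytes from the LSBs, header first."""
    def read(start: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            val = 0
            for bit in range(8):
                val = (val << 1) | (stego[start + b * 8 + bit] & 1)
            out.append(val)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)

def max_sample_change(cover: bytes, stego: bytes) -> int:
    """LSB embedding changes any sample by at most 1: invisible to the eye,
    but the altered LSB statistics are exactly what steganalysis tools look for."""
    return max(abs(a - b) for a, b in zip(cover, stego))

if __name__ == "__main__":
    cover = bytes(range(256)) * 4          # constructed 1024-sample "image"
    stego = embed_lsb(cover, b"meet at dawn")
    print(extract_lsb(stego))              # b'meet at dawn'
    print(max_sample_change(cover, stego)) # 1
```

Note that steganography hides the existence of the message but provides no confidentiality of its own: anyone who knows the embedding scheme can run extract_lsb, so sensitive payloads should be encrypted before embedding.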

Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group. True False

true

Technical controls are the tactical and technical implementations of security in the organization. _________________________ True False

true

The code of ethics put forth by (ISC)² focuses on four mandatory canons: "Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession." _________________________ True False

true

The communications networks of the United States carry more funds than all of the armored cars in the world combined. _________________________ True False

true

The most common hybrid system is based on the Diffie-Hellman key exchange, which is a method for exchanging private keys using public-key encryption. True False

true

The policy administrator is responsible for the creation, revision, distribution, and storage of the policy. True False

true

The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification. _________________________ True False

true

When an asymmetric cryptographic process uses the sender's private key to encrypt a message, the sender's public key must be used to decrypt the message. True False

true

You can create a single, comprehensive ISSP document covering all information security issues. True False

true