Midterm Exam 414
What is NOT one of the three primary bureaus of the FTC?
Bureau of Finance
What does CVE stand for?
Common Vulnerabilities and Exposures
What is NOT a program overseen by the National Cybersecurity and Communications Integration Center?
DHS
Identify the true statement.
Exploited vulnerabilities result in losses.
What ensures that federal agencies protect their data and assigns specific responsibilities for federal agencies?
FISMA
What is NOT a standard or guideline for compliance that exists to assess and improve security?
FTC
A loss results in a compromise to business functions, and a threat results in a compromise to business assets.
False
A security policy provides a high-level overview of the goals of security and the details of how to implement security techniques.
False
All companies face the same set of vulnerabilities.
False
CBA stands for Cost Benefit Authorization
False
CBK stands for Cost Benefit Knowledge.
False
Exploit Wednesday refers to the day that Operation Aurora was discovered.
False
Future lost revenue is a tangible asset.
False
GASSP and GAISP are agencies within ISSA.
False
Hubs are better than switches because switches increase the risk of sniffing attacks.
False
MITRE is a part of MIT.
False
MITRE sponsors the CVE list.
False
Malware cannot threaten the workstation domain of a typical IT security infrastructure if the other six domains are secure.
False
Most companies should install antivirus software after connecting the server to the network.
False
Only a company can be a fiduciary.
False
Out-of-pocket costs are costs to reduce risks that a company CEO must pay for with his own money rather than the company's funds.
False
PCI DSS is a process that must be completed by the time a creditor issues a card to a consumer.
False
People are the eighth domain of typical IT infrastructure.
False
RAs are simpler to complete than risk management plans, because risk management plans are continuous processes while RAs are simple point-in-time documents that can easily be completed in a single sitting.
False
The Department of Homeland Security only deals with threats to national security and does not play a role in helping companies manage IT risks.
False
The Health Insurance Portability and Accountability Act (HIPAA) applies only to the health care industry.
False
The intangible value of an asset is not relevant to managing risks because there is no way to quantify its value in terms of monetary value during a risk assessment.
False
The organization known as Gay, Lesbian, and Bisexual Americans (GBLA) is responsible for sponsoring important legislation regarding protecting the privacy of employee's sexual orientation in the workplace.
False
The purpose of PCI DSS is to regulate creditors.
False
The second step of becoming ISO 27002 certified involves implementing best practices.
False
The term hacker is a general term that refers to all attackers who create intentional threats.
False
There are five levels of CMMI: initial, managed, defined, qualitatively managed, and optimized.
False
Unfortunately, most hackers are bored teenagers launching threats from the safety of their bedrooms, and this makes them difficult to find.
False
With proper security measures, a company can eliminate threats.
False
Identify the acronym that does NOT refer to an initiative taken by the government to help companies manage IT risks.
IIS
IDS stands for ______________.
Intrusion Detection System
What is NOT true about Operation Aurora?
It attacked several private citizens.
What is the area that is inside the firewall?
LAN Domain
What is NOT an example of unintentional threat?
Malware written and run by a "script kiddie" just to see what he could do destroys a company's information database.
A _________ is the likelihood that a loss will occur.
Risk
FERPA applies to all of the following, EXCEPT ______________.
Saint Mary's Private Elementary School for Girls
A key step in managing risk is to first understand and manage the source.
True
A run on a bank is when many depositors rush to withdraw their money.
True
A vulnerability leads to a threat, but does not lead to a loss by itself.
True
An exploit is a method used to take advantage of a vulnerability.
True
Continuous monitoring is necessary because security work is never done.
True
Data is a tangible asset.
True
Every state has its own Attorney General.
True
Greed, anger, and a desire to do damage are all motivations for the perpetrators behind intentional threats.
True
In a DMZ, the firewall connected to the Internet allows access to the public-facing servers.
True
Profitability = Revenue - Costs
True
RAs assume that current controls are working as expected.
True
Rogueware tricks users into installing bogus antivirus software.
True
The FDIC was created as a direct result of the failures that lead to the Great Depression.
True
The first step of becoming ISO 27002 certified involves implementing best practices.
True
The internal LAN is generally considered a trusted zone.
True
The ultimate goal in risk management is to protect the organization.
True
US-CERT is a part of the NCCIC.
True
Zombies are a threat to security.
True
You are a disgruntled employee with a master's degree in computer sciences who was recently laid off from a major technology company, and you want to launch an attack on the company. Where might you go to learn about vulnerabilities that you can exploit for your plan?
a blog
What is the best example of warez?
a file on your computer of tonight's new Game of Thrones episode you downloaded for free
What is a security policy?
a high-level overview of security goals
What is a publicly traded company?
any company that has stock that outside vendors can buy or sell
When companies are expected to adhere to the laws that they are affected by, this is commonly known as _______________.
compliance
What are the elements of the security triad?
confidentiality, integrity, and availability
What is compared in a threat-likelihood-impact matrix?
the likelihood of a threat and the impact of the resulting loss
What is NOT an example of an intangible value?
data
CIPA is ________________.
designed to limit offensive content from school and library computers
What is NOT a step in risk management?
eliminating all risks
Because US-CERT is run within DHS, US-CERT information is classified and unavailable to the public.
False
There is no difference between power of attorney and general power of attorney.
False
All of the following terms have the same meaning, EXCEPT _____________.
firewall zone
All of the following are major components of RAs, EXCEPT:
identifying stakeholders
In relation to risk management, IP stands for _________.
intellectual property
_________ are acts that are hostile to an organization.
Intentional threats
When a threat exploits a vulnerability, it results in a(n) __________.
loss
It is common to focus the scope of an RA on system ownership, because doing so ____________.
makes it easier to implement recommendations
When a fiduciary does not exercise due diligence, it can be considered __________.
negligence
A _____________ policy governs how patches are understood, tested, and rolled out to systems and clients.
patch management
When the FTC was created in 1914, its primary goal was to ______________.
prevent unfair methods of competition
You recently changed jobs. HIPAA helps you ____________________ .
protect your health information
Most organizations use ___________________ as gateways to access the Internet.
proxy servers
What is one source of risk reduction?
reducing the impact of the loss
When risk is reduced to an acceptable level, the remaining risk is referred to as _________.
residual risk
Another term for risk mitigation is _______.
risk reduction
A teenager learning about computers and programming for the first time writes a simple program meant to disrupt the function of his sister's computer. While she's hanging out with friends at the mall, he enters his sister's IP address, launches the program, and waits to see what will happen. The teenager is an example of a ___________.
script kiddie
Companies use risk management techniques to differentiate ___________ from _________?
severe risks, minor risks
What is a major type of vulnerability for the user domain?
social engineering
HIPAA requires that your insurance company sets standards for the protection of your data and the systems that handle that data's ________________.
storage, use, and transmission
When your bank or credit card company sends you a notification of changes in how it collects or shares data, it is sending that notification in compliance with ________________.
the Financial Privacy Rule
Hardening the server refers to ____________.
the combination of all the steps that it takes to protect a vulnerable system and make it more secure than the default installation
What can you control about threat/vulnerability pairs?
the vulnerability
A(n) _________ is the process of creating a list of threats.
threat identification
Total risk = _______________
threat x vulnerability x asset value
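Added worked example, not part of the exam key: the formulas the exam lists (total risk = threat x vulnerability x asset value, residual risk left after mitigation, risk reduction via controls, and separating severe from minor risks) applied to a small risk register in Python. The threat/vulnerability pairs, scores, costs, the severity threshold and the likelihood/impact bands are all constructed sample values chosen to show the arithmetic, not figures from the course or any real assessment.

```python
"""Risk register illustration (added example; all data below is constructed).

Relationships used, as stated in the exam:
  total risk    = threat x vulnerability x asset value
  residual risk = risk remaining after a control lowers the vulnerability
  risk reduction (mitigation) = total risk - residual risk
A cost-benefit analysis (CBA) then compares that reduction to the control's cost.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ThreatVulnPair:
    name: str
    threat: float           # likelihood the threat acts against the asset, 0..1
    vulnerability: float    # probability the threat succeeds if it acts, 0..1
    asset_value: float      # value of the asset (tangible or estimated intangible)
    control_cost: float = 0.0            # cost of the proposed mitigating control
    vuln_after: Optional[float] = None   # vulnerability after the control is applied


# Constructed sample register (hypothetical scores, not real assessment data).
SAMPLE_PAIRS: List[ThreatVulnPair] = [
    ThreatVulnPair("Malware on unprotected workstations", 0.9, 0.8, 50_000, 4_000, 0.1),
    ThreatVulnPair("Social engineering of users", 0.7, 0.5, 200_000, 15_000, 0.2),
    ThreatVulnPair("Sniffing on switched LAN", 0.2, 0.1, 80_000, 30_000, 0.02),
]

SEVERE_THRESHOLD = 10_000.0   # assumed cut-off between severe and minor risks


def total_risk(p: ThreatVulnPair) -> float:
    """Total risk = threat x vulnerability x asset value (rounded to cents)."""
    return round(p.threat * p.vulnerability * p.asset_value, 2)


def residual_risk(p: ThreatVulnPair) -> float:
    """Risk that remains once the control reduces the vulnerability."""
    vuln = p.vulnerability if p.vuln_after is None else p.vuln_after
    return round(p.threat * vuln * p.asset_value, 2)


def risk_reduction(p: ThreatVulnPair) -> float:
    """Mitigation benefit: how much risk the control removes."""
    return round(total_risk(p) - residual_risk(p), 2)


def cba(p: ThreatVulnPair) -> Tuple[float, bool]:
    """Cost-benefit analysis: net value of the control and whether it pays off."""
    net = round(risk_reduction(p) - p.control_cost, 2)
    return net, net > 0


def classify(p: ThreatVulnPair, threshold: float = SEVERE_THRESHOLD) -> str:
    """Separate severe risks from minor ones using an assumed threshold."""
    return "severe" if total_risk(p) >= threshold else "minor"


def matrix_cell(p: ThreatVulnPair) -> Tuple[str, str]:
    """Place the pair in a threat-likelihood-impact matrix.

    Likelihood = threat x vulnerability; impact = asset value at stake.
    The band boundaries are assumptions for this example.
    """
    likelihood = p.threat * p.vulnerability
    lik = "high" if likelihood >= 0.5 else "medium" if likelihood >= 0.2 else "low"
    imp = "high" if p.asset_value >= 100_000 else "medium" if p.asset_value >= 25_000 else "low"
    return lik, imp


def rank_by_risk(pairs: List[ThreatVulnPair]) -> List[str]:
    """Names ordered from highest to lowest total risk, for prioritising work."""
    return [p.name for p in sorted(pairs, key=total_risk, reverse=True)]


if __name__ == "__main__":
    for p in SAMPLE_PAIRS:
        net, worth_it = cba(p)
        print(f"{p.name:38} total={total_risk(p):>9.2f} residual={residual_risk(p):>8.2f} "
              f"{classify(p):6} matrix={matrix_cell(p)} net={net:>9.2f} adopt={worth_it}")
    print("priority:", rank_by_risk(SAMPLE_PAIRS))
```

In the sample register the sniffing control is rejected by the CBA: it removes only 1,280 of risk but costs 30,000, which is exactly the "reduce risk to an acceptable level, accept the residual" decision the exam describes, and it sits in the low-likelihood row of the matrix.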
What is the purpose of a separation of duties?
to ensure no single person controls an entire process
What is the function of job rotation?
to prevent or reduce fraudulent activity
In a DMZ, the firewall connected to the internal network allows access to the public-facing servers.
True
When does a threat/vulnerability pair occur?
when a threat exploits a vulnerability
A new company starts up but does not have a lot of revenue for the first year. Installing anti-virus software for all the company's computers would be very costly, so the owners decide to forgo purchasing anti-virus software for the first year of the business. In what domain of typical IT infrastructure is vulnerability created?
workstation domain
A(n) __________ is a computer joined to a botnet.
zombie