MIS Chapter 17


Hackers might infiltrate computer systems to enlist hardware for subsequent illegal acts.

True

Spear phishing attacks specifically target a given organization or group of users.

True

1. In security circles the phrase "compliance" refers to: a. legal or professionally binding steps that an organization must take. b. security audit practices used by the tech divisions of Big Four accounting firms. c. a firm's installing software to fulfill government surveillance requirements. d. the U.S. government legislation requiring organizations to share security breaches with law enforcement and industry trade organizations. e. only deploying open source software that is downloaded from approved GitHub locations.

A

1. One of the major problems with the Heartbleed bug in OpenSSL software is that: a. the software was embedded in many hardware products that could not be easily patched with automatic software updates. b. any password typed into a CAPTCHA could be monitored by a Van Eck device. c. social engineers could exploit the bug through SQL injection. d. all social media profile data was exposed, giving hackers access to the potential answers many firms ask as part of password security questions. e. it eliminated the ability to expose a URL's destination by hovering the cursor over an address.

A

1. Several surprising findings were revealed in the wake of the Target breach, providing a cautionary tale for all executives and security professionals. Which of the following was not thought to have occurred during the Target security breach? a. Target had security software, but the notification alerts from the software were ignored. b. Target had properly installed and configured its security software, but hackers got in, anyway. c. Credit card databases were on entirely separate systems, not connected to other parts of the firm's information system, but wireless networking allowed hackers to access anything reachable from a cell phone connection. d. Target regularly monitored file names and matched them to file sizes and archival copies to ensure that software was not installed on their systems using the names of legitimate products, but hackers saved files with blank file names so they wouldn't be detected. e. All of the above

A

1. Some of the most common guidelines issued by Web sites when designing a secure password include: a. The password should be at least eight characters long and include at least one number and other nonalphabet character. b. The password should be short and straightforward. c. The password should include names of family members or pets, so as to be easily remembered. d. Choose a hard-to-guess password, then re-use this hardened password across websites. This minimizes instances of calling systems professionals for a password reset, hence eliminating an additional potential vulnerability. e. The password should be the same as your name so as to trick the hacker.

A

1. Which weakness of Web sites does an SQL injection attack exploit? a. Sloppy programming practices where software developers do not validate user input b. Lack of in-built anti-virus features c. Irregular auditing of Web site content d. Ease of infiltrating the Web site e. Non-employment of encryption techniques

A

3. Many U.S. technology firms believe that U.S. government surveillance techniques put them at a disadvantage relative to foreign firms because: a. some customers have begun seeking alternative products and services untarnished by the perception of having (complicitly or unwittingly) provided private information to authorities. b. the cost to include government surveillance technology inside their products is expensive and lowers profits compared to rivals. c. the government-required installations of software, such as Stuxnet, that U.S. tech firms must comply with inevitably take up valuable storage space, adding cost to industrial and commercial products. d. the cost to house government workers on-site is a burden private corporations should not have to shoulder. e. firms in foreign governments are directly contracted to perform surveillance, and are compensated for their efforts with perks and tax breaks, while U.S. firms receive no such compensation.

A

1. Computer systems are often infected with malware by means of exploits that sneak in masquerading as something they are not. These exploits are called: a. rootkits. b. trojans. c. viruses. d. worms. e. honeypots.

B

1. Cyber criminals who infiltrate systems and collect data for illegal resale are called _____. a. cash-out fraudsters b. data harvesters c. corporate spies d. ethical hackers e. information hoarders

B

1. Technologies that measure and analyze human body characteristics for identification or authentication are known as _____. a. overlamination processes b. biometrics c. smart tags d. bio-embedded systems e. holographs

B

1. The e-mail password of a senior employee in an organization was compromised by someone observing this user as the employee accessed his account. This is most likely a case of: a. keylogging. b. shoulder surfing. c. dumpster diving. d. screen capture. e. spyware.

B

1. Which of the following statements holds true for the term spoof? a. It refers to a con executed using technology, typically targeted at acquiring sensitive information or tricking someone into installing malicious software. b. It refers to e-mail transmissions and packets that have been altered to seem as if they came from another source. c. It refers to scrambling data using a code or formula, known as a cipher, such that it is hidden from those who do not have the unlocking key. d. It refers to a seemingly tempting, but bogus target meant to draw hacking attempts. e. It refers to highly restrictive programs that permit communication only with approved entities and/or in an approved manner.

B

1. Which of the following types of infiltration techniques does one open up to by posting sensitive personal information and details about one's workplace on social networking sites? a. Phishing b. Social engineering c. Password theft d. Virus infections e. Physical threats

B

3. A research scientist with a major pharmaceutical firm in New Jersey is caught passing on sensitive information, worth millions of dollars, regarding the composition and test results of his firm's latest drug to a rival company. What crime is he being held responsible for? a. Cyber-fraud b. Corporate espionage c. Carrying out technology disruptions d. Extortion e. Illegal funds transfer

B

3. Which of these would be an example of a DDoS attack? a. An extortion attempt where hackers threaten to reveal names and social security information stolen from medical records databases b. Overloading a popular social networking site with inbound messages in order to shut down access to the site c. Launching a targeted phishing campaign on a department of defense or other surveillance network. d. Stealing proprietary data directly from mobile phones using a distributed network of difficult-to-trace online services. e. Launching tough-to-track click-fraud efforts

B

6. What is the key takeaway from the Heartland breach? a. Even widely-used open source software is vulnerable. b. Compliance does not equal security and firms that have passed multiple compliance audits may still remain vulnerable. c. SSL public-key encryption can be hacked. d. GitHub is a horrible place to store widely-used code. e. Firms that fail to employ ISO 27000 will remain vulnerable.

B

1. Attacks that exhaust all possible password combinations in order to break into an account are called _____ attacks. a. strong arm b. permuted c. brute-force d. zero-day e. infinity

C

1. Hordes of surreptitiously infiltrated computers, linked and controlled remotely, are known as zombie networks or: a. honeypots. b. zombots. c. botnets. d. blacklists. e. megabots.

C

1. Sifting through trash in an effort to uncover valuable data or insights that can be stolen or used to launch a security attack is known as: a. trash recovery. b. junk exploring. c. dumpster diving. d. scrap sifting. e. data sieving.

C

1. Which of the following is a valid statement on information security? a. Security breaches cannot be prevented despite the adoption of the best security policies. b. Technology lapses are solely responsible for almost all security breaches. c. Information security is everybody's responsibility. d. Greater expenditure on security products is the only way to contain security breaches. e. A reactive, rather than proactive, approach is better suited for dealing with security breaches.

C

1. Which of the following statements holds true for the term encryption? a. It refers to a con executed using technology, typically targeted at acquiring sensitive information or tricking someone into installing malicious software. b. It refers to e-mail transmissions and packets that have been altered to seem as if they came from another source. c. It refers to scrambling data using a code or formula, known as a cipher, such that it is hidden from those who do not have the unlocking key. d. It refers to a seemingly tempting, but bogus target meant to draw hacking attempts. e. It refers to highly restrictive programs that permit communication only with approved entities and/or in an approved manner.

C

2. A system that monitors network use for potential hacking attempts and takes preventative action to block, isolate, or identify attempted infiltration, and raise further alarms to warn security personnel is known as a(n): a. firewall system. b. whitelist. c. intrusion detection system. d. honeypot system. e. patching system.

C

2. One of the reasons organizations delay patches to plug holes in their security applications is: a. the rising cost of labor. b. lack of information on effectiveness of patches. c. the fear that the new technology contains a change that will cause problems down the road. d. redundancy of patches within a short span of time. e. bureaucratic inefficiency.

C

3. A protester seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage is called a(n) _____. a. activist b. cyber agitator c. hacktivist d. ethical hacker e. cybersquatter

C

3. An attack on the US power grid by terrorists or a foreign power is indicative of: a. DDoS attacks. b. espionage. c. cyberwarfare. d. extortion. e. phishing.

C

3. The term _____ originally referred to a particularly skilled programmer. a. data harvester b. cracker c. hacker d. black hat e. hacktivist

C

6. What type of tool enforces access privileges and helps verify that systems are not being accessed by the unauthorized, or in suspicious ways? a. Audit trails b. Intrusion detection tools c. Access control tools d. User-tracking tools e. Network watching tools

C

1. A bank customer receives a message, ostensibly from the bank's Web site, asking her to provide her login information. Assuming the message is intended to defraud the customer, what type of infiltration technique is being used here? a. Spyware b. Malware c. Social engineering d. Phishing e. Virus infections

D

1. Attacks that are so new that they have not been clearly identified, and so have not made it into security screening systems are called _____. a. novel attacks b. first mover attacks c. non-precedent breaches d. zero-day exploits e. brute force attacks

D

1. Which of the following aspects of international law would enable a cyber-criminal operating across borders to evade prosecution? a. Lack of technology to identify the origin of a security attack b. Non-recognition of commission of a security-related crime c. Unwillingness of developed countries to share technical know-how with lesser-developed countries d. Non-existent extradition agreements between two countries e. Technological incompatibility between the two countries

D

1. _____ can be either software-based or deployed via hardware, such as a recording "dongle" that is plugged in between a keyboard and a PC. a. Shadow-keyboards b. Bootloggers c. KitRoots d. Keyloggers e. Adwares

D

3. A(n) _____ is someone who uncovers computer weaknesses and reveals them to manufacturers or system owners, without exploiting these vulnerabilities. a. hacktivist b. data harvester c. corporate spy d. white hat hacker e. ethical cyber criminal

D

3. Which of the following statements is consistent with ground realities regarding information security? a. Cyber-crime is not yet considered a serious enough threat to warrant the attention of law-enforcement agencies. b. Law-enforcement agencies are well-resourced to fight cyber-crimes effectively. c. Governments usually outmatch private industry in terms of retaining top talent with incentives and generous pay. d. Law-enforcement agencies struggle to hire, train, and retain staff capable of keeping pace with today's cyber-criminals. e. Cyber-crime is not rewarding in terms of financial gain.

D

1. The use of public wireless connections can increase a user's vulnerability to monitoring and compromise. ____________ software can be used to encrypt transmissions over public networks, making it more difficult for a user's PC to be penetrated. a. DDoS b. Rootkit c. Keylogging d. CAPTCHA e. VPN

E

1. Viruses are programs that infect other software or files and require: a. a large file size to spread. b. the computer to be shut down to spread. c. Windows as an operating system to spread. d. a disk-based operating system to spread. e. an executable program to spread.

E

1. Which of the following are considered sources of information that can potentially be used by social engineers? a. LinkedIn b. Corporate directories c. Social media posts d. Contests or surveys e. All of the above

E

2. Systems that deny the entry or exit of specific IP addresses, products, Internet domains, and other communication restrictions are said to employ a(n): a. intrusion detection software. b. access restriction software. c. whitelists. d. anti-virus software. e. blacklists.

E

1. A vast majority of security breaches are not preventable and happen despite the best security practices.

False

1. According to research firm Gartner, the majority of loss-causing security incidents involve the handiwork of international cyber-criminal gangs.

False

1. It's bad when a firm's e-mail and password file is stolen; however, the impact is minimized because user passwords set up for one system cannot be used on others.

False

1. Two-factor authentication is favored for most security situations since it's considered to be fast and convenient for customers.

False

1. procedural factors rarely factor in.

False

A black hat hacker looks for weaknesses in security mechanisms, with a view to help plug the holes that might be exploited by cyber-criminals.

False

Because of Moore's Law, widely-used encryption programs currently employed by banks and ecommerce sites are now easily penetrated by brute-force attacks that can be employed by hackers using just a handful of simple desktop computers.

False

Conforming to industry-standard guidelines and frameworks for organizational security ensures continued immunity from attacks on an organization's information.

False

Hardware failure is the least likely of threats to one's data.

False

In public-key encryption systems, the functions of the public and private keys are interchangeable.

False

Multiple administrators jointly controlling key systems are an unnecessary burden that adds to the complexity of managing security in an organization.

False

Online backup services are considered a poor choice for end-users, since this only increases the likelihood that an individual's data will be hacked.

False

URL-shortening services such as bit.ly limit the impact of phishing posts since the shortened URL will clearly reveal the destination arrived at when clicked on.

False

When using a public wireless network, using VPN software is not advisable as it can reveal your communications to any network eavesdroppers.

False

Worms require an executable (a running program) to spread, attaching to other executables.

False

1. Organized crime networks now have their own R&D labs and are engaged in sophisticated development efforts to piece together methods to thwart current security measures.

True

1. The information systems of several firms have been compromised by insiders that can include contract employees, cleaning staff, and temporary staffers.

True

A team working on organizational security should include representatives from general counsel, audit, public relations, and human resources, in addition to those from specialized security and broader technology and infrastructure functions.

True

Dumpster diving refers to physically trawling through trash to mine any valuable data or insights that can be stolen or used in a security attack.

True

One of the reasons one should be careful about clicking on any URL in an e-mail is that hackers can easily embed a redirection in e-mail links, rerouting a user to an alternate online destination.

True

Regularly updated software lowers a system's vulnerable attack surface.

True

Social networking sites such as Facebook and LinkedIn form valuable sources of vital information that can be used to craft a scam by con artists.

True

The term ISO 27000 refers to a series of standards representing the set of best practices for implementing, maintaining and improving organizational security.

True

Web sites of reputed companies can also be sources of malware.

True

Challenge questions offered by Web sites to automate password distribution and resets are formidable in protecting the privacy of email accounts.

False

1. Information security policies would be ineffective without _____ and _____. a. audit; enforcement b. accountability; flexibility c. compliance; subjectivity d. protocols; the backing of ISO e. rigidity; adaptability

A

2. Updates that plug existing holes in a software are called: a. patches. b. compliance. c. maculations. d. keys. e. dongles.

A
