Software Security


Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) which is longer than ____________________ characters in Internet Explorer 4.0, the browser will crash.

256

The ____________________ data file contains the hashed representation of the user's password.

SAM

Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.

SLA

The ________________ Act seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies. (SS)

Sarbanes-Oxley

The __________ of 1999 provides guidance on the use of encryption and provides protection from government intervention.

Security and Freedom through Encryption Act

Which of the following countries reported the least tolerant attitudes toward personal use of organizational computing resources?

Singapore

An information system is the entire set of __________, people, procedures, and networks that make possible the use of information resources in the organization.

All of the above (software, data, hardware)

________________ is unsolicited commercial e-mail. (SS)

Spam

________________ is a technique used to gain unauthorized access to computers, wherein the intruder sends messages with a source IP address that has been forged to indicate that the messages are coming from a trusted host. (SS)

Spoofing

____ is any technology that aids in gathering information about a person or organization without their knowledge.

Spyware

________ often function as standards or procedures to be used when configuring or maintaining systems.

SysSPs

__________________-specific security policies often function as standards or procedures to be used when configuring or maintaining systems. (SS)

Systems

The ____________________ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network.

TCP

______________________ controls are information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets. (SS)

Technical

The ___________________ Act of 2001 provides law enforcement agencies with broader latitude in order to combat terrorism-related activities. (SS)

USA PATRIOT

The __________ defines stiffer penalties for prosecution of terrorist crimes.

USA PATRIOT Act

____________________ are compromised systems that are directed remotely (usually by a transmitted command) by the attacker to participate in an attack.

Zombies

The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees.

accidental

It is good practice, however, for policy ________________ to solicit input both from technically adept information security experts and from business-focused managers in each community of interest when making revisions to security policies. (SS)

administrator

A(n) ___________________ is a detailed examination of the events that occurred from first detection to final recovery. (SS)

after-action review

A(n) _________ is a document containing contact information for the people to be notified in the event of an incident.

alert roster

The ________________ phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems. (SS)

analysis

The Internet brought _________ to virtually all computers that could reach a phone line or an Internet-connected local area network. (SS)

connectivity

Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.

controls

Attempting to reverse-calculate a password is called ______________. (SS)

cracking

____________________ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents.

cyberterrorism

The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____.

electronic vaulting

A(n) ___________ information security policy outlines the implementation of a security program within the organization. (SS)

enterprise

Complete loss of power for a moment is known as a ____.

fault

A security ________ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.

framework

One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

hacktivist

In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single number called the __________ value.

hash

As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________.

hoaxes

A(n) ____________ site is a fully configured computer facility, with all services, communications links, and physical plant operations including heating and air conditioning. (SS)

hot

The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________."

management

The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any __________ purposes.

marketing

A(n) ______________ is a formal approach to solving a problem by means of a structured sequence of procedures. (SS)

methodology

A(n) _______________ is a contract between two or more organizations that specifies how each will assist the other in the event of a disaster. (SS)

mutual agreement

Hackers can be generalized into two skill groups: expert and ____________________.

novice

A computer is the ____________ of an attack when it is the entity being targeted. (SS)

object

The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.

people

A(n) _________________ hacks the public telephone network to make free calls or disrupt services.

phreaker

During the early years, information security was a straightforward process composed predominantly of __________ security and simple document classification schemes. (SS)

physical

__________ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.

physical

During the __________ phase, specific technologies are selected to support the alternatives identified and evaluated in the prior phases.

physical design

Duplication of software-based intellectual property is more commonly known as software _____________________. (SS)

piracy

Managerial directives that specify acceptable and unacceptable employee behavior in the workplace are known as ________________. (SS)

policies

The _______________ of information is the quality or state of ownership or control of some object or item. (SS)

possession

Family law, commercial law, and labor law are all encompassed by ___________ law. (SS)

private

A frequently overlooked component of an information system, ____________ are the written instructions for accomplishing a specific task. (SS)

procedures

Software is often created under the constraints of ____________ management, placing limits on time, cost, and manpower. (SS)

project

RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure.

redundant

A variation of an SDLC that can be used to implement information security solutions in an organization with little or no formal security in place is the __________.

secSDLC

Organizations are moving toward more __________-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product.

security

"4-1-9" fraud is an example of a ____________________ attack.

social engineering

In the context of information security, ___________________ is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker. (SS)

social engineering

The ________ component of the IS comprises applications, operating systems, and assorted command utilities. (SS)

software

A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years.

strategic

A computer is the __________ of an attack when it is used to conduct an attack against another computer.

subject

People with the primary responsibility for administering the systems that house the information used by the organization perform the ____ role.

system administrators

A methodology for the design and implementation of an information system that is a formal development strategy is referred to as a __________.

systems development life cycle

A(n) _____________ is a potential risk to an information asset. (SS)

threat

According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except __________.

to harass

In the __________ approach, the project is initiated by upper-level managers who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each required action. (SS)

top-down

Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.

trespass

The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect __________ in operating systems security.

vulnerabilities

A(n) __________________ is a potential weakness in an asset or its defensive control(s).

vulnerability

A type of SDLC where each phase has results that flow into the next phase is called the __________ model.

waterfall

A ________________ is a malicious program that replicates itself constantly, without requiring another program environment.

worm

______________ enables authorized users - persons or computer systems - to access information without interference or obstruction and to receive it in the required format. (SS)

Availability

The CNSS model of information security evolved from a concept developed by the computer security industry known as the ________ triangle. (SS)

CIA

The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.

CISO

__________ law comprises a wide variety of laws that govern a nation or state.

Civil

During the ________ War, many mainframes were brought online to accomplish more complex and sophisticated tasks, so it became necessary to enable the mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers. (SS)

Cold

When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?

The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.

The ________ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.

EISP

The __________ attempts to prevent trade secrets from being illegally shared.

Economic Espionage Act

The ________________________ Act of 1986 is a collection of statutes that regulates the interception of wire, electronic, and oral communications. (SS)

Electronic Communications Privacy

Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications?

Electronic Communications Privacy Act

What is the subject of the Computer Security Act?

Federal Agency Information Security

Which of the following acts is also widely known as the Gramm-Leach-Bliley Act?

Financial Services Modernization Act

What is the subject of the Sarbanes-Oxley Act?

Financial reporting

The Computer __________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.

Fraud

Which of the following is an example of a Trojan horse program?

Happy99.exe

Part of the logical design phase of the SecSDLC is planning for partial or catastrophic loss. ____ dictates what immediate steps are taken when an attack occurs.

Incident response

The Council of Europe adopted the Convention of CyberCrime in 2001 to oversee a range of security functions associated with __________ activities.

Internet

"Long arm __________________" refers to the long arm of the law reaching across the country or around the world to draw an accused individual into its court systems whenever it can establish jurisdiction. (SS)

Jurisdiction

The Health Insurance Portability and Accountability Act Of 1996, also known as the __________ Act, protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.

Kennedy-Kassebaum

___________ are rules that mandate or prohibit certain behavior and are enforced by the State. (SS)

Laws

__________________ is the legal obligation of an entity that extends beyond criminal or contract law. (SS)

Liability

__________ was the first operating system to integrate security as its core functions.

MULTICS

________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.

Managerial

__________ has become a widely accepted evaluation standard for training and education related to the security of information systems.

NSTISSI No. 4011

_________ controls address personnel security, physical security, and the protection of production inputs and outputs.

Operational

__________________ controls are information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning. (SS)

Operational

__________ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.

Public

__________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information.

Redundancy

The goals of information security governance include all but which of the following?

Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care

According to NIST SP 800-14's security principles, security should ________.

All of the above (require a comprehensive and integrated approach; support the mission of the organization; be cost-effective)

Which of the following functions does information security perform for an organization?

All of the above (protecting the organization's ability to function; protecting the data the organization collects and uses; enabling the safe operation of applications implemented on the organization's IT system)

__________ is a network project that preceded the Internet.

ARPANET

___________________ information is a form of collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group. (SS)

Aggregate

A fundamental difference between a BIA and risk management is that risk management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can protect the information, while the BIA assumes __________.

All of the above (controls have proven ineffective; controls have failed; controls have been bypassed)

Redundancy can be implemented at a number of points throughout the security architecture, such as in ________.

All of the above (proxy servers; firewalls; access controls)

Laws and policies and their associated penalties only deter if which of the following conditions is present?

All of the above (probability of penalty being administered; probability of being caught; fear of penalty)

The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?

All of these are BIA stages (identify resource requirements; determine mission/business processes and recovery criticality; identify recovery priorities for system resources)

__________ of information is the quality or state of being genuine or original.

Authenticity

__________________ of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. (SS)

Authenticity

Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is ______________. (SS)

education

The National Information Infrastructure Protection Act of 1996 modified which Act?

Computer Fraud and Abuse Act

Which of the following acts defines and formalizes laws to counter threats from computer related acts and offenses?

Computer Fraud and Abuse Act of 1986

________________ management is the set of actions taken by an organization in response to an emergency to minimize injury or loss of life, preserve the organization's image and market share, and complement its disaster recovery and business continuity processes. (SS)

Crisis

_______________________ are the fixed moral attitudes or customs of a particular group. (SS)

Cultural mores

__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.

Defense in depth

____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.

Trojan horses

In an organization, the value of _________________ of information is especially high when it involves personal information about employees, customers, or patients. (SS)

confidentiality

A virus or worm can have a payload that installs a(n) _______________ door or trap door component in a system, which allows the attacker to access the system at will with special privileges. (SS)

back

SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________.

blueprint

Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage __________.

by accident

A ____ site provides only rudimentary services and facilities.

cold

A(n) _________________________ is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives. (SS)

community of interest

The history of information security begins with the concept of _________ security. (SS)

computer

Incident _________ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident.

damage assessment

Which of the following is a valid type of role when it comes to data ownership?

All of the above (data custodians, data users, data owners)

Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.

de jure

In a ____________________ attack, the attacker sends a large number of connection or information requests to disrupt a target from a small number of sources.

denial-of-service

A server would experience a __________ attack when a hacker compromises it to acquire information from it from a remote location using a network connection.

direct

ESD is the acronym for electrostatic __________________. (SS)

discharge

A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

distributed denial-of-service

Security __________ are the areas of trust within which users can freely communicate.

domains

The _____________________ Act of 1996 attempts to prevent trade secrets from being illegally shared. (SS)

economic espionage

In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to __________.

identify and prioritize opportunities for improvement within the context of a continuous and repeatable process

The low overall degree of tolerance for ______________ system use may be a function of the easy association between the common crimes of breaking and entering, trespassing, theft, and destruction of property to their computer-related counterparts. (SS)

illicit

A(n) _____________ is an adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. (SS)

incident

The senior technology officer is typically the chief ____________ officer. (SS)

information

Information has ________ when it is whole, complete, and uncorrupted. (SS)

integrity

Some information gathering techniques are quite legal, for example, using a Web browser to perform market research. These legal techniques are called, collectively, competitive _____________________. (SS)

intelligence

Criminal or unethical __________ goes to the state of mind of the individual performing the act.

intent

Script ________________ are hackers of limited skill who use expertly written software to attack a system. (SS)

kiddies

Which of the following phases is often considered the longest and most expensive phase of the systems development life cycle?

maintenance and change

A computer virus consists of segments of code that perform __________________ actions. (SS)

malicious

In the well-known ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.

man-in-the-middle
