SRA111 Final Exam

Card Set Information
Author: guntoro
ID: 252403
Filename: SRA111 Final Exam
Updated: 2013-12-11 13:45:29
Tags: SRA111 Final Exam
Description: SRA111 Final Exam
The flashcards below were created by user guntoro on FreezingBlue Flashcards.


  1. 1. An e-mail virus involves sending an e-mail message with a modified field. (T/F)
    False - E-mail Spoofing (p.12)
  2. 2. The possession of information is the quality or state of having value for some purpose or end. (T/F)
    • False - state of ownership or control (p.15)
    • The utility of information is the quality or state of having value for some purpose or end.
  3. 3. Information security can be an absolute. (T/F)
    False - CAN NOT be absolute (p.19)
  4. 4. To achieve balance — that is, to operate an information system that satisfies the user and the security professional — the security level must allow reasonable access, yet protect against threats. (T/F)
    True (p.19)
  5. 5. Using a methodology increases the probability of success. (T/F)
    True (p.21)
  6. 6. The investigation phase of the SecSDLC begins with a directive from upper management. (T/F)
    True (p.26)
  7. 7. Recently, many states have implemented legislation making certain computer-related activities illegal. (T/F)
    True (p.27)
  8. 8. Applications systems developed within the framework of the traditional SDLC are designed to anticipate a software attack that requires some degree of application reconstruction. (T/F)
    False - Are NOT designed (p.29)
  9. 9. A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information. (T/F)
    True (p.30)
  10. 10. The roles of information security professionals are aligned with the goals and mission of the information security community of interest. (T/F)
    True (p.31)
  11. 11. Information security safeguards the technology assets in use at the organization. (T/F)
    True (p.41)
  12. 12. Two watchdog organizations that investigate allegations of software abuse: SIIA and NSA. (T/F)
    False - SIIA (Software & Information Industry Association) & BSA (Business Software Alliance) (p.46)
  13. 13. A number of technical mechanisms—digital watermarks and embedded code, copyright codes, and even the intentional placement of bad sectors on software media—have been used to enforce copyright laws. (T/F)
    True (p.46)
  14. 14. Expert hackers are extremely talented individuals who usually devote lots of time and energy to attempting to break into other people’s information systems. (T/F)
    True (p.53)
  15. 15. Forces of nature, force majeure, or acts of God can present some of the most dangerous threats, because they usually occur with very little warning and are beyond the control of people. (T/F)
    True (p.56)
  16. 16. Compared to Web site defacement, vandalism within a network is less malicious in intent and more public. (T/F)
    False - vandalism within a network is more malicious in intent and less public (p.61)
  17. 17. A mail bomb is a form of DoS. (T/F)
    True (p.70)
  18. 18. A sniffer program shows all the data going by on a network segment including passwords, the data inside files—such as word-processing documents—and screens full of sensitive data from applications. (T/F)
    True (p.70)
  19. 19. A timing attack involves the interception of cryptographic elements to determine keys and encryption algorithms. (T/F)
    True (p.74). Note that this is the textbook's usage; in the cryptographic literature a timing attack more often means a side-channel attack that infers a key from measured differences in how long an operation takes.
  20. 20. Organizations can use dictionaries to disallow passwords during the reset process and thus guard against easy-to-guess passwords. (T/F)
    True (p.67)
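The dictionary check that card 20 describes, as an added example that is not part of the card set or the textbook. The wordlist is a constructed stand-in for a real cracking dictionary; the leet-substitution table and the reset rules are assumptions for illustration.

```python
import re
import unicodedata

# Constructed mini wordlist for the example (hypothetical). A real deployment
# would load a cracking dictionary plus a list of previously breached passwords.
DICTIONARY = {
    "password", "welcome", "letmein", "dragon", "monkey",
    "qwerty", "summer", "football", "pennstate",
}

# Common "leet" substitutions that attackers already try, so they buy no strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def variants(candidate: str) -> set:
    """Normalised forms a dictionary check should cover: lower-cased, with
    leading/trailing digits and symbols stripped, with leet substitutions
    undone, and each of those reversed (e.g. 'drowssaP99' -> 'password')."""
    base = unicodedata.normalize("NFKC", candidate).lower()
    stripped = _EDGE_JUNK.sub("", base)
    forms = {
        stripped,
        stripped.translate(LEET),
        _EDGE_JUNK.sub("", base.translate(LEET)),
    }
    forms |= {f[::-1] for f in forms}
    forms.discard("")
    return forms


def is_dictionary_based(candidate: str, dictionary=DICTIONARY) -> bool:
    """True if any normalised form of the candidate is a dictionary word."""
    return any(form in dictionary for form in variants(candidate))


def check_reset(candidate: str, min_length: int = 12) -> list:
    """Reasons a proposed password must be rejected during a reset
    (an empty list means accept)."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_dictionary_based(candidate):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "drowssaP99", "Dragon1", "correct horse battery staple"):
        print(f"{pw!r:34} -> {check_reset(pw) or 'accepted'}")
```

The normalisation matters more than the wordlist size: "P@ssw0rd1!" satisfies most composition rules yet is a trivial transform of "password". A check like this complements, rather than replaces, screening against breached-password lists and rate-limiting of login attempts.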
  21. 21. The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not. (T/F)
    False - laws carry the authority of a governing body; ethics do not (p.91)
  22. 22. HIPAA specifies particular security technologies for each of the security requirements to ensure the privacy of the health-care information. (T/F)
    False - HIPAA does not specify particular technologies (p.94)
  23. 23. Every state has implemented uniform laws and regulations placed on organizational use of computer technology. (T/F)
    False - Not Uniform (p.100)
  24. 24. The Association for Computing Machinery and the Information Systems Security Association have the authority to banish violators of their ethical standards from practicing their trade. (T/F)
    False - they have no authority to banish violators from practicing their trade (p.102)
  25. 25. Cultural differences can make it easy to determine what is and is not ethical—especially when it comes to the use of computers. (T/F)
    False - Cultural differences can make it difficult (p.102)
  26. 26. Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident. (T/F)
    True (p.107)
  27. 27. The Information Systems Security Association (ISSA) is a nonprofit society of information security professionals whose primary mission is to bring together qualified information security practitioners for information exchange and educational development. (T/F)
    True (p.109)
  28. 28. Established in January 2001, the National InfraGard Program began as a cooperative effort between the FBI’s Cleveland Field Office and local technology professionals. (T/F)
    True (p.110)
  29. 29. The NSA is responsible for signal intelligence and information system security. (T/F)
    True (p.112)
  30. 30. The Secret Service is charged with the detection and arrest of any person committing a United States federal offense relating to computer fraud and false identification crimes. (T/F)
    True (p.113)
  31. 31. Risk control is the application of controls to reduce the risks to an organization’s data and information systems. (T/F)
    True (p.119)
  32. 32. Once the organizational threats have been identified, an assets identification process is undertaken. (T/F)
    False - assets are identified first; a threat assessment process then identifies the threats to those assets (p.121)
  33. 33. When determining the relative importance of each asset, refer to the organization’s mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts. (T/F)
    True (p.131)
  34. 34. The amount of money spent to protect an asset is based in part on the value of the asset. (T/F)
    True (p.132)
  35. 35. Protocols are activities performed within the organization to improve security. (T/F)
    False - Programs are (p.145)
  36. 36. Eliminating a threat is an impossible proposition. (T/F)
    False - it is possible, but difficult (p.147)
  37. 37. To determine if the risk is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited. (T/F)
    True (p.150)
  38. 38. Some argue that it is virtually impossible to determine the true value of information and information-bearing assets. (T/F)
    True (p.153)
  39. 39. Metrics-based measures are generally less focused on numbers and more strategic than process-based measures. (T/F)
    False - process-based measures are less focused on numbers and more strategic than metrics-based measures (p.157)
  40. 40. Organizations should communicate with system users throughout the development of the security program, letting them know that changes are coming. (T/F)
    True (p.162)
  41. 41. Quality security programs begin and end with policy. (T/F)
    True (p.177)
  42. 42. A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee’s actions. (T/F)
    False - Company WILL NOT protect them, and company IS NOT liable (p.184)
  43. 43. The policy administrator is responsible for the creation, revision, distribution, and storage of the policy. (T/F)
    True (p.188)
  44. 44. Information security safeguards provide two levels of control: managerial and remedial. (T/F)
    False - 3 levels of control: Managerial, Operational, and Technical (p.204)
  45. 45. Informational controls guide the development of education, training, and awareness programs for users, administrators, and management. (T/F)
    False - Operational Controls (p.205)
  46. 46. Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely. (T/F)
    True (p.210)
  47. 47. A disaster recovery plan addresses the preparation for and recovery from a disaster, whether natural or man-made. (T/F)
    True (p.212)
  48. 48. A cold site provides many of the same services and options of a hot site. (T/F)
    False - a warm site provides many of the same services as a hot site; a cold site provides only rudimentary services and facilities (p.233)
  49. 49. Database shadowing only processes a duplicate in real-time data storage but does not duplicate the databases at the remote site. (T/F)
    False - database shadowing also duplicates the databases at the remote site, often to multiple servers (p.235)
  50. 50. The Federal Bureau of Investigation deals with many computer crimes that are categorized as felonies. (T/F)
    True (p.238)
  51. 51. ____ was the first operating system to integrate security as its core functions.
    a. UNIX
    b. DOS
    c. MULTICS
    d. ARPANET
    c. MULTICS (p.6)
  52. 52. A(n) ____ attack is a hacker using a personal computer to break into a system.
    A. indirect
    B. software
    C. hardware
    D. direct
    D. direct (p.9)
  53. 53. A computer is the ____ of an attack when it is used to conduct the attack.
    A. subject
    B. object
    C. target
    D. facilitator
    A. subject (p.11)
  54. 54. In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a ____ value.
    A. code
    B. hash
    C. key
    D. hashing
    B. hash (p.14)
  55. 55. The most successful kind of top-down approach involves a formal development strategy referred to as a ____.
    A. systems design
    B. development life project
    C. systems development life cycle
    D. systems schema
    C. systems development life cycle (p.20)
  56. 56. The ____ model consists of six general phases.
    A. waterfall
    B. pitfall
    C. 5SA&D
    D. SysSP
    A. waterfall (p.21)
  57. 57. Which of the following phases is the longest and most expensive phase of the systems development life cycle?
    A. logical design
    B. maintenance and change
    C. investigation
    D. implementation
    B. maintenance and change (p.23)
  58. 58. Organizations are moving toward more ____-focused development approaches, seeking to improve not only
    the functionality of the systems they have in place, but consumer confidence in their product.
    A. accessibility
    B. security
    C. reliability
    D. availability
    B. security (p.26)
  59. 59. Part of the logical design phase of the SecSDLC is planning for partial or catastrophic loss. ____ dictates
    what steps are taken when an attack occurs.
    A. Security response
    B. Disaster recovery
    C. Continuity planning
    D. Incident response
    D. Incident response (p.27)
  60. 60. Which of the following is a valid type of data ownership?
    a. Data owners
    b. Data custodians
    c. Data users
    d. All of the above
    d. All of the above (p.30)
  61. 61. ____ is an integrated system of software, encryption methodologies, and legal agreements that can be used to
    support the entire information infrastructure of an organization.
    A. PKC
    B. SSL
    C. PKI
    D. SIS
    C. PKI - Public Key Infrastructure (p.42)
  62. 62. ____ are software programs that hide their true nature, and reveal their designed behavior only when
    activated.
    A. Viruses
    B. Worms
    C. Trojan horses
    D. Spam
    C. Trojan horses (p.48)
  63. 63. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____.
    A. urban legends
    B. hoaxes
    C. false alarms
    D. power faults
    B. hoaxes (p.50)
  64. 64. Web hosting services are usually arranged with an agreement providing minimum service levels known as a(n) ____.
    A. MIN
    B. MSL
    C. SLA
    D. SSL
    C. SLA - Service Level Agreement (p.51)
  65. 65. There are generally two skill levels among hackers: expert and ____.
    A. novice
    B. packet monkey
    C. professional
    D. journeyman
    A. novice (p.53)
  66. 66. According to Mark Pollitt, ____ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents.
    A. hacking
    B. cyberterrorism
    C. infoterrorism
    D. cracking
    B. cyberterrorism (p.62)
  67. 67. The ____ data file contains the hashed representation of the user’s password.
    A. SAM
    B. SLA
    C. SNMP
    D. FBI
    A. SAM - Security Account Manager, the Windows database that holds hashed local account passwords (p.67)
  68. 68. In a ____ attack, the attacker sends a large number of connection or information requests to a target.
    A. distributed denial-of-service
    B. denial-of-service
    C. spam
    D. virus
    B. denial-of-service (p.67)
  69. 69. ____ are machines that are directed remotely (usually by a transmitted command) by the attacker to participate in an attack.
    A. Drones
    B. Zombies
    C. Helpers
    D. Servants
    B. Zombies (p.67)
  70. 70. In the well-known ____ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and
    inserts them back into the network.
    A. man-in-the-middle
    B. zombie-in-the-middle
    C. server-in-the-middle
    D. sniff-in-the-middle
    A. man-in-the-middle (p.70)
  71. 71. ____ law comprises a wide variety of laws that govern a nation or state.
    A. Civil
    B. Private
    C. Public
    D. Criminal
    A. Civil (p.92)
  72. 72. The Computer ____ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.
    A. Theft
    B. Usage
    C. Violence
    D. Fraud
    D. Fraud (p.96)
  73. 73. The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any ____ purposes.
    A. billing
    B. customer service
    C. marketing
    D. troubleshooting
    C. marketing (p.93)
  74. 74. Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications?
    A. Electronic Communications Privacy Act
    B. Sarbanes-Oxley Act
    C. Economic Espionage Act
    D. Financial Services Modernization Act
    A. Electronic Communications Privacy Act (p.94)
  75. 75. Which of the following acts is also widely known as the Gramm-Leach-Bliley Act?
    A. Economic Espionage Act
    B. Communications Act
    C. Computer Security Act
    D. Financial Services Modernization Act
    D. Financial Services Modernization Act (p.97)
  76. 76. ____ defines stiffer penalties for prosecution of terrorist crimes.
    A. Gramm-Leach-Bliley Act
    B. Economic Espionage Act
    C. USA Patriot Act
    D. Sarbanes-Oxley Act
    C. USA Patriot Act (p.97)
  77. 77. ____ attempts to prevent trade secrets from being illegally shared.
    A. Sarbanes-Oxley Act
    B. Economic Espionage Act
    C. Electronic Communications Privacy Act
    D. Financial Services Modernization Act
    B. Economic Espionage Act (p.98)
  78. 78. The Council of Europe adopted the Convention of Cybercrime in ____.
    A. 1986
    B. 2001
    C. 1976
    D. 1998
    B. 2001 (p.100)
  79. 79. Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage ____.
    A. with malice
    B. by accident
    C. with negligence
    D. with intent
    B. by accident (p.107)
  80. 80. Laws and policies and their associated penalties only deter if which of the following conditions is present?
    a. Fear of penalty
    b. Probability of being caught
    c. Probability of penalty being administered
    d. All of the above
    d. All of the above (p.107)
  81. 81. The concept of competitive ____ refers to falling behind the competition.
    A. drawback
    B. failure
    C. disadvantage
    D. shortcoming
    C. disadvantage (p.119)
  82. 82. ____ addresses are sometimes called electronic serial numbers or hardware addresses.
    A. DHCP
    B. MAC
    C. IP
    D. HTTP
    B. MAC (p.124)
  83. 83. Many corporations use a ____ to help secure the confidentiality and integrity of information.
    A. data restoration scheme
    B. data classification scheme
    C. data hierarchy
    D. system classification scheme
    B. data classification scheme (p.126)
  84. 84. In the U.S. military classification scheme, ____ data is any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
    A. confidential
    B. sensitive
    C. secret
    D. top secret
    A. confidential (p.127). In the U.S. scheme the levels are graded by expected harm from unauthorized disclosure: Confidential - "damage"; Secret - "serious damage"; Top Secret - "exceptionally grave damage".
  85. 85. In a(n) ____, each information asset is assigned a score for each of a set of assigned critical factor.
    A. COMSEC
    B. weighted factor analysis
    C. OPSEC
    D. data classification scheme
    B. weighted factor analysis (p.133)
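The weighted factor analysis of card 85 carried through in code, as an added example that is not part of the card set or the textbook. The criteria, their weights (summing to 100), the asset names and the 0.1 to 1.0 scores are all constructed for the example.

```python
# Criteria with weights summing to 100, and each asset's score (0.1-1.0) per
# criterion. All values and asset names are constructed for this example.
CRITERIA = {
    "impact on revenue": 30,
    "impact on profitability": 40,
    "impact on public image": 30,
}

ASSETS = {
    "customer order database": {"impact on revenue": 0.8, "impact on profitability": 0.9, "impact on public image": 0.5},
    "public web server":       {"impact on revenue": 0.6, "impact on profitability": 0.5, "impact on public image": 0.9},
    "EDI document server":     {"impact on revenue": 0.4, "impact on profitability": 0.5, "impact on public image": 0.3},
    "HR file share":           {"impact on revenue": 0.2, "impact on profitability": 0.3, "impact on public image": 0.6},
}


def validate(criteria: dict, assets: dict) -> None:
    """Weights must total 100 and every asset must score every criterion in 0.1-1.0."""
    total = sum(criteria.values())
    if total != 100:
        raise ValueError(f"criterion weights sum to {total}, not 100")
    for name, scores in assets.items():
        missing = set(criteria) - set(scores)
        if missing:
            raise ValueError(f"{name}: no score for {sorted(missing)}")
        for crit, s in scores.items():
            if not 0.1 <= s <= 1.0:
                raise ValueError(f"{name}: score {s} for {crit!r} outside 0.1-1.0")


def weighted_score(scores: dict, criteria: dict = CRITERIA) -> float:
    """Sum of weight * score over the criteria, rounded to two decimals."""
    return round(sum(w * scores[c] for c, w in criteria.items()), 2)


def rank_assets(assets: dict = ASSETS, criteria: dict = CRITERIA) -> list:
    """Assets ordered from most to least important, as (name, score) pairs."""
    validate(criteria, assets)
    ranked = [(name, weighted_score(scores, criteria)) for name, scores in assets.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_assets():
        print(f"{score:5.1f}  {name}")
```

The resulting order (database 75, web server 65, EDI server 41, file share 36) is what drives how much is spent protecting each asset (card 34). The validation step matters in practice: a weight table that silently sums to 110, or an asset missing a score, produces rankings that look precise but are not comparable.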
  86. 86. The ____ security policy is an executive-level document that outlines the organization’s approach and attitude
    towards information security and relates the strategic value of information security within the organization.
    A. general
    B. system-specific
    C. agency
    D. issue-specific
    A. general (p.144)
  87. 87. The ____ strategy attempts to prevent the exploitation of the vulnerability.
    A. defined control
    B. suspend control
    C. transfer control
    D. defend control
    D. defend control (p.146)
  88. 88. The actions an organization can and perhaps should take while an incident is in progress should be specified
    in a document called the ____ plan.
    A. BC
    B. BR
    C. IR
    D. DR
    C. IR (p.148)
  89. 89. The ____ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
    A. mitigation
    B. accept control
    C. transference
    D. avoidance of risk
    B. accept control (p.149)
  90. 90. When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as a(n) ____.
    A. due diligence action
    B. best practice
    C. standard of due care
    D. golden standard action
    C. standard of due care (p.157)
  91. 91. Strategic planning is the process of moving the organization towards its ____.
    A. mission
    B. vision
    C. standard
    D. policy
    B. vision (p.179)
  92. 92. A security ____ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.
    A. framework
    B. blanket
    C. mission
    D. plan
    A. framework (p.190)
  93. 93. Effective management includes planning and ____.
    a. organizing
    b. leading
    c. controlling
    d. All of the above
    d. All of the above (p.196)
  94. 94. ____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
    A. Operational
    B. Technical
    C. Managerial
    D. Informational
    C. Managerial (p.204)
  95. 95. Redundancy can be implemented at a number of points throughout the security architecture, such as in ____.
    a. firewalls
    b. proxy servers
    c. access controls
    d. All of the above
    d. All of the above (p.205)
  96. 96. ____ controls address personnel security, physical security, and the protection of production inputs and
    outputs.
    A. Informational
    B. Technical
    C. Operational
    D. Managerial
    C. Operational (p.205)
  97. 97. A buffer against outside attacks is frequently referred to as a(n) ____.
    A. firewall
    B. proxy server
    C. DMZ
    D. no-man’s land
    C. DMZ (p.207)
  98. 98. A(n) ____ plan deals with the identification, classification, response, and recovery from an incident.
    A. BC
    B. CM
    C. IR
    D. DR
    C. IR (p.212)
  99. 99. A ____ site provides only rudimentary services and facilities.
    A. cold
    B. warm
    C. hot
    D. cool
    A. cold (p.233)
  100. 100. The transfer of large batches of data to an off-site facility is called ____.
    A. remote journaling
    B. electronic vaulting
    C. database shadowing
    D. security perimeter
    B. electronic vaulting (p.235)
