Ch13 Information Security Full Test Bank

Chapter 13

Information Security

Question Type: True/False

1) Having one backup of your business data is sufficient for security purposes.

Learning Objective: Describe a real-world application of information security.

Section Reference 1: IT’s About Business 13.1: Thomas Tax Service

Difficulty: Easy

2) The security of each computer on the Internet is independent of the security of all other computers on the Internet.

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference 1: 13.1 Introduction to Information Security

Difficulty: Easy

3) The computing skills necessary to be a hacker are decreasing.

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference 1: 13.1 Introduction to Information Security

Difficulty: Easy

4. Human errors cause more than half of the security-related problems in many organizations.

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Section Reference 1: 13.2 Unintentional Threats to Information Systems

Difficulty: Easy

5) The higher the level of an employee in organization, the greater the threat that he or she poses to the organization.

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Section Reference 1: 13.2 Unintentional Threats to Information Systems

Difficulty: Easy

6) Dumpster diving is always illegal because it involves trespassing on private property.

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

7) Software can be copyrighted.

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

8) Trojan horses are software programs that hide in other computer programs and reveal their designed behavior only when they are activated.

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

9) Zero-day attacks use deceptive e-mails to acquire sensitive personal information.

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Medium

10) In most cases, cookies track your path through Web sites and are therefore invasions of your privacy.

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

11) Cyberterrorism and cyberwarfare can attack supervisory control and data acquisition (SCADA) systems to cause widespread physical damage.

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

12) Supervisory control and data acquisition (SCADA) systems require human data input.

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Medium

13) Cyberterrorism is usually carried out by nations.

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

14) IT security is the responsibility of everyone in the organization.

Learning Objective: Define the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference 1: 13.4 What Organizations Are Doing to Protect Information Resources

Difficulty: Easy

15) Risk analysis involves determining whether security programs are working.

Learning Objective: Define the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference 1: 13.4 What Organizations Are Doing to Protect Information Resources

Difficulty: Medium

16) A password refers to “something the user is.”

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Easy

17) Organizations utilize layers of controls because they face so many diverse threats to information security.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

18) Public-key encryption uses two different keys, one public and one private.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

19) Voice recognition is an example of “something a user does” authentication.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

20) Organizations use authentication to establish privileges to systems operations.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

21) The area located between two firewalls within an organization is called the demilitarized zone.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Easy

22) A VPN is a network within the organization.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Easy

23) A URL that begins with https rather than http indicates that the site transmits using an extra layer of security called transport layer security.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Easy

24) Backup plans are not always necessary.

Learning Objective: Describe a real-world application of information security.

Section Reference: Opening Case

Difficulty: Medium

25) Social engineers often impersonate legitimate employees.

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Section Reference: 13.2 Unintentional Threats to Information Systems

Difficulty: Easy

26) Cookies in your web browser are not tracked by businesses.

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

27) The University of Exeter had an excellent IT staff, so their systems were completely functional even after a virus attack.

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference: 13.3 IT’s About Business: Virus Attack Hits the University of Exeter

Difficulty: Easy

28) SCADA attacks like Stuxnet are an act of cyberwarfare.

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference: 13.3 IT’s About Business: The Stuxnet Worm

Difficulty: Easy

29) Authentication and authorization are synonyms.

Learning Objective: Identify the three major types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference: 13.6 Information Security Controls

Difficulty: Easy

30) Employees needing access to the Web was City National Bank and Trust’s most significant security problem.

Learning Objective: Identify the three major types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference: 13.5 IT’s About Business: Information Security at City National Bank and Trust

Difficulty: Easy

31) You start a dog-walking service, and you store your client’s records on your cell phone. You don’t need to worry about information security.

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference 1: 13.1 Introduction to Information Security

Difficulty: Easy

Question Type: Multiple Choice

32) Which of the following is not a consequence of poor information security practices?

a) Stolen information

b) Stolen identities

c) Financial loss

d) Loss of service

e) All of the above are consequences of poor information security practices.

Learning Objective: Describe a real-world application of information security.

Section Reference 1: IT’s About Business 13.1: Thomas Tax Service

Difficulty: Easy

33) In its study of various organizations, the Ponemon Institute found that the most common cause of data breaches was:

a) Weak passwords.

b) Unattended computers.

c) Employee negligence.

d) Contract labor, such as consultants.

e) Poor antivirus software.

Learning Objective: Describe a real-world application of information security.

Section Reference 1: IT’s About Business 13.1: Thomas Tax Service

Difficulty: Hard

34) Which of the following factors is not increasing the threats to information security?

a) Smaller computing devices

b) Downstream liability

c) The Internet

d) Limited storage capacity on portable devices

e) Due diligence

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference 1: 13.1 Introduction to Information Security

Difficulty: Medium

35) The computing skills necessary to be a hacker are decreasing for which of the following reasons?

a) More information systems and computer science departments are teaching courses on hacking so that their graduates can recognize attacks on information assets.

b) Computer attack programs, called scripts, are available for download from the Internet.

c) International organized crime is training hackers.

d) Cybercrime is much more lucrative than regular white-collar crime.

e) Almost anyone can buy or access a computer today.

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference 1: 13.1 Introduction to Information Security

Difficulty: Hard

36) Rank the following in terms of dollar value of the crime, from highest to lowest.

a) Robbery – white collar crime – cybercrime

b) White collar crime – extortion – robbery

c) Cybercrime – white collar crime – robbery

d) Cybercrime – robbery – white collar crime

e) White collar crime – burglary – robbery

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference 1: 13.1 Introduction to Information Security

Difficulty: Medium

37) A _____ is any danger to which an information resource may be exposed.

a) vulnerability

b) risk

c) control

d) threat

e) compromise

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference 1: 13.1 Introduction to Information Security

Difficulty: Easy

38) An information system’s _____ is the possibility that the system will be harmed by a threat.

a) vulnerability

b) risk

c) control

d) danger

e) compromise

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference 1: 13.1 Introduction to Information Security

Difficulty: Easy

39) The most overlooked people in information security are:

a) Consultants and temporary hires.

b) Secretaries and consultants.

c) Contract laborers and executive assistants.

d) Janitors and guards.

e) Executives and executive secretaries.

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Section Reference 1: 13.2 Unintentional Threats to Information Systems

Difficulty: Easy

40) Employees in which functional areas of the organization pose particularly grave threats to information security?

a) Human resources, finance

b) Human resources, management information systems

c) Finance, marketing

d) Operations management, management information systems

e) Finance, management information systems

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Section Reference 1: 13.2 Unintentional Threats to Information Systems

Difficulty: Easy

41) Unintentional threats to information systems include all of the following except:

a) Malicious software

b) Tailgating

c) Power outage

d) Lack of user experience

e) Tornados

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Section Reference 1: 13.2 Unintentional Threats to Information Systems

Difficulty: Medium

42) _____ involves building an inappropriate trust relationship with employees for the purpose of gaining sensitive information or unauthorized access privileges.

a) Tailgating

b) Hacking

c) Spoofing

d) Social engineering

e) Spamming

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Section Reference 1: 13.2 Unintentional Threats to Information Systems

Difficulty: Easy

43) The cost of a stolen laptop includes all of the following except:

a) Loss of intellectual property

b) Loss of data

c) Backup costs

d) Loss of productivity

e) Replacement cost

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

44) Dumpster diving is:

a) Always illegal because it is considered trespassing.

b) Never illegal because it is not considered trespassing.

c) Typically committed for the purpose of identity theft.

d) Always illegal because individuals own the material in the dumpster.

e) Always legal because the dumpster is not owned by private citizens.

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Medium

45) Cybercriminals can obtain the information they need in order to assume another person’s identity by:

a) Infiltrating an organization that stores large amounts of personal information.

b) Phishing.

c) Hacking into a corporate database.

d) Stealing mail.

e) All of the above are strategies to obtain information to assume another person’s identity.

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

46) A _____ is intellectual work that is known only to a company and is not based on public information.

a) copyright

b) patent

c) trade secret

d) knowledge base

e) private property

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

47) A pharmaceutical company’s research and development plan for a new class of drugs would be best described as which of the following?

a) Copyrighted material

b) Patented material

c) A trade secret

d) A knowledge base

e) Public property

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

48) A _____ is a document that grants the holder exclusive rights on an invention for 20 years.

a) copyright

b) patent

c) trade secret

d) knowledge base

e) private property notice

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

49) An organization’s e-mail policy has the least impact on which of the following software attacks?

a) Virus

b) Worm

c) Phishing

d) Denial-of-Service attack

e) Spear phishing

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 4.3 Deliberate Threats to Information Systems

Difficulty: Hard

50) _____ are segments of computer code that attach to existing computer programs and perform malicious acts.

a) Viruses

b) Worms

c) Trojan horses

d) Back doors

e) Logic bombs

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

51) _____ are software programs that hide in other computer programs and reveal their designed behavior only when they are activated.

a) Viruses

b) Worms

c) Trojan horses

d) Back doors

e) Logic bombs

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

52) _____ are segments of computer code embedded within an organization’s existing computer programs that activate and perform a destructive action at a certain time or date.

a) Viruses

b) Worms

c) Trojan horses

d) Back doors

e) Logic bombs

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

53) A _____ attack uses deception to fraudulently acquire sensitive personal information by masquerading as an official e-mail.

a) Virus

b) Denial-of-service

c) Distributed denial-of-service

d) Phishing

e) Brute force dictionary

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

54) In a _____ attack, a coordinated stream of requests is launched against a target system from many compromised computers at the same time.

a) phishing

b) virus

c) worm

d) back door

e) distributed denial-of-service

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

55) The term _____ refers to clandestine software that is installed on your PC through duplicitous channels but is not particularly malicious.

a) Alien software

b) Virus

c) Worm

d) Back door

e) Logic bomb

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

56) Which of the following is(are) designed to use your computer as a launch pad for sending unsolicited e-mail to other computers?

a) Spyware

b) Spamware

c) Adware

d) Viruses

e) Worms

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

57) When companies attempt to counter _____ by requiring users to accurately select characters in turn from a series of boxes, attackers respond by using _____.

a) keyloggers, screen scrapers

b) screen scrapers, uninstallers

c) keyloggers, spam

d) screen scrapers, keyloggers

e) spam, keyloggers

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Medium

58) _____ is the process in which an organization assesses the value of each asset being protected, estimates the probability that it will be compromised, and compares the probable costs of an attack with the costs of protecting the asset.

a) Risk management

b) Risk analysis

c) Risk mitigation

d) Risk acceptance

e) Risk transference

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference 1: 13.4 What Organizations Are Doing to Protect Information Resources

Difficulty: Easy

59) Which of the following statements is false?

a) Credit card companies usually block stolen credit cards rather than prosecute.

b) People tend to shortcut security procedures because the procedures are inconvenient.

c) It is easy to assess the value of a hypothetical attack.

d) The online commerce industry isn’t willing to install safeguards on credit card transactions.

e) The cost of preventing computer crimes can be very high.

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference 1: 13.4 What Organizations Are Doing to Protect Information Resources

Difficulty: Easy

60) In _____, the organization takes concrete actions against risks.

a) risk management

b) risk analysis

c) risk mitigation

d) risk acceptance

e) risk transference

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference 1: 4.4 What Organizations Are Doing to Protect Information Resources

Difficulty: Easy

61) Which of the following is not a strategy for mitigating the risk of threats against information?

a) Continue operating with no controls and absorb any damages that occur

b) Transfer the risk by purchasing insurance.

c) Implement controls that minimize the impact of the threat

d) Install controls that block the risk.

e) All of the above are strategies for mitigating risk.

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference 1: 13.4 What Organizations Are Doing to Protect Information Resources

Difficulty: Easy

62) In _____, the organization purchases insurance as a means to compensate for any loss.

a) risk management

b) risk analysis

c) risk mitigation

d) risk acceptance

e) risk transference

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference 1: 13.4 What Organizations Are Doing to Protect Information Resources

Difficulty: Easy

63) Which of the following statements concerning the difficulties in protecting information resources is not correct?

a) Computing resources are typically decentralized.

b) Computer crimes often remain undetected for a long period of time.

c) Rapid technological changes ensure that controls are effective for years.

d) Employees typically do not follow security procedures when the procedures are inconvenient.

e) Computer networks can be located outside the organization.

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference 1: 13.4 What Organizations Are Doing to Protect Information Resources

Difficulty: Medium

64) _____ controls are concerned with user identification, and they restrict unauthorized individuals from using information resources.

a) Access

b) Physical

c) Data security

d) Administrative

e) Input

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Easy

65) Access controls involve _____ before _____.

a) biometrics, signature recognition

b) authentication, authorization

c) iris scanning, voice recognition

d) strong passwords, biometrics

e) authorization, authentication

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Easy

66) Biometrics are an example of:

a) Something the user is.

b) Something the user wants.

c) Something the user has.

d) Something the user knows.

e) Something the user does.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Easy

67) Voice and signature recognition are examples of:

a) Something the user is.

b) Something the user wants.

c) Something the user has.

d) Something the user knows.

e) Something the user does.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Easy

68) Passwords and passphrases are examples of:

a) Something the user is.

b) Something the user wants.

c) Something the user has.

d) Something the user knows.

e) Something the user does.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Easy

69) Which of the following is not a characteristic of strong passwords?

a) They are difficult to guess.

b) They contain special characters.

c) They are not a recognizable word.

d) They are not a recognizable string of numbers

e) They tend to be short so they are easy to remember.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

70) Which of the following is not an example of a weak password?

a) IloveIT

b) 08141990

c) 9AmGt/*

d) Rainer

e) InformationSecurity

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

71) Bob is using public key encryption to send a message to Ted. Bob encrypts the message with Ted’s _____ key, and Ted decrypts the message using his _____ key.

a) public, public

b) public, private

c) private, private

d) private, public

e) none of these

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

72) Which of the following statements concerning firewalls is not true?

a) Firewalls prevent unauthorized Internet users from accessing private networks.

b) Firewalls examine every message that enters or leaves an organization’s network.

c) Firewalls filter network traffic according to categories of activities that are likely to cause problems.

d) Firewalls filter messages the same way as anti-malware systems do.

e) Firewalls are sometimes located inside an organization’s private network.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

73) In a process called _____, a company allows nothing to run unless it is approved, whereas in a process called _____, the company allows everything to run unless it is not approved.

a) whitelisting, blacklisting

b) whitelisting, encryption

c) encryption, whitelisting

d) encryption, blacklisting

e) blacklisting, whitelisting

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

74) Organizations use hot sites, warm sites, and cold sites to insure business continuity. Which of the following statements is not true?

a) A cold site has no equipment.

b) A warm site has no user workstations.

c) A hot site needs to be located close to the organization’s offices.

d) A hot site duplicates all of the organization’s resources.

e) A warm site does not include actual applications.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Easy

75) Refer to IT’s About Business 13.2 – Virus Attack Hits the University of Exeter. Which of the following statements about the virus attack is true?

a) The attack was confined to the Exeter campus.

b) Telephone service was not disrupted.

c) It took three days to clean infected computers and bring the network back into operation.

d) Only the PCs owned by the University had to be scanned.

e) The attack did not affect the professors’ ability to run their classes.

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: IT’s About Business 13.2: Virus Attack Hits the University of Exeter

Difficulty: Medium

76) Refer to IT’s About Business 13.3 – The Stuxnet Worm: Which of the following statements is true?

a) The worm targeted large data warehouses.

b) The worm was fairly simplistic.

c) The worm spread from Iran to other countries.

d) The worm probably only took a month to build.

e) The worm specifically targeted nuclear facilities.

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: IT’s About Business 13.3: The Stuxnet Worm

Difficulty: Medium

77) Refer to IT’s About Business 13.4 – Information Security at City National Bank and Trust: Using the M86 Security software allowed City National Bank and Trust to do all of the following except:

a) Apply policy-based standards for e-mail.

b) Comply with Sarbanes-Oxley.

c) Categorize Web sites and block questionable ones.

d) Provide all employees with secure access to external e-mail.

e) Prevent employees from downloading potentially dangerous files.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: IT’s About Business 13.4 Information Security at City National Bank and Trust

Difficulty: Medium

78) Refer to Opening Case – 13.1 Cybercriminals Use Social Networks for Targeted Attacks: Cybercriminals use Facebook for all of the following reasons except:

a) It is easy to get into the Facebook code itself.

b) People trust messages from their Facebook friends.

c) Social networks aren’t closely regulated in corporate network defense systems.

d) Many social network users aren’t technology savvy and wouldn’t realize their computer is under the control of outsiders.

e) There is a black market for Facebook usernames and passwords.

Learning Objective: Describe a real-world application of information security.

Section Reference 1: 13.1 Chapter Opener: Cybercriminals Use Social Networks for Targeted Attacks

Difficulty: Medium

79) Your company’s headquarters was just hit head on by a hurricane, and the building has lost power. The company sends you to their hot site to minimize downtime from the disaster. Which of the following statements is true?

a) The site will not have any servers.

b) The site will not have any workstations, so you need to bring your laptop.

c) The site is probably in the next town.

d) The site should be an almost exact replica of the IT configuration at headquarters.

e) The site will not have up-to-date data.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

80) You receive an e-mail from your bank informing you that they are updating their records and need your password. Which of the following statements is true?

a) The message could be an industrial espionage attack.

b) The message could be a phishing attack.

c) The message could be a denial of service attack.

d) The message could be a back door attack.

e) The message could be a Trojan horse attack.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

81) You start a new job, and the first thing your new company wants you to do is create a user ID and a password. Which of the following would be a strong password?

a) The name of the company

b) Your last name

c) Your birthdate

d) Your initials (capitalized) and the number of the floor you are on

e) The name of the company spelled backward

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

82) You start a new job, and human resources gives you a ten-page document that outlines the employee responsibilities for information security. Which of the following statements is most likely to be true?

a) The document recommends that login passwords be left on a piece of paper in the center desk drawer so that others can use the laptop if necessary.

b) You are expected to read the document, and you could be reprimanded if you don’t follow its guidelines.

c) You can back up sensitive data to a thumb drive so you can take them home to work with.

d) The document indicates that you can leave your laptop unlocked if you leave your desk for less than an hour.

e) The document permits you to lend your laptop to your brother for the weekend.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Easy

83) Which of the following is NOT a way you can protect yourself on-line?

a) Creating a complex password

b) Clicking only on links from friends

c) Installing antivirus software

d) Manage your privacy settings

Learning Objective: Describe a real-world application of information security.

Section Reference: 13.0 Opening Case

Difficulty: Hard

84) In the “Thomas Tax Service” case, Dwight had to manually restore his data because __________.

a) his backups were corrupt

b) he didn’t trust the technician

c) he didn’t have backups

d) he liked doing lots of extra work

Learning Objective: Describe a real-world application of information security.

Section Reference: 13.0 IT’s About Business: Thomas Tax Service

Difficulty: Easy

85) Which of the following is a characteristic of a backup?

a) They prevent computer failures.

b) They never have any problems.

c) They should only be done on a USB drive.

d) They make it easy to restore data.

Learning Objective: Describe a real-world application of information security.

Section Reference: 13.0 IT’s About Business: Thomas Tax Service

Difficulty: Easy

86) A(n) ______________ is any danger to which a system may be exposed.

a) Attack

b) Security failure

c) Threat

d) Vulnerability

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference: 13. 1 Introduction to Information Security

Difficulty: Easy

87) Which of the following is NOT a factor increasing the vulnerability of information resources?

a) Business environments are more connected than ever.

b) Our small, portable devices are much easier to steal or lose.

c) Hacking is more difficult, but hackers are more skilled.

d) Management support is lacking.

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference: 13.1 Introduction to Information Security

Difficulty: Easy

88) The Internet is a(n) ___________ network.

a) trusted

b) untrusted

c) neutral

d) unbiased

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference: 13. 1Introduction to Information Security

Difficulty: Medium

89) The employees who pose the biggest risk to information security work in _____________.

a) customer service

b) IT

c) marketing

d) sales

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference: 14.1 Introduction to Information Security

Difficulty: Easy

90) Being careless with your computing devices is ______________.

a) a deliberate threat

b) a human error

c) an intentional threat

d) social engineering

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Section Reference: 13.2 Unintentional Threats to Information Systems

Difficulty: Easy

91) Not logging off the company network when gone from the office for any extended period of time is an example of which type of human mistake?

a) Carelessness with computing devices

b) Poor password selection and use

c) Carelessness with one’s office

d) Carelessness using unmanaged devices

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Section Reference: 13.2 Unintentional Threats to Information Systems

Difficulty: Easy

92) Social engineering is typically _____________ human error on the part of an employee, but it is _____________ on the part of the attacker.

a) intentional, unintentional

b) intentional, intentional

c) unintentional, intentional

d) unintentional, unintentional

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Section Reference: 13.2 Unintentional Threats to Information Systems

Difficulty: Easy

93)____________ is an intellectual work, such as a business plan, that is a company secret and is not based on public information.

a) Copyright

b) Intellectual property

c) Patent

d) Trade secret

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

94) The main goal of phishing is _______________.

a) espionage

b) identity theft

c) sabotage

d) cyberterrorism

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference: 13.3 Deliberate Threats to Information Systems

Difficulty: Medium

95) A copyright provides creators of intellectual property with ownership of the property for the life of the creator plus _________ years.

a) 20

b) 50

c) 70

d) 100

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

96) A segment of computer code that performs malicious actions and will spread by itself without requiring another computer program.

a)Logic bomb

b) Trojan horse

c) Virus

d) Worm

Learning Objective: Discuss the nine types of deliberate attacks.

Section Reference: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

97) ___________ record(s) a continuous “movie” of what you do on a screen.

a) Adware programs

b) Keystroke loggers

c) Screen scrapers

d) Spamware

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

98) What made the University of Exeter’s system vulnerable to attack?

a) The appropriate patches for the security software had not been applied in a timely fashion.

b) The students and faculty didn’t log off the system, so an intruder was able to get onto the system very easily.

c) The university did not have a good spam policy, so the intruder was able to send the virus via e-mail.

d) The university did not run background checks on employees and hired the hacker without knowing about his past actions.

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference: 13.3 IT’s About Business: Virus Attack Hits the University of Exeter

Difficulty: Easy

99) Stuxnet is a _____________ that targets _____________ systems.

a) Virus, SCADA

b) Worm, SCADA

c) Virus, ERP

d) Worm, ERP

Learning Objective: 13.3 Discuss the ten types of deliberate attacks.

Section Reference: IT’s About Business: The Stuxnet Worm

Difficulty: Medium

100) _______________ assesses the value of each asset being protected, estimates the probability it might be compromised, and compares the probable costs of it being compromised with the cost of protecting it.

a) Risk analysis

b) Risk determination

c) Risk management

d) Risk mitigation

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference: What Organizations are Doing to Protect Information Resources

Difficulty: Easy

101) Risk _________ involves minimizing the impact of a threat.

a) acceptance

b) diversion

c) limitation

d) transference

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference: What Organizations are Doing to Protect Information Resources

Difficulty: Easy

102) Which of the following is NOT a reason it is difficult to protect information resources?

a) Many individuals control or have access to information assets.

b) There aren’t enough security procedures in place.

c) It is easy to be a hacker.

d) The costs of preventing hazards can be very high.

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference: What Organizations are Doing to Protect Information Resources

Difficulty: Medium

103) Purchasing insurance is an example of risk ___________.

a) acceptance

b) diversion

c) limitation

d) transference

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference: 13. 4 What Organizations are Doing to Protect Information Resources

Difficulty: Easy

104) Walls, doors, and fences are examples of __________ controls.

a) access

b) communications

c) network

d) physical

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference: 13.5 Information Security Controls

Difficulty: Easy

105) Biometrics is an example of something user ____________.

a) does

b) has

c) is

d) knows

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference: 13.5 Information Security Controls

Difficulty: Easy

106) ______________ is a process in which a company allows all software to run unless it is on the list.

a) Blacklisting

b) Graylisting

c) Hitlisting

d) Whitelisting

Learning Objective: Identify the three major types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference: 13.5 Information Security Controls

Difficulty: Easy

107) ______________ is a private network that uses a public network to connect users securely to the organization’s internal systems.

a) SSL

b) VPN

c) URL

d) A firewall

Learning Objective: Identify the three major types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference: 13.5 Information Security Controls

Difficulty: Easy

108) A DMZ is located ______________.

a) inside the company’s firewalls

b) outside the company’s firewalls

c) between 2 firewalls

d) on the Internet

Learning Objective: Identify the three major types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference: 13.5 Information Security Controls

Difficulty: Medium

109) A ___________ site does not include the actual applications the company runs.

a) cold

b) hot

c) warm

d) neutral

Learning Objective: Identify the three major types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference: 13.5 Information Security Controls

Difficulty: Easy

110) Auditing _____________ the computer means inputs, outputs, and processing are checked.

a) around

b) through

c) using

d) with

Learning Objective: Identify the three major types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference: 13,5 Information Security Controls

Difficulty: Easy

111) City National Bank and Trust’s policies are an example of _____________.

a) blacklisting

b) graylisting

c) whitelisting

d) paranoia

Learning Objective: Identify the three major types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference: 13.5 IT’s About Business: Information Security at City National Bank and Trust

Difficulty: Medium

Question Type: Essay

112) Compare trade secrets, patents, and copyrights as forms of intellectual property.

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Medium

113) Contrast unintentional and deliberate threats to an information resource. Provide examples of both.

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.2 Unintentional Threats to Information Systems

Section Reference 2: 13.3 Deliberate Threats to Information Systems

Difficulty: Medium

114) Contrast the following types of remote attacks: virus, worm, phishing, and spear phishing.

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Medium

115) Contrast the following types of attacks created by programmers: Trojan horse, back door, and logic bomb

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Medium

116) Contrast spyware and spamware.

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Easy

117) Contrast risk acceptance, risk limitation, and risk transference.

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference 1: 13.4 What Organizations Are Doing to Protect Information Resources

Difficulty: Medium

118) Describe public key encryption.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

119) Compare a hot site, a warm site, and a cold site as strategies for business continuity.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

120) Contrast the four types of authentication.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

121) Identify and discuss the factors that are contributing to the increasing vulnerability of organizational information assets.

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference 1: 13.1 Introduction to Information Security

Difficulty: Hard

122) Define identity theft, and explain the types of problems that it creates for the victims.

Learning Objective: Discuss the ten types of deliberate attacks.

Section Reference 1: 13.3 Deliberate Threats to Information Systems

Difficulty: Medium

123) Discuss the possible consequences of a terrorist attack on a supervisory control and data acquisition (SCADA) system.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Hard

124) Define the principle of least privilege, and consider how an organization’s senior executives might view the application of this principle.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Hard

125) Explain why anti-malware software is classified as reactive.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Hard

126) Describe how a digital certificate works.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Hard

127) Tim ventured out into the world of retail by renting a cart at a local mall. His product is personalized coffee mugs. He uses his laptop to track sales and to process credit card sales. He has a customer mailing list that is updated by customers on the laptop as well. At the end of each day, Tim backs up all of his data to a thumb drive and puts the drive into the laptop case with the laptop. Discuss Tim’s information security strategy.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference 1: 13.5 Information Security Controls

Difficulty: Medium

Question Type: Fill-in-the-Blank

128) Security is the _____________ against criminal activity, danger, damage, and/or loss.

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference: 13. 1 Introduction to Information Security

Difficulty: Easy

129) Social engineering is where the attacker uses _____________ to trick a legitimate employee into providing confidential company information such as passwords.

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Section Reference: 13.2 Unintentional Threats to Information Systems

Difficulty: Easy

130) Risk is the ___________ that a threat will impact information resources.

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference: 13.4 What Organizations are Doing to Protect Information Resources

Difficulty: Easy

131) ______________ is when permission is issued to individuals and groups to do certain activities that can be performed by users of the system.

Learning Objective: Identify the three major types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference: 13.5 Information Security Controls

Difficulty: Easy

132) Security is the _____________ against criminal activity, danger, damage, and/or loss.

Learning Objective: Identify the five factors that contribute to the increasing vulnerability of information resources, providing an example for each.

Section Reference: 13,1 Introduction to Information Security

Difficulty: Easy

133) Social engineering is where the attacker uses _____________ to trick a legitimate employee into providing confidential company information such as passwords.

Learning Objective: Compare and contrast human mistakes and social engineering, providing an example for each.

Section Reference: 13.2 Unintentional Threats to Information Systems

Difficulty: Easy

134) Risk is the ___________ that a threat will impact information resources.

Learning Objective: Discuss the three risk mitigation strategies, providing an example for each in the context of owning a home.

Section Reference: 13.4 What Organizations are Doing to Protect Information Resources

Difficulty: Easy

135) _______________ is when permission is issued to individuals and groups to do certain activities that can be performed by users of the system.

Learning Objective: Identify the types of controls that organizations can use to protect their information resources, providing an example for each.

Section Reference: 13.5 Information Security Controls

Difficulty: Easy

Legal Notice

Copyright © 2014 by John Wiley & Sons Canada, Ltd. or related companies. All rights reserved.

The data contained in these files are protected by copyright. This manual is furnished under licence and may be used only in accordance with the terms of such licence.

The material provided herein may not be downloaded, reproduced, stored in a retrieval system, modified, made available on a network, used to create derivative works, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without the prior written permission of John Wiley & Sons Canada, Ltd.