Security Chapter 7 Full Test Bank Pearlson - Managing Information Systems 7e Answer Key + Test Bank by Keri E. Pearlson. DOCX document preview.

File: 6e chapter7TextBank.docx, Chapter 7, Security

Multiple Choice

1. In the Office of Personnel Management’s case, the security breach made many people vulnerable to this.

  1. Loss of personal property
  2. Inaccurate personal data
  3. Identity theft
  4. Loss of access to personal data
  5. Credit card fees

2. When the Office of Personnel Management was hacked, all of the following are true EXCEPT:

  1. The hackers gained access to the building to steal the records
  2. It took the Office of Personnel Management many months to detect the break-in
  3. The hackers likely exploited a stolen password
  4. The hackers did not need to escape in the blue turbocharged vehicle
  5. None of the above (indicating that all are true)

Response: See page 148

3. Many organizations and even consumers use what to control access to a network like the Internet, allowing only authorized traffic to pass?

  1. Encryption
  2. VPN
  3. Firewall
  4. Anonymizing tools
  5. Filtering

4. If you receive an email that says it is from Sam Johnson, your boss, with an odd EXE file as an attachment, it could be dangerous for all of the following reasons EXCEPT:

  1. The email might not really be from Sam.
  2. The email might be from Sam’s computer without his or her knowledge.
  3. It could be dangerous even if it was sent knowingly because Sam didn’t know a virus might be attached.
  4. It could be dangerous because Sam gave someone his password once a long time ago
  5. None of the above (indicating that all are true).

5. It is estimated that ___ % of all firms have been breached.

  1. 5% or less
  2. 10% to 20%
  3. 40% to 60%
  4. 70% to 90%
  5. Over 95%

6. Who is responsible for decisions about security strategy?

  1. IT people
  2. Shared: IT leaders and business leaders
  3. Business leaders
  4. Consultants
  5. Team of consultants and IT people

7. Who is responsible for developing a cybersecurity culture?

  1. IT people
  2. IT leaders and business leaders share responsibility
  3. Business leaders
  4. Consultants
  5. Team of consultants and IT people

8. In the Anthem Blue Cross breach, where 80 million names, birthdays, social security numbers, etc., were stolen, the hackers got in by:

  1. Breaking into the building where they were stored
  2. Obtaining passwords of five or more high-level employees
  3. Making phone calls to insiders posing as IT people needing to log into their accounts
  4. Emailing each of the 80 million patients asking for their private information
  5. Recovering patient records from a large recycling bin

9. Quantify breaches that are caused by stealing a password

  1. A very low percentage (somewhere around 1%)
  2. A low percentage (around 10%)
  3. A moderate percentage (around 25%)
  4. A high percentage (around 50%)
  5. A very high percentage (around 80%)

10. The two most common passwords of all in 2018 were:

  1. Your birth date and anniversary date
  2. None at all—they most commonly skip passwords and just press ENTER to continue
  3. “password” and “123456”
  4. Spouse’s name and oldest child’s name
  5. “Rihanna” and “Lizzo”

11. An “evil twin” in the context of computer security is:

  1. A virus-laden attachment that looks just like a sincere attachment
  2. A duplicate badge that allows a nasty person entry into a data center
  3. Someone who looks just like the Chief Information Officer, but steals data
  4. An operating system that is not genuine
  5. A counterfeit Wi-Fi connection in a hotel or coffee shop that appears to be genuine

12. The cost of a data breach in 2018 is estimated to be:

  1. between $13 and $18 per record
  2. between $43 and $65 per record
  3. between $148 and $408 per record
  4. between $100 and $1,000 per record
  5. between $4,520 and $4,580 per record

13. On the black market, stolen data in a “kit” that contains credit card information plus social security number and medical information is worth:

  1. between $13 and $18 per record
  2. between $43 and $65 per record
  3. between $148 and $408 per record
  4. between $100 and $1,000 per record
  5. between $4,520 and $4,580 per record

14. It usually takes ____ for someone in a firm to discover a security compromise in a system, after the evidence shows up in logs or alerts

  1. Several seconds
  2. Several minutes
  3. Several hours
  4. Several days
  5. Several months

15. Included in the five critical elements that are used to raise security in a firm are all of the following EXCEPT:

  1. Infrastructure
  2. Law enforcement
  3. Policies
  4. Training
  5. Investments

16. Examples of multi-factor authentication are:

  1. passwords and text messages.
  2. passwords longer than one character.
  3. a human will chat with you to see who you are.
  4. using two badges to allow you into a building.
  5. none of the above.

17. All of the following are classic signs of a phishing message EXCEPT:

  1. Your email in-box is full and you must click on a link to increase storage
  2. You just won a lottery or contest, and you need to click on a link to claim your prize
  3. Poor grammar or spelling in a note that purports to be from a large company
  4. Goods or services are offered at an impossibly low price
  5. An emailed ad that oddly does not provide any active links

18. Spoofing is:

  1. When someone makes fun of you for falling for a phishing scam
  2. When the “from” address says the name/email address of a person different from who really sent it
  3. When hackers snoop around in a system
  4. When a person from IT unlocks your email account
  5. When you receive a notice of an inheritance

19. Which of the following are the five functions of the NIST Cybersecurity Framework?

  1. Identify, communicate, detect, recover, prosecute
  2. Communicate, detect, engage, respond, recover
  3. Protect, identify, communicate, recover, prosecute
  4. Identify, protect, detect, respond, recover
  5. Detect, recover, communicate, respond, engage

20. Which of the following are popular types of multifactor authentication?

  1. Knowledge, ownership, biometric
  2. VPN, biometric, text message
  3. Encryption, ownership, WEP/WPA
  4. Firewall, antispy/virus software, knowledge
  5. Biometric, system logs, transmission tools

21. The concept of having multiple layers of security policies and practices is known as:

  1. Cybersecurity culture
  2. Multifactor authentication
  3. Defense in depth
  4. Biometrics
  5. Zero-day threat

22. All of the following are part of the cybersecurity balanced scorecard EXCEPT:

  1. Risk measures
  2. People measures
  3. Supply chain measures
  4. Threat measures
  5. Technology measures

True/False

  1. Over time, attackers have not become more sophisticated to be able to attack systems or create viruses.
  2. If you receive an email from your son, and the body of the email tells you to open an attachment because it is funny, the risk is pretty close to zero because it came from your son.
  3. In the Target breach, the HVAC systems were actually attached to the retail sales system.
  4. In the Target breach, the IT department was warned on or about the time the files were transferred.
  5. According to the late L. Dain Gary, “You cannot make a computer secure.”
  6. A hacker who buys credit card information from hackers receives a short-term guarantee in case the card is declined.
  7. The Dark Web offers “as-a-service” options for the technologies and tools cybercriminals purchase, which can include help desk service.
  8. The deep web is a part of the internet that includes unindexed websites offering both legal and illegal items, such as passports, citizenship, and even murders for hire.
  9. The Deep Web is reputed to be 400 times larger than the public web.
  10. A challenge question is when you are stopped at the gate and the guard asks who you are.
  11. Two-factor authentication is when you use two different methods for people trying to use the system. For instance, you can use a password and a challenge question.
  12. Cybersecurity is more about management actions than technology decisions.
  13. Cyberinsurance can be one way a company manages its technology measure on the cybersecurity balanced scorecard.
  14. Firewalls can be either in hardware or software form.

Short Answer

  1. Taking action on a detected cybersecurity breach is part of the ____ function of the NIST Cybersecurity Framework.
  2. Continuous monitoring for anomalies and unplanned events is part of the ____ function of the NIST CSF.
  3. ____ is a situation in which the thief counterfeits a different person’s address.
  4. ____ is a piece of software that traps keystrokes and stores them for hackers to inspect later?
  5. System updates and patches provided by system vendors is a best practice known as ____.
  6. ____ is a highly targeted cyber attack that usually mimics a familiar relationship to the user.
  7. Cyber culture and behavior are defined by attitudes, beliefs, and ____.
  8. What is Poulsen’s Law?

Essay

  1. What security and controls should a company use to protect its computer infrastructure? Why do managers need to be involved in the governance of security and control measures?
  2. Internal threats are considered the most lethal threat. What are they, why are they so lethal, and what can a company do to protect against them?
  3. What are the shortcomings of passwords?
  4. What is a challenge question?
  5. Of the seven security policies noted in the (Figure 7.7), name and describe at least three.
  6. Explain the importance of creating a cybersecurity culture and give examples of major symptoms of improper decisions.
  7. Why is it important to measure how cybersecure we are? Describe the purpose of the cybersecurity balanced scorecard.

Matching

52. Match the security tool to its security category.

| Security category | Security tool |
| --- | --- |
| Hardware system security and control | Firewalls used to control access to a network |
| Hardware system security and control | Encryption techniques to protect the content of transmitted messages |
| Network and software security control | Server software to protect Web sites |
| Network and software security control | Security information management schemes to protect against unauthorized access to computers and the network |
| Broadcast medium security and controls | Filtering software that keeps “black listed” sites from displaying |

Document Information

Document Type: DOCX
Chapter Number: 7
Created Date: Aug 21, 2025
Chapter Name: Chapter 7 Security
Author: Keri E. Pearlson
