Assurance, Security and Privacy - Chapter 2
Attacks on information systems are a daily occurrence
True
False
Attacks on information systems are a rare occurrence
True
False
Primary mission of information security is to ensure systems and contents stay the same
True
False
Primary mission of information security is to ensure systems and contents are always changing
True
False
What do organizations protect when it comes to information security?
Protect functionality of organization - Protect operation of applications - Protect data and information - Safeguard technology assets
Contain budget - Authorize transactions - Allowance of application usage
An object, person, or other entity that represents a constant danger to an asset
Threat
Vulnerability
Exploit
None of the above
Management must be informed of the different threats facing the organization
Threat
Vulnerability
Exploit
None of the above
Existence of a weakness that can lead to an undesirable event compromising the system
Threat
Vulnerability
Exploit
None of the above
A breach of an IT system through a vulnerability
Threat
Vulnerability
Exploit
None of the above
If no threats existed, resources could be focused on improving systems, resulting in vast improvements in ease of use and usefulness
True
False
Management (general and IT) is responsible for implementation
True
False
Only IT is responsible for implementation
True
False
Information security is both management issue and people issue
True
False
Information security is a management issue only.
True
False
Organization should address information security in terms of business impact and cost
True
False
Organization should not address information security
True
False
Organization needs environments that safeguard applications using IT systems
True
False
Organization does not need environments that safeguard applications using IT systems
True
False
Management must continue to oversee infrastructure once in place, not relegate it to the IT department
True
False
Management must relegate infrastructure to the IT department
True
False
Organization, without data, loses its record of transactions and/or ability to deliver value to customers
True
False
Organizations can still deliver value to their customers and record transactions even without data
True
False
Protecting data in motion and data at rest are both critical aspects of information security
True
False
Protecting data in motion is the only critical aspect of information security
True
False
Organizations must have secure infrastructure services based on size and scope of enterprise
True
False
Organizations must have insecure infrastructure services based on size only
True
False
Additional security services may be needed as organization grows
True
False
No additional security services are needed even if the organization grows
True
False
More robust solutions may be needed to replace security programs the organization has outgrown
True
False
No robust solution is needed to replace security programs the organization has outgrown
True
False
Piracy, copyright infringement
Compromises to intellectual property
Software attacks
Deviations in quality of service
Espionage or trespass
Viruses, worms, macros, denial of service
Compromises to intellectual property
Software attacks
Deviations in quality of service
Espionage or trespass
ISP, power, or WAN service issues from service providers
Compromises to intellectual property
Software attacks
Deviations in quality of service
Espionage or trespass
Unauthorized access and/or data collection
Compromises to intellectual property
Software attacks
Deviations in quality of service
Espionage or trespass
Fire, flood, earthquake, lightning
Forces of nature
Human error or failure
Information extortion
Missing, inadequate, or incomplete
Accidents, employee mistakes
Forces of nature
Human error or failure
Information extortion
Missing, inadequate, or incomplete
Blackmail, information disclosure
Forces of nature
Human error or failure
Information extortion
Missing, inadequate, or incomplete
Loss of access to information systems due to disk drive failure, without a proper backup and recovery plan (organizational policy or planning)
Forces of nature
Human error or failure
Information extortion
Missing, inadequate, or incomplete
Network compromised because no firewall security controls
Missing, inadequate, or incomplete controls
Sabotage or vandalism
Theft
Technical hardware failures or errors
Destruction of systems or information
Missing, inadequate, or incomplete controls
Sabotage or vandalism
Theft
Technical hardware failures or errors
Illegal confiscation of equipment or information
Missing, inadequate, or incomplete controls
Sabotage or vandalism
Theft
Technical hardware failures or errors
Equipment failure
Missing, inadequate, or incomplete controls
Sabotage or vandalism
Theft
Technical hardware failures or errors
Bugs, code problems, unknown loopholes
Theft
Technical hardware failures or errors
Technical software failures or errors
Technological obsolescence
Antiquated or outdated technologies
Theft
Technical hardware failures or errors
Technical software failures or errors
Technological obsolescence
Ownership of ideas and control over the tangible or virtual representation of those ideas
Intellectual property
Physical property
The most common IP breaches involve ______
Hardware piracy
Software piracy
Which one is a watchdog organization that investigates software abuse?
Software & Information Industry Association (SIIA)
Baltic System Association (BSA)
Which one is a watchdog organization that investigates software abuse?
System & Initiation Industry Alliance (SIIA)
Business Software Alliance (BSA)
Enforcement of copyright law has been attempted with technical security mechanisms
True
False
Enforcement of copyright law has never been attempted
True
False
Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a system
Software Attacks
Hardware Attacks
Accomplished by a threat agent (e.g., a hacker or a script) that damages or steals an organization’s information
Software Attacks
Hardware Attacks
What are the two types of software attacks?
Aiding code - Honesty
Malicious code - Hoaxes
Includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
Malicious code
Hoaxes
Transmission of a virus hoax with a real virus attached; a more devious form of attack
Malicious code
Hoaxes
______ is designed to damage, destroy, or deny service to target systems
Malicious software (malware)
Advertisement software (adware)
Which one is a type of malware?
Cells
Viruses
Which one is a type of malware?
Worms
Maggots
Which one is a type of malware?
Bull
Trojan
Which one is a type of malware?
Logic bombs
Smart bombs
Which one is a type of malware?
Front door or roof access
Backdoor or trap door
Which one is a type of malware?
Polymorphic threats
Trans-formative threats
Which one is a type of malware?
Cells and maggots bamboozle
Virus and worm hoaxes
A small program written to alter the way a computer operates, without the permission or knowledge of the user.
Virus
Worm
Trojan
None of the above
Programs that replicate themselves from system to system without the use of a host file.
Virus
Worm
Trojan
None of the above
Files that claim to be something desirable but, in fact, are malicious.
Virus
Worm
Trojan
None of the above
Attacker sends large number of requests to a target
Denial-of-service (DoS)
Distributed denial-of-service (DDoS)
Mail bombing
None of the above
Target system cannot handle the requests successfully along with other, legitimate service requests; may result in a system crash or inability to perform ordinary functions
DoS/DDoS
Virus/Worms
Coordinated stream of requests is launched against target from many locations simultaneously
Denial-of-service (DoS)
Distributed denial-of-service (DDoS)
Mail bombing
None of the above
Attacker routes large quantities of e-mail to target
Denial-of-service (DoS)
Distributed denial-of-service (DDoS)
Mail bombing
None of the above
Floods the target with requests
DoS
DDoS
Use Zombie computers to launch the attack
DoS
DDoS
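The two questions above distinguish a flood from one source (DoS) from a coordinated flood from many sources (DDoS). The following C program is an added example, not part of the quiz or its textbook source; it shows why the distinction matters to a defender: a per-source request limit catches the single-source flood but is blind to a DDoS in which every zombie stays under its own limit, so an aggregate counter is needed as well. The window length and the two thresholds are assumed policy values, and the traffic is constructed inline from the RFC 5737 documentation prefixes.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES   256
#define WINDOW_SECS   10   /* fixed window length; assumed policy value          */
#define PER_SRC_LIMIT 20   /* requests per window from one source; assumed       */
#define GLOBAL_LIMIT  100  /* requests per window from all sources; assumed      */

/* Verdict bits returned by record_request(). */
#define FLOOD_SINGLE_SOURCE 1   /* one client over its own limit: DoS pattern     */
#define FLOOD_AGGREGATE     2   /* all clients together over limit: DDoS pattern  */

struct src_state {
    char     ip[16];
    unsigned start;   /* timestamp at which this source's window opened   */
    unsigned count;   /* requests from this source in the current window  */
};

static struct src_state table[MAX_SOURCES];
static int n_sources;
static unsigned g_start, g_count;   /* aggregate window across all sources */

void reset_counters(void)
{
    memset(table, 0, sizeof table);
    n_sources = 0;
    g_start = 0;
    g_count = 0;
}

static struct src_state *lookup(const char *ip)
{
    for (int i = 0; i < n_sources; i++)
        if (strcmp(table[i].ip, ip) == 0)
            return &table[i];
    if (n_sources == MAX_SOURCES)
        return NULL;                      /* table full: counted only in aggregate */
    struct src_state *s = &table[n_sources++];
    snprintf(s->ip, sizeof s->ip, "%s", ip);
    return s;
}

/* Feed one request (source IP, arrival time in seconds). Returns a bitmask
 * of the FLOOD_* verdicts that fired on this request, or 0 for none. */
int record_request(const char *ip, unsigned ts)
{
    int verdict = 0;

    /* Aggregate counter: sees the DDoS even when no single source stands out. */
    if (ts - g_start >= WINDOW_SECS) { g_start = ts; g_count = 0; }
    g_count++;
    if (g_count > GLOBAL_LIMIT)
        verdict |= FLOOD_AGGREGATE;

    /* Per-source counter: catches one host hammering the service. */
    struct src_state *s = lookup(ip);
    if (s) {
        if (ts - s->start >= WINDOW_SECS) { s->start = ts; s->count = 0; }
        s->count++;
        if (s->count > PER_SRC_LIMIT)
            verdict |= FLOOD_SINGLE_SOURCE;
    }
    return verdict;
}

/* Constructed traffic: one host sends 30 requests within 5 seconds. */
int demo_single_source(void)
{
    int seen = 0;
    reset_counters();
    for (int i = 0; i < 30; i++)
        seen |= record_request("203.0.113.7", 100 + i / 6);
    return seen;
}

/* Constructed traffic: 150 different hosts send one request each within 2 s.
 * No host exceeds PER_SRC_LIMIT, so only the aggregate counter can fire. */
int demo_many_sources(void)
{
    int seen = 0;
    char ip[16];
    reset_counters();
    for (int i = 0; i < 150; i++) {
        snprintf(ip, sizeof ip, "198.51.100.%d", i + 1);
        seen |= record_request(ip, 100 + i / 75);
    }
    return seen;
}

int main(void)
{
    printf("single source verdict: %d (FLOOD_SINGLE_SOURCE=%d)\n",
           demo_single_source(), FLOOD_SINGLE_SOURCE);
    printf("many sources verdict : %d (FLOOD_AGGREGATE=%d)\n",
           demo_many_sources(), FLOOD_AGGREGATE);
    return 0;
}
```

A fixed window like this one can be gamed at the window boundary (a client can send 2×PER_SRC_LIMIT requests straddling the reset), so production rate limiters usually use a sliding window or token bucket; the point here is the separation of per-source and aggregate views, which any of those schemes needs.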
Program or device that monitors data traveling over network; can be used both for legitimate purposes and for stealing information from a network
Sniffers
Spoofing
Man-in-the-middle
None of the above
Technique used to gain unauthorized access; intruder assumes a trusted IP address
Sniffers
Spoofing
Man-in-the-middle
None of the above
Attacker monitors network packets, modifies them, and inserts them back into network
Sniffers
Spoofing
Man-in-the-middle
None of the above
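The spoofing definition above (an intruder assumes a trusted IP address) is what BCP 38 style ingress and egress filtering on a border router is designed to defeat. The C program below is an added example, not part of the quiz or its textbook source: it parses the source address out of a raw IPv4 header and applies the two rules a border device can enforce from the header alone, namely that an inbound packet must not claim an inside address and an outbound packet must carry one. The inside prefix (10.0.0.0/8), the packet builder and all addresses are assumptions constructed for the example; the header checksum is left zero because the check never consults it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { DIR_INBOUND = 0, DIR_OUTBOUND = 1 };

/* Build an IPv4 address (host order) from its dotted-quad components. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* True if addr lies within net/bits (bits in 0..32). */
int in_prefix(uint32_t addr, uint32_t net, int bits)
{
    uint32_t mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    return (addr & mask) == (net & mask);
}

/* Write a minimal 20-byte IPv4 header (no options) into out.
 * Constructed test input: the checksum field is left zero on purpose. */
void make_ipv4(uint8_t out[20], uint32_t src, uint32_t dst)
{
    memset(out, 0, 20);
    out[0] = 0x45;              /* version 4, IHL = 5 words            */
    out[3] = 20;                /* total length: header only           */
    out[8] = 64;                /* TTL                                 */
    out[9] = 6;                 /* protocol: TCP                       */
    for (int i = 0; i < 4; i++) {
        out[12 + i] = (uint8_t)(src >> (24 - 8 * i));   /* source      */
        out[16 + i] = (uint8_t)(dst >> (24 - 8 * i));   /* destination */
    }
}

/* Extract the source address from a raw IPv4 packet.
 * Returns 0 on success, -1 if the buffer is too short or not IPv4. */
int ipv4_src(const uint8_t *pkt, size_t len, uint32_t *src)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || (pkt[0] & 0x0F) < 5)
        return -1;
    *src = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
           ((uint32_t)pkt[14] << 8)  |  (uint32_t)pkt[15];
    return 0;
}

/* Anti-spoofing rule for a border router whose inside network is
 * inside_net/inside_bits:
 *   inbound  packets must NOT carry an inside source address (ingress rule)
 *   outbound packets MUST carry an inside source address     (egress rule)
 * Returns 1 = drop as spoofed, 0 = pass, -1 = unparseable (drop as well). */
int spoof_check(const uint8_t *pkt, size_t len, int direction,
                uint32_t inside_net, int inside_bits)
{
    uint32_t src;
    if (ipv4_src(pkt, len, &src) != 0)
        return -1;
    int src_inside = in_prefix(src, inside_net, inside_bits);
    if (direction == DIR_INBOUND && src_inside)
        return 1;   /* outsider claiming to be one of our trusted hosts */
    if (direction == DIR_OUTBOUND && !src_inside)
        return 1;   /* our host forging someone else's address          */
    return 0;
}

int main(void)
{
    uint8_t pkt[20];
    uint32_t inside = ip4(10, 0, 0, 0);   /* assumed inside prefix 10.0.0.0/8 */

    /* Packet arriving from the Internet that claims an inside source. */
    make_ipv4(pkt, ip4(10, 1, 2, 3), ip4(203, 0, 113, 9));
    printf("inbound, src 10.1.2.3     -> %d (1 = spoofed)\n",
           spoof_check(pkt, sizeof pkt, DIR_INBOUND, inside, 8));

    /* Packet leaving our network with an outside source address. */
    make_ipv4(pkt, ip4(203, 0, 113, 5), ip4(198, 51, 100, 1));
    printf("outbound, src 203.0.113.5 -> %d (1 = spoofed)\n",
           spoof_check(pkt, sizeof pkt, DIR_OUTBOUND, inside, 8));
    return 0;
}
```

This filter only stops forgery across the border; a host on the same segment as its target can still spoof a neighbour's address, which is why the check is complemented by link-layer controls (for example, switch port security or dynamic ARP inspection) rather than relied on alone.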
Using social skills to convince people to reveal access credentials or other valuable information to attacker
Social engineering
Phishing
Pharming
None of the above
An attempt to gain personal/financial information from individual, usually by posing as legitimate entity
Social engineering
Phishing
Pharming
None of the above
Redirection of legitimate Web traffic (e.g., browser requests) to illegitimate site for the purpose of obtaining private information
Social engineering
Phishing
Pharming
None of the above
Unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging as a vector for some attacks
Spam
Scams and Hoaxes
Don’t believe everything you read and don’t help spread hoaxes - Be smart about it - Breaking news doesn’t come from your friends (there are sources for news)
Spam
Scams and Hoaxes
______ is the overall performance of a network as seen by the users
Quality of service (QoS)
Shoulder surfing
We have expectations. Problems occur when our expectations are not met.
True
False
Information system depends on many interdependent support systems
True
False
Information system depends on many interdependent support systems, such as:
Whole budget, location and permission
Internet service, communications, and power irregularities
Internet service, communications, and power irregularities dramatically affect availability of information and systems
True
False
Access of protected information by unauthorized individuals
Permission and movement
Espionage or Trespass
Competitive intelligence is ______
Legal
Illegal
Industrial espionage is ______
Legal
Illegal
______ can occur anywhere a person accesses confidential information
Shoulder surfing
Web surfing
Without full understanding, uses software written by others to exploit a system
Expert hacker
Unskilled hacker
A master of many skills who develops software scripts and program exploits
Expert hacker
Unskilled hacker
Removes software protection designed to prevent unauthorized duplication
Cracker
Phreaker
Hacks the public telephone network
Cracker
Phreaker
Includes acts performed without malicious intent (Inexperience - Improper training)
Human Error or Failure
Software Error and Failure
Employees are among the greatest threats to an organization’s data
True
False
Employees are the least threatening aspect to an organization’s data
True
False
Which one is not considered a human error?
Revelation of classified data
Entry of erroneous data
Accidental data deletion or modification
Bribing employees for data
Which one is not considered a human error?
Planting a logic bomb
Data storage in unprotected areas
Failure to protect information
Revelation of classified data
Many human error threats can be prevented with controls
True
False
All human errors can be prevented by using controls
True
False
______ is defined as the practice of obtaining something, especially money, through force or threats
Extortion
Theft
Attacker steals information from computer system and demands compensation for its return or nondisclosure
Information Extortion
Information Theft
Internal threat due to Missing, Inadequate, or Incomplete organizational policies and/or controls
Incomplete organizational policies and/or controls
Missing, Inadequate, or Incomplete
Threats can range from petty vandalism to organized sabotage, such as ______
Web site defacing
Web site improvement
Threats can range from petty vandalism to organized sabotage
True
False
Threat of hacktivist or Cyber-activists groups is rising
True
False
Threat of hacktivist or Cyber-activists groups is declining
True
False
A much more sinister form of hacking
Cyberterrorism
Cyberhacking
Web site defacing can erode consumer confidence, reducing sales and the organization’s net worth
True
False
Web site defacing can increase consumer confidence, sales and the organization’s net worth
True
False
Theft can be physical or digital
True
False
Theft is physical only
True
False
Directly associated with physical security (stealing a laptop for example)
Physical theft
Digital theft
Is often more technical and complex
Physical theft
Digital theft
Bugs and poorly written ______ can lead to serious security breaches
Hardware
Software
______ defects can lead to failure and ultimately affect system and business operations
Hardware
Software
An example of a technical software failure is a ______
Memory underflow
Buffer overflow
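The buffer overflow named as the example of a technical software failure is a bug, not an exotic attack: a copy that trusts the input's length instead of the destination's size. The C program below is an added example, not part of the quiz or its textbook source. It places a fixed-size name buffer next to a privilege flag so the consequence is concrete (an over-long name would overwrite the flag), shows the unchecked strcpy() that causes it, and beside it the bounded version that rejects over-long input and reports the rejection to the caller. The struct layout, the NAME_LEN limit and the sample names are assumptions constructed for the example; the over-long input is deliberately never passed to the unsafe function.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed fixed field size */

/* Record layout an attacker might target: the flag sits right after the
 * fixed-size buffer, so an overflow of `name` runs straight into it. */
struct account {
    char name[NAME_LEN];
    int  is_admin;
};

/* Vulnerable: strcpy() copies until the NUL terminator no matter how big the
 * destination is. A name of NAME_LEN or more bytes writes past acct->name
 * into is_admin and, with a longer input, past the struct altogether. */
void set_name_unsafe(struct account *acct, const char *name)
{
    strcpy(acct->name, name);   /* no length check at all */
}

/* Hardened: measure first, refuse anything that does not fit including its
 * NUL terminator, and tell the caller. Rejecting is preferable to silently
 * truncating, which can turn one name into another. Returns 0 or -1. */
int set_name_safe(struct account *acct, const char *name)
{
    size_t len = strlen(name);
    if (len >= NAME_LEN)
        return -1;
    memcpy(acct->name, name, len + 1);   /* len+1 copies the terminator too */
    return 0;
}

int main(void)
{
    struct account a = { "", 0 };
    const char *ok = "alice";                                     /* constructed */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes, constructed */

    set_name_unsafe(&a, ok);   /* 6 bytes including NUL: fits, so no harm here */
    printf("unsafe, short input : name=%s admin=%d\n", a.name, a.is_admin);

    /* set_name_unsafe(&a, too_long); would overwrite is_admin: not executed. */
    printf("safe, long input    : rc=%d (name unchanged: %s)\n",
           set_name_safe(&a, too_long), a.name);
    printf("safe, short input   : rc=%d name=%s admin=%d\n",
           set_name_safe(&a, ok), a.name, a.is_admin);
    return 0;
}
```

The same pattern applies to any fixed-size destination (sprintf into a stack buffer, a network field copied with memcpy(dst, src, src_len)): the check belongs on the destination's capacity, and the caller must be told when input was refused.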
Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems
True
False
Proper managerial planning should prevent technology obsolescence
True
False
Proper managerial planning cannot prevent technology obsolescence
True
False