B4-3 Flashcards
Which of the following statements is correct concerning the security of messages in an electronic data interchange (EDI) system?
a.
When the confidentiality of data is the primary risk, message authentication is the preferred control rather than encryption.
b.
Security at the transaction phase in EDI systems is not necessary because problems at that level will usually be identified by the service provider.
c.
Encryption performed by physically secure hardware devices is more secure than encryption performed by software.
d.
Message authentication in EDI systems performs the same function as segregation of duties in other information systems.
Choice “c” is correct. Encryption performed by physically secure hardware is more secure than that performed by software because software may be more accessible from remote locations. In addition, because hardware decrypts faster than software, more complex algorithms (which are more difficult to “crack”) may be used.
Choice “a” is incorrect. If data confidentiality is a primary concern, encryption would be more important than verifying message authenticity.
Choice “d” is incorrect. Message authentication in EDI systems ensures that only authorized trading partners are submitting transactions, whereas controls related to the segregation of (many system) duties are designed to prevent any one person from having the ability to both perpetrate and conceal fraudulent activities.
Choice “b” is incorrect. The service provider does not provide transaction security.
Which of the following is true regarding Public Key Infrastructure (PKI)?
a.
PKI refers to the system and processes used to issue and manage asymmetric keys and digital certificates.
b.
PKI assumes asymmetric encryption to create legally-binding electronic documents.
c.
PKI is intended for e-business use and is typically available through commercial certificate authorities.
d.
PKI includes a “tree of trust” that’s checked each time a certificate is presented as proof of one’s identity.
Choice “a” is correct. Public key infrastructure represents the mechanisms used to issue keys and digital certificates.
Choice “c” is incorrect. Digital certificates are available through commercial certificate authorities, not public key infrastructure.
Choice “d” is incorrect. CAs (Certificate Authorities) include a “tree of trust” to verify identities by checking certificates, not public key infrastructure.
Choice “b” is incorrect. Digital signatures facilitate the creation of legally binding electronic documents, not public key infrastructure.
An entity doing business on the Internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information, except:
a.
Data encryption.
b.
Batch processing.
c.
Password management.
d.
Digital certificates.
Choice “b” is correct. An organization’s use of batch processing has no effect on unauthorized access to proprietary information. Batch processing is a processing methodology, not a security measure. Batch processing procedures include collection and grouping of input documents/transactions by type of transaction.
Choice “c” is incorrect. Password management is a method of preventing intrusion, since it regulates system access. Password management is the responsibility of the Security Administrator.
Choice “a” is incorrect. Data encryption is a method of preventing intrusion, since it uses a password or a digital key to scramble any readable data into a message unreadable to the intruder.
Choice “d” is incorrect. Digital certificates are forms of data security. They behave online in the same way driver’s licenses, passports, and other trusted documents behave. Digital certificates are electronic documents, created and digitally signed by a trusted party that certifies the identity of the owners of a particular public key.
Which of the following is the step where the intended recipient converts the cipher text into plain text?
a.
PKI.
b.
Digital certificates.
c.
Encryption.
d.
Decryption or decipherment.
Choice “d” is correct. Decryption or decipherment is the step where the intended recipient converts the cipher text into plain text.
Choice “c” is incorrect. Encryption involves using a password or a digital key to scramble a readable (plain text) message into an unreadable (cipher text) message.
Choice “b” is incorrect. Digital certificates are yet another form of data security. They behave in the online world the same way driver’s licenses, passports, and other trusted documents behave outside the online world.
Choice “a” is incorrect. The term public key infrastructure (PKI) refers to the system and processes used to issue and manage asymmetric keys and digital certificates.
Which of the following is not considered a security policy supporting document?
a.
Corporate culture.
b.
Regulations.
c.
Procedures.
d.
Standards and baselines.
Choice “a” is correct. Corporate culture is generally not a document but instead defines the mutually understood manner in which a company does business. While corporate culture is compatible with security policy, it is not a supporting “document.”
Choices “b”, “d”, and “c” are incorrect. Security policy supporting documents might include regulations, company or industry adopted standards, and company procedures.
A digital signature is used primarily to determine that a message is:
a.
Not intercepted en route.
b.
From an authentic sender.
c.
Received by the intended recipient.
d.
Sent to the correct address.
Choice “b” is correct. A digital signature is a means of ensuring that the sender of a message is authentic. The digital signature uses encryption so that the recipient of a message can be assured that it is from the sender that is shown.
Choice “a” is incorrect. A digital signature will not keep a message from being intercepted en route, any more than a normal signature would.
Choice “c” is incorrect. A digital signature will not ensure that a message is received by the intended recipient, any more than a normal signature would.
Choice “d” is incorrect. A digital signature will not ensure that a message is sent to the correct address, any more than a normal signature would.
Passwords are designed to protect access to secure sites and information. Which of the following is incorrect?
a.
Passwords are generally more effective when they are longer.
b.
Alternating between a minimum of three to five passwords provides optimal protection.
c.
Passwords are generally more effective when they are complex passwords (e.g., combinations of uppercase characters, lowercase characters, numeric characters, and ASCII characters such as !, @, #, $, %, ^, &, *, or ?).
d.
Passwords should be changed every 90 days.
Choice “b” is correct. The NSA (National Security Agency) recommends that password reuse of the previous 24 passwords be restricted. The goal is to prevent users from alternating between their favorite two or three passwords.
Choice “a” is incorrect. Passwords are more difficult to guess if they are longer.
Choice “c” is incorrect. Passwords are more difficult to guess if they are complex.
Choice “d” is incorrect. The NSA (National Security Agency) recommends changing passwords every 3 months.
What is a major disadvantage to using symmetric encryption to encrypt data?
a.
The private key is used by the sender for encryption but not by the receiver for decryption.
b.
The private key cannot be broken into fragments and distributed to the receiver.
c.
Both sender and receiver must have the private key before this encryption method will work.
d.
The private key is used by the receiver for decryption but not by the sender for encryption.
Choice “c” is correct. With symmetric encryption, both parties use the same key to encrypt and decrypt the message so that the key must be shared. This would require a unique private key for each entity with which one wanted to share encrypted data. In asymmetric encryption, the private key is not shared and the public key provides the other half necessary to encrypt/decrypt.
Choice “b” is incorrect. The private key in symmetric encryption has to be transmitted to the receiver in some manner. Breaking the private key into fragments is a way to attempt to keep the private key as secure as possible.
Choice “a” is incorrect. In symmetric encryption, both the sender and the receiver must have the private key.
Choice “d” is incorrect. In symmetric encryption, both the sender and the receiver must have the private key.
When a client’s accounts payable computer system was relocated, the administrator provided support through a dial-up connection to a server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk?
a.
User passwords are not required to be in alpha-numeric format.
b.
User accounts are not removed upon termination of employees.
c.
Management procedures for user accounts are not documented.
d.
Security logs are not periodically reviewed for violations.
Choice “b” is correct. User accounts should immediately be disabled or removed upon termination of any employee. Enabled accounts for terminated employees present a great security risk since they allow unauthorized access to the system.
Choice “a” is incorrect. Passwords are usually required to be a combination of characters, but in comparison to failing to disable accounts for former employees, weak passwords do not present the greatest risk. Passwords, however weak they may be, provide at least some security.
Choice “c” is incorrect. While management procedures should always be documented, lack of documentation does not present a high security risk as long as there are procedures in place that are being used.
Choice “d” is incorrect. Security logs should be reviewed periodically by the administrator regardless of whether employees have left the company. While reviewing logs might detect unauthorized system access, allowing former employees to maintain active passwords has a high security risk of allowing the unauthorized access.
After reviewing the end-user computing (EUC) policy of an organization, an internal auditor audits the actuarial function and notices that some minimum control requirements are missing. Which of the following is a risk of using potentially incorrect end-user developed files?
a.
Management continues to incur additional cost because it takes more hours to do the tasks using EUC.
b.
Management receives limited information for decision making due to a lack of flexibility in EUC files.
c.
Management is unable to respond to competitive pressures quickly.
d.
Management places the same degree of reliance on the files as they do on files generated from mainframe systems.
If Friday’s file is destroyed, a new Friday file can be reproduced by using the Friday transaction file (which is stored separately) and Thursday’s file. The backup concept that serves as the foundation for this process is often called:
a.
Critical Application Backup.
b.
Backups of Systems That Do Not Shut Down.
c.
Son-Father-Grandfather Concept.
d.
Disk Only Backup.
Choice “c” is correct. The Son-Father-Grandfather concept describes this backup file system. The most recent file is called the son, the second most recent file is called the father, and the preceding file is called the grandfather. The process includes reading the previous file, recording transactions being processed, and then creating a new updated master file.
Choice “a” is incorrect. All critical application data should be backed up somehow. This concept, while good, is not specifically related to the identified procedure.
Choice “d” is incorrect. Disk only backup relates to the medium used to backup files and not to the sequence or procedure of backup steps.
Choice “b” is incorrect. There are often systems that are never scheduled to be down, and they may involve some application of the Son-Father-Grandfather concept to achieve data safeguarding objectives; however, the concept underlying the procedure is not purely systems that do not shut down.
A company began issuing handheld devices to key executives. Each of the following factors is a reason for requiring changes to the security policy, except:
a.
Convenience of the device.
b.
Storage of sensitive data.
c.
Portability of the device.
d.
Vulnerability of the device.
Choice “a” is correct. The convenience of a handheld device is a benefit, rather than a reason for requiring a change to a security policy.
Choice “b” is incorrect. The fact that a handheld device stores sensitive data makes it higher risk and would therefore require a change in a security policy.
Choice “c” is incorrect. Because of its small size, a handheld device can easily be picked up and transported by an unintended user. A company’s security policy must address how situations such as this can be managed and how the sensitive data contained on the device can be protected.
Choice “d” is incorrect. Any device (whether handheld or not) that is vulnerable to unintended users or usage must be addressed in a company’s security policy.
Kinney Corporation operates parking lots throughout the U.S. and Canada. Its computer systems are run at a data center in a newly redeveloped area of the South Bronx. On all of its application systems, Kinney uses program modification control software. Which of the following statements is correct for such program modification control software?
a.
Program modification controls are controls over the modification of programs being used in production applications.
b.
Program modification controls include both controls that attempt to prevent changes by unauthorized personnel and controls that track program changes so that there is an exact record of what versions of what programs were running in production at any specific point in time.
c.
Program change control software normally includes a software change management tool and a change request tracking tool.
d.
All of the statements are correct.
Choice “d” is correct. All of the statements are correct.
Program modification controls are controls over the modification of programs being used in production applications.
Program modification controls include both controls that attempt to prevent changes by unauthorized personnel and controls that track program changes so that there is an exact record of what versions of what programs were running in production at any specific point in time.
Program change control software normally includes a software change management tool and a change request tracking tool. Program change control often involves changing what are effectively the same programs in two different ways simultaneously. Normally, an environment has both production programs and programs that are being tested. Sometimes, production programs require changes (production fixes) at the same time the test versions of the same programs are being worked on. This process must be controlled so that one set of changes does not incorrectly overlay the other.
Choices “a”, “b”, and “c” are incorrect, per the above explanation.
HideIt Company uses data encryption for certain key data in its application systems. Which of the following statements is correct with respect to data encryption?
a.
In asymmetric encryption, a public key is used to encrypt messages. A private key is normally used to decrypt the message at the other end.
b.
Data encryption is based on the concept of keys. With data encryption, the sophistication of the encryption algorithm is important and the length of the key is not significant.
c.
In asymmetric encryption, a public key is used to encrypt messages. The same public key is transmitted along with the message and is used to decrypt the message at the other end.
d.
Symmetric encryption techniques are much more computationally intensive than asymmetric encryption techniques.
Choice “a” is correct. In asymmetric encryption, a public key is used to encrypt messages. A private key (which is never transmitted) is used to decrypt the message at the other end. There are two keys. Effectively, anyone can encrypt a message, but only the intended recipient can decrypt the message.
Choice “b” is incorrect. Data encryption is, in fact, based on the concept of keys. However, the length of the key is extremely important in data encryption. The longer the key is, the harder it is to crack the key. There are a number of different encryption algorithms, and sooner or later, they are almost always discovered, even if the developers attempt to keep them secret (and these days, many of the more popular algorithms are public). The algorithm is important, but the length of the key is more important.
Choice “c” is incorrect. In asymmetric encryption, a public key is used to encrypt messages. However, the public key is not transmitted along with the message (if it were, why have it in the first place?). The private key of the recipient is used to decrypt the message. There is always a problem of how to transmit the key (when there is only one key such as in symmetric encryption).
Choice “d” is incorrect. Asymmetric encryption techniques are much more computationally intensive than symmetric encryption techniques and thus are considerably slower because a different key is used to decrypt the message than the one used to encrypt it. This requires more time and resources to accomplish.
Which of the following is not a true statement of user access?
a.
Involvement of an Information Security Officer may depend upon the level of security granted to an account.
b.
Human Resources and Information Technology should coordinate to monitor changes in position and thereby control user access.
c.
User accounts are often the first target of a hacker who has gained access to an organization’s network.
d.
The Information Officer does not need to know about position promotions, demotions, or lateral moves.
Choice “d” is correct. The information officer needs to know about position promotions, demotions, or lateral moves. From a productivity standpoint, it is important to have procedures in place to address promotions, lateral moves, or demotions within the company. If jobs/roles change and access doesn’t, the employee may not be able to perform new job functions, since the associated, unrevised access rights may no longer be appropriate.
Also, if access needed for a previous position is not removed, a single individual could have access to incompatible areas of the system, thus compromising segregation of duties.
Choice “b” is incorrect. Human Resources is generally the authoritative source on official changes in position or employment status. Coordination of employee status with IT allows for more effective limitation of employee access.
Choice “a” is incorrect. The Information Security Officer will not be involved in all user accounts but may have increased involvement depending on the level and scope of access granted.
Choice “c” is incorrect. User accounts are often the first target of a hacker who has gained access to an organization’s network.