B4-5 Flashcards
Controls in the information technology area are classified into the preventive, detective, and corrective categories. Which of the following is a preventive control?
a. Contingency planning.
b. Hash total.
c. Access control software.
d. Echo check.
Choice “c” is correct. Access control software is a preventive control. It prevents “bad people” from accessing an organization’s systems and data.
Choice “a” is incorrect. Contingency planning would be considered a corrective control.
Choice “b” is incorrect. A hash total is a detective control, not a preventive control. A hash total attempts to detect if numbers that are not normally added (such as account numbers) have been processed incorrectly. A batch total is used for numbers, such as dollars, that are normally added.
Choice “d” is incorrect. An echo check is a detective control, not a preventive control.
Which of the following types of control plans is particular to a specific process or subsystem, rather than related to the timing of its occurrence?
a. Detective.
b. Preventive.
c. Application.
d. Corrective.
Choice “c” is correct. Application controls are written into the application and are specific to the particular process or subsystem. The words “specific to the particular process or subsystem” almost give it away. The words “process” and “subsystem” are quite similar to the word “application.”
Choices “b”, “d”, and “a” are incorrect. Preventive, corrective, and detective controls are control procedures that are part of the control environment.
Preventive Controls - Preventive controls are controls that are designed to prevent potential problems from occurring.
Corrective Controls - Corrective controls are controls that are designed to fix problems that have occurred and that have been located by detective controls.
Detective Controls - Detective controls are controls that are designed to locate problems that have occurred so that they can be fixed by corrective controls.
Which of the following statements is incorrect for threats in a computerized environment?
a. A virus is a piece of computer program that inserts itself into some other program to propagate. Alternatively, it can run independently.
b. Phishing is the sending of phony emails to try to lure people to phony web sites asking for financial information.
c. A Trojan horse is a program that appears to have a useful function but that contains a hidden and unintended function that presents a security risk.
d. In a denial-of-service attack, one computer bombards another computer with a flood of information intended to keep legitimate users from accessing the target computer or network.
Choice “a” is correct. This statement is incorrect. A virus is a piece of computer program that inserts itself into some other program to propagate. A virus cannot run independently.
Choices “c”, “b”, and “d” are incorrect because these statements are correct.
Which of the following risks can be minimized by requiring all employees accessing the information system to use passwords?
a. Collusion.
b. Data entry errors.
c. Firewall vulnerability.
d. Failure of server duplicating function.
Choice “c” is correct. Since a primary purpose of the firewall is to prevent unauthorized access to the network, requiring all users to have a password helps to minimize vulnerability.
Choice “a” is incorrect. Collusion would not be minimized at all by requiring employees to have passwords; the employees conspiring to do bad things could merely share their passwords.
Choice “b” is incorrect. Passwords would not do anything about data entry errors.
Choice “d” is incorrect. The usage of passwords or the lack of passwords would have no effect on failure of the server duplicating function.
Newt Corporation, headquartered in Los Angeles, is a nationwide provider of educational services to post-graduate students. Due to stringent federal guidelines for the protection of student information, Newt utilizes various firewalls to protect its network from access by outsiders. Which of the following statements with respect to firewalls is/are correct?
a. All of the statements are correct.
b. Circuit level gateways only allow data into a network that result from requests from computers inside the network.
c. Application level gateways examine data coming into the gateway. They can be used to control which computers in a network can access the Internet but cannot be used to control which Internet websites or pages can be viewed once access is allowed.
d. Packet filtering examines packets of data as they pass through the firewall. Packet filtering is the most complex type of firewall configuration.
Choice “b” is correct. Circuit level gateways, not packet filtering, only allow data into a network that result from requests from computers inside the network by keeping track of requests that are sent out of the network and only allowing data in that is in response to those requests.
Choice “d” is incorrect. Packet filtering examines packets of data as they pass through the firewall. Packet filtering is the simplest, not the most complex, type of firewall configuration.
Choice “c” is incorrect. Application level gateways examine data coming into the gateway. They can be used to control which computers in a network can access the Internet and can be used to control which Internet websites or pages can be viewed once access is allowed.
Choice “a” is incorrect. Choice “b” is the best answer.
Which of the following represents the procedure managers use to identify whether the company has information that unauthorized individuals want, how these individuals could obtain the information, the value of the information, and the probability of unauthorized access occurring?
a. Systems assessment.
b. Test of controls.
c. Risk assessment.
d. Disaster recovery plan assessment.
Choice “c” is correct. The first step in risk assessment is to identify the risks. The question is asking about the risk of unauthorized access to information. The steps would certainly be to identify whether the company has information that unauthorized individuals might want (and what company does not have such information), the value of the information, how those individuals could obtain the information, and the probability of unauthorized access occurring. The steps here are not necessarily in the same order as in the question; regardless, it is risk assessment.
Choice “d” is incorrect. It is not particularly clear exactly what “disaster recovery plan assessment” actually is. It probably means the review of a disaster recovery plan to determine if it will be effective. Regardless, it has nothing to do, per se, with the safeguarding of valuable information.
Choice “a” is incorrect. It is not particularly clear exactly what “system assessment” actually is. It probably means the review of a system to determine if it is operating effectively and efficiently. Regardless, it has nothing to do, per se, with the safeguarding of valuable information.
Choice “b” is incorrect. Tests of controls are audit tests to determine if described controls have been placed in operation and are working effectively. Tests of controls have nothing to do with the above scenario, although there are controls involved in the safeguarding of information and those controls may be tested in the course of an audit. This terminology is just terminology that might sound good to an accountant/auditor but which has no real relevance to the question.
Which of the following statements best characterizes the function of a physical access control?
a. Provides authentication of users attempting to log into the system.
b. Minimizes the risk of incurring a power or hardware failure.
c. Separates unauthorized individuals from computer resources.
d. Protects systems from the transmission of Trojan horses.
Choice “c” is correct. The function of a physical access control is to separate unauthorized individuals from computer resources. Examples are locks on doors to computer rooms, etc., which limit physical access to computer resources to people who need such access in the performance of their job responsibilities.
Choice “d” is incorrect. The function of a physical access control is not to protect systems from the transmission of Trojan horses. Trojan horses are software, and physical access controls would not have anything to do with them.
Choice “a” is incorrect. The function of a physical access control is not to provide authentication of users attempting to log into the system; that would be done by some kind of a security system.
Choice “b” is incorrect. The function of a physical access control is not to minimize the risk of incurring a power or hardware failure. A physical access control will do nothing to minimize the risk of power or hardware failures.
Which of the following activities would most likely detect computer-related fraud?
a. Using data encryption.
b. Conducting fraud-awareness training.
c. Performing validity checks.
d. Reviewing the systems-access log.
Choice “d” is correct. Because computer-related fraud often involves unauthorized access to systems and/or data, review of system access logs is the most likely of these choices to detect fraud. System access logs are electronic lists of who has accessed or has attempted to access systems or parts of systems or data or subsets of data.
Choice “a” is incorrect. Data encryption might keep intercepted data from being understood, but it will not detect fraud.
Choice “c” is incorrect. Validity checks might prevent erroneous data from being entered into a system, but they will not detect fraud.
Choice “b” is incorrect. Fraud-awareness training would help employees to identify possible fraudulent activity, but it is not the most likely to detect fraud.
Which of the following is a computer program that appears to be legitimate but performs an illicit activity when it is run?
a. Web crawler.
b. Parallel count.
c. Redundant verification.
d. Trojan horse.
Choice “d” is correct. A Trojan horse is a program that appears to have a useful function but that contains a hidden and unintended function that presents a security risk (appears to be legitimate but performs an illicit activity when it is run).
Choice “c” is incorrect. Redundant verification is not a computer program.
Choice “b” is incorrect. A parallel count is not a computer program.
Choice “a” is incorrect. A web crawler (also known as a web spider or web robot) is a program which browses the web in a methodical, automated manner. Web crawlers are mainly used to create a copy of visited web pages for later processing by a search engine. Web crawlers can also be used for automating maintenance tasks on a web site. Web crawlers can also be used to gather specific types of information from web pages. There is nothing illicit about a web crawler.
An auditor was examining a client’s network and discovered that the users did not have any password protection. Which of the following would be the best example of the type of network password the users should have?
a. 34787761.
b. tr34ju78.
c. tR34ju78.
d. trjunpqs.
Choice “c” is correct. Of the choices listed, the best one is “tR34ju78” because it contains a combination of small letters, capital letters, and numbers. This password would be the most difficult to “crack.”
Choice “d” is incorrect. “trjunpqs” is not the best password because it is all small letters and not a combination of small letters, capital letters, and numbers.
Choice “a” is incorrect. “34787761” is not the best password because it is all numbers and not a combination of small letters, capital letters, and numbers.
Choice “b” is incorrect. “tr34ju78” is not the best password because it is just small letters and numbers and not a combination of small letters, capital letters, and numbers.
Which of the following statements presents an example of a general control for a computerized system?
a. Creating hash totals from Social Security numbers for the weekly payroll.
b. Limiting entry of sales transactions to only valid credit customers.
c. Restricting access to the computer center by use of biometric devices.
d. Restricting entry of accounts payable transactions to only authorized users.
Choice “c” is correct. Restricting access to the computer center by use of biometric devices represents a general control. General controls are designed to ensure that an organization’s control environment is stable and well managed.
Choice “b” is incorrect. Limiting entry of sales transactions to only valid credit customers likely represents an application control (embedded within the software). Application controls prevent, detect, and correct transaction errors and fraud and are application specific.
Choice “a” is incorrect. Creating hash totals from Social Security numbers for the weekly payroll is a processing control. Processing controls include recalculation of batch totals and similar procedures.
Choice “d” is incorrect. Restricting entry of accounts payable to only authorized users represents a user control.
Which of the following is an electronic device that separates or isolates a network segment from the main network while maintaining the connection between networks?
a. Keyword.
b. Firewall.
c. Query program.
d. Image browser.
Choice “b” is correct. A firewall is an “electronic device” (a firewall may actually be both hardware and software and not just hardware) that prevents unauthorized users from gaining access to network resources. A firewall isolates a private network of some type from a public network (or a network segment from the main network). It also maintains a (controlled) connection between those two networks.
Choice “c” is incorrect. A query program has nothing to do with connecting networks or with separating or isolating a network segment from the main network. A query program is a program that allows a user to obtain information from a database or other data source.
Choice “d” is incorrect. An image browser is a program that displays a stored graphical image. It has nothing to do with connecting networks or with separating or isolating a network segment from the main network. An image browser is used to display information from a database or other data source.
Choice “a” is incorrect. In computer programming, a keyword is a word or identifier that has a particular meaning to the programming language being used. For example, some people have seen things like (IF…THEN) in some basic programming languages (FORTRAN, COBOL, Visual Basic, and many others). Both IF and THEN are keywords, and they cannot be used in that language out of their specified context. Alternatively, in a search, a keyword is a word that is used to find information somewhere that contains that word. Either way, however, a keyword has nothing to do with connecting networks or with separating or isolating a network segment from the main network.
Which of the following statements is/are correct?
a. Phishing is the sending of phony emails to try to convince people to divulge information.
b. A virus is a piece of computer program that inserts itself into some other program. Virus protection software can be utilized to protect against viruses. One of the benefits of such software is that it can be installed and forgotten, allowing security personnel to devote their attention to other areas.
c. A denial-of-service attack is an attack in which one computer bombards another computer with a flood of information.
d. Choices “c” and “a” are correct.
Choice “d” is correct, which means that both “c” and “a” are incorrect.
Choice “b” is incorrect. A virus is a piece of computer program that inserts itself into some other program. Virus protection software can be utilized to protect against viruses. One of the benefits of such software is definitely not that it can be installed and forgotten. Virus protection software must be continually updated because new viruses are being continually developed. Security personnel who install and forget virus protection software will soon be looking for new jobs.
Choice “c” is the incorrect choice because it is not the only correct answer. A denial-of-service attack is an attack in which one computer bombards another computer with a flood of information intended to keep legitimate users from accessing the target computer or network.
Choice “a” is the incorrect choice because it is not the only correct answer. Phishing is the sending of phony emails to try to convince people to divulge information like account numbers and social security numbers. It is often accomplished by luring people to authentic-looking but fake websites.
The protective device that allows private intranet users to access the Internet without allowing Internet users access to private intranet information is called a (an):
a. Anti-virus protection program.
b. Browser.
c. Password.
d. Firewall.
Choice “d” is correct. The protective device that keeps Internet users from accessing intranet data is termed a firewall.
Choice “a” is incorrect. Anti-virus protection programs scan computers for viruses and, in some cases, destroy them but do not provide security from external access to an organization’s private data.
Choice “b” is incorrect. A browser is a software mechanism that allows for research on the Internet or intranet. It is not a security measure.
Choice “c” is incorrect. A password provides security regarding internal access to information but is not a comprehensive security device or procedure to prevent access to a computer system and its data.
A company’s web server has been overwhelmed with a sudden surge of false requests that caused the server to crash. The company has most likely been the target of:
a. Piggybacking.
b. Spoofing.
c. A denial of service attack.
d. An eavesdropping attack.
Choice “c” is correct. In a denial of service attack, one computer bombards another computer with a flood of information intended to keep legitimate users from accessing the target computer or network. A sudden surge of false requests that cause a company’s server to crash is a denial of service attack.
Choice “b” is incorrect. A spoofing attack is a breach of network security resulting from a person or program successfully impersonating a legitimate network user for illegitimate purposes.
Choice “a” is incorrect. Piggybacking is the practice of using another person or organization’s wireless network connection without the express permission of the subscriber or owner of the network.
Choice “d” is incorrect. An eavesdropping attack seeks to access a network and steal or eavesdrop on communications in an attempt to illicitly obtain passwords or other confidential or sensitive information.