CHAPTER 8 Controls for Information Security Flashcards
- Which of the following statements is true?
a. The concept of defense-in-depth reflects the fact that security involves the use of a few
sophisticated technical controls.
b. information security is necessary for protecting confidentiality, privacy, integrity
of processing, and availability of information resources.
c. The time-based model of security can be expressed in the following formula: P
b. information security is necessary for protecting confidentiality, privacy, integrity
of processing, and availability of information resources. (Correct. As Figure 8-2
shows, security is the foundation for achieving the other four components of system
reliability.)
- Which of the following is a preventive control?
a. training
b. log analysis
c. CIRT
d. virtualization
a. training (Correct. Training is designed to prevent employees from falling victim to
social engineering attacks and unsafe practices such as clicking on links embedded in
e-mail from unknown sources.)
- The control procedure designed to restrict what portions of an information system an employee
can access and what actions he or she can perform is called ________.
a. authentication
b. authorization
c. intrusion prevention
d. intrusion detection
b. authorization (Correct. Authorization is the process of controlling what actions—read,
write, delete, etc.—a user is permitted to perform.)
- A weakness that an attacker can take advantage of to either disable or take control of a system is called a(n) ________.
a. exploit
b. patch
c. vulnerability
d. attack
c. vulnerability (Correct. A vulnerability is any weakness that can be used to disable or
take control of a system.)
- Which of the following is a corrective control designed to fix vulnerabilities?
a. virtualization
b. patch management
c. penetration testing
d. authorization
b. patch management (Correct. Patch management involves replacing flawed code that
represents a vulnerability with corrected code, called a patch.)
- Which of the following is a detective control?
a. endpoint hardening
b. physical access controls
c. penetration testing
d. patch management
c. penetration testing (Correct. Penetration testing is a detective control designed to identify
how long it takes to exploit a vulnerability.)
- Which of the following statements is true?
a. “Emergency” changes need to be documented once the problem is resolved.
b. Changes should be tested in a system separate from the one used to process transactions.
c. Change controls are necessary to maintain adequate segregation of duties.
d. All of the above are true.
d. All of the above are true. (Correct.)
- Which of the following techniques is the most effective way for a firewall to use to protect
the perimeter?
a. deep packet inspection
b. packet filtering
c. access control lists
d. All of the above are equally effective
a. deep packet inspection (Correct. Deep packet inspection examines the contents of the
data in the body of the IP packet, not just the information in the packet header. This is
the best way to catch malicious code.)
- Which of the following combinations of credentials is an example of multifactor
authentication?
a. voice recognition and a fingerprint reader
b. a PIN and an ATM card
c. password and a user ID
d. all of the above
b. a PIN and an ATM card (Correct. The PIN is something a person knows, the ATM card
is something the person has.)
- Modifying default configurations to turn off unnecessary programs and features to improve security is called ________.
a. user account management
b. defense-in-depth
c. vulnerability scanning
d. hardening
d. hardening (Correct. This is the definition of hardening.)