IS3230 CHAPTER 2

Question 1

The number of times per year we can expect a compromise to occur is called ___.

Answer 1

ANNUAL RATE OF OCCURRENCE (ARO)

Question 2

The total cost per year of the threat under assessment. ALE is calculated by multiplying the SLE by the ARO.

Answer 2

ANNUALIZED LOSS EXPECTANCY (ALE)

Question 3

The relative value, either in monetary terms or in overall impact, of the resource being protected by the access control system is called.

Answer 3

ASSET VALUE

Question 4

What it costs an organization to obtain or create an asset originally is called ___.

Answer 4

COST OF ATTAINMENT

Question 5

What an organization would lose if an asset were unavailable. Ex: The organization might lose $50,000 per hour in lost productivity if its internal network went down.

Answer 5

COST OF IMPACT

Question 6

What it would cost an organization to replace an asset if it were stolen or compromised is called ___.

Answer 6

COST OF REPLACEMENT

Question 7

An action taken to counter another action is called ___.

Answer 7

COUNTERMEASURE

Question 8

The approach of using multiple layers of security to protect against a single point of failure is called ___.

Answer 8

DEFENSE-IN-DEPTH STRATEGY

Question 9

The ability of an attacker to log into a system under one level of access and exploit a vulnerability to gain a higher level of access is called ___.

Answer 9

HEIGHTENED ACCESS

Question 10

A problem-solving system that uses a set of rules to select the best answer available. In virus scanning, ___ refers to an algorithm that uses a set of rules that is constantly revised based on feedback to determine whether a given file contains a virus.

Answer 10

HEURISTICS

Question 11

A combination of hardware and software used to analyze network traffic passing through a single point on the network. It is designed to analyze traffic patterns to find suspicious activity is called ___.

Answer 11

INTRUSION DETECTION SYSTEM (IDS)

Question 12

A combination of a firewall and an IDS. An ___ is designed to analyze network traffic patterns and react in real time to block suspicious activity.

Answer 12

INTRUSION PREVENTION SYSTEM

Question 13

Used to create secure pathways for data through a public network is called ___.

Answer 13

IP TUNNELING

Question 14

A network connecting computers and other assets in a small, physical location such as an office, home, or school is called ___.

Answer 14

LOCAL AREA NETWORK (LAN)

Question 15

The combination of more than one access control method to secure a single resource is called ___.

Answer 15

MULTILAYERED ACCESS CONTROL

Question 16

Guessing or deciphering passwords is called ___.

Answer 16

PASSWORD CRACKING

Question 17

Creating legitimate-looking Web sites or emails that trick a user into entering sensitive information such as passwords, Social Security numbers, or credit card numbers is called ___.

Answer 17

PHISHING

Question 18

The likelihood that an attack will occur is called ___.

Answer 18

PROBABILITY OF OCCURRENCE

Question 19

A method of risk assessment that assigns a subjective label (usually “high”, “medium”, and “low” to a risk scenario is called ___.

Answer 19

QUALITATIVE RISK ASSESSMENTS

Question 20

A method of risk assessment that assigns a dollar value to every data point is called ___.

Answer 20

QUANTITATIVE RISK ASSESSMENTS

Question 21

The probability that a particular threat will exploit an IT vulnerability causing harm to an organization is called ___. It is measured in terms of probability and consequence.

Answer 21

RISK

Question 22

The process of identifying and prioritizing risk is called ___.

Answer 22

RISK ASSESSMENT

Question 23

The cost incurred in one loss incident is called ___.

Answer 23

SINGLE LOSS EXPECTANCY (SLE)

Question 24

An ID badge or other card with an embedded RFID chip that stores basic identification and authentication information is called ___.

Answer 24

SMART CARD

Question 25

The use of manipulation or trickery to convince authorized users to perform actions or divulge sensitive information to an attacker is called ___.

Answer 25

SOCIAL ENGINEERING

Question 26

An attack targeted at specific, usually high-level, individuals within an organization is called ___.

Answer 26

SPEAR PHISHING

Question 27

A potential attack on a system is called a ___.

Answer 27

THREAT

Question 28

A system that uses a public network (usually the Internet) to transmit private data securely. Users on a ___ can exchange data and share resources as if they were directly connected via a LAN.

Answer 28

VIRTUAL PRIVATE NETWORK (VPN)

Question 29

Allows network managers to segment resources into local area networks despite geographical distance. EX: if a work group’s office space was reallocated and the individuals in the group were reassigned to new offices spread across the building, a ___ could be created to allow them the same resource sharing abilities they had when their offices were located in a geographically small area.

Answer 29

VIRTUAL LOCAL AREA NETWORK (VLAN)

Question 30

An unintended weakness in a system’s design that makes it possible for attackers to take control of a system, access resources to which they are not authorized, or damage the system in some way is called ___.

Answer 30

VULNERABILITY

Question 31

A network that connects several smaller networks. EX: a large corporation with offices in New York, Chicago, and Los Angeles might have a LAN in each local office, and then connect those three LANs via a ___.

Answer 31

WIDE AREA NETWORK (WAN)

Question 32

1. Risk is measured in terms of ___ and impact.

Answer 32

Probability of occurrence

Question 33

2. Risk assessment is the first step in designing any access control system.
   TRUE OR FALSE

Answer 33

TRUE

Question 34

3. The two types of risk assessments are qualitative and ___.

Answer 34

Quantitative

Question 35

4. Vulnerabilities and threats are synonymous.

TRUE OR FALSE

Answer 35

FALSE

Question 36

5. A vulnerability is a weakness purposely designed into the system.
   TRUE OR FALSE

Answer 36

FALSE

Question 37

6. You should consider probability of occurrence in order to prioritize limited time and resources.
   TRUE OR FALSE

Answer 37

FALSE

Question 38

7. What are the three primary threats to any access control system?
8. Password cracking
9. Heightened access
10. Social engineering
11. Forgotten passwords

Answer 38

Password cracking
Heightened access
Social engineering

Question 39

8. A strong password that would take an attacker 10 years to crack in 1990 would take 10 years to crack today.
   TRUE OR FALSE

Answer 39

FALSE

Question 40

9. As long as users choose strong, secure passwords, how those passwords are stored is irrelevant.
   TRUE OR FALSE

Answer 40

FALSE

Question 41

10. Insecure applications run as the administrative user are the most common heightened access vulnerability.
    TRUE OR FALSE

Answer 41

TRUE

Question 42

11. You should weigh the value of the assets and their relative risk level against the cost and inconvenience of the access control.
    TRUE OR FALSE

Answer 42

TRUE

Question 43

12. You calculate ALE by multiplying SLE by 12.

TRUE OR FALSE

Answer 43

FALSE

Question 44

13. You should install every patch that is released for the applications running in your environment.
    TRUE OR FALSE

Answer 44

FALSE

Question 45

14. Calculate the ALE of a threat that can be expected to occur three times per year, and will cost the organization $50,000 per incident.
    ___.

Answer 45

$150,00

Question 46

15. Calculate the ARO of a threat with an SLE of $100,000 and an ALE of $200,000.

Answer 46

Annual Rate of Occurrence (ARO)=2

Question 47

16. Calculate the SLE of a threat with an ARO of 4 and an ALE of $100,000.

Answer 47

$25,000