IS3350 CHAPTER 1

Question 1

Management and regulatory controls are usually policies, standards, guidelines, and procedures. They can also be the laws an organization must follow. This is called ___.

Answer 1

ADMINISTRATIVE SAFEGUARDS

Question 2

The security goal of ensuring that you can access information systems and their data when you need them. They must be available in a dependable and timely manner. This is called ___.

Answer 2

AVAILABILITY

Question 3

The designs, blueprints, or plans that make an organizations product or service unique is ___.

Answer 3

COMPETITIVE EDGE

Question 4

The security goal of ensuring that only authorized persons can access information systems and their data. This is called ___.

Answer 4

CONFIDENTIALITY

Question 5

Any protective action that reduces information security risks. These actions may eliminate or lesson vulnerabilities, control threats, or reduce risk. Safeguards is another term for controls. This is called ___.

Answer 5

CONTROL

Question 6

The science and practice of hiding information so that unauthorized persons can’t read it is called ___.

Answer 6

CRYPTOGRAPHY

Question 7

Attack that disrupts information systems so that they’re no longer available to users is called ___.

Answer 7

DENIAL OF SERVICE (DoS) ATTACK

Question 8

A successful attack against a vulnerability is called ___.

Answer 8

EXPLOIT

Question 9

An attacker that has no current relationship with the organization they’re attacking is called ___.

Answer 9

EXTERNAL ATTACKER

Question 10

Intelligence, knowledge, and data. You can store information in paper or electronic form is called ___.

Answer 10

INFORMATION

Question 11

The study and practice of protecting information. The main goal of information security is to protect its confidentiality, integrity, and availability is called ___.

Answer 11

INFORMATION SECURITY

Question 12

The security goal of ensuring that no changes are made to information systems and their data without permissions is called ___.

Answer 12

INTEGRITY

Question 13

An attacker that has a current relationship with the organization he or she is attacking. It can be an angry employee. This is called ___.

Answer 13

INTERNAL ATTACKER

Question 14

A rule that systems should run with the lowest level of permissions needed to complete tasks. This means users should have the least amount of access needed to do their jobs is called ___.

Answer 14

LEAST PRIVILEGE

Question 15

This term refers to any software that performs harmful, unauthorized , or unknown activity and is called ___.

Answer 15

MALWARE

Question 16

A physical security safeguard that controls entry into a protected area. This entry method has two sets of doors on either end of a small room and is called ___.

Answer 16

MANTRAP

Question 17

This is a rule that users should have access to only the the information they need to do their jobs and called ___.

Answer 17

NEED TO KNOW

Question 18

A piece of software or code that fixes a programs’ security vulnerabilities. These are available for many types of software, including operating systems and is called ___.

Answer 18

PATCH

Question 19

Controls keep unauthorized individuals out of a building or other controlled areas. You can also use these to keep unauthorized individuals from using an information system. This is called ___.

Answer 19

PHYSICAL SAFEGUARD

Question 20

The amount of risk left over after safeguards lessen a vulnerability or threat is called ___.

Answer 20

RESIDUAL RISK

Question 21

A business decision to accept an assessed risk and take no action against it is called ___.

Answer 21

RISK ACCEPTANCE

Question 22

A business decision to apply safeguards to avoid a negative impact is called ___.

Answer 22

RISK AVOIDANCE

Question 23

A business decision to apply safeguards to lessen a negative impact is called ___.

Answer 23

RISK MITIGATION

Question 24

A business decision to transfer a risk to a third party to avoid that risk is called ___.

Answer 24

RISK TRANSFER

Question 25

Any protective action that reduces information security risks. They may eliminate or lesson vulnerabilities, control threats, or reduce risk and are also known as controls are called ___.

Answer 25

SAFEGUARD

Question 26

A rule that two or more employees must split critical task functions. Thus, no one employee know all of the steps required to complete the critical task is called ___.

Answer 26

SEPARATION OF DUTIES

Question 27

Looking over the shoulder of another person to obtain sensitive information. The attacker doesn’t have permission to see it. This usually describes an attack in which a person tries to learn sensitive information by viewing keystrokes on a monitor or keyboard is called ___.

Answer 27

SHOULDER SURFING

Question 28

In an information system, a piece of hardware or application critical to the entire system’s functioning. If that single item fails, then a critical portion or the entire system could fail and is called ___.

Answer 28

SINGLE POINT OF FAILURE

Question 29

An attack that relies on human interaction. They often involve tricking other people to break security procedures so the attacker can gain information about computer systems. This type of attack isn’t technical and is called ___.

Answer 29

SOCIAL ENGINEERING

Question 30

Controls implemented in an information system’s hardware and software. Technical controls include passwords, access control mechanisms, and automated logging. They improve the system’s security and is called ___.

Answer 30

TECHNICAL SAFEGUARD

Question 31

Any danger that takes advantage of a vulnerability and are unintentional or intentional are called ___.

Answer 31

THREAT

Question 32

A weakness or flaw in an information system. Exploiting a vulnerability harms information security. You reduce them by applying security safeguards are called ___.

Answer 32

VULNERABILITY

Question 33

The period between discovering a vulnerability and reducing or eliminating it is called ___.

Answer 33

WINDOW OF VULNERABILITY

Question 34

A vulnerability exploited shortly after it is discovered. The attacker exploits it before the vendor releases a patch and is called ___.

Answer 34

ZERO-DAY VULNERABILITY

Question 35

1. What are the goals of an information security program?
2. Authorization, integrity, and confidentiality
3. Availability, authorization, and integrity
4. Availability, integrity, and confidentiality
5. Availability, integrity, and safeguards
6. Access control, confidentiality, and safeguards

Answer 35

Availability, integrity, and confidentiality

Question 36

2. An employee can add other employees to the payroll database. The same person also can change all employee salaries and print payroll checks for all employees. What safeguard should you implement to make sure that this employee doesn’t engage in wrongdoing?
3. Need to know
4. Access control lists
5. Technical safeguards
6. Mandatory vacation
7. Separation of duties

Answer 36

Separation of duties

Question 37

3. An organization obtains an insurance policy against cybercrime. What type of risk response is this?
4. Risk mitigation
5. Residual risk
6. Risk elimination
7. Risk transfer
8. Risk management

Answer 37

Risk transfer

Question 38

4. Which of the following is an accidental threat?
5. A backdoor into a computer system
6. A hacker
7. A well-meaning employee who inadvertently deletes a file
8. An improperly redacted document
9. A poorly written policy

Answer 38

A well-meaning employee who inadvertently deletes a file

Question 39

5. What is the window of vulnerability?
6. The period between the discovery of a vulnerability and mitigation of the vulnerability
7. The period between the discovery of a vulnerability and exploiting the vulnerability
8. The period between exploiting a vulnerability and mitigating the vulnerability
9. The period between expiating a vulnerability and eliminating the vulnerability
10. A broken window

Answer 39

The period between the discovery of a vulnerability and mitigation of the vulnerability

Question 40

6. A technical safeguard is also known as ___.

Answer 40

Logical control

Question 41

7. Which of the following isn’t a threat classification?
8. Human
9. Natural
10. Process
11. Technology and Operational
12. Physical and Environmental

Answer 41

Process

Question 42

8. Which of the following is an example of a model for implementing safeguards?
9. Confidentiality
10. Integrity
11. Authentication
12. Availability
13. Privacy

Answer 42

Availability

Question 43

9. Which of the following is an example of a model for implementing safeguards?
10. ISO/IEC 27002
11. NIST SP 80-553
12. NIST SP 800-3
13. ISO/IEC 20072
14. ISO/IEC 70022

Answer 43

ISO/IEC 27002

Question 44

10. Which of the following is not a type of security safeguard?
11. Corrective
12. Preventative
13. Detective
14. Physical
15. Defective

Answer 44

Defective

Question 45

11. It is hard to safeguard against which of the following types of vulnerabilities?
12. Information leakage
13. Flooding
14. Buffer overflow
15. Zero-day
16. Hardware failure

Answer 45

Zero-day

Question 46

12. What are the classification levels for US national security information?
13. Public, Sensitive, Restricted
14. Confidential, Secret, Top Secret
15. Confidential, Restricted, Top Secret
16. Public, Secret, Top Secret
17. Public, Sensitive, Secret

Answer 46

Confidential, Secret, Top Secret

Question 47

13. Which safeguard is most likely violated if a system administrator logs into an administrator user account in order to surf the Internet and download music files?
14. Need to know
15. Access control
16. Least privilege principle
17. Using best available path
18. Separation of duties

Answer 47

Least privilege principle

Question 48

14. Which of the following are vulnerability classifications?
15. People
16. Process
17. Technology
18. Facility
19. All the above

Answer 48

People
Process
Technology
Facility

Question 49

15. What is a mantrap?
16. A method to control access to a secure area
17. A removable cover that allow access to underground utilities
18. A logical access control mechanism
19. An administrative safeguard
20. None of the above

Answer 49

A method to control access to a secure area