Pre Final Exam 360

Question 1

Definition: Information Security Management

Answer 1

An integrated, systematic approach that coordinates people, policies, standards, processes, and controls used to safeguard critical systems and information from internal and external security threats

Question 2

Confidentiality

Answer 2

Information is not accessible to unauthorized individuals or processes

Question 3

Integrity

Answer 3

Information is accurate and complete

Question 4

Availability

Answer 4

Information and systems are accessible on demand

Question 5

Definition:Virus

Answer 5

A self-replicating program that runs and spreads by modifying other programs or files

Question 6

Definition:Worm

Answer 6

A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself

Question 7

Definition:Trojan horse

Answer 7

A non-self-replicating program that seems to have a useful purpose in appearance, but in reality has a different, malicious purpose

Question 8

Definition:Spam

Answer 8

Sending unsolicited bulk information

Question 9

Definition:Botnet (Bot)

Answer 9

A collection of software robots that overruns computers to act automatically in response to the bot-herder’s control inputs through Internet.

Question 10

Definition:Denial-of-service (DoS)

Answer 10

The prevention of authorized access to resources (such as servers) or the delaying of time-critical operations

Question 11

Definition:Spyware

Answer 11

Software secretly installed into an information system to gather information on individuals or organizations without their knowledge of; a type of malicious code

Question 12

Definition:Spoofing

Answer 12

Sending a network packet that appears to come from a source other than its actual source

Question 13

Definition:Social engineering

Answer 13

Manipulating someone to take certain action that may not be in that person’s best interest such as revealing confidential information or granting access to physical assets, networks, or information.

Question 14

Definition: Encryption

Answer 14

Preventive control providing confidentiality and privacy for data transmission and storage

Question 15

Plaintext is encrypted into _______

Answer 15

cyphertext

Question 16

Symmetric Key Encryption : General Info

Answer 16

Fast and used for large data sets
the sender and the receiver use the same key to encrypt and decrypt messages
Require one key for every set of users

Question 17

Asymmetric Key Encryption : General Info

Answer 17

slow and is not appropriate for encrypting large data sets
uses a public and private key
AKA public-key encryption or two-key encryption

Question 18

Definition:Authentication

Answer 18

Process that establishes the origin of information or determines the identity of a user, process, or device. KEY IN E-BUSINESS

Question 19

Common Use of encryption

Answer 19

Use asymmetric key to authenticate then use a symmetric or session key
Get the info with a public key and decrypt with private key

Question 20

Definition:digital signature

Answer 20

a message digest (MD) of a document (or data file) that is encrypted using the document creator’s private key

Question 21

Why do we use a digital signature

Answer 21

ensure data integrity and prevent repudiation of

transactions the digital signature also authenticates the document creator

Question 22

Definition:Certificate Authority (CA)

Answer 22

a trusted entity that issues and revokes digital certificates

Question 23

Definition: Digital Certificate

Answer 23

a digital document issued and digitally signed by the private key of a Certificate Authority that binds the name of a subscriber to a public key

Question 24

Public Key Infrastructure (PKI):

Answer 24

a set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.

Question 25

3 parts of the fraud triangle

Answer 25

Incentive: provides a reason to commit fraud
Opportunity: for fraud to be perpetrated
Rationalize: the individuals committing the fraud possess an attitude that enables them to rationalize the fraud

Question 26

What is Disaster recovery planning (DRP)

Answer 26

identifies significant events that may threaten a firm’s operations, outlining the procedures that ensure the firm’s smooth resuming of operations in the case this event occurs.

Question 27

What does the operating system do?

Answer 27

1. ensure the integrity of the system
2. control the flow of multiprogramming and tasks of scheduling in the computer
3. Allocate computer resources to users and applications
4. Manage the interfaces with the computer

Question 28

Database: Definition

Answer 28

A database is a shared collection of logically related data which meets the information needs of a firm.

Question 29

Definition: data warehouse

Answer 29

is a centralized collection of firm-wide data for a relatively long period of time

Question 30

Definition: Operational databases

Answer 30

for daily operations and often includes data for the current fiscal year only

Question 31

Definition: Data mining

Answer 31

is the process of searching for patterns in the data in a data warehouse and data analyzing these patterns for decision making

Question 32

Definition:Data governance

Answer 32

the convergence of data quality, data management, data policies, business process management, and risk management surrounding the handling of data in a firm

Question 33

Definition: LAN

Answer 33

A local area network (LAN): a group of computers, printers, and other devices connected to the same network that covers a limited geographic range

Question 34

Definition: hubs

Answer 34

(broadcasts through multiple ports)

Question 35

Definition:Switches

Answer 35

(provides a path for each pair of connections)

Question 36

Definition: Wide area networks

Answer 36

link different sites together, transmit information across geographically and cover a broad geographic area.

Question 37

Definition: Routers

Answer 37

connects different LANs, software-based intelligent devices, examines the Internet Protocol (IP) address

Question 38

Definition: Firewalls

Answer 38

a security system comprised of hardware and software that is built using routers, servers, and a variety of software; allows individuals on the corporate network to send/receive a data packet from the Internet.

Question 39

Definition: Virtual Private Network (VPN)

Answer 39

Securely connects a firm’s WANs by sending/receiving encrypted packets via virtual connections over the public Internet to distant offices, salespeople, and business partners.

Question 40

Definition: Wireless Network

Answer 40

is comprised of two fundamental architectural components: access points and stations.

Question 41

An access point logically connects

Answer 41

stations to a firm’s network.

Question 42

A station is a wireless endpoint device equipped with a wireless

Answer 42

Network Interface Card (NIC).

Question 43

Definition: Eavesdropping:

Answer 43

The attacker passively monitors wireless networks for data, including authentication credentials

Question 44

Definition: Man-in-the-Middle:

Answer 44

The attacker actively intercepts communications between wireless clients and access points to obtain authentication credentials and data.

Question 45

Masquerading

Answer 45

The attacker impersonates an authorized user and gains certain unauthorized privileges to the wireless network.

Question 46

Message Modification

Answer 46

The attacker alters a legitimate message sent via wireless networks by deleting, adding to, changing, or reordering it.

Question 47

Message Replay

Answer 47

The attacker passively monitors transmissions via wireless networks and retransmits messages, acting as if the attacker was a legitimate user

Question 48

Misappropriation

Answer 48

The attacker steals or makes unauthorized use of a service.

Question 49

Traffic Analysis

Answer 49

The attacker passively monitors transmissions via wireless networks to identify communication patterns and participants

Question 50

Rogue Access Points

Answer 50

The attacker sets up an unsecured wireless network near the enterprise with an identical name and intercepts any messages sent by unsuspecting users that log onto it

Question 51

Management Controls

Answer 51

management of risk and information system security

Question 52

Operational Controls

Answer 52

: protecting a firm’s premise and facilities, preventing and detecting physical security breaches, and providing security training to employees, contractors, or third party users.

Question 53

Technical Controls

Answer 53

protecting a firm’s premise and facilities, preventing and detecting physical security breaches, and providing security training to employees, contractors, or third party users

Question 54

Technical Controls

Answer 54

primarily implemented and executed through mechanisms contained in computing related equipment

Question 55

Auditing around the computer

Answer 55

the black-box approach)

First calculating expected results from the transactions entered into the system

Question 56

Auditing through the computer

Answer 56

the white-box approach

The white-box approach requires auditors to understand the internal logic of the system/application being tested.