Test 2 Flashcards

1
Q
Able was chatting online with Baker. "I can't believe how lame some people are! :) I can get into any system by checking out the company website to see how user names are defined and who is on the employee directory. Then, all it takes is brute force to find the password." Able is a \_\_\_\_\_, and the fraud he is describing is \_\_\_\_\_.  
A. hacker; social engineering
B. phreaker; dumpster diving
C. hacker; password cracking
D. phreaker; the salami technique
A

C. hacker; password cracking

2
Q
Computers that are part of a botnet and are controlled by a bot herder are referred to as
A. posers
B. zombies
C. botsquats
D. evil twins
A

B. zombies

3
Q
Josie Jerkwater, a first-time computer user, purchased a brand new PC two months ago, and it is now operating much more slowly and sluggishly. Since purchasing the computer, she has been accessing the Internet and has installed a variety of free software. The problem is most likely to be
A. a zero-day attack
B. a virus
C. a spoof
D. bluesnarfing
A

B. a virus

4
Q

Which of the following would be least effective in reducing exposure to a computer virus?
A. Only transfer files between employees with USB flash drives
B. Install and frequently update antivirus software
C. Install all new software on a stand-alone computer until it is tested.
D. Do not open email attachments from unknown senders

A

A. Only transfer files between employees with USB flash drives

5
Q
Developers of computer systems often include a user name and password that is hidden in the system, just in case they need to get into the system and correct problems in the future. This is referred to as a
A. Trojan horse
B. key logger
C. spoof
D. back door
A

D. back door

6
Q
Narang Direct Sales is a telemarketing firm that operates out of India. The turnover rate among employees is quite high. Recently, the information technology manager discovered that an unknown employee had used a Bluetooth-enabled mobile phone to steal customers' credit card information. Narang Direct Sales was a victim of
A. bluesnarfing
B. splogging
C. vishing
D. typosquatting
A

A. bluesnarfing

7
Q
A control procedure designed so that the employee that records cash received from customers does not have access to the cash itself is an example of a 
A. preventive control
B. detective control
C. corrective control
D. authorization control
A

A. preventive control

8
Q
Duplicate checking of calculations is an example of a \_\_\_\_\_ control, and procedures to resubmit rejected transactions are an example of a \_\_\_\_\_ control
A. corrective; detective
B. detective; corrective
C. preventive; corrective
D. detective; preventive
A

B. detective; corrective

9
Q

The largest difference between the COSO Integrated Control (IC) framework and the COSO Enterprise Risk Management (ERM) framework is
A) IC is controls-based, while the ERM is risk-based
B) IC is risk-based, while ERM is controls-based
C) IC is required, while ERM is optional
D) IC is more applicable to international accounting standards, while ERM is more applicable to generally accepted accounting principles

A

A) IC is controls-based, while the ERM is risk-based

10
Q

The audit committee of the board of directors
A. is usually chaired by the CFO
B. conducts testing of controls on behalf of the external auditors
C. provides a check and balance on management
D. does all of the above.

A

C. provides a check and balance on management

11
Q
Personnel policies such as background checks, mandatory vacations, and rotation of duties tend to deter
A. unintentional errors
B. employee fraud or embezzlement
C. fraud by outsiders
D. disgruntled employees
A

B. employee fraud or embezzlement

12
Q

The first step of the risk assessment process is generally to
A. identify controls to reduce all risk to zero
B. estimate the exposure from negative events
C. identify the threats that the company currently faces
D. estimate the risk probability of negative events occurring

A

C. identify the threats that the company currently faces

13
Q

According to the COSO Enterprise Risk Management Framework, the risk assessment process incorporates all of the following components except
A. reporting potential risks to auditors
B. identifying events that could impact the enterprise
C. evaluating the impact of potential events on achievement of objectives
D. establishing objectives for the enterprise

A

A. reporting potential risks to auditors

14
Q
Upon getting into your new car, you suddenly became worried that you might become injured in an auto accident. You decided to buckle your seatbelt in response. You chose to \_\_\_\_\_\_ the risk of being injured in an auto accident
A. reduce
B. share
C. avoid
D. accept
A

A. reduce

15
Q
Petty cash is disbursed by Manuela Luisina in the Cashier's Office. Manuela also maintains records of disbursements, places requests to the Finance Department to replace expended funds, and periodically reconciles the petty cash balance. This represents \_\_\_\_\_\_ segregation of duties.
A. ideal
B. effective
C. ineffective
D. limited
A

C. ineffective

16
Q
If the time an attacker takes to break through the organization's preventative controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is
A. effective
B. ineffective
C. overdone
D. undermanaged
A

A. effective

17
Q
Identify the primary means of protecting data stored in the cloud from unauthorized access.
A. authentication
B. authorization
C. virtualization
D. securitization
A

A. authentication

18
Q

Identify the statement below which is not a useful control procedure regarding access to system outputs
A. restricting access to rooms with printers
B. coding reports to reflect their importance
C. allowing visitors to move through the building without supervision
D. requiring employees to log out of applications when leaving their desk

A

C. allowing visitors to move through the building without supervision

19
Q
Restricting access of users to specific portions of the system, as well as to specific tasks, is an example of
A. authentication
B. authorization
C. identification
D. threat monitoring
A

B. authorization

20
Q

Multi-factor authentication
A. involves the use of two or more basic authentication methods
B. is a table specifying which portions of the system users are permitted to access
C. provides weaker authentication than the use of effective passwords
D. requires the use of more than one effective password

A

A. involves the use of two or more basic authentication methods

21
Q
The process that allows a firewall to be more effective by examining the data in the body of an IP packet, instead of just the header, is known as
A. deep packet inspection
B. stateful packet filtering
C. static packet filtering
D. an intrusion prevention system
A

A. deep packet inspection

22
Q
In 2007, a major US financial institution hired a security firm to attempt to compromise its computer network. A week later, the firm reported that it had successfully entered the system without apparent detection and presented an analysis of the vulnerabilities that had been found.  This is an example of a 
A. preventive control
B. detective control
C. corrective control
D. standard control
A

B. detective control

23
Q
Identify the type of information below that is least likely to be considered "sensitive" by an organization
A. financial statements
B. legal documents
C. strategic plans 
D. product cost information
A

C. strategic plans

24
Q
If an organization asks you to disclose your social security number, yet fails to properly dispose of your private information once it has fulfilled its purpose, the organization has likely violated which of the Generally Accepted Privacy Principles?
A. management
B. notice
C. choice and consent
D. use and retention
A

D. use and retention

25
Q
If an organization asks you to disclose your date of birth and your address, but refuses to let you review or correct the information you provided, the organization has likely violated which of the Generally Accepted Privacy Principles (GAPP)?
A. collection
B. access
C. security
D. choice and consent
A

B. access

26
Q
The system and processes used to issue and manage asymmetric keys and digital certificates are known as 
A. asymmetric encryption
B. certificate authority
C. digital signature
D. public key infrastructure
A

D. public key infrastructure

27
Q

Identify one weakness of encryption below
A. encrypted packets cannot be examined by a firewall
B. encryption provides for both authentication and non-repudiation
C. Encryption protects the privacy of information during transmission
D. Encryption protects the confidentiality of information while in storage

A

A. encrypted packets cannot be examined by a firewall

28
Q
These are used to create digital signatures
A. asymmetric encryption
B. hashing and packet filtering
C. packet filtering and encryption
D. symmetric encryption and hashing
A

A. asymmetric encryption

29
Q
A process that takes plaintext of any length and transforms it into a short code
A. asymmetric encryption
B. encryption
C. hashing
D. symmetric encryption
A

C. hashing

30
Q
One way to circumvent the counterfeiting of public keys is by using
A. a digital certificate
B. digital authority
C. encryption
D. cryptography
A

A. a digital certificate

31
Q

Definition of symmetric encryption systems

A

encryption systems that use the same key both to encrypt and to decrypt

32
Q

Advantages of symmetric encryption

A

speed: much faster because there is only one key

33
Q

Disadvantages of symmetric encryption

A

1. Requires a separate key for everyone who wishes to communicate
2. Must find a secure way to share the key with the other party

34
Q

Asymmetric encryption

A

encryption systems that use two keys (one public, the other private); either key can encrypt, but only the other matching key can decrypt

35
Q

advantages of asymmetric encryption

A

1. Everyone can use your public key to communicate with you.
2. No need to store keys for each party with whom you communicate
3. Can be used to create legally binding digital signatures

36
Q

disadvantages of asymmetric encryption

A

1. speed: much slower because there are two keys
2. Requires public key infrastructure (PKI) to validate ownership of public keys

37
Q

Five components of COSO Internal Control Framework

A

1. Control Environment
2. Risk Assessment
3. Information and Communication
4. Control Activities
5. Monitoring

38
Q

techniques or psychological tricks used to get people to comply with the perpetrator’s wishes in order to gain physical or logical access to a building, computer, server, or network for the purpose of obtaining confidential data

A

Social engineering

39
Q

illegally obtaining confidential information about an individual such as social security number or a bank account or credit card in order to pretend to be them, usually for financial gain

A

identity theft

40
Q

voice phishing; it is like phishing except that the victim enters confidential data by phone

A

vishing

41
Q

redirecting website traffic to a spoofed website to obtain confidential information

A

pharming

42
Q

setting up similarly named websites so that users making typographical errors when entering a website name are sent to an invalid site.

A

typosquatting

43
Q

stealing tiny slices of money from many different accounts

A

salami technique

44
Q

unwanted release or copying of data or information

A

data leakage

45
Q

linking up with or entering a system with or via a legitimate user who is authenticated to use the system

A

piggybacking

46
Q

a computer attack in which the attacker sends so many email bombs or web page requests, often from randomly generated false addresses, that the Internet service provider’s email server or the web server is overloaded and shuts down.

A

denial-of-service

47
Q

the practice of driving around looking for unprotected home or corporate wireless networks.

A

war driving

48
Q

an encrypted tunnel used to transmit information securely across the Internet

A

Virtual Private Network (VPN)

49
Q

a hash encrypted with the creator's private key

A

digital signature

50
Q

used to store an entity’s public key, often found on web sites

A

digital certificate

51
Q

a document or file that must be decrypted to be read

A

ciphertext

52
Q

unwanted email

A

spam

53
Q

an encryption process that uses the same key to both encrypt and decrypt

A

symmetric encryption

54
Q

the inability to unilaterally deny having created a document or file or having agreed to perform a transaction

A

non-repudiation

55
Q

a document or file that can be read by anyone who accesses it

A

plaintext

56
Q

a process that transforms a document or file into a fixed length string of data

A

hashing