Q:
________ entails investigating the IT security of external companies and the implications of close IT partnerships before implementing interconnectivity.
A) Auditing
B) Due diligence
C) Peer-to-peer security
D) Vulnerability testing
Q:
Placing IT auditing in an existing auditing department would give independence from IT security.
Q:
________ examines IT processes for efficiency, effectiveness, and adequate controls.
A) Internal auditing
B) Financial auditing
C) IT auditing
D) None of the above
Q:
________ examines financial processes for efficiency, effectiveness, and adequate controls.
A) Internal auditing
B) Financial auditing
C) IT auditing
D) None of the above
Q:
________ examines organizational units for efficiency, effectiveness, and adequate controls.
A) Internal auditing
B) Financial auditing
C) IT auditing
D) None of the above
Q:
In order to demonstrate support for security, top management must ________.
A) ensure that security has an adequate budget
B) support security when there are conflicts between the needs of security and the needs of other business functions
C) follow security procedures themselves
D) All of the above
Q:
Most IT security analysts recommend placing IT security functions within the IT department.
Q:
Independence is best provided for IT security by placing it within the IT department.
Q:
Placing security within IT ________.
A) creates independence
B) is likely to give security stronger backing from the IT department
C) Both A and B
D) Neither A nor B
Q:
The manager of the security department often is called ________.
A) the chief security officer (CSO)
B) the chief information security officer (CISO)
C) Either A or B
D) Neither A nor B
Q:
In FISMA, ________ is done internally by the organization.
A) certification
B) accreditation
C) Both A and B
D) Neither A nor B
Q:
What type of organization is subject to FISMA?
A) E-commerce firms
B) Medical firms
C) Government organizations
D) Companies that accept credit card payments
Q:
Which companies do PCI-DSS affect?
A) E-commerce firms
B) Medical firms
C) Government organizations
D) Companies that accept credit card payments
Q:
The FTC can ________.
A) impose fines
B) require annual audits by external auditing firms for many years
C) Both A and B
D) Neither A nor B
Q:
The FTC can act against companies that fail to take reasonable precautions to protect privacy information.
Q:
Data breach notification laws typically ________.
A) require companies to notify affected people if sensitive personally identifiable information is stolen or even lost
B) have caused companies to think more about security
C) Both A and B
D) Neither A nor B
Q:
________ specifically addresses data protection requirements at health care institutions.
A) GLBA
B) HIPAA
C) Sarbanes-Oxley
D) The SEC Act
Q:
________ specifically addresses data protection requirements at financial institutions.
A) GLBA
B) HIPAA
C) The Revised SEC Act
D) Sarbanes-Oxley
Q:
When companies studied where they stored private information, they found that much of this information was stored inside spreadsheets and word processing documents.
Q:
A ________ is a material deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement in the annual or interim financial statements will not be prevented or detected.
A) material control failure
B) material control deficiency
C) critical control deficiency
D) critical control failure
Q:
Compliance laws and regulations ________.
A) create requirements to which security must respond
B) can be expensive for IT security
C) Both A and B
D) Neither A nor B
Q:
The factors that require a firm to change its security planning, protection, and response are called driving forces.
Q:
A company should consider a list of possible remediation plans as an investment portfolio.
Q:
After performing a preliminary security assessment, a company should develop a remediation plan for EVERY security gap identified.
Q:
Once a company's resources are enumerated, the next step is to ________.
A) create a protection plan for each
B) assess the degree to which each is already protected
C) enumerate threats to each
D) classify them according to sensitivity
Q:
The first step in developing an IT security plan is to ________.
A) determine needs
B) assess the current state of the company's security
C) create comprehensive security
D) prioritize security projects
Q:
It is a good idea to view the security function as a police force or military organization.
Q:
IT security people should maintain a negative view of users.
Q:
The key to security being an enabler is ________.
A) getting it involved early within the project
B) having strong corporate policies
C) extensive training
D) adequate spending on security
Q:
Strong security can be an enabler, allowing a company to do things it could not do otherwise.
Q:
What is missing from the definition of response as "recovery?"
A) The phrase "according to plan" must be added to "recovery."
B) The definition must refer to specific resources.
C) The phrase "Reasonable degree of" must begin the definition.
D) The phrase "and prosecution" must be added after "recovery."
Q:
________ is the plan-based creation and operation of countermeasures.
A) Planning
B) Protection
C) Response
D) All of the above
Q:
The stage of the plan-protect response cycle that consumes the most time is ________.
A) planning
B) protection
C) response
D) each of the above consumes about the same amount of time
Q:
Planning, protection, and response follow a fairly strict sequence from one stage to another.
Q:
Many compliance regimes require firms to adopt a specific formal governance framework to drive security planning and operational management.
Q:
The growing number of compliance laws and regulations is driving firms to use formal governance frameworks to guide their security processes.
Q:
A planned series of actions in a corporation is a(n) ________.
A) strategy
B) sequence
C) process
D) anomaly
Q:
Which of the following is a formal process?
A) Annual corporate planning
B) Planning and developing individual countermeasures
C) Both A and B
D) Neither A nor B
Q:
A ________ occur(s) when a single security element failure defeats the overall security of a system.
A) spot failure
B) weakest link failure
C) defense in depth departure
D) critical failure
Q:
Closing all routes of attack into an organization's system(s) is called ________.
A) defense in depth
B) comprehensive security
C) total security
D) access control
Q:
This book focuses on ________.
A) offense
B) defense
C) offense and defense about equally
D) None of the above
Q:
Terrorists can use IT to ________.
A) destroy utilities
B) finance their terrorism
C) Both A and B
D) Neither A nor B
Q:
Countries would engage in cyberwar ________.
A) before a physical attack
B) after a physical attack
C) Both A and B
D) Neither A nor B
Q:
Cyberwar consists of computer-based attacks conducted by ________.
A) national governments
B) terrorists
C) Both A and B
D) Neither A nor B
Q:
________ may engage in commercial espionage against a firm.
A) Competitors
B) National governments
C) Both A and B
D) Neither A nor B
Q:
Which of the following are ways that trade secret espionage occurs?
A) Theft through interception
B) By bribing an employee
C) None of the above
D) All of the above
Q:
Trade secret theft can occur through interception, hacking, and other traditional cybercrimes.
Q:
If a company wishes to prosecute people or companies that steal its trade secrets, it must take ________ precautions to protect those trade secrets.
A) at least some
B) reasonable
C) extensive
D) no (Trade secret protection is automatic under the law.)
Q:
When a company visits a website to collect public information about a competitor, this is a form of trade secret espionage.
Q:
Under current U.S. federal laws, if a company allows personal information to be stolen, it may be subject to government fines.
Q:
Carding is more serious than identity theft.
Q:
Stealing credit card numbers is also known as ________.
A) identity theft
B) carding
C) Both A and B
D) Neither A nor B
Q:
Identity theft is stealing credit card numbers.
Q:
________ threaten to do at least temporary harm to the victim company's IT infrastructure unless the victim pays the attacker.
A) Extortionists
B) Fraudsters
C) Bluffers
D) DoSers
Q:
________ is a form of online fraud in which bogus clicks are performed to charge the advertiser without creating potential new customers.
A) Click fraud
B) Extortion
C) E-theft
D) False reporting
Q:
In fraud, the attacker deceives the victim into doing something against the victim's financial self-interest.
Q:
Money mules transfer stolen money for criminals and take a small percentage for themselves.
Q:
Many e-commerce companies will not ship to certain countries because of a high rate of consumer fraud. To get around this, attackers use ________.
A) IP address spoofing
B) host name spoofing
C) money mules
D) transshippers
Q:
Cybercriminals avoid black market forums.
Q:
Prosecuting attackers in other countries is relatively straightforward under existing computer crime laws.
Q:
Compared to non-computer crime, computer crime is very small.
Q:
The dominant type of attacker today is the ________.
A) wizard hacker
B) IT or security employer
C) national government
D) career criminal
Q:
Sophisticated attacks often are difficult to identify amid the "noise" of many ________ attacks.
A) distributed malware
B) DoS attacks
C) script kiddie
D) virus
Q:
One of the two characterizations of expert hackers is ________.
A) automated attack tools
B) dogged persistence
C) Both A and B
D) Neither A nor B
Q:
Botnets usually have multiple owners over time.
Q:
A botmaster can remotely ________.
A) fix a bug in the bots
B) update bots with new functionality
C) Both A and B
D) Neither A nor B
Q:
A(n) ________ attack requires a victim host to prepare for many connections, using up resources until the computer can no longer serve legitimate users. (Choose the most specific choice.)
A) DoS
B) directly-propagating worm
C) distributed malware
D) SYN Flooding
Q:
Generally speaking, script kiddies have high levels of technical skills.
Q:
Which of the following are examples of social engineering?
A) Wearing a uniform to give the appearance that you work at a business
B) Gaining unauthorized access by following an authorized individual into a business
C) None of the above
D) All of the above
Q:
A(n) ________ attack attempts to make a server or network unavailable to serve legitimate users by flooding it with attack packets.
A) virus
B) directly-propagating worm
C) DoS
D) bot
Q:
Social engineering is rarely used in hacking.
Q:
In pretexting, an attacker calls claiming to be a certain person in order to ask for private information about that person.
Q:
Watching someone type their password in order to learn the password is called ________.
A) piggybacking
B) shoulder surfing
C) Both A and B
D) Neither A nor B
Q:
Following someone through a secure door for access without using an authorized ID card or pass code is called ________. (Choose the most specific answer.)
A) door hacking
B) social engineering
C) piggybacking
D) shoulder surfing
Q:
To obtain IP addresses through reconnaissance, an attacker can use ________.
A) IP address spoofing
B) a chain of attack computers
C) Both A and B
D) Neither A nor B
Q:
The primary purpose for attackers to send port scanning probes to hosts is to identify which ports are open.
Q:
Attackers cannot use IP address spoofing in port scanning attack packets.
Q:
Sending packets with false IP source addresses is called ________.
A) an IP address scanning attack
B) IP address spoofing
C) a port scanning attack
D) None of the above
Q:
ICMP Echo messages are often used in ________.
A) IP address scanning
B) port scanning
C) Both A and B
D) Neither A nor B
Q:
In response to a chain of attack, victims can often trace the attack back to the final attack computer.