Chapter 4 What Companies Are Doing to Protect Information

Type: Homework Help
Pages: 9
Words: 2525
Authors: Brad Prince, R. Kelly Rainer

b) Risk analysis
c) Risk mitigation
d) Risk acceptance
e) Risk transference
49) Which of the following statements is false?
a) Credit card companies usually block stolen credit cards rather than prosecute.
b) People tend to shortcut security procedures because the procedures are inconvenient.
c) It is easy to assess the value of a hypothetical attack.
d) The online commerce industry isn’t willing to install safeguards on credit card transactions.
e) The cost of preventing computer crimes can be very high.
50) In _____, the organization takes concrete actions against risks.
a) risk management
b) risk analysis
c) risk mitigation
d) risk acceptance
e) risk transference
51) Which of the following is not a strategy for mitigating the risk of threats against information?
a) Continue operating with no controls and absorb any damages that occur.
b) Transfer the risk by purchasing insurance.
c) Implement controls that minimize the impact of the threat.
d) Install controls that block the risk.
e) All of the above are strategies for mitigating risk.
52) In _____, the organization purchases insurance as a means to compensate for any loss.
a) risk management
b) risk analysis
c) risk mitigation
d) risk acceptance
e) risk transference
53) Which of the following statements concerning the difficulties in protecting information resources is not correct?
a) Computing resources are typically decentralized.
b) Computer crimes often remain undetected for a long period of time.
c) Rapid technological changes ensure that controls are effective for years.
d) Employees typically do not follow security procedures when the procedures are inconvenient.
e) Computer networks can be located outside the organization.
54) _____ controls are concerned with user identification, and they restrict unauthorized individuals from using
information resources.
a) Access
b) Physical
c) Data security
d) Administrative
e) Input
55) Access controls involve _____ before _____.
a) biometrics, signature recognition
b) authentication, authorization
c) iris scanning, voice recognition
d) strong passwords, biometrics
e) authorization, authentication
56) Biometrics are an example of:
a) something the user is.
b) something the user wants.
c) something the user has.
d) something the user knows.
e) something the user does.
57) Voice and signature recognition are examples of:
a) something the user is.
b) something the user wants.
c) something the user has.
d) something the user knows.
e) something the user does.
58) Passwords and passphrases are examples of:
a) something the user is.
b) something the user wants.
c) something the user has.
d) something the user knows.
e) something the user does.
59) Which of the following is not a characteristic of strong passwords?
a) They are difficult to guess.
b) They contain special characters.
c) They are not a recognizable word.
d) They are not a recognizable string of numbers.
e) They tend to be short so they are easy to remember.
60) Which of the following is not an example of a weak password?
a) IloveIT
b) 08141990
c) 9AmGt/*
d) Rainer
e) InformationSecurity
61) Bob is using public key encryption to send a message to Ted. Bob encrypts the message with Ted’s _____ key, and
Ted decrypts the message using his _____ key.
a) public, public
b) public, private
c) private, private
d) private, public
e) none of these
62) Which of the following statements concerning firewalls is not true?
a) Firewalls prevent unauthorized Internet users from accessing private networks.
b) Firewalls examine every message that enters or leaves an organization’s network.
c) Firewalls filter network traffic according to categories of activities that are likely to cause problems.
d) Firewalls filter messages the same way as anti-malware systems do.
e) Firewalls are sometimes located inside an organization’s private network.
63) In a process called _____, a company allows nothing to run unless it is approved, whereas in a process called _____,
the company allows everything to run unless it is not approved.
a) whitelisting, blacklisting
b) whitelisting, encryption
c) encryption, whitelisting
d) encryption, blacklisting
e) blacklisting, whitelisting
64) Organizations use hot sites, warm sites, and cold sites to ensure business continuity. Which of the following statements
is not true?
a) A cold site has no equipment.
b) A warm site has no user workstations.
c) A hot site needs to be located close to the organization’s offices.
d) A hot site duplicates all of the organization’s resources.
e) A warm site does not include actual applications.
65) Compare trade secrets, patents, and copyrights as forms of intellectual property.
66) Contrast unintentional and deliberate threats to an information resource. Provide examples of both.
67) Contrast the following types of remote attacks: virus, worm, phishing, and spear phishing.
68) Contrast the following types of attacks created by programmers: Trojan horse, back door, and logic bomb.
69) Contrast spyware and spamware.
70) Contrast risk acceptance, risk limitation, and risk transference.
71) Describe public key encryption.
72) Compare a hot site, a warm site, and a cold site as strategies for business continuity.
73) Contrast the four types of authentication.
74) Identify and discuss the factors that are contributing to the increasing vulnerability of organizational information
assets.
75) Define identity theft, and explain the types of problems that it creates for the victims.
76) Discuss the possible consequences of a terrorist attack on a supervisory control and data acquisition (SCADA) system.
77) Define the principle of least privilege, and consider how an organization’s senior executives might view the
application of this principle.
78) Explain why anti-malware software is classified as reactive.
79) Describe how a digital certificate works.
80) You start a dog-walking service, and you store your clients’ records on your cell phone. You don’t need to worry
about information security.
81) Your company’s headquarters was just hit head on by a hurricane, and the building has lost power. The company
sends you to their hot site to minimize downtime from the disaster. Which of the following statements is true?
a) The site will not have any servers.
b) The site will not have any workstations, so you need to bring your laptop.
c) The site is probably in the next town.
d) The site should be an almost exact replica of the IT configuration at headquarters.
e) The site will not have up-to-date data.
82) You receive an e-mail from your bank informing you that they are updating their records and need your password.
Which of the following statements is true?
a) The message could be an industrial espionage attack.
b) The message could be a phishing attack.
c) The message could be a denial of service attack.
d) The message could be a back door attack.
e) The message could be a Trojan horse attack.
83) You start a new job, and the first thing your new company wants you to do is create a user ID and a password. Which
of the following would be a strong password?
a) The name of the company
b) Your last name
c) Your birthdate
d) Your initials (capitalized) and the number of the floor you are on
e) The name of the company spelled backward
84) You start a new job, and human resources gives you a ten-page document that outlines the employee responsibilities
for information security. Which of the following statements is most likely to be true?
a) The document recommends that login passwords be left on a piece of paper in the center desk drawer so that others can
use the laptop if necessary.
b) You are expected to read the document, and you could be reprimanded if you don’t follow its guidelines.
c) You can back up sensitive data to a thumb drive so you can take them home to work with.
d) The document indicates that you can leave your laptop unlocked if you leave your desk for less than an hour.
e) The document permits you to lend your laptop to your brother for the weekend.
85) Tim ventured out into the world of retail by renting a cart at a local mall. His product is personalized coffee mugs. He
uses his laptop to track sales and to process credit card sales. He has a customer mailing list that is updated by customers
on the laptop as well. At the end of each day, Tim backs up all of his data to a thumb drive and puts the drive into the
laptop case with the laptop. Discuss Tim’s information security strategy.