MIS CHAPTER 10 – SECURITY

A ________ is a person or an organization that seeks to obtain or alter data or other IS assets illegally, without the owner’s permission and often without the owner’s knowledge.

threat

Which of the following is considered a threat caused by human error?
A) an employee inadvertently installing an old database on top of the current one
B) an employee intentionally destroying data and system components
C) a virus and worm writer infecting computer systems
D) a hacker breaking into a system to steal for financial gain

an employee inadvertently installing an old database on top of the current one

Which of the following is considered a computer crime?
A) deletion of records by an employee who is unaware of operating procedures
B) poorly written programs resulting in data losses
C) loss of data as a result of flooding
D) hacking of information systems

hacking of information systems

________ occurs when someone deceives by pretending to be someone else.

Pretexting

In the context of security threats, pretexting, sniffing, spoofing, and phishing are all examples of ________.

unauthorized data disclosure

A ________ pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, Social Security numbers, account passwords,

phisher

Email spoofing is a synonym for ________.

phishing

________ is a technique for intercepting computer communications through a physical connection to a network or without a physical connection in the case of wireless

Sniffing

________ take computers with wireless connections through an area and search for unprotected wireless networks, and then monitor and intercept wireless traffic on unsecured wireless networks.

Drive-by sniffers

Which of the following is a sniffing technique?
A) IP spoofing
B) caches
C) denial of service
D) adware

adware

________ involves breaking into a network to steal data such as customer lists, product inventory data, employee data, and other proprietary and confidential data.
A) Pretexting
B) Phishing
C) Hacking
D) Spoofing

Hacking

Which of the following is most likely to be a result of hacking?
A) certain Web sites being censored for hurting sentiments
B) small amounts of spam in a user’s inbox
C) an unauthorized transaction from a user’s credit card
D) pop-up ads appearing frequently

an unauthorized transaction from a user’s credit card

________ occurs through human error when employees do not follow proper procedures or when procedures have not been well designed.

Incorrect data modification

________ occurs when computer criminals invade a computer system and replace legitimate programs with their own, unauthorized ones that shut down legitimate applications.

Usurpation

Which of the following usually happens in a malicious denial-of-service attack?
A) a hacker monitoring and intercepts wireless traffic at will
B) a hacker floods a Web server with millions of bogus service requests
C) an intruder using another site’s IP address to masquerade as that other site
D) a phisher pretending to be a legitimate company and requesting confidential data

a hacker floods a Web server with millions of bogus service requests

________ present(s) the largest risk for an organization’s infrastructure loss.

Natural disasters

Which of the following statements is true about losses to computer security threats?
A) Surveys on computer crimes provide accurate results since they use standard parameters to measure and tally computer crime costs.
B) Surveys suggest that some organizations do not report all their computer crime losses, and some will not report such losses at all.
C) Losses due to natural disasters can be measured accurately.
D) Losses due to human error are insignificant.

Surveys suggest that some organizations do not report all their computer crime losses, and some will not report such losses at all.

Which of the following is a personal security safeguard?
A) sending valuable data only via email or IM
B) using single password for all the sites
C) removing high-value assets from computers
D) storing browsing history, temporary files, and cookies

removing high-value assets from computers

Nonword passwords are vulnerable to a ________ attack in which the password cracker tries every possible combination of characters.

brute force

________ are small files that enables a browser to access Web sites without having to sign in every time.

Cookies

Removing and disabling ________ that may contain sensitive security data presents an excellent example of the trade-off between improved security and cost.

cookies

Which of the following is a critical security function that should be addressed by the senior management of an organization?
A) sharing the private key with all systems connected to the network
B) creating IS security software programs
C) establishing the security policy
D) avoiding the use of perimeter firewalls

establishing the security policy

In information security, which of the following is true about managing risk?
A) All organizations except financial institutions should invest heavily in security safeguards.
B) Organizations should implement safeguards that balance the trade-off between risk and cost.
C) Passwords are classified as technical safeguards.
D) Physical security is classified as human safeguards.

Organizations should implement safeguards that balance the trade-off between risk and cost.

Which of the following was passed to give individuals the right to access their own health data created by doctors and other healthcare providers?
A) the Privacy Act of 1974
B) the Sarbanes-Oxley Act
C) the HIPAA of 1996
D) the Gramm-Leach-Bliley Act

the HIPAA of 1996

Which of the following is classified as a technical safeguard?
A) cookies
B) firewalls
C) key escrow
D) passwords

firewalls

A(n) ________ has a microchip in it to hold data.

smart card

Users of smart cards are required to enter a ________ to be authenticated.

personal identification number

Which of the following is used for biometric authentication?
A) smart cards
B) facial features
C) passwords
D) personal identification numbers

facial features

Which of the following statements is true about biometric identification?
A) It involves the use of a personal identification number (PIN) for authentication.
B) It provides weak authentication.
C) It is a relatively inexpensive mode of authentication.
D) It often faces resistance from users for its invasive nature.

It often faces resistance from users for its invasive nature.

A ________ is a number used to encrypt data.

key

In asymmetric encryption, each site has a ________ for encoding messages.

public key

With ________, the sender and receiver transmit a message using different keys.

asymmetric encryption

Secure Sockets Layer is also known as ________.

Transport Layer Security

Which of the following statements is true about the Secure Sockets Layer (SSL)?
A) It uses asymmetric encryption exclusively.
B) It is used to send sensitive data such as credit card numbers.
C) It uses one set of encryption keys for multiple sessions.
D) It is a stronger version of https.

It is used to send sensitive data such as credit card numbers.

Mark is transferring funds online through the Web site of a reputed bank. Which of the following will be displayed in the address bar of his browser that will let him know that the bank is using the Secure Sockets Layer (SSL) protocol?

https

A ____ examines each part of a message and determines whether to let that part pass.

packet-filtering firewall

Packet-filtering firewalls ________.

can filter both inbound and outbound traffic

________ is a broad category of software that includes viruses, spyware, and adware.

Malware

In the context of malware protection, the program code that causes the unwanted actions is called the ________.

payload

________ are viruses that masquerade as useful programs or files.

Trojan horses

A ________ is a type of virus that self-propagates using the Internet or other computer network.

worm

________ is similar to spyware in that it is installed without the user’s permission and that it resides in the background and observes user behavior.

Adware

Which of the following is likely to be accepted by a poorly designed application thereby leading to improper disclosure of data?
A) public key
B) asymmetric encryption
C) key escrow
D) SQL injection

SQL injection

________ refers to an organization-wide function that is in charge of developing data policies and enforcing data standards.

Data administration

________ is a function pertaining to a particular database that develops procedures and practices to control and protect the database.

Database administration

Which of the following statements is true about data administration?
A) It is a line function to the chief information officer.
B) It merely involves developing data policies.
C) It applies to individuals and not to the entire organization.
D) It is involved in establishing data safeguards.

It is involved in establishing data safeguards.

Key escrow is a(n) ________.

safety procedure that allows a trusted party to have a copy of the encryption key

________ protect databases and other organizational data.

Data safeguards

The computers that run the DBMS and all devices that store database data should reside in locked, controlled-access facilities. This is done to ________.

provide physical security

Which of the following statements is true about the position definitions component of human safeguards?
A) System administrators should retain user accounts after an employee has been terminated.
B) All employees must be provided with uniform, general training on security regardless of the sensitivity of their positions.
C) Documenting position sensitivity enables security personnel to prioritize their activities based on possible risk.
D) Holding public users of Web sites accountable for security violations is easy and inexpensive.

Documenting position sensitivity enables security personnel to prioritize their activities based on possible risk.

________ involve the people and procedure components of information systems.

Human safeguards

Which of the following statements is true about human safeguards for employees?
A) Security screening in an organization is a one-time process and applies only to new employees.
B) User accounts should be defined to give users the least possible privilege needed to perform their jobs.
C) Companies should provide user accounts and passwords to employees prior to their security training.
D) System administrators should retain user accounts after an employee has been terminated.

User accounts should be defined to give users the least possible privilege needed to perform their jobs.

When an employee is terminated, IS administrators should receive advance notice so that they can ________.

remove the user account and password

________ a Web site means to take extraordinary measures to reduce a system’s vulnerability using special versions of the operating system.

Hardening

The process of hardening a Web site is a ________ safeguard.

technical

________ are the primary means of authentication for a user’s computer and other networks and servers to which the user may have access.

Passwords

Which of the following systems procedures is specifically the responsibility of operations personnel?
A) writing software program codes
B) using systems to perform job tasks
C) creating back up of system databases
D) knowing whom to contact when a security breach occurs

creating back up of system databases

________ involves accomplishing job tasks during failure.

Recovery

Firewalls produce ________ that include lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall.

activity logs

________ are false targets for computer criminals to attack.

Honeypots