AIS Chapter 8 Revision: Controls for Information Security (and the last part of Dr. Ahmed's material)

1) The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as
A) availability.
B) security.
C) maintainability.
D) integrity.
Answer: A

2) According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that
A) is available for operation and use at times set forth by agreement.
B) is protected against unauthorized physical and logical access.
C) can be maintained as required without affecting system availability, security, and integrity.
D) is complete, accurate, and valid.
Answer: D

3) Kuzman Jovan called a meeting of the top management at Jovan Capital Management. Number one on the agenda was computer system security. "The risk of security breach incidents has become unacceptable," he said, and turned to the Chief Information Officer. "What do you intend to do?" Which of the following is the best answer?
A) Evaluate and modify the system using COBOL.
B) Evaluate and modify the system using the CTC checklist.
C) Evaluate and modify the system using the Trust Services framework.
D) Evaluate and modify the system using the COSO Internal Control Framework.
Answer: C

4) Which of the following is not one of the three fundamental information security concepts?
A) Information security is a technology issue based on prevention.
B) Security is a management issue, not a technology issue.
C) The idea of defense-in-depth employs multiple layers of controls.
D) The time-based model of security focuses on the relationship between preventive, detective and corrective controls.
Answer: A

5) Which of the following is not one of the essential criteria for successfully implementing each of the principles that contribute to systems reliability, as discussed in the Trust Services Framework?
A) developing and documenting policies
B) effectively communicating policies to all outsiders
C) designing and employing appropriate control procedures to implement policies
D) monitoring the system and taking corrective action to maintain compliance with policies
Answer: B

6) If the time an attacker takes to break through the organization's preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is
A) effective.
B) ineffective.
C) overdone.
D) undermanaged.
Answer: A

7) It was 8:03 A.M. when Jiao Jan, the Network Administrator for South Asian Technologies, was informed that the intrusion detection system had identified an ongoing attempt to breach network security. By the time that Jiao had identified and blocked the attack, the hacker had accessed and downloaded several files from the company's server. Using the notation for the time-based model of security, in this case
A) D > P
B) P > D
C) P > C
D) C > P
Answer: A

8) There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the "black hat" hackers. He had researched an exploit and determined that he could penetrate the target system, download a file containing valuable data, and cover his tracks. Six minutes into the attack he was locked out of the system. Using the notation of the time-based model of security, which of the following must be true?
A) P < 6
B) D = 6
C) P = 6
D) P > 6
Answer: D

9) Information security procedures protect information integrity by
A) preventing fictitious transactions.
B) reducing the system cost.
C) making the system more efficient.
D) making it impossible for unauthorized users to access the system.
Answer: A

10) Identify one aspect of systems reliability that is not a source of concern with regards to a public cloud.
A) confidentiality
B) privacy
C) efficiency
D) availability
Answer: C

11) Identify the primary means of protecting data stored in a cloud from unauthorized access.
A) authentication
B) authorization
C) virtualization
D) securitization
Answer: A

12) True or False: Cloud computing can potentially generate significant cost savings for an organization.
Answer: TRUE

13) True or False: Cloud computing is generally more secure than traditional computing.
Answer: FALSE

14) The Trust Services Framework reliability principle that states sensitive information be protected from unauthorized disclosure is known as
A) availability.
B) security.
C) confidentiality.
D) integrity.
Answer: C

15) The Trust Services Framework reliability principle that states personal information should be protected from unauthorized disclosure is known as
A) availability.
B) security.
C) privacy.
D) integrity.
Answer: C

16) The Trust Services Framework reliability principle that states access to the system and its data should be controlled and restricted to legitimate users is known as
A) availability.
B) security.
C) privacy.
D) integrity.
Answer: B

17) Identify the statement below which is not a useful control procedure regarding access to system outputs.
A) restricting access to [rest of the option not recoverable from the source]
B) coding reports to reflect their importance
C) allowing visitors to move through the building without supervision
D) requiring employees to log out of applications when leaving their desk
Answer: C

18) Verifying the identity of the person or device attempting to access the system is an example of
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Answer: A

19) Restricting access of users to specific portions of the system as well as specific tasks is an example of
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Answer: B

20) ______ is/are an example of a preventive control.
A) Emergency response teams
B) Encryption
C) Log analysis
D) Intrusion detection
Answer: B

21) Which of the following is not a requirement of effective passwords?
A) Passwords should be changed at regular intervals.
B) Passwords should be no more than 8 characters in length.
C) Passwords should contain a mixture of upper and lowercase letters, numbers and characters.
D) Passwords should not be words found in dictionaries.
Answer: B

22) Multi-factor authentication
A) involves the use of two or more basic authentication methods.
B) is a table specifying which portions of the system users are permitted to access.
C) provides weaker authentication than the use of effective passwords.
D) requires the use of more than one effective password.
Answer: A

23) Identify the best description of an access control matrix below.
A) does not have to be updated
B) is used to implement authentication controls
C) matches the user's authentication credentials to his authorization
D) is a table specifying which portions of the system users are permitted to access
Answer: D

24) Software or a device running on a computer, which filters the information that is allowed to enter and leave the organization's information system, is known as a(n)
A) demilitarized zone.
B) intrusion detection system.
C) intrusion prevention system.
D) firewall.
Answer: D

25) This protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet.
A) access control list
B) Internet protocol
C) packet switching protocol
D) transmission control protocol
Answer: D

26) [Question stem and options not recoverable from the source.]
Answer: B

27) This network access control determines which IP packets are allowed entry to a network and which are dropped.
A) access control list
B) deep packet inspection
C) stateful packet filtering
D) static packet filtering
Answer: A

28) Compatibility tests utilize a(n) ______, which is a list of authorized users, programs, and data files the users are authorized to access or manipulate.
A) validity test
B) biometric matrix
C) logical control matrix
D) access control matrix
Answer: D

29) The process that allows a firewall to be more effective by examining the data in the body of an IP packet, instead of just the header, is known as
A) deep packet inspection.
B) stateful packet filtering.
C) static packet filtering.
D) an intrusion prevention system.
Answer: A

30) The security technology that evaluates IP packet traffic patterns in order to identify attacks against a system is known as
A) an intrusion prevention system.
B) stateful packet filtering.
C) static packet filtering.
D) deep packet inspection.
Answer: A

31) Which of the below keeps a record of the network traffic permitted to pass through a firewall?
A) intrusion detection system
B) vulnerability scan
C) log analysis
D) penetration test
Answer: A

32) This is an authorized attempt by an internal audit team or an external security consultant to break into the organization's information system.
A) log analysis
B) intrusion detection system
C) penetration test
D) vulnerability scan
Answer: C

33) A well-known hacker started his own computer security consulting business shortly after being released from prison. Many companies pay him to attempt to gain unauthorized access to their network. If he is successful, he offers advice as to how to design and implement better controls. What is the name of the testing for which the hacker is being paid?
A) penetration test
B) vulnerability scan
C) deep packet inspection
D) buffer overflow test
Answer: A

34) The ______ disseminates information about fraud, errors, breaches and other improper system uses.
A) chief information officer
B) [option not recoverable from the source]
C) chief [word missing] officer
D) computer emergency response team
Answer: [not recoverable from the source]

35) A U.S. financial institution hired a security firm to attempt to compromise its computer network. A week later, the firm reported that it had successfully entered the network without apparent detection and presented an analysis of the vulnerabilities that had been found. This is an example of a
A) preventive control.
B) detective control.
C) corrective control.
D) standard control.
Answer: B

(The source sheet restarts its numbering at 32 here; the original numbers are kept.)

32) Noseybook is a social networking site that boasts over a million registered users and a quarterly membership growth rate in the double digits. As a consequence, the size of the information technology department has been growing very rapidly, with many new hires. Each employee is provided with a name badge with a photo and embedded computer chip that is used to gain entry to the facility. This is an example of a(n)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.
Answer: A

33) When new employees are hired by Pacific Technologies, they are assigned user names and appropriate permissions are entered into the information system's access control matrix. This is an example of a(n)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.
Answer: D

34) The most effective method for protecting an organization from social engineering attacks is providing
A) a firewall.
B) stateful packet filtering.
C) a demilitarized zone.
D) employee awareness training.
Answer: D

35) The most effective way to protect network resources that are exposed to the Internet, yet reside outside of a network, is
A) a firewall.
B) employee training.
C) a demilitarized zone.
D) stateful packet filtering.
Answer: C

36) A border router
A) routes electronic communications within an organization.
B) connects an organization's information system to the Internet.
C) permits controlled access from the Internet to selected resources.
D) serves as the main firewall.
Answer: B

37) A demilitarized zone
A) routes electronic communications within an organization.
B) connects an organization's information system to the Internet.
C) permits controlled access from the Internet to selected resources.
D) serves as the main firewall.
Answer: C

38) [Question stem and option A not recoverable from the source.]
B) the performance
C) the procedure(s)
D) the penalty
Answer: A

39) Which of the following statements is true?
A) The concept of defense-in-depth reflects the fact that security involves the use of a few sophisticated technical controls.
B) Information security is necessary for protecting confidentiality, privacy, integrity of processing, and availability of information resources.
C) The time-based model of security can be expressed in the following formula: P [rest of the formula not recoverable from the source]
D) Information security is primarily an IT issue, not a managerial concern.
Answer: B

40) Which of the following is a preventive control?
A) training
B) log analysis
C) CIRT
D) virtualization
Answer: A

41) The control procedure designed to restrict what portions of an information system an employee can access and what actions he or she can perform is called ______.
A) authentication
B) authorization
C) intrusion prevention
D) intrusion detection
Answer: B

42) Which of the following is a detective control?
A) hardening endpoints
B) physical access controls
C) penetration testing
D) patch management
Answer: C

43) Which of the following techniques is the most effective way for a firewall to protect the perimeter?
A) deep packet inspection
B) packet filtering
C) access control list
D) All of the above are equally effective.
Answer: A

44) Which of the following combinations of credentials is an example of multifactor authentication?
A) voice recognition and a fingerprint reader
B) a PIN and an ATM card
C) a password and a user ID
D) all of the above
Answer: B

45) According to SysTrust, the reliability principle of integrity is achieved when
a) the system is available for operation and use at times set forth by agreement.
b) the system is protected against unauthorized physical and logical access.
c) the system can be maintained as required without affecting system availability, security, and integrity.
d) system processing is complete, accurate, timely, and authorized.
Answer: D

46) Which of the following is not one of the five basic principles that contribute to systems reliability according to the Trust Services framework?
a) Confidentiality
b) Processing speed
c) Security
d) System availability
Answer: B

48) Preventive controls include two related functions, which are:
a) Access and control
b) Authentication and authorization
c) Detection and correction
d) Physical access and logical access
Answer: B

49) Verifying the identity of the person or device attempting to access the system is
a) Authentication
b) Authorization
c) Identification
d) Threat monitoring
Answer: A

50) Restricting access of users to specific portions of the system as well as specific tasks is
a) Authentication
b) Authorization
c) Identification
d) Threat monitoring
Answer: B

51) An access control matrix
a) Does not have to be updated.
b) Is a table specifying which portions of the system users are permitted to access.
c) Is used to implement authentication controls.
d) Matches the user's authentication credentials to his authorization.
Answer: B

52) This determines which packets are allowed entry and which are dropped.
a) Access control list
b) Deep packet inspection
c) Stateful packet filtering
d) Static packet filtering
Answer: A

53) This process involves the firewall examining the data in the body of an IP packet.
a) Access control list
b) Deep packet inspection
c) Stateful packet filtering
d) Static packet filtering
Answer: B

54) The final layer of preventive controls.
a) Authentication
b) Authorization
c) Encryption
d) Intrusion detection
Answer: C

55) The process of transforming normal text into cipher text.
a) Encryption
b) Decryption
c) Filtering
d) Hardening
Answer: A

56) Which of the following is not one of the three important factors determining the strength of any encryption system?
a) Key length
b) Key management policies
c) Encryption algorithm
d) Privacy
Answer: D

57) [Question stem and options a and b not recoverable from the source.]
c) Encryption protects the privacy of information during transmission.
d) Encryption provides for both authentication and non-repudiation.
Answer: A

58) This creates logs of network traffic that was permitted to pass the firewall.
a) Intrusion detection system
b) Log analysis
c) Penetration test
d) Vulnerability scan
Answer: A

59) This is an authorized attempt by an internal audit team or an external security consultant to break into the organization's information system.
a) Intrusion detection system
b) Log analysis
c) Penetration test
d) Vulnerability scan
Answer: C

60) A more rigorous test of the effectiveness of an organization's computer security.
a) Intrusion detection system
b) Log analysis
c) Penetration test
d) Vulnerability scan
Answer: C

61) An arrangement whereby a user remotely accesses software, hardware, or other resources via a browser.
a) Intrusion detection system
b) Cloud computing
c) Penetration test
d) Filtering
Answer: B

62) Spoofing means:
a) Kidding someone about their firewall
b) Simulating a disaster to test the effectiveness of its recovery system
c) Posing as an authentic user to gain access to a computer system
d) Encrypting data for security purposes
Answer: C

63) An advantage of an extranet is that:
a) It can disseminate information corporate-wide
b) It can be accessed by selected trading partners
c) Users can employ common web browsers to access information in them
d) all of the above
Answer: D

64) Which of these is not an advantage of cloud computing?
a) Companies must update their own software, even if stored in the cloud
b) Companies save money on hardware or software costs
c) Gives access to distant vendors or software developers
d) Organizations pay as they go
Answer: A

65) One form of access security is determining authentic users by "what they know." Which of the following would be an example of such authentication?
a) Verifying a password
b) Biometric tests such as retina scans
c) Requesting that the user provide an employee identification card
d) Requiring the user to show a valid driver's license
Answer: A

66) Tricking users into providing personal information such as a social security number on a web site is
a) [option not recoverable from the source]
b) Spoofing
c) Proxy serving
d) Phishing
Answer: D

67) The term "spoofing" refers to:
a) Computer hijacking
b) Kidding
c) Posing as a legitimate computer user
d) Distributing junk mail
Answer: C

68) The purpose of a company firewall is to:
a) Guard against spoofing
b) Assist the IETF
c) Deny computer hackers access to sensitive data
d) all of the above
Answer: C

69) The term key in the context of data encryption refers to:
a) A physical key similar to a house key
b) A logical key similar to the primary key of a data file
c) A mathematical function used for encryption purposes
d) A computer function key that can be found on keyboards
Answer: C

70) Because Internet software is so convenient to use, many companies also create these items for internal communications purposes:
a) Intranets
b) Extranets
c) Firewalls
d) Domain address
Answer: A

71) Utilizing tax preparation software from a cloud service provider is an example of:
a) SaaS
b) PaaS
c) DEA
d) XML
Answer: A

72) All of the following are advantages of cloud computing except:
a) The client only pays for resources that it actually uses
b) The client gains additional control over its data
c) The provider, not the client, handles changes in processing volume
d) all of these are advantages of cloud computing
Answer: B

73) Which of these is not an example of a cloud service provider?
a) A company that performs backup services over the Internet
b) A company that performs payroll processing over the Internet
c) A company that provides janitorial services
d) all of these are examples of cloud service providers
Answer: C

74) An activity designed to steal a person's financial identity is
a) Phishing
b) hacking
c) password cracking
d) spyware
Answer: A

75) ______ is a public and global communication network that provides a direct connection to anyone over a local area network (LAN), and is an example of a virtual network.
a) Extranet
b) intranet
c) internet
d) browser
Answer: C

76) ______ is an internal organizational network that is based on Internet technologies and can be accessed only by authorized employees.
a) Extranet
b) intranet
c) internet
d) browser
Answer: B

77) ______ is used for internal communications purposes.
a) Extranet
b) intranet
c) internet
Answer: B (the source sheet gives C, but an internal communications network is an intranet, as question 70 and question 76 also state)

78) True or False: While most of the Internet has open access to the public, an intranet is private and is protected by a firewall.
Answer: True

79) True or False: One of the main advantages of an intranet is that it allows confidential internal information sharing.
Answer: True

80) ______ is an access control system that consists of hardware and software and that is placed between an organization's internal and external networks.
a) firewall
b) Access control list
c) Deep packet inspection
d) Stateful packet filtering
Answer: A

81) ______ is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
a) Decryption
[remaining options not recoverable from the source]
Answer: Encryption (compare question 55)

82) ______ is normal text that has not been encrypted.
a) ciphertext
b) Encryption
c) plaintext
d) Cookie
Answer: C

83) Transforming ciphertext back into plaintext is called ______.
a) Decryption
b) Encryption
c) plaintext
d) Cookie
Answer: A
84) Plaintext that was transformed into unreadable gibberish using encryption is ______.
a) ciphertext
b) Encryption
c) plaintext
d) Cookie
Answer: A

85) ______ is a form of encryption in which a single private key can both encrypt and decrypt information.
a) Decryption
b) Public key encryption
c) Cookie
d) Private key encryption
Answer: D

86) True or False: [statement about public and private keys not recoverable from the source.]
Answer: [not recoverable from the source]

87) ______ is protecting privacy by replacing sensitive personal information with fake data.
a) Decryption
b) tokenization
c) data masking
d) both b and c are the same
Answer: D

88) Cloud computing is ______.
a) a method of outsourcing the IT function
b) the use of applications offered by a service provider over the Internet
c) the delivery of different services through the Internet
d) storing and accessing data and programs over the Internet instead of on a computer's hard drive
e) all of the above are correct
Answer: B

89) ______ is the hardware resources that support the cloud services being provided, including servers, storage capabilities, network components, and other computing resources that allow customers to run software.
a) Software as a service (SaaS)
b) Infrastructure as a service (IaaS)
c) Platform as a service (PaaS)
d) cloud services
Answer: B

90) The resources or services provided by cloud providers include ______.
a) Software as a service (SaaS)
b) Infrastructure as a service (IaaS)
c) Platform as a service (PaaS)
d) all of the above
Answer: D

91) ______ is software that has been developed by cloud providers for use by multiple businesses.
a) Software as a service (SaaS)
b) Infrastructure as a service (IaaS)
c) Platform as a service (PaaS)
d) all of the above
Answer: A

92) Which type of cloud service allows customers to develop, run, and manage applications? Examples include using the cloud provider's operating system, services, and database.
a) Software as a service (SaaS)
b) Infrastructure as a service (IaaS)
c) Platform as a service (PaaS)
d) all of the above
Answer: C

93) The following are advantages of cloud computing except
a) cost saving
b) pay as you go
c) difficulty to customize cloud services
d) avoiding peak computing problems
Answer: C

94) Which of the following is a disadvantage of cloud computing?
a) [option not recoverable from the source]
b) failures or disasters at cloud providers
c) network connection dependency
d) all are disadvantages
Answer: D

95) True or False: One of the advantages of cloud computing is that you do not need to invest in IT infrastructure.
Answer: True

96) Which of the following is an advantage of cloud computing?
a) keeping virtual remote backups
b) higher speed
c) improving competition
d) access to distant vendors through e-mail
e) all are advantages of cloud computing
Answer: E

97) True or False: The users of cloud computing manage and control the underlying cloud infrastructure, including networks, operating systems or storage.
Answer: False

98) True or False: Security represents an advantage and a disadvantage of cloud computing at the same time.
Answer: True

99) All of the following are disadvantages of cloud computing except
a) language barriers when contracting with foreign providers
b) privacy problems
c) failures or disasters at cloud providers
d) all are disadvantages
Answer: D

100) Which of the following is not software provided by cloud providers?
a) customer relationship management
b) ERP
c) Microsoft applications
d) accounting software
e) all are software provided by cloud providers
Answer: E

101) True or False: Cloud computing is a way to increase IT capacity or add capabilities without having to invest in new infrastructure or new software.
Answer: True

102) Advantages of cloud computing include all of the following except
a) off-site access
b) network failure
c) access to specialized expertise or programs
d) keeping the software updated frequently
Answer: B

103) All of the following are disadvantages of cloud computing except
a) storage capabilities
b) loss of data control
c) language barriers
d) privacy problems
Answer: A

Matching exercise: match the following terms with their definitions (the answer letter precedes each term).

b. Authentication
m. Authorization
f. Demilitarized zone (DMZ)
r. Deep packet inspection
o. Router
j. Social engineering
k. Firewall
g. Border router
e. Penetration test

Definitions:
a. Code that corrects a flaw in a program.
b. Verification of claimed identity.
c. The firewall technique that filters traffic by comparing the information in packet headers to a table of established connections.
d. A flaw or weakness in a program.
e. A test to determine the time it takes to compromise a system.
f. A subnetwork that is accessible from the Internet but separate from the organization's internal network.
g. The device that connects the organization to the Internet.
h. The rules (protocol) that govern routing of packets across networks.
i. The rules (protocol) that govern the division of a large file into packets and subsequent reassembly of the file from those packets.
j. An attack that involves deception to obtain access.
k. A device that provides perimeter security by filtering packets.
l. The set of employees assigned responsibility for resolving problems and incidents.
m. Restricting the actions that a user is permitted to perform.
n. Improving security by removal or disabling of unnecessary programs and features.
o. A device that uses the Internet Protocol (IP) to send packets across networks.
p. A detective control that identifies weaknesses in devices or software.
q. A firewall technique that filters traffic by examining the packet header of a single packet in isolation.
r. A firewall technique that filters traffic by examining not just packet header information but also the contents of a packet.
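Definitions c, q and r above (and questions 27, 29, 52 and 53) distinguish static packet filtering, stateful packet filtering and deep packet inspection by what each one looks at. The following added Python example, which is not part of the revision sheet, runs the same four constructed packets through a toy version of each technique so the difference becomes visible: the static filter must admit any inbound packet that merely claims to be a web reply, the stateful filter admits replies only to connections an inside host opened, and deep packet inspection is the only one that can reject an otherwise permitted request because of its body. The addresses, ports and payload signatures are assumptions chosen for illustration, not rules from any real product.

```python
"""Static packet filtering (q), stateful packet filtering (c) and deep packet
inspection (r) side by side on constructed packets. Added example; the network,
host addresses and signatures below are assumed for illustration."""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network
WEB = "10.0.0.5"                               # assumed internal web server published on port 80

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # TCP SYN: an inside host is opening a new connection
    payload: bytes = b""

def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE

# (q) Static packet filtering: every packet is judged alone against fixed rules.
# To let inside clients receive web replies, a static rule has to admit ANY inbound
# packet whose source port is 80, a value the sender chooses freely.
def static_filter(pkt: Packet) -> str:
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "allow"                         # outbound traffic
    if pkt.dst == WEB and pkt.dport == 80:
        return "allow"                         # inbound to the published web server
    if is_inside(pkt.dst) and pkt.sport == 80:
        return "allow"                         # inbound "web replies", header only
    return "deny"

# (c) Stateful packet filtering: headers are compared with a table of established
# connections, so inbound packets are admitted only as replies to tracked ones.
class StatefulFilter:
    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            if pkt.syn:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"                     # reply to a connection we opened
        if pkt.dst == WEB and pkt.dport == 80:
            return "allow"                     # the one published service
        return "deny"

# (r) Deep packet inspection: look past the header into the packet body.
SIGNATURES = [b"../../", b"' or 1=1", b"<script>"]   # assumed demo signatures only

def deep_inspect(pkt: Packet) -> str:
    body = pkt.payload.lower()
    return "deny" if any(sig in body for sig in SIGNATURES) else "allow"

def dpi_filter(state: StatefulFilter, pkt: Packet) -> str:
    verdict = state.filter(pkt)
    return verdict if verdict == "deny" else deep_inspect(pkt)

# Constructed traffic: a legitimate browse and its reply, an attacker who sets source
# port 80 to reach an inside desktop, and a path-traversal request to the web server.
TRAFFIC = [
    ("client_request", Packet("10.0.0.20", 51000, "203.0.113.7", 80, syn=True,
                              payload=b"GET / HTTP/1.1")),
    ("server_reply", Packet("203.0.113.7", 80, "10.0.0.20", 51000,
                            payload=b"HTTP/1.1 200 OK")),
    ("spoofed_reply", Packet("198.51.100.9", 80, "10.0.0.99", 3389)),
    ("traversal", Packet("198.51.100.9", 40000, WEB, 80, syn=True,
                         payload=b"GET /../../etc/passwd HTTP/1.1")),
]

def demo() -> dict[str, dict[str, str]]:
    """Return each packet's verdict under the three techniques, in traffic order."""
    state = StatefulFilter()
    results = {}
    for name, pkt in TRAFFIC:
        results[name] = {"static": static_filter(pkt),
                         "stateful": state.filter(pkt),
                         "dpi": dpi_filter(state, pkt)}
    return results

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:15} {verdicts}")
```

Reading the output row by row gives the point of questions 29 and 43: the spoofed packet passes the static filter because its header looks like a web reply, is dropped by the stateful filter because no inside host opened that connection, and the traversal request passes both header-based techniques and is caught only by inspecting the body.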
