Chapter 7 MULTIPLE CHOICE

1. The AICPA and the CICA have created an evaluation service known as SysTrust. SysTrust follows four principles to determine if a system is reliable. The reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as
a) availability. b) security. c) maintainability. d) integrity.

2. According to SysTrust, the reliability principle of integrity is achieved when

a) the system is available for operation and use at times set forth by agreement. b) the system is protected against unauthorized physical and logical access. c) the system can be maintained as required without affecting system availability, security, and integrity. d) system processing is complete, accurate, timely, and authorized.

3. Which of the following is not one of the five basic principles that contribute to systems reliability according to the Trust Services framework.
a) Confidentiality b) Processing speed c) Security d) System availability

4. Which of the following is the foundation of systems reliability?

a) Confidentiality b) Privacy c) Processing d) Security

5. Which of the following is not one of the three fundamental information security concepts?
a) Information security is a technology issue that hinges on prevention. b) Security is a management issue, not a technology issue. c) The idea of defense-in-depth employs multiple layers of controls. d) The time-based model of security focuses on the relationship between preventive, detective and corrective controls.

6. The trust services framework identifies four essential criteria for successfully implementing each of the principles that contribute to systems reliability. Which of the following is not one of those four essential criteria?
a) Developing and documenting policies b) Effectively communicating policies to all outsiders c) Designing and employing appropriate control procedures to implement policies d) Monitoring the system and taking corrective action to maintain compliance with policies

7. Giving users regular, periodic reminders about security policies and training in complying with them is an example of which of the following trust services criteria?

a) Policy development b) Effective communication of policies c) Design/use of control procedures d) Monitoring and remedial action

8. Because planning is more effective than reacting, this is an important criteria for successfully implementing systems reliability:
a) Policy development b) Effective communication of policies c) Design/use of control procedures d) Monitoring and remedial action

9. If the time an attacker takes to break through the organization's preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is
a) effective b) ineffective c) overdone d) undermanaged

10. Preventive controls require two related functions, which are:

a) Access and control b) Authentication and authorization c) Detection and correction d) Physical access and logical access

11. Verifying the identity of the person or device attempting to access the system is
a) Authentication b) Authorization c) Identification d) Threat monitoring

12. Restricting access of users to specific portions of the system as well as specific tasks, is
a) Authentication b) Authorization c) Identification d) Threat monitoring

13. Which of the following is an example of a preventive control?

a) Encryption b) Log analysis c) Intrusion detection d) Emergency response teams

14. Which of the following is an example of a detective control?

a) Physical access controls b) Encryption c) Log analysis d) Emergency response teams

15. Which of the following is an example of a corrective control?

a) Physical access controls b) Encryption c) Intrusion detection d) Emergency response teams

16. Which of the following is not a requirement of effective passwords?

a) Passwords should be changed at regular intervals. b) Passwords should be no more than 8 characters in length. c) Passwords should contain a mixture of upper and lowercase letters, numbers and characters. d) Passwords should not be words found in dictionaries.

17. Which of the following is not a requirement of effective passwords?

a) Passwords should be changed at regular intervals. b) Passwords should be no more than 8 characters in length. c) Passwords should contain a mixture of upper and lowercase letters, numbers and characters. d) Passwords should not be words found in dictionaries.

18. Multi-factor authentication

a) Involves the use of two or more basic authentication methods. b) Is a table specifying which portions of the systems users are permitted to access. c) Provides weaker authentication than the use of effective passwords. d) Requires the use of more than one effective password.

19. An access control matrix

a) Does not have to be updated. b) Is a table specifying which portions of the system users are permitted to access. c) Is used to implement authentication controls. d) Matches the user's authentication credentials to his authorization.

20. Perimeter defense is an example of which of the following preventive controls that are necessary to provide adequate security.
a) Training b) Controlling physical access c) Controlling remote access d) Host and application hardening

21. Which of the following preventive controls are necessary to provide adequate security that deals with social engineering?
a) Controlling remote access b) Encryption c) Host and application hardening d) Training

22. The device that connects an organization's information system to the Internet is a
a) Demilitarized zone b) Firewall c) Gateway d) Router

23. A special purpose hardware device or software running on a general purpose computer which filters information allowed to enter and leave the organization's information system.
a) Demilitarized zone b) Intrusion detection system c) Intrusion prevention system d) Firewall

24. This protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet.
a) Access control list b) Internet protocol c) Packet switching protocol d) Transmission control protocol

25. This protocol specifies the structure of packets sent over the internet and the route to get them to the proper destination.
a) Access control list b) Internet protocol c) Packet switching protocol d) Transmission control protocol

26. This determines which packets are allowed entry and which are dropped..
a) Access control list b) Deep packet inspection c) Stateful packet filtering d) Static packet filtering

27. Compatibility tests utilize a(n) __________, which is a list of authorized users, programs, and data files the users are authorized to access or manipulate.
a) validity test b) biometric matrix c) logical control matrix d) access control matrix

28. This screens individual IP packets based solely on the contents of the source or destination fields in the packet header..
a) Access control list b) Deep packet inspection c) Stateful packet filtering d) Static packet filtering

29. This maintains a table that lists all established connections between the organization's computers and the Internet to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer..
a) Access control list b) Deep packet inspection c) Stateful packet filtering

d) Static packet filtering

30. This processes involves the firewall examining the data in the body of an IP packet.
a) Access control list b) Deep packet inspection c) Stateful packet filtering d) Static packet filtering

31. This is designed to identify and drop packets that are part of an attack.
a) Deep packet inspection b) Intrusion detection system c) Stateful packet filtering d) Static packet filtering

32. This is used to identify rogue modems (or by hackers to identify targets).
a) War chalking b) War dialing c) War driving d) None of the above

33. The process of turning off unnecessary features in the system is known as
a) Deep packet inspection b) Hardening c) Intrusion detection d) War dialing

34. The most common input-related vulnerability is

a) Buffer overflow attack b) Hardening c) War dialing d) Encryption

35. The final layer of preventive controls.

a) Authentication b) Authorization c) Encryption d) Intrusion detection

36. The process of transforming normal text into cipher text

a) Encryption b) Decryption c) Filtering d) Hardening

37. Which of the following is not one of the three important factors determining the strength of any encryption system?
a) Key length b) Key management policies c) Encryption algorithm

d) Privacy

38. Which of the following is not one of the three important factors determining the strength of any encryption system?
a) Key length b) Key management policies c) Encryption algorithm d) Privacy

39. These systems use the same key to encrypt and to decrypt.
a) Asymmetric encryption b) Hashing encryption c) Public key encryption d) Symmetric encryption

40. Which of the following descriptions is not associated with symmetric encryption?
a) A shared secret key b) Faster encryption c) Lack of authentication d) Separate keys for each communication party.

41. Which of the following is not associated with asymmetric encryption?

a) No need for key exchange b) Public keys c) Private keys d) Speed

42. A process that takes plaintext of any length and transforms it into a short code.
a) Asymmetric encryption b) Encryption c) Hashing d) Symmetric encryption

43. These are used to create digital signatures.

a) Asymmetric encryption and hashing b) Hashing and packet filtering c) Packet filtering and encryption d) Symmetric encryption and hashing

44. Information encrypted with the creator's private key that is used to authenticate the sender is.
a) Asymmetric encryption b) Digital certificate c) Digital signature d) Public key

45. An electronic document that certifies the identity of the owner of a particular public key.
a) Asymmetric encryption b) Digital certificate

c) Digital signature d) Public key

46. The system and processes used to issue and manage asymmetric keys and digital certificates.
a) Asymmetric encryption b) Certificate authority c) Digital signature d) Public key infrastructure

47. The system and processes used to issue and manage asymmetric keys and digital certificates.
a) Asymmetric encryption b) Certificate authority c) Digital signature d) Public key infrastructure

48. In a private key system the sender and the receiver have __________, and in the public key system they have __________.
a) different keys; the same key b) a decrypting algorithm; an encrypting algorithm c) the same key; two separate keys d) an encrypting algorithm; a decrypting algorithm

49. One way to circumvent the counterfeiting of public keys is by using

a) a digital certificate. b) digital authority. c) encryption. d) cryptography.

50. Which of the following describes one weakness of encryption?

a) Encrypted packets cannot be examined by a firewall. b) Encryption protects the confidentiality of information while in storage. c) Encryption protects the privacy of information during transmission. d) Encryption provides for both authentication and non-repudiation.

51. This creates logs of network traffic that was permitted to pass the firewall
a) Intrusion detection system b) Log analysis c) Penetration test d) Vulnerability scan

52. This uses automated tools to identify whether a given system possesses any well-known security problems.
a) Intrusion detection system b) Log analysis c) Penetration test d) Vulnerability scan

53. This is an authorized attempt by an internal audit team or an external security consultant to break into the organization's information system.
a) Intrusion detection system b) Log analysis c) Penetration test d) Vulnerability scan

54. A more rigorous test of the effectiveness of an organization's computer security.

a) Intrusion detection system b) Log analysis c) Penetration test d) Vulnerability scan

55. These are established to deal with major security breaches.

a) CERTs b) CSOs c) FIRSTs d) Intrusion detection systems

56. The ___________ disseminates information about fraud, errors, breaches and other improper system uses and their consequences.
a) Chief information officer b) Chief operations officer c) Chief security officer d) Computer emergency response team SHORT ANSWER

57. Identify the five basic principles that contribute to systems reliability according to the Trust Services framework developed by the AICPA and the CICA. 58. What are the three fundamental information security concepts? 59. What are three ways users can be authenticated? 60. What three factors determine the strength of any encryption system? 61. How does an intrusion detection system work? 62. What is a penetration test?
ESSAY

63. Describe four requirements of effective passwords 64. Explain social engineering. 65. What are the problems with symmetric encryption? 66. Explain the value of penetration testing.

ANSWER KEY 1) A 2) D 3) B 4) D 5) A 6) B 7) B 8) A 9) B 10) B 11) A 12) B 13) A 14) C 15) D 16) B 17) B 18) A 19) B 20) C 21) D 22) D 23) D 24) D 25) B 26) A 27) D 28) D 29) C 30) B 31) B 32) B 33) B 34) A 35) C 36) A 37) D 38) D 39) D 40) C 41) D 42) C 43) A 44) C 45) B 46) D 47) D 48) C 49) A 50) A 51) A 52) D

53) C 54) C

55) C 56) C 57) Security, confidentiality, privacy, processing integrity, availability. 58) 1. Security is a management issue, not a technology issue. 2. The time-based model of security. 3. Defense-indepth. 59) Users can be authenticated by verifying: 1. something they know (password). 2. something they have (smart card or ID badge). 3. Something they are (biometric identification of fingerprint). 60) 1. Key length. 2. Key management policies. 3. Encryption algorithm. 61) An intrusion detection system creates logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions. 62) An authorized attempt by either an internal audit team or an external security consultant to break into the organization's information system. 63) 1. Strong passwords should be at least 8 characters. 2. Passwords should use a mixture of upper and lowercase letters, numbers and characters. 3. Passwords should be random and not words found in dictionaries. 4. Passwords should be changes frequently. 64) Social engineering attacks use deception to obtain unauthorized access to information resources, such as attackers who post as a janitor or as a legitimate system user. Employees must be trained not to divulge passwords or other information about their accounts to anyone who contacts them and claims to be part of the organization's security team. 65) Symmetric encryption is much faster than asymmetric encryption, but it has several problems. 1. Both parties (sender and receiver) need to know the shared secret key. 2. Separate secret keys must be maintained for use with each different communication party. 3. There is no way to prove who created a specific document. 66) Penetration testing involves an authorized attempt by an internal audit team or an external security consultant to break into the organization's information system. This type of service is provided by risk management specialists in all the Big Four accounting firms. These specialists spend more than half of their time on security matters. The team attempts to compromise the system using every means possible. With a combination of systems technology skills and social engineering, these teams often find weaknesses in systems that were believed