Chapter 8 – ‘Controls for Information and Security’ Flashcards
- Which of the following statements is true?
a. The concept of defense-in-depth reflects the fact that security involves the
use of a few sophisticated technical controls.
b. Information security is necessary for protecting confidentiality, privacy,
integrity of processing, and availability of information resources.
c. The time-based model of security can be expressed in the following formula:
P < D + C
d. Information security is primarily an IT issue, not a managerial concern.
b. Information security is necessary for protecting confidentiality, privacy,
integrity of processing, and availability of information resources. (Correct. As
Figure 8-2 shows, security is the foundation for achieving the other four
components of system reliability.)
- Which of the following is a preventive control?
a. training
b. log analysis
c. CIRT
d. virtualization
a. training (Correct. Training is designed to prevent employees from falling
victim to social engineering attacks and unsafe practices such as clicking on
links embedded in e-mail from unknown sources.)
- The control procedure designed to restrict what portions of an
information system an employee can access and what actions he or she can
perform is called ________.
a. authentication
b. authorization
c. intrusion prevention
d. intrusion detection
b. authorization (Correct. Authorization is the process of controlling what
actions—read, write, delete, etc.—a user is permitted to perform.)
- A weakness that an attacker can take advantage of to either disable or
take control of a system is called a(n) _________.
a. exploit
b. patch
c. vulnerability
d. attack
c. vulnerability (Correct. A vulnerability is the weakness itself; an exploit is the
program or technique that takes advantage of it, and a patch is the fix for it.)
- Which of the following is a corrective control designed to fix vulnerabilities?
a. virtualization
b. patch management
c. penetration testing
d. authorization
b. patch management (Correct. Patch management involves replacing flawed
code that represents a vulnerability with corrected code, called a patch.)
- Which of the following is a detective control?
a. endpoint hardening
b. physical access controls
c. penetration testing
d. patch management
c. penetration testing (Correct. Penetration testing is a detective control: it
tries to find and exploit vulnerabilities before an attacker does, and it measures
how long a break-in takes, which is the P in the time-based model of security.)
- Which of the following statements is true?
a. “Emergency” changes need to be documented once the problem is resolved.
b. Changes should be tested in a system separate from the one used to process
transactions.
c. Change controls are necessary to maintain adequate segregation of duties.
d. All of the above are true.
d. All of the above are true. (Correct.)
- Which of the following techniques is the most effective way for a
firewall to use to protect the perimeter?
a. deep packet inspection
b. packet filtering
c. access control lists
d. All of the above are equally effective
a. deep packet inspection (Correct. Deep packet inspection examines the
contents of the data in the body of the IP packet, not just the information in the
packet header. This is the best way to catch malicious code.)
- Which of the following combinations of credentials is an example of multifactor authentication?
a. voice recognition and a fingerprint reader
b. a PIN and an ATM card
c. password and a user ID
d. all of the above
b. a PIN and an ATM card (Correct. The PIN is something a person knows, the
ATM card is something the person has.)
- Modifying default configurations to turn off unnecessary programs
and features to improve security is called _______.
a. user account management
b. defense-in-depth
c. vulnerability scanning
d. hardening
d. hardening (Correct. This is the definition of hardening.)
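Hardening in practice is a comparison of the host's actual state against a baseline: which services are enabled that the role does not need, and which configuration directives still carry their default or permissive value. The following is an added example, not code from the textbook: a small checker that reports services outside an allowlist and sshd_config directives that deviate from hardened settings. The allowlist, the required values and the sample inputs are constructed; the parser follows the sshd_config convention that the first occurrence of a directive wins and that "Key value" and "Key=value" are both accepted.

```python
import re
from typing import Dict, List, Set

# Constructed allowlist: what a web server in this role is supposed to run.
ALLOWED_SERVICES: Set[str] = {"sshd", "nginx", "rsyslog", "chronyd"}

# Constructed hardened values for selected sshd_config directives.
# Keys are lowercased because sshd treats directive names case-insensitively.
REQUIRED_SSHD: Dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
}


def unnecessary_services(enabled: List[str]) -> List[str]:
    """Enabled services not on the allowlist: the candidates to disable."""
    return sorted(set(enabled) - ALLOWED_SERVICES)


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Directive value' lines; comments and blanks are ignored, first occurrence wins."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)        # later duplicates do not override
    return settings


def sshd_findings(text: str) -> Dict[str, str]:
    """Directives whose effective value is not the hardened one.

    A directive that is not set explicitly is reported as "(unset)": the check
    requires the value to be stated rather than trusting whatever the build's
    default happens to be.
    """
    effective = parse_sshd_config(text)
    findings = {}
    for key, required in REQUIRED_SSHD.items():
        actual = effective.get(key, "(unset)")
        if actual.lower() != required:
            findings[key] = actual
    return findings


# Constructed sample inputs, as if taken from a freshly installed host.
SAMPLE_ENABLED = ["sshd", "nginx", "cups", "avahi-daemon", "rsyslog", "chronyd", "bluetooth"]
SAMPLE_SSHD_CONFIG = """\
# Default config shipped with the image
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
PermitRootLogin no          # ignored: the first occurrence above is the effective one
"""

if __name__ == "__main__":
    print("disable:", unnecessary_services(SAMPLE_ENABLED))
    for key, actual in sshd_findings(SAMPLE_SSHD_CONFIG).items():
        print(f"sshd_config {key}: is {actual!r}, expected {REQUIRED_SSHD[key]!r}")
```

The second PermitRootLogin line in the sample is the kind of trap a text search for "PermitRootLogin no" would pass: it exists, but it is not the value sshd uses. Checking the effective configuration, not the presence of a string, is what makes the finding reliable.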