Deck 6: Information Systems Security

Black hat hackers formally probe systems for legitimate purposes in order to help with security control procedures.

One of the duties of the CSO is to present reports to the board of directors for approval.

System faults represent component equipment failures such as disk failures and power outages.

All hackers are malicious.

Social engineering is a form of manipulation of people in order to trick them into divulging privileged information.

The objective of the first phase of the security system life cycle is to design risk control measures such as various security measures and contingency plans.

Malware is short for malicious hardware that compromises the security of the victim's computer.

The ERM process is part of the information security management system.

Information security management system is an internal control process and manages risk.

The CSO should report directly to the president of the organization.

Passive threats include information systems fraud and computer sabotage.

White hat hackers legitimately probe systems for weaknesses in order to help with security control procedures.

Computer security and information security mean the same thing.

Information security is broader in concept than computer security and deals with all information,not just computerized information.

Pretexting and phishing are forms of social engineering.

An information security system has the basic elements of any information system: hardware,software,databases,procedures,and reports.

Using the qualitative approach to risk assessment,each loss exposure is computed as the product of the cost of an individual loss times the likelihood of its occurrence.

ISO27001 includes 132 general security controls,organized under 11 topics and further broken down into over 5000 detailed controls.

ISO 27000 family of standards defines standards for building,operating,and maintaining ISMSs.

Malware can be hidden in email,downloaded software,disk or Web browser.

In the health insurance sector,the Gramm-Leach-Bliley Act,requires federal agencies that oversee the health insurance sector to implement regulatory standards aimed at protecting the security of critical information resources.

A trapdoor is a portion of a computer program that,upon detecting an intruder,"traps" the intruder by activating a firewall to prevent unauthorized access to critical data.

Using cloud-based services and data storage is referred to as cloud computing.

Three major groups of individuals that may attack information systems include information personnel,users,and hackers.

A serious business problem today is the theft of data.

Intruders who attack information systems for fun and challenge are known as hackers.

Logic bombs are dormant pieces of code placed in programs for activation at a later date by a specific event.

Business continuity planning and disaster recovery,in general,mean the same thing.

Hacker methods include social engineering,direct observation,electronic interception,and exploits.

Direct observation includes shoulder surfing and piggybacking.

Three major groups of individuals that may attack information systems include information personnel,users,and employees.

Criminal Code 301.2(1)makes it a federal crime in the United States to knowingly and with intent fraudulently gain unauthorized access to data stored in financial institution computers.

Input manipulation is the least-used method in most cases of computer fraud.

Direct observation includes shoulder surfing and dumpster diving.

GASB statement #34 requires utility companies to maintain business continuity plans.

Virtualization involves running multiple operating systems,or multiple copies of the same operating system,all on the same machine.

Implementing security measures and contingency plans help to control computer information threats.

In general,vulnerabilities arise from improperly installed or configured software and from unforeseen defects or deficiencies in the software.

A worm is any type of Trojan that silently spreads from one computer to another over a network,without the intervention of any individual or server.

The most sophisticated type of wire tapping is called ________.

Studies have shown that 45% of all disasters are due to human error.

Software should not be installed on any computer without prior approval of security.

The Treadway Commission has linked ________ ________ to computer crime.

In most organizations,accounting,computing,and data processing are all organized under the controller.

The least common method used to commit computer fraud is ________ ________.

With today's excellent computer security software,it is no longer necessary to physically separate unauthorized individuals from computer resources.

The problem with Web server attacks is that the Web server is essentially an extension of the operating system.

A defrauder may use ________ to cover up ________.

Employees should be laid off or terminated with the greatest care because terminated employees account for a significant portion of all sabotage incidents.

The information security management system is an organizational ________ ________ ________ that controls special risks associated with computer-based information systems.

Escalation procedures state the conditions under which a disaster should be declared,who should declare it,and whom that person should notify when executing the declaration.

No password system is of much value unless the passwords themselves are protected.

System-access controls prevent unauthorized individuals from physically accessing computer resources.

In a denial of service attack,an intruder is denied access to an organization's Web site after the intruder attempts to break through its firewalls and proxy server countermeasures.

An incremental backup backs up all files whose archive bit is set to 0 before termination of the session.

A program kept in a locked file is one which can be run but not looked at (i.e.,code)or altered in anyway.

Fault tolerance can be applied at any of three levels: input,processing,or output.

The ideal password should consist of easy-to-remember names such as banana,kitty,IBM,password,or Friday.

The method of risk assessment for computer systems where system vulnerabilities and threats are listed and subjectively ranked is known as the ________ approach.

________ authentication systems identify individuals based on their fingerprints,hand sizes,retina patterns,or voice patterns.

An alternate site that contains the wiring,equipment,and very up-to-date back-up data and software is a(n)________ site.

________ can be digitally signed in the same way that electronic messages are signed to authenticate the identity of the source of the program.

A security system where the user enters an identification number and the system responds with a sign (i.e.,code word)is known as a(n)________ system.

Instead of using the terms systems analysis,design,implementation,operation,evaluation,and control,ISO 27001 uses the terms ________,________,________,and ________.

The three objectives of information security are ________,________,and ________.

In computer environments,________ control is especially important as there is often a tendency to either overspend or spend on the wrong things.

The best security ________ will not help if the system ________ do not enforce the policies.

________ ________ includes unnoticed intruders,wiretrappers,piggybackers,impersonating intruders,and eavesdroppers.

In general,________ arise from improperly installed or configured software and from unforeseen defects or deficiencies in the software.

Backing up files is not the same thing as ________ them.

A weakness in the ________ system is also likely to create a related weakness in ________ server security.

________ is a form of social engineering in which one impersonates another typically in a phone call or electronic communication.

Information security management system is part of the larger ________ risk management process.

Information security management system is an internal control process and manages ________.

A(n)________ cell phone is an exact and illegitimate copy of another cell phone,including a copy of the internal SIM in order to intercept text and voice messages.

The distribution of ________ should be controlled by a formal,secure delivery system.

________ is a form of social engineering which is aimed directly at tricking victims into giving information,money,or other valuable assets to perpetrators.

________ ________ involves manipulating victims in order to trick them into divulging privileged information.

________ is the best defense against electronic interception.