
Chapter 7

MULTIPLE CHOICE

1. The AICPA and the CICA have created an evaluation service known as SysTrust.
SysTrust follows four principles to determine if a system is reliable. The reliability
principle that states that users must be able to enter, update, and retrieve data during
agreed-upon times is known as
a) availability.
b) security.
c) maintainability.
d) integrity.

2. According to SysTrust, the reliability principle of integrity is achieved when
a) the system is available for operation and use at times set forth by agreement.
b) the system is protected against unauthorized physical and logical access.
c) the system can be maintained as required without affecting system availability, security, and integrity.
d) system processing is complete, accurate, timely, and authorized.

3. Which of the following is not one of the five basic principles that contribute to
systems reliability according to the Trust Services framework?
a) Confidentiality
b) Processing speed
c) Security
d) System availability

4. Which of the following is not one of the three fundamental information security
concepts?
a) Information security is a technology issue that hinges on prevention.
b) Security is a management issue, not a technology issue.
c) The idea of defense-in-depth employs multiple layers of controls.
d) The time-based model of security focuses on the relationship between preventive, detective and corrective controls.

5. The trust services framework identifies four essential criteria for successfully
implementing each of the principles that contribute to systems reliability. Which of
the following is not one of those four essential criteria?
a) Developing and documenting policies
b) Effectively communicating policies to all outsiders
c) Designing and employing appropriate control procedures to implement policies
d) Monitoring the system and taking corrective action to maintain compliance with policies

6. Giving users regular, periodic reminders about security policies and training in
complying with them is an example of which of the following trust services criteria?
a) Policy development
b) Effective communication of policies
c) Design/use of control procedures
d) Monitoring and remedial action

7. Because planning is more effective than reacting, this is an important criterion for
successfully implementing systems reliability:
a) Policy development
b) Effective communication of policies
c) Design/use of control procedures
d) Monitoring and remedial action

8. If the time an attacker takes to break through the organization's preventive controls is
greater than the sum of the time required to detect the attack and the time required to
respond to the attack, then security is
a) effective
b) ineffective
c) overdone
d) undermanaged

9. Preventive controls require two related functions, which are:
a) Access and control
b) Authentication and authorization
c) Detection and correction
d) Physical access and logical access

10. Verifying the identity of the person or device attempting to access the system is
a) Authentication
b) Authorization
c) Identification
d) Threat monitoring

11. Restricting access of users to specific portions of the system as well as specific tasks,
is
a) Authentication
b) Authorization
c) Identification
d) Threat monitoring

12. Which of the following is an example of a preventive control?
a) Encryption
b) Log analysis
c) Intrusion detection
d) Emergency response teams

13. Which of the following is an example of a detective control?
a) Physical access controls
b) Encryption
c) Log analysis
d) Emergency response teams

14. Which of the following is an example of a corrective control?
a) Physical access controls
b) Encryption
c) Intrusion detection
d) Emergency response teams

15. Which of the following is not a requirement of effective passwords?
a) Passwords should be changed at regular intervals.
b) Passwords should be no more than 8 characters in length.
c) Passwords should contain a mixture of upper and lowercase letters, numbers and characters.
d) Passwords should not be words found in dictionaries.

16. Multi-factor authentication
a) Involves the use of two or more basic authentication methods.
b) Is a table specifying which portions of the systems users are permitted to access.
c) Provides weaker authentication than the use of effective passwords.
d) Requires the use of more than one effective password.

17. An access control matrix
a) Does not have to be updated.
b) Is a table specifying which portions of the system users are permitted to access.
c) Is used to implement authentication controls.
d) Matches the user's authentication credentials to his authorization.

18. Perimeter defense is an example of which of the following preventive controls that
are necessary to provide adequate security?
a) Training
b) Controlling physical access
c) Controlling remote access
d) Host and application hardening

19. Which of the following preventive controls are necessary to provide adequate security
that deals with social engineering?
a) Controlling remote access
b) Encryption
c) Host and application hardening
d) Training

20. The device that connects an organization's information system to the Internet is a
a) Demilitarized zone
b) Firewall
c) Gateway
d) Router

21. A special purpose hardware device or software running on a general purpose
computer which filters information that is allowed to enter and leave the
organization's information system.
a) Demilitarized zone
b) Intrusion detection system
c) Intrusion prevention system
d) Firewall

22. This protocol specifies the procedures for dividing files and documents into packets
to be sent over the Internet.
a) Access control list
b) Internet protocol
c) Packet switching protocol
d) Transmission control protocol

23. This protocol specifies the structure of packets sent over the internet and the route to
get them to the proper destination.
a) Access control list
b) Internet protocol
c) Packet switching protocol
d) Transmission control protocol

24. This determines which packets are allowed entry and which are dropped.
a) Access control list
b) Deep packet inspection
c) Stateful packet filtering
d) Static packet filtering

25. Compatibility tests utilize a(n) __________, which is a list of authorized users,
programs, and data files the users are authorized to access or manipulate.
a) validity test
b) biometric matrix
c) logical control matrix
d) access control matrix

26. This screens individual IP packets based solely on the contents of the source and/or
destination fields in the packet header.
a) Access control list
b) Deep packet inspection
c) Stateful packet filtering
d) Static packet filtering

27. This maintains a table that lists all established connections between the organization's
computers and the Internet to determine whether an incoming packet is part of an
ongoing communication initiated by an internal computer.
a) Access control list
b) Deep packet inspection
c) Stateful packet filtering
d) Static packet filtering

28. This process involves the firewall examining the data in the body of an IP packet.
a) Access control list
b) Deep packet inspection
c) Stateful packet filtering
d) Static packet filtering

29. This is designed to identify and drop packets that are part of an attack.
a) Deep packet inspection
b) Intrusion prevention system
c) Stateful packet filtering
d) Static packet filtering

30. This is used to identify rogue modems (or by hackers to identify targets).
a) War chalking
b) War dialing
c) War driving
d) None of the above

31. The process of turning off unnecessary features in the system is known as
a) Deep packet inspection
b) Hardening
c) Intrusion detection
d) War dialing

32. The most common input-related vulnerability is
a) Buffer overflow attack
b) Hardening
c) War dialing
d) Encryption

33. The final layer of preventive controls.
a) Authentication
b) Authorization
c) Encryption
d) Intrusion detection

34. The process of transforming normal text into cipher text
a) Encryption
b) Decryption
c) Filtering
d) Hardening

35. Which of the following is not one of the three important factors determining the
strength of any encryption system?
a) Key length
b) Key management policies
c) Encryption algorithm
d) Privacy

36. These systems use the same key to encrypt and to decrypt.
a) Asymmetric encryption
b) Hashing encryption
c) Public key encryption
d) Symmetric encryption

37. Which of the following descriptions is not associated with symmetric encryption?
a) A shared secret key
b) Faster encryption
c) Lack of authentication
d) Separate keys for each communication party.

38. Which of the following is not associated with asymmetric encryption?
a) No need for key exchange
b) Public keys
c) Private keys
d) Speed

39. A process that takes plaintext of any length and transforms it into a short code.
a) Asymmetric encryption
b) Encryption
c) Hashing
d) Symmetric encryption

40. These are used to create digital signatures.
a) Asymmetric encryption and hashing
b) Hashing and packet filtering
c) Packet filtering and encryption
d) Symmetric encryption and hashing

41. Information encrypted with the creator's private key that is used to authenticate the
sender is
a) Asymmetric encryption
b) Digital certificate
c) Digital signature
d) Public key

42. An electronic document that certifies the identity of the owner of a particular public
key.
a) Asymmetric encryption
b) Digital certificate
c) Digital signature
d) Public key

43. The system and processes used to issue and manage asymmetric keys and digital
certificates.
a) Asymmetric encryption
b) Certificate authority
c) Digital signature
d) Public key infrastructure

44. In a private key system the sender and the receiver have __________, and in the
public key system they have __________.
a) different keys; the same key
b) a decrypting algorithm; an encrypting algorithm
c) the same key; two separate keys
d) an encrypting algorithm; a decrypting algorithm

45. One way to circumvent the counterfeiting of public keys is by using
a) a digital certificate.
b) digital authority.
c) encryption.
d) cryptography.

46. Which of the following describes one weakness of encryption?
a) Encrypted packets cannot be examined by a firewall.
b) Encryption protects the confidentiality of information while in storage.
c) Encryption protects the privacy of information during transmission.
d) Encryption provides for both authentication and non-repudiation.

47. This creates logs of network traffic that was permitted to pass the firewall
a) Intrusion detection system
b) Log analysis
c) Penetration test
d) Vulnerability scan

48. This uses automated tools to identify whether a given system possesses any well-known security problems.
a) Intrusion detection system
b) Log analysis
c) Penetration test
d) Vulnerability scan

49. This is an authorized attempt by an internal audit team or an external security
consultant to break into the organization's information system.
a) Intrusion detection system
b) Log analysis
c) Penetration test
d) Vulnerability scan

50. A more rigorous test of the effectiveness of an organization's computer security.
a) Intrusion detection system
b) Log analysis
c) Penetration test
d) Vulnerability scan

51. These are established to deal with major security breaches.
a) CERTs
b) CSOs
c) FIRSTs
d) Intrusion detection systems

52. The ___________ disseminates information about fraud, errors, breaches and other
improper system uses and their consequences.
a) Chief information officer
b) Chief operations officer
c) Chief security officer
d) Computer emergency response team

53. In 2007, a major U.S. financial institution hired a security firm to attempt to
compromise its computer network. A week later, the firm reported that it had
successfully entered the system without apparent detection and presented an analysis
of the vulnerabilities that had been found. This is an example of a
a) preventive control.
b) detective control.
c) corrective control.
d) standard control.

54. It was 9:08 A.M. when Jiao Jan, the Network Administrator for Folding Squid
Technologies, was informed that the intrusion detection system had identified an
ongoing attempt to breach network security. By the time that Jiao had identified and
blocked the attack, the hacker had accessed and downloaded several files from the
company's server. Using the notation for the time-based model of security, in this
case
a) P>D
b) D>P
c) C>P
d) P>C

55. Encryption has a remarkably long and varied history. The invention of writing was
apparently soon followed by a desire to conceal messages. One of the earliest
methods, attributed to an ancient Roman emperor, was the simple substitution of
numbers for letters, for example A = 1, B = 2, etc. This is an example of
a) a hashing algorithm.
b) symmetric key encryption.
c) asymmetric key encryption.
d) a public key.

56. Encryption has a remarkably long and varied history. Spies have been using it to
convey secret messages ever since there were secret messages to convey. One
powerful method of encryption uses random digits. Two documents are prepared with
the same random sequence of numbers. The spy is sent out with one and the spy
master retains the other. The digits are used as follows. Suppose that the word to be
encrypted is SPY and the random digits are 352. Then S becomes V (three letters
after S), P becomes U (five letters after P), and Y becomes A (two letters after Y,
restarting at A after Z). The spy would encrypt a message and then destroy the
document used to encrypt it. This is an early example of
a) a hashing algorithm.
b) asymmetric key encryption.
c) symmetric key encryption.
d) public key encryption.

57. Using a combination of symmetric and asymmetric key encryption, Chris Kai sent a
report to her home office in Syracuse, New York. She received an email
acknowledgement that the document had been received and then, a few minutes later,
she received a second email that indicated that the hash calculated from the report
differed from that sent with the report. The most likely explanation for this result is
that
a) the public key had been compromised.
b) the private key had been compromised.
c) the symmetric encryption key had been compromised.
d) the asymmetric encryption key had been compromised.

58. Which of the following is commonly true of the default settings for most
commercially available wireless access points?
a) The security level is set at the factory and cannot be changed.
b) Wireless access points present little danger of vulnerability so security is not a concern.
c) Security is set to the lowest level that the device is capable of.
d) Security is set to the highest level that the device is capable of.

59. In recent years, many of the attacks carried out by hackers have relied on this type of
vulnerability in computer software.
a) Code mastication
b) Boot sector corruption
c) Weak authentication
d) Buffer overflow

60. Meaningful Discussions is a social networking site that boasts over a million
registered users and a quarterly membership growth rate in the double digits. As a
consequence, the size of the information technology department has been growing
very rapidly, with many new hires. Each employee is provided with a name badge
with a photo and embedded computer chip that is used to gain entry to the facility.
This is an example of a(an)
a) authentication control.
b) biometric device.
c) remote access control.
d) authorization control.

61. When new employees are hired by Folding Squid Technologies, they are assigned
user names and appropriate permissions are entered into the information system's
access control matrix. This is an example of a(an)
a) authentication control.
b) biometric device.
c) remote access control.
d) authorization control.

62. When new employees are hired by Folding Squid Technologies, they are assigned
user names and passwords and provided with laptop computers that have an
integrated fingerprint reader. In order to log in, the user's fingerprint must be
recognized by the reader. This is an example of a(an)
a) authorization control.
b) biometric device.
c) remote access control.
d) defense in depth.

63. Asymmetric key encryption combined with the information provided by a certificate
authority allows unique identification of
a) the user of encrypted data.
b) the provider of encrypted data.
c) both the user and the provider of encrypted data.
d) either the user or the provider of encrypted data.

64. Information technology managers are often in a bind when a new exploit is
discovered in the wild. They can respond by updating the affected software or
hardware with new code provided by the manufacturer, which runs the risk that a
flaw in the update will break the system. Or they can wait until the new code has been
extensively tested, but that runs the risk that they will be compromised by the exploit
during the testing period. Dealing with these issues is referred to as
a) change management.
b) hardening.
c) patch management.
d) defense in depth.

65. Murray Snitzel called a meeting of the top management at Snitzel Capital
Management. Number one on the agenda was computer system security. "The risk of
security breach incidents has become unacceptable," he said, and turned to the Chief
Information Officer. "This is your responsibility! What do you intend to do?" Which of
the following is the best answer?
a) Evaluate and modify the system using the Trust Services framework.
b) Evaluate and modify the system using the COBIT framework.
c) Evaluate and modify the system using the CTC checklist.
d) Evaluate and modify the system using COBOL.

66. Which of the following is the most effective method of protecting against social
engineering attacks on a computer system?
a) stateful packet filtering.
b) employee training.
c) a firewall.
d) a demilitarized zone.

67. The most effective way to protect network resources, like email servers, that are
outside of the network and are exposed to the internet is
a) stateful packet filtering.
b) employee training.
c) a firewall.
d) a demilitarized zone.

68. On March 3, 2008, a laptop computer belonging to Folding Squid Technology was
stolen from the trunk of Jiao Jan's car while he was attending a conference in
Cleveland, Ohio. After reporting the theft, Jiao considered the implications of the
theft for the company's network security and concluded there was nothing to worry
about because
a) the computer was protected by a password.
b) the computer was insured against theft.
c) it was unlikely that the thief would know how to access the company data stored on the computer.
d) the data stored on the computer was encrypted.

69. All employees of E.C. Hoxy are required to pass through a gate and present their
photo identification cards to the guard before they are admitted. Entry to secure areas,
such as the Information Technology Department offices, requires further procedures.
This is an example of a(an)
a) authentication control.
b) authorization control.
c) physical access control.
d) hardening procedure.

70. On February 14, 2008, students enrolled in an economics course at Swingline College
received an email stating that class would be cancelled. The email claimed to be from
the professor, but it wasn't. Computer forensic experts determined that the email was
sent from a computer in one of the campus labs at 9:14 A.M. They were then able to
uniquely identify the computer that was used by means of its network interface card's
______ address. Security cameras revealed the identity of the student responsible for
spoofing the class.
a) TCP/IP
b) MAC
c) DMZ
d) IDS

71. There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the
latter. He had researched an exploit and determined that he could penetrate the target
system, download a file containing valuable data, and cover his tracks in eight
minutes. Six minutes into the attack he was locked out of the system. Using the
notation of the time-based model of security, which of the following must be true?
a) P<6
b) D=6
c) P=6
d) P>6

72. In developing policies related to personal information about customers, Folding Squid
Technologies adhered to the Trust Services framework. The standard applicable to
these policies is
a) security.
b) confidentiality.
c) privacy.
d) availability.

SHORT ANSWER

73. Identify the four basic principles that contribute to systems reliability according to the
Trust Services framework developed by the AICPA and the CICA.
74. What are the three fundamental information security concepts?
75. What are three ways users can be authenticated?
76. What three factors determine the strength of any encryption system?
77. How does an intrusion detection system work?
78. What is a penetration test?

ESSAY

79. Describe four requirements of effective passwords.
80. Explain social engineering.
81. What are the problems with symmetric encryption?
82. Explain the value of penetration testing.

ANSWER KEY
1) A
2) D
3) B
4) A
5) B
6) B
7) A
8) A
9) B
10) A
11) B
12) A
13) C
14) D
15) B
16) A
17) B
18) C
19) D
20) D
21) D
22) D
23) B
24) A
25) D
26) D
27) C
28) B
29) B
30) B
31) B
32) A

33) C
34) A
35) D
36) D
37) C
38) D
39) C
40) A
41) C
42) B
43) D
44) C
45) A
46) A
47) A
48) D
49) C
50) C
51) A
52) C
53) B
54) A
55) B
56) C
57) C
58) C
59) D
60) A
61) D
62) B
63) D
64) C
65) A
66) B
67) D
68) D
69) C
70) B
71) D
72) C
73) Security, confidentiality, privacy, processing integrity, availability.
74) 1. Security is a management issue, not a technology issue. 2. The time-based model of security. 3.
Defense-in-depth.
75) Users can be authenticated by verifying: 1. something they know (password). 2. something they
have (smart card or ID badge). 3. something they are (biometric identification of fingerprint).
76) 1. Key length. 2. Key management policies. 3. Encryption algorithm.
77) An intrusion detection system creates logs of network traffic that was permitted to pass the
firewall and then analyzes those logs for signs of attempted or successful intrusions.
78) An authorized attempt by either an internal audit team or an external security consultant to break
into the organization's information system.
79) 1. Strong passwords should be at least 8 characters. 2. Passwords should use a mixture of upper
and lowercase letters, numbers and characters. 3. Passwords should be random and not words
found in dictionaries. 4. Passwords should be changed frequently.
80) Social engineering attacks use deception to obtain unauthorized access to information resources,
such as attackers who pose as a janitor or as a legitimate system user. Employees must be trained
not to divulge passwords or other information about their accounts to anyone who contacts them
and claims to be part of the organization's security team.


81) Symmetric encryption is much faster than asymmetric encryption, but it has several problems. 1.
Both parties (sender and receiver) need to know the shared secret key. 2. Separate secret keys must
be maintained for use with each different communication party. 3. There is no way to prove who
created a specific document.
82) Penetration testing involves an authorized attempt by an internal audit team or an external security
consultant to break into the organization's information system. This type of service is provided by
risk management specialists in all the Big Four accounting firms. These specialists spend more
than half of their time on security matters. The team attempts to compromise the system using
every means possible. With a combination of systems technology skills and social engineering,
these teams often find weaknesses in systems that were believed to be secure.
