1. Which of the following statements is true?
a. The concept of defense-in-depth reflects the fact that security involves the use of a few sophisticated technical controls. (Incorrect. The concept of defense-in-depth is based on the idea that, given enough time and resources, any single control, no matter how sophisticated, can be overcome—therefore, the use of redundant, overlapping controls maximizes security.)
b. Information security is necessary for protecting confidentiality, privacy, integrity of processing, and availability of information resources. (Correct. As Figure 8-2 shows, security is the foundation for achieving the other four components of system reliability.)
c. The time-based model of security can be expressed in the following formula: P < D + C (Incorrect. The formula is P > D + C.)
d. Information security is primarily an IT issue, not a managerial concern. (Incorrect. Security is primarily a managerial issue because only management can choose the most appropriate risk response to protect the organization’s information resources.)
2. Which of the following is a preventive control?
a. training (Correct. Training is designed to prevent employees from falling victim to social engineering attacks and unsafe practices such as clicking on links embedded in e-mail from unknown sources.)
b. log analysis (Incorrect. Log analysis involves examining a record of events to discover anomalies. Thus, it is a detective control.)
c. CIRT (Incorrect. The purpose of a computer incident response team is to respond to and remediate problems and incidents. Thus, it is a corrective control.)
d. virtualization (Incorrect. Virtualization involves using one physical computer to run multiple virtual machines. It is primarily a cost-control measure, not an information security control procedure.)
3. The control procedure designed to restrict what portions of an information system an employee can access and what actions he or she can perform is called _____.
a. authentication (Incorrect. Authentication is the process of verifying a user’s identity to decide whether or not to grant that person access.)
b. authorization (Correct. Authorization is the process of controlling what actions—read, write, delete, etc.—a user is permitted to perform.)
c. intrusion prevention (Incorrect. Intrusion prevention systems monitor patterns in network traffic to identify and stop attacks.)
d. intrusion detection (Incorrect. Intrusion detection is a detective control that identifies when an attack has occurred.)
4. A weakness that an attacker can take advantage of to either disable or take control of a system is called a(n) _____.
a. exploit (Incorrect. An exploit is the software code used to take advantage of a weakness.)
b. patch (Incorrect. A patch is code designed to fix a weakness.)
c. vulnerability (Correct. A vulnerability is any weakness that can be used to disable or take control of a system.)
d. attack (Incorrect. An attack is the action taken against a system. To succeed, it exploits a vulnerability.)
5. Which of the following is a corrective control designed to fix vulnerabilities?
a. virtualization (Incorrect. Virtualization involves using one physical computer to run multiple virtual machines. It is primarily a cost-control measure, not an information security control procedure.)
b. patch management (Correct. Patch management involves replacing flawed code that represents a vulnerability with corrected code, called a patch.)
c. penetration testing (Incorrect. Penetration testing is a detective control.)
d. authorization (Incorrect. Authorization is a preventive control used to restrict what users can do.)
6. Which of the following is a detective control?
a. Endpoint hardening (Incorrect. Hardening is a preventive control that seeks to eliminate vulnerabilities by reconfiguring devices and software.)
b. Physical access controls (Incorrect. Physical access controls are a preventive control designed to restrict access to...