Test Your Skills

Multiple Choice Questions

  1. Which of the following represents the three goals of information security?

    1. Confidentiality, integrity, and availability
    2. Prevention, detection, and response
    3. People controls, process controls, and technology controls
    4. Network security, PC security, and mainframe security
  2. Which of the following terms best describes the assurance that data has not been changed unintentionally due to an accident or malice?

    1. Availability
    2. Confidentiality
    3. Integrity
    4. Auditability
  3. Related to information security, confidentiality is the opposite of which of the following?

    1. Closure
    2. Disclosure
    3. Disaster
    4. Disposal
  4. The CIA triad is often represented by which of the following?

    1. Triangle
    2. Diagonal
    3. Ellipse
    4. Circle
  5. Defense in depth is needed to ensure that which three mandatory activities are present in a security system?

    1. Prevention, response, and prosecution
    2. Response, collection of evidence, and prosecution
    3. Prevention, detection, and response
    4. Prevention, response, and management
  6. Which of the following statements is true?

    1. The weakest link in any security system is the technology element.
    2. The weakest link in any security system is the process element.
    3. The weakest link in any security system is the human element.
    4. Both 2 and 3
  7. Which of the following best represents the two types of IT security requirements?

    1. Functional and logical
    2. Logical and physical
    3. Functional and assurance
    4. Functional and physical
  8. Security functional requirements describe which of the following?

    1. What a security system should do by design
    2. What controls a security system must implement
    3. Quality assurance description and testing approach
    4. How to implement the system
  9. Which of the following statements is true?

    1. Security assurance requirements describe how to test the system.
    2. Security assurance requirements describe how to program the system.
    3. Security assurance requirements describe to what degree the testing of the system is conducted.
    4. Security assurance requirements describe implementation considerations.
  10. Which of the following terms best describes the probability that a threat to an information system will materialize?

    1. Threat
    2. Vulnerability
    3. Hole
    4. Risk
  11. Which of the following terms best describes the absence of a safeguard, or a weakness in a system, that could be exploited?

    1. Vulnerability
    2. Threat
    3. Risk
    4. Exposure
  12. Which of the following statements is true?

    1. Controls are implemented to eliminate risk and eliminate the potential for loss.
    2. Controls are implemented to mitigate risk and reduce the potential for loss.
    3. Controls are implemented to eliminate risk and reduce the potential for loss.
    4. Controls are implemented to mitigate risk and eliminate the potential for loss.
  13. Which of the following terms best describes a cookbook on how to take advantage of a vulnerability?

    1. Risk
    2. Exploit
    3. Threat
    4. Program
  14. Which of the following represents the three types of security controls?

    1. People, functions, and technology
    2. People, process, and technology
    3. Technology, roles, and separation of duties
    4. Separation of duties, processes, and people
  15. Which of the following statements is true?

    1. Process controls for IT security include assignment of roles for least privilege.
    2. Process controls for IT security include separation of duties.
    3. Process controls for IT security include documented procedures.
    4. All of the above

Exercises

EXERCISE 2.1: Understanding the Importance of Information Confidentiality

Why is confidentiality important to corporate information? What kinds of abuses can you think of in the absence of controls on confidentiality? What criminal activities could be reduced or eliminated if confidentiality controls were effectively implemented?

EXERCISE 2.2: Evaluating Real-World Defense in Depth

Find some analogies to the principle of defense in depth in the physical world, and make some diagrams of the mechanisms you locate. Consider how a bank implements defense in depth and how corporations protect themselves from intruders entering their buildings.

EXERCISE 2.3: Avoiding Security Through Obscurity

Why is security through obscurity a bad idea for the overall security of a system?

EXERCISE 2.4: Identifying a Phishing Scam

Go to www.opendns.com/phishing-quiz/ and take the “Think You Can Outsmart Internet Scammers?” quiz. How well did you perform at identifying phishing scams?

EXERCISE 2.5: Evaluating Risk Management

Every day, you make risk-management decisions in your daily life. Should you get in the car and drive to the store? Should you jaywalk or cross at the light? Should you get on that airplane? Think about the risk-management decisions you make when using your PC:

  1. What kinds of judgments do you make before downloading a piece of software?
  2. What kinds of judgments do you make before writing an email to your boss?
  3. What mental steps do you go through before taking some action?
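
The integrity goal tested in question 2 (protection against both accident and malice) and the "before downloading a piece of software" judgment in Exercise 2.5 rest on the same practical distinction: an unkeyed checksum catches accidental corruption, but an attacker who can alter a file can recompute the checksum published beside it, so only a keyed MAC (or a signature) resists malice. The following Python script is an added illustration, not code from the book or the chapter; the "download" bytes, the bit-flip, and the tampering routine are constructed for the demonstration.

```python
"""Integrity checks: plain hash versus keyed MAC (added example).

A SHA-256 digest detects an accidental flipped bit in transit, but an
attacker who replaces the payload can publish a matching digest, so a
checksum shipped on the same channel as the file does not defend against
malice. An HMAC-SHA256 tag does, as long as the key stays out of the
attacker's hands.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample "download"; not a real artifact.
ORIGINAL = b"installer v1.2.3: set -e; curl https://example.invalid/pkg | sh\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, published_hex: str) -> bool:
    """Unkeyed integrity check: catches accidents, not a capable attacker."""
    return hmac.compare_digest(sha256_hex(data), published_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    """Keyed integrity check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate accidental corruption: flip the low bit of one byte."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def attacker_tamper(data: bytes) -> Tuple[bytes, str]:
    """Simulate malice: swap the payload and recompute the public checksum."""
    evil = data.replace(b"example.invalid", b"attacker.invalid")
    return evil, sha256_hex(evil)


def run_demo(key: Optional[bytes] = None) -> Dict[str, bool]:
    """Run every scenario; each entry is True when the check behaved as described."""
    key = key or secrets.token_bytes(32)
    published = sha256_hex(ORIGINAL)
    tag = hmac_tag(key, ORIGINAL)
    corrupted = flip_bit(ORIGINAL, 5)
    evil, evil_checksum = attacker_tamper(ORIGINAL)
    return {
        "intact_checksum_ok": verify_checksum(ORIGINAL, published),
        "intact_hmac_ok": verify_hmac(key, ORIGINAL, tag),
        "accident_caught_by_checksum": not verify_checksum(corrupted, published),
        "accident_caught_by_hmac": not verify_hmac(key, corrupted, tag),
        # The attacker republishes a matching checksum, so it passes...
        "malice_passes_recomputed_checksum": verify_checksum(evil, evil_checksum),
        # ...but cannot forge the tag without the key.
        "malice_caught_by_hmac": not verify_hmac(key, evil, tag),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The practical judgment before a download follows from the last two entries: a checksum on the same web page as the file only tells you the download was not corrupted in transit; to detect a substituted file you need a signature or MAC whose verification key reached you through a different, trusted channel.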

Projects

PROJECT 2.1: Understanding Email-Borne Viruses

  1. Visit one or more of the antivirus software developer sites (Symantec, McAfee, Computer Associates, Trend Micro, and so forth), and see if you can identify which viruses and worms require a user to click on an email attachment to replicate.
  2. Trace the sophistication of the virus writers over time, and try to determine how they circumvent any improvements in user awareness of and education toward preventing viruses from spreading.

PROJECT 2.2: Researching Hackers

Open disclosure of software vulnerabilities is often associated with gray-hat hackers, described as security researchers who aren’t particular about who learns about their findings. Research the three types of hackers (white hat, gray hat, and black hat), and try to determine their typical positions on full disclosure of software problems before patches or new versions of the software are made available in the marketplace. Use Google or your favorite Internet search engine with a query of “Open Disclosure of Software Vulnerabilities” to help you formulate your answers.

PROJECT 2.3: Comparing Physical and Virtual Risk-Management Techniques

  1. How is risk management for physical systems similar to risk management for computer systems?
  2. How are the two different?
  3. What skill sets are required for each type?