Using MIS, 10e (Kroenke)

Chapter 10 Information Systems Security

1) A ________ is a person or an organization that seeks to obtain or alter data or other IS assets
illegally, without the owner's permission and often without the owner's knowledge.
A) target
B) vulnerability
C) threat
D) key escrow
E) cipher
Answer: C
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

2) Which of the following is considered a threat caused by human error?
A) an employee inadvertently installing an old database on top of the current one
B) an employee intentionally destroying data and system components
C) a virus and worm writer infecting computer systems
D) a hacker breaking into a system to steal for financial gain
E) a tsunami floods a data center causing total data loss
Answer: A
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

3) Which of the following is considered a computer crime?
A) accidental deletion of important records
B) poorly written programs resulting in information loss
C) loss of data as a result of flooding
D) hacking of information systems
E) failure to correctly back up customer data
Answer: D
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

1
Copyright © 2018 Pearson Education, Inc.
4) A person claiming to be from central IT called Chris and asked him to participate in a
password reset audit. The person had Chris change his password to the word "123456", and then
again to a secret passphrase only Chris knew. Later that day Chris noticed odd system behavior,
and then the system crashed. Chris was a victim of ________.
A) hacking
B) usurping
C) sniffing
D) pretexting
E) appropriating
Answer: D
Diff: 2
AACSB: Reflective Thinking
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Application

5) In the context of security threats, pretexting, sniffing, spoofing, and phishing are all examples
of ________.
A) unauthorized data disclosure
B) incorrect data modification
C) faulty services
D) loss of infrastructure
E) SQL injection
Answer: A
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

6) Stan loves collecting stamps. He receives an email that appears to come from a well-known
stamp auction site asking him to reset his username and password. He clicks on the link and it
takes him to a site that looks similar to the auction site, but the Web address is "scrambled" and
unreadable. He emails the customer service desk at the auction site and discovers they never sent
the email. This scenario is an example of attempted ________.
A) hacking
B) phishing
C) sniffing
D) wardriving
E) stack smashing
Answer: B
Diff: 3
AACSB: Reflective Thinking
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Application

7) Email spoofing is a synonym for ________.
A) hacking
B) phishing
C) usurping
D) sniffing
E) baiting
Answer: B
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

8) ________ is a technique for intercepting computer communications through a physical
connection to a network or without a physical connection in the case of wireless networks.
A) Spoofing
B) Phishing
C) Sniffing
D) Pretexting
E) Port scanning
Answer: C
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

9) ________ take computers with wireless connections through an area and search for
unprotected wireless networks, and then monitor and intercept wireless traffic on unsecured
wireless networks.
A) Keyloggers
B) Pretexters
C) Wardrivers
D) Phishers
E) Tibutors
Answer: C
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

10) Which of the following is a sniffing technique?
A) IP spoofing
B) caches
C) denial of service
D) adware
E) port scanner
Answer: D
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

11) Sally has been working really hard lately and asks her manager for a raise. Her manager tells
her that she is already the highest paid employee on the floor. Sally doesn't believe her manager,
and illegally accesses the employee database to look at salary data. Sally's act can be termed as
________.
A) pretexting
B) phishing
C) hacking
D) spoofing
E) skimming
Answer: C
Diff: 3
AACSB: Reflective Thinking
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Application

12) Which of the following is most likely to be a result of hacking?
A) certain Web sites being censored for hurting sentiments
B) small amounts of spam in a user's inbox
C) an unauthorized transaction from a user's credit card
D) pop-up ads appearing frequently
E) slowing of network speed
Answer: C
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

13) ________ occurs through human error when employees do not follow proper procedures or
when procedures have not been well designed.
A) Unauthorized data disclosure
B) Incorrect data modification
C) Denial of service
D) Loss of infrastructure
E) Unauthorized data encryption
Answer: B
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

14) ________ occurs when computer criminals invade a computer system and replace legitimate
programs with their own, unauthorized ones that shut down legitimate applications.
A) Encryption
B) Spoofing
C) Phishing
D) Usurpation
E) Spear Phishing
Answer: D
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

15) Which of the following usually happens in a malicious denial-of-service attack?
A) A hacker monitors and intercepts wireless traffic at will.
B) A hacker floods a Web server with many millions of bogus service requests.
C) An intruder uses another site's IP address to masquerade as that other site.
D) A phisher pretends to be a legitimate company and requests confidential data.
E) A hacker identifies vulnerabilities in network hosts.
Answer: B
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

16) ________ present(s) the largest risk for an organization's infrastructure loss.
A) Employees' dissatisfaction
B) Natural disasters
C) Hackers
D) Competitors
E) Electromagnetic pulse weapons
Answer: B
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

17) ________ is a sophisticated, possibly long-running computer hack that is perpetrated by
large, well-funded organizations such as governments.
A) State sponsored threat
B) Lengthy collective
C) Poisoned pool
D) Hacker collective
E) Advanced persistent threat
Answer: E
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

18) A computer crime is committed if an employee inadvertently installs an old database on top
of the current one.
Answer: FALSE
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

19) Human error cannot cause unauthorized data disclosure.
Answer: FALSE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

20) Spoofing occurs when someone pretends to be someone else.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

21) Phishing is a technique for obtaining unauthorized data that uses pretexting via email.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

22) Email spoofing is a synonym for phishing.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

23) IP spoofing occurs when an intruder uses another site's IP address to masquerade as that
other site.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

24) Faulty service excludes problems that result from incorrect data modification.
Answer: FALSE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

25) A denial-of-service attack is launched when a hacker takes computers with wireless
connections through an area and searches for unprotected wireless networks.
Answer: FALSE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

26) Natural disasters present the largest risk for infrastructure loss.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

27) Define threat, vulnerability, safeguard, and target.
Answer: A threat is a person or organization that seeks to obtain or alter data or other IS assets
illegally, without the owner's permission and often without the owner's knowledge.
A vulnerability is an opportunity for threats to gain access to individual or organizational assets.
For example, when an individual buys something online, he or she provides his or her credit card
data; when that data is transmitted over the Internet, it is vulnerable to threats.
A safeguard is some measure that individuals or organizations take to block the threat from
obtaining the asset.
The target is the asset that is desired by the threat.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

28) What are the three general sources of security threats?
Answer: A security threat is a challenge to the integrity of information systems that arises from
one of three sources: human errors and mistakes, computer crime, and natural events and
disasters. Human errors and mistakes include accidental problems caused by both employees and
nonemployees. Computer crime includes employees and former employees who intentionally
destroy data or other system components. It also includes hackers who break into a system and
virus and worm writers who infect computer systems. Natural events and disasters include fires,
floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature. Problems in this
category include not only the initial loss of capability and service, but also losses stemming from
actions to recover from the initial problem.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

29) Define pretexting, phishing, spoofing, and sniffing.
Answer: Pretexting occurs when someone deceives by pretending to be someone else. A
common scam involves a telephone caller who pretends to be from a credit card company and
claims to be checking the validity of credit card numbers.
Phishing is a similar technique for obtaining unauthorized data that uses pretexting via email.
The phisher pretends to be a legitimate company and sends an email requesting confidential data,
such as account numbers, Social Security numbers, account passwords, and so forth.
Spoofing is another term for someone pretending to be someone else. IP spoofing occurs when
an intruder uses another site's IP address to masquerade as that other site.
Sniffing is a technique for intercepting computer communications. With wired networks, sniffing
requires a physical connection to the network. With wireless networks, no such connection is
required.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

30) What is meant by denial of service?
Answer: Human error in following procedures, or a lack of procedures, can result in denial of
service. For example, humans can inadvertently shut down a Web server or corporate gateway
router by starting a computationally intensive application. Computer criminals can launch an
intentional denial-of-service attack in which a malicious hacker floods a Web server, for
example, with millions of bogus service requests that so occupy the server that it cannot service
legitimate requests. Finally, natural disasters may cause systems to fail, resulting in denial of
service.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.1: What is the goal of information systems security?
Classification: Concept

31) Which of the following statements is TRUE about losses due to computer security threats?
A) Surveys on computer crimes provide accurate results since they use standard parameters to
measure and tally computer crime costs.
B) Surveys suggest that some organizations do not report all their computer crime losses, and
some will not report such losses at all.
C) Losses due to natural disasters can be measured accurately.
D) Losses due to human error are insignificant.
E) Losses due to hacking may be overstated.
Answer: B
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.2: How big is the computer security problem?
Classification: Concept

32) The losses due to human error are minimal, and hence, organizations tend to ignore these
losses.
Answer: FALSE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.2: How big is the computer security problem?
Classification: Concept

33) Describe the magnitude of security problems in the present day.
Answer: The full extent of the financial and data losses due to computer security threats is
unknown. Certainly, the losses due to human error are enormous, but few organizations compute
those losses and even fewer publish them. Losses due to natural disasters are also enormous and
impossible to compute. The earthquake in Japan, for example, shut down Japanese
manufacturing, and losses rippled through the supply chain from the Far East to Europe and the
United States. One can only imagine the enormous expense for Japanese companies as they
restored their information systems.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.2: How big is the computer security problem?
Classification: Concept

34) Which of the following is a personal security safeguard?
A) sending valuable data only via email or IM
B) using a single password for all sites
C) removing high-value assets from computers
D) storing browsing history, temporary files, and cookies
E) disabling operating system updates
Answer: C
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.3: How should you respond to security threats?
Classification: Concept

35) Nonword passwords are vulnerable to a ________ attack in which the password cracker tries
every possible combination of characters.
A) denial-of-service
B) sniffing
C) brute force
D) phishing
E) nuanced
Answer: C
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.3: How should you respond to security threats?
Classification: Concept

36) ________ are small files that enable a browser to access Web sites without having to sign in
every time.
A) Cookies
B) Botnets
C) Payloads
D) Public keys
E) Web bugs
Answer: A
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.3: How should you respond to security threats?
Classification: Concept

37) Removing and disabling ________ that may contain sensitive security data presents an
excellent example of the trade-off between improved security and cost.
A) bookmarks
B) pop-ups
C) cookies
D) toolbars
E) key loggers
Answer: C
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.3: How should you respond to security threats?
Classification: Concept

38) One of the personal security safeguards is to use https at trusted, reputable vendors.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.3: How should you respond to security threats?
Classification: Concept

39) Most emails and IMs are protected by encryption.
Answer: FALSE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.3: How should you respond to security threats?
Classification: Concept

40) Cookies enable an individual to access Web sites without having to sign in every time.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.3: How should you respond to security threats?
Classification: Concept

41) List various personal security safeguards.
Answer: The various personal security safeguards that one can implement for computer security:
• One should take security seriously.
• One should create strong passwords.
• One should use multiple passwords.
• One should not send valuable data via email or IM.
• One should use https at trusted, reputable vendors.
• One should remove high-value assets from computers.
• One should clear browsing history, temporary files, and cookies.
• One should update antivirus software.
• One should demonstrate security concern to one's fellow workers.
• One should follow organizational security directives and guidelines.
• One should consider security for all business initiatives.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.3: How should you respond to security threats?
Classification: Concept

42) Which of the following is a critical security function that should be addressed by the senior
management of an organization?
A) sharing the private key with all systems connected to the network
B) creating IS security software programs
C) establishing the security policy
D) avoiding the use of perimeter firewalls
E) reducing internal systems auditing
Answer: C
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.4: How should organizations respond to security threats?
Classification: Concept

43) In information security, which of the following is TRUE about managing risk?
A) All organizations except financial institutions should invest heavily in security safeguards.
B) Organizations should implement safeguards that balance the trade-off between risk and cost.
C) Passwords are classified as technical safeguards.
D) Physical security is classified as human safeguards.
E) All risks should be eliminated.
Answer: B
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.4: How should organizations respond to security threats?
Classification: Concept

44) Which of the following was passed to give individuals the right to access their own health
data created by doctors and other healthcare providers?
A) the Privacy Act of 1974
B) the Sarbanes-Oxley Act
C) the HIPAA of 1996
D) the Gramm-Leach-Bliley Act
E) the Computer Privacy Act of 2014
Answer: C
Diff: 1
AACSB: Ethical Understanding and Reasoning
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

45) Which of the following is classified as a technical safeguard?
A) cookies
B) firewalls
C) key escrow
D) passwords
E) training
Answer: B
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.4: How should organizations respond to security threats?
Classification: Concept

46) What is the basic information that a security policy must stipulate?
Answer: At a minimum, a security policy should stipulate:
• What sensitive data the organization will store
• How it will process that data
• Whether data will be shared with other organizations
• How employees and others can obtain copies of data stored about them
• How employees and others can request changes to inaccurate data
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.4: How should organizations respond to security threats?
Classification: Concept

47) A(n) ________ has a microchip in it to hold data.
A) ATM card
B) smart card
C) cookie
D) key escrow
E) dropper
Answer: B
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

48) Users of smart cards are required to enter a ________ to be authenticated.
A) Social Security number
B) public key
C) personal identification number
D) private key
E) passphrase
Answer: C
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

49) Which of the following is used for biometric authentication?
A) smart cards
B) facial features
C) passwords
D) personal identification numbers
E) MD5 hashes
Answer: B
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

50) Which of the following statements is TRUE about biometric identification?
A) It involves the use of a personal identification number (PIN) for authentication.
B) It provides weak authentication.
C) It is a relatively inexpensive mode of authentication.
D) It often faces resistance from users for its invasive nature.
E) It will decline in usage in the future.
Answer: D
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

51) A ________ is a string of bits used to encrypt data.
A) key
B) honeypot
C) cookie
D) cache
E) cipher
Answer: A
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

52) In asymmetric encryption, each site has a ________ for encoding messages.
A) botnet
B) private key
C) public key
D) cookie
E) cipher
Answer: C
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

53) With ________, the sender and receiver transmit a message using different keys.
A) asymmetric encryption
B) a block cipher
C) symmetric encryption
D) a stream cipher
E) a Caesar shift
Answer: A
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Application

54) Secure Sockets Layer is also known as ________.
A) Advanced Persistent Threat Layer
B) Transport Layer Security
C) Presentation Interface Layer
D) Network Interface Layer Security
E) Media Access Security
Answer: B
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

55) Which of the following statements is TRUE about the Secure Sockets Layer (SSL)?
A) It uses asymmetric encryption exclusively.
B) It is used to send sensitive data such as credit card numbers.
C) It uses one set of encryption keys for multiple sessions.
D) It is a stronger version of https.
E) It is used in wireless encryption suites.
Answer: B
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

56) Layla is purchasing a new laptop from an online vendor. Which of the following will be
displayed in the address bar of her browser that will let her know that the online retailer is using
the Secure Sockets Layer (SSL) protocol?
A) ftp
B) www
C) https
D) .com
E) smtp
Answer: C
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Application

57) A ________ examines each part of a message and determines whether to let that part pass.
A) packet-filtering firewall
B) private key
C) mail server
D) wardriver
E) nmap
Answer: A
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

58) Packet-filtering firewalls ________.
A) can filter both inbound and outbound traffic
B) examine the destination address but not the source address
C) are the most complex type of firewall
D) seldom examine the data or the addresses of the message
E) can examine the contents of VPN packets
Answer: A
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

59) ________ is a broad category of software that includes viruses, spyware, and adware.
A) Malware
B) Cookie
C) Firewall
D) Spam
E) Crackers
Answer: A
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

60) In the context of malware protection, the program code that causes the unwanted actions is
called the ________.
A) payload
B) kernel
C) bot herder
D) key escrow
E) bundler
Answer: A
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

61) ________ are viruses that masquerade as useful programs or files.
A) Adware programs
B) Spyware programs
C) Trojan horses
D) Worms
E) Hydras
Answer: C
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

62) A ________ is a type of virus that self-propagates using the Internet or other computer
network.
A) worm
B) sniffer
C) Trojan horse
D) phisher
E) mole
Answer: A
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

63) Sarah was browsing an online shopping site when a program got downloaded onto her
system without her knowledge. The next day she found that her search engine had been changed,
and she received pop-up advertisements of the shopping site she had visited the previous day.
The program on Sarah's system is ________.
A) a cookie
B) adware
C) a payload
D) a Trojan horse
E) a stack smasher
Answer: B
Diff: 3
AACSB: Reflective Thinking
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Application

64) Which of the following is likely to be accepted by a poorly designed application thereby
leading to improper disclosure of data?
A) public key
B) asymmetric encryption
C) key escrow
D) SQL injection
E) SHA1 hash
Answer: D
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

65) Technical safeguards involve the hardware and software components of an information
system.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

66) A magnetic strip holds far more data than a microchip.
Answer: FALSE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

67) Biometric authentication uses physical characteristics such as retinal scans to authenticate
users.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

68) Symmetric encryption is simpler and much faster than asymmetric encryption.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

69) Secure Sockets Layer (SSL) is a protocol that is restricted to asymmetric encryption.
Answer: FALSE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

70) A Trojan horse is a virus that masquerades as a useful program or file.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

71) Most spyware programs are benign in that they do not perform malicious acts or steal data.
Answer: FALSE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

72) Improper data disclosure and data damage and loss are possible consequences of an SQL
injection attack.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

73) Define encryption and explain symmetric and asymmetric encryption for computer systems.
Answer: Encryption is the process of transforming clear text into coded, unintelligible text for
secure storage or communication. To encrypt a message, a computer program uses the
encryption method (say AES) combined with the key (say the word "key") to convert a plain text
message (in this case the word "secret") into an encrypted message. The resulting coded message
("U2FsdGVkX1+b637aTP80u+y2WYlUbqUz2XtYcw4E8m4=") looks like gibberish. Decoding
(decrypting) a message is similar; a key is applied to the coded message to recover the original
text.
In symmetric encryption, the same key is used to encode and to decode the message. With
asymmetric encryption, two keys are used; one key encodes the message, and the other key
decodes the message.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

74) What is a virus? Differentiate between Trojan horses and worms.
Answer: A virus is a computer program that replicates itself.
• Trojan horses are viruses that masquerade as useful programs or files.
• A worm is a virus that self-propagates using the Internet or other computer network.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

75) What are spyware and adware programs?
Answer: Spyware programs are installed on the user's computer without the user's knowledge or
permission. Spyware resides in the background and, unknown to the user, observes the user's
actions and keystrokes, monitors computer activity, and reports the user's activities to sponsoring
organizations. Some malicious spyware, called key loggers, captures keystrokes to obtain user
names, passwords, account numbers, and other sensitive information.
Adware is similar to spyware in that it is installed without the user's permission and that it
resides in the background and observes user behavior. Most adware is benign in that it does not
perform malicious acts or steal data. It does, however, watch user activity and produce pop-up
ads. Adware can also change the user's default window or modify search results and switch the
user's search engine.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

76) Describe six malware safeguards.
Answer: It is possible for users to avoid most malware using the following malware safeguards:
• Users should install antivirus and antispyware programs on the computer—The IS
department will have a list of recommended programs for this purpose. When users choose a
program for themselves, they should choose one from a reputable vendor. Reviews of
antimalware software should be checked on the Web before purchasing.
• Users should set up the antimalware programs to scan the computer frequently—Users
should scan their computers at least once a week and possibly more often. When they detect
malware code, they should use the antimalware software to remove it. If the code cannot be
removed, users should contact the IS department or antimalware vendor.
• Users should update malware definitions—Malware definitions are patterns that exist in
malware code and should be downloaded frequently. Antimalware vendors update these
definitions continuously, and users should install these updates as they become available.
• Users should open email attachments only from known sources—also, even when opening
attachments from known sources, users should do so with great care. Most antimalware
programs check email attachments for malware code. However, all users should form the habit of
never opening an email attachment from an unknown source. Also, if they receive unexpected
emails from a known source or an email from a known source that has a suspicious subject, odd
spelling, or poor grammar, users should not open the attachment without first verifying with the
known source that the attachment is legitimate.
• Users should promptly install software updates from legitimate sources—unfortunately, all
programs are chock full of security holes; vendors are fixing them as rapidly as they are
discovered, but the practice is inexact. Users should install patches to the operating system and
application programs promptly.
• Users should browse only reputable Web sites—It is possible for some malware to install
itself when users do nothing more than open a Web page.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

77) Describe the difference between a perimeter firewall and an internal firewall.
Answer: Organizations normally use multiple firewalls. A perimeter firewall sits outside the
organizational network; it is the first device that Internet traffic encounters. In addition to
perimeter firewalls, some organizations employ internal firewalls inside the organizational
network. Figure 10-10 shows the use of a perimeter firewall that protects all of an organization's
computers and a second internal firewall that protects a LAN.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.5: How can technical safeguards protect against security threats?
Classification: Concept

78) ________ refers to an organization-wide function that is in charge of developing data
policies and enforcing data standards.
A) Data administration
B) Authentication
C) Usurpation
D) Data encryption
E) Access Control
Answer: A
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.6: How can data safeguards protect against security threats?
Classification: Concept

79) ________ is a function pertaining to a particular database that develops procedures and
practices to control and protect the database.
A) Data encryption
B) Database administration
C) Data authentication
D) Database normalization
E) Data access control
Answer: B
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.6: How can data safeguards protect against security threats?
Classification: Concept

80) Which of the following statements is TRUE about data administration?
A) It is a line function to the chief information officer.
B) It merely involves developing data policies.
C) It applies to individuals and not to the entire organization.
D) It is involved in establishing data safeguards.
E) It defines standards for the use of cryptographic suites.
Answer: D
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.6: How can data safeguards protect against security threats?
Classification: Concept

81) Key escrow is a(n) ________.
A) protocol used to secure communication over the internet
B) safety procedure that allows a trusted party to have a copy of the encryption key
C) device that prevents unauthorized network access
D) encryption algorithm that uses both public and private keys
E) creation of related public and private keys
Answer: B
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.6: How can data safeguards protect against security threats?
Classification: Concept

82) ________ protect databases and other organizational data.
A) Cookies
B) Payloads
C) Data safeguards
D) Data strings
E) Data tunnels
Answer: C
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.6: How can data safeguards protect against security threats?
Classification: Concept

83) The computers that run the DBMS and all devices that store database data should reside in
locked, controlled-access facilities. This is done to ________.
A) stop SQL injection attacks
B) prevent email spoofing
C) prevent brute force attacks
D) provide physical security
E) prevent unauthorized encryption
Answer: D
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.6: How can data safeguards protect against security threats?
Classification: Concept

84) What is key escrow?
Answer: An organization should protect sensitive data by storing it in encrypted form. Such
encryption uses one or more keys. One potential problem with stored data, however, is that the
key might be lost or that disgruntled or terminated employees might destroy it. Because of this
possibility, when data are encrypted, a trusted party should have a copy of the encryption key.
This safety procedure is sometimes called key escrow.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.6: How can data safeguards protect against security threats?
Classification: Concept

85) Which of the following statements is TRUE about the position definitions component of
human safeguards?
A) System administrators should retain user accounts after an employee has been terminated.
B) All employees must be provided with uniform, general training on security regardless of the
sensitivity of their positions.
C) Documenting position sensitivity enables security personnel to prioritize their activities based
on possible risk.
D) Holding public users of Web sites accountable for security violations is easy and inexpensive.
E) Security considerations should not be part of the hiring process.
Answer: C
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Concept

86) ________ involve the people and procedure components of information systems.
A) Firewalls
B) Technical safeguards
C) Human safeguards
D) Payloads
E) Port scanners
Answer: C
Diff: 1
AACSB: Ethical Understanding and Reasoning
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Concept

87) Which of the following statements is TRUE about human safeguards for employees?
A) Security screening in an organization is a one-time process and applies only to new
employees.
B) User accounts should be defined to give users the least possible privilege needed to perform
their jobs.
C) Companies should provide user accounts and passwords to employees prior to their security
training.
D) System administrators should retain user accounts after an employee has been terminated.
E) There shouldn't be a separation of duty and authority.
Answer: B
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Concept

88) When an employee is terminated, IS administrators should receive advance notice so that
they can ________.
A) destroy the employee's records
B) plan the recruitment of their positions
C) disseminate information
D) remove the user account and password
E) clear the employee's browser history
Answer: D
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Concept

89) ________ a Web site means to take extraordinary measures to reduce a system's
vulnerability using special versions of the operating system.
A) Pretexting
B) Hardening
C) Phishing
D) Spoofing
E) Spooling
Answer: B
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Concept

90) The process of hardening a Web site is a ________ safeguard.
A) political
B) financial
C) technical
D) physical
E) virtual
Answer: C
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Concept

91) ________ are the primary means of authentication for a user's computer and other networks
and servers to which the user may have access.
A) Private keys
B) User names
C) Passwords
D) Personal identification numbers
E) CA key rings
Answer: C
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Concept

92) John has been appointed as an operations manager at a software company. Which of the
following systems procedures will be John's responsibility?
A) writing software program codes
B) using systems to perform job tasks
C) creating a backup of system databases
D) knowing whom to contact when a security breach occurs
E) preparing for loss of system functionality
Answer: C
Diff: 2
AACSB: Reflective Thinking
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Application

93) PL Technologies suffered considerable data loss when its database was infected by a virus.
George, a member of the operations personnel, attempts to repair the damage by retrieving
information from backed-up data. George is involved in the process of ________.
A) authentication
B) hardening
C) usurpation
D) recovery
E) systems hardening
Answer: D
Diff: 2
AACSB: Reflective Thinking
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Application

94) Firewalls produce ________ that include lists of all dropped packets, infiltration attempts,
and unauthorized access attempts from within the firewall.
A) honeypots
B) blogs
C) activity logs
D) Rich Site Summary (RSS) feeds
E) blackboxes
Answer: C
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Concept

95) Jason attempts to hack into a banking site to steal customer information. He finds the
security of the Web site lacking and is able to access the site with ease. Jason is arrested the next
day and charged with computer crime. The banking site was able to track Jason's IP address
because he had unknowingly attacked a ________.
A) botnet
B) hot site
C) honeypot
D) Web beacon
E) Trojan horse
Answer: C
Diff: 3
AACSB: Reflective Thinking
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Application

96) Documenting position sensitivity enables security personnel to prioritize their activities in
accordance with the possible risk and loss.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Concept

97) Business requirements do not necessitate opening information systems to nonemployee
personnel, such as temporary personnel, vendors, or partner personnel.
Answer: FALSE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Concept

98) Hardening a site means to take extraordinary measures to reduce a system's vulnerability.
Answer: TRUE
Diff: 1
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Concept

99) Discuss some human safeguards for employees that can ensure the security of information
systems.
Answer: Human safeguards involve the people and procedure components of information
systems. In general, human safeguards result when authorized users follow appropriate
procedures for system use and recovery. Restricting access to authorized users requires effective
authentication methods and careful user account management. In addition, appropriate security
procedures must be designed as part of every information system, and users should be trained on
the importance and use of those procedures.
The various human safeguards for employees are:
Position Definitions—It is impossible to have effective human safeguards unless job tasks and
responsibilities are clearly defined for each employee position. In general, job descriptions
should provide a separation of duties and authorities.
Hiring and Screening—Security considerations should be part of the hiring process. When hiring
for high-sensitivity positions, extensive interviews, references, and background investigations are
appropriate.
Dissemination and Enforcement—Employees need to be trained on security policies, procedures,
and the responsibilities they will have. Employee security training begins during new-employee
training, with the explanation of general security policies and procedures. That general training
must be amplified in accordance with the position's sensitivity and responsibilities.
Termination—Companies also must establish security policies and procedures for the
termination of employees. Standard human resources policies should ensure that system
administrators receive notification in advance of the employee's last day, so that they can remove
accounts and passwords. Procedures for recovering keys for encrypted data and any other
security assets must be part of the employee's out-processing.
Diff: 3
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.7: How can human safeguards protect against security threats?
Classification: Concept

100) If the incident-response plan is not well-prepared, there is substantial risk that the actions of
well-meaning people will make the problem worse.
Answer: TRUE
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.8: How should organizations respond to security incidents?
Classification: Concept

101) How should organizations respond to security incidents?
Answer: First, every organization should have an incident-response plan as part of the security
program. No organization should wait until some asset has been lost or compromised before
deciding what to do. The plan should include how employees are to respond to security
problems, whom they should contact, the reports they should make, and steps they can take to
reduce further loss. An incident-response plan will stipulate what an employee should do when
he or she notices the virus. It should specify whom to contact and what to do. It may stipulate
that the employee should turn off his or her computer and physically disconnect from the
network. The plan should also indicate what users with wireless computers should do. When an
incident does occur, speed is of the essence. The longer the incident goes on, the greater the cost.
Viruses and worms can spread very quickly across an organization's networks, and a fast
response will help to mitigate the consequences. Because of the need for speed, preparation pays.
The incident-response plan should identify critical personnel and their off-hours contact
information. These personnel should be trained on where to go and what to do when they get
there. Finally, organizations should periodically practice incident response. Without such
practice, personnel will be poorly informed on the response plan, and the plan itself may have
flaws that only become apparent during a drill.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.8: How should organizations respond to security incidents?
Classification: Concept

102) How will computer crime change in the coming years?
Answer: Computer crime is a game of cat and mouse. Computer criminals find a vulnerability to
exploit, and they exploit it. Computer security experts discover that vulnerability and create
safeguards to thwart it. Computer criminals find a new vulnerability to exploit, computer security
forces thwart it, and so it goes. The next major challenges will likely be those affecting mobile
devices. However, security on these devices will be improved as threats emerge that exploit their
vulnerabilities. This cat-and-mouse game is likely to continue for at least the next 10 years. No
super-safeguard will be devised to prevent computer crime, nor will any particular computer
crime be impossible to thwart. However, the skill level of this cat-and-mouse activity is likely to
increase, and substantially so. Because of increased security in operating systems and other
software, and because of improved security procedures and employee training, it will become
harder and harder for the lone hacker to find some vulnerability to exploit—not impossible, but
vastly more difficult.
Diff: 2
AACSB: Information Technology
Course LO: Describe different methods of managing IS security
LO: 10.9: 2027?
Classification: Concept
