
Principles and Practice of Information Security Sources of Digital Liability.docx

Uploaded: 6 years ago
Contributor: bio_man
Category: Computer Science
Type: Other
Filename:   Principles and Practice of Information Security Sources of Digital Liability.docx (23.86 kB)
Page Count: 8
Transcript
Principles and Practice of Information Security
Sources of Digital Liability

True-False Questions (25)

2-1. Liability exposure refers to needless risk from the organization’s failure to take action, resulting in harm.
Answer: True

2-2. The Uniform Electronic Transaction Act relates only to stored records.
Answer: False

2-3. Opportunity costs relate to damage from disrupted business functions.
Answer: True

Shifting responsibility for viruses and attacks from the IT staff to vendors can be covered by rewriting the licensing and purchase contracts.
Answer: True

Internal intrusions are carried out by employees.
Answer: True

From a legal perspective, “intent to defraud” and “intent to mislead” are the same.
Answer: False

Access that is easy and convenient for employees is also easy and convenient for hackers.
Answer: True

When a computer file is deleted, only the file name is removed from the directory and FAT so the file remains on the hard drive.
Answer: True

When a hard drive is formatted, the Data Area is wiped out and files can no longer be recovered.
Answer: False

As long as the actual file in the Data Area is not overwritten by a new file or wiped out, the deleted file can be recovered.
Answer: True

Deleted files are never recovered.
Answer: False

Before 1999, viruses were spread primarily via contaminated floppy disks.
Answer: True

Before viruses spread by email were developed, viruses were spread primarily via contaminated floppy disks.
Answer: True

ROI is a measurement of the cost versus saving of computer security expenditures.
Answer: True

Companies are not liable for Internet and email usage by their employees.
Answer: False

IM is not vulnerable to exposure to bugs and vulnerabilities as it is a one-to-one communication.
Answer: False

Acceptable use policies (AUP) require large investments beyond what it takes to document the rules and communicate them effectively.
Answer: False

Malicious software programs, such as viruses, worms, and Trojan horses, are called malware.
Answer: True

Social engineering involves tricking the users into doing something risky or damaging.
Answer: True

Viruses spread by exploiting software vulnerabilities.
Answer: True

The technical reason why firewalls cannot block all viruses is that they cannot block what they do not recognize as a virus.
Answer: True

Electronic fraud is a nonviolent crime committed by computer use.
Answer: True

The Goner virus was spread by an email attachment via the Internet.
Answer: True

Computers that are controlled by the attacker are called zombies.
Answer: True; Page: 28

If a firm fails to take prudent action to limit network intrusions, a DOS may occur.
Answer: True; Page: 28

Multiple-Choice Questions (25)

Liability exposure increases when a company uses each of the following technologies except:
A. networked computers.
B. e-commerce Websites.
C. email.
D. directories.
Answer: D; Page: 14

The definition of electronic record is clearly defined by the _______________ Act.
A. Uniform Electronic Transfer
B. Uniform Electronic Transaction
C. U.S. Privacy
D. Freedom of Information
Answer: B; Difficulty: Hard; Page: 15

When an activity is created, generated, sent, communicated, received, or stored by electronic means, it is referred to as a(n):
A. electronic record.
B. electronic document.
C. transmitted.
D. A or B.
Answer: D; Difficulty: Hard; Page: 15

Opportunity costs are measurements of _______________ when a computer attack occurs.
A. missed sales
B. loss of profit
C. recovery costs
D. A, B, and C
Answer: D; Page: 15

Intrusions that are carried out by employees or other insiders at a company are referred to as:
A. work-phase intrusions.
B. insider intrusions.
C. employee intrusions.
D. internal intrusions.
Answer: D; Page: 16

An FBI study found that _______________ % of all computer attacks enter via the Internet.
A. 70
B. 50
C. 25
D. 80
Answer: A; Page: 16

According to an FBI study, 75% of all computer crime dollar losses stem from:
A. hackers.
B. internal intrusions.
C. careless mistakes by employees.
D. upper management budget cuts.
Answer: B; Page: 16

Lost revenue can result from:
A. denial of Website services.
B. virus infections.
C. network intrusions.
D. lost laptops.
Answer: A; Page: 17

All of the ways that information on computers and networks can hurt a company or an individual are defined as:
A. computer liabilities.
B. digital liabilities.
C. network errors.
D. password problems.
Answer: B; Page: 17

When a file is created and saved, _______________.
A. the first character of the Directory filename is changed
B. the data is written to the Data Area of the hard drive
C. the data is saved on the A drive
D. the FAT entry for the file is zeroed out
Answer: B; Difficulty: Hard; Page: 18

When a file is deleted, the computer:
A. makes the space occupied by that file available for new files.
B. saves the file on the hard drive.
C. re-links the FAT entry to a file.
D. zeroes out the FAT entry.
Answer: A; Difficulty: Hard; Page: 18

Viruses can cause damage due to:
A. wasted time.
B. loss of bandwidth.
C. A and B.
D. viruses only spread but do not cause damage.
Answer: C; Page: 19

_______________ computer network accounts are portals between hackers on the Internet and corporate networks.
A. Employees,
B. Managers,
C. Vendors,
D. Customers,
Answer: A; Page: 20

Hardware and software devices that are used to protect a computer or network from exposure to other computers or networks are called:
A. intrusion detection hardware.
B. antivirus (AV) software.
C. portal protection devices.
D. firewalls.
Answer: D; Page: 20

_______________ scans files to detect and deter viruses.
A. Firewalls
B. AV mechanisms
C. Scanners
D. Hardware checks
Answer: B; Page: 20

According to the CSI/FBI Computer Crime and Security Surveys, the major loss(es) from computer crime is/are:
A. theft of proprietary information.
B. financial fraud, insider abuse.
C. funds diversion and viruses.
D. theft of proprietary information, financial fraud, insider abuse.
Answer: D; Difficulty: Hard; Page: 20

An investment in _______________ can save companies millions of dollars in damages and fees because it shows that the company developed rules to prevent misuse of computer systems:
A. acceptable use policy
B. malware
C. antivirus (AV) software
D. firewalls
Answer: A

Viruses, worms, Trojan horses, and other malicious software programs are referred to as:
A. fakes.
B. social engineering.
C. malware.
D. hacking.
Answer: C

Which virus was not spread due to its attention-grabbing email subject?
A. backdoor
B. KLEZ.H
C. ILoveYou
D. Goner
Answer: B; Page: 22

Any type of discrimination based on gender, race, national origin, or age is prohibited by _______________.
A. the Freedom of Information Act
B. the Privacy Act
C. the Civil Rights Act
D. the U.S. Constitution
Answer: C; Page: 22

Embezzlement, threats, or fraud can be considered:
A. white-collar crime.
B. malware.
C. email misuse.
D. social engineering.
Answer: A; Page: 23

PIII protects information in what profession?
A. health care
B. financial institutions
C. higher education institutions
D. legal firms
Answer: A; Page: 27

The economic model of marginal cost-benefit analysis addresses the issue(s) of:
A. negligence but not liability.
B. liability.
C. diligence and negligence.
D. liability and prudence.
Answer: B; Difficulty: Hard; Page: 27

The Goner virus was spread via:
A. infected floppy disks.
B. email attachments.
C. chat rooms.
D. faulty software.
Answer: B; Page: 28

Computers that are controlled by attackers are called:
A. zombies.
B. viruses.
C. DOSs.
D. UPXs.
Answer: A; Page: 28

Fill-in-the-Blanks Questions (10)

A(n) _______________ is/are often installed in computer systems to protect against unauthorized users.
Answer: patch; Page: 15

_______________ are measurements of missed or lost sales or profits or how long it might take to recover from an attack.
Answer: Opportunity costs; Page: 15

_______________ intrusions are those carried out by employees.
Answer: Internal; Page: 16

Employees and users should _______________ unsolicited attachments to avoid virus infection.
Answer: delete; Page: 19

_______________ measures savings that exceed the cost of computer security.
Answer: Return on Investment (ROI)

_______________ lets users chat in real time.
Answer: Instant messaging (IM)

Entrapping software is referred to as _______________.
Answer: malware

Manipulating or tricking the end user into doing something risky or damaging is called _______________.
Answer: social engineering

Computers that are controlled by hackers are called _______________.
Answer: zombies

According to _______________, a firm is not negligent if and only if the marginal costs of safeguards are greater than the marginal benefits of those safeguards.
Answer: marginal analysis

Essay Questions (10)

What issues are involved in an organization’s assessment prior to implementing security procedures?
Suggested Answer: A determination of which assets require protection, real or perceived threats, budget available, the organization’s values, as well as the nature of its business.

What are opportunity costs as they relate to computer security?
Suggested Answer: Opportunity costs result from disrupted business functions and are measured by missed or lost sales or profits or how long it might take to recover from an attack.

From a legal standpoint, what is the definition of an electronic record or electronic document?
Suggested Answer: It is a record created, generated, sent, communicated, received, or stored by electronic means.

Why are systems administrators reluctant to install software patches?
Suggested Answer: Patches are risky if they are not first verified to determine that the patch will not cause more damage than the hackers. If patches do not work properly, disruption of critical business applications may result.

Discuss the statement, “access that is easy and convenient for employees is also easy and convenient for hackers.”
Suggested Answer: (Page: 17) If systems do not have enough protection, it becomes relatively easy for the hacker to penetrate. A comfortable balance must be achieved by developing security procedures that are relatively uncomplicated for employees, yet difficult for hackers to breach.

What is digital liability as it relates to computer security?
Suggested Answer: It defines all the ways the information on computer devices and networks can actually hurt a company or individual. It also accurately represents the consequences and significance of cyber security.

What three actions take place when a file is created and saved?
Suggested Answer: An entry is made into the File Allocation Table (FAT) to indicate where the file is stored. A directory entry is made. The data is written to the Data Area of the hard drive.

Discuss the Civil Rights Act of 1964.
Suggested Answer: This act prohibits any type of discrimination based on gender, race, national origin, or age. It also requires employees to provide nonhostile, nonharassing workplaces and holds them legally responsible for failure to maintain such workplaces.

Define what actions are considered as white-collar crime.
Suggested Answer: Any nonviolent crime committed in a commercial context, such as embezzlement, threats, or fraud.

When reasonable security measures are not in place, what are some of the potential detrimental consequences that may occur?
Suggested Answer:
- Successful litigation by employees for breach of responsibility
- Personal injury, lawsuits by customers, clients, or patients
- Lost judgments based on damage caused
- Class-action lawsuits on behalf of stockholders
