Busy. Please wait.

show password
Forgot Password?

Don't have an account?  Sign up 

Username is available taken
show password


Make sure to remember your password. If you forget it there is no way for StudyStack to send you a reset link. You would need to create a new account.
We do not share your email address with others. It is only used to allow you to reset your password. For details read our Privacy Policy and Terms of Service.

Already a StudyStack user? Log In

Reset Password
Enter the associated with your account, and we'll email you a link to reset your password.

Remove Ads
Don't know
remaining cards
To flip the current card, click it or press the Spacebar key.  To move the current card to one of the three colored boxes, click on the box.  You may also press the UP ARROW key to move the card to the "Know" box, the DOWN ARROW key to move the card to the "Don't know" box, or the RIGHT ARROW key to move the card to the Remaining box.  You may also click on the card displayed in any of the three boxes to bring that card back to the center.

Pass complete!

"Know" box contains:
Time elapsed:
restart all cards

Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.

  Normal Size     Small Size show me how


Security and Risk Management Midterm

A ________ is a small program that, after installed, downloads a larger attack program. Downloader
A botmaster can remotely ________. Both A and B
A(n) ________ attack attempts to make a server or network unavailable to serve legitimate users by flooding it with attack packets. DoS
A(n) ________ attack requires a victim host to prepare for many connections, using up resources until the computer can no longer serve legitimate users. SYN Flooding
Another name for safeguard is ________. countermeasure
Following someone through a secure door for access without using an authorized ID card or pass code is called ________. piggybacking
ICMP Echo messages are often used in ________. IP address scanning
If TJX had met the PCI-DSS control objectives, it would have ________ avoided the data breach. probably
If a company wishes to prosecute people or companies that steal its trade secrets, it must take ________ precautions to protect those trade secrets. reasonable
In ________, the perpetrator tries to obtain money or other goods by threatening to take actions that would be against the victim's interest. extortion
In a virus, the code that does damage is called the ________. payload
Mobile code usually is delivered through ________. webpages
Most traditional external attackers were heavily motivated by ________. the thrill of breaking in
Penalties for hacking are ________. irrelevant of the amount stolen
Sending packets with false IP source addresses is called ________. IP address spoofing
Some ________ can jump directly between computers without human intervention. worms
Stealing credit card numbers is also known as ________. carding
Terrorists can use IT to ________. Both A and B
The TJX data breach was due to ________. multiple security weaknesses
The dominant type of attacker today is the ________. career criminal
The fastest propagation occurs with some types of ________. worms
The three common core goals of security are ________. confidentiality, integrity, and availability
To obtain IP addresses through reconnaissance, an attacker can use ________. a chain of attack computers
Watching someone type their password in order to learn the password is called ________. shoulder surfing
When a threat succeeds in causing harm to a business, this is a(n) ________. breach
When a threat succeeds in causing harm to a business, this is called a ________. All of the above
Which of the following CIA security goals did TJX fail to meet? confidentiality
Which of the following are examples of social engineering? All of the above
Which of the following are types of countermeasures? All of the above
Which of the following are ways that trade secret espionage occur? All of the above
Which type of program can hide itself from normal inspection and detection? rootkit
You receive an e-mail that seems to come from your bank. Clicking on a link in the message takes you to a website that seems to be your bank's website. However, the website is fake. This is called a ________ attack. (Pick the most precise answer) phishing
________ are programs that attach themselves to legitimate programs. Viruses
________ attacks take advantage of flawed human judgment by convincing the victim to take actions that are counter to security policies. (Choose the best answer) Social engineering
________ consists of activities that violate a company's IT use policies or ethics policies. Abuse
________ is a form of online fraud when bogus clicks are performed to charge the advertiser without creating potential new customers. Click fraud
________ is a generic term for "evil software." Malware
________ may engage in commercial espionage against a firm. Both A and B
________ threaten to do at least temporary harm to the victim company's IT infrastructure unless the victim pays the attacker. Extortionists
A ________ occur(s) when a single security element failure defeats the overall security of a system. weakest link failure
A governance framework specifies how to do ________. All of the above.
A technical security architecture should be created ________. before a firm creates individual countermeasures
Before doing a vulnerability test, a security employee must ensure that ________. he or she has a specific contract to do a specific test
COSO focuses on ________. corporate internal and financial controls
CobiT focuses on ________. controlling the entire IT function
Conducting stings on employees ________. Both A and B
In manual procedures, the segregation of duties ________. reduces risk
It is acceptable for an employee to reveal ________. None of the above.
Once a company's resources are enumerated, the next step is to ________. classify them according to sensitivity
Placing security within IT ________. is likely to give security stronger backing from the IT department
Policies drive ________. Both A and B
Policies should be written by ________. corporate teams involving people from multiple departments
SLE times APO gives the ________. expected annual loss
The FTC can ________. Both A and B
The first step in developing an IT security plan is to ________. assess the current state of the company's security
The key to security being an enabler is ________. getting it involved early within the project
The worst problem with classic risk analysis is that ________. we cannot estimate the annualized rate of occurrence
This book focuses on ________. defense
When risk analysis deals with costs and benefits that vary by year, the computations should use ________. Either A or B
When someone requests to take an action that is potentially dangerous, what protection should be put into place? Limit the number of people that may request an approval.
Which companies do PCI-DSS affect? companies that accept credit card payments
Which of the following gives the best estimate of the complete cost of a compromise? TCI
Which of the following is a formal process? Both A and B
Which of the following is a way of responding to risk with active countermeasures? risk reduction
Which of the following is an example of a conflict of interest? All of the above
Which of the following specifies how to do certification by external parties? ISO/IEC 27000
________ are prescriptive statements about what companies should do and are put together by trade associations and government agencies. Recommended practices
________ entails investigating the IT security of external companies and the implications of close IT partnerships before implementing interconnectivity. Due diligence
________ examines IT processes for efficiency, effectiveness, and adequate controls. IT auditing
________ examines financial processes for efficiency, effectiveness, and adequate controls. Financial auditing
________ is preferred by U.S. auditors. CobiT
________ is the plan-based creation and operation of countermeasures. Protection
________ means implementing no countermeasures and absorbing any damages that occur. Risk acceptance
________ means responding to risk by not taking a risky action. Risk avoidance
________ means responding to risk by taking out insurance. Risk transference
________ requires multiple countermeasures to be defeated for an attack to succeed. Defense in depth
________ specifically addresses data protection requirements at financial institutions. GLBA
________ specifically addresses data protection requirements at health care institutions. HIPAA
________ specify the low-level detailed actions that must be taken by specific employees. Procedures
A DES key is ________ bits long. 56
A ________ is a cryptographic system that provides secure communication over an untrusted network. virtual private network
Companies transmit over the Internet because the Internet ________. is inexpensive
Digital signatures are used for ________ authentication. message-by-message
Electronic signatures usually provide ________. Both A and B
HMACs provide the cryptographic protection of ________. authentication
Hashing is ________. repeatable
In MS-CHAP, the ________ creates the response message. supplicant
In SSL/TLS, a ________ is a specific set of security methods and options. cipher suite
In SSL/TLS, a specific set of protocols that a particular cryptographic system will use to provide protection is called a ________. cipher suite
In checking the digital signature, the verifier ________. hashes the plaintext message with the same algorithm used by the sender to get the message digest
In codes, code symbols may represent ________. All of the above
In mutual authentication between two parties, ________. there are two verifiers and two supplicants
In order to be considered strong today, a symmetric encryption key must be at least ________ bits long. 100
In public key encryption for authentication, the supplicant must prove that it knows ________, which nobody else should be able to know. the true party's private key
Nonces can be used in ________. client/server applications
SSL/TLS is used for ________ VPNs. Both A and B
SSL/TLS was developed for ________ VPNs. host-to-host
Someone who breaks encryption is called a ________. cryptanalyst
Someone who pretends to be someone else is ________. an impostor
The best way to thwart exhaustive searches by cryptanalysts is ________. to make the key very long
To check a certificate's revocation status, the verifier can ________. send an OCSP message to the CA
To ensure that a digital certificate is valid, the receiver of the certificate must check ________. Both A and B
To meet national export limitation in many countries, RC4 often uses a key length of ________ bits. 40
What protection do cryptographic systems provide on a message-by-message basis? All of the above
What usually is the longest stage in a cryptographic system dialogue? ongoing communication
When Joshua sends a message to Larry, Joshua will use ________ to encrypt the message. Larry's public key
When you make a purchase over the Internet, your sensitive traffic is almost always protected by ________ VPN transmission. SSL/TLS
Which encryption method does MS-CHAP use? Neither A nor B
Which of the following can be used as a keying method? public key encryption for confidentiality
Which of the following fields are contained on a digital certificate? All of the above
Which of the following is one of the key lengths offered by AES? 192 bits
Which of the following measures do HMACs use? hashing
Which of the following statements accurately describes RC4? RC4 is extremely fast
Which of the following statements accurately describes RC4? RC4 can use a broad range of key lengths
Which types of VPNs use VPN gateways? remote access VPNs
________ are proofs of identity. Credentials
________ is the use of mathematical operations to protect messages travelling between parties or stored on a computer. Cryptography
________ offers transparent protection. IPsec
________ thwart replay attacks by ensuring "freshness" using cutoff values. Time stamps
A ________ attack is when a victim is flooded with ICMP packets that appear to be normal supervisory traffic. Ping flood
A network administrator notices extensive damage to wireless packets. This might indicate a ________ attack. DoS flood attack
An EAP response message may contain ________. a negative acknowledgement
An attacker controlling bots in a coordinated attack against a victim is known as a ________. DDoS attack
Eavesdropping usually is more of a concern for ________ LANs than for ________ LANs. wireless, wired
In a man-in-the-middle attack, ________. Both A and B
In regards to network security, ________ is the policy-driven control of access to systems, data, and dialogues. access control
Most central authentication servers are governed by the ________ standard. RADIUS
Rerouting traffic using ARP poisoning is an attack on ________ of a network. Both A and B
The authenticator is the ________. workgroup switch
The most common attack against a wireless network is a(n) ________. unauthorized network access
The original 802.11 core security protocol, ________, was deeply flawed. WEP
The ultimate goal of a DoS attack is to ________. cause harm
WEP stands for ________. wired equivalent privacy
WEP typically takes ________ to crack today. minutes
When a new EAP authentication is added, software has to be changed on the ________. central authentication server
Which of the following measures offers strong security? None of the above
________ are an additional layer of compromised hosts that are used to manage large groups of bots. Handlers
________ are compromised hosts running malware controlled by the hacker. Bots
________ is a good option if an attack is aimed at a single server because it keeps transmission lines at least partially open for other communication. Rate limiting
________ is one method of thwarting DoS attacks by dropping all IP packets from an attacker. Black holing
________ is the process of obscuring an attackers source IP address. Spoofing
________ is used by ________ for authentication. EAP, RADUS
________ is/are effective method(s) to preventing ARP poisoning attacks. Both A and B
________ security uses 128-bit AES encryption for confidentiality and AES-CCMP for automatic rekeying. 802.11i
A security assertion may contain ________. Both A and B
A(n) ________ is a statement from Firm A that Firm B should accept as true if Firm B trusts Firm A. assertion
Directory servers from different vendors are synchronized through ________. None of the above
Hand geometry recognition is used heavily for ________. door access
If Directory Server A trusts Directory Server Band Directory Server B trusts Directory Server A, this is ________ trust. mutual
If a laptop needs to be taken off premises, ________. All of the above
In Kerberos, the ________ is an encrypted session key that only the verifier can decrypt. service ticket
In directory servers, information is organized ________. hierarchically
In the context of PKI, ________ is the process of accepting public keys and providing new digital certificates to the users. provisioning
LDAP can be used ________. Both A and B
Long passwords that use several types of keyboard characters are called ________ passwords. complex
The book recommends that passwords be at least ________ characters long. 8
The most widely used form of biometrics is ________. fingerprint scanning
The principle of ________ states that each person should only get the permissions that he or she absolutely needs to do his or her job. least permissions
The strongest form of authentication is ________. cryptographic authentication
Two-factor authentication can be defeated if ________. Both A and B
When an attacker deliberately attempts to fool the system, this is called ________. deception
Which of the following is one of the four bases for authentication credentials? Both A and B
Which of the following is not one of the AAA controls? accuracy
Which of the following is not one of the devices in RADIUS central authentication? the verifier
Which of the following statements accurately describes fingerprint recognition? fingerprint recognition is easily deceived
Which of the following statements is true about log files? All of the above
________ is the process of assessing the identity of each individual claiming to have permission to use a resource. Authentication
________ is the process of collecting information about the activities of each individual in log files for immediate and later analysis. Auditing
________ often get their authentication information from ________. Central authentication servers, directory servers
Created by: cclugston