
Ch01 End of Chapter Solutions & Quiz


7/27/2019 Ch01 End of Chapter Solutions & Quiz

http://slidepdf.com/reader/full/ch01-end-of-chapter-solutions-quiz 1/16

Principles of Information Security, 2nd Edition

Chapter 1

Review Questions

1. What is the difference between a threat agent and a threat?

A threat agent is the specific instance or component of a threat, whereas a threat is a category of objects, persons, or other entities that represents a potential danger to an asset. Threats are always present. Some threats manifest themselves in accidental occurrences and others are purposeful. Fire is a threat; however, a fire that has begun in a building is an attack. If an arsonist set the fire, then the arsonist is the threat agent. If an accidental electrical short started the fire, the short is the threat agent.

2. What is the difference between vulnerability and exposure?

Exposure is an actual instance when the information system is compromised and is open to potential danger. Vulnerability is a weakness in the system or protection mechanism that allows information to be compromised or an attack to cause damage. Examples of vulnerabilities are flaws in software that can allow hackers to enter and manipulate system resources, such as a flaw in MS Internet Explorer. Vulnerability may lead to exposure. Exposure is the actual instance that a system's security is open to potential damage.

3. How has the definition of "hack" evolved over the last 30 years?

In the early days of computing, computer enthusiasts could tear apart the computer instruction code, or the computer itself, to manipulate its output. This was often called hacking the computer or hacking the program, as in hacking it to bits. Hackers had the ability to make computing technology work as desired in the face of adversity. Today, the usage of the word hack is perceived as part of a culture of illegal activities using computers and telecommunications systems.

4. What type of security was dominant in the early years of computing?

In the early years of computing, when security was addressed at all, it dealt only with the physical security of the computers themselves and not the data or connections between the computers. This led to circumstances where most information being stored on computers was vulnerable, since information security was often left out of the design phase of most systems.

ISA 3100 - Chapter 1 Questions for Group 0

5. What are the three components of the C.I.A. triangle? What are they used for?

The three components of the C.I.A. are:

• confidentiality (assurance that the information is shared only among authorized persons or organizations);
• integrity (assurance that the information is complete and uncorrupted); and
• availability (assurance that the information systems and the necessary data are available for use when they are needed).

These three components are frequently used to conveniently articulate the objectives of a security program that must be used in harmony to assure an information system is secure and useable.

6. If the C.I.A. triangle is incomplete, why is it so commonly used in security?

The CIA triangle is commonly used in security because it addresses the fundamental concerns of information: confidentiality, integrity, and availability. It is still used when not complete because it addresses all of the major concerns with the vulnerability of information systems.

7. Describe the critical characteristics of information. How are they used in the study of computer security?

The critical characteristics of information define the value of information. Changing any one of its characteristics changes the value of the information itself. There are seven characteristics of information:

• Authenticity is the quality or state of being genuine or original, rather than a reproduction or fabrication.
• Confidentiality is the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
• Integrity is the quality or state of being whole, complete, and uncorrupted.
• Utility is the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose.
• Possession is the quality or state of having ownership or control of some object or item.
• Confidentiality is ensuring that only those with rights and privileges to access a particular set of information are able to do so, and those who are not are prevented from doing so.
• Integrity is the quality or state of being whole, complete, and uncorrupted.
• Availability enables users who need to access information to do so without interference or obstruction, and to receive it in the required format.

8. Identify the five components of an information system. Which are most directly impacted by the study of computer security? Which are most commonly associated with this study?

The five components are software, hardware, data, people, and procedures.

People would be impacted most by the study of computer security. When hardening security, people dealing with the system could be a weakest link because they can often become a threat. Policy, education and training, awareness and technology should be understood properly in order to keep those people from obtaining unauthorized access.

Procedures, written instructions for accomplishing a specific task, could be another component which will be impacted. The information system will be effectively secured by educating employees about safeguarding the procedures. Also, provision of proper education on the protection of those procedures can avoid unauthorized access gained using social engineering.

The hardware and software components are the components that are historically associated with the study of computer security.

9. In the history of the study of computer security, what system is the father of almost all multiuser systems?

MULTICS

10. What paper is the foundation of all subsequent studies of computer security?

Rand Report R-609, sponsored by the Department of Defense.

11. How is the top down approach to information security superior to the bottom up approach?

The top down approach is superior because it typically has the backing of the entire organization behind it. Management is the key to this approach. Most successful projects must have a champion. (See page 20 of the text.) This champion is usually a top executive that can guarantee financial as well as administrative backing for the life of the project. Another success factor to the top down approach is that most of the time a methodology such as the SecSDLC is put in place in order to ensure that the proper steps are taken to keep the project efficient, organized and on schedule. The bottom up approach is sometimes used. Usually in the bottom up approach a systems administrator is involved in trying to secure his/her own systems. This can be good because the systems administrator has a very comprehensive understanding of their system, but without a champion or top management behind the project they usually do not succeed.

12. Why is a methodology important in the implementation of information security? How does a methodology improve the process?

A methodology is a formal technique that has a structured sequence of procedures that is used to solve a problem. Methodology is important in the implementation of information security because it ensures that development is structured in an orderly, comprehensive fashion. The methodology unifies the process of identifying specific threats and the creation of specific controls to counter those threats into a coherent program. Thus, a methodology is important in the implementation of information security for two main reasons.

• First, it entails all the rigorous steps for the organization's employees to follow, therefore avoiding any unnecessary mistakes that may compromise the end goal (i.e., to have a comprehensive security posture). An example of this is that a methodology guides an organization to solve the root cause of an information security problem, not just its symptoms.


• Second, methodology increases the probability of success. Once a methodology is adopted, the personnel selected will be responsible for establishing key milestones and made accountable to achieve the project goals.

The methodology can greatly improve the process. For example, following the six steps of the SDLC (Systems Development Life Cycle) (investigation, analysis, logical design, physical design, implementation, and maintenance and change) allows developments to proceed in an orderly, comprehensive fashion. Individuals or groups assigned to do the analysis step do not have to initiate their work until the investigation step is completely finished. Moreover, each step of the methodology may determine whether the project should be continued, outsourced, or postponed. For example, the physical design step may need to be postponed or outsourced if the organization does not possess the technology needed.

13. Who is involved in the security development life cycle? Who leads the process?

Initiation and control of the SecSDLC is the responsibility of upper management. Responsible managers, contractors and employees are then utilized to execute the SecSDLC. The process is usually led by a senior executive, sometimes called the champion, that promotes the project and secures financial, administrative, and company-wide backing of the project; then a project manager is assigned the task of managing the project.

14. How does the practice of information security qualify as both an art and a science? How does security as a social science influence its practice?

The practice of information security is a never-ending process. A good, effective information security practice must be considered as a tripod that relates to three important aspects (science, art, and social science):

• First, information security is science because it requires various kinds of tools and technologies used for technical configurations. It can also include sound information security plans and policies that may dictate the needs of particular technologies.
• Second, information security is also an art because there are no clear-cut rules on how to install various security mechanisms. Different factors such as budgets, time, threats, risks, vulnerabilities, and asset values can significantly affect the numbers and types of passive and active controls an organization needs. The overall goal is for the organization to have a good, sound information security posture that can reduce the risks of being attacked as much as possible.
• Third, and most importantly, information security must be looked at as a social science, mainly because social science deals with people, and information security is a people issue, not a technology issue. Through the eye of a social scientist, an organization can greatly benefit from the Security Education, Training, and Awareness program (SETA), which can make employees (1) know how to perform their job more securely, (2) be fully aware of the security issues within the organization, and (3) be accountable for their actions.


Therefore, information security must be viewed as having all three natures, with the most emphasis on the social science perspective. After all, people are the ones who make the other four components of information assets (data, procedures, software, and hardware) possible.

15. Who is ultimately responsible for the security of information in the organization?

The Chief Information Security Officer is primarily responsible for the security of information. His recommendations are important to the Chief Information Officer, who advises the Chief Executive Officer; therefore, the CEO is ultimately responsible for the security of information in the organization.

16. What is the relationship between the MULTICS project and early development of computer security?

MULTICS, Multiplexed Information and Computing Service, was the first and only operating system created with security as its primary goal. It was a mainframe, time-sharing operating system developed through a partnership with GE, Bell Labs and MIT. This mainframe operating system was a major focus for most research on computer security in the early stages.

17. How has computer security evolved into modern information security?

Before the creation and use of networking technologies, computer security consisted of securing the physical location of the system by the use of badges, keys and facial recognition. As networking came into use and with the creation of ARPANET, it was no longer safe to just physically secure a system. At this point it was not adequate to just physically secure a system. In order to ensure total security, the information itself and the hardware used to transmit and store the information needed to be addressed. Information security arose from this need and adopted computer security as just one of its components.

18. What was important about Rand Report R-609?

The move toward security relating to protecting data integrity was the basis of this report from the Department of Defense. This report attempted to address the multiple controls and mechanisms necessary for the protection of a multilevel computer system. In addition, the Rand Report was the first to identify the role of management and policy issues in the expanding arena of computer security.

19. What does it mean to discover an exploit? How does an exploit differ from vulnerability?

Discovering an exploit means to find a way to perform an illegal use or misuse of a system. Vulnerability is a weakness or fault in a system that has the potential of being attacked by a hacker.

20. Who should lead a security team? Should the approach to security be more managerial or technical?

The project manager or team leader would lead a security team. Typically, that person would understand project management, personnel management, and information security technical requirements and report up the chain of command to the CIO. The approach to security should be more managerial than technical, although the technical ability of the resources actually doing the day-to-day maintenance is critical. The top-down approach to security implementation is by far the best. It has strong upper management support, a dedicated champion, dedicated funding, clear planning and the opportunity to influence organizational culture.


Exercises

1. Look up "the paper that started the study of computer security." Prepare a summary of the key points. What in this paper specifically addresses security in areas previously unexamined?

Rand Report R-609 noted that security for computers had moved beyond the physical security of locking the computers behind closed doors. With the rise in computer networking, multiple users using resource-sharing systems could gain access to confidential information. New forms of security had to be implemented that could protect the safety of data, limit access, and handle different levels of personnel accessing the system. In order to accomplish this, R-609 pointed out that a task force was being implemented by ARPA in order to focus on the potential security risks of multi-access computer systems. The paper points out that security is no longer as simple as moving the system to a secure location, and new measures must be implemented to provide acceptable security.

The key points are: security control in resource-sharing systems; increase in the number of resource-sharing systems; protection of information in multi-access, resource-sharing computer systems; and necessity for the application of security rules and regulations.

The growing need to have resources available to a larger number of users led in the 1960s to the implementation of resource-sharing computer systems. Sharing data among a bigger number of users highlighted the need for an appropriate security system because data, in a multi-access computer environment, started to no longer be considered secure. Above all, the lack of control on random and unauthorized access to shared data started being seen as one of the biggest threats to the data itself. Another important issue that specifically addressed security was the lack of security rules and regulations. Rand Report R-609 was the first report to identify the important role of management and policy issues in computer security.

The Department of Defense Rand Report R-609 attempted to cover the broader aspect of protecting a computer system. The Rand Report, R-609, was the first to identify the role of management and policy issues in computer security. R-609 focused on the protection of information in a multi-access, resource-sharing computer system, more specifically safety of data, limiting random and unauthorized access, as well as the involvement of personnel from multiple levels of the organization.

2. Assume that a security model is needed for protection of information in your class. Using the NSTISSC model, examine each of the cells and write a brief statement on how you would address the three components represented in that cell.

In general, CIA represents Confidentiality, Integrity, and Availability.

Confidentiality: Allow only those students access that have registered and paid for the ISA 3100 course at KSU for the Fall Semester 2002 to attend class. The controls in place to prevent unauthorized access to class would be to take roll call and learn each student's name to match students' faces, and verify against the computerized printout of each student registered.

Integrity: Require the students to carry and present on demand their picture ID card. Provide each student with a syllabus on the policy and procedures that contains the course description, course objectives, and instructor's contact information, to include office hours and phone number. The syllabus must also include information on withdrawal policy, grading, and an integrity statement that must be read and signed to receive a final grade for the semester.

Availability: Ensure that the classroom is accessible and provide a secured environment from harm and danger to promote a well-organized learning environment. The controls to put in place would be for the professor to be present at the beginning of class and have equipment operational so that students can make use of their laptops for note taking.

In detail:

Confidentiality – Policy – Storage: An example of protecting the confidentiality of class information in storage by means of policy could be simply issuing rules to keep unauthorized viewers' access restricted, such as a rule to lock file cabinets that contain the information.

Confidentiality – Policy – Processing: An example of protecting the confidentiality of class information in processing by means of policy could be simply issuing rules to keep unauthorized viewers' access restricted while information is being processed, such as only allowing registered students in the class to attend and listen to lecture.

Confidentiality – Policy – Transmission: An example of protecting the confidentiality of class information in transmission by means of policy could be simply issuing rules to keep unauthorized viewers' access restricted while information is being processed, such as only allowing registered students in the class to attend and listen to lecture.

Confidentiality – Education – Storage: An example of protecting the confidentiality of class information in storage by means of education could be accomplished by training students and faculty, such as teaching them what people are authorized access to the information in storage.

Confidentiality – Education – Processing: An example of protecting the confidentiality of class information that is being processed by means of education could be accomplished by training students and faculty, such as training how to verify if the people are authorized to get the information before class starts by something such as a student ID or schedule.

Confidentiality – Education – Transmission: An example of protecting the confidentiality of class information that is being transmitted by means of education could be accomplished by training students and faculty, such as training the students and faculty to close doors to the classroom while in lecture so that others outside would not hear the lecture.

Confidentiality – Technology – Storage: An example of protecting the confidentiality of class information that is being stored by means of technology could be accomplished by something as simple as locks on file cabinets that contain the information while not in use.

Confidentiality – Technology – Processing: An example of protecting the confidentiality of class information that is being processed by means of technology could be accomplished by forcing the use of electronic IDs during classes.

Confidentiality – Technology – Transmission: An example of protecting the confidentiality of class information that is being transmitted by means of technology could be accomplished by having a password on a class website.

Integrity – Policy – Storage: An example of protecting the integrity of class information that is being stored by means of policy could be accomplished by simply making rules that state that only certified people may alter the information.

Integrity – Policy – Processing: An example of protecting the integrity of class information that is being processed by means of policy could be accomplished by making a rule that forces students to study in only quiet areas without the help of other people not in the class.

Integrity – Policy – Transmission: An example of protecting the integrity of class information that is being processed by means of policy could be accomplished by making a rule that the teacher is not allowed to drink alcohol before class.

Integrity – Education – Storage: An example of protecting the integrity of class information that is being stored by means of education could be accomplished by teaching those who store the information who is authorized to change it.

Integrity – Education – Processing: An example of protecting the integrity of class information that is being processed by means of education could be accomplished by informing the students that studying with other non-students will give incorrect information.

Integrity – Education – Transmission: An example of protecting the integrity of class information that is being transmitted by means of education could be accomplished by teaching the teachers effective ways to teach.

Integrity – Technology – Storage: An example of protecting the integrity of class information that is being stored by means of technology could be accomplished by electronically storing all the data in a way that forces authorization to modify it.

Integrity – Technology – Processing: An example of protecting the integrity of class information that is being processed by means of technology could be accomplished by making PowerPoint presentations to verify what the teacher says.

Integrity – Technology – Transmission: An example of protecting the integrity of class information that is being transmitted by means of technology could be accomplished by printing the PowerPoint presentations and giving a copy to each student.

Availability – Policy – Storage: An example of protecting the availability of class information that is being stored by means of policy could be accomplished by making certain that those who need access to the information get it.

Availability – Policy – Processing: An example of protecting the availability of class information that is being processed by means of policy could be accomplished by making a rule that only those authorized are allowed to enter the classroom.

Availability – Policy – Transmission: An example of protecting the availability of class information that is being transmitted by means of policy could be accomplished by making a rule that allows only students into the classroom and none other.

Availability – Education – Storage: An example of protecting the availability of class information that is being stored by means of education could be accomplished by teaching those who store the information the correct process of storage so that things don't get lost.

Availability – Education – Processing: An example of protecting the availability of class information that is being processed by means of education could be accomplished by teaching those who teach the information to speak up so that everyone in the classroom can hear what is being taught.

Availability – Education – Transmission: An example of protecting the availability of class information that is being processed by means of education could be accomplished by teaching the students to remain quiet in the classroom so that all can hear the information.

Availability – Technology – Storage: An example of protecting the availability of class information that is being stored by means of technology could be accomplished by making the information available on the internet via a database.

Availability – Technology – Processing: An example of protecting the availability of class information that is being processed by means of technology could be accomplished by the teacher providing the PowerPoint files to the students on the internet to study.

Availability – Technology – Transmission: An example of protecting the availability of class information that is being transmitted by means of technology could be accomplished by the teacher using a microphone to speak into, enabling it to be loud enough for all students to hear.
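Walking the 27 cells of the NSTISSC model by hand, as the answer above does, makes it easy to miss a cell or to notice too late that one cell rests on a single control. The following Python is an added example, not part of the original document: it models the cube as the cartesian product of goals, measures and states, maps a control inventory onto cells, and reports the cells no control addresses and the cells that depend on exactly one control. The inventory is constructed from a handful of the classroom controls listed in the answer, and the record field names and function names are assumptions made for this illustration.

```python
"""Coverage check for the 27-cell NSTISSC (McCumber) security model.

Added example, not part of the original document. The control inventory
below is constructed from the classroom answers; field names and function
names are assumptions made for this illustration.
"""
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
MEASURES = ("policy", "education", "technology")
STATES = ("storage", "processing", "transmission")


def all_cells():
    """Return the 27 (goal, measure, state) cells of the model."""
    return list(product(GOALS, MEASURES, STATES))


def cells_of(control):
    """Expand one control record into the set of cells it addresses.

    A control names one or more goals, measures and states and covers their
    cartesian product. Unknown labels raise ValueError so that a typo in the
    inventory cannot silently masquerade as coverage.
    """
    for key, valid in (("goals", GOALS), ("measures", MEASURES), ("states", STATES)):
        unknown = set(control[key]) - set(valid)
        if unknown:
            raise ValueError(f"{control['name']}: unknown {key} {sorted(unknown)}")
    return set(product(control["goals"], control["measures"], control["states"]))


def coverage(controls):
    """Map every cell to the names of the controls that address it."""
    table = {cell: [] for cell in all_cells()}
    for control in controls:
        for cell in cells_of(control):
            table[cell].append(control["name"])
    return table


def uncovered(controls):
    """Cells that no control addresses: the gaps in the model."""
    return sorted(cell for cell, names in coverage(controls).items() if not names)


def single_points(controls):
    """Cells that rest on exactly one control, i.e. with no defence in depth."""
    return sorted(cell for cell, names in coverage(controls).items() if len(names) == 1)


# Constructed inventory: a subset of the classroom controls from the exercise,
# each tagged with the cells it covers. One control may cover several cells.
SAMPLE_CONTROLS = [
    {"name": "locks on file cabinets", "goals": ["confidentiality", "integrity"],
     "measures": ["technology"], "states": ["storage"]},
    {"name": "rule: lock cabinets when not in use", "goals": ["confidentiality"],
     "measures": ["policy"], "states": ["storage"]},
    {"name": "roll call against registration printout", "goals": ["confidentiality"],
     "measures": ["policy"], "states": ["processing", "transmission"]},
    {"name": "password on class website", "goals": ["confidentiality"],
     "measures": ["technology"], "states": ["transmission"]},
    {"name": "teach record keepers who may alter records", "goals": ["integrity"],
     "measures": ["education"], "states": ["storage"]},
    {"name": "printed slide handouts", "goals": ["integrity", "availability"],
     "measures": ["technology"], "states": ["transmission"]},
    {"name": "microphone in lecture", "goals": ["availability"],
     "measures": ["technology"], "states": ["transmission"]},
]

if __name__ == "__main__":
    for cell in uncovered(SAMPLE_CONTROLS):
        print("GAP:   ", " / ".join(cell))
    for cell in single_points(SAMPLE_CONTROLS):
        print("SINGLE:", " / ".join(cell))
```

With the seven constructed controls, 9 of the 27 cells are covered and 18 are gaps; only the availability / technology / transmission cell has two controls behind it. Rejecting unknown labels matters in practice: an inventory entry tagged "secrecy" instead of "confidentiality" would otherwise vanish from the report without covering anything.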

3. Consider the information stored on your personal computer. For each of the terms listed, find an example and document it: threat, threat agent, vulnerability, exposure, risk, attack, and exploit.

Threat – The hundreds of people/machines that attempt to breach my security and gain access to my system via my DSL connection.

Threat agent: A specific attacker could compromise my system.

Vulnerability: I run Windows 98 on my PC with file sharing enabled. If I leave the PC connected to an always-on connection without a firewall control, it can be accessed by anyone who connects to it.

Exposure – A security exposure for my personal system occurred last night when I reduced my firewall settings in order to run a specific software application.


Risk: Based on the fact that my firewall logs approximately 50 attempts for unauthorized access a day, the risk for each minute that I am connected to my DSL and the firewall is down is 3.3%.

Attack: My house was once struck by lightning and my PC's motherboard and modem were destroyed.

Exploit: My machine was the victim of an exploit when it was used for "IP hopping", allowing hackers to use my system to connect to other systems.
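The risk figure in the answer above is a hand estimate. As an added worked example (not code from the original solutions page), the script below derives the same kind of number from the firewall log itself: it parses a handful of constructed, syslog-style DROP/ACCEPT lines (the log format, host name and addresses are assumptions made for this example), counts dropped inbound connections per day and per source address, flags how many of them probe the Windows file-sharing ports (135, 137-139, 445) that the vulnerability above leaves open, and converts the daily rate into a per-minute probability two ways: the naive ratio (attempts per day divided by minutes per day) and the Poisson probability of at least one attempt landing in a given unprotected minute.

```python
import math
import re
from collections import Counter

# Constructed sample of host-firewall log lines: an iptables-style DROP/ACCEPT
# message behind a syslog timestamp. The layout, host name and addresses are
# invented for this example; they are not taken from the original page.
SAMPLE_LOG = """\
Mar  3 00:14:52 host kernel: FW-DROP IN=ppp0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP DPT=139
Mar  3 00:15:07 host kernel: FW-DROP IN=ppp0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP DPT=445
Mar  3 00:15:30 host kernel: FW-DROP IN=ppp0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP DPT=135
Mar  3 03:41:19 host kernel: FW-DROP IN=ppp0 SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP DPT=135
Mar  3 09:02:33 host kernel: FW-ACCEPT IN=ppp0 SRC=198.51.100.9 DST=198.51.100.7 PROTO=TCP DPT=22
Mar  3 17:55:01 host kernel: FW-DROP IN=ppp0 SRC=192.0.2.44 DST=198.51.100.7 PROTO=UDP DPT=137
Mar  4 01:10:10 host kernel: FW-DROP IN=ppp0 SRC=203.0.113.77 DST=198.51.100.7 PROTO=TCP DPT=139
Mar  4 12:00:00 host kernel: FW-DROP IN=ppp0 SRC=203.0.113.77 DST=198.51.100.7 PROTO=TCP DPT=445
Mar  4 12:30:45 host kernel: FW-DROP IN=ppp0 SRC=192.0.2.99 DST=198.51.100.7 PROTO=TCP DPT=80
"""

# One regex for the assumed line layout; anything that does not match is ignored.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"FW-(?P<action>DROP|ACCEPT) IN=(?P<iface>\S+) SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)"
)

MINUTES_PER_DAY = 24 * 60
# NetBIOS/SMB ports that a Windows host with file sharing enabled listens on.
FILE_SHARING_PORTS = {135, 137, 138, 139, 445}


def parse_log(text):
    """Yield one dict of named fields per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def blocked_attempts_per_day(text):
    """Count inbound connections the firewall dropped, keyed by calendar day."""
    counts = Counter()
    for rec in parse_log(text):
        if rec["action"] == "DROP":
            counts[f'{rec["mon"]} {int(rec["day"]):02d}'] += 1
    return dict(counts)


def file_sharing_probes(text):
    """How many dropped attempts targeted the file-sharing ports (the reachable weakness)."""
    return sum(1 for rec in parse_log(text)
               if rec["action"] == "DROP" and int(rec["dpt"]) in FILE_SHARING_PORTS)


def top_sources(text, n=3):
    """Source addresses behind the most dropped attempts: candidate threat agents."""
    c = Counter(rec["src"] for rec in parse_log(text) if rec["action"] == "DROP")
    return c.most_common(n)


def naive_per_minute_risk(attempts_per_day):
    """Attempts per day spread evenly over the minutes in a day (the hand estimate)."""
    return attempts_per_day / MINUTES_PER_DAY


def poisson_per_minute_risk(attempts_per_day):
    """P(at least one attempt in a given minute) if arrivals are Poisson at the daily rate."""
    lam = attempts_per_day / MINUTES_PER_DAY   # expected attempts per minute
    return 1.0 - math.exp(-lam)


if __name__ == "__main__":
    per_day = blocked_attempts_per_day(SAMPLE_LOG)
    print("dropped inbound attempts per day:", per_day)
    print("of which file-sharing probes:", file_sharing_probes(SAMPLE_LOG))
    print("busiest sources:", top_sources(SAMPLE_LOG))
    observed = sum(per_day.values()) / len(per_day)
    for rate in (observed, 50):   # 50/day is the figure assumed in the answer above
        print(f"{rate:5.1f} attempts/day -> naive {naive_per_minute_risk(rate):.2%}, "
              f"Poisson {poisson_per_minute_risk(rate):.2%}")
```

At 50 attempts a day the two estimates differ only in the third decimal place (about 3.47% versus 3.41%), but the naive ratio exceeds 100% once the rate passes one attempt per minute, whereas the Poisson form stays a probability. Either way the number is an exposure rate for the minutes the firewall is down, not the chance that a given attempt succeeds; that depends on whether the file-sharing service behind ports 139/445 is actually reachable and unpatched.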

4. Using the Web, identify the CIO, CISO and SA. Who represents the data owner? The data custodian?

Each organization will have its own specific answer set.

5. Using the Web, find out who Kevin Mitnick was. What did he do? Who caught him? Write a short summary of his activities and why he is famous.

Kevin Mitnick was one of the most notorious computer hackers in computer history. He began his "hacking" career by using a personal computer and a modem to gain access to a digital central office switch of a local telephone company. He and several other members of a phone phreak gang would make prank calls, answer operator-assisted calls and eavesdrop on conversations. This, however, did not satisfy them for long. In 1981, over Memorial Day weekend, Kevin and his gang talked their way past a security guard at Pacific Bell's COSMOS center. Once inside they stole passwords, operating manuals and combinations to doors at other Pacific Bell offices. They also did a little "social engineering" while inside and left fake names and phone numbers for later use. The gang was eventually caught when the girlfriend of one of its members went to the police. The gang was charged with stealing and destroying data. Kevin Mitnick was only 17 at the time and was sentenced to three months in juvenile detention and one year of probation.

In 1983, Kevin was arrested again, this time by the campus police at the University of Southern California. He had used one of the school's computers to break into the Pentagon over ARPAnet. His sentence was six months in a juvenile prison. In 1987, he received three years of probation for stealing software from the Santa Cruz Operation; he was caught through his use of illegal telephone credit card numbers.

In 1988, he was arrested again and charged with one count of possession of illegal long-distance access codes and one count of computer fraud. He and a friend had tried to gain access to Digital Equipment's Palo Alto research laboratory in the hope of acquiring a copy of the VMS minicomputer operating system. He was caught when his accomplice became frustrated with him and turned him in to the FBI and DEC. Kevin received jail time and was required to undergo counseling at a halfway house. In 1992, an arrest warrant was issued for him for violating the terms of his probation: he had associated with members of his original phone phreak gang and had illegally accessed a computer. Kevin was arrested in 1995.

Alternate Answer

Kevin Mitnick, a.k.a. Condor, is one of the most famous computer hackers in the history of computing. This famous hacker was so prolific that it earned him a place on the FBI's


Most Wanted List. Mitnick started out as a phone phreaker, someone who breaks into phone switches, but later turned his attention to computer systems. Mitnick was brought up on charges numerous times, but it was not until he went on a computer hacking spree in 1995 that he gained national attention. Mitnick was finally tracked down after two years on the run as a fugitive. Tsutomu Shimomura played a major role in the capture of Mitnick, after Mitnick hacked into Shimomura's computer system. Mitnick was jailed for 5 years without a trial or bond, and is said to be the longest held prisoner without a trial. Mitnick was released in January 2000, but as a condition of his supervised release was not allowed to use any type of electronic device.

Question 1
5 out of 5 points
When a computer is the subject of an attack, it is the entity being attacked.
Answer
Selected Answer: False
Correct Answer: False

Question 2
5 out of 5 points
The roles of information security professionals are aligned with the goals and mission of the information security community of interest.
Answer
Selected Answer: True
Correct Answer: True

Question 3
5 out of 5 points
To achieve balance, that is, to operate an information system that satisfies the user and the security professional, the security level must allow reasonable access, yet protect against threats.
Answer
Selected Answer: True
Correct Answer: True

Question 4
5 out of 5 points
The bottom-up approach to information security has a higher probability of success than the top-down approach.


Answer
Selected Answer: False
Correct Answer: False

Question 5
5 out of 5 points
An e-mail virus involves sending an e-mail message with a modified field.
Answer
Selected Answer: False
Correct Answer: False

Question 6
0 out of 5 points
The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.
Answer
Selected Answer: b. CIO
Correct Answer: d. CISO

Question 7
5 out of 5 points
The value of information comes from the characteristics it possesses.
Answer
Selected Answer: True
Correct Answer: True

Question 8
5 out of 5 points
Applications systems developed within the framework of the traditional SDLC are designed to anticipate a software attack that requires some degree of application reconstruction.
Answer
Selected Answer: False
Correct Answer: False

Question 9
5 out of 5 points
____ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.
Answer
Selected Answer: d. Physical
Correct Answer: d. Physical

Question 10
0 out of 5 points
The investigation phase of the SecSDLC begins with a directive from upper management.
Answer
Selected Answer: False
Correct Answer: True

Question 11
5 out of 5 points
The most successful kind of top-down approach involves a formal development strategy referred to as a ____.
Answer
Selected Answer: d. systems development life cycle
Correct Answer: d. systems development life cycle

Question 12
5 out of 5 points
The ____ is a methodology for the design and implementation of an information system in an organization.
Answer
Selected Answer: d. SDLC
Correct Answer: d. SDLC


Question 13
5 out of 5 points
____ presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.
Answer
Selected Answer: a. NSTISSI No. 4011
Correct Answer: a. NSTISSI No. 4011

Question 14
5 out of 5 points
The physical design is the blueprint for the desired solution.
Answer
Selected Answer: False
Correct Answer: False

Question 15
5 out of 5 points
Organizations are moving toward more ____-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product.
Answer
Selected Answer: c. security
Correct Answer: c. security

Question 16
5 out of 5 points
____ of information is the quality or state of being genuine or original.
Answer
Selected Answer: d. Authenticity
Correct Answer: d. Authenticity


Question 17
5 out of 5 points
Hardware is often the most valuable asset possessed by an organization and it is the main target of intentional attacks.
Answer
Selected Answer: False
Correct Answer: False

Question 18
5 out of 5 points
A famous study entitled "Protection Analysis: Final Report" was published in ____.
Answer
Selected Answer: b. 1978
Correct Answer: b. 1978

Question 19
5 out of 5 points
Part of the logical design phase of the SecSDLC is planning for partial or catastrophic loss. ____ dictates what steps are taken when an attack occurs.
Answer
Selected Answer: c. Incident response
Correct Answer: c. Incident response

Question 20
5 out of 5 points
Which of the following is a valid type of data ownership?
Answer
Selected Answer: d. All of the above
Correct Answer: d. All of the above
