QUESTION 1 : Which of the following is an information security goal that an e-commerce system should endeavor to meet for its users and asset holders?
- Exactness
- Access authority
- Non-repudiation
- Systems reliability
Non-repudiation is an information security goal that an e-commerce system should strive to provide its users and asset holders. It refers to a method used to guarantee that the parties involved in an e-commerce transaction cannot repudiate (deny) participation in that transaction. Non-repudiation is obtained through the use of digital signatures,
Additional information security goals that should be achieved to ensure the security of information systems for users and account holders include:
- Confidentiality of data
- Integrity of data
- Availability of data
- Authentication
QUESTION 2 : Which of the following is NOT a symptom that might indicate a malware infection?
- A system’s files are erased with no warning.
- Excessive pop-up windows appear without cause.
- Several system programs launch automatically at startup.
- Unexplained changes to the system’s memory occur.
Detecting malware might be as simple as reading a message on the screen, but some malware goes undetected. The following are some symptoms that might indicate a malware infection:
- The system suddenly, and for no apparent reason, slows down its response time to commands.
- The computer stops responding or locks up frequently.
- The computer crashes and then restarts every few minutes.
- The computer restarts on its own.
- The computer does not run as usual.
- The computer experiences a sudden and sometimes dramatic decrease of free space.
- The size of some files increases.
- The operating system or other programs and applications begin behaving in unpredictable ways.
- Files cannot be accessed or are suddenly erased with no warning.
- There has been a change in the length of executable files, a change in their content, or a change in their file date or timestamps.
- Disks or disk drives are inaccessible.
- An attachment that was recently opened has a double extension, such as a .jpg, .vbs, .gif, or .exe extension.
- The system does not boot up.
- There are unusual graphics and messages.
- The user cannot access a hard disk drive.
- There are unexplained and repeated maintenance repairs.
- There are unexplained changes to memory.
- System or data files disappear or become fragmented.
- Items cannot be printed correctly.
- Unusual error messages appear.
- Menus and dialog boxes are distorted.
- New icons, which are not associated with any new programs, appear on the desktop.
- Programs experience unexplained changes in size.
- Antivirus program is disabled for no reason.
- Antivirus program cannot be restarted.
- Antivirus program displays messages stating that a virus has been encountered.
- The Web browser’s homepage is changed automatically.
- When performing an Internet search, the Web browser visits a strange website.
- The user is unable to stop the excessive pop-up windows that appear without cause.
- The user receives a lot of bounced back email.
- There is evidence that emails are being sent without the user’s knowledge.
- Unusual and unexpected toolbars appear in the system’s Web browser.
QUESTION 3 : Which of the following is NOT a type of physical access control device that can be used to control access to physical objects?
- Electronic access cards
- Profiling software
- Locks and keys
- Biometric systems
There are various types of physical access control devices that can be used to control access to physical objects. Some common types of physical access control devices include:
- Locks and keys
- Electronic access cards
- Biometric systems
Profiling software is a type of logical access control device that authenticates users by monitoring their statistical characteristics, such as typing speed and keystroke touch.
QUESTION 4 : _________ is an attack in which a user is fooled into entering sensitive data into a malicious website that imitates a legitimate website.
- Pharming
- Spear phishing
- Phishing
- SMiShing
Pharming is an attack in which a user is fooled into entering sensitive data (such as a password or credit card number) into a malicious website that imitates a legitimate website.
QUESTION 5 : Which of the following best describes phishing?
- A method for acquiring sensitive information by falsely claiming through electronic communication to be from an entity with which the target does business
- A method for acquiring sensitive information needed to facilitate a specific scheme by searching through large quantities of available data
- A method for acquiring sensitive information in which an attacker hides near the target to gain unauthorized access to a computer system
- A method for acquiring sensitive information by bypassing a computer system’s security through the use of an undocumented operating system and network functions
Phishing is a type of social engineering scheme that involves impersonating a trusted individual or entity. Generally, phishers manipulate victims into providing sensitive information by falsely claiming to be from an actual business, bank, Internet service provider (ISP), or other entity with which the target does business. In these schemes, phishers typically use emails to direct Internet users to websites that look like legitimate e-commerce websites, such as online banks, retailers, or government agencies. Phishers control these imitation websites and use them to steal sensitive information, such as bank account details and passwords.
QUESTION 6 : Implementing privilege escalation and using buffer overflow exploits are examples of administrative controls used for securing computer systems and communication networks.
- True
- False
Computer networks and communications are inherently insecure and vulnerable to attack and disruption. Consequently, management must use technical and administrative controls to protect systems against threats like unauthorized use, disclosure, modification, destruction, or denial of service. Technical security involves the use of safeguards incorporated in computer hardware, operations or applications software, communications hardware and software, and related devices. Administrative security involves the use of tools to provide an acceptable level of
Common technical and administrative controls used to secure computer systems and communication networks include:
- Logical access controls
- Network security
- Operating system security
- Encryption
- Application security
- Separation of duties
Buffer overflows and privilege escalation are not controls to prevent computer fraud. Rather, they are both methods of exploiting design flaws in computer systems to gain unauthorized access.
QUESTION 7 : ___________ is the deliberate scrambling of a message so that it is unreadable except to those who hold the key for unscrambling the message.
- Alteration of input
- Customer validation
- Encryption
- Firewall security
Encryption is one of the most effective methods of protecting networks and communications against attacks. Encryption is the deliberate scrambling of a message so that it is unreadable except to those who hold the key for unscrambling the message.
QUESTION 8 : ______________ is a term used to classify malicious software that is intended to facilitate criminal behavior.
- Adware
- Botnet
- Freeware
- Crimeware
Crimeware is not a type of malware but rather a classification of malware denoted by its intent to facilitate criminal behavior. Crimeware can be described as malware designed to simplify or automate online criminal activities, such as programs to fraudulently obtain financial gain from the affected user or other third parties.
QUESTION 9 : After paying the ransom demanded by the fraudster, a ransomware victim is always granted access to all locked files on the compromised computer.
- True
- False
Ransomware, as its name implies, is a form of malware that locks a user’s operating system and restricts access to data files until a ransom is paid. While some ransomware simply prevents access to files, other forms actually encrypt users’ files. This is of particular concern to businesses due to the potentially disastrous threat of encrypted network drives. These schemes typically promise that, after payment is received, the user will be provided with a key to release the system and unencrypt files; however, even after money is transferred, many victims find that the virus
Less sophisticated forms of ransomware have also appeared that claim to have encrypted victims’ files when the malware has simply deleted the files, thus tricking victims into paying to regain access to files that no longer exist. Some forms of this imitation ransomware go a step farther by deleting the restore points and registry keys needed to reboot a system in safe mode or overwriting deleted files to make them nearly impossible to recover.
QUESTION 10 : Which of the following is the most accurate definition of a firewall?
- A system that blocks unauthorized or unverified access to network assets by surveying incoming and outgoing transmissions
- A system that authenticates users by monitoring their statistical characteristics, such as typing speed and keystroke touch
- A device that takes information and scrambles it so that it is unreadable by anyone who does not have a specific code
- None of the above
Firewalls are network hardware and software that block unauthorized or unverified access to computer systems and network assets. These tools survey incoming and outgoing transmissions and decide what type of traffic to permit onto an organization’s internal network based on factors such as origination or destination address, content of the message, protocol being used to transmit the message, and other filtering methods.
QUESTION 11 : Which of the following lists the information security goals that an e-commerce system should achieve for its users and asset holders?
- Exactness, invulnerability, accuracy, materiality, and data/systems response
- Penetrability, accuracy, exactness, materiality, and systems reliability
- Confidentiality, integrity, availability, authentication, and non-repudiation
- Penetrability, accuracy, availability, authentication, and systems reliability
All branches of an information system, including the e-commerce branch, strive to provide security to their users and asset holders. The following is a list of common information security goals that should be achieved to ensure the security of information systems for users and account holders:
- Confidentiality of data
- Integrity of data
- Availability of data
- Authentication
- Non-repudiation
QUESTION 12 : Which of the following is the most accurate definition of a Trojan horse?
- A program or command procedure that gives the appearance that it is useful but in fact contains hidden malicious code that causes damage
- A software program that contains various instructions that are carried out every time a computer is turned on
- A virus that changes its structure to avoid detection
- A type of software that collects and reports information about a computer user without the user’s knowledge or consent
A Trojan horse is a program or command procedure that gives the appearance that it is useful but in fact contains hidden malicious code that causes damage. When the hidden code in a Trojan horse is activated, it performs some unwanted or harmful function. Often, viruses and worms attach themselves to other legitimate programs, becoming
QUESTION 13 : A virus that loads itself onto the target system’s memory, infects other files, and then unloads itself is called a:
- Direct-action virus
- Boot sector virus
- Network virus
- None of the above
Direct-action viruses load themselves onto the target system’s memory, infect other files, and then unload themselves.
QUESTION 14 : Which of the following statements about ransomware is TRUE?
- Ransomware is a classification of malware designed to simplify or automate online criminal activities.
- Ransomware is a program or command procedure that gives the appearance of being useful but in fact contains hidden malicious code that causes damage.
- Ransomware is a form of malware that locks a user’s operating system and restricts access to data files until a payment is made.
- Ransomware is a type of software that collects and reports information about a computer user without the user’s knowledge or consent.
Ransomware, as its name implies, is a form of malware that locks a user’s operating system and restricts access to data files until a ransom is paid. To intimidate Internet users into compliance, ransomware often employs a convincing professional interface, commonly emblazoned with police insignia or an official government logo. Messages sometimes consist of threatening accusations that the user has been caught viewing illegal videos, downloading pirated media, or otherwise accessing forbidden Internet content, with the only remedy being to pay a fine. Other forms are far more direct and make no effort to conceal their obvious attempts at extortion.
Spyware is a type of software that collects and reports information about a computer user without the user’s knowledge or consent.
A Trojan horse is a program or command procedure that gives the appearance of being useful but in fact contains hidden malicious code that causes damage. When the hidden code in a Trojan horse is activated, it performs some unwanted or harmful function. Often, viruses and worms attach themselves to other legitimate programs, becoming
Crimeware is not a type of malware but rather a classification of malware denoted by its intent to facilitate criminal behavior. Crimeware can be described as malware designed to simplify or automate online criminal activities, such as programs to fraudulently obtain financial gain from the affected user or other third parties.
QUESTION 15 : Which of the following types of malware can be used to generate illicit income in the form of cryptocurrency, while slowing down an infected computer and causing victims to incur costs related to power usage or cloud storage?
- Spyware
- Overwrite viruses
- Coin miners
- Keyloggers
Coin miners, or cryptojacking malware, are programs that, upon infecting a computer, use that computer’s processing power to mine for cryptocurrencies without the owner’s knowledge or consent. Many criminals who once used other malware and computer fraud methods for generating illicit income have shifted their focus to cryptojacking due to an increase in the value of numerous cryptocurrencies. Coin miners are relatively simple programs, so there is a low barrier of entry for cyber fraudsters. Cryptojacking can slow down infected devices due to the processing power required for cryptocurrency mining and potentially cause serious or permanent damage. Victims, including companies or corporate networks, can also incur exorbitant costs for power usage or cloud storage related to coin
QUESTION 16 : Which of the following is the term used to describe the method of gaining unauthorized access to a computer system in which attackers use an automated process to guess a system user’s passwords?
- Password logging
- Password cracking
- Password sniffing
- Password engineering
Password cracking is an automated process by which an attacker attempts to guess a system user’s most likely passwords.
QUESTION 17 : A fraudster uses the email account of a company’s president to impersonate the president and ask an employee to make a wire transfer. This can best be described as which of the following types of fraud schemes?
- Pharming
- Rock phishing
- Reverse social engineering
- Business email compromise
Business email compromise (BEC) is a form of spear phishing attack that directly targets executives or other high-ranking corporate employees who have the ability to make large payments. BEC schemes typically involve fraudulent emails that appear to be from the company’s own CEO or from the head of a foreign supplier that the company has done business with for years. The emails often instruct the employee to perform a time-sensitive wire transfer to ensure that the supply chain is not disturbed. Increasingly, these emails are paired with an insistent phone call from someone posing as the email sender or as the sender’s attorney.
Rock phishers use botnets to send massive amounts of phishing emails to huge volumes of Internet users. The emails contain a message from a financial institution, enticing users to click on a fraudulent URL.
Pharming is a type of attack in which a user is fooled into entering sensitive data (such as a password or credit card number) into a malicious website that imitates a legitimate website. It is different from phishing in that in pharming schemes, the attacker does not have to rely on having the user click on a link in an email or other message to direct him to the malicious website that is impersonating a legitimate website.
In most social engineering scams, the attacker approaches the computer user, pretending that he needs help; however, in reverse social engineering schemes, the attacker gets the user to make the contact. In these schemes, the attacker disguises himself as a technical assistant or someone from whom the user needs help (a need often created by the attacker through sabotage beforehand).
QUESTION 18 : Physical access controls refer to the process by which users are allowed access to computer programs, systems, and networks.
- True
- False
Physical access controls refer to the process by which users are allowed access to physical objects (e.g., buildings). In contrast, logical access controls are tools used to control access to computer information systems.
QUESTION 19 : All of the following are best practices for ensuring separation of duties within the information technology department and between information systems and business unit personnel EXCEPT:
- Program developers should not be responsible for testing programs.
- End users should not have access to production data outside the scope of their normal job duties.
- Only programmers should be server administrators.
- IT departments should not overlap with information user departments.
Separation of duties is a key element in a well-designed internal control system, and it is fundamental to data security. There are various options for achieving separation of duties in information security, and the options vary depending on department responsibilities. For example, some of the best practices for ensuring separation of duties within the information technology department and between information systems and business unit personnel are as
- Programmers should not have unsupervised access to production programs or have access to production data sets (data files).
- Information systems personnel’s access to production data should be limited.
- Application system users should only be granted access to those functions and data required for their job duties.
- Program developers should be separated from program testers.
- System users should not have direct access to program source code.
- Computer operators should not perform computer programming.
- Development staff should not have access to production data.
- Development staff should not access system-level technology or database management systems.
- End users should not have access to production data outside the scope of their normal job duties.
- End users or system operators should not have direct access to program source code.
- Programmers should not be server administrators or database administrators.
- IT departments should be separated from information user departments.
- Functions involving the creation, installation, and administration of software programs should be assigned to different individuals.
- Managers at all levels should review existing and planned processes and systems to ensure proper separation of duties.
- Employees’ access to documents should be limited to those that correspond with their related job tasks.
QUESTION 20 : Which of the following is the most accurate definition of a computer worm?
- Any software application in which advertising banners are displayed while a program is running
- A type of software that, while not definitely malicious, has a suspicious or potentially unwanted aspect to it
- A self-replicating computer program that penetrates operating systems to spread malicious code to other systems
- A program or command procedure that gives the appearance that it is useful but in fact contains hidden malicious code that causes damage
A computer worm is a malicious self-replicating computer program that penetrates operating systems to spread malicious code to other computers.
QUESTION 21 : Which of the following is the most accurate definition of a software keylogger?
- A self-replicating computer program that penetrates operating systems to spread malicious code to other systems
- A program or command procedure that gives the appearance that it is useful but in fact contains hidden malicious code that causes damage
- A type of program that monitors and logs the keys pressed on a system’s keyboard
- A type of software that, while not definitely malicious, has a suspicious or potentially unwanted aspect to it
Keyloggers monitor and log (or track) the keys pressed on a system’s keyboard, and they can be either software or hardware based. Accordingly, some keyloggers are malware, but others are not.
QUESTION 22 : Which of the following is NOT an example of a business email compromise scheme?
- Fraudsters posing as a company’s foreign supplier send an email to the company and request that funds be transferred to an alternate account controlled by the fraudsters.
- Fraudsters use botnets to send massive amounts of emails for the purpose of enticing users to click on a fraudulent URL.
- Fraudsters use the compromised email account of a high-level executive to request employees’ tax information or other personally identifiable information from the person responsible for maintaining such information.
- Fraudsters use the compromised email account of a high-level executive to pose as the executive and ask an employee to transfer funds to the fraudsters’ account.
Business email compromise (BEC) is a form of spear phishing attack that directly targets executives or other high-ranking corporate employees who have the ability to make large payments. BEC schemes typically involve fraudulent emails that appear to be from the company’s own CEO or from the head of a foreign supplier that the company has done business with for years. The emails often instruct the employee to perform a time-sensitive wire transfer to ensure that the supply chain is not disturbed. Increasingly, these emails are paired with an insistent phone call from someone posing as the email sender or as the sender’s attorney. Although these schemes can take numerous forms, the FBI has identified five common scenarios for BEC schemes:
- Business working with a foreign supplier: Fraudsters posing as a company’s foreign supplier send an email to the company and request that funds be transferred to an alternate account controlled by the fraudsters.
- Business executive requesting a wire transfer: Fraudsters use the compromised email account of a high-level executive to pose as the executive and ask an employee to transfer funds to the fraudsters’ account.
- Vendors receiving fraudulent request for payment: Fraudsters use an employee’s compromised email account to identify the company’s vendors and ask them to transfer funds to the fraudsters’ account.
- Attorney impersonation: Fraudsters posing as the company’s attorney contact an employee and request a transfer of funds to the fraudsters’ account, often insisting that the employee act quickly and secretly.
- Data theft: Fraudsters use the compromised email account of a high-level executive to request employees’ tax information or other personally identifiable information from the person responsible for maintaining such information (e.g., human resources personnel). This stolen data may then be used to commit one of the BEC schemes described
Rock phishers use botnets to send massive amounts of phishing emails to huge volumes of Internet users. The emails contain a message from a financial institution, enticing users to click on a fraudulent URL.
QUESTION 23 : Pharming differs from phishing in that in a pharming scheme:
- The attacker delivers the solicitation message via SMS (the protocol used to transmit text messages via mobile devices) instead of email.
- The attacker has to rely on having the user click on a link in an email or other message to direct him to the malicious website that is imitating a legitimate website.
- The attacker delivers the solicitation message via telephones using Voice over Internet Protocol (VoIP) instead of email.
- The attacker does not have to rely on having the user click on a link in an email or other message to direct him to the malicious website that is imitating a legitimate website.
Pharming is an attack in which a user is fooled into entering sensitive data (such as a password or credit card number) into a malicious website that imitates a legitimate website. It is different from phishing in that the attacker in a pharming scheme does not have to rely on having the user click on a link in an email or other message to direct
QUESTION 24 : Which of the following is a technical or administrative control for securing computer systems and communication networks?
- Encrypting sensitive data files
- Installing network security defenses
- Installing operating system security
- All of the above
Computer networks and communications are inherently insecure and vulnerable to attack and disruption. Consequently, management must use technical and administrative controls to protect systems against threats like unauthorized use, disclosure, modification, destruction, or denial of service. Technical security involves the use of safeguards incorporated in computer hardware, operations or applications software, communications hardware and software, and related devices. Administrative security involves the use of tools to provide an acceptable level of
Common technical and administrative controls used to secure computer systems and communication networks include:
- Logical access controls
- Network security
- Operating system security
- Encryption
- Application security
- Separation of duties
QUESTION 25 : Which of the following is a method that can be used to destroy or manipulate data?
- Transmitting data to an outside destination without authorization
- Using malware to infect computers
- Wire tapping into a computer’s communication links
- All of the above
Data manipulation refers to the use or manipulation of a computer to perpetrate a crime, and data destruction involves the unauthorized modification, suppression, or erasure of computer data or computer functions, with the intent to alter or hinder the normal functions of the targeted system. Data manipulation and destruction involves either direct or covert unauthorized access to a computer system by the introduction of malicious software such as viruses, worms, or logic bombs. Some of the methods used to destroy and manipulate data include:
- Using malware to infect computers
- Using the salami technique to steal a substantial amount of money by “slicing” off “thin” amounts of cash repeatedly over time
- Entering false or misleading information into a system to achieve a specific fraudulent purpose
- Transmitting data to an outside destination without authorization
- Wire tapping into a computer’s communication links
- Launching a buffer overflow attack
- Exploiting a vulnerability in an operating system or software application to gain access that is beyond the user’s authorized access level
QUESTION 26 : All of the following are options for authenticating users in information systems EXCEPT:
- Encryption
- Card-based systems
- Profiling software
- Biometrics
Logical access controls are tools used for identification, authentication, and authorization in computer information systems. All of the following are options for authenticating users in information systems:
- Passwords
- Card-based systems
- Biometrics
- Profiling software
Encryption is the process whereby information is taken and scrambled so that it is unreadable by anyone who does not have the decryption code.
QUESTION 27 : Which of the following is a technical or administrative control for securing computer systems and communication networks?
- Using an intrusion admission system
- Implementing privilege escalation
- Implementing logical access controls
- Installing a network address prevention system
Computer networks and communications are inherently insecure and vulnerable to attack and disruption. Consequently, management must use technical and administrative controls to protect systems against threats like unauthorized use, disclosure, modification, destruction, or denial of service. Technical security involves the use of safeguards incorporated in computer hardware, operations or applications software, communications hardware and software, and related devices. Administrative security involves the use of tools to provide an acceptable level of
Common technical and administrative controls used to secure computer systems and communication networks include:
- Logical access controls
- Network security
- Operating system security
- Encryption
- Application security
- Separation of duties
Privilege escalation is not a control, but it is in fact a way that hackers gain unauthorized access to a computer system.
QUESTION 28 : Non-repudiation refers to a method used to guarantee that parties involved in an e-commerce transaction cannot deny their participation in it.
- True
- False
Non-repudiation refers to a method used to guarantee that the parties involved in an e-commerce transaction cannot repudiate (deny) participation in that transaction. In e-commerce, non-repudiation is obtained through the use of digital signatures, confirmation services, and timestamps.
QUESTION 29 : Which of the following is an example of the piggybacking method used to gain access to restricted areas?
- Following behind an individual who has been cleared for access into a restricted area
- Pretending to be a member of a large crowd of people authorized to enter a restricted area
- Taking advantage of a legitimate computer user’s active session when the user attends to other business while still logged on
- All of the above
Piggybacking is a method used to gain access to restricted areas, including computer systems, in which the attacker exploits another person’s access capability. Unlike most other methods of attack, piggybacking can be done to gain physical or electronic access. Physical access via piggybacking involves gaining access to an area that is secured by locked doors, and it occurs when an attacker exploits a false association with another person who has legitimate access to the area. Examples of piggybacking to gain physical access into a restricted area would include:
- Following behind an individual who has been cleared for access into the restricted area
- Tricking an authorized individual into believing the piggybacker is authorized and convincing the individual to agree to allow the piggybacker to tag along into the restricted area
- Surreptitiously following behind an individual who has been cleared for access into a restricted area, giving the appearance of being legitimately escorted
- Pretending to be a member of a large crowd of people authorized to enter a restricted area
Electronic piggybacking occurs when an attacker gains access to an electronic system by exploiting the access capability of another person with legitimate access. One type of electronic piggybacking occurs when the attacker takes advantage of a legitimate computer user’s active session when the user did not properly terminate the session, the user’s logoff is unsuccessful, or the user attends to other business while still logged on.
QUESTION 30 : All of the following can help prevent a computer from being infected by malicious software EXCEPT:
- Updating the operating system regularly
- Installing shareware into a system’s root directory
- Using anti-malware software
- Updating with the latest security patches
Installing shareware into a system’s root directory is not a preventive measure; shareware files are a common carrier of malware, and untested software should first be tried on an isolated system. The following measures can help avoid infection from a malicious program:
- Use anti-malware software to scan all incoming email messages and files.
- Regularly update virus definitions in anti-malware programs.
- Use precaution when opening emails from acquaintances.
- Do not open email attachments unless they are from trusted sources.
- Only download files from reputable sources.
- Regularly update the operating system.
- Regularly update the computer with the latest security patches available for the operating system, software, browser, and email programs.
- Ensure that there is a clean boot disk to facilitate testing with antivirus software.
- Use a firewall and keep it turned on.
- Consider testing all computer software on an isolated system before loading it.
- In a network environment, do not place untested programs on the server.
- Secure the computer against unauthorized access from external threats such as hackers.
- Keep backup copies of production data files and computer software in a secure location.
- Scan pre-formatted storage devices before using them.
- Consider preventing the system from booting with a removable storage device; this might prevent accidental infection.
- Establish corporate policies and an employee education program to inform employees of how malware is introduced and what to do if malware is suspected.
- Encourage employees to protect their home systems as well. Many malware infections result from employees bringing infected storage devices or files from home.
QUESTION 31 : Which of the following is an accurate definition of SMiShing?
- Stealing private financial data through the use of voice mail
- Stealing data from payroll accounts through the use of computers
- Obtaining sensitive data by impersonating a government official
- Obtaining sensitive data through the use of short message services
SMiShing is a hybrid of phishing and short message service (text messaging). These schemes use text messages or other short message systems to conduct phishing activities. That is, in SMiShing schemes, the attacker uses text messages or other short message systems to dupe an individual or business into providing sensitive data by falsely claiming to be from an actual business, bank, ISP, or other entity with which the target does business.
QUESTION 32 : Password cracking is a method that attackers use to gain unauthorized access to a computer system by bypassing password security through the use of undocumented system functions.
- True
- False
False. Password cracking is an automated process by which an attacker attempts to guess a system user’s most likely passwords, for example by trying dictionary words and common variations of them against a captured password hash or a login prompt. Bypassing password security through undocumented system functions describes a back door (trap door), not password cracking.
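A dictionary attack with simple mangling rules is the most common form of the guessing described above. The block below is an added example, not code from the original page: the "leaked" records, the four-word wordlist, and the storage format (hex SHA-256 of salt concatenated with the password) are constructed assumptions used to keep it self-contained.

```python
"""Dictionary attack with mangling rules against leaked password hashes.

Added example, not from the original page. The hash scheme and the records
below are assumptions; a real dump would be larger and the wordlist would
run to millions of entries.
"""
import hashlib


def hash_pw(salt: str, password: str) -> str:
    # Assumed storage format: hex(SHA-256(salt || password)).
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed records of the kind an attacker obtains from a database dump.
LEAKED = [
    ("alice", "x9q1", hash_pw("x9q1", "Password1")),
    ("bob",   "m4k2", hash_pw("m4k2", "summer2023")),
    ("carol", "p7z8", hash_pw("p7z8", "V#r9!kQ2wL$0tB")),
]

# Constructed wordlist of likely base words.
WORDLIST = ["password", "summer", "letmein", "qwerty"]

# Mangling suffixes: single digits, recent years, and a trailing "!".
SUFFIXES = [str(n) for n in range(10)] + ["2022", "2023", "2024", "!"]


def candidates(word):
    """Yield the 'most likely' variants of a base word."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def crack(records, wordlist):
    """Return {user: password} for every record the wordlist matches.

    The per-user salt stops one guess from being compared against all users
    at once, but it does nothing against a weak password: each record is
    simply attacked on its own.
    """
    cracked = {}
    for user, salt, digest in records:
        for word in wordlist:
            hit = next((g for g in candidates(word) if hash_pw(salt, g) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


if __name__ == "__main__":
    print(crack(LEAKED, WORDLIST))
```

Two practitioner notes: against an offline hash dump the defence is a slow, memory-hard password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) so that each guess costs far more than one SHA-256; against online guessing at a login prompt the defence is account lockout or rate limiting, which is why the exam answer stresses "most likely passwords" rather than exhaustive search.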
QUESTION 33 : Which of the following is the most accurate description of logical access?
- The process by which computer systems’ contents are encrypted
- The process by which users are allowed to access and use physical objects
- The process by which users can bypass application security over the software and libraries
- The process by which users are allowed to use computer systems and networks
Logical access refers to the process by which users are allowed to use computer systems and networks, and logical access control refers to the process by which users are identified and granted specific privileges to information, systems, or resources. These controls are designed to protect the confidentiality, integrity, and availability of those resources: they verify a person’s identity and privileges before granting the person logical access to information or other online resources.
QUESTION 34 : The primary purpose of physical access controls is to prevent unauthorized access to computer software.
- True
- False
False. Physical access controls refer to the process by which users are allowed access to physical objects (e.g., buildings); their primary purpose is to protect facilities and equipment, not software. In contrast, logical access controls are the tools used to control access to computer information systems.
QUESTION 35 : Which of the following statements is TRUE regarding e-commerce?
- Digital signatures function to authenticate e-commerce transactions
- E-commerce entities must make sure that they can determine with whom they (or their computers) are communicating
- In e-commerce transactions, non-repudiation is obtained through confirmation services and timestamps
- All of the above
Authentication refers to verifying a customer’s identity. E-commerce entities must make sure that they can determine with whom they (or their computers) are communicating, and digital signatures function to authenticate e-commerce transactions. Non-repudiation refers to a method used to guarantee that the parties involved in an e-commerce transaction cannot repudiate (deny) participation in that transaction; in e-commerce, non-repudiation is obtained through the use of digital signatures, confirmation services, and timestamps. All three statements are true.
QUESTION 36 : Matthew receives a voice mail message telling him that his credit card might have been used fraudulently. He is asked to call a phone number. When he calls the number, he hears a menu and a list of choices that closely resembles those used by his credit card company. The phone number even appears to be similar to that of his card issuer. Of which of the following types of schemes has Matthew become the target?
- Pharming
- SMiShing or tishing
- Spear phishing
- Vishing
Vishing, or voice phishing, is the act of using the telephone system, typically over Voice over Internet Protocol (VoIP), to falsely claim to be a legitimate enterprise in an attempt to scam users (both consumers and businesses) into disclosing personal information. Government and financial institutions, as well as online auctions and their payment services, are commonly impersonated. A vishing scheme is generally delivered as an incoming recorded telephone message with a spoofed (fraudulent) caller ID matching the identity of the misrepresented organization. The message uses an urgent pretext to direct unsuspecting users to another telephone number, where the victim is invited to enter personal information on the telephone keypad; the criminals capture the key tones and convert them back to numerical format. Matthew’s voice mail, the look-alike menu, and the similar phone number are all hallmarks of vishing.
QUESTION 37 : Which of the following is the most accurate definition of spyware?
- A program or command procedure that gives the appearance that it is useful but in fact contains hidden malicious code that causes damage
- A type of software that collects and reports information about a computer user without the user’s knowledge or consent
- A self-replicating computer program that penetrates operating systems to spread malicious code to other systems
- Any software application in which advertising banners are displayed while a program is running
Spyware is a type of software that collects and reports information about a computer user without the user’s knowledge or consent.
QUESTION 38 : Which of the following best describes social engineering?
- A method for gaining unauthorized access to a computer system in which an attacker hides near the target to obtain sensitive information that he can use to facilitate his intended scheme
- A method for gaining unauthorized access to a computer system in which an attacker bypasses a system’s security through the use of an undocumented operating system and network functions
- A method for gaining unauthorized access to a computer system in which an attacker deceives victims into disclosing personal information or convinces them to commit acts that facilitate the attacker’s intended scheme
- A method for gaining unauthorized access to a computer system in which an attacker searches through large quantities of available data to find sensitive information that he can use to facilitate his intended scheme
Social engineering is a method for gaining unauthorized access to a computer system in which the attacker deceives victims into disclosing personal information or convinces them to commit acts that facilitate the attacker’s intended scheme.
QUESTION 39 : Which of the following are information security goals that an e-commerce system should endeavor to meet for its users and asset holders?
- I. Penetrability of data
- II. Materiality of data
- III. Integrity of data
- IV. Availability of data
- I, II, and III only
- I, II, III, and IV
- II and III only
- III and IV only
Integrity of data and availability of data are information security goals, alongside confidentiality, authentication, and non-repudiation. Penetrability and materiality are not information security goals, so the correct answer is III and IV only.
QUESTION 40 : Which of the following is NOT a common carrier of malware?
- Freeware and shareware files
- Email attachments
- Dual in-line memory modules
- Files downloaded from the Internet
Malware can infect computer systems from many sources; a dual in-line memory module is hardware and is not among them. Some of the more common carriers of malware include:
- Unknown or unchecked application software
- Infected websites
- Banner ads
- Software or media that employees bring to work
- Files downloaded from the Internet
- Infected software from vendors and suppliers
- Uncontrolled and shared program applications
- Demonstration software
- Freeware and shareware files
- Email attachments
QUESTION 41 : To ensure separation of duties within the information technology department and between information systems and business unit personnel, computer operators should be responsible for performing computer programming.
- True
- False
False. Separation of duties is a key element in a well-designed internal control system, and it is fundamental to data security. There are various options for achieving separation of duties in information security, and the options vary depending on department responsibilities. For example, some of the best practices for ensuring separation of duties within the information technology department and between information systems and business unit personnel are as follows:
- Programmers should not have unsupervised access to production programs or have access to production data sets (data files).
- Information systems personnel’s access to production data should be limited.
- Application system users should only be granted access to those functions and data required for their job duties.
- Program developers should be separated from program testers.
- System users should not have direct access to program source code.
- Computer operators should not perform computer programming.
- Development staff should not have access to production data.
- Development staff should not access system-level technology or database management systems.
- End users should not have access to production data outside the scope of their normal job duties.
- End users or system operators should not have direct access to program source code.
- Programmers should not be server administrators or database administrators.
- IT departments should be separated from information user departments.
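Both the logical access control described under Question 33 (identify the user, then grant only the privileges assigned) and the separation-of-duties rules above reduce to checks over a role model. The block below is an added example, not code from the original page; the roles, permissions, user assignments and conflicting-role pairs are constructed to mirror the rules listed above, and the user names are illustrative.

```python
"""Deny-by-default role-based authorization plus a separation-of-duties
check over role assignments.

Added example, not from the original page. Roles, permissions, users and
conflict pairs are constructed for illustration.
"""
from itertools import combinations

# Role -> permissions. A permission granted by no role is unreachable.
ROLE_PERMISSIONS = {
    "programmer": {"read:source", "write:source", "write:dev_data"},
    "tester":     {"read:source", "run:test_suite"},
    "operator":   {"run:production_jobs", "read:production_logs"},
    "dba":        {"admin:database"},
    "end_user":   {"read:production_data", "write:production_data"},
}

# Role pairs one person must not hold at once (taken from the list above).
CONFLICTS = {
    frozenset({"programmer", "operator"}),   # operators do not program
    frozenset({"programmer", "tester"}),     # developers separated from testers
    frozenset({"programmer", "dba"}),        # programmers are not DBAs
}

# Constructed assignments; "frank" and "ivy" are deliberately in violation.
USER_ROLES = {
    "dave":  {"programmer"},
    "erin":  {"operator"},
    "frank": {"programmer", "operator"},
    "gina":  {"tester"},
    "ivy":   {"programmer", "tester"},
}


def effective_permissions(user, user_roles=USER_ROLES):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user, permission, user_roles=USER_ROLES):
    """Deny by default: an unknown user, an unknown role, or a permission
    no held role grants all yield False."""
    return permission in effective_permissions(user, user_roles)


def sod_violations(user_roles=USER_ROLES):
    """Return (user, role_a, role_b) for every conflicting pair a user holds."""
    found = []
    for user, roles in sorted(user_roles.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset((a, b)) in CONFLICTS:
                found.append((user, a, b))
    return found


if __name__ == "__main__":
    print(is_authorized("dave", "write:source"))          # True
    print(is_authorized("dave", "read:production_data"))  # False: no production data for programmers
    print(sod_violations())
```

The authorization check answers the Question 33 definition (who is this user and what may they do), while the violation scan is the periodic review an auditor would run against the assignment table; note that the programmer role carries no production-data permission at all, so the "development staff should not have access to production data" rule is enforced by the role definitions rather than by a separate check.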
QUESTION 42 : Which of the following refers to the type of network security systems that are designed to supplement firewalls and other forms of network security by detecting malicious activity coming across the network or on a host?
- Network access controls
- Intrusion detection systems
- Network address prevention systems
- Intrusion admission systems
An intrusion detection system (IDS) is a device or software application that monitors an organization’s inbound and outbound network activity and identifies suspicious patterns that might indicate a network or system attack or a security policy violation. These systems are designed to supplement firewalls and other forms of network security by detecting malicious activity coming across the network or occurring on a host. They act much like a motion sensor, catching individuals who have already bypassed perimeter security.
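The "suspicious patterns" an IDS looks for are concrete rules run over traffic or logs. The block below is an added example, not code from the original page or any IDS product: it applies two simple rules (a port scan and a password-guessing burst) to a constructed connection log. The log format (timestamp, source, destination, destination port, outcome) and the thresholds are assumptions; a real IDS such as Snort or Suricata works on packets or flows with far richer rule languages.

```python
"""Signature-style detection over a constructed connection log.

Added example, not from the original page. Format and thresholds are
assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = 10                        # distinct ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)    # ... within this window => port scan
BRUTE_FAILS = 5                        # auth failures to one service ...
BRUTE_WINDOW = timedelta(seconds=120)  # ... within this window => brute force

# Constructed sample: a benign client, a port scanner, and a password guesser.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 203.0.113.5 10.0.0.8 443 ok",
    "2024-05-01T10:00:05 203.0.113.5 10.0.0.8 443 ok",
    "2024-05-01T10:00:30 203.0.113.5 10.0.0.8 80 ok",
] + [
    f"2024-05-01T10:01:{s:02d} 198.51.100.7 10.0.0.8 {port} refused"
    for s, port in enumerate(range(20, 35))      # 15 ports in 15 seconds
] + [
    f"2024-05-01T10:02:{10 * i:02d} 192.0.2.9 10.0.0.8 22 auth_fail"
    for i in range(6)                            # 6 failures in 50 seconds
] + ["2024-05-01T10:03:00 192.0.2.9 10.0.0.8 22 ok"]   # ... then success


def parse(line):
    ts, src, dst, dport, outcome = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), outcome


def detect(lines):
    """Return a set of (rule, source) alerts for the given log lines."""
    events = sorted(parse(line) for line in lines)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = set()
    for src, evs in by_src.items():
        for i, (ts, _, dst, port, _) in enumerate(evs):
            seen = evs[: i + 1]                      # events up to this one
            scan = [e for e in seen if e[0] >= ts - SCAN_WINDOW]
            if len({e[3] for e in scan}) >= SCAN_PORTS:
                alerts.add(("port_scan", src))
            fails = [e for e in seen
                     if e[0] >= ts - BRUTE_WINDOW
                     and e[4] == "auth_fail" and (e[2], e[3]) == (dst, port)]
            if len(fails) >= BRUTE_FAILS:
                alerts.add(("brute_force", src))
    return alerts


if __name__ == "__main__":
    for rule, src in sorted(detect(SAMPLE_LOG)):
        print(f"ALERT {rule}: {src}")
```

The guesser's final successful login is exactly the case a firewall cannot flag (the connection is allowed) but an IDS can, because the detection is about the pattern preceding it; tuning the thresholds and windows against your own baseline traffic is what keeps such rules from drowning analysts in false positives.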
QUESTION 43 : Which of the following are considered red flags of insider computer fraud?
- I. Access privileges limited to those required to perform assigned tasks
- II. Access logs are not reviewed
- III. Production programs are run during normal business hours
- IV. Exception reports are not reviewed and resolved
- I and III only
- III and IV only
- I, II, III, and IV
- II and IV only
Unreviewed access logs and unresolved exception reports are red flags because they mean misuse would go unnoticed. Limiting access privileges to what a job requires is a control, not a red flag, and running production programs during normal business hours is expected behavior; it is production programs run at unusual hours that should raise suspicion. The correct answer is II and IV only.
QUESTION 44 : Rock phishing is a type of phishing scheme that uses text messages or other short message systems to dupe an individual or business into providing sensitive data by falsely claiming to be from an actual business, bank, ISP, or other entity with which the target does business.
- True
- False
False. The statement describes SMiShing, not rock phishing. SMiShing is a hybrid of phishing and short message service (text messaging). These schemes use text messages or other short message systems to conduct phishing activities. That is, in SMiShing schemes, the attacker uses text messages or other short message systems to dupe an individual or business into providing sensitive data by falsely claiming to be from an actual business, bank, ISP, or other entity with which the target does business. Rock phishers, by contrast, use botnets to send massive amounts of phishing emails to huge volumes of Internet users. The emails contain a message from a financial institution, enticing users to click on a fraudulent URL.
QUESTION 45 : The emerging environment of everyday objects that use embedded sensors to collect and transmit data through the Internet is best known as:
- The Emerging Technology Domain
- The Deep Web
- The Smart Technology Network
- The Internet of Things
The Internet of Things (IoT) is the emerging environment of everyday objects that use embedded sensors to collect and transmit data through the Internet. Examples of useful IoT applications include wearable fitness devices, home automation products, and smart parking systems. Unfortunately, the development of IoT technology tends to focus on innovative design rather than privacy or security: IoT devices commonly connect to networks using inadequate security and can be impractical to update. This is a concern because as the number of potentially vulnerable smart products increases, so too do the opportunities for fraudsters seeking alternate ways into otherwise secure networks. Furthermore, IoT devices often record huge volumes of sensitive data and personal information that must be protected from misuse.
QUESTION 46 : Which of the following is a measure that management can take to prevent an organization’s computers from being infected by malicious software?
- Require that users reuse passwords for important accounts.
- Prevent employees from opening any emails with attachments.
- Only allow systems to boot with removable storage devices.
- Regularly update the organization’s operating systems.
Regularly updating the organization’s operating systems is one of the standard anti-malware measures (the full list of measures appears under Question 30). The other options are the opposite of good practice: reusing passwords lets one compromised account expose others; forbidding every email with an attachment is unworkable, and the actual guidance is to open attachments only from trusted sources; and booting only from removable storage devices invites infection, whereas the recommendation is to consider preventing booting from removable media altogether.