Management Information Systems, Cdn. 6e (Laudon et al.)
Chapter 8 Securing Information Systems

1) The potential for unauthorized access is usually limited to the communications lines of a network.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 247
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

2) Large public networks, such as the Internet, are less vulnerable than internal networks because they
are virtually open to anyone.
Answer: FALSE
Diff: 2 Type: TF Page Ref: v
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

3) Malicious software programs are referred to as badware and include a variety of threats, such as
computer viruses, worms, and Trojan horses.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 249
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

4) A computer bacteria is a rogue software program that attaches itself to other software programs or
data files in order to be executed, usually without user knowledge or permission.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 249
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

5) Web 2.0 applications, such as blogs, wikis, and social networking sites such as Facebook and
MySpace, are not conduits for malware or spyware.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 250
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

6) A Trojan horse is a software program that appears threatening but is really benign.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 250
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

1
2013 Pearson Canada Inc.
7) Keyloggers record every keystroke made on a computer to steal serial numbers for software, to
launch Internet attacks, to gain access to e-mail accounts, to obtain passwords to protected computer
systems, or to pick up personal information such as credit card numbers.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

8) A hacker is an individual who intends to gain unauthorized access to a computer system.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

9) The term "cracker" is typically used to denote a hacker with criminal intent.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

10) The term "cybervandalism" is the intentional disruption, defacement, or even destruction of a Web
site or corporate information system.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

11) Computer crime is defined as "any criminal activity involving the copy of, use of, removal of,
interference with, access to, manipulation of computer systems, and/or their related functions, data or
programs."
Answer: TRUE
Diff: 2 Type: TF Page Ref: 252
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

12) Identity theft is a crime in which an imposter obtains key pieces of personal information, such as
social insurance numbers, driver's licence numbers, or credit card numbers, to impersonate someone
else.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 253
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

13) Pharming redirects users to a bogus Web page, even when the individual types the correct Web page
address into his or her browser.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 253
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

14) One increasingly popular tactic is a form of spoofing called phishing.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 253
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

15) Social Bookmarking is tricking people into revealing their passwords or other information by
pretending to be legitimate users or members of a company in need of information.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 254
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

16) Software errors pose no threat to information systems, even though they could cause untold losses in productivity.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 255
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

17) Many firms spend heavily on security because it is directly related to sales revenue.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 257
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.2 Business Value of Security And Control

18) Computer forensics is the scientific collection, examination, authentication, preservation, and
analysis of data held on or retrieved from computer storage media in such a way that the information can
be used as evidence in a court of law.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 258
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.2 Business Value of Security And Control

19) General controls govern the design, security, and use of computer programs and the security of data
files throughout the organization's IT infrastructure.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 258
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

20) Application controls are specific controls unique to each computerized application, such as payroll
or order processing.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 259
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

21) Output controls check data for accuracy and completeness when they enter the system.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 259
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

22) A risk audit includes statements ranking information risks, identifying acceptable security goals, and
identifying the mechanisms for achieving these goals.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 259
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

23) Disaster recovery planning devises plans for the restoration of computing and communications
services before they have been disrupted.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 262
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

24) An MIS audit examines the firm's overall security environment as well as controls governing
individual information systems.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 262
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

25) Authentication refers to the ability to know that a person is who he or she claims to be.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 263
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

27) A firewall is a combination of hardware and software that controls the flow of incoming and
outgoing network traffic.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 264
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

28) Computers using cable modems to connect to the Internet are more open to penetration than those
connecting via dial-up.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 248
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

29) Wireless networks are vulnerable to penetration because radio frequency bands are easy to scan.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 248
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

30) The range of Wi-Fi networks can be extended up to two miles by using external antennae.
Answer: FALSE
Diff: 3 Type: TF Page Ref: 248
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

31) The WEP specification calls for an access point and its users to share the same 40-bit encrypted
password.
Answer: TRUE
Diff: 3 Type: TF Page Ref: 248
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

32) Viruses can be spread through e-mail.
Answer: TRUE
Diff: 1 Type: TF Page Ref: 249
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

33) Computer worms spread much more rapidly than computer viruses.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 249
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

34) One form of spoofing involves forging the return address on an e-mail so that the e-mail message
appears to come from someone other than the sender.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

35) Sniffers enable hackers to steal proprietary information from anywhere on a network, including e-
mail messages, company files, and confidential reports.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

36) DoS attacks are used to destroy information and access restricted areas of a company's information
system.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 252
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

37) Zero defects cannot be achieved in larger software programs because fully testing programs that
contain thousands of choices and millions of paths would require thousands of years.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 255
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

38) An acceptable use policy defines the acceptable level of access to information assets for different
users.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 260
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

39) Biometric authentication is the use of physical characteristics such as retinal images to provide
identification.
Answer: FALSE
Diff: 1 Type: TF Page Ref: 264
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

40) Packet filtering catches most types of network attacks.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 264
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources
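Worked example for question 40 (added here; it is not code from the textbook or the test bank). A packet filter decides from header fields alone: source address, protocol, destination port. The block below evaluates a constructed rule set, top-down with first match winning, over four constructed packets. It denies a telnet probe and a scan from a blocked source range, but it passes a web request that carries an injection string, because the payload is never examined. The addresses come from the RFC 5737 documentation ranges; the rule set and the packet labels are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    label: str        # human-readable name, used only to report results
    src_ip: str
    protocol: str     # "tcp" or "udp"
    dst_port: int
    payload: bytes    # present, but a packet filter never looks at it


# Constructed rule set (an assumption of this example, not a real deployment).
# Rules are evaluated top-down; the first rule whose fields all match decides.
# A field that is absent from a rule matches anything.
RULES = [
    {"src_net": "198.51.100.0/24", "action": "deny"},         # blocked source range
    {"protocol": "tcp", "dst_port": 80, "action": "allow"},   # web server
    {"protocol": "tcp", "dst_port": 443, "action": "allow"},  # web server (TLS)
    {"protocol": "tcp", "dst_port": 25, "action": "allow"},   # inbound mail
    {"action": "deny"},                                       # default deny
]


def matches(rule, packet):
    """True when every field present in the rule matches the packet header."""
    if "src_net" in rule:
        if ipaddress.ip_address(packet.src_ip) not in ipaddress.ip_network(rule["src_net"]):
            return False
    if "protocol" in rule and rule["protocol"] != packet.protocol:
        return False
    if "dst_port" in rule and rule["dst_port"] != packet.dst_port:
        return False
    return True


def filter_packet(packet, rules=RULES):
    """Return "allow" or "deny" for one packet; deny if no rule matches."""
    for rule in rules:
        if matches(rule, packet):
            return rule["action"]
    return "deny"


# Constructed sample traffic (not captured data).
SAMPLE_TRAFFIC = [
    Packet("telnet probe", "203.0.113.7", "tcp", 23, b""),
    Packet("scan from blocked range", "198.51.100.9", "tcp", 80, b"GET / HTTP/1.1\r\n"),
    Packet("normal web request", "203.0.113.7", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    # Same headers as a normal request, so header-only filtering lets it through.
    Packet("web request carrying injection", "203.0.113.7", "tcp", 80,
           b"GET /login?user=admin'--&pw=x HTTP/1.1\r\n"),
]


def run_filter(packets=SAMPLE_TRAFFIC, rules=RULES):
    """Map each packet label to the filter's decision."""
    return {p.label: filter_packet(p, rules) for p in packets}


if __name__ == "__main__":
    for label, action in run_filter().items():
        print(f"{action:5s}  {label}")
```

The last packet is the point of the question: a packet filter can only say that port 80 traffic is allowed. Catching what the request does requires application proxy filtering or an intrusion detection system that reads the payload.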

41) NAT conceals the IP addresses of the organization's internal host computers to deter sniffer
programs.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 265
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

42) SSL is a protocol used to establish a secure connection between two computers.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 266
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

43) Public key encryption uses two keys.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 267
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

44) Fault-tolerant computers contain redundant hardware, software, and power supply components.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 268
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

45) High-availability computing is also referred to as fault tolerance.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 268
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

46) Domestic or offshore partnering with another company adds to system vulnerability if valuable
information resides on networks and computers outside the organization's control.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 247
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

47) Smartphones share the same security weaknesses as other Internet devices and are vulnerable to
malicious software and penetration from outsiders.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 247
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

48) Popular IM applications for consumers do not use a secure layer for text messages, so they can be
intercepted and read by outsiders during transmission over the public Internet.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 248
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

49) Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an
address to access the resources of a network without authorization.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 249
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

50) The Conficker worm uses flaws in Windows software to take over machines and link them into a
virtual computer that can be commanded remotely.
Answer: TRUE
Diff: 2 Type: TF Page Ref: 250
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

51) The Melissa worm affected millions of computers worldwide, disrupting British Airways flight
check-ins, operations of British Coast Guard stations, Hong Kong hospitals, Taiwan post office
branches, and Australia's Westpac Bank.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 250
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

52) The Sasser.ftp worm was a Word macro script that mailed an infected Word file to the first 50 entries
in a user's Microsoft Outlook address book. It infected 15 to 29 percent of all business PCs, causing $300
million to $600 million in damage.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 250
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

53) The Cornflicker worm was first identified in January 2007. It spreads via e-mail spam with a fake
attachment and infected up to 10 million computers, causing them to join its zombie network of computers
engaged in criminal activity.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 250
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

54) FLQ injection attacks are the largest malware threat; they take advantage of vulnerabilities in
poorly coded Web application software to introduce malicious program code into a company's systems
and networks.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 251
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse
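Worked example for question 54 (added here; it is not code from the textbook or the test bank). The coding flaw behind SQL injection is that user input is spliced into the SQL text, so the input can become part of the query's syntax instead of staying data. The block below builds a constructed in-memory SQLite table, shows a deliberately vulnerable login query next to its parameterized form, and runs the classic tautology payload against both. The table, the account names and the plaintext passwords are assumptions of the example (real systems store password hashes; the point here is only the query construction).

```python
import sqlite3

# Constructed sample accounts for the demonstration (not from the textbook).
SAMPLE_USERS = [
    ("alice", "correct horse", "accounting"),
    ("bob", "hunter2", "sales"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, department TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: the input is concatenated into the SQL text.

    Returns the sorted usernames the query matched; a non-empty list means the
    application would treat the caller as logged in."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """Hardened form: placeholders bind the input as values, never as SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    """Run an honest login and an injection attempt against both query styles."""
    conn = make_db()
    # Tautology payload: in the vulnerable query the WHERE clause becomes
    #   username = 'alice' AND password = '' OR '1'='1'
    # which is true for every row, so the password check is bypassed.
    payload = "' OR '1'='1"
    results = {
        "vulnerable_honest": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_attack": login_vulnerable(conn, "alice", payload),
        "hardened_honest": login_parameterized(conn, "alice", "correct horse"),
        "hardened_attack": login_parameterized(conn, "alice", payload),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:18s} -> {matched}")
```

The vulnerable query returns every account for the payload; the parameterized query returns nothing, because the quote characters are compared as part of the password value rather than parsed as SQL.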

55) Businesses must protect only their own information assets but not those of customers, employees,
and business partners.
Answer: FALSE
Diff: 2 Type: TF Page Ref: 251
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

56) ________ is/are methods, policies, and organizational procedures ensuring the safety of the
organization's assets, the accuracy and reliability of its records, and operational adherence to
management standards.
A) "Security"
B) "Controls"
C) "Benchmarking"
D) "Algorithms"
Answer: B
Diff: 2 Type: MC Page Ref: 246
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

57) John clicks into his online banking Web site. He is about to type in his password when he notices
that something is just not right. Upon further examination he notices that it is not the actual bank site but
one that looks almost identical. John was almost a victim of ________.
A) spoofing
B) keyloggers
C) a Trojan horse
D) worms
Answer: A
Diff: 2 Type: MC Page Ref: 251
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

58) Betty downloaded a peer-to-peer file sharing program. She is worried that it might have come with
spyware attached to it. She had a friend who had a spyware problem where all of her keystrokes were
stolen which included her bank passwords. Betty's friend was a victim of ________.
A) spoofing
B) keyloggers
C) a Trojan horse
D) worms
Answer: B
Diff: 2 Type: MC Page Ref: 251
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

59) Helen downloaded a greeting card program from the Internet. She was surprised that it really didn't
do what it was supposed to do. What the program did was send nasty, profane e-mails to all the people in
her contact list. Helen is the victim of ________.
A) spoofing
B) keyloggers
C) a Trojan horse
D) worms
Answer: C
Diff: 2 Type: MC Page Ref: 250
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

60) Robert knows that he got an independent program off of his network on his computer. It deleted all
of his spreadsheet files on his hard drive. Robert feels that this problem may have resulted from him
opening up an attachment file on his e-mail. Robert is the victim of ________.
A) spoofing
B) keyloggers
C) a Trojan horse
D) worms
Answer: D
Diff: 2 Type: MC Page Ref: 249
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

61) A ________ is a type of eavesdropping program that monitors information travelling over a network.
A) sniffer
B) keylogger
C) Trojan horse
D) worm
Answer: A
Diff: 2 Type: MC Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

62) ________ involves setting up fake Web sites or sending e-mail messages that look like those of
legitimate businesses to ask users for confidential personal data.
A) Farming
B) Fishing
C) Pharming
D) Phishing
Answer: D
Diff: 2 Type: MC Page Ref: 253
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

63) Jimmy Clark is sitting home one night and is very bored. He gets on his computer and starts to surf
the net. He comes to a military site. He thinks he might be able to get around the security of the site and
into the military computer system. He spends the next two hours trying to find his way into their system.
Jimmy is ________.
A) a hacker
B) a cracker
C) a dumpster diver
D) a social engineer
Answer: A
Diff: 3 Type: MC Page Ref: 251
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

64) Daniel is sitting home one night and is very bored. He gets on his computer and starts to surf the net.
He comes to a bank site. He thinks he might be able to get around the security of the site and into the
bank computer system. He spends the next two hours trying to find his way into their system. Daniel
gets into the system and puts $200 into his account from just some random name he found in the
banking system. Daniel is a ________.
A) hacker
B) cracker
C) dumpster diver
D) social engineer
Answer: B
Diff: 3 Type: MC Page Ref: 251
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

65) Bart Black walks into a local bank. He does not work there but he has a tag on his shirt that reads
"IT Department." He goes up to a loans officer and tells him he needs to check the security on the loan
officer's computer. Bart sits in front of the keyboard and asks the officer for his username and password.
The loan officer gives him the information. Bart then thanks him and leaves the bank. Outside in his car
Bart Black gets into the bank system using the information. This loan officer is a victim of ________.
A) a hacker
B) a cracker
C) dumpster diving
D) social engineering
Answer: D
Diff: 3 Type: MC Page Ref: 254
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

66) ________ defects cannot be achieved in larger programs.
A) Two
B) One hundred
C) Thirty
D) Zero
Answer: D
Diff: 1 Type: MC Page Ref: 255
AACSB: Reflective thinking skills
CASE: Evaluation
A-level Heading: 8.1 System Vulnerability and Abuse

67) Many firms are reluctant to spend heavily on security because it is not directly related to ________.
A) sales expense
B) sales forecasting
C) sales tax
D) sales revenue
Answer: D
Diff: 2 Type: MC Page Ref: 257
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.2 Business Value of Security And Control

68) ________ govern the design, security, and use of computer programs and the security of data files
throughout the organization's IT infrastructure.
A) Output controls
B) Input controls
C) Application controls
D) General controls
Answer: D
Diff: 2 Type: MC Page Ref: 257
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

69) ________ are specific controls unique to each computerized application, such as payroll or order
processing.
A) Output controls
B) Input controls
C) Application controls
D) General controls
Answer: C
Diff: 2 Type: MC Page Ref: 259
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

70) ________ consists of all the policies and procedures a company uses to prevent improper access to
systems by unauthorized insiders and outsiders.
A) Output control
B) Input control
C) Access control
D) General control
Answer: C
Diff: 2 Type: MC Page Ref: 263
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

71) ________ is the process of transforming plain text or data into cipher text that cannot be read by
anyone other than the sender and the intended receiver.
A) Risk audit
B) Spoofing
C) Encryption
D) Application control
Answer: C
Diff: 1 Type: MC Page Ref: 266
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources
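Worked example for questions 43 and 71 (added here; it is not code from the textbook or the test bank). Public key encryption uses two mathematically related keys: anyone may encrypt with the public key, but only the holder of the private key can turn the cipher text back into plain text. The block below implements textbook RSA with small, constructed primes so the arithmetic is visible, encrypts a message byte by byte with the public key, decrypts it with the private key, and shows that applying the public key again does not recover the message. The primes and the exponent are assumptions of the example; this is a demonstration of the two-key property only, not a usable cipher, since real RSA uses primes of a thousand bits or more and a padding scheme rather than raw byte-at-a-time exponentiation.

```python
from math import gcd

# Constructed small primes for illustration only (an assumption of this example).
P, Q = 61, 53


def generate_keypair(p=P, q=Q, e=17):
    """Return (public_key, private_key) as ((e, n), (d, n)).

    The public key (e, n) can be handed to anyone; the private key (d, n)
    stays with its owner. d is the modular inverse of e modulo phi(n), so
    (m ** e) ** d == m (mod n) for every message m < n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, message: bytes) -> list:
    """Encrypt each byte m with the public key: c = m^e mod n."""
    e, n = public_key
    return [pow(m, e, n) for m in message]


def decrypt_raw(key, ciphertext: list) -> list:
    """Apply any key (k, n) to each cipher value: c^k mod n.

    With the private key this recovers the bytes; with any other key it
    produces unrelated numbers, which is the property being demonstrated."""
    k, n = key
    return [pow(c, k, n) for c in ciphertext]


def decrypt(private_key, ciphertext: list) -> bytes:
    """Decrypt with the private key and rebuild the original bytes."""
    return bytes(decrypt_raw(private_key, ciphertext))


if __name__ == "__main__":
    public, private = generate_keypair()
    plain = b"Hello, world!"
    cipher = encrypt(public, plain)
    print("public key ", public)
    print("private key", private)
    print("cipher text", cipher)
    print("decrypted  ", decrypt(private, cipher))
    print("public key applied again recovers the message?",
          decrypt_raw(public, cipher) == list(plain))
```

Because the encryption is deterministic and works on one byte at a time, equal bytes produce equal cipher values; that is why real deployments add randomized padding before the exponentiation.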

72) ________ refers to policies, procedures, and technical measures used to prevent unauthorized
access, alteration, theft, or physical damage to information systems.
A) "Security"
B) "Controls"
C) "Benchmarking"
D) "Algorithms"
Answer: A
Diff: 2 Type: MC Page Ref: 246
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

73) ________ refers to all of the methods, policies, and organizational procedures that ensure the safety
of the organization's assets, the accuracy and reliability of its accounting records, and operational
adherence to management standards.
A) "Legacy systems"
B) "SSID standards"
C) "Vulnerabilities"
D) "Controls"
Answer: D
Diff: 2 Type: MC Page Ref: 246
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

74) Large amounts of data stored in electronic form are ________ than the same data in manual form.
A) less vulnerable to damage
B) more secure
C) vulnerable to many more kinds of threats
D) more critical to most businesses
Answer: C
Diff: 1 Type: MC Page Ref: 246
AACSB: Analytic skills
CASE: Evaluation
A-level Heading: 8.1 System Vulnerability and Abuse

75) Electronic data are more susceptible to destruction, fraud, error, and misuse because information
systems concentrate data in computer files that
A) are usually bound up in legacy systems that are difficult to access and difficult to correct in case of
error.
B) are not secure because the technology to secure them did not exist at the time the files were created.
C) have the potential to be accessed by large numbers of people and by groups outside of the
organization.
D) are frequently available on the Internet.
Answer: C
Diff: 2 Type: MC Page Ref: 246
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

76) Specific security challenges that threaten the communications lines in a client/server environment
include
A) tapping; sniffing; message alteration; radiation.
B) hacking; vandalism; denial of service attacks.
C) theft, copying, alteration of data; hardware or software failure.
D) unauthorized access; errors; spyware.
Answer: A
Diff: 3 Type: MC Page Ref: 247
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

77) Specific security challenges that threaten clients in a client/server environment include
A) tapping; sniffing; message alteration; radiation.
B) hacking; vandalism; denial of service attacks.
C) theft, copying, alteration of data; hardware or software failure.
D) unauthorized access; errors; spyware.
Answer: D
Diff: 2 Type: MC Page Ref: 247
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

78) Specific security challenges that threaten corporate servers in a client/server environment include
A) tapping; sniffing; message alteration; radiation.
B) hacking; vandalism; denial of service attacks.
C) theft, copying, alteration of data; hardware or software failure.
D) unauthorized access; errors; spyware.
Answer: B
Diff: 3 Type: MC Page Ref: 247
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

79) An independent computer program that copies itself from one computer to another over a network is
called a
A) worm.
B) Trojan horse.
C) bug.
D) pest.
Answer: A
Diff: 2 Type: MC Page Ref: 249
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

80) Sobig.F and MyDoom.A are
A) viruses that use Microsoft Outlook to spread to other systems.
B) worms attached to e-mail that spread from computer to computer.
C) multipartite viruses that can infect files as well as the boot sector of the hard drive.
D) Trojan horses used to create bot nets.
Answer: B
Diff: 3 Type: MC Page Ref: 250
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

81) Redirecting a Web link to a different address is a form of
A) snooping.
B) spoofing.
C) sniffing.
D) war driving.
Answer: B
Diff: 2 Type: MC Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

82) A key logger is a type of
A) worm.
B) Trojan horse.
C) virus.
D) spyware.
Answer: D
Diff: 1 Type: MC Page Ref: 252
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

83) How do hackers create a botnet?
A) by infecting Web search bots with malware
B) by using Web search bots to infect other computers
C) by causing other people's computers to become "zombie" PCs following a master computer
D) by infecting corporate servers with "zombie" Trojan horses that allow undetected access through a
back door
Answer: C
Diff: 2 Type: MC Page Ref: 252
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

84) Using numerous computers to inundate and overwhelm the network from numerous launch points is
called a ________ attack.
A) DDoS
B) DoS
C) pharming
D) phishing
Answer: A
Diff: 2 Type: MC Page Ref: 252
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

85) Which of the following is NOT an example of a computer used as a target of crime?
A) knowingly accessing a protected computer to commit fraud
B) accessing a computer system without authority
C) illegally accessing stored electronic communication
D) threatening to cause damage to a protected computer
Answer: C
Diff: 2 Type: MC Page Ref: 253
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

86) Which of the following is NOT an example of a computer used as an instrument of crime?
A) theft of trade secrets
B) intentionally attempting to intercept electronic communication
C) unauthorized copying of software
D) breaching the confidentiality of protected computerized data
Answer: D
Diff: 2 Type: MC Page Ref: 253
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

87) Phishing is a form of
A) spoofing.
B) spinning.
C) snooping.
D) sniffing.
Answer: A
Diff: 2 Type: MC Page Ref: 253
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

88) Phishing involves
A) setting up bogus Wi-Fi hot spots.
B) setting up fake Web sites to ask users for confidential information.
C) pretending to be a legitimate business's representative in order to garner information about a security
system.
D) using e-mails for threats or harassment.
Answer: B
Diff: 2 Type: MC Page Ref: 253
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

89) Evil twins are
A) Trojan horses that appear to the user to be a legitimate commercial software application.
B) e-mail messages that mimic the e-mail messages of a legitimate business.
C) fraudulent Web sites that mimic a legitimate business's Web site.
D) bogus wireless networks that look legitimate to users.
Answer: D
Diff: 1 Type: MC Page Ref: 253
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

90) Pharming involves
A) redirecting users to a fraudulent Web site even when the user has typed in the correct address in the
Web browser.
B) pretending to be a legitimate business's representative in order to garner information about a security
system.
C) setting up fake Web sites to ask users for confidential information.
D) using e-mails for threats or harassment.
Answer: A
Diff: 2 Type: MC Page Ref: 253
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

91) You have been hired as a security consultant for a legal firm. Which of the following constitutes the
greatest threat, in terms of security, to the firm?
A) wireless network
B) employees
C) authentication procedures
D) lack of data encryption
Answer: B
Diff: 2 Type: MC Page Ref: 254
AACSB: Analytic skills
CASE: Evaluation
A-level Heading: 8.1 System Vulnerability and Abuse

92) Tricking employees to reveal their passwords by pretending to be a legitimate member of a company
is called
A) sniffing
B) social engineering
C) phishing
D) pharming
Answer: B
Diff: 1 Type: MC Page Ref: 254
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

93) How do software vendors correct flaws in their software after it has been distributed?
A) issue bug fixes
B) issue patches
C) re-release software
D) issue updated versions
Answer: B
Diff: 2 Type: MC Page Ref: 255
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

94) The most common type of electronic evidence is
A) voice-mail.
B) spreadsheets.
C) instant messages.
D) e-mail.
Answer: D
Diff: 2 Type: MC Page Ref: 258
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.2 Business Value of Security And Control

95) Electronic evidence on computer storage media that is not visible to the average user is called
________ data.
A) defragmented
B) ambient
C) forensic
D) recovery
Answer: B
Diff: 2 Type: MC Page Ref: 258
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.2 Business Value of Security And Control

96) Application controls
A) can be classified as input controls, processing controls, and output controls.
B) govern the design, security, and use of computer programs and the security of data files in general
throughout the organization.
C) apply to all computerized applications and consist of a combination of hardware, software, and
manual procedures that create an overall control environment.
D) include software controls, computer operations controls, and implementation controls.
Answer: A
Diff: 2 Type: MC Page Ref: 259
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

97) ________ controls ensure that valuable business data files on either disk or tape are not subject to
unauthorized access, change, or destruction while they are in use or in storage.
A) Software
B) Administrative
C) Data security
D) Implementation
Answer: C
Diff: 3 Type: MC Page Ref: 259
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

98) Analysis of an information system that rates the likelihood of a security incident occurring and its
cost is included in a(n)
A) security policy.
B) AUP.
C) risk assessment.
D) business impact analysis.
Answer: C
Diff: 2 Type: MC Page Ref: 259
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

99) Statements ranking information risks and identifying security goals are included in a(n)
A) security policy.
B) AUP.
C) risk assessment.
D) business impact analysis.
Answer: A
Diff: 2 Type: MC Page Ref: 260
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

100) An analysis of the firm's most critical systems and the impact a system's outage would have on the
business is included in a(n)
A) security policy.
B) AUP.
C) risk assessment.
D) business impact analysis.
Answer: D
Diff: 3 Type: MC Page Ref: 262
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

101) Rigorous password systems
A) are one of the most effective security tools.
B) may hinder employee productivity.
C) are costly to implement.
D) are often disregarded by employees.
Answer: B
Diff: 2 Type: MC Page Ref: 263
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

102) An authentication token is a(n)
A) device the size of a credit card that contains access permission data.
B) type of smart card.
C) gadget that displays passcodes.
D) electronic marker attached to a digital authorization file.
Answer: C
Diff: 2 Type: MC Page Ref: 263
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

103) Biometric authentication
A) is inexpensive.
B) is used widely in Europe for security applications.
C) can use a person's face as a unique, measurable trait.
D) only uses physical traits as a measurement.
Answer: C
Diff: 2 Type: MC Page Ref: 264
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

104) A firewall allows the organization to
A) enforce a security policy on traffic between its network and the Internet.
B) check the accuracy of all transactions between its network and the Internet.
C) create an enterprise system on the Internet.
D) check the content of all incoming and outgoing e-mail messages.
Answer: A
Diff: 2 Type: MC Page Ref: 264
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

105) In which technique are network communications analyzed to see whether packets are part of an
ongoing dialogue between a sender and a receiver?
A) stateful inspection
B) intrusion detection system
C) application proxy filtering
D) packet filtering
Answer: A
Diff: 3 Type: MC Page Ref: 264
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

106) ________ use scanning software to look for known problems such as bad passwords, the removal
of important files, security attacks in progress, and system administration errors.
A) Stateful inspections
B) Intrusion detection systems
C) Application proxy filtering technologies
D) Packet filtering technologies
Answer: B
Diff: 2 Type: MC Page Ref: 265
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

107) Currently, the protocols used for secure information transfer over the Internet are
A) TCP/IP and SSL.
B) S-HTTP and CA.
C) HTTP and TCP/IP.
D) SSL, TLS, and S-HTTP.
Answer: D
Diff: 1 Type: MC Page Ref: 266
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

108) Most antivirus software is effective against
A) only those viruses active on the Internet and through e-mail.
B) any virus.
C) any virus except those in wireless communications applications.
D) only those viruses already known when the software is written.
Answer: D
Diff: 2 Type: MC Page Ref: 266
AACSB: Analytic skills
CASE: Synthesis
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

109) In which method of encryption is a single encryption key sent to the receiver so both sender and
receiver share the same key?
A) SSL
B) symmetric key encryption
C) public key encryption
D) private key encryption
Answer: B
Diff: 2 Type: MC Page Ref: 267
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

110) A digital certificate system
A) uses third-party CAs to validate a user's identity.
B) uses digital signatures to validate a user's identity.
C) uses tokens to validate a user's identity.
D) is used primarily by individuals for personal correspondence.
Answer: A
Diff: 2 Type: MC Page Ref: 267
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

111) Downtime refers to periods of time in which a
A) computer system is malfunctioning.
B) computer system is not operational.
C) corporation or organization is not operational.
D) computer is not online.
Answer: B
Diff: 2 Type: MC Page Ref: 268
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

112) Online transaction processing requires
A) more processing time.
B) a large server network.
C) fault-tolerant computer systems.
D) dedicated phone lines.
Answer: C
Diff: 1 Type: MC Page Ref: 268
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

113) In controlling network traffic to minimize slow-downs, a technology called ________ is used to
examine data files and sort low-priority data from high-priority data.
A) high availability computing
B) deep-packet inspection
C) application proxy filtering
D) stateful inspection
Answer: B
Diff: 3 Type: MC Page Ref: 269
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

114) The development and use of methods to make computer systems recover more quickly after
mishaps is called
A) high availability computing.
B) recovery oriented computing.
C) fault tolerant computing.
D) disaster recovery planning.
Answer: B
Diff: 2 Type: MC Page Ref: 268
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

115) Smaller firms can outsource security functions to
A) MISs
B) CSOs
C) MSSPs
D) CAs
Answer: C
Diff: 2 Type: MC Page Ref: 269
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

116) Domestic or offshore partnering with another company adds to system vulnerability if valuable
information resides on networks and computers ________ the organization's control.
A) inside
B) within
C) outside
D) internal to
Answer: C
Diff: 2 Type: MC Page Ref: 247
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

117) Smartphones share the same security ________ as other Internet devices and are vulnerable to
malicious software and penetration from outsiders.
A) strengths
B) fortes
C) weaknesses
D) muscles
Answer: C
Diff: 2 Type: MC Page Ref: 247
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

118) Popular IM applications for consumers ________ use a secure layer for text messages, so they can
be intercepted and read by outsiders during transmission over the public Internet.
A) always
B) continually
C) do not
D) sometimes
Answer: C
Diff: 2 Type: MC Page Ref: 248
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

119) Many Wi-Fi networks can be penetrated easily by intruders using ________ programs to obtain an
address to access the resources of a network without authorization.
A) phishing
B) sniffer
C) pharming
D) encryption
Answer: B
Diff: 2 Type: MC Page Ref: 249
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

120) The ________ worm uses flaws in Windows software to take over machines and link them into a
virtual computer that can be commanded remotely.
A) Sasser.ftp
B) Conficker
C) ILOVEYOU
D) Melissa
Answer: B
Diff: 2 Type: MC Page Ref: 250
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

121) The ________ worm affected millions of computers worldwide, disrupting British Airways flight
check-ins, operations of British Coast Guard stations, Hong Kong hospitals, Taiwan post office
branches, and Australia's Westpac Bank.
A) Sasser.ftp
B) Conficker
C) ILOVEYOU
D) Melissa
Answer: A
Diff: 2 Type: MC Page Ref: 250
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

122) The ________ worm Word macro script mailed an infected Word file to the first 50 entries in a
user's Microsoft Outlook address book. It infected 15 to 29 percent of all business PCs, causing $300
million to $600 million in damage.
A) Sasser.ftp
B) Conficker
C) ILOVEYOU
D) Melissa
Answer: D
Diff: 2 Type: MC Page Ref: 250
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

123) The ________ worm was first identified in January 2007. It spreads via e-mail spam with a fake
attachment. Infected up to 10 million computers, causing them to join its zombie network of computers
engaged in criminal activity.
A) Sasser.ftp
B) Conficker
C) ILOVEYOU
D) Storm
Answer: D
Diff: 2 Type: MC Page Ref: 250
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

124) ________ injection attacks are the largest malware threat; these attacks take advantage of
vulnerabilities in poorly coded Web application software to introduce malicious program code into a
company's systems and networks.
A) QLS
B) SLQ
C) FLQ
D) SQL
Answer: D
Diff: 2 Type: MC Page Ref: 251
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

125) Businesses must protect not only their own information assets but also those of ________.
A) customers, employees, and competitors
B) competitors, employees, and business partners
C) customers, competitors, and business partners
D) customers, employees, and business partners
Answer: D
Diff: 2 Type: MC Page Ref: 257
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.2 Business Value of Security And Control

126) ________ consists of business processes and software tools for identifying the valid users of a
system and controlling their access to system resources.
A) Access management
B) Identity management
C) Firewall management
D) Encryption management
Answer: B
Diff: 2 Type: MC Page Ref: 261
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

127) ________ is a complete, internationally accepted process framework for IT that supports business,
IT executives, and management in the definition and achievement of business and related IT goals by
providing a comprehensive IT governance, management, control, and assurance model.
A) TOBIT
B) COBIT
C) TOBIC
D) BOCIT
Answer: B
Diff: 2 Type: MC Page Ref: 261
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

128) ________ planning focuses on how the company can restore business operations after a disaster
strikes.
A) Disaster recovery
B) Business continuity
C) Disaster continuity
D) Business recovery
Answer: B
Diff: 2 Type: MC Page Ref: 262
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

129) A practice in which eavesdroppers drive by buildings or park outside and try to intercept wireless
network traffic is referred to as ________.
Answer: war driving
Diff: 2 Type: SA Page Ref: 248
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

130) ________ refers to the policies, procedures, and technical measures used to prevent unauthorized
access, alteration, theft, or physical damage to information systems.
Answer: Security
Diff: 2 Type: SA Page Ref: 246
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

131) ________ are methods, policies, and organizational procedures ensuring the safety of the
organization's assets, the accuracy and reliability of its records, and operational adherence to
management standards.
Answer: Controls
Diff: 2 Type: SA Page Ref: 246
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

132) Large public networks, such as the Internet, are more ________ than internal networks because
they are virtually open to anyone.
Answer: vulnerable
Diff: 2 Type: SA Page Ref: 247
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

133) A fixed Internet address creates a ________ target for hackers.
Answer: fixed
Diff: 2 Type: SA Page Ref: 248
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

134) Malicious software programs are referred to as ________.
Answer: malware
Diff: 2 Type: SA Page Ref: 249
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

135) A ________ is a rogue software program that attaches itself to other software programs or data files
in order to be executed, usually without user knowledge or permission.
Answer: virus
Diff: 2 Type: SA Page Ref: 249
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

136) ________ are independent computer programs that copy themselves from one computer to other
computers over a network.
Answer: Worms
Diff: 2 Type: SA Page Ref: 249
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

137) A ________ is a software program that appears to be benign but then does something other than
expected.
Answer: Trojan horse
Diff: 2 Type: SA Page Ref: 250
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

138) A ________ is an individual who intends to gain unauthorized access to a computer system.
Answer: hacker
Diff: 2 Type: SA Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

139) The term ________ is typically used to denote a hacker with criminal intent.
Answer: cracker
Diff: 2 Type: SA Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

140) ________ is the intentional disruption, defacement, or even destruction of a Web site or corporate
information system.
Answer: Cybervandalism
Diff: 2 Type: SA Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

141) ________ also may involve redirecting a Web link to an address different from the intended one,
with the site masquerading as the intended destination.
Answer: Spoofing
Diff: 2 Type: SA Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

142) A ________ is a type of eavesdropping program that monitors information travelling over a
network.
Answer: sniffer
Diff: 2 Type: SA Page Ref: 251
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

143) In a ________, hackers flood a network server or Web server with many thousands of false
communications or requests for services to crash the network.
Answer: denial-of-service (DoS) attack
Diff: 2 Type: SA Page Ref: 252
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

144) ________ involves setting up fake Web sites or sending e-mail messages that look like those of
legitimate businesses to ask users for confidential personal data.
Answer: Phishing
Diff: 2 Type: SA Page Ref: 253
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

145) ________ redirects users to a bogus Web page, even when the individual types the correct Web
page address into his or her browser.
Answer: Pharming
Diff: 2 Type: SA Page Ref: 253
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

146) ________ occurs when an individual or computer program fraudulently clicks on an online ad
without any intention of learning more about the advertiser or making a purchase.
Answer: Click fraud
Diff: 2 Type: SA Page Ref: 254
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

147) ________ is tricking people into revealing their passwords or other information by pretending to be
legitimate users or members of a company in need of information.
Answer: Social engineering
Diff: 2 Type: SA Page Ref: 254
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

148) Growing complexity and size of software programs, coupled with demands for timely delivery to
markets, have contributed to an increase in software ________ or vulnerabilities.
Answer: flaws
Diff: 2 Type: SA Page Ref: 254
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

149) ________ defects cannot be achieved in larger programs.
Answer: Zero
Diff: 2 Type: SA Page Ref: 255
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

150) Many firms are reluctant to spend heavily on security because it is not directly related to ________.
Answer: sales revenue
Diff: 2 Type: SA Page Ref: 257
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.2 Business Value of Security And Control

151) ________ controls are specific controls unique to each computerized application, such as payroll or
order processing.
Answer: Application
Diff: 2 Type: SA Page Ref: 259
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

152) ________ controls establish that data are complete and accurate during updating.
Answer: Processing
Diff: 2 Type: SA Page Ref: 159
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

153) ________ controls ensure that the results of computer processing are accurate, complete, and
properly distributed.
Answer: Output
Diff: 2 Type: SA Page Ref: 259
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

154) A ________ determines the level of risk to the firm if a specific activity or process is not properly
controlled.
Answer: risk assessment
Diff: 2 Type: SA Page Ref: 259
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

155) A ________ includes statements ranking information risks, identifying acceptable security goals,
and identifying the mechanisms for achieving these goals.
Answer: security policy
Diff: 2 Type: SA Page Ref: 260
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

156) An ________ defines acceptable uses of the firm's information resources and computing
equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet.
Answer: acceptable-use policy (AUP)
Diff: 2 Type: SA Page Ref: 260
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

157) ________ devises plans for the restoration of computing and communications services after they
have been disrupted.
Answer: Disaster recovery planning
Diff: 2 Type: SA Page Ref: 262
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

158) A ________ is a physical device, similar to an identification card, that is designed to prove the
identity of a single user.
Answer: token
Diff: 2 Type: SA Page Ref: 262
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

159) A ________ is a device about the size of a credit card that contains a chip formatted with access
permission and other data.
Answer: smart card
Diff: 2 Type: SA Page Ref: 263
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

160) ________ uses systems that read and interpret individual human traits, such as fingerprints, irises,
and voices, in order to grant or deny access.
Answer: Biometric authentication
Diff: 2 Type: SA Page Ref: 264
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

161) A ________ is a combination of hardware and software that controls the flow of incoming and
outgoing network traffic.
Answer: firewall
Diff: 2 Type: SA Page Ref: 264
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

162) ________ examines selected fields in the headers of data packets flowing back and forth between
the trusted network and the Internet, examining individual packets in isolation.
Answer: Packet filtering
Diff: 2 Type: SA Page Ref: 264
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

163) ________ feature full-time monitoring tools placed at the most vulnerable points or "hot spots" of
corporate networks to detect and deter intruders continually.
Answer: Intrusion detection systems
Diff: 2 Type: SA Page Ref: 265
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

164) ________ is designed to check computer systems and drives for the presence of computer viruses.
Answer: Antivirus software
Diff: 2 Type: SA Page Ref: 266
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

165) ________ is the process of transforming plain text or data into cipher text that cannot be read by
anyone other than the sender and the intended receiver.
Answer: Encryption
Diff: 2 Type: SA Page Ref: 266
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

166) ________ encryption uses two keys: one shared (or public) and one private.
Answer: Public key
Diff: 2 Type: SA Page Ref: 267
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

167) A ________ system uses a trusted third party, known as a certificate authority (CA), to validate a
user's identity.
Answer: digital certificate
Diff: 2 Type: SA Page Ref: 267
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

168) ________ computer systems contain redundant hardware, software, and power supply components
that create an environment that provides continuous, uninterrupted service.
Answer: Fault-tolerant
Diff: 2 Type: SA Page Ref: 268
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

169) Malicious software programs referred to as ________ include a variety of threats such as computer
viruses, worms, and Trojan horses.
Answer: malware
Diff: 1 Type: SA Page Ref: 249
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

170) ________ is a crime in which an imposter obtains key pieces of personal information to
impersonate someone else.
Answer: Identity theft
Diff: 1 Type: SA Page Ref: 253
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

171) ________ is the scientific collection, examination, authentication, preservation, and analysis of
data held on or retrieved from computer storage media in such a way that the information can be used as
evidence in a court of law.
Answer: Computer forensics
Diff: 2 Type: SA Page Ref: 258
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.2 Business Value of Security And Control

172) On the whole, ________ controls apply to all computerized applications and consist of a
combination of hardware, software, and manual procedures that create an overall control environment.
Answer: general
Diff: 3 Type: SA Page Ref: 258
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

173) A(n) ________ examines the firm's overall security environment as well as the controls governing
individual information systems.
Answer: MIS audit
Diff: 2 Type: SA Page Ref: 262
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.3 Establishing A Framework For Security and Control

174) ________ consists of all the policies and procedures a company uses to prevent improper entry to
systems by unauthorized insiders and outsiders.
Answer: Access control
Diff: 3 Type: SA Page Ref: 263
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

175) ________ refers to the ability to know that a person is who he or she claims to be.
Answer: Authentication
Diff: 2 Type: SA Page Ref: 263
AACSB: Reflective thinking skills
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

176) Comprehensive security management products, with tools for firewalls, VPNs, intrusion detection
systems, and more, are called ________ systems.
Answer: unified threat management
Diff: 3 Type: SA Page Ref: 266
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

177) When errors are discovered in software programs, the sources of the errors are found and
eliminated through a process called ________.
Answer: debugging
Diff: 1 Type: SA Page Ref: 271
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

178) Domestic or offshore partnering with another company adds to system vulnerability if valuable
information resides on networks and computers ________ the organization's control.
Answer: outside
Diff: 1 Type: SA Page Ref: 247
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

179) Smartphones share the same ________ weaknesses as other Internet devices and are vulnerable to
malicious software and penetration from outsiders.
Answer: security
Diff: 1 Type: SA Page Ref: 247
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

180) Popular IM applications for consumers do not use a ________ for text messages, so they can be
intercepted and read by outsiders during transmission over the public Internet.
Answer: secure layer
Diff: 1 Type: SA Page Ref: 248
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

181) Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an
address to access the resources of a network without ________.
Answer: authorization
Diff: 1 Type: SA Page Ref: 249
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

182) The ________ worm uses flaws in Windows software to take over machines and link them into a
virtual computer that can be commanded remotely.
Answer: Conficker
Diff: 1 Type: SA Page Ref: 250
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

183) The ________ worm affected millions of computers worldwide, disrupting British Airways flight
check-ins, operations of British Coast Guard stations, Hong Kong hospitals, Taiwan post office
branches, and Australia's Westpac Bank.
Answer: Sasser.ftp
Diff: 1 Type: SA Page Ref: 250
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

184) The ________ worm Word macro script mailed an infected Word file to the first 50 entries in a
user's Microsoft Outlook address book. Infected 15 to 29 percent of all business PCs, causing $300
million to $600 million in damage.
Answer: Melissa
Diff: 1 Type: SA Page Ref: 250
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

185) The ________ worm was first identified in January 2007. It spreads via e-mail spam with a fake
attachment. It infected up to 10 million computers, causing them to join its zombie network of computers
engaged in criminal activity.
Answer: Storm
Diff: 1 Type: SA Page Ref: 250
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

186) ________ attacks are the largest malware threat; they take advantage of vulnerabilities in
poorly coded Web application software to introduce malicious program code into a company's systems
and networks.
Answer: SQL injection
Diff: 1 Type: SA Page Ref: 251
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

187) Businesses must protect not only their own information assets but also those of ________,
employees, and business partners.
Answer: customers
Diff: 1 Type: SA Page Ref: 257
AACSB: Use of information technology
CASE: Content
A-level Heading: 8.1 System Vulnerability and Abuse

188) Discuss the issue of security challenges on the Internet as that issue applies to a global enterprise.
List at least five Internet security challenges.
Answer: Large public networks, including the Internet, are more vulnerable because they are virtually
open to anyone and because they are so huge that when abuses do occur, they can have an enormously
widespread impact. When the Internet becomes part of the corporate network, the organization's
information systems can be vulnerable to actions from outsiders. Computers that are constantly
connected to the Internet via cable modem or DSL line are more open to penetration by outsiders
because they use a fixed Internet address where they can be more easily identified. The fixed Internet
address creates the target for hackers. To benefit from electronic commerce, supply chain management,
and other digital business processes, companies need to be open to outsiders such as customers,
suppliers, and trading partners. Corporate systems must be extended outside the organization so that
employees working with wireless and other mobile computing devices can access them. This requires a
new security culture and infrastructure, allowing corporations to extend their security policies to include
procedures for suppliers and other business partners.
Diff: 2 Type: ES Page Ref: 246-247
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

189) How can a firm's security policies contribute and relate to the six main business objectives? Give
examples.
Answer:
Operational excellence: Security policies are essential to operational excellence. A firm's daily
transactions can be severely disrupted by cybercrime such as hackers. A firm's efficiency relies on
accurate data. In addition, information assets have tremendous value, and the repercussions can be
devastating if they are lost, destroyed, or placed in the wrong hands.

New products, services, business models: Security policies protect a company's ideas for new products
and services, which could be stolen by competitors. Additionally, enhanced security could be seen by a
customer as a way to differentiate your product.

Customer and supplier intimacy: Customers rely on your security if they enter personal data into your
information system, for example, credit card information into your e-commerce site. The information
you receive from customers and suppliers directly affects how able you are to customize your product,
service, or communication with them.

Improved decision making: Secure systems make data accuracy a priority, and good decision making
relies on accurate and timely data. Lost and inaccurate data would lead to compromised decision
making.

Competitive advantage: The knowledge that your firm has superior security to another's would, on an
otherwise level playing field, make your firm more attractive to do business with. Also, improved
decision-making, new products and services, which are also affected by security (see above), will
contribute to a firm's competitive advantage. Strong security and control also increase employee
productivity and lower operational costs.

Survival: New laws and regulations make keeping your security system up to date a matter of survival.
Inadequate security and control may result in serious legal liability. Firms have been destroyed by errors
in security policies.
Diff: 3 Type: ES Page Ref: 258-259
AACSB: Analytic skills
CASE: Synthesis
A-level Heading: 8.2 Business Value of Security And Control

190) Three major concerns of system builders and users are disaster, security, and human error. Of the
three, which do you think is most difficult to deal with? Why?
Answer: Disaster might be the most difficult because it is unexpected, broad-based, and frequently life
threatening. In addition, the company cannot know if the disaster plan will work until a disaster occurs,
and then it's too late to make corrections.

Security might be the most difficult because it is an ongoing problem: new viruses are devised
constantly, and hackers get smarter every day. Furthermore, damage done by a trusted employee from
inside cannot be obviated by system security measures.

Human error might be most difficult because it isn't caught until too late, and the consequences may be
disastrous. Also, administrative error can occur at any level and through any operation or procedure in
the company.
Diff: 2 Type: ES Page Ref: 247
AACSB: Analytic skills
CASE: Evaluation
A-level Heading: 8.1 System Vulnerability and Abuse

191) What are the security challenges faced by wireless networks?
Answer: Wireless networks are vulnerable because radio frequency bands are easy to scan. Both
Bluetooth and Wi-Fi networks are susceptible to hacking by eavesdroppers. Local area networks (LANs)
using the 802.11 standard can be easily penetrated by outsiders armed with laptops, wireless cards,
external antennae, and hacking software. Hackers use these tools to detect unprotected networks,
monitor network traffic, and, in some cases, gain access to the Internet or to corporate networks. Wi-Fi
transmission technology was designed to make it easy for stations to find and hear one another. The
service set identifiers (SSIDs) identifying the access points in a Wi-Fi network are broadcast multiple
times and can be picked up fairly easily by intruders' sniffer programs. Wireless networks in many
locations do not have basic protections against war driving, in which eavesdroppers drive by buildings
or park outside and try to intercept wireless network traffic. A hacker can employ an 802.11 analysis tool
to identify the SSID. An intruder that has associated with an access point by using the correct SSID is
capable of accessing other resources on the network, using the Windows operating system to determine
which other users are connected to the network, access their computer hard drives, and open or copy
their files. Intruders also use the information they have gleaned to set up rogue access points on a
different radio channel in physical locations close to users to force a user's radio NIC to associate with
the rogue access point. Once this association occurs, hackers using the rogue access point can capture
the names and passwords of unsuspecting users.
Diff: 3 Type: ES Page Ref: 248
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse

192) Why is software quality important to security? What specific steps can an organization take to
ensure software quality?
Answer: Software errors pose a constant threat to information systems, causing untold losses in
productivity. Growing complexity and size of software programs, coupled with demands for timely
delivery to markets, have contributed to an increase in software flaws or vulnerabilities. A major
problem with software is the presence of hidden bugs or program code defects. Studies have shown that
it is virtually impossible to eliminate all bugs from large programs. Flaws in commercial software not
only impede performance but also create security vulnerabilities that open networks to intruders. To
correct software flaws once they are identified, the software vendor creates small pieces of software
called patches to repair the flaws without disturbing the proper operation of the software. Organizations
must maintain best efforts to both make sure purchased software is up to date and make sure their own
software and programming is as bug-free as possible by employing software metrics and rigorous
software testing. Ongoing use of metrics allows the information systems department and end users to
jointly measure the performance of the system and identify problems as they occur. Examples of
software metrics include the number of transactions that can be processed in a specified unit of time,
online response time, the number of payroll checks printed per hour, and the number of known bugs per
hundred lines of program code. For metrics to be successful, they must be carefully designed, formal,
objective, and used consistently. Early, regular, and thorough testing will contribute significantly to
system quality. Good testing begins before a software program is even written by using a walkthrough,
a review of a specification or design document by a small group of people carefully selected based on
the skills needed for the particular objectives being tested. Once developers start writing software
programs, coding walkthroughs also can be used to review program code. However, code must be tested
by computer runs. When errors are discovered, the source is found and eliminated through a process
called debugging.
Diff: 2 Type: ES Page Ref: 255
AACSB: Analytic skills
CASE: Evaluation
A-level Heading: 8.3 Establishing A Framework For Security and Control

193) Hackers and their companion viruses are an increasing problem, especially on the Internet. What
are the most important measures for a firm to take to protect itself from this? Is full protection feasible?
Why or why not?
Answer: For protection, a company must institute good security measures, which will include firewalls,
investigation of personnel to be hired, physical and software security and controls, antivirus software,
and internal education measures. These measures are best put in place at the time the system is designed,
and careful attention paid to them. A prudent company will engage in disaster protection measures,
frequent updating of security software, and frequent auditing of all security measures and of all data
upon which the company depends. Full protection may not be feasible in light of the time and expenses
involved, but a risk analysis can provide insights into which areas are most important and vulnerable.
These are the areas to protect first.
Diff: 2 Type: ES Page Ref: 263
AACSB: Analytic skills
CASE: Synthesis
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

194) You have just been hired as a security consultant by MegaMalls Inc., a national chain of retail
malls, to make sure that the security of their information systems is up to par. Outline the steps you will
take to achieve this.
Answer:
1. Establish what data and processes are important and essential to the company. Determine what
external and internal information is essential to the different employee roles in the company.
2. Conduct an MIS audit and a security audit, and create a risk assessment analysis.
3. Establish what legal/governmental/industry standards need to be adhered to and which international
standards are relevant.
4. Conduct a business impact analysis and determine a disaster recovery and business continuity plan.
5. Create a security policy that defines an acceptable use policy, authorization policies and processes.
6. Plan for any change management needed.
7. Determine how the success of your policy will be measured and set up means for measuring this.
8. Implement such policies.
9. Measure and evaluate the effectiveness of the policy and make any additional adjustments.
Diff: 3 Type: ES Page Ref: 254-262
AACSB: Analytic skills
CASE: Synthesis
A-level Heading: 8.3 Establishing A Framework For Security and Control

195) What is a digital certificate? How does it work?
Answer: Digital certificates are data files used to establish the identity of users and electronic assets for
protection of online transactions. A digital certificate system uses a trusted third party, known as a
certification authority, to validate a user's identity. The CA verifies a digital certificate user's identity
offline. This information is put into a CA server, which generates an encrypted digital certificate
containing owner identification information and a copy of the owner's public key. The certificate
authenticates that the public key belongs to the designated owner. The CA makes its own public key
available publicly either in print or perhaps on the Internet. The recipient of an encrypted message uses
the CA's public key to decode the digital certificate attached to the message, verifies it was issued by the
CA, and then obtains the sender's public key and identification information contained in the certificate.
Using this information, the recipient can send an encrypted reply. The digital certificate system would
enable, for example, a credit card user and a merchant to validate that their digital certificates were
issued by an authorized and trusted third party before they exchange data. Public key infrastructure
(PKI), the use of public key cryptography working with a certificate authority, is now widely used in e-
commerce.
Diff: 2 Type: ES Page Ref: 267-268
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

196) Define a fault-tolerant computer system and a high-availability computer system. How do they
differ? When would each be used?
Answer: Both systems use backup hardware resources. Fault-tolerant computer systems contain extra
memory chips, processors, and disk storage devices that can back the system up and keep it running to
prevent a system failure. High-availability computing places the emphasis on quick recovery from a
system crash. A high-availability system includes redundant servers, mirroring, load balancing,
clustering, storage area networks, and a good disaster recovery plan. The main difference between them
is that fault-tolerant computer systems don't go down; high-availability computer systems go down, but
can recover quickly.

Companies needing a technology platform with 100 percent, 24-hour system availability use fault-tolerant
computer systems. High-availability computing environments are a minimum requirement for firms with
heavy electronic commerce processing or that depend on digital networks for their internal operations.
Diff: 2 Type: ES Page Ref: 268
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

197) How is the security of a firm's information system and data affected by its people, organization, and
technology? Is the contribution of one of these dimensions any more important than the other? Why?
Answer: There are various technological essentials to protecting an information system: firewalls,
authentication, encryption, anti-virus protection etc. Without technology implemented correctly, there is
no security. A firm's employees are its greatest threat, in terms of embezzlement and insider fraud,
errors, and lax enforcement of security policies. Probably the most important dimension is organization,
because this is what determines a firm's business processes and policies. The firm's information policies
can most enhance security by stressing intelligent design of security systems, appropriate use of security
technology, and the usability of its security processes.
Diff: 3 Type: ES Page Ref: 257-258
AACSB: Analytic skills
CASE: Evaluation
A-level Heading: 8.2 Business Value of Security And Control

198) Robert is in charge of security and control at his financial trading firm. He needs to approach
management about investing large sums of money to the area of security and control. He knows that it
will be a hard sell to this group because they are very focused on sales revenue and this is not directly
related to that. Give Robert some arguments that he might use to convince the board to invest these
funds in security and control.
Answer: Protecting information systems is so critical to the operation of the business that it deserves to
be funded and made a priority in the firm. The firm has very valuable information assets to protect. Our
systems house confidential information about individuals' taxes, financial assets, medical records, and
job performance reviews. They also contain information on corporate operations, including trade secrets,
new product development plans, and marketing strategies. One study estimated that when the security of
a large firm is compromised, the company loses approximately 2.1 percent of its market value within
two days of the security breach, which translates into an average loss of $1.65 billion in stock market
value per incident. Inadequate security and control may result in serious legal liability. Businesses must
protect not only their own information assets but also those of customers, employees, and business
partners. Failure to do so may open the firm to costly litigation for data exposure or theft. An
organization can be held liable for needless risk and harm created if the organization fails to take
appropriate protective action to prevent loss of confidential information, data corruption, or breach of
privacy. A sound security and control framework that protects business information assets can thus
produce a high return on investment. Strong security and control also increase employee productivity
and lower operational costs.
Diff: 3 Type: ES Page Ref: 257
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.2 Business Value of Security And Control

199) Sally is the CEO of a chain of health clinics in Ontario. She is growing more and more concerned
about the security of records in her company. She is wondering about the legal and regulatory
requirements for electronic record management in Canada. What would you advise Sally about the legal
and regulatory requirements for electronic record management in Canada?
Answer: Recent Canadian government regulations are forcing companies to take security and control
more seriously by mandating the protection of data from abuse, exposure, and unauthorized access.
Firms face new legal obligations for the retention and storage of electronic records as well as for privacy
protection. If you work in the health care industry, your firm will need to comply with the provincial
health information privacy legislation mandated in several provinces or with the original Canada
Privacy Act or the newer Personal Information Protection and Electronic Documents Act (PIPEDA).
These acts specify privacy, security, and electronic transaction standards for health care providers
handling patient information, providing penalties for breaches of medical privacy or disclosure of patient
records.
Almost all organizations, specifically those that conduct transactions, must conform to the Personal
Information Protection and Electronic Documents Act. In 2002, the Ontario Legislature passed Bill 198,
known as Canadian SOX, or C-SOX, in response to the U.S. Sarbanes-Oxley Act. It imposes
responsibility on companies and their management to safeguard the accuracy and integrity of financial
information that is used internally and released externally. One of the Learning Tracks for this chapter
discusses C-SOX in detail. C-SOX is fundamentally about ensuring that internal controls are in place to
govern the creation and documentation of information in financial statements. Because information
systems are used to generate, store, and transport such data, the legislation requires firms to consider
information systems security and other controls required to ensure the integrity, confidentiality, and
accuracy of their data. Each system application that deals with critical financial reporting data requires
controls to make sure the data are accurate. Controls to secure the corporate network, prevent
unauthorized access to systems and data, and ensure data integrity and availability in the event of
disaster or other disruption of service are essential as well.
Diff: 3 Type: ES Page Ref: 257
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.2 Business Value of Security And Control

200) Bob wants to use encryption tools in his firm but he is not sure if he should use public key or
private key encryption. He really doesn't understand the differences between the two. Describe the two
types of encryption for Bob.
Answer: There are two alternative methods of encryption: symmetric key encryption and public key
encryption. In symmetric key encryption, the sender and receiver establish a secure Internet session by
creating a single encryption key and sending it to the receiver so both the sender and receiver share the
same key. The strength of the encryption key is measured by its bit length. Today, a typical key will be
128 bits long (a string of 128 binary digits).
The problem with all symmetric encryption schemes is that the key itself must be shared somehow
among the senders and receivers, which exposes the key to outsiders who might just be able to intercept
and decrypt the key. A more secure form of encryption called public key encryption uses two keys: one
shared (or public) and one totally private. The keys are mathematically related so that data encrypted
with one key can be decrypted using only the other key. To send and receive messages, communicators
first create separate pairs of private and public keys. The public key is kept in a directory and the private
key must be kept secret. The sender encrypts a message with the recipient's public key. On receiving the
message, the recipient uses his or her private key to decrypt it.
Diff: 3 Type: ES Page Ref: 267
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

201) Your company notices that many of its employees peruse Facebook during their day at work. Should
your business be concerned? Why?
Answer: Your business should be concerned from the aspect of securing your information systems.
Facebook is also a great place for losing your identity or being attacked by malicious software.
Malicious software on social networking sites such as Facebook and MySpace is 10 times more
successful at infecting users than e-mail-based attacks. Moreover, IT security firm Sophos reported that
Facebook poses the greatest security risk of all the social networking sites. Recovering from these
attacks is time-consuming and costly, especially for business firms.
Diff: 3 Type: ES Page Ref: 244
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.4 Technologies and Tools For Safeguarding Information Resources

202) We are looking at putting antivirus software on all of our business computers. One employee stated
that he thought it was a bad idea because he felt that antivirus software is the virus. Does this employee
have a point?
Answer: Yes, he has a point. McAfee is a prominent antivirus software and computer security company
based in Santa Clara, California. Its popular VirusScan product is used by companies and individual
consumers across the world.

On April 21, 2010, McAfee made a blunder that threatened to destroy that track record and prompted the
possible departure of hundreds of valued customers. McAfee released what should have been a routine
update for its flagship VirusScan product that was intended to deal with a powerful new virus known as
"W32/wecorl.a." Instead, McAfee's update caused potentially hundreds of thousands of McAfee-equipped
machines running Windows XP to crash and fail to reboot.

Another reason that the problem spread so quickly without detection was the increasing demand for
faster antivirus updates. Most companies aggressively deploy their updates to ensure that machines
spend as little time exposed to new viruses as possible. McAfee's update reached a large number of
machines so quickly without detection because most companies trust their antivirus provider to get it
right.
Diff: 3 Type: ES Page Ref: 255-256
AACSB: Analytic skills
CASE: Analysis
A-level Heading: 8.1 System Vulnerability and Abuse
