
42) Murray Snitzel called a meeting of the top management at Snitzel Capital
Management. Number one on the agenda was computer system security. "The risk of
security breach incidents has become unacceptable," he said, and turned to the Chief
Information Officer. "This is your responsibility! What do you intend to do?" Which of
the following is the best answer?
A) Evaluate and modify the system using the Trust Services framework.
B) Evaluate and modify the system using the COSO Internal Control Framework.
C) Evaluate and modify the system using the CTC checklist.
D) Evaluate and modify the system using COBOL.
Answer: A
Page Ref: 221
Objective: Learning Objective 1
Difficulty : Moderate
AACSB: Analytic
43) Which of the following is the most effective method of protecting against social
engineering attacks on a computer system?
A) stateful packet filtering
B) employee awareness training
C) a firewall
D) a demilitarized zone
Answer: B
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
44) The most effective way to protect network resources, like email servers, that are
outside of the network and are exposed to the Internet is
A) stateful packet filtering.
B) employee training.
C) a firewall.
D) a demilitarized zone.
Answer: D
Page Ref: 230
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
45) All employees of E.C. Hoxy are required to pass through a gate and present their
photo identification cards to the guard before they are admitted. Entry to secure areas,
such as the Information Technology Department offices, requires further procedures. This
is an example of a(an)
A) authentication control.
B) authorization control.
C) physical access control.
D) hardening procedure.
Answer: C
Page Ref: 229
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
46) On February 14, 2008, students enrolled in an economics course at Swingline College
received an email stating that class would be cancelled. The email claimed to be from the
professor, but it wasn't. Computer forensic experts determined that the email was sent
from a computer in one of the campus labs at 9:14 A.M. They were then able to uniquely
identify the computer that was used by means of its network interface card's ________
address. Security cameras revealed the identity of the student responsible for spoofing the
class.
A) TCP/IP
B) MAC
C) DMZ
D) IDS
Answer: B
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Difficult
AACSB: Analytic
47) There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the
"black hat" hackers. He had researched an exploit and determined that he could penetrate
the target system, download a file containing valuable data, and cover his tracks in eight
minutes. Six minutes into the attack he was locked out of the system. Using the notation
of the time-based model of security, which of the following must be true?
A) P < 6
B) D = 6
C) P = 6
D) P > 6
Answer: D
Page Ref: 224
Objective: Learning Objective 2
Difficulty : Difficult
AACSB: Analytic
48) Identify three ways users can be authenticated and give an example of each.
Answer: Users can be authenticated by verifying: 1. something they know (password); 2.
something they have (smart card or ID badge); 3. something they are (biometric
identification, such as a fingerprint).
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

49) Describe four requirements of effective passwords.
Answer: 1. Strong passwords should be at least 8 characters. 2. Passwords should use a
mixture of upper and lowercase letters, numbers and special characters. 3. Passwords should be
random and not words found in dictionaries. 4. Passwords should be changed frequently.
Page Ref: 227
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

50) Explain social engineering.
Answer: Social engineering attacks use deception to obtain unauthorized access to
information resources, such as attackers who pose as a janitor or as a legitimate system
user. Employees must be trained not to divulge passwords or other information about
their accounts to anyone who contacts them and claims to be part of the organization's
security team.
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
51) Explain the value of penetration testing.
Answer: Penetration testing involves an authorized attempt by an internal audit team or
an external security consultant to break into the organization's information system. This
type of service is provided by risk management specialists in all the Big Four accounting
firms. These specialists spend more than half of their time on security matters. The team
attempts to compromise the system using every means possible. With a combination of
systems technology skills and social engineering, these teams often find weaknesses in
systems that were believed to be secure.
Page Ref: 238
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Reflective Thinking
52) Describe the function of a computer incident response team (CIRT) and the steps that
a CIRT should perform following a security incident.
Answer: A CIRT is responsible for dealing with major security incidents and breaches.
The team should include technical specialists and senior operations management. In
response to a security incident, first the CIRT must recognize that a problem exists. Log
analysis and intrusion detection systems can be used to detect problems and alert the CIRT.
Second, the problem must be contained, perhaps by shutting down a server or curtailing
traffic on the network. Third, the CIRT must focus on recovery. Corrupt programs may
need to be reinstalled and data restored from backups. Finally, the CIRT must follow up
to discover how the incident occurred and to design corrective controls to prevent similar
incidents in the future.
Page Ref: 239
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
53) Identify six physical access controls.
Answer: Require visitors to sign in and receive a visitor badge before being escorted by
an employee; require employees to wear photo ID badges that are checked by security
guards; physical locks and keys; storing documents and electronic media in a fire-proof
safe or cabinet; restrict or prohibit cell phones, iPods and other portable devices; set
screen savers to start after a few minutes of inactivity; set computers to lock keyboards
after a few minutes of inactivity; utilize screen protection devices; use biometric devices
to authorize access to spaces and equipment; attach and lock laptops to immobile objects;
utilize magnetic or chip cards to authorize access to spaces and equipment; limit or
prohibit windows and glass walls in sensitive areas.
Page Ref: 229-230
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic