Exam (elaborations)

Computer Security Principles And Practice 3rd Edition by Stalling - Test Bank

Pages
168
Grade
A
Uploaded on
20-09-2023
Written in
2022/2023

Chapter 1 – Computer Systems Overview

TRUE/FALSE QUESTIONS:

T F 1. Threats are attacks carried out.
T F 2. Computer security is protection of the integrity, availability, and confidentiality of information system resources.
T F 3. Data integrity assures that information and programs are changed only in a specified and authorized manner.
T F 4. Availability assures that systems work promptly and service is not denied to authorized users.
T F 5. The “A” in the CIA triad stands for “authenticity”.
T F 6. The more critical a component or service, the higher the level of availability required.
T F 7. Computer security is essentially a battle of wits between a perpetrator who tries to find holes and the administrator who tries to close them.
T F 8. Security mechanisms typically do not involve more than one particular algorithm or protocol.
T F 9. Many security administrators view strong security as an impediment to efficient and user-friendly operation of an information system.
T F 10. In the context of security our concern is with the vulnerabilities of system resources.
T F 11. Hardware is the most vulnerable to attack and the least susceptible to automated controls.
T F 12. Contingency planning is a functional area that primarily requires computer security technical measures.
T F 13. X.800 architecture was developed as an international standard and focuses on security in the context of networks and communications.
T F 14. The first step in devising security services and mechanisms is to develop a security policy.
T F 15. Assurance is the process of examining a computer product or system with respect to certain criteria.

MULTIPLE CHOICE QUESTIONS:

1. __________ assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
   A. Availability   B. Privacy   C. System Integrity   D. Data Integrity
2. ________ assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
   A. System Integrity   B. Availability   C. Data Integrity   D. Confidentiality
3. A loss of _________ is the unauthorized disclosure of information.
   A. confidentiality   B. authenticity   C. integrity   D. availability
4. A ________ level breach of security could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
   A. low   B. moderate   C. normal   D. high
5. A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy is a(n) __________.
   A. countermeasure   B. adversary   C. vulnerability   D. risk
6. An assault on system security that derives from an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system is a(n) __________.
   A. risk   B. attack   C. asset   D. vulnerability
7. A(n) __________ is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
   A. attack   B. adversary   C. countermeasure   D. protocol
8. A(n) _________ is an attempt to learn or make use of information from the system that does not affect system resources.
   A. passive attack   B. outside attack   C. inside attack   D. active attack
9. Masquerade, falsification, and repudiation are threat actions that cause __________ threat consequences.
   A. unauthorized disclosure   B. disruption   C. deception   D. usurpation
10. A threat action in which sensitive data are directly released to an unauthorized entity is __________.
   A. corruption   B. intrusion   C. disruption   D. exposure
11. An example of __________ is an attempt by an unauthorized user to gain access to a system by posing as an authorized user.
   A. masquerade   B. repudiation   C. interception   D. inference
12. The _________ prevents or inhibits the normal use or management of communications facilities.
   A. passive attack   B. denial of service   C. traffic encryption   D. masquerade
13. A __________ is any action that compromises the security of information owned by an organization.
   A. security mechanism   B. security policy   C. security attack   D. security service
14. The assurance that data received are exactly as sent by an authorized entity is __________.
   A. authentication   B. access control   C. data confidentiality   D. data integrity
15. __________ is the insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
   A. Traffic padding   B. Traffic control   C. Traffic routing   D. Traffic integrity

SHORT ANSWER QUESTIONS:

1. __________ is the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources.
2. Confidentiality, Integrity, and Availability form what is often referred to as the _____.
3. A loss of _________ is the disruption of access to or use of information or an information system.
4. In the United States, student grade information is an asset whose confidentiality is regulated by the __________.
5. A(n) _________ is a threat that is carried out and, if successful, leads to an undesirable violation of security, or threat consequence.
6. A(n) _________ is any means taken to deal with a security attack.
7. Misappropriation and misuse are attacks that result in ________ threat consequences.
8. The assets of a computer system can be categorized as hardware, software, communication lines and networks, and _________.
9. Release of message contents and traffic analysis are two types of _________ attacks.
10. Replay, masquerade, modification of messages, and denial of service are examples of _________ attacks.
11. Establishing, maintaining, and implementing plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations is a __________ plan.
12. A(n) _________ assessment is periodically assessing the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.
13. The OSI security architecture focuses on security attacks, __________, and services.
14. A __________ is data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.
15. Security implementation involves four complementary courses of action: prevention, detection, response, and _________.

Chapter 4 – Access Control

TRUE/FALSE QUESTIONS:

T F 1. Access control is the central element of computer security.
T F 2. The authentication function determines who is trusted for a given purpose.
T F 3. An auditing function monitors and keeps a record of user accesses to system resources.
T F 4. External devices such as firewalls cannot provide access control services.
T F 5. The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner.
T F 6. Security labels indicate which system entities are eligible to access certain resources.
T F 7. Reliable input is an access control requirement.
T F 8. A user may belong to multiple groups.
T F 9. An access right describes the way in which a subject may access an object.
T F 10. The default set of rights should always follow the rule of least privilege or read-only access.
T F 11. A user program executes in a kernel mode in which certain areas of memory are protected from the user’s use and certain instructions may not be executed.
T F 12. Any program that is owned by, and SetUID to, the “superuser” potentially grants unrestricted access to the system to any user executing that program.
T F 13. Traditional RBAC systems define the access rights of individual users and groups of users.
T F 14. A constraint is a defined relationship among roles or a condition related to roles.
T F 15. An ABAC model can define authorizations that express conditions on properties of both the resource and the subject.

MULTIPLE CHOICE QUESTIONS:

1. __________ implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance.
   A. Audit control   B. Resource control   C. System control   D. Access control
2. __________ is verification that the credentials of a user or other system entity are valid.
   A. Adequacy   B. Authentication   C. Authorization   D. Audit
3. _________ is the granting of a right or permission to a system entity to access a system resource.
   A. Authorization   B. Authentication   C. Control   D. Monitoring
4. __________ is the traditional method of implementing access control.
   A. MAC   B. RBAC   C. DAC   D. MBAC
5. __________ controls access based on comparing security labels with security clearances.
   A. MAC   B. DAC   C. RBAC   D. MBAC
6. A concept that evolved out of requirements for military information security is ______.
   A. reliable input   B. mandatory access control   C. open and closed policies   D. discretionary input
7. A __________ is an entity capable of accessing objects.
   A. group   B. object   C. subject   D. owner
8. A(n) __________ is a resource to which access is controlled.
   A. object   B. owner   C. world   D. subject
9. The final permission bit is the _________ bit.
   A. superuser   B. kernel   C. set user   D. sticky
10. __________ is based on the roles the users assume in a system rather than the user’s identity.
   A. DAC   B. RBAC   C. MAC   D. URAC
11. A __________ is a named job function within the organization that controls this computer system.
   A. user   B. role   C. permission   D. session
12. __________ provide a means of adapting RBAC to the specifics of administrative and security policies in an organization.
   A. Constraints   B. Mutually Exclusive Roles   C. Cardinality   D. Prerequisites
13. __________ refers to setting a maximum number with respect to roles.
   A. Cardinality   B. Prerequisite   C. Exclusive   D. Hierarchy
14. Subject attributes, object attributes and environment attributes are the three types of attributes in the __________ model.
   A. DSD   B. RBAC   C. ABAC   D. SSD
15. The __________ component deals with the management and control of the ways entities are granted access to resources.
   A. resource management   B. access management   C. privilege management   D. policy management

SHORT ANSWER QUESTIONS:

1. X.800 defines __________ as the prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
2. An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures is a(n) __________.
3. __________ access control controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.
4. __________ access control controls access based on the identity of the requestor and on access rules stating what requestors are or are not allowed to do.
5. The basic elements of access control are: subject, __________, and access right.
6. Basic access control systems typically define three classes of subject: owner, __________ and world.
7. A __________ access control scheme is one in which an entity may be granted access rights that permit the entity, by its own volition, to enable another entity to access some resource.
8. The __________ user ID is exempt from the usual file access control constraints and has system-wide access.
9. A __________ is a mapping between a user and an activated subset of the set of roles to which the user is assigned.
10. Role hierarchies make use of the concept of __________ to enable one role to implicitly include access rights associated with a subordinate role.
11. A __________ dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role and can be used to structure the implementation of the least privilege concept.
12. There are three key elements to an ABAC model: attributes, which are defined for entities in a configuration; a policy model, which defines the ABAC policies; and the __________ model, which applies to policies that enforce access control.
13. The three types of attributes in the ABAC model are subject attributes, object attributes, and _________ attributes.
14. A __________ is an object or data structure that authoritatively binds an identity to a token possessed and controlled by a subscriber.
15. In digital identity systems, a __________ functions as a certification program.

Computer Security: Principles and Practice, 3rd Edition – Chapter 1



Chapter 1 – Computer Systems Overview

Answer Key



TRUE/FALSE QUESTIONS:

1. F
2. T
3. T
4. T
5. F
6. T
7. T
8. F
9. T
10. T
11. T
12. F
13. T
14. T
15. F


MULTIPLE CHOICE QUESTIONS:

1. B
2. A
3. A
4. D
5. C
6. B
7. C
8. A
9. C
10. D
11. A
12. B
13. C
14. D
15. A

SHORT ANSWER QUESTIONS:

1. Computer Security
2. CIA triad
3. availability
4. FERPA (Family Educational Rights and Privacy Act)
5. attack
6. countermeasure
7. usurpation
8. data
9. passive
10. active
11. contingency
12. risk
13. mechanisms
14. digital signature
15. recovery
