ITM 102 FINAL EXAM QUESTIONS
WITH CORRECT DETAILED
ANSWERS (GRADED A+)
Cybervandalism - Answer-the intentional disruption, defacement, or even destruction of
a website or corporate information system.
Spoofing and Sniffing - Answer-Spoofing is when hackers attempting to hide their true
identities often spoof, or misrepresent, themselves by using fake email addresses or
masquerading as someone else. Spoofing may also involve redirecting a web link to an
address different from the intended one, with the site masquerading as the intended
destination. For example, if hackers redirect customers to a fake website that looks
almost exactly like the true site, they can then collect and process orders, effectively
stealing business as well as sensitive customer information from the true site.
A sniffer is a type of eavesdropping program that monitors information traveling over a
network. When used legitimately, sniffers help identify potential network trouble spots or
criminal activity on networks, but when used for criminal purposes, they can be
damaging and very difficult to detect. Sniffers enable hackers to steal proprietary
information from anywhere on a network, including email messages, company files, and
confidential reports.
Denial-of-Service Attacks (DOS) - Answer-hackers flood a network server or web server
with many thousands of false communications or requests for services to crash the
network. The network receives so many queries that it cannot keep up with them and is
thus unavailable to service legitimate requests.
Distributed Denial of service (DDoS) - Answer-Attack uses numerous computers to
inundate and overwhelm the network from numerous launch points.
Botnet - Answer-Hackers create these botnets by infecting other people's computers
with bot malware that opens a back door through which an attacker can give
instructions. The infected computer then becomes a slave, or zombie, serving a master
computer belonging to someone else. When hackers infect enough computers, they can
use the amassed resources of the botnet to launch DDoS attacks, phishing campaigns,
or unsolicited spam email. Ninety percent of the world's spam and 80 percent of the
world's malware are delivered by botnets.
Computer Crime - Answer-Computer crime is defined by the U.S. Department of Justice
as "any violations of criminal law that involve a knowledge of computer technology for
their perpetration, investigation, or prosecution."
,Identity Theft - Answer-is a crime in which an imposter obtains key pieces of personal
information, such as social security numbers, driver's license numbers, or credit card
numbers, to impersonate someone else. The information may be used to obtain credit,
merchandise, or services in the name of the victim or to provide the thief with false
credentials. Identity theft has flourished on the Internet, with credit card files a major
target of website hackers (see the chapter-ending case study). According to the 2018
Identity Fraud Study by Javelin Strategy & Research, identity fraud affected 16.7 million
U.S. consumers in 2017, and they lost nearly $17 billion to identity fraud that year.
TYPES are Phishing, Evil Twins, and Pharming.
Phishing - Answer-Form of spoofing. Phishing involves setting up fake websites or
sending email messages that look like those of legitimate businesses to ask users for
confidential personal data. The email message instructs recipients to update or confirm
records by providing social security numbers, bank and credit card information, and
other confidential data, either by responding to the email message, by entering the
information at a bogus website, or by calling a telephone number.
Evil Twins - Answer-are wireless networks that pretend to offer trustworthy Wi-Fi
connections to the Internet, such as those in airport lounges, hotels, or coffee shops.
The bogus network looks identical to a legitimate public network. Fraudsters try to
capture passwords or credit card numbers of unwitting users who log on to the network.
Pharming - Answer-Redirects users to a bogus web page, even when the individual
types the correct web page address into his or her browser. This is possible if pharming
perpetrators gain access to the Internet address information Internet service providers
(ISPs) store to speed up web browsing and flawed software on ISP servers allows the
fraudsters to hack in and change those addresses.
Click Fraud - Answer-occurs when an individual or computer program fraudulently clicks
an online ad without any intention of learning more about the advertiser or making a
purchase. Click fraud has become a serious problem at Google and other websites that
feature pay-per-click online advertising.
Cyberwarfare - Answer-is a state-sponsored activity designed to cripple and defeat
another state or nation by penetrating its computers or networks to cause damage and
disruption. One example is the efforts of Russian hackers to disrupt the U.S. elections
described in the chapter-opening case. The infamous 2014 hack on Sony has been
attributed to state actors from North Korea.
Social Engineering - Answer-Tricking people into revealing their passwords by
pretending to be legitimate users or members of a company in need of information.
Bugs - Answer-A major problem with software problem is the presence of hidden bugs
or program code defects. The main source of bugs is the complexity of decision-making
code. A relatively small program of several hundred lines will contain tens of decisions
,leading to hundreds or even thousands of paths. Important programs within most
corporations are usually much larger, containing tens of thousands or even millions of
lines of code, each with many times the choices and paths of the smaller programs.
HIPAA - Answer-Law outlining rules for medical security, privacy, and the management
of healthcare records.
Gramm-Leach-Bliley Act - Answer-Requires Financial institutions to ensure the security
and confidentiality of customer data.
Sarbanes-Oxley Act - Answer-Law passed in 2002 that imposes responsibility on
companies and their management to protect investors by safeguarding the accuracy
and integrity of financial information that is used internally and released externally.
Computer Forensics - Answer-is the scientific collection, examination, authentication,
preservation, and analysis of data held on or retrieved from computer storage media in
such a way that the information can be used as evidence in a court of law.
General Controls - Answer-Govern the design, security, and use of computer programs
and the security of data files in general throughout the organization's information
technology infrastructure. On the whole, general controls apply to all computerized
applications and consist of a combination of hardware, software, and manual
procedures that create an overall control environment.
Software controls - Answer-Monitor the use of system software and prevent
unauthorized access and use of software programs, system software, and computer
programs.
Hardware controls - Answer-Ensure that computer hardware is physically secure and
check for equipment malfunction. Organizations that are critically dependent on their
computers also must make provisions for backup or continued operation to maintain
constant service.
Computer operations controls - Answer-Oversee the work of the computer department
to ensure that programmed procedures are consistently and correctly applied to the
storage and processing of data. They include controls over the setup of computer
processing jobs and backup and recovery procedures for processing that ends
abnormally.
Data security controls - Answer-Ensure that valuable business data files maintained
internally or by an external hosting service are not subject to unauthorized access,
change, or destruction while they are in use or in storage.
Implementation controls - Answer-Audit the systems development process at various
points to ensure that the process is properly controlled and managed.
, Administrative controls - Answer-Formalize standards, rules, procedures, and control
disciplines to ensure that the organization's general and application controls are
properly executed and enforced.
Application Controls - Answer-are specific controls unique to each computerized
application, such as payroll or order processing. They include both automated and
manual procedures that ensure that only authorized data are completely and accurately
processed by that application. Application controls can be classified as (1) input
controls, (2) processing controls, and (3) output controls.
Input controls check data for accuracy and completeness when they enter the system.
There are specific input controls for input authorization, data conversion, data editing,
and error handling. Processing controls establish that data are complete and accurate
during updating. Output controls ensure that the results of computer processing are
accurate, complete, and properly distributed.
Risk Assessment - Answer-determines the level of risk to the firm if a specific activity or
process is not properly controlled. Not all risks can be anticipated and measured, but
most businesses will be able to acquire some understanding of the risks they face.
Security Policy - Answer-consists of statements ranking information risks, identifying
acceptable security goals, and identifying the mechanisms for achieving these goals.
Acceptable use policy (AUP) - Answer-defines acceptable uses of the firm's information
resources and computing equipment, including desktop and laptop computers, mobile
devices, telephones, and the Internet. A good AUP defines unacceptable and
acceptable actions for every user and specifies consequences for noncompliance.
Disaster Recovery Planning - Answer-Devises plans for the restoration of disrupted
computing and communications services. Disaster recovery plans focus primarily on the
technical issues involved in keeping systems up and running, such as which files to
back up and the maintenance of backup computer systems or disaster recovery
services.
Business Continuity Planning - Answer-Focuses on how the company can restore
business operations after a disaster strikes. The business continuity plan identifies
critical business processes and determines action plans for handling mission-critical
functions if systems go down.
Information Systems Audit - Answer-Software automates the process of keeping track
of all these users and their system privileges, assigning each user a unique digital
identity for accessing each system. It also includes tools for authenticating users,
protecting user identities, and controlling access to system resources.
WITH CORRECT DETAILED
ANSWERS (GRADED A+)
Cybervandalism - Answer-the intentional disruption, defacement, or even destruction of
a website or corporate information system.
Spoofing and Sniffing - Answer-Spoofing is when hackers attempting to hide their true
identities often spoof, or misrepresent, themselves by using fake email addresses or
masquerading as someone else. Spoofing may also involve redirecting a web link to an
address different from the intended one, with the site masquerading as the intended
destination. For example, if hackers redirect customers to a fake website that looks
almost exactly like the true site, they can then collect and process orders, effectively
stealing business as well as sensitive customer information from the true site.
A sniffer is a type of eavesdropping program that monitors information traveling over a
network. When used legitimately, sniffers help identify potential network trouble spots or
criminal activity on networks, but when used for criminal purposes, they can be
damaging and very difficult to detect. Sniffers enable hackers to steal proprietary
information from anywhere on a network, including email messages, company files, and
confidential reports.
Denial-of-Service Attacks (DOS) - Answer-hackers flood a network server or web server
with many thousands of false communications or requests for services to crash the
network. The network receives so many queries that it cannot keep up with them and is
thus unavailable to service legitimate requests.
Distributed Denial of service (DDoS) - Answer-Attack uses numerous computers to
inundate and overwhelm the network from numerous launch points.
Botnet - Answer-Hackers create these botnets by infecting other people's computers
with bot malware that opens a back door through which an attacker can give
instructions. The infected computer then becomes a slave, or zombie, serving a master
computer belonging to someone else. When hackers infect enough computers, they can
use the amassed resources of the botnet to launch DDoS attacks, phishing campaigns,
or unsolicited spam email. Ninety percent of the world's spam and 80 percent of the
world's malware are delivered by botnets.
Computer Crime - Answer-Computer crime is defined by the U.S. Department of Justice
as "any violations of criminal law that involve a knowledge of computer technology for
their perpetration, investigation, or prosecution."
,Identity Theft - Answer-is a crime in which an imposter obtains key pieces of personal
information, such as social security numbers, driver's license numbers, or credit card
numbers, to impersonate someone else. The information may be used to obtain credit,
merchandise, or services in the name of the victim or to provide the thief with false
credentials. Identity theft has flourished on the Internet, with credit card files a major
target of website hackers (see the chapter-ending case study). According to the 2018
Identity Fraud Study by Javelin Strategy & Research, identity fraud affected 16.7 million
U.S. consumers in 2017, and they lost nearly $17 billion to identity fraud that year.
TYPES are Phishing, Evil Twins, and Pharming.
Phishing - Answer-Form of spoofing. Phishing involves setting up fake websites or
sending email messages that look like those of legitimate businesses to ask users for
confidential personal data. The email message instructs recipients to update or confirm
records by providing social security numbers, bank and credit card information, and
other confidential data, either by responding to the email message, by entering the
information at a bogus website, or by calling a telephone number.
Evil Twins - Answer-are wireless networks that pretend to offer trustworthy Wi-Fi
connections to the Internet, such as those in airport lounges, hotels, or coffee shops.
The bogus network looks identical to a legitimate public network. Fraudsters try to
capture passwords or credit card numbers of unwitting users who log on to the network.
Pharming - Answer-Redirects users to a bogus web page, even when the individual
types the correct web page address into his or her browser. This is possible if pharming
perpetrators gain access to the Internet address information Internet service providers
(ISPs) store to speed up web browsing and flawed software on ISP servers allows the
fraudsters to hack in and change those addresses.
Click Fraud - Answer-occurs when an individual or computer program fraudulently clicks
an online ad without any intention of learning more about the advertiser or making a
purchase. Click fraud has become a serious problem at Google and other websites that
feature pay-per-click online advertising.
Cyberwarfare - Answer-is a state-sponsored activity designed to cripple and defeat
another state or nation by penetrating its computers or networks to cause damage and
disruption. One example is the efforts of Russian hackers to disrupt the U.S. elections
described in the chapter-opening case. The infamous 2014 hack on Sony has been
attributed to state actors from North Korea.
Social Engineering - Answer-Tricking people into revealing their passwords by
pretending to be legitimate users or members of a company in need of information.
Bugs - Answer-A major problem with software problem is the presence of hidden bugs
or program code defects. The main source of bugs is the complexity of decision-making
code. A relatively small program of several hundred lines will contain tens of decisions
,leading to hundreds or even thousands of paths. Important programs within most
corporations are usually much larger, containing tens of thousands or even millions of
lines of code, each with many times the choices and paths of the smaller programs.
HIPAA - Answer-Law outlining rules for medical security, privacy, and the management
of healthcare records.
Gramm-Leach-Bliley Act - Answer-Requires Financial institutions to ensure the security
and confidentiality of customer data.
Sarbanes-Oxley Act - Answer-Law passed in 2002 that imposes responsibility on
companies and their management to protect investors by safeguarding the accuracy
and integrity of financial information that is used internally and released externally.
Computer Forensics - Answer-is the scientific collection, examination, authentication,
preservation, and analysis of data held on or retrieved from computer storage media in
such a way that the information can be used as evidence in a court of law.
General Controls - Answer-Govern the design, security, and use of computer programs
and the security of data files in general throughout the organization's information
technology infrastructure. On the whole, general controls apply to all computerized
applications and consist of a combination of hardware, software, and manual
procedures that create an overall control environment.
Software controls - Answer-Monitor the use of system software and prevent
unauthorized access and use of software programs, system software, and computer
programs.
Hardware controls - Answer-Ensure that computer hardware is physically secure and
check for equipment malfunction. Organizations that are critically dependent on their
computers also must make provisions for backup or continued operation to maintain
constant service.
Computer operations controls - Answer-Oversee the work of the computer department
to ensure that programmed procedures are consistently and correctly applied to the
storage and processing of data. They include controls over the setup of computer
processing jobs and backup and recovery procedures for processing that ends
abnormally.
Data security controls - Answer-Ensure that valuable business data files maintained
internally or by an external hosting service are not subject to unauthorized access,
change, or destruction while they are in use or in storage.
Implementation controls - Answer-Audit the systems development process at various
points to ensure that the process is properly controlled and managed.
, Administrative controls - Answer-Formalize standards, rules, procedures, and control
disciplines to ensure that the organization's general and application controls are
properly executed and enforced.
Application Controls - Answer-are specific controls unique to each computerized
application, such as payroll or order processing. They include both automated and
manual procedures that ensure that only authorized data are completely and accurately
processed by that application. Application controls can be classified as (1) input
controls, (2) processing controls, and (3) output controls.
Input controls check data for accuracy and completeness when they enter the system.
There are specific input controls for input authorization, data conversion, data editing,
and error handling. Processing controls establish that data are complete and accurate
during updating. Output controls ensure that the results of computer processing are
accurate, complete, and properly distributed.
Risk Assessment - Answer-determines the level of risk to the firm if a specific activity or
process is not properly controlled. Not all risks can be anticipated and measured, but
most businesses will be able to acquire some understanding of the risks they face.
Security Policy - Answer-consists of statements ranking information risks, identifying
acceptable security goals, and identifying the mechanisms for achieving these goals.
Acceptable use policy (AUP) - Answer-defines acceptable uses of the firm's information
resources and computing equipment, including desktop and laptop computers, mobile
devices, telephones, and the Internet. A good AUP defines unacceptable and
acceptable actions for every user and specifies consequences for noncompliance.
Disaster Recovery Planning - Answer-Devises plans for the restoration of disrupted
computing and communications services. Disaster recovery plans focus primarily on the
technical issues involved in keeping systems up and running, such as which files to
back up and the maintenance of backup computer systems or disaster recovery
services.
Business Continuity Planning - Answer-Focuses on how the company can restore
business operations after a disaster strikes. The business continuity plan identifies
critical business processes and determines action plans for handling mission-critical
functions if systems go down.
Information Systems Audit - Answer-Software automates the process of keeping track
of all these users and their system privileges, assigning each user a unique digital
identity for accessing each system. It also includes tools for authenticating users,
protecting user identities, and controlling access to system resources.
