135. Indicate the correct sequence in which primary questions must be addressed when an organization is determined to do a security review for fraud.
1. How vulnerable is the organization?
2. How can the organization detect fraud?
3. How would someone go about defrauding the organization?
4. What does the organization have that someone would want to defraud?
a. 1, 2, 3, and 4
b. 3, 4, 2, and 1
c. 2, 4, 1, and 3
d. 4, 3, 1, and 2
135. d. The question is asking for the correct sequence of activities that should take place when reviewing for fraud. The organization should have something of value to others. Detection of fraud is least important; prevention is most important.
136. Which of the following zero-day attack protection mechanisms is not suitable for computing environments with a large number of users?
a. Port knocking
b. Access control lists
c. Local server-based firewalls
d. Hardware-based firewalls
136. a. The use of port knocking or single packet authorization daemons can provide effective protection against zero-day attacks for a small number of users. However, these techniques are not suitable for computing environments with a large number of users. The other three choices are effective protection mechanisms because they are part of multiple-layer security, providing the first line of defense. These include implementing access control lists (one layer), restricting network access via local server firewalling (i.e., iptables) as another layer, and protecting the entire network with a hardware-based firewall (another layer). All three of these layers provide redundant protection in case a compromise in any one of them is discovered.
137. A computer fraud occurred using an online accounts receivable database application system. Which of the following logs is most useful in detecting which data files were accessed from which terminals?
a. Database log
b. Access control security log
c. Telecommunications log
d. Application transaction log
137. b. Access control security logs are detective controls. Access logs show who accessed what data files, when, and from what terminal, including the nature of the security violation. The other three choices are incorrect because database logs, telecommunication logs, and application transaction logs do not show who accessed what data files, when, and from what terminal, including the nature of the security violation.
138. Audit trails should be reviewed. Which of the following methods is not the best way to perform a query to generate reports of selected information?
a. By a known damage or occurrence
b. By a known user identification
c. By a known terminal identification
d. By a known application system name
138. a. Damage or the occurrence of an undesirable event cannot be anticipated or predicted in advance, thus making it difficult to make a query. The system design cannot handle unknown events. Audit trails can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Reviewers need to understand what normal activity looks like. An audit trail review is easier if the audit trail function can be queried by user ID, terminal ID, application system name, date and time, or some other set of parameters to run reports of selected information.
139. Which of the following can prevent dumpster diving?
a. Installing surveillance equipment
b. Using a data destruction process
c. Hiring additional staff to watch data destruction
d. Sending an e-mail message to all employees
139. b. Dumpster diving can be avoided by using a high-quality data destruction process on a regular basis. This should include paper shredding and electrical disruption of data on magnetic media such as tape, cartridge, or disk.
140. Identify the computer-related crime and fraud method that involves obtaining information that may be left in or around a computer system after the execution of a job.
a. Data diddling
b. Salami technique
c. Scavenging
d. Piggybacking