c. Noting discrepancies by those who receive reports

d. Reviewing undocumented transactions

115. a. Superzapping, which is an IBM utility program, leaves no evidence of file changes, and the only reliable way to detect this activity is by comparing current data files with previous generations of the same file. Computer usage logs may not capture superzapping activity. Users may not detect changes in their reports. It is difficult to find, let alone review, the undocumented transactions. Even if these transactions are found, there is no assurance that the task is complete.

116. With respect to computer security, a legal liability exists to an organization under which of the following conditions?

a. When estimated security costs are greater than estimated losses.

b. When estimated security costs are equal to estimated losses.

c. When estimated security costs are less than estimated losses.

d. When actual security costs are equal to actual losses.

116. c. Courts do not expect organizations to spend more money than losses resulting from a security flaw, threat, risk, or vulnerability. Implementing countermeasures and safeguards to protect information system assets costs money. Losses can result from risks, that is, exploitation of vulnerabilities. When estimated costs are less than estimated losses, then a legal liability exists. Courts can argue that the organization’s management should have installed safeguards but did not, and that management did not exercise due care and due diligence.

When estimated security costs are greater than estimated losses, they pose no legal liability because costs are greater than losses. When estimated security costs are equal to estimated losses, the situation requires judgment and qualitative considerations because costs are equal to losses. The situation when actual security costs are equal to actual losses is not applicable because actual costs and actual losses are not known at the time of implementing safeguards.

117. Which of the following is used by major software vendors to update software for their customers?

a. Pull technology

b. Push technology

c. Pull-push technology

d. Push-pull technology

117. b. For convenience, major vendors are offering software updates via secure channels using “push” technology. This technology automatically installs the update files at a scheduled time or upon user request. There is a trade-off here between convenience and security. An attacker can “spoof” a customer into accepting a Trojan horse masquerading as an update. Security technical staff should always review update files and patches before installing them. It is safe to download the update files and patches directly from the vendor’s website via a secure connection. The pull technology is used by customers to receive information from websites.

118. Changing firewall rulesets is a part of which of the following recovery actions for a computer security incident?

a. Restoring systems from clean backups

b. Replacing compromised files with clean versions

c. Employing higher levels of network monitoring

d. Tightening network perimeter security

118. d. In recovery from incidents, administrators restore systems to normal operation and harden systems to prevent similar incidents. Changing firewall rulesets is done to tighten network perimeter security. The other three choices are part of the recovery process.

119. Which of the following security techniques allow time for response by investigative authorities?

a. Deter

b. Detect

c. Delay

d. Deny

119. c. If a system perpetrator can be delayed longer while he is attacking a computer system, investigative authorities can trace his origins and location. The other three choices would not allow such a trap.

120. What is most of the evidence submitted in a computer crime case?

a. Corroborative evidence

b. Documentary evidence

c. Secondary evidence

d. Admissible evidence

120. b. Documentary evidence is created information such as letters, contracts, accounting records, invoices, and management information reports on performance and production.
