Edit and limit checks, reconciliation, and exception reports are incorrect because they are an example of a detective control. Detective controls identify errors or events that were not prevented and identify undesirable events after they have occurred. Detective controls should identify expected error types, as well as those that are not expected to occur.

134. What is an attack in which someone compels system users or administrators into revealing information that can be used to gain access to the system for personal gain called?

a. Social engineering

b. Electronic trashing

c. Electronic piggybacking

d. Electronic harassment

134. a. Social engineering involves getting system users or administrators to divulge information about computer systems, including passwords, or to reveal weaknesses in systems. Personal gain involves stealing data and subverting computer systems. Social engineering involves trickery or coercion.

Electronic trashing is incorrect because it involves accessing residual data after a file has been deleted. When a file is deleted, it does not actually delete the data but simply rewrites a header record. The data is still there for a skilled person to retrieve and benefit from.

Electronic piggybacking is incorrect because it involves gaining unauthorized access to a computer system via another user’s legitimate connection. Electronic harassment is incorrect because it involves sending threatening electronic-mail messages and slandering people on bulletin boards, news groups, and on the Internet. The other three choices do not involve trickery or coercion.

135. Indicate the correct sequence in which primary questions must be addressed when an organization is determined to do a security review for fraud.

1. How vulnerable is the organization?

2. How can the organization detect fraud?

3. How would someone go about defrauding the organization?

4. What does the organization have that someone would want to defraud?

a. 1, 2, 3, and 4

b. 3, 4, 2, and 1

c. 2, 4, 1, and 3

d. 4, 3, 1, and 2

135. d. The question is asking for the correct sequence of activities that should take place when reviewing for fraud. The organization should have something of value to others. Detection of fraud is least important; prevention is most important.

136. Which of the following zero-day attack protection mechanisms is not suitable to computing environments with a large number of users?

a. Port knocking

b. Access control lists

c. Local server-based firewalls

d. Hardware-based firewalls

136. a. The use of port knocking or single packet authorization daemons can provide effective protection against zero-day attacks for a small number of users. However, these techniques are not suitable for computing environments with a large number of users. The other three choices are effective protection mechanisms because they are a part of multiple layer security, providing the first line-of-defense. These include implementing access control lists (one layer), restricting network access via local server firewalling (i.e., IP tables) as another layer, and protecting the entire network with a hardware-based firewall (another layer). All three of these layers provide redundant protection in case a compromise in any one of them is discovered.

137. A computer fraud occurred using an online accounts receivable database application system. Which of the following logs is most useful in detecting which data files were accessed from which terminals?

a. Database log

b. Access control security log

c. Telecommunications log

d. Application transaction log

137. b. Access control security logs are detective controls. Access logs show who accessed what data files, when, and from what terminal, including the nature of the security violation. The other three choices are incorrect because database logs, telecommunication logs, and application transaction logs do not show who accessed what data files, when, and from what terminal, including the nature of the security violation.

138. Audit trails should be reviewed. Which of the following methods is not the best way to perform a query to generate reports of selected information?

a. By a known damage or occurrence

b. By a known user identification

c. By a known terminal identification

d. By a known application system name

138. a. Damage or the occurrence of an undesirable event cannot be anticipated or predicted in advance, thus making it difficult to make a query. The system design cannot handle unknown events. Audit trails can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Reviewers need to understand what normal activity looks like. An audit trail review is easier if the audit trail function can be queried by user ID, terminal ID, application system name, date and time, or some other set of parameters to run reports of selected information.

139. Which of the following can prevent dumpster diving?

a. Installing surveillance equipment

b. Using a data destruction process

c. Hiring additional staff to watch data destruction

d. Sending an e-mail message to all employees

139. b. Dumpster diving can be avoided by using a high-quality data destruction process on a regular basis. This should include paper shredding and electrical disruption of data on magnetic media such as tape, cartridge, or disk.

140. Identify the computer-related crime and fraud method that involves obtaining information that may be left in or around a computer system after the execution of a job.

a. Data diddling

b. Salami technique

c. Scavenging

d. Piggybacking

140. c. Scavenging is obtaining information that may be left in or around a computer system after the execution of a job. Data diddling involves changing data before or during input to computers or during output from a computer system. The salami technique is theft of small amounts of assets (primarily money) from a number of sources. Piggybacking can be done physically or electronically. Both methods involve gaining access to a controlled area without authorization.

141. An exception-based security report is an example of which of the following?

a. Preventive control

b. Detective control

c. Corrective control

d. Directive control

141. c. Detecting an exception in a transaction or process is detective in nature, but reporting it is an example of corrective control. Both preventive and directive controls do not either detect or correct an error; they simply stop it if possible.

142. There is a possibility that incompatible functions may be performed by the same individual either in the IT department or in the user department. One compensating control for this situation is the use of: