a. Spread spectrum

b. Radio spectrum

c. Radio signals

d. Radio carriers

226. a. New digital communications systems such as time division multiple access (TDMA) or code division multiple access (CDMA) use spread spectrum much more efficiently than analog cellular and other traditional radio systems. The spread spectrum technology uses a wide band of frequencies to send radio signals. The other three choices are not relevant here.

227. Which of the following is inherently efficient and difficult to intercept in the use of wireless technologies?

a. Code division multiple access (CDMA)

b. Time division multiple access (TDMA)

c. Public-switched telephone network (PSTN)

d. Very small aperture terminal (VSAT)

227. a. Code division multiple access (CDMA) is more efficient and secure than time division multiple access (TDMA) because it uses spread spectrum technology more efficiently. Instead of assigning a time slot on a single channel, CDMA uses many different channels simultaneously. CDMA is also inherently more difficult to crack because the coding scheme changes with each conversation and is given only once at the beginning of the transmission.

228. Voice encryption in cell/mobile phones uses which of the following algorithms?

a. RSA

b. 3DES

c. IDEA

d. DES

228. a. Voice encryption schemes are based on Rivest, Shamir, and Adelman (RSA) algorithm to provide privacy protection over mobile or cellular phones. The main constraints with encryption are the slow speed of processing and the lag that occurs if signals take too long to pass through the system. The other three choices (i.e., 3DES, IDEA, and DES) are not used in voice encryption because they are used in transaction encryption.

229. Which of the following network connectivity devices require in-band and out-of-band management services such as administrative access to distributed local-area networks (LANs)?

a. Firewalls and gateways

b. Switches and routers

c. Sensors and bridges

d. Repeaters and modems

229. b. Switches and routers require in-band and out-of-band management services. In in-band management, a secure shell (SSH) session is established with the connectivity device (e.g., switches and routers) in a distributed local-area network (LAN). This method is fast and convenient but less secure due to use of Telnet, line sniffing, and interception of privileged passwords.

In out-of-band management, the communications device is accessed via a dial-up circuit with a modem, directly connected terminal device, or LANs dedicated to managing traffic. Whether in-band or out-of-band, network paths and sessions used to access the device should be protected. The other three choices do not require in-band and out-of-band management services such as administrative access because they have their own access methods.

230. For information system monitoring, which of the following anomaly within an information system is most risky?

a. Large file transfers

b. Unusual protocols and ports in use

c. Attempted communications with suspected external addresses

d. Long-time persistent connections

230. c. Anomalies at selected interior points within a system (e.g., subnets and subsystems) include large file transfers, unusual protocols and ports in use, long-time persistent connections, and attempted communications with suspected external addresses. Of these, the attempted communications with suspected (malicious) external addresses is most risky. The other three choices are less risky.

231. Which of the following are especially needed to provide a trustworthy cloud computing infrastructure?

1. ISO/IEC 27001 certification

2. AICPA/SAS 70 attestation

3. Security training

4. Risk management

a. 1 and 2

b. 1 and 3

c. 3 and 4

d. 1, 2, 3, and 4

231. d. Microsoft, for example, has achieved a trustworthy cloud computing infrastructure by earning the International Organization for Standardization/International Society of Electrochemistry 27001:2005 (ISO/IEC 27001:2005) certification and American Institute of Certified Public Accountants/Statement on Auditing Standards (AICPA/SAS)70 Type I and Type II attestation. The Type I attestation report states that information systems at the service organizations for processing user transactions are suitably designed with internal controls to achieve the related control objectives. The Type II attestation report states that internal controls at the service organizations are properly designed and operating effectively. These two accomplishments of certification and attestation were combined with security training, adequate and effective security controls, continuous review and management of risks, and rapid response to security incidents and legal requests.

232. Which of the following is the true purpose of “ping” in cellular wireless technologies?

a. The pinging tells the filters on the network.

b. The pinging tells the frequencies of the network.

c. The pinging tells the location of a phone user.

d. The pinging tells the troubles on the network.

232. c. To monitor the state of the network and to respond quickly when calls are made, the main cellular controlling switch periodically “pings” all cellular telephones. This pinging lets the switch know which users are in the area and where in the network the telephone is located. This information can be used to give a rough idea of the location of the phone user to help catch the fraud perpetrator. Vehicle location service is an application of the ping technology. The other three choices are not true.

233. Telecommuting from home requires special considerations to ensure integrity and confidentiality of data stored and used at home. Which of the following is not an effective control?

a. Employee accountability

b. Removable hard drives

c. Storage encryption

d. Communications encryption

233. a. In addition to risks to internal corporate systems and data in transit, telecommuting from home raises other concerns related to whether employees are using their own computers or using computers supplied to them by the organization. Other members of the employee’s household may want to use the computer used for telecommuting. Children, spouses, or other household members may inadvertently corrupt files, introduce viruses, or snoop. Therefore, employee accountability is difficult to monitor or enforce.

The other three choices provide effective controls. Removable hard drives are incorrect because they reduce the risk if corporate data is stored on them due to their removability, which can be safely stored away. Storage encryption and communications encryption are incorrect because they both provide confidentiality of data during its storage as well as in transit.