Chapter 8 Flashcards

1
Q

We further need to protect information and environments from…

A

Employees, contractors, partners, customers, service providers, and others

Inappropriate actions of human beings may compromise our security

2
Q

What is an RSA breach?

A

An example of social engineering attack

RSA's hardware authentication tokens were stolen by attacking the company's environment

3
Q

We need a solid security awareness and training program to…

A

avoid social engineering attacks

4
Q

We need to consider the following items to build security awareness among users:

A
o protecting data
o passwords
o social engineering
o network usage
o malware
o the use of personal equipment
o clean desk
o policy knowledge
5
Q

Data protection is essential in business because of:

A

o Reputation and customer retention

o Avoiding penalties

6
Q

What are the practices of Data Protection?

A

o Regular training to educate employees and users

o May consider gamification techniques to increase users' participation

7
Q

Most OSs and tools enforce certain levels of password strength:

A

at least eight characters, at least one upper case, at least one lower case, at least one symbol, at least one number

8
Q

Balance the complexity of the password with the importance of what is being protected. For example…

A

bank account vs family photos

9
Q

Use a policy of resetting passwords at a _____ interval

A

regular

10
Q

We can stipulate that new passwords cannot be a _____ of the previous 10 passwords used

A

variation

11
Q

Users’ Mistakes include:

A
  • Writing their password down and sticking it to the underside of their keyboard
  • Passwords being shared among users
  • Passwords being created based on pet names, birthdates, or other such personal information
  • A more damaging user behaviour is manually syncing passwords between systems or applications
  • Train employees and users to avoid the above actions
  • Users also need to use strong passwords in all applications and systems
12
Q

Social Engineering refers to…

A

psychological manipulation of people into performing actions or divulging confidential information

  • "Any act that influences a person to take an action that may or may not be in their best interests"

13
Q

Pretexting means:

A

Attackers establish fabricated scenarios to access victim’s sensitive information

14
Q

Direct pretexting:

A

face-to-face communication

  • Attacker’s confidence or body language is important
15
Q

Indirect pretexting:

A

Over some communication medium

over the phone or through e-mail

16
Q

Pretexting requires…

A

strong communication and psychological skills, specialized knowledge, and a quick mind in order to be successful

17
Q

Phishing happens mostly through…

A

e-mail, texting, or phone calls (electronic communications)

18
Q

Phishing involves convincing the potential victim to click on a link in the e-mail to…

A

send the victim to a fake site designed to collect personal information or credentials, or have the victim install malware on their system

19
Q

Fake sites usually imitate well-known websites

A

Some sites are cleverly crafted and are therefore difficult to distinguish from the legitimate pages that they are imitating

20
Q

If the fake sites are not relevant for target victims, the attack will not be ______

A

successful

21
Q

Spear phishing is a…

A

targeted attack against a specific company, organization, or person

22
Q

The requirements for spear phishing are…

A

an advanced investigation, so that the attack appears legitimate

The fake site must look valid

The e-mail must be seen to come from a valid sender
E.g., from human resources, a manager, the corporate IT support team, a peer, or a friend

23
Q

Tailgating is…

A

The act of following someone through an access control point

E.g., secure door

24
Q

Tailgating is common in locations that use _____ access controls

25
Tailgating attackers may play on the _______ of others
sympathies
26
Network usage involves...
wired vs. wireless, OR closed vs. open networks (institute, hotel, airport, etc.)
27
An enterprise network gives _____ from outsiders.
o Foreign devices are not ______ in the corporate network
o Offer an alternative network, e.g., a _____ wireless network
protection; allowed; guest
28
To protect resources in outside networks, one must:
o Implement a VPN to access the corporate network
o Configure the VPN client to automatically connect the device to the VPN whenever it finds itself on a foreign network
29
Users' awareness of which devices they connect to which networks, and of how they need to handle the _____ data that these devices might contain, is important
sensitive
30
We must train users about some _____ ____ to avoid malware
common items
31
Common items for malware are (5 items):
1) E-mail attachments from people that you do not know
2) E-mail attachments containing certain file types (exe, zip, pdf, etc.)
3) Web links using shortened URLs such as http://bit.ly
   o Web links using names that differ slightly from what we expect (myco.org when we expect myco.com)
4) Smart phone applications from nonofficial download sites
5) Pirated software
32
Contact ______ for assistance in the presence of unfamiliar items
helpdesk
33
Depending on policies, employees may connect their ______ equipment to the corporate or guest network
personal
34
Noncorporate-owned devices such as vendor laptops or MP3 players may take a bit more work to ________
communicate
35
Data needs to be handled appropriately regardless of ________ ___ _________ form
electronic or non-electronic
36
Sensitive information is not to be left out on a desk when it is to be _______ for any significant period of time
unattended
37
Sensitive data on physical media such as paper or tape needs to be disposed of via
use of shred bins, data destruction services, media shredders, and so on
38
How do you convey the policies and regulations with which an organization must comply?
Convey the most critical information. Some portion of this critical information should be condensed and communicated directly to users as policy crib notes or a highlights reel
39
We need to modify the behavior of users in our environments in the direction of being more ______
secure
40
The security awareness and training program may consist of...
instructor-led or computer-based training
41
Security training must happen...
o during the new-employee onboarding process
o at some regular interval
o followed up by a mandatory quiz or attestation of understanding by the person taking the training
42
An effective way of training employees about security is
gamification for training and educating users
43
Humans are considered ____ when it comes to cyber security
a. Strong link
b. Weak link
c. Liability
d. Asset
b. Weak link
44
In business, data protection is essential because of
a. Reputation
b. Customer retention
c. Saving money
d. None of the above
a. Reputation | b. Customer retention
45
A policy of changing passwords every _________ in a university with 30,000 users is considered a good practice.
a. 15 days
b. 30 days
c. 90 days
d. 120 days
c. 90 days
46
______ is the act of unauthorized individuals entering a restricted-access building following an authorized individual.
a. Tailgating
b. Pretexting
c. Vishing
d. Dumpster Diving
a. Tailgating
47
In order to avoid malware, you must
a. Use pirated software
b. Download an exe
c. Avoid shortened URLs
d. None of the above
c. Avoid shortened URLs
48
Why might we not want to allow personal equipment to be attached to the network of our organization?
Answer: A personal device may not have a proper security and firewall configuration, so the device can lead to compromising the enterprise network: attackers can reach the secured enterprise network through the non-secured personal device. Therefore, the enterprise can configure a guest wireless network to support personal equipment from employees.
49
Why is it important not to use the same password for all of our accounts?
Answer: Using the same password for different services and applications is a bad practice. If the password is somehow disclosed or one of our accounts is compromised, then all our accounts can be compromised. It is better to use different and strong passwords for different accounts.
50
Why might using the wireless network in a hotel with a corporate laptop be dangerous?
Answer: The WiFi in hotels, cafes, or airports is an open wireless network (WPA or WPA2). Thus, these locations are the sweet spots for packet sniffing and active hearing. Therefore, if someone connects a corporate device having sensitive information to such WiFi, hackers can easily access that information.