Module 10 Flashcards

Learning Unit 6 (70 cards)

1
Q

Security Risks Overview

A

• Security risk varies by organization type and data sensitivity • Key questions: o What is at risk? o What is the potential loss if stolen, damaged, or destroyed? • Data breach: unauthorized access/use of sensitive data • Understanding risks requires familiarity with security terms and threats

2
Q

Hackers and Their Intentions

A

• Hacker (original meaning): skilled in understanding computer systems deeply • Current usage: individuals gaining unauthorized access (malicious or not) • Hacking: also means creative problem-solving or resource manipulation Categories of Hackers: • White Hat Hacker: o Ethical hackers hired to find security weaknesses o Operate under contracts and laws o Do not compromise private data outside agreed scope • Black Hat Hacker: o Malicious actors bypassing security to cause harm or steal data o Ignore legal restrictions o May be hired for malicious agendas • Gray Hat Hacker: o Act with mixed ethics, sometimes illegal but often for education/help o May report vulnerabilities without causing damage or theft o Risk legal prosecution; often remain anonymous

3
Q

Vulnerabilities and Exploits

A

• Vulnerability: weakness in system/process/architecture that risks unauthorized access or data compromise • Exploit: act of taking advantage of a vulnerability • Example: o Low fence = vulnerability o Climbing over fence = exploit/crime • Evil Twin Attack: o Malicious access point mimics legitimate Wi-Fi (same SSID, settings) o Tricks clients to connect, allowing data theft or system access o Exploits open SSID broadcasts and client scanning

4
Q

Tracking Vulnerabilities (CVE System)

A

• Managed by the MITRE Corporation and sponsored by the U.S. Department of Homeland Security (today through CISA) • CVE (Common Vulnerabilities and Exposures): o Public dictionary assigning one unique ID (format CVE-YYYY-NNNNN, e.g. CVE-2017-5638 for the Apache Struts flaw behind the Equifax breach) to each publicly disclosed vulnerability o Lets scanners, advisories and vendors refer to the same flaw by the same name o Free to use; IDs are assigned only by MITRE and the CVE Numbering Authorities (CNAs) it authorizes, not edited by the public o Website: cve.mitre.org (now cve.org) • A CVE entry identifies and describes the flaw; severity scores (CVSS) and affected-version data live in the NVD (nvd.nist.gov)

5
Q

Zero-Day Exploits

A

• Zero-day vulnerability: a flaw unknown to the vendor (or known but still unpatched); a zero-day exploit attacks it before any fix exists • Dangerous because defenders have no patch, only mitigations (disable the feature, segment the system, detection rules) • Related: Microsoft Patch Tuesday (second Tuesday of each month) o Attackers reverse-engineer the fixes to build exploits for systems not yet updated o The day after is nicknamed “Exploit Wednesday”; strictly these are n-day exploits, since a patch already exists • Most exploited vulnerabilities are already known and have patches available, so patch speed closes most of the exposure

6
Q

Security Risk Interactions

A

• Exploits often chained: one breach leads to another • Example attack sequence: o Hacker observes username during login o Uses password-cracking to gain access o Plants malicious code to overwhelm network (DoS attack) • No risk stands alone; one vulnerability can lead to multiple threats

7
Q

Human Risks to Network Security

A

• Human error, ignorance, omission = >50% of security breaches • Common source: social engineering • Prevention = regular employee training, awareness programs • Company responsibility: enforce security policies, ensure compliance • Consequences: potential data breaches, litigation costs

8
Q

Social Engineering Techniques (Part 1)

A

Phishing • Fake communication from a “legitimate” source • Requests credentials or personal info • Uses urgency, branding, formatting to appear authentic • Links often lead to malicious websites • May include mismatched company names or odd URLs Baiting • Malware disguised as a free item (e.g., music file, USB) • Victim installs it, unknowingly infecting their system • Common at hacking conventions Quid pro quo • Offers free gift/service for info or access • Preys on untrained users

9
Q

Social Engineering Techniques (Part 2)

A

Tailgating • Unauthorized person follows authorized user into secure area • Happens without the authorized person’s knowledge Piggybacking • Attacker deceives employee into granting access • Examples: “holding the door” or distracting conversation Shoulder Surfing • Observing someone enter credentials/access codes • Protection: cover keypad, be aware of surroundings

10
Q

Social Engineering Attack Lifecycle

A

1. Research o Collect info about target o May begin with harmless questions 2. Build Trust o Use gathered info to establish rapport 3. Exploit o Victim unknowingly grants access or data 4. Exit o Attacker leaves without raising suspicion o May restart cycle for deeper access

11
Q

Countermeasures: Social Engineering

A

• Frequent employee training & updates • Mandatory compliance checks, pass rates • Training = consistent exposure (use it or lose it) • IT staff should share current threats, countermeasures • Training must be well-designed to boost engagement • Simulations = test employee readiness

12
Q

Insider Threats

A

• Trusted individuals with malicious intent • Examples: employees, ex-employees, contractors • High risk: have knowledge of systems/security • May bypass multiple layers of protection

13
Q

Mitigating People Risks

A

• Background checks for hires/contractors • Least privilege: only enough access to do job • Checks and balances: o Scheduled access o Mandatory vacations o Job rotations • DLP (Data Loss Prevention): o Identifies sensitive data o Prevents external transfers (USB, email, cloud)

14
Q

OSI Layer Technology Risks

A

• Attacks can target any of the 7 OSI layers. • Common targets: transmission media, NICs, access methods (e.g., Ethernet), switches, routers, APs, gateways. • Eavesdropping on a switched network needs a protocol analyzer (e.g., Wireshark) plus a way to see other hosts’ traffic (a SPAN/mirror port, or attacks such as ARP spoofing or MAC flooding), because a switch forwards unicast frames only to the destination port. • Routers vulnerable to TCP/IP flood attacks → disrupt legitimate traffic.

15
Q

DoS and DDoS Attacks

A

• DoS attack: floods a system or exhausts a resource so legitimate users can’t access it. o Simple to execute (e.g., a looping email script). o Can also happen by accident through faulty software. • DDoS attack: o Uses many compromised machines (zombies/bots). o Controlled remotely by a bot herder through a command-and-control (C&C) channel. o The machines together form a botnet (zombie army). o Harder to mitigate than single-source DoS because there is no one address to block. • DRDoS attack (Distributed Reflection DoS): o Uses uninfected third-party servers as reflectors. o Attacker sends requests with the victim’s address spoofed as the source → reflectors send their replies to the victim. • Amplified DRDoS: o Small requests → large responses (amplification factor = reply size / request size). o Abuses connectionless UDP services that answer unauthenticated queries: DNS, NTP, SNMP, LDAP (CLDAP over UDP), memcached; ICMP (smurf) is the classic reflection case. • PDoS attack (Permanent DoS): o Corrupts or destroys firmware → “bricks” the device. o Targets: routers, switches, IoT devices. • Friendly DoS: o Accidental overload (e.g., flash-sale traffic). o Not malicious in intent.

16
Q

Wireless & On-Path Attacks

A

• On-Path Attack (formerly called man-in-the-middle, MitM): o Attacker inserts itself between two parties and intercepts, reads, or redirects their traffic. o Example: Evil Twin → rogue AP impersonates a legitimate AP (same SSID); clients connect to it and all their traffic passes through the attacker. o Can steal credentials or redirect users to malicious sites; TLS with valid certificates limits what can be read or altered in transit. • Deauth Attack: o Exploits the fact that 802.11 deauthentication/disassociation frames are management frames that by default are neither encrypted nor authenticated. o Attacker sends spoofed frames to the AP, to a client, or to everyone (broadcast). o Kicks clients off the network. o Enables further attacks (e.g., forcing a reconnect to an evil twin, or capturing the WPA2 handshake for offline cracking). o Essentially a Wi-Fi DoS. o Mitigation: 802.11w Protected Management Frames (optional in WPA2, required in WPA3), which authenticates these frames so spoofed ones are ignored.

17
Q

Insecure Protocols

A

• Many TCP/IP protocols are insecure by default: o IP: source address is spoofable. o UDP: no handshake or authentication, so trivially spoofed (hence reflection attacks). o TCP: no authentication; only sequence numbers stand between an attacker and injection/hijacking. o FTP: cleartext credentials; also the FTP bounce attack.  Attacker abuses the server’s PORT command to make it connect to a third-party host.  Used to scan ports or deliver payloads from the FTP server’s address. o HTTP: cleartext; use HTTPS (TLS) instead. o Telnet: cleartext; replace with SSH, or tunnel over IPsec only if it cannot be removed. o SNMPv1/v2c: community strings sent in cleartext; use SNMPv3 with authentication and privacy (authPriv) instead.

18
Q

DNS & Software Vulnerabilities

A

• DNS poisoning / spoofing: o Inserts forged records into a resolver’s cache (or alters records at the server) so lookups for a legitimate name return an attacker’s IP address. o Can happen at any level: authoritative servers, ISP/recursive resolvers, the local hosts file or home router. o Effects can spread beyond the intended target (e.g., in 2010 poisoned answers from China’s Great Firewall leaked to users abroad through a root-server mirror hosted in China). o Mitigations: DNSSEC validation, randomized source ports and query IDs, patched resolvers, and HTTPS so a wrong IP cannot present a valid certificate for the name. • Back Doors: o Hidden or intentional vulnerabilities in software. o Allow unauthorized access that bypasses normal authentication. o Common in outdated/legacy systems and hard-coded vendor accounts. o Patch management is essential.

19
Q

Malware Types

A

• Malware = malicious software designed to harm or exploit systems • Virus o Self-replicates by attaching to files or boot sectors; needs a host program to run o Spreads when infected files or media are shared o May damage files/systems or merely annoy users • Trojan Horse o Disguised as useful software o Does not self-replicate; relies on the user to run it o Example: a fake game that deletes files or spams contacts • Worm o Standalone program; needs no host file o Spreads across networks on its own (exploiting a vulnerable service, or mass-mailing itself as an attachment) o Often carries a payload such as a back door or ransomware • Bot o Autonomous process (malicious or benign) o Malicious bots connect to a C&C server to join a botnet o Functions: DDoS attacks, data theft, spam, backdoor access • Ransomware o Encrypts user/system files o Demands ransom for the decryption key o Can reach cloud-synced folders, removable media, and connected backups o May delete data over time or leak stolen files online (double extortion) o Offline (disconnected), tested backups = best defense o Paying the ransom ≠ guaranteed recovery

20
Q

Malware Characteristics

A

• Encryption o Hides malware from signature-based scanners • Stealth o Masquerades as legit programs or modifies legit code • Polymorphism o Changes structure/appearance per infection o Alters size, byte order, internal instructions • Time Dependence o Activates on set date or condition o Example: logic bomb (code that triggers on specific event/date)

21
Q

Cyberattack & Threat Monitoring Tools

A

• Kaspersky CyberMap o Interactive global threat visualization o Displays attack stats by country o Access: cybermap.kaspersky.com • SonicWall Security Center o Live attack tracking o Categories: malware, ransomware, spam, cryptojacking, IoT malware o IoT malware ↑ >350% YoY (notable spike in Oct 2019) o Access: securitycenter.sonicwall.com • McAfee Threat Center o Updated malware info, characteristics, removal techniques o Access: mcafee.com/enterprise/en-us/threat-center.html

22
Q

Ransomware Details

A

• Infection Vector o System + backups + cloud services (e.g., Dropbox, OneDrive) • Ransom Note o Instructions via on-screen message o Uses untraceable online payment systems • Threats o Deletes data on countdown o Leaks/stolen data if unpaid • Defensive Strategy o Frequent, offline backups o Ransom payments not always effective

23
Q

Botnet & Bot Details

A

• Bot o Runs without user interaction o Controlled via command-and-control (C&C) server • Botnet o Network of infected devices o Used for DoS, spam, spreading malware, opening backdoors • Risks o Distributed & stealthy—hard to detect o Fast propagation

24
Q

Layers of Risk Management

A

• Security risk assessment: Evaluates threats/vulnerabilities to the network • Business risk assessment: Evaluates impact of threats on business processes • Understand key business processes (e.g. operations, manufacturing) • Goal: Minimize security threat impact on processes

25
Vendor Risk Assessment
• Also called third-party risk assessment • Evaluates risks from suppliers and vendors, including the network or credential access they are given • Key considerations: o Trustworthiness o Financial stability o IT security reliability o Compliance maintenance • Assess before starting the relationship and regularly afterwards (e.g. annually) • Include multiple departments • Example: compromised HVAC vendor credentials → retail data breach (Target, 2013)
26
Posture Assessment
• Comprehensive review of how the network might be compromised • Should include threat assessment: identifies threats and related risk factors • Severity & likelihood of threats guide prioritization • Steps: 1. Identify threats and risk factors 2. Determine affected resources 3. Create response & risk mitigation plans 4. Document findings & next steps • Perform at least annually, ideally quarterly • Also after major network changes • Performed in-house or by external consulting firm
27
Security Audits
• Conducted by accredited third parties • Qualifies as an IT audit • May be required by: o Customers (e.g. military) o Regulators (e.g. accounting firms) • Even if optional, benefits: o Identifies overlooked risks o Provides objective evaluation • May be expensive, but worth cost for critical/confidential data
28
Auditing Policies and Monitoring
• Auditing policies can be set on devices/servers (on Windows via Group Policy / Advanced Audit Policy; an event is logged only if its audit category is enabled) • Example: the Windows Event Viewer Security log records account changes (4720 user created, 4726 user deleted, 4732 member added to a local group), logons (4624 success, 4625 failure) and lockouts (4740) • Supports ongoing monitoring for unusual activity; forward logs to a central collector/SIEM so an intruder cannot simply clear them on the host
29
Vulnerability Assessment
• Identifies network vulnerabilities • Usually performed internally • Does not exploit vulnerabilities • Types: o Authenticated: Uses trusted user access o Unauthenticated: External attacker perspective • Often a preliminary step to other assessments or attacks
30
Penetration Testing
• Ethical hacking to identify and exploit vulnerabilities, under a written scope and rules of engagement • Begins with a vulnerability assessment • May be simple (admin checks) or complex (professional pen test orgs) • Yields a detailed report with prioritized recommendations • Tools: o Wireshark (traffic analysis), Nmap (host/port discovery) o SimplyEmail: Email intelligence gathering o Hashcat / John the Ripper: Password cracking o Aircrack-ng: Wireless monitoring/manipulation o Metasploit: exploitation framework (exploit modules and payloads, plus auxiliary scanners) o PowerShell scripts: Batch tasks
31
Red Team–Blue Team Exercises
• Red team: Simulated attackers (consultants, security orgs) • Blue team: Internal defenders (IT/security staff) • Red team uses social engineering + technical exploits • Blue team may be unaware of exercise to simulate real conditions • Focus: Detection and response, not just technical flaws
32
Scanning Tools
• Purpose: Discover network info (used by both admins and hackers) • Information revealed: • Available hosts • Running services, OS, apps, and versions • Software configs • Open, closed, and filtered ports • Firewalls (type, placement, config) • Unencrypted or poorly encrypted data • Use in security: • Identify insecure ports • Patch outdated software/firmware • Restrict excessive permissions • Enhance asset management and auditing
33
Nmap & Zenmap (GUI)
• Original function: Port scanning • Expanded capabilities: • Scan large networks • Identify hosts and their software • Customize scans based on needed info • Example: • Port 23 open → Telnet accessible → remote control possible • Project tool: Advanced Port Scanner (used later to find open ports)
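As an added example (not part of the course material), the following Python script shows the mechanism behind a TCP connect scan such as nmap -sT: a completed handshake means open, an immediate RST means closed, and silence until the timeout means filtered. So that it runs offline, it starts its own throwaway listener on 127.0.0.1; the open port it finds is whatever ephemeral port the OS hands out, and the RISKY_PORTS table and findings wording are assumptions I made for the demo.

```python
"""TCP connect scan of a small port range (added example, not course code).

Starts a decoy listener on 127.0.0.1 so the scan has one known-open port and
runs fully offline. The port numbers reported are whatever the OS assigns,
so treat them as constructed sample data.
"""
import socket
import threading

# Assumed table of services worth flagging; port 23 (Telnet) is the textbook
# insecure service that should never be reachable.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 69: "TFTP", 139: "NetBIOS",
               445: "SMB", 3389: "RDP"}


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one TCP port the way a connect scan does.

    Completed three-way handshake -> "open"; immediate RST -> "closed";
    no answer before the timeout -> "filtered" (a firewall silently drops the SYN).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # includes socket.timeout and unreachable errors
            return "filtered"


def scan(host: str, ports) -> dict:
    """Return {port: state} for every port in `ports`."""
    return {p: probe(host, p) for p in ports}


def start_decoy_listener() -> tuple:
    """Bind a listener on an ephemeral port so the scan has a known-open target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed by the caller
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def report(results: dict) -> list:
    """Turn scan results into findings an admin would act on (open ports only)."""
    findings = []
    for port, state in sorted(results.items()):
        if state == "open":
            svc = RISKY_PORTS.get(port)
            note = f" <- {svc} exposed, disable or firewall it" if svc else ""
            findings.append(f"{port}/tcp open{note}")
    return findings


if __name__ == "__main__":
    srv, open_port = start_decoy_listener()
    # Scan the open port plus its neighbours, which should be closed.
    results = scan("127.0.0.1", range(open_port - 2, open_port + 3))
    for line in report(results):
        print(line)
    srv.close()
```

On a real network the same probe run over 65,535 ports is slow and noisy, which is why Nmap defaults to the 1,000 most common ports and why a firewall log full of RSTs and drops is the defender's first hint that a scan is under way.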
34
Nessus
• Developer: Tenable Security (tenable.com) • Function: Sophisticated vulnerability scanning • Capabilities: • Identifies unencrypted sensitive data (e.g. credit card numbers) • Scans from local or remote servers • Constantly updated by developer
35
Metasploit
• Type: Penetration testing tool • Functions: • Combines scanning + exploit techniques • Tests multiple protocols (HTTP, SMTP, SMB, FTP, Telnet, UDP) • Detects plaintext credentials and known vulnerabilities • Example use: SOHO router admin username/password exposed • Open source: metasploit.com
36
Scanning Tool Insights & Logs
• Dual use: Legitimate security or malicious attack • Firewall logs: • Record scanning attempts • Reveal possible exploits • Useful for identifying attack patterns • Takeaway: Even hostile scans can teach you about vulnerabilities
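The following is an added example for the point about firewall logs (not from the course): a small Python detector that reads iptables-style DROP lines and flags any source that probes many distinct destination ports within a short window, the typical signature of a port scan. The log format, the SAMPLE_LOG lines and the 20-ports-in-60-seconds threshold are all constructed assumptions to tune per network.

```python
"""Spot port scans in firewall drop logs (added example, not course code)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed iptables-like line: "<ISO timestamp> DROP SRC=a.b.c.d DST=a.b.c.d PROTO=TCP DPT=n"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)

# Constructed sample: 203.0.113.7 walks ports 21-45 in 25 seconds (a scan),
# 198.51.100.3 keeps retrying HTTPS (normal, one port), plus one unrelated line.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T10:00:{i:02d} DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT={21 + i}"
     for i in range(25)]
    + [f"2024-03-01T10:00:{i:02d} DROP SRC=198.51.100.3 DST=192.0.2.10 PROTO=TCP DPT=443"
       for i in range(0, 50, 10)]
    + ["kernel: eth0 link up"]
)


def parse(log_text: str) -> list:
    """Parse log lines into dicts; lines that do not match are skipped, not guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dpt": int(m["dpt"]),
        })
    return events


def detect_scans(events: list, min_ports: int = 20, window_s: int = 60) -> dict:
    """Return {src: sorted distinct ports} for sources whose dropped packets hit at
    least `min_ports` different destination ports inside any `window_s`-second window."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "DROP":
            by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        hits = set()
        for end, cur in enumerate(evs):
            # Slide the window start forward until it fits within window_s.
            while (cur["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits |= ports
        if hits:
            flagged[src] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for src, ports in detect_scans(parse(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {len(ports)} ports ({ports[0]}-{ports[-1]})")
```

Counting distinct ports rather than raw drops is what separates a scanner from a legitimate host that simply retries one blocked service; the HTTPS host above generates drops too but never trips the rule.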
37
Honeypots
• Definition: Decoy system made to appear vulnerable • Contents: Fake sensitive data (e.g. finance, DNS, storage) • Purpose: • Attract hackers • Log intruder behavior • Discover new attack methods • Design Tips: • Must not look too insecure • Monitoring tools must be hidden • Isolate from real systems to prevent misuse
38
Honeynets
• Definition: Network of multiple honeypots • Advantages: • Provide insight into hacking techniques • Low maintenance • Fewer false positives • Common Users: • Security researchers • Curious analysts (not overworked admins) • Popular tools: • KFSensor (keyfocus.net) • Thinkst Canary (canary.tools) • Honeyd (honeyd.org)
39
Scanning Tools
Purpose: Identify vulnerabilities and gather info on networked hosts Key Benefits: • Discover hosts, services, OS, open/closed/filtered ports • Find misconfigurations and weak encryption • Contribute to audits and asset management Tools: • Nmap / Zenmap (GUI) • Scans large networks quickly • Originally a port scanner (e.g., open port 23 → Telnet access) • Now gathers host, software, and version info • Customizable scan types • Nessus • Developed by Tenable • Performs advanced vulnerability scans • Can find unencrypted sensitive data (e.g., credit card numbers) • Available as a hosted/cloud option • Metasploit • Combines scanning with exploitation tools • Uses protocols like HTTP, SMTP, SMB, Telnet, FTP, UDP • Can uncover plaintext credentials • Open-source version available
40
Honeypots & Honeynets
Purpose: Learn hacker behavior by luring them into decoy systems Honeypot: • Decoy system mimicking real targets • Contains false sensitive data • Monitored to track hacker activity • Must not be blatantly insecure • Should be isolated from real systems Honeynet: • Network of honeypots • Simulates full network environment • Offers broader behavioral insight Tools/Examples: • KFSensor • Thinkst Canary • Honeyd Usage Notes: • Provides low-maintenance, useful threat intel • Rarely managed by admins—more for researchers • Logging from real systems (e.g., firewalls) also reveals scanning behavior
41
Physical Security – Overview
Purpose: Prevent direct physical attacks on network equipment Key Areas to Secure: • Server rooms • Data rooms • Network closets • Storage rooms • Entrance facilities • Equipment cabinets • Office/data center access Risks of Physical Access: • Theft • Device tampering • Resetting hardware • Unauthorized connections • Admin session hijacking Needs: • Restricted access to trusted personnel • Prevention and detection mechanisms
42
Physical Access Prevention Methods
Access Control Devices: • Cipher Lock / Keypad • Requires code entry • Reduces key loss risk • Code can be changed periodically • Can log access, allow/deny unescorted entry • May support hostage code to trigger alarm • Access Badge / Smart Card • Identifies person (name/photo/title) • Smart cards unlock doors & log access • Can restrict access by room • Proximity (prox) cards: o 5–10 cm read range o Can work from inside a wallet • Biometrics • Scans physical features (e.g., iris, hand geometry) • Used at gates or physical barriers • Access Control Vestibule (Mantrap) • Two-lock system • First door must close before second opens • Prevents tailgating • Locking Rack / Locking Cabinet • Secures installed equipment (servers, routers, switches, firewalls) • Prevents unauthorized physical changes • Locking cabinets also protect spare devices, tools, etc. • Smart Locker • Controlled access for equipment, tools, credentials • Opens via barcodes (e.g., on phone) • Logs user access and time • Can send alerts for late returns • Temp credentials possible for package lockers • Example: Amazon Hub Locker o Students get barcode on phone o Scans at locker to retrieve package
43
Physical Security - Prevention Methods
• Keypad/Cipher Lock o Requires code to open doors o Reduces lost key risk o Supports:  Entry/exit logging  Scheduled access  Hostage code (alarm trigger) • Access Badge / Smart Card o Includes name, photo, title o Can be magnetic, RFID, proximity o Time-stamped access logs o Can restrict access to certain rooms o Works through wallets/purses (5–10 cm range) • Biometrics o Verifies via unique physical features (e.g., iris, hand geometry) o Used for gates, secure entries • Access Control Vestibule (Mantrap) o Two-door system o One door must close before the other opens • Locking Rack & Locking Cabinet o Racks: Secure access to servers, routers, switches, firewalls o Cabinets: Store unused equipment, tools, spare hardware • Smart Locker o Access via barcode/smartphone o Logs who accessed and when o Can issue temporary credentials o Sends alerts for late returns o Example: Amazon Hub Lockers
44
Physical Security - Detection Methods
• Motion Detection o Detects movement; triggers alarms/lights/video o AI reduces false positives (e.g., ignores animals or trees) • Cameras (CCTV) o Placed in secure areas (data rooms, entrances) o Managed centrally o May record continuously or on motion o Video footage is securely stored for later review • Tamper Detection o Detects:  Physical penetration  Temperature extremes  Voltage/frequency changes  Radiation exposure o May:  Trigger alarms/shutdowns  Activate other security systems (e.g., cameras)  Use tamper-evident stickers or latches • Asset Tags o Track equipment, inventory, people o Types: Barcodes, RFID, Bluetooth, GPS, NFC o Reports to centralized system o Enables real-time monitoring o Often paired with IoT/cloud for enhanced security and analytics
45
Physical Security - Audit & Planning Questions
• Secured Areas o Which rooms house critical systems/data? • Entry Points o How might intruders gain access?  Doors, windows, ceilings, vents, walls, hallways • Personnel Access o How are access rights granted? o Are background/reference checks done? o Are hours of access limited? o Who handles lost key/card reporting? • Employee Awareness o Are staff trained not to prop open secure doors? • Authentication o Are ID badges/digital methods hard to forge or bypass? • Supervision o Do security staff do routine physical checks? • Access Method Security o Are codes/passwords kept secure and changed regularly? • Incident Response o Is there a plan for logging and reacting to breaches?
46
Security Patch Management
• Purpose: Fix bugs, close security gaps, add features • Patches: Smaller, more frequent updates focused on security • Patch Management Process: o Discovery: Identify devices, assess patch relevance/impact o Standardization: Use consistent OS/app versions across network o Defense in Depth: Use multiple security layers, assess overlap/gaps o Vulnerability Reporting: Prioritize updates, subscribe to alerts o Implementation: Validate → prioritize → test → apply  Use phased rollouts & formal change management o Assessment: Confirm coverage & effectiveness, check for gaps o Risk Mitigation: Apply alternate protections if patching isn't possible (e.g., legacy system conflicts)
47
Equifax Breach Case Study
• Date: May–July 2017 • Impact: 143 million+ records compromised o Names, SSNs, DOBs, addresses, license #s, ~209k credit card numbers • Cause: o Failed/late patch on open-source software (Apache Struts, CVE-2017-5638; the vendor fix was published in March 2017 but the public web application was left unpatched) o Expired, unrenewed certificate on the traffic-inspection device → encrypted exfiltration went unmonitored for months • Lesson: timely, verified patching and certificate lifecycle management are critical
48
Default Admin Credentials
• Defaults: common factory credentials (e.g., admin / password / 1234) are printed in manuals and built into botnet code → insecure • Best Practices: o Change default credentials immediately during setup, before the device goes on the network o Use strong, unique usernames & passwords per device o Store them in a password manager/vault • Remote Access (e.g., SSH): o Remove vendor-supplied or image-cloned host keys (rm the key files) so every device has its own o Generate new keys: ssh-keygen or PuTTY Key Generator o Key-based login is safer than passwords for remote administration and automation; protect private keys with a passphrase and disable password authentication once keys are in place
49
Privileged User Account Security
• Purpose: Elevated access for sensitive operations (config, finance, access control) • Access Levels: o Device admin accounts o Domain admin (e.g., AD changes, backups) o User-level accounts with limited admin rights • Security Practices: o Limited Use: Only for tasks requiring elevated rights o Least Privilege: Users get minimum access needed o Limited Location: On-site access only; no remote admin o Limited Duration: Disable when no longer needed (e.g., employee leaves) o Limited Access: Strong passwords + multi-factor authentication o Limited Privacy:  All actions logged  Logs reviewed by 3rd party (not account owner)  Tools: Imperva, ManageEngine, Splunk
50
Services & Protocols (Device Hardening)
• Disable insecure services (e.g. Telnet, FTP) • Prefer secure alternatives (e.g. SSH, SFTP) • Reduce access paths: o Disable unused radios/interfaces: Bluetooth, Wi-Fi, NFC, IR • Minimize startup processes • Disable unneeded OS/network services (search “[OS] unneeded services”) • Uninstall unused apps • Remove unused network segments • Close unused TCP/IP ports on firewalls: o e.g. block 137–139 (NetBIOS) and 445 (SMB) from untrusted networks; WannaCry spread through SMBv1 on port 445 (EternalBlue), so disable SMBv1 as well o Keep port 22 (SSH) closed unless remote access is needed, and then restrict it to known source addresses • An attacker’s port scan finds the same open services you left running; each exposed service is a potential entry point (exploitation, code injection) or DoS target • One unsecured service can lead to a daisy chain of compromised systems (lateral movement)
51
Password Security & Hashing
• Hashing = one-way, fixed-length transformation of data (vs. encryption = reversible with the key) • Used for password storage & data integrity • Verifies data hasn’t been altered (like a checksum, but designed so an attacker cannot craft a different input with the same hash) • Password storage process: o At enrollment the password is hashed (with a random per-user salt) and only hash + salt are stored o At login the submitted password is hashed the same way and compared to the stored hash o System authenticates only if the hashes match • Stolen hashes can’t be reversed mathematically, but they can be guessed: the attacker hashes candidate passwords offline and compares. Fast, unsalted hashes (plain MD5/SHA-1/SHA-256) fall quickly to dictionary attacks; a salt plus a deliberately slow KDF (bcrypt, scrypt, Argon2, PBKDF2) keeps every guess expensive • The system won’t accept a hash in place of the password; it must receive the real password to recompute the hash (unless the protocol itself authenticates with the hash, as Windows NTLM pass-the-hash attacks exploit)
52
SHA Hashing Algorithms
• SHA-0: 160-bit output, flawed, withdrawn shortly after publication • SHA-1: 160-bit; practical collisions demonstrated (SHAttered, 2017); deprecated for signatures and certificates • SHA-2 (designed by the NSA): o SHA-256 → 256-bit digest o SHA-512 → 512-bit digest (also SHA-224, SHA-384) o No practical attacks known; somewhat slower than SHA-1 • SHA-3 (Keccak): o Selected through a public competition; sponge construction, structurally unrelated to SHA-2, so a break in one is unlikely to affect the other o Offers the same 224/256/384/512-bit output sizes (plus SHAKE variable-length outputs) • Caveat: chaining SHA-2 with SHA-3, or hashing several times, adds little real security. For passwords what helps is a salt and a deliberately slow, iterated KDF (PBKDF2, bcrypt, scrypt, Argon2); for integrity, a single unbroken hash, or an HMAC when the digest itself could be tampered with • File Hashing: o Verifies file integrity (e.g. after download) o Compute the file’s hash and compare it with the digest the provider publishes o Fetch the published digest over a trusted channel (HTTPS, or a signed file); an attacker who can replace the download can otherwise replace the hash too
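An added example (not from the course) covering the “Password Security & Hashing” and “SHA Hashing Algorithms” cards: salted password storage with PBKDF2-HMAC-SHA256 and constant-time verification, plus a chunked SHA-256 file-integrity check against a published digest. The iteration count, the storage-string format, the sample passwords and the “published” digest are assumptions made for the demo.

```python
"""Salted password hashing and file-integrity hashing (added example, not course code)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption; raise it until one hash takes ~100 ms on your servers

# Constructed "published" digest: what a vendor would list beside a download
# whose contents are exactly b"hello world\n".
PUBLISHED_DIGEST = "a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447"


def hash_password(password: str, salt=None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    PBKDF2 runs HMAC-SHA256 many times on purpose: one fast SHA-256 pass
    would let an attacker test billions of guesses per second. The salt is
    random and stored in the clear; it is not a secret, its job is to make
    identical passwords hash differently.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never authenticate on it
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), hash_hex)


def sha256_file(data: bytes, chunk: int = 4096) -> str:
    """SHA-256 of file contents, fed in chunks as you would for a large download."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_download(data: bytes, published_digest: str) -> bool:
    """True only if the file's digest matches the one the provider published."""
    return hmac.compare_digest(sha256_file(data), published_digest.strip().lower())


if __name__ == "__main__":
    rec_a = hash_password("correct horse battery")
    rec_b = hash_password("correct horse battery")
    print("same password, different stored hashes:", rec_a != rec_b)
    print("login ok:", verify_password("correct horse battery", rec_a))
    print("wrong password rejected:", not verify_password("Correct horse battery", rec_a))
    print("download intact:", verify_download(b"hello world\n", PUBLISHED_DIGEST))
    print("tampered download caught:", not verify_download(b"hello world!\n", PUBLISHED_DIGEST))
```

Note that the same SHA-256 serves both jobs, but only the password path needs the salt and the iteration count; a file digest must be reproducible by anyone, so it is a single plain pass over the bytes.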
53
Anti-Malware Software
• Not install & forget: requires active monitoring, signature/engine updates, & user education • Popular solutions: o Embedded: Microsoft Defender Antivirus o Third-party: Bitdefender, Kaspersky, Malwarebytes • Malware symptoms: o Unusual file size growth o Sluggish performance o Strange error messages o Unexplained memory or CPU consumption o Random reboots o Display glitches or fluctuating quality
54
Anti-Malware Deployment Types
• Host-based o Installed on individual devices o Misses server-based threats o Weak in virtualized environments • Server-based o Protects critical files o Can reduce network performance • Network-based o Defends at gateways (internet entry) o Doesn’t stop internal threats (USBs, smartphones) o Must be implemented throughout network • Cloud-based o Scalable, cost-efficient o May have blind spots o Increases internet traffic & potential cost • Best practice = combine multiple methods for layered security
55
Asset Disposal Overview
• Data mining of discarded devices = major security risk • Legal responsibility continues after device retirement • All IT assets must be tracked during and after use • Covered devices: o Workstations, laptops, tablets, smartphones o Printers, copiers, fax machines, scanners o Servers, firewalls, routers, switches o Storage media: flash drives, tape drives, hard drives
56
Professional Disposal Services
• Devices sanitized or destroyed before leaving premises • Secure transport with tracking (e.g. GPS) • Adherence to data protection & environmental laws • End-to-end insurance coverage provided • Certification (CEED) includes: o Chain of custody o Date/time & sanitization methods used o Resale valuation o Final outcome (resold / recycled / destroyed) • CEED used for legal/audit protection
57
In-House Disposal Protocols
• Org assumes full responsibility if not using vendor • Remote wipe or factory reset: o Clears most data o Often leaves data recoverable by experts • Proper sanitization required before disposal • Staff must return old devices to IT • Mobile devices: o Often allow remote wipe if lost/stolen o Still require physical sanitization for full data removal
58
Security Policy Overview
• Defines: o Security goals o Risks o Levels of authority o Security coordinator & team o Responsibilities (team + all employees) o Breach response procedures • Does not include: o Specific hardware/software o Architecture/protocol details o Installation/configuration methods • Includes both: o Written policies (e.g. handbook) o Enforced policies (e.g. Active Directory settings)
59
Security Policy Goals
• Ensure authorized user access to required resources • Block unauthorized access (internal & external) • Protect sensitive data • Prevent hardware/software damage (accidental/intentional) • Support threat resistance, response, and recovery • Communicate individual responsibilities • Obtain signed consent to monitoring
60
Creating & Implementing Policies
• Form a multi-department committee including IT & managers • Assign a security coordinator • Tie policies to business impact to encourage compliance o E.g. 2-hour hack outage = $100,000 lost sales • Conduct a posture assessment to identify risks o Rate threat severity and likelihood • Use assessment results to inform policy content • Purpose: Ensure org-wide understanding of risk and responsibility
61
BYOD & Variants
• BYOD – Bring your own device • Variants: o BYOA – Bring your own application o BYOC – Bring your own cloud o BYOT – Bring your own technology (umbrella term) o CYOD – Choose your own device (limited, org-supplied) • Modern context includes remote work (not just physical devices brought in)
62
BYOD Policy Considerations
• Define: o Allowed/blocked activities o Device configurations o Security restrictions o Reimbursement/allowance policies • Benefits: o Cost reduction o Efficiency/morale boost • Risks: o Data security o Legal compliance • Policies must address both benefits & risks clearly
63
BYOD: Onboarding & Device Management
• Onboarding = Configuring wireless clients for access • Handled by MDM (Mobile Device Management) o Automates onboarding/offboarding o Enforces password/security policies o Encrypts/syncs/wipes corporate data o Monitors device use & location o Allows selective data removal (corporate only) o Works across all major platforms o Examples:  VMware Workspace ONE  Cisco Meraki Systems Manager • MAM (Mobile App Management) = Less intrusive o Controls only specific apps, not entire device
64
Acceptable Use Policy (AUP)
• Defines acceptable and unacceptable actions when using network resources • Clarifies user responsibilities and penalties for misuse • Protects network security and supports productive use • Key elements typically include: • Use company resources only for work tasks • Acknowledge that activity is monitored and auditable • Report suspected data breaches immediately • Lock/sign out when not using a device • Avoid illegal activities using company assets • Don’t bypass security controls • Don’t advertise/market to others on the network • Don’t forward spam • Don’t infringe on rights of others • Don’t violate intellectual property regulations, including: ❍ No pirated software ❍ No copying/distributing copyrighted material • No exporting restricted software/encryption
65
Non-Disclosure Agreement (NDA)
• Defines confidentiality and privacy within the organization • Confidential info = anything that may: • Harm the organization • Damage reputation • Cause financial loss • Undermine customer trust • Aid competitors • Info sensitivity may be tiered (e.g. Top Secret vs. Confidential) • Top Secret: Accessible by execs only • Confidential: Accessible only by required personnel (e.g. doctors/accountants)
66
Password Policy — Best Practices
• Change defaults: • Change default passwords after software/hardware install • Avoid personal info: • No names, birthdays, favorites, ID, addresses, etc. • Avoid real words: • No full dictionary words • Defend against dictionary attacks • Use long passwords: • 15+ characters preferred • "Long is strong" • Increase complexity: • Mix upper/lowercase randomly • Include letters, numbers, symbols • Avoid obvious symbol substitutions (e.g. @ for a) • No repeated characters or phrases • Keep private: • Don’t write down passwords or share them • Don’t store unencrypted or in browsers
67
Password Policy — Attacks & Defenses
• Dictionary attack: • Tries wordlists plus rules that mimic user habits (capitalize the first letter, append digits or a year, substitute @ for a and $ for s) • Tools such as Hashcat and John the Ripper run this offline against stolen hashes • Rainbow table attack: • Uses precomputed hash → plaintext tables so a stolen hash is cracked by lookup instead of computation • Mitigation: salt each password with a unique random value stored next to the hash; the salt is not secret, its job is to make identical passwords hash differently so one table cannot serve every user, and to combine it with a slow KDF so each guess stays costly • Brute-force attack: • Tries every character combination; online variants start with the most common passwords (“password”, “123456”) • Mitigation: long passwords (each extra character multiplies the search space), lockout/rate limiting against online guessing, and 2FA so a guessed password alone is not enough
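To make the “Best Practices” and “Attacks & Defenses” cards concrete from the attacker’s side, here is an added Python example (not from the course): a dictionary attack with the very mangling rules the policy warns about (capitalization, @ for a, $ for s, trailing digits), first as a precomputed hash → plaintext table against unsalted SHA-256 hashes, then against salted ones, where the table is useless and every guess has to be rehashed per user. The wordlist, the “leaked” accounts, their passwords and the salts are all constructed here; plain SHA-256 is used only because that is what the imagined victim stored.

```python
"""Dictionary attack with mangling rules vs. unsalted and salted hashes
(added example, not course code)."""
import hashlib
import os

WORDLIST = ["password", "summer", "welcome", "dragon", "letmein"]  # constructed
SUBS = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}  # the "obvious" substitutions
SUFFIXES = ["", "1", "123", "!", "2024"]


def mangle(word: str):
    """Yield the candidate guesses a basic rule set derives from one dictionary word."""
    bases = {word, word.capitalize(), word.upper()}
    leet = "".join(SUBS.get(c, c) for c in word)
    bases |= {leet, leet.capitalize()}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def sha256_hex(text: str, salt: bytes = b"") -> str:
    """Unsalted when salt is empty; salted hashes prepend the per-user salt."""
    return hashlib.sha256(salt + text.encode()).hexdigest()


def guess_count(words) -> int:
    return sum(1 for w in words for _ in mangle(w))


def build_table(words) -> dict:
    """Precompute hash -> plaintext for every mangled guess (a tiny 'rainbow table')."""
    return {sha256_hex(g): g for w in words for g in mangle(w)}


def crack_unsalted(leaked: dict, table: dict) -> dict:
    """Unsalted hashes fall to one dictionary lookup each, however many users leaked."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def crack_salted(leaked: dict, words) -> dict:
    """With per-user salts the table is useless: every guess is rehashed for every user."""
    cracked = {}
    for user, (salt, h) in leaked.items():
        for guess in (g for w in words for g in mangle(w)):
            if sha256_hex(guess, salt) == h:
                cracked[user] = guess
                break
    return cracked


# Constructed "leaked" database: alice and bob picked policy-violating passwords,
# carol picked a long passphrase that no rule in this set will reach.
PASSWORDS = {"alice": "P@$$w0rd123", "bob": "Summer2024",
             "carol": "tundra-ferret-quartz-lantern-87"}
UNSALTED_LEAK = {u: sha256_hex(p) for u, p in PASSWORDS.items()}
SALTS = {u: os.urandom(16) for u in PASSWORDS}
SALTED_LEAK = {u: (SALTS[u], sha256_hex(p, SALTS[u])) for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    table = build_table(WORDLIST)
    print(f"{len(table)} precomputed guesses from {len(WORDLIST)} words")
    print("unsalted, table lookup:", crack_unsalted(UNSALTED_LEAK, table))
    print("salted, table lookup hits:",
          sum(h in table for _, h in SALTED_LEAK.values()))
    print("salted, per-user recompute:", crack_salted(SALTED_LEAK, WORDLIST))
```

The salted run still cracks alice and bob, because the weakness is the password, not the storage; what the salt buys is that the work is done once per user instead of once for everyone, and a slow KDF in place of SHA-256 multiplies that per-guess cost again. Carol’s passphrase survives both runs, which is the “long is strong” point in practice.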
68
Password Policy — Management & Updates
• Rotation: • Traditional policy: change at least every 60 days, forced through directory services (e.g. AD maximum password age) • Caveat: NIST SP 800-63B now advises against forced periodic changes (they breed predictable patterns such as Season+Year) and instead calls for a change whenever compromise is suspected, screening new passwords against breached-password lists, and MFA • No reuse: • Don’t reuse expired passwords • Use different passwords for different services, so one breach does not cascade • Use password manager tools: • E.g. LastPass, KeePass, 1Password • Generate/store complex unique passwords • Single strong master password (plus MFA) unlocks the encrypted vault • Sync across devices
69
Privileged User Agreement (PUA)
• Agreement for admins, support staff, and roles with privileged access • Defines: o What privileged users can and can't do with sensitive data o Precautions to protect privacy (e.g., HIPAA for doctors) o Rules, restrictions, guidelines, and violation consequences • Example control: o One person creates vendor accounts o A different person authorizes payments • Users should: o Sign into privileged accounts only as long as necessary o Sign off manually, not rely on time-outs • Requires frequent training to prevent social engineering attacks • Privileged activity often monitored using PAM tools: o Examples: BeyondTrust, CyberArk o Can be on-premises or cloud-based
70
Anti-Malware Policy
• Aims to prevent malware spread via tech + user awareness • Requires organization-wide support from management • Policy should include: Anti-Malware Software Use • All computers must have: o Detection + cleaning software o Regular scans o Centralized distribution + updates • Users: o Cannot alter or disable anti-malware software o Should know to call help desk if malware is detected o Must not install unauthorized software (e.g., games from internet) Anti-Malware Team Responsibilities • Choose and maintain anti-malware tools • Ensure software is up-to-date • Educate users • Respond to significant malware outbreaks Additional Measures • Flash drives and file sharing must be handled cautiously • Serious malware threats: o Trigger system-wide alerts o Advise users on prevention steps • Automation preferred: o E.g., automatic scans on USB use and email attachments o Do not rely on users to initiate scans manually Purpose of Policy • Not to limit freedom • Designed to: o Protect user data o Protect system files o Prevent downtime and network damage