Module 2

Question 1

What is the primary piece of UK legislation that criminalises unauthorised access to computer systems and data?

Answer 1

The Computer Misuse Act 1990 (CMA).

Question 2

The Computer Misuse Act 1990 was enacted in response to which legal case from 1984-85?

Answer 2

The R vs Gold and Schifreen case.

Question 3

Under what pre-existing act were Gold and Schifreen originally prosecuted for accessing British Telecom’s Prestel system?

Answer 3

The Forgery and Counterfeiting Act 1981.

Question 4

Section 1 of the original Computer Misuse Act makes it an offence to gain unauthorised access to what?

Answer 4

Computer material, which includes systems or data.

Question 5

What offence is described in Section 2 of the Computer Misuse Act 1990?

Answer 5

Gaining unauthorised access with intent to commit or facilitate further offences.

Question 6

Section 3 of the Computer Misuse Act 1990 makes it an offence to perform unauthorised acts against computer systems with what intent or outcome?

Answer 6

With intent to impair, or that may cause impairment, even if accidental.

Question 7

According to the Computer Misuse Act, is the ‘motive’ of a person relevant when determining if gaining unauthorised access is an offence?

Answer 7

No, the Act does not discriminate against motive; even good intentions do not negate the offence.

Question 8

Who was the systems administrator in a well-publicised case who hacked into NASA and US military systems looking for evidence of coverups?

Answer 8

Gary McKinnon.

Question 9

What was the outcome for penetration tester Daniel Cuthbert after he performed directory traversal scans on a legitimate charity website he suspected was a phishing site?

Answer 9

He was prosecuted and found guilty under the Computer Misuse Act, fined, and lost his job.

Question 10

Which act from 2006 amended the Computer Misuse Act to put a stronger emphasis on requiring clear proof of intent?

Answer 10

The Police and Justice Act 2006.

Question 11

The Police and Justice Act 2006 introduced which new section to the Computer Misuse Act?

Answer 11

Section 3A.

Question 12

What does Section 3A of the Computer Misuse Act criminalise?

Answer 12

The making, supplying, or obtaining of any ‘articles’ used to commit an offence under the Act.

Question 13

In the context of Section 3A of the CMA, what can an ‘article’ include?

Answer 13

Any program or data held in electronic form, such as malware or hacking instructions.

Question 14

Which 2015 act introduced another new section, 3ZA, to the Computer Misuse Act?

Answer 14

The Serious Crime Act 2015.

Question 15

What does Section 3ZA of the Computer Misuse Act enforce?

Answer 15

Much harsher sentences for unauthorised acts that cause, or risk causing, serious damage.

Question 16

Under Section 3ZA of the CMA, what kind of damage to human welfare or national security could result in life imprisonment?

Answer 16

Serious damage including illness or death, or disruption to supplies (food, water, energy), transportation, communication, health, or government networks.

Question 17

How did the Serious Crime Act 2015 update the territorial scope of computer misuse offences?

Answer 17

It expanded the scope to include offences against other countries, and offences by a UK citizen from another country.

Question 18

Which UK act from 1998 sets out the fundamental rights and freedoms that everyone is entitled to?

Answer 18

The Human Rights Act 1998.

Question 19

What right is protected by Part I Article 6 of the Human Rights Act?

Answer 19

The right to a fair trial, including the presumption of innocence until proven guilty.

Question 20

According to the Human Rights Act, how must evidence gathered during security testing be handled to ensure its admissibility in court?

Answer 20

It must be handled in a manner that preserves its integrity.

Question 21

Part I Article 8 of the Human Rights Act establishes the right to respect for what aspects of a person’s life?

Answer 21

Their private life, home, and correspondence.

Question 22

What right, relevant to security testing, is protected by Part II Article 1 of the Human Rights Act?

Answer 22

The protection of property and the right to peaceful enjoyment of possessions.

Question 23

In the context of the Human Rights Act, testers must be particularly careful not to access personal devices and data in what common work scenarios?

Answer 23

Scenarios involving BYOD (Bring Your Own Device) or employees who work from home.

Question 24

Which two pieces of legislation in the UK protect individuals regarding the processing of their personal data?

Answer 24

The Data Protection Act 2018 and the UK GDPR.

Question 25

In data protection law, the entity that defines the purposes and means of processing personal data is known as the _____.

Answer 25

Controller.

Question 26

In data protection law, the entity that handles data based on the documented instructions of a Controller is known as the _____.

Answer 26

Processor.

Question 27

Which data protection principle states that processing must have a valid legal basis, be fair, and provide individuals with clear information?

Answer 27

Lawfulness, fairness, and transparency.

Question 28

The data protection principle of _____ requires that data be collected for specific, legitimate purposes and not be processed for other reasons.

Answer 28

Purpose Limitation.

Question 29

What does the 'Data Minimisation' principle of GDPR require of controllers?

Answer 29

To only collect and process data that is relevant and limited to what is necessary for the intended purposes.

Question 30

Which GDPR principle mandates that personal data must be accurate and kept up-to-date where necessary?

Answer 30

Accuracy.

Question 31

The _____ principle dictates that controllers must not hold personal data for longer than is necessary for its intended purpose.

Answer 31

Storage Limitation.

Question 32

Which GDPR principle requires that personal data be processed in a manner that ensures appropriate security against unauthorised processing or accidental loss?

Answer 32

Integrity and Confidentiality.

Question 33

The _____ principle holds controllers and processors responsible for, and requires them to demonstrate compliance with, all other data protection principles.

Answer 33

Accountability.

Question 34

A client may employ red team services as part of their fulfilment of which GDPR article, related to implementing appropriate security measures?

Answer 34

GDPR Article 32.

Question 35

What type of agreement should a client put in place to stipulate guidelines for a red team handling personal data during an engagement?

Answer 35

A Data Processing Agreement.

Question 36

Does the GDPR apply to an organization based outside the EU?

Answer 36

Yes, if the organization stores or processes the personal data of EU residents.

Question 37

Which UK act from 2000 regulates the financial services sector and includes provisions for security and operational risk management?

Answer 37

The Financial Services and Markets Act 2000 (FSMA).

Question 38

What is the purpose of the Payment Services Regulations 2017?

Answer 38

It governs payment services and sets security requirements for providers, including fraud prevention and data protection.

Question 39

Which 2012 Act governs health and social care services and includes provisions for protecting patient data confidentiality?

Answer 39

The Health and Social Care Act 2012.

Question 40

What is the name of the EU regulation aimed at strengthening the IT security of financial entities like banks and insurance companies?

Answer 40

The Digital Operational Resilience Act (DORA).

Question 41

What framework, developed by the Bank of England, provides a structured approach to security testing for financial institutions?

Answer 41

CBEST.

Question 42

What does TIBER-EU stand for?

Answer 42

Threat Intelligence-Based Ethical Red Teaming Framework.

Question 43

What is the purpose of the TIBER-EU framework?

Answer 43

It is an EU-wide framework for conducting threat intelligence-led ethical red teaming for critical infrastructure and financial institutions.