Chapter 15 - Policies, Procedures, and People Flashcards
Which method would you use if you were disposing hard drives as part of a company computer sale? A. Destruction B. Purging C. Clearing D. Formatting
B. Purging (or sanitizing) removes all the data from a hard drive so that it cannot be reconstructed by any known technique. If a hard drive were destroyed, it wouldn’t be of much value at a company computer sale. Clearing is the removal of data with a certain amount of assurance that it cannot be reconstructed; this method is usually used when recycling the drive within the organization. Formatting is not nearly enough to actually remove data because it leaves data residue, which can be used to reconstruct data.
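As an added illustration (not part of the flashcards) of why formatting leaves data residue while clearing does not, the following Python models a disk as a byte array with a toy allocation table. The layout is an assumption made for the demonstration, not any real filesystem, and the "secret" it stores is a constructed placeholder. A quick format rewrites only the table, so a raw search of the image still finds the file; an overwrite pass removes it.

```python
import os
import re

# Constructed toy layout (an assumption for illustration, not a real filesystem):
# block 0 is an allocation table with one byte per block, blocks 1..N hold data.
BLOCK_SIZE = 64
N_BLOCKS = 16


def new_disk():
    """Return a blank disk image: the allocation table block plus data blocks."""
    return bytearray(BLOCK_SIZE * N_BLOCKS)


def write_file(disk, block, payload):
    """Store payload in a data block and mark that block as allocated."""
    if not 1 <= block < N_BLOCKS or len(payload) > BLOCK_SIZE:
        raise ValueError("bad block or payload too large")
    disk[block] = 1
    start = block * BLOCK_SIZE
    disk[start:start + len(payload)] = payload


def quick_format(disk):
    """Model a quick format: only the allocation table is rewritten.

    Data blocks are untouched, so every file's bytes are still on the disk."""
    disk[0:BLOCK_SIZE] = bytes(BLOCK_SIZE)


def overwrite(disk, passes=1):
    """Model clearing: overwrite every byte of the image, table and data alike."""
    for _ in range(passes):
        disk[:] = os.urandom(len(disk))
    disk[:] = bytes(len(disk))


def carve(disk, pattern):
    """Search the raw image for a pattern, ignoring the allocation table.

    This is what a forensic carving tool does to recover 'deleted' files."""
    return [m.start() for m in re.finditer(re.escape(pattern), bytes(disk))]


def demo(secret=b"SSN 123-45-6789"):
    """Write a (constructed) secret, quick-format, then overwrite.

    Returns the offsets where carving finds the secret after each step."""
    disk = new_disk()
    write_file(disk, 3, secret)
    quick_format(disk)
    after_format = carve(disk, secret)
    overwrite(disk)
    after_clear = carve(disk, secret)
    return after_format, after_clear


if __name__ == "__main__":
    fmt, clr = demo()
    print("after quick format, secret found at offsets:", fmt)
    print("after overwrite, secret found at offsets:", clr)
```

The same distinction holds on real hardware, with one caveat: on SSDs, software overwrites are not a reliable purge because wear levelling can leave copies in blocks the host cannot address, so purging there means the drive's own sanitize or secure-erase command, or cryptographic erase, rather than an overwrite tool.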
Which of these governs the disclosure of financial data? A. SOX B. HIPAA C. GLB D. Top secret
A. SOX, or Sarbanes-Oxley, governs the disclosure of financial and accounting data. HIPAA governs the disclosure and protection of health information. GLB, or the Gramm-Leach-Bliley Act of 1999, enables commercial banks, investment banks, securities firms, and insurance companies to consolidate; it also contains privacy rules for customers' financial information, but the financial reporting requirements for public companies come from SOX. Top secret is a government data classification level, not a law.
Jeff wants to employ a Faraday cage. What will this accomplish?
A. It will increase the level of wireless encryption.
B. It will reduce data emanations.
C. It will increase EMI.
D. It will decrease the level of wireless emanations.
B. The Faraday cage will reduce data emanations. The cage is essentially an enclosure (of which there are various types) of conducting material that can block external electric fields and stop internal electric fields from leaving the cage, thus reducing or eliminating data emanations from such devices as cell phones.
If a fire occurs in the server room, which device is the best method to put it out? A. Class A extinguisher B. Class B extinguisher C. Class C extinguisher D. Class D extinguisher
C. When you think Class C, think Copper. Extinguishers rated as Class C can suppress electrical fires, which are the most likely kind in a server room.
What device will not work in a Faraday cage? (Select the best two answers.) A. Cell phones B. Computers C. Pagers D. TDR
A and C. A Faraday cage blocks radio signals in both directions, so a device that depends on an external RF link cannot receive or transmit inside it. Cell phones and pagers therefore will not work inside the cage. A computer and a TDR (time-domain reflectometer, which tests cable faults by sending a pulse down the cable) do not need an outside radio signal and continue to function.
You go out the back door of your building and notice someone looking through your company's trash. If this person were trying to acquire sensitive information, what would this attack be known as? A. Browsing B. Dumpster diving C. Phishing D. Hacking
B. Dumpster diving is when a person goes through a company’s trash to find sensitive information about an individual or a company. Browsing is not an attack but something you do when connected to the Internet. Phishing is known as acquiring sensitive information through the use of electronic communication. Nowadays, hacking is a general term used with many different types of attacks.
You are told by your manager to keep evidence for later use at a court proceeding. Which of the following should you document? A. Disaster recovery plan B. Chain of custody C. Key distribution center D. Auditing
B. A chain of custody is the chronological documentation or paper trail of evidence. A disaster recovery plan details how a company will recover from a disaster with such methods as backup data and sites. A key distribution center is used with the Kerberos protocol. Auditing is the verification of logs and other information to find out who did what action and when and where.
Which law protects your Social Security number and other pertinent information? A. HIPAA B. SOX C. The National Security Agency D. The Gramm-Leach-Bliley Act
D. The Gramm-Leach-Bliley Act protects private information such as Social Security numbers. HIPAA deals with health information privacy. SOX, or the Sarbanes-Oxley Act of 2002, applies to publicly held companies and accounting firms and protects shareholders in the case of fraudulent practices. The National Security Agency is an agency, not a law.
User education can help to defend against which of the following? (Select the three best answers.) A. Social engineering B. Phishing C. Rainbow Tables D. Dumpster diving
A, B, and D. User education and awareness can help defend against social engineering attacks, phishing, and dumpster diving, because each of these succeeds by exploiting a person. Rainbow tables are precomputed lookup tables used to reverse password hashes; that is a technical attack on stored credentials, and the defense (salted, slow password hashing) is a technical control rather than a user-education issue.
Which of these is an example of social engineering?
A. Asking for a username and password over the phone
B. Using someone else’s unsecured wireless network
C. Hacking into a router
D. Virus
A. Social engineering is the practice of obtaining confidential information by manipulating people. Using someone else’s network is just theft. Hacking into a router is just that, hacking. And a virus is a self-spreading program that may or may not cause damage to files and applications.
What is the most common reason that social engineering succeeds? A. Lack of vulnerability testing B. People share passwords C. Lack of auditing D. Lack of user awareness
D. User awareness is extremely important when attempting to defend against social engineering attacks. Vulnerability testing and auditing are definitely important as part of a complete security plan but will not necessarily help defend against social engineering and definitely not as much as user awareness training. People should not share passwords.
Which of the following is not one of the steps of the incident response process? A. Eradication B. Recovery C. Containment D. Nonrepudiation
D. Nonrepudiation, although an important part of security, is not part of the incident response process; it is the property that a party cannot deny having performed an action, and it is provided by controls such as digital signatures and audit logs. Eradication, containment, and recovery are all parts of the incident response process, which is commonly described as preparation, identification, containment, eradication, recovery, and lessons learned.
In which two environments would social engineering attacks be most effective? (Select the two best answers.)
A. Public building with shared office space
B. Company with a dedicated IT staff
C. Locked building
D. Military facility
E. An organization whose IT personnel have little training
A and E. Public buildings, shared office space, and organizations whose employees have little training are all environments in which social engineering attacks are common and would be most successful. Social engineering will be less successful in locked buildings, in facilities with a decent level of physical security such as military facilities, and in organizations with dedicated and well-trained IT staff.
Of the following definitions, which would be an example of eavesdropping?
A. Overhearing parts of a conversation
B. Monitoring network traffic
C. Another person looking through your files
D. A computer capturing information from a sender
A. Eavesdropping is when people listen to a conversation that they are not part of. A security administrator should keep in mind that someone could always be listening and should try to protect against this.
Your company expects its employees to behave in a certain way. How could a description of this behavior be documented? A. Chain of custody B. Separation of duties C. Code of ethics D. Acceptable use policy
C. The code of ethics describes how a company wants its employees to behave. A chain of custody is a legal and chronological paper trail for evidence. Separation of duties means that more than one person is required to complete a job. An acceptable use policy is a set of rules that restrict how a network or a computer system may be used.