Chapter 15 - Policies, Procedures, and People

Question 1

Which method would you use if you were disposing hard drives as part of a company computer sale?
A. Destruction
B. Purging
C. Clearing
D. Formatting

Answer 1

B. Purging (or sanitizing) removes all the data from a hard drive so that it cannot be reconstructed by any known technique. If a hard drive were destroyed, it wouldn’t be of much value at a company computer sale. Clearing is the removal of data with a certain amount of assurance that it cannot be reconstructed; this method is usually used when recycling the drive within the organization. Formatting is not nearly enough to actually remove data because it leaves data residue, which can be used to reconstruct data.

Question 2

Which of these governs the disclosure of financial data?
A. SOX
B. HIPAA
C. GLB
D. Top secret

Answer 2

A. SOX, or Sarbanes-Oxley, governs the disclosure of financial and accounting data. HIPAA governs the disclosure and protection of health information. GLB, or the Gramm-Leach-Bliley Act of 1999, enables commercial banks, investment banks, securities firms, and insurance companies to consolidate. Top secret is a classification given to confidential data.

Question 3

Jeff wants to employ a Faraday cage. What will this accomplish?
A. It will increase the level of wireless encryption.
B. It will reduce data emanations.
C. It will increase EMI.
D. It will decrease the level of wireless emanations.

Answer 3

B. The Faraday cage will reduce data emanations. The cage is essentially an enclosure (of which there are various types) of conducting material that can block external electric fields and stop internal electric fields from leaving the cage, thus reducing or eliminating data emanations from such devices as cell phones.

Question 4

If a fire occurs in the server room, which device is the best method to put it out?
A. Class A extinguisher
B. Class B extinguisher
C. Class C extinguisher
D. Class D extinguisher

Answer 4

C. When you think Class C, think Copper. Extinguishers rated as Class C can suppress electrical fires, which are the most likely kind in a server room.

Question 5

What device will not work in a Faraday cage? (Select the best two answers.)
A. Cell phones
B. Computers
C. Pagers
D. TDR

Answer 5

A and C. Signals cannot emanate outside a Faraday cage. Therefore, cell phones and pagers will not work inside the Faraday cage.

Question 6

You go out the back door of your building and noticed someone looking through your company’s trash. If this person were trying to acquire sensitive information, what would this attack be known as?
A. Browsing
B. Dumpster diving
C. Phishing
D. Hacking

Answer 6

B. Dumpster diving is when a person goes through a company’s trash to find sensitive information about an individual or a company. Browsing is not an attack but something you do when connected to the Internet. Phishing is known as acquiring sensitive information through the use of electronic communication. Nowadays, hacking is a general term used with many different types of attacks.

Question 7

You are told by your manager to keep evidence for later use at a court proceeding.  Which of the following should you document?
A. Disaster recovery plan
B. Chain of custody
C. Key distribution center
D. Auditing

Answer 7

B. A chain of custody is the chronological documentation or paper trail of evidence. A disaster recovery plan details how a company will recover from a disaster with such methods as backup data and sites. A key distribution center is used with the Kerberos protocol. Auditing is the verification of logs and other information to find out who did what action and when and where.

Question 8

Which law protects your Social Security number and other pertinent information?
A. HIPAA
B. SOX
C. The National Security Agency
D. The Gramm-Leach-Bliley Act

Answer 8

D. The Gramm-Leach-Bliley Act protects private information such as Social Security numbers. HIPAA deals with health information privacy. SOX, or the Sarbanes Oxley Act of 2002, applies to publicly held companies and accounting firms and protects shareholders in the case of fraudulent practices.

Question 9

User education can help to defend against which of the following? (Select the three best answers.)
A. Social engineering
B. Phishing
C. Rainbow Tables
D. Dumpster diving

Answer 9

A, B, and D. Rainbow Tables are lookup tables used when recovering passwords. User education and awareness can help defend against social engineering attacks, phishing, and dumpster diving.

Question 10

Which of these is an example of social engineering?
A. Asking for a username and password over the phone
B. Using someone else’s unsecured wireless network
C. Hacking into a router
D. Virus

Answer 10

A. Social engineering is the practice of obtaining confidential information by manipulating people. Using someone else’s network is just theft. Hacking into a router is just that, hacking. And a virus is a self-spreading program that may or may not cause damage to files and applications.

Question 11

What is the most common reason that social engineering succeeds?
A. Lack of vulnerability testing
B. People share passwords
C. Lack of auditing
D. Lack of user awareness

Answer 11

D. User awareness is extremely important when attempting to defend against social engineering attacks. Vulnerability testing and auditing are definitely important as part of a complete security plan but will not necessarily help defend against social engineering and definitely not as much as user awareness training. People should not share passwords.

Question 12

Which of the following is not one of the steps of the incident response process?
A. Eradication
B. Recovery
C. Containment
D. Nonrepudiation

Answer 12

D. Nonrepudiation, although an important part of security, is not part of the incident response process. Eradication, containment, and recovery are all parts of the incident response process.

Question 13

In which two environments would social engineering attacks be most effective? (Select the two best answers.)
A. Public building with shared office space
B. Company with a dedicated IT staff
C. Locked building
D. Military facility
E. An organization whose IT personnel have little training

Answer 13

A and E. Public buildings, shared office space, and companies with employees that have little training are all environments in which social engineering attacks are common and would be most successful. Social engineering will be less successful in secret buildings, buildings with a decent level of security such as military facilities, and organizations with dedicated and well-trained IT staff.

Question 14

Of the following definitions, which would be an example of eavesdropping?
A. Overhearing parts of a conversation
B. Monitoring network traffic
C. Another person looking through your files
D. A computer capturing information from a sender

Answer 14

A. Eavesdropping is when people listen to a conversation that they are not part of. A security administrator should keep in mind that someone could always be listening and to try to protect against this.

Question 15

Your company expects its employees to behave in a certain way. How could a description of this behavior be documented?
A. Chain of custody
B. Separation of duties
C. Code of ethics
D. Acceptable use policy

Answer 15

C. The code of ethics describes how a company wants its employees to behave. A chain of custody is a legal and chronological paper trail. Separation of duties means that more than one person is required to complete a job. Acceptable use policy is a set of rules that restrict how a network or a computer system may be used.

Question 16

You are a forensics investigator. What is the most important reason for you to verify the integrity of acquired data?
A. To ensure that the data has not been tampered with
B. To ensure that a virus cannot be copied to the target media
C. To ensure that the acquired data is up-to-date
D. To ensure that the source data will fit on the target media

Answer 16

A. Before analyzing any acquired data, you need to make sure that the data has not been tampered with, so you should verify the integrity of the acquired data before analysis.

Question 17

Of the following, which type of fire suppression can prevent damage to computers and servers?
A. Class A
B. Water
C. CO2
D. ABC extinguishers

Answer 17

C. CO2 is the best answer that will prevent damage to computers because it is air-based, not water-based. CO2 displaces oxygen. Fire needs oxygen; without it the fire will go out. All the others have substances that can damage computers. However, because CO2 can possibly cause ESD damage, the best solution in a server room would be Halotron or FE-36.

Question 18

You are the security administrator for your organization. You have just identified a malware incident. Of the following, what should be your first response?
A. Containment
B. Removal
C. Recovery
D. Monitoring

Answer 18

A. Most organizations’ incident response procedures will specify that containment of the malware incident should be first. Next would be the removal, then recovery of any damaged systems, and finally monitoring that should actually be going on at all times.

Question 19

A man pretending to be a data communications repair technician enters your building and states that there is networking trouble and he needs access to the server room. What is this an example of?
A. Man-in-the-middle attack
B. Virus
C. Social engineering
D. Chain of custody

Answer 19

C. Any person pretending to be a data communications repair person would be attempting a social engineering attack.

Question 20

Employees are asked to sign a document that describes the methods of accessing a company’s servers. Which of the following best describes this document?
A. Acceptable use policy
B. Chain of custody
C. Incident response
D. Privacy Act of 1974

Answer 20

A. Acceptable use (or usage) policies set forth the principles for using IT equipment such as computers, servers, and network devices. Employees are commonly asked to sign such a document that is a binding agreement that they will try their best to adhere to the policy.

Question 21

One of the developers for your company asks you what he should do before making a change to the code of a program’s authentication.  Which of the following processes should you instruct him to follow?
A. Chain of custody
B. Incident response
C. Disclosure reporting
D. Change management

Answer 21

D. He should follow the change management process as dictated by your company’s policies and procedures. This might include filing forms in paper format and electronically, and notifying certain departments of the proposed changes before they are made.

Question 22

As a network administrator, one of your jobs is to deal with Internet service providers. You want to ensure that the provider guarantees end-to-end traffic performance. What is this known as?
A. SLA
B. VPN
C. DRP
D. WPA

Answer 22

A. An SLA, or service-level agreement, is the agreement between the Internet service provider and you, finding how much traffic you are allowed, and what type of performance you can expect. A VPN is a virtual private network. A DRP is a disaster recovery plan. And WPA is Wi-Fi protected access.

Question 23

Turnstiles, double entry doors, and security guards are all preventative measures for what kind of social engineering?
A. Dumpster diving
B. Impersonation
C. Piggybacking
D. Eavesdropping

Answer 23

C. Turnstiles, double entry doors, and security guards are all examples of preventative measures that attempt to defeat piggybacking. Dumpster diving is when a person looks through a coworker’s trash or a building’s trash to retrieve information. Impersonation is when a person attempts to represent another person possibly with the other person’s identification. Eavesdropping is when a person overhears another person’s conversation.

Question 24

When it comes to security policies, what should HR personnel be trained in?
A. Maintenance
B. Monitoring
C. Guidelines and enforcement
D. Vulnerability assessment

Answer 24

C. Human resource personnel should be trained in guidelines and enforcement. A company’s standard operating procedures will usually have more information about this. However, a security administrator might need to train these employees in some areas of guidelines and enforcement.

Question 25

In a classified environment, clearance to top secret information that enables access to only certain pieces of information is known as what?
A. Separation of duties
B. Chain of custody
C. Nonrepudiation
D. Need to know

Answer 25

D. In classified environments, especially when accessing top secret information, a person can get access to only what they need to know.

Question 26

In addition to bribery and forgery, which of the following are the most common techniques that attackers used to socially engineer people? (Select the two best answers.)
A. Flattery
B. Assuming a position of authority
C. Dumpster diving
D. Whois search

Answer 26

A and C. The most common techniques that attackers use to socially engineer people include flattery, dumpster diving, bribery, and forgery. Although assuming a position of authority is an example of social engineering, it is not one of the most common. A WHOIS search is not necessarily malicious; it can be accomplished by anyone and can be done for legitimate reasons. This type of search can tell a person who runs a particular website or who owns a domain name.

Question 27

What is documentation that describes minimum expected behavior known as?
A. Need to know
B. Acceptable usage
C. Separation of duties
D. Code of ethics

Answer 27

D. A code of ethics is documentation that describes the minimum expected behavior of employees of a company or organization. Need to know deals with the categorizing of data and how much an individual can access. Acceptable usage defines how a user or group of users may use a server or other IT equipment. Separation of duties refers to a task that requires multiple people to complete.

Question 28

You are the security administrator for your company. You have been informed by human resources that one of the employees in accounting has been terminated. What should you do?
A. Delete the user account.
B. Speak to the employee’s supervisor about the person’s data.
C. Disable the user account.
D. Change the user’s password.

Answer 28

C. When an employee has been terminated, the employee’s account should be disabled, and the employee’s data should be stored for a certain amount of time, which should be dictated by the company’s policies and procedures. There is no need to speak to the employee’s supervisor. It is important not to delete the user account because the company may need information relating to that account later on. Changing the user’s password is not enough; the account should be disabled.

Question 29

You need to protect your datacenter from unauthorized entry at all times.  Which is the best type of physical security to implement?
A. Mantrap
B. Video surveillance
C. Nightly security guards
D. 802.1X

Answer 29

A. Mantraps are the best solution listed—they are the closest to foolproof of the listed answers. Mantraps (if installed properly) are strong enough to keep a human inside until he completes the authentication process or is escorted off the premises. This is a type of preventive security control meant to stop tailgating and piggybacking. Video surveillance will not prevent an unauthorized person from entering your datacenter, it is a detective security control. Security guards are a good idea, but if they only work at night, then they can’t
prevent unauthorized access at all times. 802.1X is an excellent authentication method, but it is logically implemented as software and devices; it is not a physical security control.

Question 30

Which of the following targets specific people?
A. Pharming
B. Phishing
C. Vishing
D. Spear phishing

Answer 30

D. Spear phishing is a targeted attack unlike regular phishing, which usually works by contacting large groups of people. Pharming is when a website’s traffic is redirected to another, illegitimate, website. Vishing is the phone/VoIP version of phishing.

Question 31

Why would you implement password masking?
A. To deter tailgating
B. To deter shoulder surfing
C. To deter impersonation
D. To deter hoaxes

Answer 31

B. Password masking is when the characters a user types into a password field are replaced, usually by asterisks. This is done to prevent shoulder surfing. Tailgating is when an unauthorized person follows an authorized person into a secure area, without the second person’s consent. Impersonation is when a person masquerades as another authorized user. A hoax is an attempt at deceiving people into believing something that is false.

Question 32

Your organization already has a policy in place that bans flash drives. What other policy could you enact to reduce the possibility of data leakage?
A. Disallow the saving of data to a network share
B. Enforce that all work files have to be password protected
C. Disallow personal music devices
D. Allow unencrypted HSMs

Answer 32

C. By creating a policy that disallows personal music devices, you reduce the possibility of data leakage. This is because many personal music devices can store data files, not just music files. This could be a difficult policy to enforce since smartphones can play music and store data. That’s when you need to configure your systems so that those devices cannot connect to the organization’s network. DLP devices would also help to prevent data leakage. Network shares are part of the soul of a network, without them, there would be chaos as far as stored data. If network shares are configured properly, there shouldn’t be much of a risk of data leakage. Password protecting files is something that would be hard to enforce, and the encryption used could very easily be subpar and easily cracked. HSMs are inherently encrypted; that is their purpose. To allow an HSM would be a good thing, but there are no unencrypted HSMs.

Question 33

Which of the following requires special handling and policies for data retention and distribution?
A. Phishing
B. Personal electronic devices
C. SOX
D. PII

Answer 33

D. PII (personally identifiable information) must be handled and distributed carefully to prevent ID theft and fraud. Phishing is the attempt at obtaining information fraudulently. Personal electronic devices should be protected and secured but do not require special policies. SOX (Sarbanes Oxley) is an act that details the disclosure of banking information.

Question 34

A targeted e-mail attack is received by your organization’s CFO. What is this an example of?
A. Vishing
B. Phishing
C. Whaling
D. Spear phishing

Answer 34

C. Whaling is a type of spear phishing that targets senior executives such as CFOs. Regular old phishing does not target anyone, but instead tries to contact as many people as possible until an unsuspecting victim can be found. Vishing is the telephone-based version of phishing. Spear phishing does target individuals but not senior executives.

Question 35

One of the accounting people is forced to change roles with another accounting person every three months. What is this an example of?
A. Least privilege
B. Job rotation
C. Mandatory vacation
D. Separation of duties

Answer 35

B. Job rotation is when people switch jobs, usually within the same department. This is done to decrease the risk of fraud. It is closely linked with separation of duties, which is when multiple people work together to complete a task; each person is given only a piece of the task to accomplish. Least privilege is when a process (or a person) is given only the bare minimum needed to complete its function. Mandatory vacations are when an employee is forced to take X amount of consecutive days vacation away from the office.

Question 36

Which of the following environmental variables reduces the possibility of static discharges (ESD)?
A. Humidity
B. Temperature
C. EMI
D. RFI

Answer 36

A. Humidity (if increased) can reduce the chance of static discharges. Temperature does not have an effect on computer systems (within reason). EMI and RFI are types of interference that in some cases could possibly increase the chance of static discharge.

Question 37

You have been ordered to implement a secure shredding system as well as privacy screens.  What two attacks is your organization attempting to mitigate?
A. Shoulder surfing
B. Impersonation
C. Phishing
D. Dumpster diving
E. Tailgating

Answer 37

A. and D. The privacy screens are being implemented to prevent shoulder surfing. The secure shredding system is being implemented to mitigate dumpster diving. Impersonation is when an unauthorized person masquerades as a legitimate, authorized person. Phishing is when an attacker attempts to fraudulently obtain information through e-mail scams. Tailgating is when a person (without proper credentials) attempts to gain access to an unauthorized area by following someone else in.