Chapter 7 Security Flashcards

1
Q

A mantrap is:

A

an area with two locking doors

2
Q

A mantrap essentially:

A

slows down the entry process in hopes that people sneaking in behind others will be thwarted before gaining entry to the secure area

3
Q

Badge readers are:

A

devices that can interpret the data on a certain type of ID

4
Q

ID badges and readers can use a variety of physical security methods, including the following:

A

Photos

Barcodes and magnetic strips

RFID technology

5
Q

Barcodes embedded on ID badges and readers enable:

A

the cards to carry a range of information about the bearers and can limit individuals’ access to only authorized areas of the building

6
Q

ID badges and readers with RFID chips can:

A

be used to open only doors that are matched to the RFID chip

7
Q

A smart card is:

A

a credit-card sized card that contains stored information and might also contain a simple microprocessor or an RFID chip

8
Q

Smart cards can be used to store:

A

identification for use in security applications

store values for use in prepaid telephone and debit card services, hotel guest room access and many other functions

9
Q

Smart cards are available in 2 form factors:

A

contact

contactless

10
Q

Contactless cards are also known as:

A

proximity cards

11
Q

Contactless card readers are usually:

A

wall mounted so users can scan their cards within 6 inches of a reader

12
Q

A smart card-based security system includes:

A

smart cards

card readers that are designed to work with smart cards

a back-end system that contains a database that stores a list of approved smart cards for each secured location

13
Q

A smart card-based security system can also be used to:

A

secure individual personal computers

14
Q

The best way to deter a thief is to:

A

use a mix of technical barriers and human interaction

15
Q

When employees enter the work area in the presence of a guard, it is more likely that:

A

the best practices will be followed and everyone will scan in and be authenticated

16
Q

Without a guard in the work area it is more common for:

A

people to hold the door for people who are recognized but say they have misplaced their IDs

17
Q

Another way to deploy guards besides in the work area is to:

A

have them watch several areas via security cameras that record access into and out of the buildings

18
Q

The easiest way to secure an area is to:

A

lock doors

19
Q

Aside from main entrances, you should also always lock:

A

server rooms

wiring closets

labs

other technical rooms when not in use

20
Q

Physical door locks might seem low tech, but they can’t be:

A

taken over by hackers

21
Q

Other precautions to take besides locking doors include:

A

documenting who has keys to server rooms and wiring closets

periodically changing locks and keys

22
Q

Cipher locks on a door use:

A

punch codes

23
Q

Biometric security refers to:

A

the use of a person’s biological information to authenticate potential users of a secure area

24
Q

The most common type of biometric security for PCs is:

A

fingerprint based

25
Examples of biometric security include:
fingerprint scanning, retina scanning, facial recognition
26
What is a token?
Any physical device that a user must carry to gain access to a specific system
27
Examples of a token are:
smart cards, RFID cards, USB tokens, key fobs
28
Where is the security slot on a laptop typically located?
near a rear corner
29
Rack-level security involves:
locking down equipment in a server rack
30
Rack-level security can be done with:
cabinets or cages with secure biometric locks or perhaps keycards that can be changed often
31
Besides cabinets or cages in a data center, what else is appropriate to use for security?
Security cameras
32
USB locks can be used to:
secure USB cables into the computer and to securely plug empty USB ports
33
Data on a computer screen can be easily protected by installing a:
privacy screen
34
A privacy screen is a:
transparent cover for a PC monitor or laptop display that reduces the cone of vision, usually about 30 degrees, so that only the person directly in front of the screen can see the content
35
Many privacy screens are also:
antiglare, helping to reduce the user's eye strain
36
Key fobs can contain:
RFID chips
37
Many key fobs are used as part of a two-step authentication protocol as follows:
The user carries a key fob that generates a code every 30 to 60 seconds. Every time the code changes on the fob, it is also matched in the authentication server. In some cases the user must also log into the fob to see the access code for an extra layer of security. The user then logs into the system or restricted area, using the randomly generated access code displayed on the key fob's LCD display.
38
An entry control roster is:
a list of individuals or representatives who are authorized to enter a secured area
39
A keypad lock on an entrance to a secure area can:
store a list of authorized PINs
40
Active Directory is:
a Microsoft solution for managing users, computers, and information access in a network
41
Active Directory is based on:
a database of all resources and users that will be managed within the network. The information in the database determines what people can see and do within the network
42
Here are the basics for Active Directory:
Login script, Domain, Group Policy, Organizational Unit (OU), Home folder, Folder redirection
43
Explain login script for Active Directory:
When a user logs onto the network, Active Directory knows who that user is and runs a login script to make the assigned resources available
44
Explain domain for Active Directory:
The domain is a computer network or group of computer networks under one administration
45
Explain Group Policy for Active Directory:
This is a set of rules and instructions defining what a user or group of users can or cannot do when logged into the domain
46
The term Group Policy Object (GPO) is:
a set of instructions assigned to a group of users or to certain machines on the network
47
Explain Organizational Unit (OU) for Active Directory:
logical groups that help organize users and computers so that Group Policy Object (GPO) may give them special access to financial records
48
Explain home folder for Active Directory:
This folder is accessible to the network administrator and is where the user's data and files are kept locally
49
Explain Folder redirection for Active Directory:
This allows for the work done by an Organizational Unit (OU) to be saved on a common folder in the domain as directed by the administrator instead of the user
50
Software tokens are different than regular tokens because:
they exist in software and are commonly stored on devices
51
An example of a software token is:
Google Authenticator which is an app that is downloaded to a device and provides a shared secret key
52
A suite of software known as mobile device management (MDM) is used for:
organizations that have many mobile devices and need to administer them such that all devices and users comply with the security practices in place
53
Good mobile device management (MDM) software does these things:
secures, monitors, manages, and supports multiple different mobile devices across the enterprise
54
Disabling ports refers to:
using a firewall appliance or software firewall to prevent specified UDP or TCP ports from being used by a service, an app, a specific device, or all devices
55
Turning off unused ports makes it:
harder for hackers to find stealth access into a machine
56
The MAC address is a:
list of six two-digit hexadecimal numbers
57
A MAC address is usually found on:
a label on the side of a network adapter
58
Because MAC addresses are unique, it is possible to:
control access to most wireless networks by allowing only certain addresses in. This process is sometimes called whitelisting
59
Some routers can be configured to block:
a list of specified MAC addresses from accessing the wired network
60
MAC address filtering can be a useful way to:
block casual hackers from gaining access to a small wireless (or wired) network, but it can be troublesome for a large network with many different devices coming into and going out of the system as each needs to be entered separately.
61
What is MAC address cloning?
The use of software to change the MAC address of a network device
62
MAC addresses are not:
encrypted and can be detected by software used to hack networks
63
MAC address filtering should not:
be relied on alone to stop serious attacks
64
Digital certificates included in software are used to:
identify the publisher
65
Most OSs display warning messages when:
an app without a digital certificate is being installed
66
To access Certificate Manager in Windows 10 follow these steps:
click the Start button, type certmgr.msc in the search field, and press Enter
67
In Windows 10 the Certificate Manager does what?
It keeps track of and checks certificates
68
Antivirus/anti-malware software for mobile devices are:
third-party applications that need to be paid for, downloaded, and installed to the mobile device
69
One of the benefits of iOS being a closed-source OS is that it can be more difficult to:
write viruses for it, making it somewhat difficult to compromise
70
A firewall is a:
physical device or a software program that examines data packets on a network to determine whether to forward them to their destination or block them
71
A one-way firewall is used to:
protect against inbound threats only
72
A two-way firewall is used to:
protect against both unauthorized inbound and outbound traffic
73
A software firewall can be:
configured to permit traffic between specified IP addresses and to block traffic to and from the Internet except when permitted on a per-program basis
74
A corporate network may use a proxy server with a firewall as:
the sole direct connection between the Internet and the corporate network and use a firewall in the proxy server to protect the corporate network against threats
75
Physical firewalls are specialized:
computers whose software is designed to quickly analyze network traffic and make forwarding decisions based on rules set by the administrator
76
Most current OSs have some sort of firewall built in, the examples are:
Windows has Windows Defender, initially configured as a one-way firewall but can be configured to work as a two-way firewall; macOS includes an application firewall; Linux includes iptables to configure netfilter, its packet-filtering framework
77
Authenticating users means:
making sure those who are logging in are truly who they say they are
78
To solve the problem of weak passwords, administrators should mandate:
strong passwords in their authentication settings
79
Strong passwords that foil casual hackers have the following characteristics:
They are at least eight characters long; every character added to this minimum makes the password exponentially safer. They include a variety of uppercase and lowercase letters, numbers, and symbols. They do not include real names and words.
80
The best type of authentication system is one that:
uses two or more authentication methods; this is known as multifactor authentication
81
Directory permissions is the term used in macOS and Linux for:
configuring the access levels a user has to a directory (folder) and individual files. In Windows, the equivalent term is file and folder permissions
82
In Linux and macOS, directory permissions include:
Read (opens file but no changes), Write (able to read and change file), Execute (runs executable file or opens directory)
83
The chmod command is used in Linux to:
change directory permissions
84
In macOS, the Get Info menu's Sharing & Permissions submenu is used to:
change directory permissions
85
In Windows, file and folder permissions on an NTFS drive include:
Full control, Modify, Read & Execute, List folder contents (applies to folders only), Read, Write
86
Data loss/leakage prevention (DLP) involves:
preventing confidential information from being viewed or stolen by unauthorized parties
87
Data loss/leakage prevention (DLP) goes beyond normal digital security methods such as firewalls and antivirus software by:
observing and analyzing unusual patterns of data access, email, and instant messaging, whether the data is going into or out of an organization's network
88
Access control lists (ACLs) are:
lists of permissions or restriction rules for access to an object such as a file or folder
89
Access control lists (ACLs) control:
which users or groups can perform specific operations on specified files or folders
90
Smart cards can be used to enable:
logins to a network, encrypt or decrypt drives, and provide digital signatures when supported by the network server
91
Email filtering can be used to:
organize email into folders automatically; block spam and potentially dangerous messages
92
Email filtering can be performed at:
the point of entry to a network with a specialized email filtering server or appliance as well as by enabling the spam and threat detection features that are built into email clients or security software
93
Applying the principle of least privilege means:
giving a user access to only what is required to do his or her job
94
An encrypted wireless network relies on:
the exchange of a passphrase between the client and the wireless access point (WAP) or router before the client can connect to the network
95
There are several standards for encryption for a network connection. They are:
WEP, WPA versions, TKIP, AES
96
There are four different authentication methods for access to a wireless network, they are:
single-factor, multifactor, RADIUS, TACACS
97
Single-factor authentication is basic:
username and password access to a computer or network
98
A multifactor authentication system uses:
two or more authentication methods and is far more secure than single-factor authentication
99
Multifactor authentication is a:
combination of the password and the digital token, which makes it very difficult for imposters to gain access to a system
100
A Remote Authentication Dial-In User Service (RADIUS) server is used for a:
user who wants to access a network or an online service. They enter a username and password when requested
101
With Terminal Access Controller Access Control System (TACACS) a user:
who was already authenticated into the network was automatically logged into other resources in the system as well
102
Malicious software, or malware is:
software designed to infiltrate a computer system and possibly damage it without the user's knowledge or consent
103
Malware is a broad term used by computer professionals to include:
viruses, worms, Trojan horses, spyware, rootkits, keyloggers, adware, other types of undesirable software
104
Ransomware uses:
malware to encrypt the target computer's files. The ransom demand might be presented after you call a bogus technical support number displayed onscreen or the ransom may be displayed onscreen
105
Trojan malware, also known as a Trojan horse is a:
malware program disguised as a "gift", usually popular videos or website links, that tricks the user into downloading a virus that might be used to trap keystrokes or transmit sensitive information
106
Keylogger viruses are:
especially dangerous because they track keystrokes and can capture usernames and passwords of unwitting users
107
A keylogger can be delivered via a:
Trojan horse, phishing, fake email attachment that the user opens
108
A rootkit is a set of:
hacking tools that makes its way deep into the computer's OS or applications and sets up shop to take over the computer
109
A rootkit is a complex:
type of malware that is difficult to detect and remove with standard malware antivirus software
110
Some rootkits do different things. For example some:
do keylogging, listen for banking information, can take over a computer completely
111
Sometimes the only solution for a rootkit is to:
wipe the drive and reinstall the OS
112
Virus is a generic term for:
any malicious software that can spread to other computers and cause trouble
113
Most virus attacks are spread with:
human assistance when users fall prey to phishing and carelessly open attachments
114
Hackers can infect multiple computers to form:
a botnet
115
Hackers use a botnet to:
cause trouble, such as by mounting denial of service attacks or spreading spam
116
Hackers who install networks of bots sometimes:
sell access to them to other hackers
117
Worms are different from other viruses in that they:
are able to self-replicate on computers and push themselves out to other computers
118
Spyware is:
software that spies on system activities and transmits details of web searches or other activities to remote computers
119
What is a good indicator of spyware?
Getting multiple unwanted pop-up windows when browsing the Internet
120
Spyware can possibly cause:
slow system performance
121
Antivirus/anti-malware programs can use some or all of the following techniques to protect users and systems:
Real-time protection to block infection; periodic scans for known and suspected threats; automatic updating on a frequent (usually daily) basis; renewable subscriptions to obtain updated threat signatures; links to virus and threat encyclopedias; inoculation of system files; permissions-based access to the Internet; scanning of downloaded files and sent/received email
122
When attempting to protect against viruses and malware, the two most important things to remember are to:
keep your anti-malware application up to date; watch out for unknown data, whether it comes via email, USB flash drive, mobile device, or some other mechanism
123
The Recovery Console allows:
you to reset your PC or boot from a recovery disk
124
Troubleshooting an infected PC can be done from a:
recovery drive
125
A recovery drive allows you to:
boot into a minimal Safe mode that does not install all applications or normal condition
126
To enable and Time Machine follow these steps:
1. Connect a suitable external disk to a macOS system. 2. When prompted, click Use a Backup Disk. You can also check the Encrypt Backup Disk box to protect the backup. 3. If you select the option to encrypt your backup in Step 2, enter a password, confirm it, and enter a password hint. Click Encrypt Disk. 4. Make sure Time Machine is turned on. After the selected disk is encrypted, the backup starts.
127
Regardless of the sophistication of physical or digital security measures, the lack of user education and an acceptable use policy (AUP) can lead to security issues. Some elements of a good AUP include the following:
Have users ask for an ID when approached in person by somebody claiming to be from the help desk, the phone company, or a service company; have users ask for a name and a supervisor name when contacted by phone by someone claiming to be from the help desk, the phone company, or a service company; provide contact information for the help desk, phone company, and authorized service companies and ask users to call the authorized contact person to verify that a service call or phone request for information is legitimate; ask users to log into systems and then provide the tech the computer rather than giving the tech login information; have users change passwords immediately after service calls; ask users to report any potential social engineering calls or in-person contacts, even if no information was exchanged
128
Users should be educated in how to do the following:
Keep antivirus, antispyware, and anti-malware programs updated; scan systems for virus, spyware, and malware; understand major malware types and techniques; scan removable media drives (such as optical discs and USB drives) for viruses and malware; disable autorun; configure scanning program for scheduled operation; respond to notifications that viruses, spyware, or malware have been detected; quarantine suspect files; report suspect files to the help desk; remove malware; disable antivirus software when needed and know when to reenable antivirus software; avoid opening attachments from unknown senders; use anti-phishing features in web browsers and email clients
129
Domain Name Service (DNS) involves:
a database containing public IP addresses and their associated domain names
130
The purpose of Domain Name Service (DNS) is to:
translate domain names used in web page requests into IP addresses
131
Domain Name Service (DNS) functions are included in:
SOHO routers, larger networks
132
Domain name servers communicate with:
other, larger, domain name servers if the requested addresses are not in their databases
133
Hackers like to capture Domain Name Service (DNS) information because:
it provides links between domain names and IP addresses
134
With Domain Name Service (DNS) records, a hacker can:
create false DNS information that can point victims to fake websites and get them to download malware or viruses
135
Six common social engineering techniques that all employees in an organization should know about are:
phishing, spear phishing, impersonation, shoulder surfing, tailgating, dumpster diving
136
The key to mitigating social engineering threats is a combination of:
ensuring employee implementing policies and protocols for handling sensitive internal information and whenever possible, using cybersecurity
137
Phishing involves:
creating bogus websites or sending fraudulent emails that trick users into providing personal, bank, or credit card information
138
Phone phishing uses:
an interactive voice response (IVR) system that the user has been tricked into calling to dupe the user into revealing information
139
Spear phishing involves:
sending spoof messages that appear to come from an internal source requesting confidential information, such as payroll or tax information
140
Phishing can be addressed with:
awareness warnings from administrators that give examples of the latest threats and education for employees about using judgment to identify suspicious messages
141
The best protection against spear phishing is:
implementing security software that identifies spear phishing mail and educating users about how to handle sensitive information within the organization
142
Impersonation happens when a hacker:
pretends to be someone the victim trusts via email, phone, or in person
143
What can help prevent impersonation attacks?
Common sense and strict policies on how to communicate sensitive information
144
Shoulder surfing is:
the attempt to view physical documents on a user's desk or electronic documents displayed on a monitor by looking over the user's shoulder
145
A common protection against shoulder surfing is:
a special privacy screen that limits the viewing range of a display
146
Tailgating occurs when:
an unauthorized person attempts to accompany an authorized person into a secure area by following that person closely and grabbing the door before it shuts
147
If the authorized person is knowingly involved, tailgating is known as:
piggybacking
148
Dumpster diving is when a person:
goes through the trash seeking information about a network or about a person with access to the network
149
A distributed denial of service (DDoS) attack occurs when:
several (up to thousands) of computers have been compromised with special malware that turns them into bots. The bots then get directions from their new master to attack with thousands of requests to a network site. The traffic is so overwhelming that the site is unreachable by normal traffic and is effectively shut down
150
A denial of service (DoS) attack involves:
one computer attacking a specific target with an overwhelming number of service requests
151
Zero day occurs when:
legitimate software is sold and distributed, it may have security vulnerabilities that are unknown. When the flaws are discovered, the users may put out alerts while the software company who made the software creates a patch. The hackers watch for those alerts and exploit the vulnerabilities before the patch is installed
152
A man-in-the-middle (MiTM) attack involves:
the attacker intercepting a connection while fooling the endpoints into thinking they are communicating directly with each other.
153
In a man-in-the-middle (MiTM) attack the attacker essentially becomes:
an authorized and undetected proxy or relay point and the attacker uses this position to capture confidential data or transmit altered information to one or both ends of the original connections
154
A brute force attack involves:
cracking passwords by calculating and using every possible combination of characters until the correct password is discovered
155
One way an administrator can block brute forcing is to:
set authentication systems to lock after a specified number of incorrect passwords are offered
156
Dictionary attacks involve:
attempting to crack passwords by trying all the words in a list, such as a dictionary
157
Dictionary attacks can be blocked by:
locking systems after a specified number of incorrect passwords are offered; requiring more sophisticated passwords that do not include identifiable information such as birthdays or family names
158
A rainbow table is used in:
an attack in much the same manner as in a brute force attack, but it is more mathematically sophisticated and takes less time
159
Rainbow tables are:
precomputed tables that can speed calculations when cracking hashes
160
Spoofing is a general term for:
malware attacks that purport to come from a trustworthy source
161
Non-compliant systems are systems that:
are tagged by a configuration manager application for not having the most up-to-date security patches installed
162
A zombie/botnet is a:
computer on the Internet that has been taken over by a hostile program so it can be used for malware distribution or distributed denial of service (DDoS) or other attacks without notification to the regular users of the computer
163
Many malware attacks attempt to turn targeted computers into:
zombies on a hostile botnet
164
The principles of access control are:
Users and groups, NTFS vs. share permissions, Shared files and folders, System files and folders, User authentication, Run as administrator vs. standard user, BitLocker, BitLocker To Go, EFS
165
There are three standard account levels in Windows
Standard, Administrator, Guest
166
Standard accounts have:
permission to perform routine tasks
167
Administrator account users can:
perform any and all tasks
168
Guest accounts are:
the most limited
169
In Windows versions up to 8.1, the power users account is:
a specific account type that has more permissions than standard users but fewer than administrators
170
In Windows 10 the Power Users group has:
been discontinued, but it is available to assign for backward compatibility
171
New Technology File System (NTFS) is:
an improved way to store files on disks over the FAT system of Windows 95
172
Permissions control both:
local and network access to files and can be set for individual users or groups
173
Each permission has two settings:
Allow, Deny
174
In some cases, an administrator must issue an explicit:
denial if the user is part of a larger group that already has access to a parent folder but needs to be kept out of a particular subfolder
175
When you copy a folder or file to a different volume:
the folder or file inherits the permissions of the parent folder it was copied to (the target directory)
176
When you copy a folder or file to a different location on the same volume:
the folder or file retains its original permissions
177
File attributes are used in Windows to:
indicate how files can be treated; specify which files should be backed up; specify which should be hidden from the normal GUI or command-line file listings, whether a file is compressed or encrypted, and so on
178
To view file attributes in Windows follow these steps:
right-click a file in File Explorer or Windows Explorer and select Properties
179
To view file attributes from the Windows command line, you should use what command?
Attrib
180
Shared files and folders have their permissions via:
the Security tab of the object's properties sheet
181
Folder and file permissions vary by user type or group and can include the following:
Full control: complete access to the contents of the file or folder; Modify: change file or folder contents; Read & Execute: access file or folder contents and run programs; List Folder Contents: display folder contents; Read: access a file or folder; Write: add a new file or folder
182
Local shares are normally configured on:
a folder or library basis in Windows
183
To connect to the administrative share, a user must:
provide a username and password for an account on that system
184
If you create a folder you can describe how the files and folders receive permissions by these two terms:
inheritance, propagation
185
To make system files and folders visible in Windows 10 follow these steps:
1. Open File Explorer. 2. In the top left, select the View tab. 3. Uncheck the boxes that are hidden that need to be viewed.
186
BitLocker software can:
encrypt the entire disk, which, after completed, is transparent to the user
187
The requirements for using BitLocker are:
A Trusted Platform Module (TPM) chip, which is a chip residing on the motherboard that actually stores the encrypted keys; or an external USB key to store the encrypted keys. Using TPM chip requires changes to Group Policy setting; and a hard drive with two volumes, preferably created during the installation of Windows
188
BitLocker software is based on:
Advanced Encryption Standard (AES) and uses a 128-bit encryption key
189
BitLocker To Go is:
removable drives and external USB drives (including flash drives) that have BitLocker functionality
190
Encrypting File System (EFS) can be used to:
protect sensitive data files and temporary files and can be applied to individual files or folders
191
Encrypting File System (EFS) files can be opened only by:
the user who encrypted them, by an administrator, or by EFS keyholders (users who have been provided with EFS certificate key for another user's account)
192
To encrypt a file in Windows 10, follow this process:
1. Right-click the file in the File Explorer and select Properties. 2. Click the Advanced button on the General tab. 3. Click the empty Encrypt Contents to Secure Data check box. 4. Click OK. 5. Click Apply. When prompted, select the option to encrypt the file and parent folder or only the file as desired and click OK. 6. Click OK to close the properties sheet.
193
Using a password generator can make:
the creation of strong passwords easier
194
The following are best practices for passwords:
Setting strong passwords; setting expiration for passwords; requiring a password to enter a computer after the screensaver appears
195
Passwords can be set up to require users to do the following:
Change passwords periodically to keep them fresh and secure
Be informed in advance that passwords are about to expire so that users can change passwords early and prevent being locked out at an inconvenient time
Enforce a minimum password length to keep passwords strong
Require complex passwords that include a mixture of letters, numbers, and special characters
Prevent old passwords from being reused continually by tracking past passwords and not allowing them
Wait a certain number of minutes after a specified number of unsuccessful logins has taken place before being able to log in again
196
User account settings, when combined with workstation security settings, help:
prevent unauthorized access to the network
197
User permissions for standard users prevent:
systemwide changes, but additional restrictions can be set with Group Policy or Local Security Policy
198
Login time restrictions can be used to:
specify when an account can be used
199
The guest account in Windows is a potential:
security risk, so it should be disabled
200
Password policy should specify that:
a user should be locked out after a specified number of failed attempts to log into an account
201
Automatic screen locking can be configured to:
take effect after a specified amount of idle time, which can help safeguard a system if a user forgets to lock the system manually
202
Default usernames and passwords for SOHO routers or other devices or services that have default passwords should be:
changed
203
After a user is created, a technician might need to perform a few common tasks which are:
Account deletion: A technician might need to completely remove a user from Active Directory
Password reset/unlock: This may need to be done when a user has forgotten a password or failed to authenticate
Disable account: It is possible to deactivate a user but keep the account and its records
204
Autorun is a feature that enables:
programs to start automatically when a CD or USB drive or flashcard is connected to a computer
205
Both Autorun and AutoPlay allow the user to:
be selective in what kinds of programs, updates, and syncs can take place
206
To disable autorun in Windows by using Local Group Policy, complete the following steps:
1. Click Start and in the search field type gpedit.msc to open the Local Group Policy Editor
2. Navigate to Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
3. Double-click the Turn Off AutoPlay setting to display the Turn Off AutoPlay configuration window
4. Click the Enabled radio button and then click OK to enable the policy named Turn off AutoPlay
207
Data encryption should be used on laptops and other systems that might be used:
outside the more secure corporate network environment
208
To encrypt folders or drives, use the following steps:
1. Right-click the folder or drive to be secured and select Properties
2. Click the Advanced button at the bottom of the General tab
3. In the Advanced Attributes dialog, select the Encrypt Contents to Secure Data check box and click OK
209
Patches and updates for OSs and applications should be:
managed centrally to prevent systems from falling out of compliance
210
Microsoft's Windows Server Update Services (WSUS) can be used for:
OS and application patches and updates for Microsoft products
211
macOS Server's Software Update service can be used for:
OS and application patches and updates for macOS machines
212
The first step in securing a mobile device is setting up the:
screen lock
213
A screen lock can be:
a pattern that is drawn on the display, a PIN (passcode lock), or a password
214
Some devices support other types of screen locking, including:
fingerprint lock and face lock
215
A swipe lock app immediately:
locks a device when the user swipes the display to one side
216
A remote wipe can be initiated from a desktop computer to:
delete all the contents of the remote mobile device
217
There are two ways to back up a mobile device. They are:
via a USB connection to a desktop or laptop
to the cloud by using a remote backup application
218
Patching/OS updates help:
protect mobile devices from the latest vulnerabilities and threats
219
With full device encryption, your data is not:
accessible to would-be thieves unless they know the passcode
220
File-based encryption is:
encryption on individual files, meaning each file has a separate encryption key, so all the phone resources do not have to be tied up in the encryption process
221
An authenticator application is used to:
receive or generate authentication codes for one or more apps or services
222
Apps downloaded from locations other than the OS app store are considered:
untrusted and should not be used if at all possible
223
Jailbreaking the phone is usually required to:
run untrusted apps
224
Jailbreaking removes:
security measures built into the phones
225
Benefits of bring your own device (BYOD) policies include:
No hardware cost to the organization
Higher usage due to employee satisfaction with their selected device
Greater productivity
226
Potential drawbacks of BYOD include:
Hidden costs of management and security
Possibility that some employees will not want to buy their own devices
227
Issues involved with organizations using corporate-owned mobile devices, BYOD, or a mixture setting are:
specifying approved devices and OS versions
requiring passwords and lock screens
requiring device encryption
support issues
when and how to remove company information when an employee leaves the organization
228
Physical destruction renders:
a mass storage device into small pieces that cannot be reconstructed, making the data inside unrecoverable
229
Physical destruction methods include the following:
Shredding
Drill/Hammer
Electromagnetic (degaussing)
Incineration
230
Electromagnetic degaussers and permanent magnet degaussers can be used to:
permanently purge information from a disk
231
Data-recycling companies can provide a:
certificate to prove compliance with local laws or institutional policies
232
As long as the data on a hard drive or other mass storage device can be rendered unrecoverable, it is not:
necessary to destroy the media itself
233
The following are some best practices for recycling and repurposing:
Low-level format vs. standard format
Overwrite
Drive wipe
234
Describe the best practices for recycling and repurposing: Low-level format
A low-level format that creates the physical infrastructure where data will be stored on a disk is performed by the drive manufacturer before the drive is shipped and cannot be performed in the field
235
Describe the best practices for recycling and repurposing: Standard format
The standard format used in OSs is a quick format. This type of format clears only the root folder
236
Describe the best practices for recycling and repurposing: Overwrite
Overwrite a hard disk's or SSD's data area with zeros
237
Describe the best practices for recycling and repurposing: Drive wipe
destroys existing data and partition information in such a way as to prevent data recovery or drive forensic analysis. Use this method when maintaining the storage device as a working device is important for repurposing (such as for donation or resale)
238
The service set identifier (SSID) can provide:
a great deal of useful information to a potential hacker of a wireless network
239
If a default SSID is broadcast by a wireless network, a hacker can:
look up the documentation for a specific router or the most common models of a particular brand and determine the default IP address range, the default administrator username and password, and other information that would make it easy to attack the network
240
To help "hide" the details of your network and location, a replacement SSID for a secure wireless network should not include any of the following:
Your name
Your company name
Your location
Any other easily identifiable information
241
Wireless Access Points (WAPs) should generally be:
placed in the middle of an office to offer the greatest coverage while reducing the chance of outsiders being able to connect to the device
242
When wireless routers' and access points' radio power levels are set too low:
clients at the perimeter of the building will not be able to gain access
243
When wireless routers' and access points' radio power levels are set too high:
computers located in neighboring businesses will be able to attempt access
244
If a wireless signal is too weak, regardless of the router location and radio power levels, and the router is older, consider:
replacing it with a new wireless router
245
Using WiFi Protected Setup (WPS) is an:
easy way to configure a secure wireless network with a SOHO router, provided that all devices on the network support WPS
246
There are several ways that WiFi Protected Setup (WPS) can be configured. The most common ways include:
PIN (enter router PIN in new device)
Push button (similar to Xbox controller sync with time span)
247
If you want to limit access to the Internet for certain computers or log activity for computers by IP address, you can:
disable the DHCP setting of handing out IP addresses to all computers connected to it
248
By default, most Wireless Access Points (WAP) and wireless routers use a feature that acts like a simple firewall called:
Network Address Translation (NAT)
249
Network Address Translation (NAT) prevents:
traffic from the Internet from determining the private IP addresses used by computers on the network
250
Many Wireless Access Points (WAP) and wireless routers offer additional firewall features that can be enabled, including:
Access logs
Filtering of specific types of traffic
Enhanced support for VPNs
251
Use port forwarding to allow:
inbound traffic on a particular TCP or UDP port or range to go to a particular IP address rather than all devices on a network
252
Port forwarding is also known as:
port mapping
253
Blocking TCP and UDP ports is also known as:
disabling ports
254
Blocking TCP and UDP ports is performed with:
a firewall app such as Windows Defender Firewall with Advanced Security
255
Windows Defender includes the following sections:
Virus & Threat Protection
Account Protection
Firewall & Network Protection
App & Browser Control
Device Security
Device Performance & Health
Family Options
256
To determine whether a WAP or wireless router has a firmware update available, follow these steps:
1. View the device's configuration dialogs to record the current firmware version
2. Visit the device vendor's website to see whether a new version of the firmware is available
3. Download the firmware update to a PC that can be connected to the device with an Ethernet cable
4. Connect the PC to the device with an Ethernet cable
5. Navigate to the device's firmware update dialog
6. Follow the instructions to update firmware
257
In a SOHO network environment, physical security refers to:
preventing unauthorized use of the network
258
The same basics of physical security apply in a SOHO network as in a large office environment. They are:
Secure the network equipment in a locked wiring closet or room
Disable any unused wall Ethernet jacks by either disabling their switch ports or unplugging the patch panels in the wiring closet
Route network cables out of sight, in the walls and above the ceiling
Lock doors when leaving
If possible, dedicate a lockable room as a workspace in a home office to protect company devices and other resources from the hazards of daily family life, such as children and pets