Chapter 8 Flashcards
We further need to protect information and environments from…
Employees, contractors, partners, customers, service providers, and others
Inappropriate actions of human beings may compromise our security
What is an RSA breach?
An example of a social engineering (spear-phishing) attack
Attackers compromised RSA's corporate environment and stole information about its SecurID hardware authentication tokens
We need a solid security awareness and training program to…
avoid social engineering attacks
We need to consider following items to build security awareness among users
o protecting data
o passwords
o social engineering
o network usage
o malware
o the use of personal equipment
o clean desk
o policy knowledge
Data protection is essential in business because of
o Reputation and customer retention
o Avoiding penalties
What are the practices of Data Protection?
o Regular training to educate employees and users
o Gamification techniques may be considered to increase user participation
Most OSs and tools enforce certain levels of password strength:
at least eight characters, at least one upper case, at least one lower case, at least one symbol, at least one number
Balance the complexity of the password with the importance of what is being protected. For example…
bank account vs family photos
Use a policy of resetting password in a _____ interval
regular
We can stipulate that new passwords cannot be a _____ of the previous 10 passwords used
variation
Users’ Mistakes include:
- Write their password down and stick it to the underside of their keyboard
- Passwords being shared among users
- Passwords being created based on pet names, birthdates, or other such personal information
- A more damaging user behaviour is manually syncing passwords (reusing the same password) between systems or applications
- Train employees and users to avoid the above actions
- Users also need to use strong passwords in every application and system
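The password rules above (at least eight characters with upper case, lower case, a digit and a symbol; no reuse of the last 10 passwords; no variation of the previous one) can be enforced at change time. The following is an added example, not code from the course or any real product. It assumes the history of old passwords is kept only as salted PBKDF2 hashes, so exact reuse is detected by hashing; the "variation" rule can only be tested against the current password, which the user supplies in plaintext when changing it (the edit-distance threshold of 3 is an assumed value).

```python
"""Password-change policy checks (added example). Assumptions: rules as listed
in the flashcards; history stored as (salt, pbkdf2 digest) tuples; a 'variation'
is a new password within MIN_EDIT_DISTANCE edits of the current one."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8
HISTORY_SIZE = 10
MIN_EDIT_DISTANCE = 3  # assumed threshold: fewer edits than this counts as a variation


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 so the stored history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def complexity_errors(password: str) -> list:
    """Return the complexity rules the password fails (empty list = passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no upper-case letter")
    if not any(c.islower() for c in password):
        errors.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in string.punctuation for c in password):
        errors.append("no symbol")
    return errors


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches 'Summer2023!' -> 'Summer2024!' style changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def in_history(password: str, history: list) -> bool:
    """Exact reuse of one of the last HISTORY_SIZE passwords, compared by hash."""
    for salt, digest in history[-HISTORY_SIZE:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def validate_change(old_password: str, new_password: str, history: list) -> list:
    """Return all policy violations for a proposed change; [] means acceptable.
    Caveat: only the current password is available in plaintext at change time,
    so the variation test runs against it; older entries are checked for exact
    reuse only, via their hashes."""
    errors = complexity_errors(new_password)
    if in_history(new_password, history):
        errors.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    if edit_distance(old_password.lower(), new_password.lower()) < MIN_EDIT_DISTANCE:
        errors.append("too similar to the current password")
    return errors


if __name__ == "__main__":
    history = [hash_password("Summer2023!")]          # constructed sample history
    print(validate_change("Summer2023!", "Summer2024!", history))
    print(validate_change("Summer2023!", "Tr0ub4dor&3xyz", history))
```

Because the variation test needs plaintext, a system that only stores hashes cannot retroactively detect that a user is cycling through small variations of an old password; the check has to run at the moment of change, which is why the function takes the current password as input.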
Social Engineering refers to…
psychological manipulation of people into performing actions or divulging confidential information
•”Any act that influences a person to take an action that may or may not be in their best interests”
Pretexting means:
Attackers establish fabricated scenarios to access victim’s sensitive information
Direct pretexting:
face-to-face communication
- Attacker’s confidence or body language is important
Indirect pretexting:
Over some communication medium
over the phone or through e-mail
Pretexting requires…
strong communication and psychological skills, specialized knowledge, and a quick mind in order to be successful
Phishing happen mostly through…
e-mail, text messages, or phone calls (electronic communications)
Phishing involves convincing the potential victim to click on a link in the e-mail to…
send the victim to a fake site designed to collect personal information or credentials, or to have the victim install malware on their system
Fake sites usually imitate well-known websites
Some sites are cleverly crafted; thus, difficult to distinguish from the legitimate pages that they are imitating
If the fake sites are not relevant for target victims, the attack will not be ______
successful
Spear phishing is a…
targeted attack against a specific company, organization, or person
The requirements for spear phishing are…
advance research on the target so that the attack appears legitimate
The fake site may look valid
e-mail must be seen to come from a valid sender
E.g., from human resources, a manager, the corporate IT support team, a peer, or a friend
Tailgating is…
The act of following someone through an access control point
E.g., secure door
Tailgating is common in locations that use _____ access controls
technical
Tailgating attackers may play on the _______ of others
sympathies
Network Usage involves…
wired vs. wireless OR closed vs. open networks
Institute, hotel, airport etc.
An enterprise network gives _____ from outsiders.
o Foreign devices are not ______ in the corporate network
o Offer an alternative network, e.g., a _____ wireless network
protection
allowed
guest
To protect resources when on outside networks, one must:
o Implement a VPN to access the corporate network
o Configure the VPN client to automatically connect the device to the VPN whenever it finds itself on a foreign network
Users' awareness of which devices they connect to which networks is important, as is how they handle _____ data that these devices might contain
sensitive
We must train users about some _____ ____ to avoid malware
common items
Common items for malware are (5 items):
1) E-mail attachments from people that you do not know
2) E-mail attachments containing certain file types (exe, zip, pdf, etc.)
3) Web links using shortened URLs such as http://bit.ly, or web links using names that differ slightly from what we expect (myco.org when we expect myco.com)
4) Smart phone applications from nonofficial download sites
5) Pirated software
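Item 3 above (shortened URLs and look-alike domain names) is something that can be checked mechanically before a user clicks. The block below is an added example, not course material or any vendor's tool; the shortener list, the expected domain `myco.com`, and the similarity cut-off of 0.7 are constructed for the example. It flags three things the flashcard warns about: known URL shorteners, domains that are near-misses of our own (myco.org for myco.com), and our own domain name buried as a subdomain of somebody else's (myco.com.evil.net).

```python
"""Classify links the way the malware-awareness list suggests (added example).
Assumptions: SHORTENERS and EXPECTED_DOMAINS are constructed sample data and
LOOKALIKE_THRESHOLD is an assumed cut-off for difflib similarity."""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # constructed sample list
EXPECTED_DOMAINS = {"myco.com"}                            # constructed: our own domain
LOOKALIKE_THRESHOLD = 0.7                                  # assumed similarity cut-off


def host_of(url: str) -> str:
    """Extract the lower-cased host; tolerate links pasted without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'login.myco.com' -> 'myco.com' (multi-part TLDs ignored)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return one of: shortened-url, trusted, expected-domain-as-subdomain,
    lookalike, unknown. Order matters: shorteners hide the real target, so they
    are reported before anything else."""
    host = host_of(url)
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        return "shortened-url"
    if domain in EXPECTED_DOMAINS:
        return "trusted"
    for expected in EXPECTED_DOMAINS:
        # myco.com.evil.net: our name is only a subdomain of the attacker's domain
        if host.startswith(expected + ".") or ("." + expected + ".") in host:
            return "expected-domain-as-subdomain"
        # myco.org / myc0.com: close enough to the real name to fool a quick glance
        similarity = SequenceMatcher(None, domain, expected, autojunk=False).ratio()
        if similarity >= LOOKALIKE_THRESHOLD:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ["http://bit.ly/3xyz", "https://login.myco.com/reset",
                 "https://myco.org/reset", "https://myco.com.evil.net/login"]:
        print(f"{link:40} -> {classify_link(link)}")
```

A result of `unknown` is not a clean bill of health; it only means the link matched none of the patterns the flashcard lists, which is exactly the case where the "contact the helpdesk" advice applies.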
Contact ______ for assistance in the presence of unfamiliar items
helpdesk
Depending on policies employees may connect their ______ equipment to corporate or guest network
personal
Noncorporate-owned devices such as vendor laptops or MP3 players may take a bit more work to ________
communicate
Data needs to be handled appropriately regardless of ________ ___ _________ form
electronic or non-electronic
Sensitive information is not to be left out on a desk when it is to be _______ for any significant period of time
unattended
Sensitive data on physical media such as paper or tape needs to be disposed of via
use of shred bins, data destruction services, media shredders, and so on
How do you convey policies and regulations with which an organization must comply?
Convey most critical information
Some portion of this critical information should be condensed and communicated directly to users as a policy crib notes or highlights reel
We need to modify the behavior of users in our environments in the direction of being more ______
secure
The security awareness and training program may consist of…
instructor-led or computer-based training
Security training must happen…
o during the new-employee onboarding process
o at some regular interval
o followed up by a mandatory quiz or attestation of understanding by the person taking the training
An effective way of training employees about security is
the gamification for training and educating users
Humans are considered____when it comes to cyber security
a. Strong link
b. Weak link
c. Liability
d. Asset
b. Weak link
In business, data protection is essential because of
a. Reputation
b. Customer retention
c. Saving money
d. None of the above
a. Reputation
b. Customer retention
A policy of changing password every _________ in a university with 30,000 users is considered a good practice.
a. 15 days
b. 30 days
c. 90 days
d. 120 days
c. 90 days
______ is the act of unauthorized individuals entering a restricted-access building following an authorized individual.
a. Tailgating
b. Pretexting
c. Vishing
d. Dumpster Diving
a. Tailgating
In order to avoid malware, you must
a. Use pirated software
b. Download an exe
c. Avoid shortened URLs
d. None of the above
c. Avoid shortened URLs
Why might we not want to allow personal equipment to be attached to the network of our organization
Answer: A personal device may not have proper security and firewall configuration, so it can become the path by which the enterprise network is compromised: attackers can reach the secured enterprise network through the unsecured personal device. The enterprise can instead provide a guest wireless network, isolated from the corporate network, to support employees' personal equipment.
Why is it important not to use the same password for all of our accounts?
Answer: Using the same password for different services and applications is a bad practice. If the password is somehow disclosed or one of our accounts is compromised, then all our accounts can be compromised. It is better to use different and strong passwords for different accounts.
Why might using the wireless network in a hotel with a corporate laptop be dangerous?
Answer: The Wi-Fi in hotels, cafes, or airports is typically either an open network (no encryption at all) or one protected by a shared WPA/WPA2 passphrase that every guest knows. Either way, other guests sit on the same network, which makes these locations sweet spots for packet sniffing and man-in-the-middle attacks such as rogue access points that impersonate the hotel network. If someone connects a corporate device holding sensitive information to such Wi-Fi without a VPN, an attacker on the same network can intercept that information.