Procedural and People Security Controls Flashcards

1
Q

Procedural & People Security Controls

A

Three categories of security controls: Physical controls, technical controls, and procedural/administrative controls.

  • Procedural controls focus on personnel and administrative procedures.
  • Controls can interact with technology and physical security.
  • Examples of procedural controls: Clear desk policy, password policies.
  • People within the organization can introduce risk, intentionally or unintentionally.
  • Administrative procedures that support securing people: Employment contracts, due care and due diligence, acceptable use policies, least privilege and need to know, separation of duties, job rotation, and culture.
2
Q

Which of the following is an example of a procedural control aimed at securing people within an organization?

A) Firewalls and intrusion detection systems
B) Biometric authentication systems
C) Employment contracts
D) Security cameras

A

C) Employment contracts

Procedural controls focus on administrative procedures and personnel within an organization. Options A, B, and D are technical or physical controls that do not directly address securing people. Option C, employment contracts, outlines the terms and conditions of employment, including security-related obligations, and is an example of a procedural control.

3
Q

Which of the following control measures promotes the principle of least privilege and need-to-know?

A) Firewalls and intrusion detection systems

B) Role-based access control (RBAC)

C) Security awareness training

D) Physical access controls

A

B) Role-based access control (RBAC)

The principle of least privilege and need-to-know is about granting individuals only the minimum privileges necessary to perform their job functions and providing them with access to only the information they require. Option A, firewalls and intrusion detection systems, is a technical control related to network security. Option D, physical access controls, is a physical control related to restricting access to physical locations. Option C, security awareness training, is an educational control aimed at increasing employees’ understanding of security practices.

Option B, role-based access control (RBAC), is a control measure that assigns access rights and permissions based on job roles and responsibilities. RBAC helps enforce the principle of least privilege by ensuring individuals have access to resources based on their specific job requirements.

4
Q

Employment Contracts

A

Employment contracts establish a legal relationship between the employer and the employee, outlining their roles, responsibilities, and obligations.

The contract covers important aspects such as: salary, holidays, benefits, and working conditions.

  • It sets clear expectations for both the employer and the employee, ensuring a mutual understanding of their respective responsibilities.
  • The contract should include provisions regarding employee behaviour and conduct, outlining expected standards of professionalism and ethics.
  • Acceptable Use Policies (AUPs) may be included in the employment contract, specifying the appropriate use of company resources, such as computer systems, networks, and data.
  • Non-Disclosure Agreements (NDAs) can be part of the employment contract to protect sensitive information and trade secrets.
  • Intellectual Property Issues should be addressed in the contract, clarifying ownership and rights related to any intellectual property created by the employee during their employment.
  • Compliance with legal requirements, such as employment laws, data protection regulations, and industry-specific regulations, should be stated in the contract.

Understanding employment contracts is essential for organizations to establish clear expectations, protect their interests, and ensure compliance with legal and regulatory requirements.

5
Q

Which of the following is typically addressed in an employment contract?

A) Technical specifications of company equipment

B) Company’s financial performance targets

C) Marketing strategies for product promotion

D) Confidentiality obligations

A

D) Confidentiality obligations.

Employment contracts often include provisions related to maintaining the confidentiality of sensitive information and trade secrets. These clauses help protect the company’s intellectual property and prevent the unauthorized disclosure of confidential information by employees.

6
Q

Due Care & Due Diligence:

A

A business has a duty of care to ensure the safety and well-being of employees, customers, and others associated with the business. Due diligence is the process of identifying and addressing risks through research and preparation. Failure to provide due care as a result of not carrying out due diligence can result in negligence.

  • Behaviour and Conduct:
    • A code of conduct for employees extends beyond workplace behaviour to include maintaining confidentiality, integrity, and availability.
    • Guidance should be provided on discussions held outside the office to prevent unintended disclosure of sensitive information.
    • Social media usage should be addressed, including avoiding work-related issues in posts and being cautious about sharing company-related images.
    • Corporate hospitality guidelines should be established to avoid potential allegations of bribery and corruption.
  • Acceptable Use Policies:
    • Establish directives for employees on the proper use of corporate resources, such as internet and email access.
    • Define when the corporate internet can be used for personal purposes and ensure the avoidance of accessing or downloading inappropriate material.
    • Email etiquette is important to maintain the organization’s reputation and prevent legal issues.
    • Specify the actions the company may take in case of policy violations, including different levels of infringement and potential termination.
    • Require employees to acknowledge that they have read and understood the Acceptable Use Policy (AUP).
7
Q

What is the relationship between due care and due diligence in cybersecurity?

A) Due care is the process of identifying and addressing risks, while due diligence is the legal responsibility to protect stakeholders.

B) Due care is the legal responsibility to protect stakeholders, while due diligence is the process of identifying and addressing risks.

C) Due care and due diligence are interchangeable terms used to describe the legal responsibility to protect stakeholders.

D) Due care and due diligence are unrelated concepts in the field of cybersecurity.

A

B) Due care is the legal responsibility to protect stakeholders, while due diligence is the process of identifying and addressing risks.

A business has a duty of care to ensure the safety and well-being of employees, customers, and others associated with the business. Due diligence is the process of identifying and addressing risks through research and preparation. Failure to provide due care as a result of not carrying out due diligence can result in negligence.

8
Q

“Need to Know” and “Least Privilege”

A
  1. Need to Know:
    - Need to know is a principle used to determine whether a user should be granted access to specific information.
    - Users should only be given access to information that is necessary for them to perform their job duties effectively.
    - If a user does not require access to certain information, access should not be granted.
    - Access should be granted based on the minimum level required to fulfil the job function.
    - Access should only be provided for the minimum amount of time needed to complete the task.
  2. Least Privilege:
    - Least privilege is the practice of granting users the minimum level of privileges necessary to perform their job functions.
    - Users should have access rights and permissions based on their specific roles and responsibilities.
    - By granting least privilege, the potential impact of a security breach or unauthorized access is minimized.
    - Permission creep should be avoided, which refers to the tendency to grant users more access privileges than necessary.
    - Regular reviews and audits should be conducted to ensure that access privileges are aligned with the principle of least privilege.
9
Q

Which of the following principles determines the level of access granted to users based on their job requirements and limits access to the minimum necessary?

A) Separation of Duties
B) Need to Know
C) Acceptable Use Policy
D) Role-Based Access Control

A

B) Need to Know.

The principle of “Need to Know” ensures that users are granted access only to the information necessary for them to perform their job duties, limiting access to the minimum required level.

10
Q

Which of the following best describes the principle of “Least Privilege”?

A) Granting users access to all information and resources within the organization.

B) Restricting access to only the necessary information and resources required to perform job duties.

C) Providing users with unrestricted access to all systems and applications.

D) Assigning the highest level of privileges to all users for increased flexibility.

A

B) Restricting access to only the necessary information and resources required to perform job duties.

The principle of “Least Privilege” states that users should be given the minimum level of access necessary to perform their job functions effectively, reducing the risk of unauthorized access or misuse of sensitive information.

11
Q

Separation of Duties

A
  • Separation of Duties:
    • Also known as segregation of duties.
    • Critical functions are divided among multiple staff members to prevent a single person from having enough privilege to commit fraudulent activities.
    • Examples include requiring multiple signatures for company cheques and independent testing of software development.
    • Separation should be maintained between auditors, system administrators, and users to ensure independent viewpoints and limit permissions.
  • Job Rotation:
    • Employees rotate through different roles within the organization.
    • Commonly used for interns and provides exposure to various aspects of the business.
    • Benefits include improved staff motivation, better understanding of the business, and increased resilience by having staff who can cover different roles in case of absences.

Note: These concepts help reduce the risk of fraud, increase accountability, and enhance the overall security posture of the organization.

12
Q

Which of the following best describes the concept of Separation of Duties?

A) Allowing employees to rotate through different roles within the organization.

B) Dividing critical functions among multiple staff members to prevent fraudulent activities.

C) Providing independent testing of software development for objective evaluation.

D) Giving auditors the authority to oversee all business functions without bias.

A

B) Dividing critical functions among multiple staff members to prevent fraudulent activities.

Separation of Duties is a control mechanism that ensures no single person has enough privilege to carry out activities that could lead to damage or fraud. By dividing critical functions among multiple staff members, the risk of unauthorized actions or fraudulent activities is reduced.

13
Q

What is the primary purpose of implementing separation of duties in an organization?

A) To increase collaboration and teamwork among employees.

B) To minimize the risk of fraud and unauthorized activities.

C) To streamline business processes and improve efficiency.

D) To provide employees with job rotation opportunities.

A

B) To minimize the risk of fraud and unauthorized activities.

The primary purpose of implementing separation of duties is to distribute critical tasks and responsibilities among different individuals to create a system of checks and balances. By ensuring that no single person has complete control over a process from start to finish, it reduces the risk of fraud, errors, and unauthorized activities. This control measure helps prevent conflicts of interest and increases accountability within an organization.

14
Q

Culture:

A

Organizational culture has a direct impact on the functioning of the business, including security.

Security culture is cultivated through various stages: awareness of risks/threats and duties, attitude modification, intention to comply, emphasis on compliance benefits, and eventually secure behaviour.

  • Training plays a crucial role in developing a security culture and should be provided at multiple levels throughout the employee life cycle.
  • Training should be relevant, job-specific, and focused on behavioural change rather than just awareness.
  • Effectiveness of awareness training should be measured.

Access Controls:

Procedural controls play a vital role in managing and regulating access to files and folders on the network.

  • The main objective of access controls is to ensure that only authorized individuals can access information.
  • User access controls involve mechanisms to mediate user access to files (objects).
  • Principles of IAAA (Identification, Authentication, Authorization, and Accounting) guide access control implementation.
  • Various methods can be used for user authentication, including passwords, tokens, and biometrics.
  • Access control models provide frameworks for managing access rights and permissions.
  • Administering controls involves tasks such as user provisioning, access revocation, and auditing.
  • File permissions are used to restrict or grant access to specific files or folders.
15
Q

What is the primary objective of developing a security culture within an organization?

A) Ensuring compliance with legal regulations
B) Increasing awareness of security risks and threats
C) Implementing strict access control measures
D) Promoting job rotation and cross-training opportunities

A

B) Increasing awareness of security risks and threats.

Developing a security culture within an organization involves making people aware of security risks and threats and their responsibilities in mitigating them. By increasing awareness, employees are more likely to modify their attitudes towards security, comply with security policies and procedures, and exhibit secure behaviours. A strong security culture helps foster a proactive and security-conscious workforce, reducing the likelihood of security incidents and breaches.

16
Q

Which of the following is an essential component of access controls in procedural controls?

A) Incident response procedures
B) User awareness training
C) Physical security measures
D) Network firewalls

A

B) User awareness training.

User awareness training is an essential component of access controls in procedural controls. It helps educate employees about their responsibilities, security policies, and best practices for accessing and handling sensitive information. By providing training, employees become aware of the risks, threats, and proper procedures related to access controls, which contributes to a strong security culture and reduces the likelihood of security incidents caused by human error or lack of awareness.

17
Q

Which of the following is a key aspect of access controls in procedural controls?

A) Network segmentation
B) Encryption algorithms
C) Incident response plans
D) User privilege management

A

D) User privilege management.

User privilege management is a key aspect of access controls in procedural controls. It involves defining and managing the levels of access that users have to various resources within an organization’s network. By effectively managing user privileges, organizations can ensure that users only have access to the resources necessary for their job roles and responsibilities, reducing the risk of unauthorized access or data breaches.

Network segmentation refers to dividing a network into smaller segments to enhance security and control access between different segments.

Encryption algorithms are cryptographic techniques used to protect data during transmission or storage, but they are not directly related to user access controls.

Incident response plans are procedures and guidelines that organizations follow to address and manage security incidents. While important for overall security, they are not specifically focused on access controls.

18
Q

Which of the following is an example of a technical control?

A) Security awareness training
B) Background checks for employees
C) Acceptable use policy
D) Firewall configuration

A

D) Firewall configuration.

Firewall configuration is an example of a technical control. Firewalls are network security devices that monitor and control incoming and outgoing network traffic based on predetermined security rules. By configuring firewall settings, such as defining allowed and blocked ports, protocols, and IP addresses, organizations can enforce network security policies and protect their systems from unauthorized access and malicious activities.

19
Q

Identification and Authentication

A

Identification and Authentication:
- Identification refers to the unique identity of a user on a computer system, usually in the form of a username.
- Authentication is the process of validating the user’s identity through credentials, such as a password.
- Authentication mechanisms are used to verify the user’s claimed identity.

Authorisation:
- After successful authentication, the user is granted access to the system and specific resources.
- Access tokens are assigned to users, defining their access permissions and levels.
- When accessing a resource, the user’s access token is compared against the access control list (ACL) to determine if access should be granted.

Accounting:
- Accounting involves recording and documenting user actions and system activities.
- It captures information such as who logged on, when they logged on, what resources they accessed, and when they logged off.
- Accounting provides an audit trail and helps in monitoring and tracking system usage.

IAAA Model:
- The IAAA model consists of four components: Identification, Authentication, Authorisation, and Accounting.
- Identification establishes the unique identity of a user.
- Authentication validates the user’s identity.
- Authorisation determines what resources the user can access and at what level.
- Accounting records user actions and system activities.

Remember, identification is about “who,” authentication is about “proving who they are,” authorisation is about “what they can do,” and accounting is about “when and what actions are recorded.”

20
Q

Which component of the IAAA model involves keeping a record of user actions and system activities?

A) Identification
B) Authentication
C) Authorisation
D) Accounting

A

D) Accounting.

Accounting is the component of the IAAA model that involves keeping a record of user actions and system activities. It includes logging information such as who logged on, when they logged on, what resources they accessed, and when they logged off. Accounting helps in auditing, monitoring, and tracking system usage.

21
Q

Which component of the IAAA model determines what resources a user can access and at what level?

A) Identification
B) Authentication
C) Authorisation
D) Accounting

A

C) Authorisation.

Authorisation is the component of the IAAA model that determines what resources a user can access and at what level. Once a user’s identity has been authenticated, authorisation is the process of granting or denying access to specific resources based on the user’s permissions, privileges, or assigned roles. It ensures that users have the appropriate rights and permissions to perform their authorized tasks and activities within the system.

22
Q

Which of the following is an example of an authentication factor?

A) User’s job title
B) User’s email address
C) User’s access permissions
D) User’s physical fingerprint

A

D) User’s physical fingerprint.

In the context of authentication, a physical fingerprint is an example of a biometric factor. Biometric authentication relies on unique physical or behavioural characteristics of an individual, such as fingerprints, iris patterns, or voice recognition, to verify their identity. By scanning and comparing the user’s physical fingerprint with stored biometric data, the system can authenticate the user based on this factor.

23
Q

Passwords

A

Passwords have been a common authentication mechanism, but there is a shift away from them as the sole primary authentication method.

  • Passwords were traditionally stored in clear text, but later advancements led to storing passwords in a hashed format to enhance security.
  • Basic authentication involves sending the username and password over the network, making it vulnerable to interception or sniffing.
  • Challenge-response authentication improves upon basic authentication:
    1. The server sends a challenge (random string) to the client.
    2. The client combines the challenge with the password, hashes the new string, and sends it to the server.
    3. The server verifies the received credential by comparing it with its own calculation.
    4. If the strings match, the authentication is successful.
  • Challenge Handshake Authentication Protocol (CHAP) is an example of challenge-response authentication.
24
Q

Which authentication mechanism involves sending a challenge from the server to the client, combining it with the password, and hashing the result for verification?

A) Basic authentication
B) Two-factor authentication
C) Challenge-response authentication
D) Biometric authentication

A

C) Challenge-response authentication.

Challenge-response authentication involves the server sending a challenge or nonce to the client, which is then combined with the password and hashed to create a credential string. This credential string is sent back to the server for verification. It is a more secure method compared to basic authentication as the actual password or hash does not travel over the network.

25
Q

Which authentication mechanism involves sending the username and password in plain text over the network?

A) Basic authentication
B) Challenge-response authentication
C) Biometric authentication
D) Token-based authentication

A

A) Basic authentication

The authentication mechanism that involves sending the username and password in plain text over the network is Basic authentication (option A). In Basic authentication, the credentials are not encrypted or hashed before transmission, making them susceptible to interception and unauthorized access.

26
Q

Which authentication mechanism improves upon Basic authentication by using a challenge-response process?

A) Two-factor authentication
B) Biometric authentication
C) Certificate-based authentication
D) Challenge Handshake Authentication Protocol (CHAP)

A

D) Challenge Handshake Authentication Protocol (CHAP).

CHAP is an authentication protocol that improves upon Basic authentication by using a challenge-response mechanism, where the server sends a random challenge to the client, and the client combines it with the password to generate a response. This process helps to prevent the exposure of passwords during authentication.

27
Q

Threats against passwords

A
  1. Weak, easy-to-guess passwords:
    • Weak passwords are vulnerable to dictionary attacks and brute-force attacks.
    • Users often choose simple passwords such as “123456” or “password,” which are easily guessed.
    • Passwords that include personal information like birthdates or names are also risky.
  2. Technical attacks - password cracking:
    • Password cracking involves using software or tools to systematically guess passwords.
    • Attackers can employ techniques like dictionary attacks, where common words or phrases are tried, or brute-force attacks, where all possible combinations are attempted.
    • Rainbow tables, precomputed tables of password hashes, can also be used to crack passwords quickly.
  3. Social engineering:
    • Social engineering attacks aim to manipulate individuals into revealing their passwords.
    • Techniques include phishing emails, where attackers impersonate legitimate entities to trick users into providing their passwords.
    • Shoulder surfing, dumpster diving, and impersonation are other social engineering tactics used to obtain passwords.
28
Q

Weak Passwords

A
  • Users often choose passwords that are easy to remember, such as common words or phrases.
  • Common passwords are often based on easily guessable information, like children’s names.
  • Password length plays a crucial role in password strength. A password of eight characters is no longer considered secure.
  • Passphrases are recommended as they provide increased security. A passphrase is a string of easily remembered words.
  • Passphrases are harder to crack due to their length and complexity compared to shorter passwords.
29
Q

Technical attacks against passwords

A

Password cracking involves using software programs to systematically guess passwords until the correct one is found.

Common techniques used in password cracking include:

  • Dictionary attacks: compare passwords against a dictionary file or list of common words to find a match.
  • Hybrid attacks: modify word lists by adding numbers or changing letters to increase the likelihood of finding a match.
  • Brute force attacks: try every possible combination of characters and numbers until a match is found. The time required increases with the length of the password.
  • Rainbow tables: precomputed tables of password hashes that make password comparisons faster. However, they require significant storage space to hold all possible combinations.

30
Q

Countermeasures against password threats

A
  1. Enforce strong password policies:
    • Require passwords to have a minimum length and a combination of uppercase and lowercase letters, numbers, and special characters.
    • Educate users about the importance of creating unique, complex passwords that are not easily guessable.
  2. Implement multi-factor authentication (MFA):
    • MFA adds an extra layer of security by requiring users to provide additional verification, such as a one-time password or biometric authentication, in addition to a password.
  3. Use password hashing and salting:
    • Passwords should be stored in hashed form, where they are transformed into a fixed-length string of characters.
    • Salting involves adding a random value to the password before hashing, making it harder for attackers to crack passwords using precomputed tables.
  4. Regularly update and patch systems:
    • Keep systems and applications up to date with the latest security patches to mitigate vulnerabilities that could be exploited to compromise passwords.
  5. Conduct user awareness training:
    • Educate users about password best practices, such as avoiding password reuse, regularly changing passwords, and being cautious of phishing attempts.
31
Q

Which of the following attacks against passwords involves systematically guessing all possible combinations?

A) Dictionary attack
B) Brute-force attack
C) Social engineering attack
D) Rainbow table attack

A

B) Brute-force attack.

A brute-force attack involves systematically guessing all possible combinations of characters until the correct password is found. It is a time-consuming method that tries every possible combination of letters, numbers, and symbols until a match is found.

32
Q

Which of the following is a common technical attack used to crack passwords?

A) Phishing
B) Social engineering
C) Brute force attack
D) Shoulder surfing

A

C) Brute force attack.

A brute force attack is a technique where an attacker systematically tries all possible combinations of characters to guess a password. It involves trying different passwords until the correct one is found. This method can be time-consuming and resource-intensive, but it can be effective against weak or easily guessable passwords.

33
Q

What type of attack involves an attacker tricking a user into revealing their password or other sensitive information?

A) Dictionary attack
B) Brute force attack
C) Social engineering attack
D) Phishing attack

A

C) Social engineering attack.

In a social engineering attack, the attacker manipulates or deceives the user into divulging confidential information, such as passwords, by exploiting human psychology and trust. It often involves tactics like impersonation, pretexting, or manipulation to trick the user into providing sensitive information willingly.

34
Q

Which technique involves comparing passwords against a precomputed table of password hashes for faster password cracking?

A) Dictionary attack
B) Hybrid attack
C) Brute force attack
D) Rainbow table attack

A

D) Rainbow table attack

The technique described in the question, where passwords are compared against a precomputed table of password hashes for faster password cracking, is known as a Rainbow table attack.

35
Q

Which of the following attacks against passwords involves trying every possible combination of characters and numbers until a match is found?

A) Dictionary attack
B) Hybrid attack
C) Brute force attack
D) Rainbow table attack

A

C) Brute force attack

The attack that involves trying every possible combination of characters and numbers until a match is found is called a brute force attack.

36
Q

Social Engineering

A
  1. Social engineering involves exploiting human relationships to gather information.
  2. Victims of social engineering attacks often unknowingly provide useful information to attackers.
  3. Social engineers manipulate conversations to extract passwords or other valuable information.
  4. The more a hacker knows about their target, the easier it is to obtain the password.
  5. Social media and social settings are common platforms for social engineering attacks.
  6. Social engineers use techniques such as friendship, authority, and fear to gather information.
  7. Phishing is a common form of social engineering, involving attempts to extract personal information via email or telephone.
  8. Always ensure you are communicating with a trusted party before sharing any sensitive information.
  9. Organizations should have a clearly advertised reporting channel for suspected social engineering attempts.
  10. Employee awareness training programs should educate individuals about the dangers of social engineering.

37
Q

Which of the following best describes social engineering?

a) Exploiting software vulnerabilities
b) Manipulating human behaviour to gain information
c) Using encryption techniques to protect data
d) Conducting network penetration tests

A

b) Manipulating human behaviour to gain information

Social engineering involves exploiting human relationships to gather information.

38
Q

What is the primary goal of social engineering?

a) Gaining unauthorized access to computer systems
b) Spreading malware and viruses
c) Manipulating human emotions
d) Exploiting software vulnerabilities

A

a) Gaining unauthorized access to computer systems

The primary goal of social engineering is to manipulate and exploit human behaviour to gain unauthorized access to computer systems or sensitive information. While spreading malware and viruses, manipulating human emotions, and exploiting software vulnerabilities can be tactics used in social engineering attacks, the ultimate objective is to gain unauthorized access.

39
Q

Which technique involves a social engineer pretending to be a superior to request information?

a) Friendship
b) Authority
c) Fear
d) Phishing

A

b) Authority

The technique that involves a social engineer pretending to be a superior to request information is known as the authority technique. Social engineers may impersonate someone in a position of power or authority, such as a manager, supervisor, or IT personnel, to manipulate individuals into providing sensitive information or granting access to restricted areas. This technique leverages the psychological tendency to comply with authority figures or follow instructions from higher-ranking individuals.

40
Q

Phishing is a common form of social engineering that typically involves:

a) Exploiting physical security controls
b) Extracting personal information through email or telephone
c) Manipulating social media accounts
d) Hacking wireless networks

A

b) Extracting personal information through email or telephone

Phishing is a common form of social engineering where attackers attempt to deceive individuals into providing personal or sensitive information through deceptive emails, text messages, or phone calls. The goal of phishing is to trick victims into revealing confidential data such as passwords, credit card numbers, or social security numbers. This information can then be used for various malicious purposes, such as identity theft or unauthorized access to accounts.

41
Q

How can social engineers exploit information shared on social media platforms?

a) By spreading false information
b) By impersonating friends or family members
c) By posting malicious links and attachments
d) By using targeted advertising techniques

A

d) By using targeted advertising techniques

Social engineers can exploit information shared on social media platforms by using targeted advertising techniques. Social media platforms collect vast amounts of personal information from their users, including interests, demographics, and online behaviours. Social engineers can utilize this information to create targeted advertisements that appear genuine and enticing to the individuals they are trying to exploit. These advertisements may lead to phishing websites, malware downloads, or other malicious activities. By leveraging the personal information shared on social media, social engineers can increase the chances of successful manipulation and exploitation.

42
Q

Why is it important to verify the trustworthiness of a party before sharing personal information?

a) To prevent identity theft
b) To avoid malware infections
c) To protect against phishing attacks
d) To maintain privacy and confidentiality

A

d) To maintain privacy and confidentiality

It is important to verify the trustworthiness of a party before sharing personal information primarily to maintain privacy and confidentiality. When sharing personal information, there is a risk of it being misused or falling into the wrong hands. By verifying the trustworthiness of the party, individuals can ensure that their personal information is shared only with reliable and legitimate entities who will handle it responsibly and securely. This helps in protecting sensitive data, maintaining privacy, and reducing the potential for identity theft, unauthorized access, or misuse of personal information. While options a, b, and c also play a role in the importance of verifying trustworthiness, the broader objective of maintaining privacy and confidentiality encompasses these aspects as well.

43
Q

Which of the following is a recommended measure for organizations to mitigate social engineering attacks?

a) Regularly updating software and systems

b) Implementing strong firewall configurations

c) Conducting background checks on employees

d) Providing employee awareness training programs

A

d) Providing employee awareness training programs

While all the options listed can contribute to the overall security of an organization, providing employee awareness training programs is a recommended measure specifically for mitigating social engineering attacks. Social engineering attacks heavily rely on manipulating human behavior, and by educating employees about the various tactics and techniques used by social engineers, organizations can significantly reduce the risk of successful attacks. Employee awareness training programs help individuals recognize and respond appropriately to suspicious emails, phone calls, or in-person interactions, making them less susceptible to social engineering attempts. It is an effective preventive measure that promotes a security-conscious culture within the organization. Regularly updating software and systems, implementing strong firewall configurations, and conducting background checks on employees are also important security measures but may not directly address the specific threat posed by social engineering attacks.

44
Q

Which term refers to a social engineering technique that instils fear in the victim to extract information?

a) Pretexting
b) Tailgating
c) Dumpster diving
d) Baiting

A

a) Pretexting

Pretexting refers to a social engineering technique where the attacker creates a false scenario or pretext to gain the trust of the victim and extract information. In pretexting, the social engineer often assumes a fabricated identity or role to deceive the victim and instils fear or a sense of urgency to manipulate them into sharing sensitive information. By establishing a false sense of trust and using fear as a motivator, pretexting aims to convince the victim that they are assisting a legitimate person or addressing a critical situation. The social engineer may pose as a co-worker, IT support personnel, or even law enforcement to exploit the victim’s fear and obtain confidential information.

45
Q

How can individuals protect themselves against social engineering attacks?

a) Sharing personal information with trusted parties only

b) Installing antivirus software on all devices

c) Avoiding social media platforms altogether

d) Changing passwords frequently

A

a) Sharing personal information with trusted parties only

To protect themselves against social engineering attacks, individuals should primarily focus on sharing personal information with trusted parties only. This means being cautious about whom they share sensitive information with, such as passwords, financial details, or personally identifiable information (PII). By limiting the disclosure of personal information to trusted entities, individuals can minimize the risk of their data falling into the wrong hands or being used for malicious purposes.

While installing antivirus software on devices, avoiding social media platforms altogether, and changing passwords frequently are also important security practices, they are not directly related to protecting against social engineering attacks. Antivirus software helps protect against malware and other digital threats, avoiding social media platforms reduces the exposure of personal information, and changing passwords frequently adds an extra layer of security. However, social engineering attacks focus on manipulating human behaviour, and sharing personal information with trusted parties is a crucial step in mitigating those attacks.

46
Q

Password Policy and Management:

A

Password policy defines password construction and should cover:
- Minimum password length (e.g., eight characters)
- Complexity (character sets, upper/lower case, numbers, special characters)
- Password duration (frequency of change)
- Lockout policy (number of attempts before lockout)
- Password reset procedure
- Password storage (do not write it down)

  • Password length is important; longer passwords take longer to crack, but should be balanced with user ability to remember them.
  • Password complexity is key; using a combination of upper/lower case, numbers, and special characters increases strength and makes cracking more difficult.
  • There is a trend towards not changing passwords frequently to reduce the burden on users and the help desk. However, regular password changes are still common practice in many organizations.
  • Lockout policies are used to protect against brute-force attacks; after a certain number of failed attempts, the account is locked and the user must wait or go through a reset process.
  • Password reset procedures often involve additional identity validation, such as responding to a text message or token, to ensure the correct user is resetting the password.
  • Managing multiple passwords is important, and using the same password across multiple accounts is not recommended. Password managers or vaults can securely store passwords for easy access.
  • Avoid writing passwords down in insecure locations like sticky notes attached to monitors or scraps of paper under keyboards.
  • It is crucial to protect passwords from unauthorized access and follow best practices to ensure their strength and confidentiality.

47
Q

What is the primary purpose of a password policy?

a) Ensuring all passwords are unique
b) Setting the maximum password length
c) Defining the rules for creating strong passwords
d) Determining the frequency of password changes

A

c) Defining the rules for creating strong passwords

48
Q

Which factor should be considered when determining password length?

a) User’s ability to remember the password
b) The number of characters in the user’s name
c) The complexity of the password
d) The expiration date of the password

A

a) User’s ability to remember the password

49
Q

What is the main advantage of using a password manager?

a) Automatically generating strong passwords
b) Encrypting passwords for secure storage
c) Ensuring password complexity requirements are met
d) Enforcing regular password changes

A

b) Encrypting passwords for secure storage

Password managers or vaults can securely store passwords for easy access.

50
Q

What is the purpose of a lockout policy in password management?

a) Encouraging users to change their passwords regularly
b) Preventing brute-force attacks by locking accounts
c) Increasing the maximum password length allowed
d) Requiring users to validate their identity before changing passwords

A

b) Preventing brute-force attacks by locking accounts

51
Q

Why is it important to avoid using the same password for multiple accounts?

a) It increases the risk of password guessing attacks
b) It violates password complexity requirements
c) It reduces the effectiveness of password managers
d) It exposes multiple accounts to potential compromise if one password is discovered

A

d) It exposes multiple accounts to potential compromise if one password is discovered

52
Q

What is a recommended practice for password storage?

a) Writing passwords down on sticky notes

b) Storing passwords in an unencrypted document on the computer

c) Using password managers or vaults for secure storage

d) Sharing passwords with trusted colleagues for backup purposes

A

c) Using password managers or vaults for secure storage

Password managers or vaults can securely store passwords for easy access.

53
Q

Multifactor Authentication

A

Multifactor authentication (MFA) is the use of supplementary methods along with passwords for authentication. MFA ensures the right entity is identified and authenticated by using multiple factors.

  • Authentication is based on three factors:
    • Something you know (password or PIN)
    • Something you have (smart card or token)
    • Something you are or do (biometrics)

For authentication to be multifactor, it must use factors from two or more distinct categories.

  • Examples of multifactor authentication:
    • Password and token (something you know and something you have)
    • Password and fingerprint (something you know and something you are)

  • Tokens are devices used for authentication based on possession.
    • Authentication tokens can generate codes that change periodically, requiring the entry of a valid code within a specific time period.
    • One-time passwords (OTP) are commonly used tokens that consist of a time-limited code sent to a mobile phone for authentication.
  • Smart cards, resembling credit cards with magnetic stripes or embedded chips, are another type of token that requires insertion into a reader or uses near field communication (NFC) for authentication.

54
Q

Which combination of factors would NOT qualify as multifactor authentication?

a) Password and fingerprint
b) Password and PIN
c) Password and smart card
d) Smart card and biometrics

A

b) Password and PIN

For authentication to be multifactor, it must use factors from two or more distinct categories.

  • Something you know (password or PIN)
  • Something you have (smart card or token)
  • Something you are or do (biometrics)

55
Q

What is the primary advantage of using multifactor authentication?

a) Simplicity and ease of use
b) Elimination of password requirements
c) Enhanced security by requiring multiple forms of identification
d) Reduction in authentication time

A

c) Enhanced security by requiring multiple forms of identification

56
Q

Which of the following is a common type of authentication token that generates time-limited codes for authentication?

a) Smart card
b) Biometric device
c) One-time password (OTP)
d) Password manager

A

c) One-time password (OTP)

57
Q

Biometrics

A

Biometrics can be categorized as physiological (related to the body) or behavioural (related to actions).

  • Examples of physiological biometrics include:
    • Fingerprint: Patterns on the fingertips.
    • Retina scan: Patterns at the back of the eye.
    • Iris scan: Patterns in the iris of the eye.
    • Palm vein: Patterns of veins in the hand.
    • Hand geometry: Construction and measurements of the hand.
    • Voice: Voice recognition.
    • Facial recognition: Identifying individuals based on facial features.
  • Examples of behavioural biometrics include:
    • Keystroke dynamics: Analysing typing patterns and rhythm.
    • Signature dynamics: Assessing the unique characteristics of a person’s signature on an electronic pad.
    • Gait analysis: Analysing an individual’s walking style (less commonly used for computer authentication).

58
Q

Which of the following is an example of a physiological biometric?

a) Keystroke dynamics
b) Signature dynamics
c) Retina scan
d) Gait analysis

A

c) Retina scan

Examples of physiological biometrics include:
- Fingerprint: Patterns on the fingertips.
- Retina scan: Patterns at the back of the eye.
- Iris scan: Patterns in the iris of the eye.
- Palm vein: Patterns of veins in the hand.
- Hand geometry: Construction and measurements of the hand.

59
Q

What is the primary advantage of using biometrics for authentication?

a) Ease of use and convenience
b) Low cost of implementation
c) High level of accuracy and uniqueness
d) Compatibility with all devices and systems

A

c) High level of accuracy and uniqueness

60
Q

Access Control Models

A
  1. Authentication verifies the identity, while authorization determines what actions a user can perform after authentication.
  2. Access control models include: Discretionary Access Control (DAC), Role Based Access Control (RBAC), Mandatory Access Control (MAC), and Rule Based Access Control (RuBAC).
  3. In Discretionary Access Control (DAC), the resource owner decides access to the resource based on their discretion. It is the most common access control model in Windows and Linux.
  4. Role Based Access Control (RBAC) utilizes groups to assign permissions based on job functions, making it easier to manage access for a large number of users.
  5. Mandatory Access Control (MAC) is used in environments with high security requirements, where access is granted based on labels and security clearances assigned to subjects and objects.
  6. Rule Based Access Control (RuBAC) grants access based on predefined rule sets, such as specific computers, locations, or time restrictions. A firewall could be an example of a rule-based device because the rules define what traffic will be allowed to pass through the firewall and what traffic will be specifically denied.
  7. Information classification plays a role in access control, especially in environments with sensitive information, where access is restricted based on classification labels.

61
Q

Which access control model allows the resource owner to determine access to the resource?

a) Discretionary Access Control (DAC)
b) Role Based Access Control (RBAC)
c) Mandatory Access Control (MAC)
d) Rule Based Access Control (RuBAC)

A

a) Discretionary Access Control (DAC)

In Discretionary Access Control (DAC), the resource owner decides access to the resource based on their discretion. It is the most common access control model in Windows and Linux.

62
Q

Which access control model utilizes groups to assign permissions based on job functions?

a) Discretionary Access Control (DAC)
b) Role Based Access Control (RBAC)
c) Mandatory Access Control (MAC)
d) Rule Based Access Control (RuBAC)

A

b) Role Based Access Control (RBAC)

Role Based Access Control (RBAC) utilizes groups to assign permissions based on job functions, making it easier to manage access for a large number of users.

63
Q

In which access control model is access granted based on labels and security clearances?

a) Discretionary Access Control (DAC)
b) Role Based Access Control (RBAC)
c) Mandatory Access Control (MAC)
d) Rule Based Access Control (RuBAC)

A

c) Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is used in environments with high security requirements, where access is granted based on labels and security clearances assigned to subjects and objects.

64
Q

Which access control model grants access to objects based on rule sets that must be satisfied?

a) Discretionary Access Control (DAC)
b) Role Based Access Control (RBAC)
c) Mandatory Access Control (MAC)
d) Rule Based Access Control (RuBAC)

A

d) Rule Based Access Control (RuBAC)

Rule Based Access Control (RuBAC) grants access based on predefined rule sets, such as specific computers, locations, or time restrictions.
A firewall could be an example of a rule-based device because the rules define what traffic will be allowed to pass through the firewall and what traffic will be specifically denied.

65
Q

Administrative Access and Service Accounts

A
  1. Administrative access grants higher levels of privilege to administrators compared to regular users.
    • Privileges can range from user management to full control over the operating system.
    • Additional measures are implemented to ensure a higher level of trust and assurance.
  2. Measures for ensuring the trustworthiness of administrators may include:
    • Conducting deeper background checks to verify their credentials and integrity.
    • Administering psychometric evaluations to assess their suitability for the role.
    • Implementing a higher level of oversight and auditing their activities.
    • Enforcing mandatory vacations to detect any potential cover-ups or unauthorized actions.
  3. Administrative access should be granted based on the principles of need-to-know and least privilege.
    • Instead of giving everyone full admin rights, access should be limited to what is necessary for their role.
  4. Service accounts are user accounts used by specific services within an operating system.
    • Examples include print spooling and job scheduling.
    • Service accounts should be configured in a way that prevents unauthorized access by disabling user logon capabilities.
  5. Service accounts should have limited functionality based on their specific requirements.
    • This helps mitigate the risk of abuse or misuse of service accounts.

66
Q

Which of the following measures can help provide a greater degree of assurance for individuals with administrative access?

a) Regular password changes
b) Mandatory vacations
c) Limited internet access
d) Two-factor authentication

A

b) Mandatory vacations

Mandatory vacations require individuals with administrative access to take time off from their duties. This measure can help uncover any potential unauthorized activities or cover-ups. When an individual is absent, their tasks and responsibilities are temporarily transferred to someone else, increasing the likelihood of detecting any irregularities or suspicious actions.

67
Q

What is the principle that should guide the granting of administrative access privileges?

a) Full control for all users
b) Need to know and least privilege
c) Universal access rights
d) User popularity and reputation

A

b) Need to know and least privilege

The principle of “need to know and least privilege” states that individuals should be granted only the access privileges necessary to perform their job functions. This principle helps minimize the risk of unauthorized access or accidental misuse of sensitive systems or information. By granting the minimum level of access required, the potential impact of any security breaches or mistakes is reduced.

68
Q

What is the purpose of configuring service accounts in a way that prevents user logon capabilities?

a) To reduce the number of user accounts in the system
b) To simplify the authentication process
c) To enhance accountability for service-related activities
d) To allow users to access the system using service accounts

A

c) To enhance accountability for service-related activities

Configuring service accounts to prevent user logon capabilities is done to ensure that these accounts are solely used by specific services or processes and cannot be misused by regular users. By disabling user logon capabilities, the accountability for any actions performed using service accounts is enhanced. It helps maintain the separation between user accounts and service accounts, reducing the risk of unauthorized access or malicious activities.

69
Q

File Permissions

A
  1. File and folder permissions: File and folder objects can be protected by applying individual permissions. Operating systems like Windows, Linux, and macOS have mechanisms for applying permissions.
  2. Permission categories: Permissions can be applied based on three categories:
    • User/owner: The individual who created the file or folder.
    • Group: A defined group of users who have specific access rights.
    • Everyone else: Users who do not fall into the user/owner or group categories.
  3. Permission attributes: Permission attributes determine the actions that can be performed on the object:
    • Read: Allows reading/viewing the object.
    • Write: Permits modifying the object.
    • Execute: Enables executing the object, typically used for applications.
  4. Additional Windows permissions: Windows introduces greater granularity with additional attributes, including:
    • Full control: Provides complete control over the object.
    • Delete: Allows deleting the object.
    • Special: Reserved for specific permissions.
    • Ownership: Permission to change the owner of the object.
  5. Default access: If no explicit permission is granted, access to an object is denied by default. Some operating systems have a specific deny permission that overrides all other permissions and explicitly denies access.

70
Q

Which of the following operating systems introduces greater granularity in file permissions by including attributes such as “Full control” and “Delete”?

A) Linux
B) macOS
C) Windows
D) UNIX

A

C) Windows

Windows operating system provides additional granularity in file permissions with attributes such as “Full control” and “Delete.”

71
Q

In the context of file permissions, what is the purpose of the “Read” attribute?

A) Allows modifying the file
B) Allows executing the file
C) Allows reading/viewing the file
D) Grants ownership of the file

A

C) Allows reading/viewing the file

The “Read” attribute in file permissions allows users to read/view the file content but does not permit modification or execution.

72
Q

If a user does not belong to the owner or group categories, they are classified as:

A) Superusers
B) Administrators
C) Everyone else
D) Unauthorized users

A

C) Everyone else

Users who do not fall into the owner or group categories are categorized as “everyone else” in terms of file permissions.

73
Q

Securing Access

A

There are three main types of connections to business networks:

  • Hard-wired (direct) connections require robust authentication mechanisms and encryption to protect credentials and data in transit.
  • Wireless connections can be intercepted by attackers, so proper security measures such as encryption (e.g., WPA2 or WPA3) should be used to protect wireless networks.
  • Remote access, such as VPN connections, should be used for secure communication between remote workers and the office network, with encrypted tunnels to prevent interception.

  • Protection of data involves information classification based on sensitivity and value, using labels or protective markings.
  • Training and awareness programs are essential for promoting information security within the organization.
  • Training can be provided through education (a formal process leading to qualifications), specific skills-based training, and awareness programs tailored to different audiences.
  • Information security awareness training should aim to promote a secure culture, provide awareness of secure behaviours, and help individuals identify insecure behaviours.
  • Training delivery methods can include in-person sessions, remote online training, computer-based training, or distributed materials for self-study.
  • Engagement and motivation can be enhanced through incentives and rewards for attending training sessions and passing evaluations.
  • Measuring the success of training programs can be done through tests, quizzes, evaluation of operational activities, and practical techniques such as simulated phishing campaigns.
  • Good sources of training materials and guidance can be obtained from organizations such as the National Cyber Security Centre, Getsafeonline, ENISA, and trade bodies such as the SANS Institute.

74
Q

What is the primary purpose of using encryption for wireless networks?

A) To enhance network performance
B) To prevent unauthorized access
C) To increase network coverage
D) To simplify network management

A

B) To prevent unauthorized access

Encryption is used in wireless networks to protect data transmission and prevent unauthorized access. It ensures that only authorized users with the correct encryption key can decrypt and access the transmitted data.

75
Q

Which of the following is a recommended method for securing remote access to a business network?

A) Using unencrypted connections
B) Using weak passwords for authentication
C) Implementing a Virtual Private Network (VPN)
D) Allowing unrestricted access without authentication

A

C) Implementing a Virtual Private Network (VPN)

A VPN provides a secure tunnel for remote access, encrypting the communication between the remote user and the office network. It ensures the confidentiality and integrity of data transmitted over the Internet and mitigates the risk of interception or unauthorized access.