Securing Devices Flashcards

1
Q

Define Physical Security

A

The implementation and practice of various control mechanisms that are intended to restrict physical access to facilities and physical assets.

2
Q

What does BYOD stand for?

A

Bring your own device

3
Q

Which devices are permitted to access sensitive data?

A
  1. Phones that are either traceable and able to wipe or lock themselves after too many failed login attempts
  2. A specially designated device provided by an organisation.
4
Q

What types of credentials are required for accessing devices?

A

*User names and passwords
*security key fobs
*digital certificates
*badges
*other form of credentials in order for you to access devices.

5
Q

Which device types are acceptable for storing data?

A
  • Encrypted Devices

(Some USB flash drives automatically provide this functionality and can be decrypted when accessed by authorized personnel.)

6
Q

How to securely erase a device before disposal.

A

This will depend on the sensitivity of the data and your industry’s regulatory requirements. Even emptying the trash or formatting the drive will still leave traces of files that can be recovered by software or in a laboratory. When erasing a drive or device, use tools that can destroy data at the hardware level, or use physical destruction.

7
Q

What is digital presence?

A

Sometimes called a digital shadow or an electronic footprint, it refers to the trail of data you leave when using the internet.

Can include:
*Browser cache
*Temporarily downloaded files.
*Remnants left on public computers
*Also includes device logs.
*System operations.
*User activity.
*Info revealed from IoT device configuration.
*Also includes cloud storage. You may not be aware your files are synchronized with cloud.

8
Q

Internet of Things (IoT)

A

(Internet of Things) The network of physical objects that are embedded with sensors, software, and other technology that enables them to connect to and exchange data with other objects via the Internet or other communication networks.

9
Q

Maintaining Device Security

Device Usage:

A

*Ensure your device has not been modified to bypass normal security, e.g. jailbroken (removing software restrictions).

*Ensure location detection is enabled.

*Ensure remote wipe is enabled.

10
Q

Maintaining Device Security

Awareness:

A

*Lock unattended devices.

*Beware of shoulder surfers.

*Never access sensitive data in a public place.

*Be cautious when connecting to public Wi-Fi. Never access sensitive data on a public network.

11
Q

Maintaining Device Security

Passwords and Authentication:

A

*Set strong PINs/patterns/passwords on your device.

*Be cautious about saving passwords on your device.

12
Q

Maintaining Device Security

Data:

A

*Limit sensitive data stored on or accessed by the device.

*Use security mechanisms to protect data on your device (permissions and encryption).

*Regularly back up data to a secure location.

13
Q

Maintaining Device Security

Social Media:

A

Limit the use of social media services or device features that would allow others to track your movements and activities.

14
Q

Maintaining Device Security

Policy and Procedures:

A

Follow your organizational policy when using mobile devices or any other device.

15
Q

Maintaining Device Security

Decommissioning and Disposal:

A

Securely destroy data on your device before disposal.

16
Q

Scenario:
You just ended a lunch meeting with a client. After arriving back at your office, you realize your corporate-issued cell phone is missing. You need to decide what to do to minimize the security risk of a lost device.

What is the first step you should take after realizing that the phone is missing?

A

The first step you should take is to report the missing phone to your organization’s IT personnel.

17
Q

Scenario:
You just ended a lunch meeting with a client. After arriving back at your office, you realize your corporate-issued cell phone is missing. You need to decide what to do to minimize the security risk of a lost device.

What type of security controls could you or your company put in place to ensure that any information on the phone is protected?

A

When the phone is issued, your organization may place restrictions on the type of data that can be stored on the phone, as well as on whether that data is encrypted.
If the phone is lost or stolen, IT personnel may be able to remotely wipe or otherwise secure the data on the phone. From a user perspective, you can help protect the data on the phone by following your organization’s usage policies, as well as by upholding general guidelines like using strong passwords.

18
Q

What is Authentication?

A

Authentication is the act of proving your identity, usually to a computer system. There are three basic approaches to authentication.

It comes in one of three factors:
Something you know (password or PIN)
Something you have (a token)
Something you are (biometrics: eyes, fingerprints)

19
Q

What is Single Factor Authentication?

A

The act of authenticating your identity by using only one factor, such as a password or PIN, that will grant you access if correct.

20
Q

What is Multi Factor Authentication?

A

The act of authenticating your identity by using multiple factors, such as a PIN and a one-time code sent to your phone as an SMS.

Multi Factor Authentication requires more than one factor, each from a different category (1. from something you know; 2. from something you have).

21
Q

What is a Password?

A

Any series of letters, numbers, or special characters used to prove your identity during authentication.

22
Q

What is a personal identification number (PIN)?

A

A personal identification number (PIN) is a short numeric password. It’s typically four numbers but it can be longer. The risk of PINs is that they are very short, with a limited set of numbers to choose from. This makes them easier to crack. The longer the PIN, the longer it will take to crack, and the more secure it is.

23
Q

What is a pattern lock?

A

A pattern, also known as a pattern lock, is a series of swipes or taps you perform to log in to your device. This can be done by physically tracing the pattern on a touch screen with your finger, or by drawing a pattern using a device like a mouse.

24
Q

What is ‘Something you have’ authentication method?

A

Something you have is any authentication method that requires possession of some object in order to use. It does not require memorization or recalling information from a record. The most common object used with this factor is a smartphone. The physical phone itself is usually not the method of entry, but rather the apps that are tied to a specific phone. When a banking site sends you a text message with a one-time use code, also called a token, you are using something you have. The fact that you possess the only phone that should be receiving this text is what fulfils this factor.

25
Q

What is ‘Something you are’ authentication method?

A

Something you are is any authentication method that uses your own unique physical traits to prove that you are who you say you are. It is also referred to as biometrics. Unlike the other two factors, you’re not required to know some piece of information, nor are you required to possess some object. There are many biometric methods out there. One of the most common is facial recognition, which analyses the general shape of your face to determine whether or not it’s you.

Others may include:
*Retinal or iris scans (detect minute details in someone’s eyes)
*Fingerprint analysis

26
Q

Which of the following is an example of using multi-factor authentication?

A. Using a password and a PIN.

B. Using a one-time code from a phone app and a token from a key fob.

C. Using a passphrase and facial recognition.

D. Using an iris scan and fingerprint scan

A

C.

C is the correct answer because it is the only one that describes two methods from different factors: something you know (passphrase), and something you are (facial recognition).

27
Q

What strategies can the new hire employ to manage passwords on infrequently used systems?

A
  • A password manager
  • Recording passwords in a digital file or physical document
    that is maintained under at least as much security as is
    appropriate for the most sensitive of the credentials listed
  • Emailing them to a password-protected email account
28
Q

Data protection is often spoken of in the context of three main facets. What are they?

A

Confidentiality, Integrity and Availability.

29
Q

Confidentiality

A

The data is only accessible to authorised individuals

  • Information is not provided to unauthorised individuals
  • Restrict access of the information
  • Restrict what can be done with the information
30
Q

Integrity

A

The data has not been manipulated or falsified.

  • Ensures that the information is accurate, complete and
    reliable.
  • Seeks to protect the information source (Information
    cannot be edited/altered by an outside source) – Only can
    be edited by authorised users
31
Q

Availability

A

Resources can be accessed whenever needed by authorized users.

  • The information is accessible to authorised users when
    they need it. This can be achieved through the use of
    redundancy, disaster recovery procedures, and other
    security measures.
32
Q

List some tips that will help you store and work safely with sensitive data

A

*Lock your workstation whenever you walk away.
*Use privacy screens.
*Keep a clean desk.
*Pick up sensitive printouts and faxes immediately.
*Store sensitive data in locations approved by IT.
*Apply protections to data based on how it is classified.
*Avoid storing sensitive data on removable storage.
*Never access sensitive data on public networks.
*Never read sensitive data in public.
*Be careful when sending or replying to email containing sensitive data.
*Make sure all recipients are authorized to view the data.
*Be mindful of how sensitive data can be a part of digital presence.
*Pay attention to access/deletion alerts you may receive.

33
Q

Data Backup

A

Store files where expected or as directed by your IT department.
Discuss alternatives if solution is problematic.

34
Q

Mobile device considerations

A

*Always-on functionality creates challenges for protecting data.
*Apps need to access multiple phone features to function.
*Risk occurs when an app accesses too many features.
*Be wary of apps requesting certain permissions.
Main permissions to be wary of:
*Calendar
*Camera
*Contacts
*Location
*Microphone
*Phone
*Body sensors
*Text messages
*Storage

35
Q

Scenario:
Your assistant is resigning, and you’ve hired a replacement. You are responsible to ensure that sensitive data is retained from the departing employee, and that the new employee is trained to participate in data protection.

The departing employee’s laptop is outdated and a new one will be acquired for the new employee. The departing employee asks to keep the laptop since the company plans to dispose of it.

What security factors might you need to consider?

A

Consulting the company compliance officer or IT department for the proper procedure to thoroughly sanitize sensitive data including files, cached user credentials, and access rights.

36
Q

Scenario:
Your assistant is resigning, and you’ve hired a replacement. You are responsible to ensure that sensitive data is retained from the departing employee, and that the new employee is trained to participate in data protection.

What guidance would you give the new employee to help keep data secure?

A

*Reading through the acceptable use policy (AUP) together.
*Creating a complex password and keeping it secure.
*Being mindful of the handling of sensitive data.
*Turning off your phone when entering meetings where sensitive or confidential topics will be discussed.
*Following established procedures for the sanitization and disposal of media that may contain sensitive data.

37
Q

What is Malware?

A

Any intentionally harmful software, including computer viruses and more specialized forms of malicious software.
Can include software that:
*Corrupts systems.
*Leaks sensitive information.
*Presents annoying pop-ups.
*Performs other annoyances.

38
Q

What is a Verified Publisher?

A

A Verified Publisher is an application developer who digitally signs their software with a certificate that has been issued by a certification authority. The certificate is accepted by the organization that sells the software and is an assurance that the application comes from a reputable source.

39
Q

What is a Virus?

A

Malicious code that can replicate and cause harm to your computer. Viruses attach themselves to other files but require human intervention to spread.

40
Q

What is a Worm?

A

Similar to a virus, but does not require human intervention and can replicate itself. Also, it does not attach itself to other programs or files.

41
Q

What is Adware?

A

A type of software that automatically displays or downloads advertisements such as banners and pop-ups.

42
Q

What is Spyware?

A

A type of software that covertly gathers sensitive information about a user from their computer. One particularly malicious type of spyware is a keylogger, which captures keystrokes you enter on your keyboard and sends them to an attacker.

(Secretly collects data)

43
Q

What is a Trojan Horse?

A

Malware hidden inside an otherwise legitimate application or file. When you run the original program, the Trojan runs in the background.

44
Q

What is a Rootkit?

A

Code that is intended to take full or partial control of a system at the lowest levels. Rootkits often hide themselves from system processes, running invisibly.

45
Q

What is Ransomware?

A

A type of malicious software that blocks access to your computer or its files, usually by encrypting them, until a sum of money is paid.

46
Q

What is a Browser Hijacker?

A

Malware that changes your browser’s settings and redirects it to unwanted websites no matter what you select.

47
Q

What is Malvertisement?

A

Malware delivered through advertisements, particularly those that are web based, like pop-ups, banners, and front-loaded videos.

48
Q

List a few common sources of Malware:

A

*Trick email or website offers
*Email attachments
*Rogue (fake) antivirus programs
*Free software/music/video scams
*Free online games
*Social media postings
*Software piggybacking
*Confusing or obscured install options
*Unknown/untrusted download sites
*Links in emails and text messages
*Advertising banners
*Scripts in data files and software
*Infected hardware
*Infected autorun files
*Open and unsecured networks

49
Q

What are some effects of Malware?

A

*User annoyance and distraction
*Data corruption or destruction
*System compromise and poor performance
*Pop-up ads or browser hijacking
*Spying, logging, and data theft
*Blackmail and ransoming

50
Q

Defending against malware

Usage

A

Be familiar with the basic operation of your devices. If they suddenly behave strangely or unexpectedly, they may be infected with malware.

Ensure your device is running anti-malware software with real-time scanning functionality. Most modern anti-malware software can prevent infection by detecting and removing malware before it has a chance to harm the system.

51
Q

Defending against malware

Awareness

A
  • Read and understand dialogs and prompts before selecting buttons; be on the lookout for automatically selected check boxes or hidden options.
  • Be wary of selecting links that offer free games, applications, services, or entertainment. Hover your mouse over a link to see what URL it will take you to before selecting it.
  • Consider the source and weigh the risks of your actions. Do the risks outweigh the potential benefits? If you don’t recognize a sender, don’t select a link in the email message. If you don’t trust the person who handed it to you, don’t insert the USB flash drive into your computer. If you don’t know the vendor, don’t install the program, app, or toolbar from the link on its website.
52
Q

Defending against malware

Policies and Procedures

A

Seek guidance from your IT department or another expert before proceeding with installations or upgrades. It’s much easier to inadvertently install malware than it is to remove it.
* Always follow organizational policy with regard to installing new software.
* Follow organizational policy for backups to mitigate against ransomware.

53
Q

Scenario:
A salesperson from a vendor with whom you have no experience hands you a USB flash drive containing the vendor’s product line catalog.

What are the possible risks, and how should you proceed?

A

USB flash drives may contain data and programs, and many computers are configured to automatically run them when inserted, so there may be little or no warning before they could deliver malicious content. Even if inserted while the machine is powered down to avoid autoruns, many systems are configured to boot from such devices, which can also introduce the malware. Mitigation methods include a cost–benefit analysis of using the media—you could instead ask for a printed catalog or a website, or develop more experience with the vendor before trusting their media. Alternatively, you could ask tech support to disable the autorun feature on your computer or prevent it from being able to automatically boot from a USB drive. If unsure of how to proceed, ask your IT department for guidance and assistance.

54
Q

Scenario:
You receive an email message from someone who wants to share a file with you. The email message contains an attachment, and the body of the message explains that the file is a Word document of the latest marketing report.

What are the possible risks, and how should you proceed?

A

The message may be a phishing attempt that is trying to entice you into downloading and installing malware. Most email services are good at detecting and blocking potentially malicious attachments, but they aren’t perfect. You should verify that you know the sender and that you are actually expecting such a document. Even so, you might want to encourage this person to use more secure and trusted channels to send you the file, like a company network share or an established cloud storage location.

55
Q

Wireless Security

A

Introduces an additional risk because attackers don’t need to be physically connected.
Attacker only needs to be within the area.

(There are several types of wireless networks, such as Wi-Fi, Bluetooth®, and cellular. Wi-Fi signals can travel about 100 to 200 feet or farther; Bluetooth travels just a few meters; cellular phone signals can cover 2 to 3 miles or even more in rural areas if there is a clear line of sight to the nearest cell tower with no interference.)

56
Q

What are the 3 Wi-Fi Network Types?

A

Open:
Visible for anyone to connect to.
Usually unencrypted and has no password.
Can be open for convenience or for the public.
May be open because of a mistake or negligence.

Public:
A type of open network deliberately meant to be accessible to anyone.
Found in public places or events.

Private:
Created for specific people or organizations.
Usually encrypted and has a password.

58
Q

Wired Equivalent Privacy (WEP):

A

The original password-based Wi-Fi security method. It’s also the weakest and generally not recommended. It is less common these days, but still used in some situations.

59
Q

Wi-Fi Protected Access (WPA):

A

Also password based, it improved on the weaknesses of WEP, making it much harder to crack. It can be broken quickly if you use a weak password. It’s preferred over WEP, but is still not optimal.

61
Q

Wi-Fi Protected Access 2 (WPA2):

A

An improvement on the original WPA. It uses stronger encryption, and can replace simple passwords with device tokens. This is the most common Wi-Fi security mechanism used today.

62
Q

Wi-Fi Protected Access 3 (WPA3):

A

The most recent Wi-Fi security standard. Once again, it improves upon existing encryption methods and helps mitigate the effects of weak passwords. It also makes it easier to connect devices with no display. This is the strongest wireless security mechanism available today, but it has not yet seen widespread adoption.

63
Q

Common Wireless Network Risks - Eavesdropping:

A

Wireless signals can be picked up by malicious and legitimate users alike. Even transmissions that are encrypted can be intercepted and decrypted if the encryption method or key is weak.

64
Q

Common Wireless Network Risks - Unsecured public networks:

A

For the convenience of the general public that uses them, they are open and unencrypted. Be cautious about connecting to these networks. They are typically vulnerable to attacks and eavesdropping.

65
Q

Common Wireless Network Risks - Unsecured private networks:

A

People often don’t realize that wireless signals don’t stop outside a conference room or at a property’s edge. A neighbour or someone parked outside on the street can also make a connection.

66
Q

Common Wireless Network Risks - Rogue Wireless Access Point (WAP):

A

An unauthorized wireless access point (WAP) on a corporate or private network that can enable an attacker to eavesdrop or modify communications.

67
Q

Common Wireless Network Risks - Evil twin:

A

An evil twin is a rogue WAP set up deliberately to entice users to connect to it. Evil twins usually have names that are very similar to nearby legitimate networks. Always check the name of any network you’re connecting to before you connect.

68
Q

Common Wireless Network Risks - Remembering wireless networks

A

Your device might automatically connect, without your awareness, to an unsecured network that you previously used.

69
Q

What does WPA stand for?

A

Wi-Fi Protected Access

70
Q

What is Bluetooth?

A

A type of wireless connection.

It has low power.
Short range; around 30 feet.
Bluetooth devices work in pairs.
Commonly used to connect:
Mobile phone, headset, wireless keyboard, wireless mouse
Vulnerable to eavesdropping and data theft.

71
Q

Guidelines for Using Wireless Devices Securely
Usage:

A
  • Try to connect to WPA2 or WPA3 Wi-Fi networks if you’re able, as they’re more secure.
  • If you must use a public Wi-Fi network, avoid sending or receiving sensitive data over that connection.
  • Keep Wi-Fi passwords secure. Do not share them with unauthorized individuals.
  • Disconnect and “forget” insecure wireless networks.
  • Turn off Bluetooth altogether if you do not intend to use it.
72
Q

Guidelines for Using Wireless Devices Securely
Awareness:

A
  • Be mindful of your usage of insecure wireless communication.
  • Do not be misled into connecting to an official-sounding network—it could be an evil twin set up to maliciously gather data through unauthorized connections. Look for multiple access points with similar names or typos in the network name, or for what should have been a secure network that does not require a password.
  • Do not leave your Bluetooth device in a discoverable state. Only turn on Bluetooth discovery to pair with a specific device, and then turn the feature off.
73
Q

Guidelines for Using Wireless Devices Securely
Policies and Procedures:

A

Be aware of any applicable organizational policies regarding the use of wireless devices, and adhere to them.

74
Q

Scenario:
You are at a hotel that offers free Wi-Fi. Upon connecting to the network, you discover that it does not prompt you for a password.

What are the security risks, and what can you do to protect yourself?

A

The network is obviously open with no security. Ask the hotel staff if you have connected to the correct network. If the network appears to be an evil twin, alert the hotel of the situation. Ensure that the personal firewall on your laptop or device is on before you access any websites.

75
Q

What is the 3-2-1 backup rule?

A

There should be 3 copies of data
On 2 different media
With 1 copy being off-site