it security defense against the digital dark arts week 6 answers

Risk in the Workplace

1. What are some examples of security goals that you may have for an organization? Check all that apply.

  • To protect customer data from unauthorized access
  • To prevent unauthorized access to customer credentials
  • To implement a strong password policy
  • To deploy an Intrusion Prevention System

2. Which of these would you consider high-value targets for a potential attacker? Check all that apply.

  • Authentication databases
  • Customer credit card information
  • Logging server
  • Networked printers

3. What's the purpose of a vulnerability scanner?

  • It protects your network from malware.
  • It blocks malicious traffic from entering your network.
  • It detects vulnerabilities on your network and systems.
  • It fixes vulnerabilities on systems.

4. What are some restrictions that should apply to sensitive and confidential data? Check all that apply.

  • It can be transferred via email.
  • It can be accessed and stored on personal devices.
  • It can be accessed and stored on personal devices.
  • It can be stored on encrypted media only.

5. What's a privacy policy designed to guard against?

  • Eavesdropping on communications
  • Misuse or abuse of sensitive data
  • Attackers stealing customer data
  • Denial-of-service attacks

6. Which of the following are actions and/or steps that can be taken to avoid leaks and disclosures when handling sensitive data?

  • Giving the employees the right tools to get their work done without compromising security.
  • Understanding what employees need to do to accomplish their jobs.
  • Giving unrestricted access to the employees handling sensitive data
  • Allowing employees to write their passwords on a post-it note

7. When evaluating the services of a vendor company, which of the following can be used to assess their security capabilities? Check all that apply.

  • Ask the vendor to complete a questionnaire
  • Assume that they’re using industry-standard solutions
  • Request full access to the vendor systems to perform an assessment
  • Ask them to provide any penetration testing or security assessment reports

8. What is the goal of mandatory IT security training for an organization? Check all that apply.

  • To punish employees with poor security practices
  • To educate employees on how to stay secure
  • To build a culture that prioritizes security
  • To avoid the need for a security team

9. Which of the following are necessary in the organization to create a culture that makes security a priority? Select all that apply.

  • Reinforce and reward behaviors that boost the security of the organization
  • A working environment that encourages people to speak up.
  • Punish employees every time they make poor security practices
  • Designated communication channels

10. A long and complex password requirement is designed to protect against _________.

  • lazy users
  • employees memory lost
  • brute force attacks
  • password reuse

11. In order to properly handle a security incident, what is the first thing that needs to happen?

  • Recover from the incident
  • Remove or eradicate the incident
  • Contain the incident
  • Detect the incident

12. After a security incident, how can an organization be protected against a similar incident occurring again in the future?

  • Update antivirus definitions.
  • Cross your fingers and hope for the best!
  • Change all account passwords.
  • Conduct a post-incident analysis.

13. In order to preserve the integrity of any forensic evidence, what should be done before analyzing a hard drive that has been compromised by a security attack?

  • Install an antivirus software
  • Format the hard drive
  • Make a virtual copy or an image of the hard drive
  • Connect the hard drive to a computer

14. Which of the following are protection that can be used on mobile devices?

  • Screen lock
  • Use the device settings to allow or deny apps access to the devices features
  • Always have bluetooth on
  • Storage encryption

15. In order to prevent further damage, the breach should be ________.

  • contained
  • recovered
  • audited
  • ignored

16. In the Payment Card Industry Data Security Standard (PCI DSS), which of these goals would benefit from encrypted data transmission?

  • Implementing strong access control measures
  • Maintaining a vulnerability management program
  • Monitoring and testing networks regularly
  • Protecting cardholder data

17. What tools can be used to discover vulnerabilities or dangerous misconfigurations in systems and networks?

  • Vulnerability scanners
  • Bastion hosts
  • Firewalls
  • Antimalware software

18. _____ is the practice of attempting to break into a system or network for the purpose of verifying the systems in place.

  • Network probing
  • Penetration testing
  • Security assessment
  • Vulnerability scanning

19. Which of the following should be part of an access data request? Select all that apply.

  • Specify exact data needed
  • Provide justification
  • Time limit
  • A second signature

20. Which of the following is recommended to secure authentication?

  • Password rotation
  • Strong encryption
  • 2-factor authentication
  • Vulnerability scanning

21. When thinking about credential theft, what is one of the greatest workplace cybersecurity risks?

  • Keylogging
  • Credential stealing text messages
  • Phishing emails
  • Blackmail

22. Which of the following actions should be included when conducting a vendor risk review? Select all that apply.

  • Ask the vendor for a cost comparison
  • Talk to the vendor’s employees
  • Ask the vendor to fill out a security questionnaire
  • Test the vendor’s hardware or software

23. What are some things that are generally included on a third party security assessment report? Select all that apply

  • User reviews
  • Third party security audit results
  • Penetration testing results
  • Customer feedback scores

24. Management wants to build a culture where employees keep security in mind. Employees should be able to access information freely and provide feedback or suggestions without worry. Which of these are great ideas for this type of culture? Select all that apply.

  • Designated mailing list
  • Posters promoting good security behavior
  • Desktop monitoring software
  • Bring your own device

25. Once the scope of the incident is determined, the next step would be _____.

  • escalation
  • containment
  • documentation
  • remediation

26. In the Payment Card Industry Data Security Standard (PCI DSS), what are the requirements for the “regularly monitor and test networks” objective? Select all that apply

  • Develop and maintain secure systems and applications
  • Regularly test security systems and processes
  • Track and monitor all access to network resources and cardholder data
  • Encrypt the transmission of cardholder data across open public networks

27. What characteristics are used to assess the severity of found vulnerabilities? Select all that apply.

  • Remotely exploitable or not
  • Use of encryption or not
  • Type of access gained
  • Chance of exploitation

28. Which of the following devices are considered a risk when storing confidential information?

Select all that apply.

  • Encrypted portable hard drives
  • Limited access file shares
  • CD drives
  • USB sticks

29. Which of the following are ways to prevent email phishing attacks against user passwords? Select all that apply.

  • User education
  • Virtual private network
  • Cloud email
  • Spam filters

30. When contracting services from a third party, what risk is the organization exposed to?

  • Zero-day vulnerabilities
  • Trusting the third party’s security
  • Malware attacks
  • DDoS attacks

31. Periodic mandatory security training courses can be given to employees in what way? Select all that apply.

  • Brief quiz
  • One-on-one interviews
  • Interoffice memos
  • Short video

32. How can events be reconstructed after an incident?

  • By reviewing and analyzing logs
  • By interviewing the people involved
  • By doing analysis of forensic malware
  • By replaying security video footage

33. What is the first step in performing a security risk assessment?

  • Logs analysis
  • Threat modeling
  • Vulnerability scanning
  • Penetration testing

34. What is penetration testing?

  • Giving network access to a bad actor for the purposes of testing.
  • Assessing computers, computer systems, networks, or applications for weaknesses.
  • Attempting to break into a system or network for the purpose of verifying the systems in place.
  • Attempting to gather credentials with phishing emails.

35. Consider the following scenario:

A co-worker needs to share a sensitive file with you, but it is too large to send via an encrypted email. The co-worker works out of a remote office. You work at headquarters. Which of these options would most likely be approved by the company’s security policies? Select all that apply.

  • Upload to company secure cloud storage
  • Upload to a personal OneDrive
  • Put on a company file server that you both have access to
  • Upload to a personal Google drive

36. Google provides free _____, which is a good starting point when assessing third-party vendors.

  • cloud storage
  • vendor security assessment questionnaires
  • mobile phone services
  • business apps

37. What are the first two steps of incident handling and response?

  • Incident eradication or removal
  • Incident recovery
  • Incident detection
  • Incident containment

38. When working on a laptop in a public area, always _____ when getting up to use the restroom.

  • Ask a coworker to watch the laptop
  • Set up a VPN
  • Lock the screen
  • Ask permission to leave

39. What is a quick way of evaluating a third party's security?

  • A comprehensive penetration testing review
  • A security assessment questionnaire
  • A signed contract
  • A manual evaluation of all security systems

40. When handling credit card payments, the organization needs to adhere to the _____.

  • ISO
  • HIPAA
  • PCI DSS
  • IEEE

41. What characteristics are used to assess the severity of found vulnerabilities? Select all that apply.

  • Remotely exploitable or not
  • Type of access gained
  • Chance of exploitation
  • Use of encryption or not

42. Which of the following are bad security habits commonly seen amongst employees in the workplace? Select all that apply.

  • Password on a post-it note
  • Log out of website session
  • Leave laptop logged in and unattended
  • Lock desktop screen

43. Which of the following are examples of security tools that can scan computer systems and networks for vulnerabilities? Select all that apply.

  • Wireshark
  • Nessus
  • OpenVAS
  • Qualys

44. Consider the following scenario:

Your company wants to establish good privacy practices in the workplace so that employee and customer data is properly protected. Well-established and defined privacy policies are in place, but they also need to be enforced. What are some ways to enforce these privacy policies? Select all that apply.

  • Print customer information
  • Audit access logs
  • Apply the principle of least privilege
  • VPN connection

45. Third-party services that require equipment on-site may require a company to do which of the following? Select all that apply.

  • Unrestricted access to the network
  • Provide additional monitoring via a firewall or agentless solution
  • Provide remote access to third-party service provider
  • Evaluate hardware in the lab first

46. What are some behaviors to be encouraged in order to build a security-conscious culture? Select all that apply.

  • Locking your screen
  • Shaming people who haven’t done a good job of ensuring their company’s security
  • Checking website URLs when authenticating
  • Asking security-related questions

Leave a Reply