Information Security Basics Quiz

Questions and Answers

What is one of the primary goals of information security awareness?

  • To maintain awareness and skills among employees (correct)
  • To minimize employee salaries
  • To manage social media accounts
  • To increase internet speed

Which type of malware is NOT discussed in the session agenda?

  • Spyware
  • Worms
  • Zombie malware (correct)
  • Viruses

What was highlighted as a top security concern in 2015?

  • Increased hardware sales
  • New software installations
  • Top security breaches (correct)
  • Social media marketing

Which of the following is considered a human-based attack?

  • Phishing attacks (correct)

Which of the following is NOT a security tip mentioned in the session?

  • Using HTTP instead of HTTPS (correct)

What does 'clearing your screen' refer to in the context of security tips?

  • Ensuring no sensitive information is visible (correct)

Which security measure is recommended for protecting mobile devices?

  • Installing security software (correct)

What is a key component of incident reporting?

  • Documenting security incidents (correct)

What does 'business continuity' refer to in the context of information security?

  • Continuing operations after security incidents (correct)

What should you do to protect sensitive data?

  • Always back up sensitive data (correct)

Which action should you take when stepping away from your workstation?

  • Lock the workstation using Windows key + L (correct)

Why is it important to keep your operating system and applications updated?

  • To ensure they contain the latest security patches (correct)

What is a recommended practice when using strong passwords?

  • Keep it separate from your personal account passwords (correct)

What should you avoid when charging your smartphone?

  • Charging from the PC (correct)

What percentage of information security is attributed to behavior rather than technology?

  • 80% (correct)

What security measure should be taken for a strong password?

  • At least 8 characters (correct)

Which statement is true regarding social networking security?

  • Limit the personal information you post (correct)

What is one recommended action for email security?

  • Contact the sender if you are unsure about an attachment (correct)

What does the Web of Trust (WOT) help users determine?

  • Which websites are trusted, for safe browsing (correct)

Which of the following is a suggestion for mobile phone security?

  • Always use a screen lock (correct)

What is a best practice for physical security at a workstation?

  • Always lock the workstation when leaving (correct)

What should you do with sensitive documents after use?

  • Shred them for disposal (correct)

Which of the following is NOT a recommended practice for mobile security?

  • Plug your phone into any PC (correct)

Which characteristic is essential for a password phrase?

  • A mix of characters and words (correct)

What precaution should be taken regarding third-party applications in social networking?

  • Limit the sharing of personal data (correct)

What is the first step in incident reporting?

  • Report (correct)

What is an example of a successful phishing attack?

  • A customer complaining about an unauthorized transfer (correct)

What does the acronym IRC stand for in incident reporting?

  • Incident Response Coordinator (correct)

Which of the following reflects a countermeasure to information security risks?

  • Proactively identifying potential leaks (correct)

What is one common misconception about digital information?

  • That it is inherently safe from attacks (correct)

What is a key characteristic of digital information?

  • It is easy to leak (correct)

Which of the following is a type of social engineering attack?

  • Shoulder surfing (correct)

When a phishing email is detected, what is the typical content of the email?

  • A request for account verification (correct)

What should be avoided when dealing with potential security incidents?

  • Delayed action (correct)

What is a characteristic of phishing emails?

  • A forged sender address (correct)

Which department usually addresses an incident after it has been reported?

  • Repair and Support Unit (RSU) (correct)

What does APT stand for in information security?

  • Advanced Persistent Threat (correct)

What does successfully falling for phishing lead to?

  • Unauthorized financial transfers (correct)

The first line of defense against social engineering attacks is:

  • Staff awareness and training (correct)

Which method is NOT considered a form of information gathering for phishing?

  • Online purchase transactions (correct)

What should be reported as a potential sign of an APT attack?

  • Odd user behavior after hours (correct)

Which of the following is NOT a human-based social engineering attack method?

  • Online scams (correct)

What is a common tactic of an attacker who conducts a phishing campaign?

  • Using forged content (correct)

Which of the following is a countermeasure against APTs?

  • Reporting strange user activity (correct)

Which of the following tactics is used in dumpster diving?

  • Collecting discarded documents (correct)

Study Notes

Information Security Goals

  • Maintain an appropriate level of knowledge and skills among employees and managers
  • Ensure business continuity if information security incidents occur

Types of Malware

  • Covered in the session agenda: viruses, worms and spyware (see the quiz above)

Advanced Persistent Threat (APT)

  • An attack in which unauthorized actors gain access to the network and stay undetected for a long time in order to steal data
  • Often uses social engineering to obtain legitimate credentials and enter the network through normal channels
  • Establishes a backdoor once access is achieved
  • Countermeasures: report odd user behavior (for example activity after hours), stay alert to social engineering attempts, and remember that disclosing information or credentials can compromise the entire information system

Top Security Breaches of 2015

  • Not mentioned in provided material

Social Engineering

  • Human based attacks:
    • Information gathering (Social media vectors)
    • Shoulder surfing
    • Dumpster diving
    • Impersonation
    • Phishing
  • Computer based attacks:
    • Online Scams

Incident Reporting

  • Report, fix, follow-up
  • Repair and Support unit (RSU)
  • Incident Reporting Coordinator (IRC)
  • Concerns about business line

Security Tips & Counter-measures

  • HTTPS:
    • Protects you by encrypting the information sent between your computer and the website
  • WOT (Web of Trust):
    • Shows a colored traffic light to indicate the trustworthiness of a website
  • Social networking security:
    • Limit the amount of personal information you post
    • Be cautious of third-party applications
    • Use strong passwords
    • Check privacy policies
  • Password security:
    • At least 8 characters
    • Mix of upper and lowercase characters
    • Mix of alpha and numeric characters
    • Don't use dictionary words
    • Change passwords frequently
    • Don't share or reuse passwords
    • Use different passwords for different accounts
    • Don't write down passwords
    • Use password phrases
  • Clear desk & clear screen:
    • Clear away paperwork
    • Use shredders when disposing of sensitive documents
    • Lock desks and filing cabinets
    • Lock away portable devices such as tablets
    • Lock your workstation when you leave
    • Make sure no documents are left in the printer
    • Treat mass storage devices (CD-ROMs, DVDs, USB drives) as sensitive and secure them in a locked drawer
  • Email Security
    • Never open an attachment from an unknown sender
    • Make sure the email references the attachment
    • Don't hesitate to contact the sender of an email that contains an attachment
    • Never send anyone your personal data (name, address, phone number, password, account numbers)
    • In case of suspicion, contact the IT department or the information security officer
  • Mobile threat & security:
    • (Chart in the session: number of malicious installation packages and new malicious programs detected, Q3 2014 – Q1 2015; figures not reproduced here)
    • Never plug your phone into the PC
    • Download applications only from trusted sources
    • Install antimalware controls
    • Never store business-related documents on your phone
    • Always change the factory pin code (0000)
    • Always use a screen lock
    • Install locking features
    • Use secure messaging applications
    • Secure personal email
  • How to protect your PC:
    • Always back up sensitive data
    • Always lock your workstation when away from your desk
    • Ensure that antivirus definitions are updated regularly
    • Reboot your system after applying new updates
    • Use a strong password and keep it separate from the passwords used for personal accounts
    • Never charge smartphones from the PC
    • Never insert a USB or any storage device into your PC
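
The password rules above (length, mixed case, letters and digits, no dictionary words, passphrases made of several words plus other characters) are easy to encode as a checker, which is how a help desk or onboarding script would apply them. The following is an added example, not code from the session: the word list is a tiny constructed stand-in for a real dictionary or breached-password list, and the rule thresholds are the session's.

```python
"""
Added example (not the lesson's own material): a checker for the password
rules the lesson lists.  COMMON_WORDS is a constructed stand-in for a real
dictionary or breached-password list.
"""
import re

# Constructed stand-in for a dictionary / breached-password list
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "admin"}

MIN_LENGTH = 8  # the lesson's "at least 8 characters"


def check_password(pw: str, wordlist: set[str] = COMMON_WORDS) -> list[str]:
    """Return the lesson's rules that pw violates (empty list = acceptable)."""
    failures: list[str] = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("no mix of upper and lower case")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        failures.append("no mix of letters and digits")
    # "Don't use dictionary words": strip digits and symbols so that
    # Password1! is still recognised as the word "password"
    stem = re.sub(r"[^a-z]", "", pw.lower())
    if stem in wordlist:
        failures.append(f"based on dictionary word {stem!r}")
    return failures


def is_passphrase(pw: str) -> bool:
    """The lesson's 'mix of characters and words': several words plus
    at least one non-letter character (digit, separator or symbol)."""
    words = [w for w in re.split(r"[\s\-_]+", pw) if w]
    return len(words) >= 3 and any(not c.isalpha() for c in pw)


def evaluate(pw: str) -> dict:
    """Combine both checks into one report for a candidate password."""
    failures = check_password(pw)
    return {"acceptable": not failures, "failures": failures, "passphrase": is_passphrase(pw)}


if __name__ == "__main__":
    for candidate in ("abc", "Password1", "Blue-Kettle-2Sunrise"):
        print(candidate, evaluate(candidate))
```

"Password1" satisfies the length, case and digit rules yet is rejected because its stem is a dictionary word; "Blue-Kettle-2Sunrise" passes every rule and is recognised as a passphrase. Current NIST SP 800-63B guidance weights length and screening against breached-password lists more heavily than forced composition rules and periodic rotation, so a real deployment would grow the word list well beyond this sample.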

Conclusion

  • Security is 20% technical and 80% behavior