CyberSecurity Practice Questions:


"On March 18, we uncovered an email campaign that pushed victims into unwittingly downloading an invasive keylogger called Agent Tesla." What is the primary danger of accidentally downloading a keylogger? a) A keylogger will share the secret keys of the user with other users on the network. b) A keylogger will replicate itself into other files on the computer. c) A keylogger will record every key stroke and upload the data to an attacker. d) A keylogger will prevent the user from typing anything on their computer.

c) A keylogger will record every key stroke and upload the data to an attacker.

Johannes learns about certificate authorities and is concerned that he doesn't know which authorities to trust when browsing the web. What is good advice for Johannes? a) "You'll have to decide which certificate authority to trust, but at least you can follow a standard checklist." b) "If you trust the website that you're visiting, then it doesn't matter whether you trust the certificate authority of their certificate." c) "If you trust your browser, then you don't need to worry about exactly which certificate authorities to trust." d) "Don't worry, there's only one certificate authority that you should trust, and it's easy to memorize one name."

c) "If you trust your browser, then you don't need to worry about exactly which certificate authorities to trust." The verification of certificates relies on a trust model. Browsers and/or operating systems actively maintain a list of trustworthy certificate authorities. They spend time and effort on keeping that list accurate so that users do not have to do so themselves.

Computer A is sending data securely to Computer B using public key encryption. In order for Computer A to encrypt the data, they need to use information from Computer B in a mathematical operation. What information from Computer B is used in that operation? a) Computer B's IP address b) Computer B's public key c) Computer B's private key d) Computer B's administrative password

c) In public key encryption, one computer never needs to know the private key of another computer. That information should be kept private and never sent over the Internet

Emilia arrived to work at her company's office at 9 AM. She connected her laptop to the WiFi hotspot labeled "OfficeWiFi5thFl". After a meeting ended at 10:30 AM, she connected to a different hotspot labeled "OfficeSpace5thFl". After lunch ended at 12 PM, her laptop lost that signal and reconnected to "OfficeWiFi5thFl". If "OfficeSpace5thFl" was actually a rogue access point, which website visits could it have intercepted? a) A visit to an analytics website at 9:20 AM where she downloaded the weekly analytics data. b) A visit to an online spreadsheets website at 9:50 where she filled out several rows of information about internal team deadlines. c) A visit to a tax software website at 10:45 AM where she filled out part of her tax form for this year. d) A visit to an expense management website at 12:15 PM where she submitted a receipt for reimbursement. e) All of the visits described above.

A visit to a tax software website at 10:45 AM where she filled out part of her tax form for this year.

In 2018, the housewares company OXO discovered that attackers installed malware on their online store to steal customer information. The malware had access to the customer's name, billing and shipping addresses, and credit card information. With access to that information, which of the following actions could not be taken by an attacker? a) The exposed information did not include user account details (such as username and password), so an attacker would not be able to login to the user account. They would need to do additional work to uncover the credentials b) An attacker could send spam mail to the customer at their home address c) An attacker could sell the customer's mailing addresses on the Internet d) An attacker could sell the customer's mailing addresses on the Internet

a) An attacker could login to the customer's OXO account and change account details. The exposed information did not include user account details (such as username and password), so an attacker would not be able to login to the user account. They would need to do additional work to uncover the credentials.

Which of these describes a multi-factor authentication system? a) An enterprise website asks the user to enter a code generated by an application on their mobile phone. They then ask the user for their password. b) A government website asks the user to type a paragraph and analyzes the way the user types the keys. They compare that keystroke profile to the saved keystroke profile for the user. The website then takes a photo of the user's eye and checks that against its database. c) A banking website asks the users to type in a password. They then show the user a picture of an image that the user pre-selected and ask the user for a PIN (Personal Identification Number). d) A shopping website asks the user to type in a numeric code that they send to the user's phone. They then ask the user to type in the card verification value from their credit card.

a) An enterprise website asks the user to enter a code generated by an application on their mobile phone. They then ask the user for their password. The cell phone code is a possession factor (something the user has) and the user's password is a knowledge factor (something the user knows). This is a combination of evidence from two factors, so this would count as multi-factor authentication

A company gives phones for business use to all of its salespeople. The IT department installs a suite of security software on each phone that includes a monitoring program that sends the phone's current location back to company headquarters. Assuming the employees always have their phone near them, which of these questions could not be answered by the location data? a) How many customers did the employee go to lunch with? b) How long did an employee spend in the restaurant during lunch time? c) Where is the employee currently located? d) What path did an employee take from home to work?

a) How many customers did the employee go to lunch with? The software is not tracking the location of other phones that do not have it installed, so this cannot be answered based on the employee's geolocation history.

In which of the following scenarios would it be least advisable to enter the requested PII? a) Shi sees a posting for a product on a local marketplace, emails the poster, and is asked to reply back with her banking account information b) Miriam visits a government website to renew her license and is asked to enter her drivers license number. c) Bokamoso signs up for a job hunting website where she can post her résumé and is asked to add her full name in their profile. d) Janelle shops at an online store and is asked to enter her credit card information at checkout.

a) Shi sees a posting for a product on a local marketplace, emails the poster, and is asked to reply back with her banking account information There are several suspicious aspects of this situation. Shi is asked to send sensitive PII over an email to a stranger, and she is asked to submit banking information instead of credit card information (and the latter is generally better protected against fraud). This is the most suspicious scenario and the least advisable time to enter PII

Paula is creating a journalism organization to do investigative reporting. She registers the domain "whistleblowerz.org" and signs up with a hosting company to provide an email server, so that the journalists can easily communicate with each other. She's debating whether to acquire a digital certificate for her domain from a certificate authority. What benefit would the certificate bring? a) The certificate for "whistleblowerz.org" would associate a public key with the domain, and enable the server to use TLS for secure email sending. b) The certificate would notify the domain name servers that "mail.whistleblowerz.org" maps to the associated IP address for the email server. c) The certificate for "whistleblowerz.org" would ensure that the journalists using the email server all use strong passwords. d) The certificate for "whistleblowerz.org" would verify to users that the associated news stories are not "fake news".

a) The certificate for "whistleblowerz.org" would associate a public key with the domain, and enable the server to use TLS for secure email sending. When a domain has a valid digital certificate, clients can successfully use TLS connections to send data encrypted with the certificate's public key to a server. The server can then decrypt the data with the corresponding private key

A software engineer is developing a chatbot that can discuss political issues with a human. The engineer is concerned that people might try to break into the database to discover the political opinions of the users, so they do not want to store any PII in the database at all. Which of these pieces of information is least likely to be PII? a) Timezone b) Social media username c) Email address d) Last name

a) Timezone. PII is information about an individual that can be used to identify them. There are large numbers of individuals with the same time zone, so this is the least identifying piece of information.

The recent rise in popularity of smart home products (such as smart home assistants or smart thermostats) has led to an increase in concerns about their security. In June 2019, security researchers discovered an openly accessible database from a smart home products company. Anyone could potentially access that database, without a username or password, and see all the data. The database records included these details: 1) Email addresses 2) Passwords 3) Username 4) Precise geolocation 5) IP address 6) Family name 7) Family ID 8) Smart device name. Which of the following are immediate risks of malicious access to that database? a) A hacker could install keylogging software onto a user's laptop. b) A cybercriminal could log into a user's account on the smart home product website and change the behavior of one of their smart devices. c) A cybercriminal could log into a user's bank account, even those accounts that require multi-factor authentication. d) A burglar could break into a user's home and steal the smart home devices.

b) A cybercriminal could log into a user's account on the smart home product website and change the behavior of one of their smart devices.

ZeuS is malware that is typically used to steal banking data from a computer's users by installing a key logger and sending the logged data to the attackers. What best describes how antivirus software can protect against ZeuS? a) Antivirus software can warn the user not to use banking websites. Not primary way for antivirus software to protect against malware like Zeus b) Antivirus software can scan the files on the drive and notify users of files that look like the ZeuS malware. c) Antivirus software can block network requests that are coming from a known ZeuS botnet. d) Antivirus software can prevent the user from ever downloading any malware.

b) Antivirus software can scan the files on the drive and notify users of files that look like the ZeuS malware.

In symmetric encryption, how many keys are needed to encrypt the data between a sender and a receiver? a) Three keys: a private key for the sender, a private key for the receiver, and a shared public key for both the sender and receiver b) One key: the same key is used for encryption and decryption, and that key is shared between the sender and receiver c) Four keys: a pair of private and public keys for the sender and another pair for the receiver d) Two keys: one for the sender to encrypt/decrypt and one for the receiver to encrypt/decrypt

b) One key: the same key is used for encryption and decryption, and that key is shared between the sender and receiver

Bailey uploads a video of their neighborhood to YouTube. In what way could the uploaded video be used as PII? a) The quality of the video can help indicate the type of phone Bailey has. b) The size of the houses can indicate where Bailey lives. c) The street addresses could help locate where Bailey lives. d) The length of the video can help indicate how much time Bailey spends on Youtube.

b) The street addresses could help locate where Bailey lives. The home address of a person is considered a kind of linkable PII. It does not directly identify a person, but it can identify them when combined with other information.

An analytics website offers web developers a script that can track where users are navigating and clicking on their website. The analytics script places a third-party cookie on each website that uses it. What records can the analytics website store about the browsing behavior of an individual? a) They can record all the webpages that the individual has ever visited. b) They cannot record any of the webpages visited by the user; only the website can track that. c) They can record all the webpages that the individual has visited that have their cookie embedded. d) The analytics website has no particular access to the user's search history, unless the search engine has embedded their cookies.

c) They can record all the webpages that the individual has visited that have their cookie embedded. When a webpage embeds the cookie from the analytics domain, the analytics website can see what webpage loaded the cookie. The analytics website can also connect that webpage visit with a user by setting a unique identifier in the cookie.

Horacio is new to the Web and is concerned about his privacy while using a web browser. Which of these steps would NOT increase his privacy? a) Changing the browser's settings to clear browsing history every day b) Changing the browser's settings to disable all cookies c) Setting the default search engine to one that does not track search history d) Disabling auto-play of video and audio files in the browser's settings

d) Disabling auto-play of video and audio files in the browser's settings Only changes his browsing experience such that he wouldn't hear sound immediately upon loading a webpage. However, this would not affect the information that is sent from his machine to the browser or websites so WOULD NOT affect his privacy.

Billy receives a message from a stranger on a social media website that simply says "I know where you live." Billy tried to think about his online activities, and whether or not those activities could have revealed his location. Which of these online activities is least likely to have revealed his location to the stranger? a) Looking up driving directions to their house on a mapping site over an unsecured HTTP connection. b) Uploading a photo of their cat sleeping in the garden (with no house visible). c) Granting the social media site access to their geolocation while searching for nearby posts. d) Uploading a photo of their house, as taken from the street. e) Reading news sites in a browser with third-party cookies enabled.

d) Reading news sites in a browser with third-party cookies enabled. Third-party cookies do not have particular access to geolocation. It is possible that a cookie recorded Billy's geolocation from one of the news sites and that same cookie was shared with the social media website, and then the social media website exposed geolocation to the stranger. However, this is the least likely way for his geolocation information to have been exposed.

Sahed works for admissions at a university. One day, she receives an email about a new admissions tool that she needs to start using ASAP. The email links to a webpage with a registration form. She decides to re-use her password from the old administration tool, and signs up with her email and that password. Unfortunately, she then receives a message from her manager that the email is a phishing scam targeting everyone in their department, and that she should ignore it. What are the effects of revealing that password to the cyber criminals? (Select two answers.) a) The cyber criminals can disable her ability to access her university computer and ask her to pay a ransom. b) The cyber criminals could use the password to login as any user of the actual admissions tool. c) The cyber criminals can infect the servers of the actual admissions tool with malware. d) The cyber criminals can try that password on the actual admissions tool and successfully gain access. e) The cyber criminals can sell her email and password combination to other attackers.

d) The cyber criminals can try that password on the actual admissions tool and successfully gain access. e) The cyber criminals can sell her email and password combination to other attackers. It is common for cyber criminals to sell the data that they discover during a phishing attack, as credentials can be very valuable data.

Joaquin needs to use online banking to transfer large amounts of money and is concerned about an attacker using a rogue access point to intercept his bank transfer. What's the best way for him to avoid the risks of a rogue access point? a) Only connect to secured wireless connections. b) Use multi-factor authentication when logging into the banking websites. c) Use a strong password when logging into the banking websites. d) Use a wired connection instead of a wireless connection.

d) Use a wired connection instead of a wireless connection. A rogue access point is a wireless access point. By connecting over a wired connection, he can avoid the risk of accidentally connecting to a rogue access point.

