Security+ Mod 1 Questions
Which of these is an example of social engineering? a)Asking for a username and password over the phone b)Using someone else's unsecured wireless network c)Hacking into a router d)Virus
Answer: A (asking for a username and a password over the phone) Explanation: Social engineering is the practice of obtaining confidential information by manipulating people rather than technology. Using someone else's unsecured wireless network is unauthorized use of a resource, not manipulation of a person. Hacking into a router is a technical attack. A virus is malicious code that attaches itself to a host file or program and spreads when that host is run or shared; it may or may not damage files and applications.
To protect against malicious attacks, what should you think like? a)Hacker b)Network admin c)Spoofer d)Auditor
Answer: A (hacker) Explanation: To protect against malicious attacks, think like a hacker. Then, protect and secure like a network security administrator.
Of the following definitions, which would be an example of eavesdropping? a)Overhearing parts of a conversation b)Monitoring network traffic c)Another person looking through your files d)A computer capturing information from a sender
Answer: A (overhearing parts of a conversation) Explanation: Eavesdropping is listening in on a conversation you are not part of. Monitoring network traffic can also be a form of eavesdropping (packet sniffing), but it is routinely done by administrators for legitimate reasons, so the overheard conversation is the clearest example. A security administrator should assume that someone could always be listening and protect against it accordingly.
In addition to bribery and forgery, which of the following are the most common techniques that attackers use to socially engineer people? (Select the two best answers.) a)Flattery b)Assuming a position of authority c)Dumpster diving d)WHOIS search
Answer: A and C (flattery and dumpster diving) Explanation: The most common techniques attackers use to socially engineer people are flattery, dumpster diving, bribery, and forgery. Assuming a position of authority is also social engineering, but it is not counted among the most common techniques here. A WHOIS search is not necessarily malicious; anyone can run one, and it is often done for legitimate reasons. It reveals who is responsible for a particular website or who has registered a domain name, which is why attackers use it during reconnaissance.
In which two environments would social engineering attacks be most effective? (Select the two best answers.) a)Public building with shared office space b)Company with a dedicated IT staff c)Locked building d)Military facility e)An organization whose IT personnel have little training
Answer: A and E (public building with shared office space and an organization whose IT personnel have little training) Explanation: Public buildings with shared office space and organizations whose IT staff have little training are the environments in which social engineering attacks are most common and most likely to succeed. Social engineering is less successful in locked buildings, in facilities with a high level of physical security such as military installations, and in organizations with dedicated, well-trained IT staff.
User education can help to defend against which of the following? (Select the three best answers.) a)Social engineering b)Phishing c)Rainbow tables d)Dumpster diving
Answer: A, B, and D (social engineering, phishing, dumpster diving) Explanation: User education and awareness help defend against social engineering, phishing, and dumpster diving, because each of these relies on a person doing something careless (giving out information, clicking a link, throwing out sensitive paper). Rainbow tables are precomputed lookup tables used to reverse password hashes; they are a technical attack, and the defenses are salted, slow password hashing and strong passwords, not user education.
A user receives an e-mail but the e-mail client software says that the digital signature is invalid and the sender of the e-mail cannot be verified. The would-be recipient is concerned about which of the following concepts? a)Confidentiality b)Integrity c)Remediation d)Availability
Answer: B (integrity) Explanation: The recipient should be concerned about the integrity of the message. If the e-mail client cannot verify the sender's digital signature, the message may have been altered in transit, or it may have come from a different, possibly malicious, source than the one claimed. Remember, integrity means the reliability of the data: whether or not it has been modified or compromised by a third party before arriving at its destination. A digital signature detects such modification because the signature no longer matches the message content.
Tom sends out many e-mails containing secure information to other companies. What concept should be implemented to prove that Tom did indeed send the e-mails? a)Authenticity b)Non-repudiation c)Confidentiality d)Integrity
Answer: B (non-repudiation) Explanation: Non-repudiation prevents Tom from later denying that he sent the e-mails. In practice it is provided by a digital signature made with Tom's private key: because only Tom holds that key, a valid signature is evidence to any third party that Tom produced the message. Authenticity proves the sender's identity to the recipient; non-repudiation goes further and lets the recipient prove it to others afterward. Integrity and confidentiality do not, by themselves, tie the message to Tom.
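The two preceding questions (the invalid digital signature, and proving that Tom sent the e-mails) turn on the difference between an integrity check and a signature that gives non-repudiation. The following Python script is an added example, not part of the Security+ material: it uses a toy RSA signature with constructed, deliberately tiny primes and no padding (insecure, for illustration only), a constructed message and shared key, and the standard library's hmac module. It shows that both an HMAC and a signature detect tampering, but that anyone holding the shared HMAC key (including the recipient) can forge a tag, so only the signature can establish who sent the message.

```python
import hashlib
import hmac

# --- Toy RSA signature (constructed parameters; far too small to be secure) ---
# Only the sender holds D, so a valid signature proves the sender produced it:
# that is what gives non-repudiation on top of integrity.
P = 1000003                # constructed small primes; real keys use 2048+ bit moduli
Q = 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)        # private exponent (modular inverse, Python 3.8+)


def _digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the signing group (toy padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender signs the message digest with the private exponent."""
    return pow(_digest_int(message, n), d, n)


def rsa_verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone with the public key can check integrity and origin."""
    return pow(signature, e, n) == _digest_int(message, n)


# --- HMAC: integrity and authenticity for the two key holders, no non-repudiation ---
def hmac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # constant-time comparison avoids leaking where the tags differ
    return hmac.compare_digest(hmac_tag(key, message), tag)


def demo() -> dict:
    """Walk through both exam questions with a constructed message."""
    original = b"Tom: please wire the invoice payment to account 12345"
    tampered = b"Tom: please wire the invoice payment to account 99999"
    shared_key = b"constructed-shared-secret"   # known to Tom AND the recipient

    sig = rsa_sign(original)                    # only Tom can do this
    tag = hmac_tag(shared_key, original)        # either key holder can do this

    # The recipient holds the shared HMAC key too, so they can mint a valid tag
    # for any text and claim Tom sent it: an HMAC cannot settle "did Tom send this?".
    recipient_forgery = hmac_verify(shared_key, tampered, hmac_tag(shared_key, tampered))

    return {
        "signature_valid_on_original": rsa_verify(original, sig),
        "signature_valid_after_tamper": rsa_verify(tampered, sig),
        "hmac_valid_on_original": hmac_verify(shared_key, original, tag),
        "hmac_valid_after_tamper": hmac_verify(shared_key, tampered, tag),
        "hmac_recipient_can_forge": recipient_forgery,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script shows the signature and the HMAC both rejecting the tampered message (the integrity question), while only the signature denies the recipient the ability to fabricate a "message from Tom" (the non-repudiation question). Real systems use a padded signature scheme such as RSA-PSS or Ed25519 with properly sized keys; the toy parameters here exist only to keep the arithmetic visible.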
Which of the following individuals uses code with little knowledge of how it works? a)Hacktivist b)Script kiddie c)APT d)Insider
Answer: B (script kiddie) Explanation: A script kiddie runs tools and code written by others, usually without understanding how they work or what the repercussions will be. Other actors such as hackers, hacktivists, and insiders usually have a higher level of technical sophistication. An advanced persistent threat (APT) is a sustained, stealthy campaign against a target, or the well-resourced group that carries it out. An APT is, as the name says, advanced, and sits at the opposite end of the spectrum from the script kiddie.
In information security, what are the three main goals? (Select the three best answers.) a)Auditing b)Integrity c)Non-repudiation d)Confidentiality e)Risk Assessment f)Availability
Answer: B, D, and F (integrity, confidentiality, availability) Explanation: Confidentiality, integrity, and availability (known as CIA, the CIA triad, and the security triangle) are the three main goals when it comes to information security. Another goal within information security is accountability.
You are developing a security plan for your organization. Which of the following is an example of a physical control? a)Password b)DRP c)ID card d)Encryption
Answer: C (ID card) Explanation: An ID card is an example of a physical security control. Passwords and encryption are examples of technical controls. A disaster recovery plan (DRP) is an example of an administrative control.
Which of the following does the A in CIA stand for when it comes to IT security? (Select the best answer.) a)Accountability b)Assessment c)Availability d)Auditing
Answer: C (availability) Explanation: Availability is what the A in CIA stands for as in "the availability of data." Together the acronym stands for confidentiality, integrity, and availability. Although accountability is important and is often included as a fourth component of the CIA triad, it is not the best answer. Assessment and auditing are both important concepts when checking for vulnerabilities and reviewing and logging, but they are not considered to be part of the CIA triad.
Which of the following is the greatest risk when it comes to removable storage? a)Integrity of data b)Availability of data c)Confidentiality of data d)Accountability of data
Answer: C (confidentiality) Explanation: For removable storage, the confidentiality of data is the greatest risk because the media can easily be carried out of the building, lost, or shared with others. The other elements of the CIA triad still matter, but any theft or loss of removable storage can destroy the confidentiality of the data on it, which makes confidentiality the greatest risk (and full-disk encryption of removable media the usual mitigation).
Cloud environments often reuse the same physical hardware (such as hard drives) for multiple customers. These hard drives are used and reused as customer virtual machines are created and deleted over time. Which security concern does this raise? a)Availability of virtual machines b)Integrity of data c)Data confidentiality d)Hardware integrity
Answer: C (data confidentiality) Explanation: Data confidentiality is the concern because multiple customers share the same physical storage. Most customers run their cloud-based systems in virtual machines, and several tenants' virtual machines may live on the very same hard drive or disk array. Two things can go wrong: storage that is not sanitized before reallocation can leave one customer's data remnants readable by the next customer assigned those blocks, and a malicious customer could attempt to break through the isolation between virtual machines. If the provider does not secure the hypervisor and storage layer properly, either path exposes other tenants' data.
A targeted e-mail attack is received by your organization's CFO. What is this an example of? a)Vishing b)Phishing c)Whaling d)Spear phishing
Answer: C (whaling) Explanation: Whaling is a type of spear phishing that targets senior executives such as CFOs. Ordinary phishing does not target anyone in particular; it contacts as many people as possible until an unsuspecting victim is found. Vishing is the telephone-based version of phishing. Spear phishing targets specific individuals, but the term for an attack aimed at a senior executive is whaling.
When it comes to information security, what is the I in CIA? a)Insurrection b)Information c)Indigestion d)Integrity
Answer: D (integrity) Explanation: The I in CIA stands for integrity. The acronym CIA stands for confidentiality, integrity, and availability. Accountability is also a core principle of information security.
What is the most common reason that social engineering succeeds? a)Lack of vulnerability testing b)People sharing passwords c)Lack of auditing d)Lack of user awareness
Answer: D (lack of user awareness) Explanation: User awareness is the most important defense against social engineering. Vulnerability testing and auditing are essential parts of a complete security plan, but they address technical weaknesses and will not help against social engineering nearly as much as user awareness training. People should not share passwords, but password sharing is itself a symptom of poor awareness rather than the root cause.
When is a system completely secure? a)When it is updated b)When it is assessed for vulnerabilities c)When all anomalies have been removed d)Never
Answer: D (never) Explanation: A system can never truly be completely secure. The balance is always shifting: an attacker finds a way into a system, an administrator blocks that attack, and the attacker looks for an alternative method. Updates, vulnerability assessments, and removing anomalies all reduce risk, but none of them ends the process; be ready to wage the eternal battle.
Which of the following targets specific people? a)Pharming b)Phishing c)Vishing d)Spear phishing
Answer: D (spear phishing) Explanation: Spear phishing is a targeted attack aimed at specific people, unlike regular phishing, which works by contacting large groups of people. Pharming redirects a website's traffic to an illegitimate site, typically by poisoning DNS or altering a host's name resolution, and affects anyone who visits rather than specific people. Vishing is the phone/VoIP version of phishing.