ISM 3004 EXAM 4 QUESTIONS AND VERIFIED ACCURATE ANSWERS
Three reasons to secure data - Answers - 1. It's the most valuable asset.
2. Privacy Regulations.
3. Systems can be hijacked.
What are digital identities and why protect them? - Answers - Log-in credentials such as
usernames and passwords. To protect your identity.
What is a zero day exploit? - Answers - Every day a vulnerability becomes known to the
world, because bad guys are using it to break into other people's systems.
A hole in the software that is unknown to the vendor. This security hole is then exploited
by hackers before the vendor becomes aware and hurries to fix it.
According to the PWC report, what is the annual growth rate for security incidents? -
Answers - 66%
Reading: Biggest hack in history. How did hackers get in? - Answers - An employee
opened a bad email.
Reading: Biggest Hack in History. What damage was suffered? - Answers - In a matter
of hours, 35,000 computers were partially wiped or totally destroyed.
Without a way to pay them, gasoline tank trucks seeking refills had to be turned away.
Saudi Aramco's ability to supply 10% of the world's oil was suddenly at risk.
Employees had to use typewriters since they could not use the computer to prevent the
virus from spreading further.
What does it mean for something to be vulnerable? - Answers - Susceptible to attack or
harm.
What are the broad categories of IT vulnerability? - Answers - Physical
Technological
Human
Percentage of laptops lost over their service life? - Answers - 7%
Stolen Veterans Affairs laptop incident: What data was exposed, what was the impact?
- Answers - One laptop stolen!
Exposure: name, SSN, birth date for 26.5 million people.
Lawsuit settlement: 20 Mil
Individual impact: ID theft
Percentage of smartphones lost EACH YEAR? - Answers - 5%
About _____% of lost smartphones had sensitive data? - Answers - 60%
Were the lost smartphones protected? - Answers - NO
As a rule of thumb, each data record lost costs a company about $_____? - Answers -
$200
_____% of companies surveyed suffered loss of sensitive/confidential information from
lost flash drives? - Answers - 70%
What is Shoulder Surfing? - Answers - Acquiring sensitive information just by looking
over somebody's shoulder.
How do attackers use shoulder surfing? - Answers - Stealing confidential data.
Stealing mobile devices.
A company's dumpster can be a "_________________________" to cybercriminals. -
Answers - Gold Mine of Information
What kinds of information might be in a company's 'dumpster'? - Answers - Pre-attack
research
What kinds of things actually contain the desired information from dumpster diving? -
Answers - Phone Lists, Print outs, and media
How would the cyber-criminal use the information from the dumpster dive? - Answers -
SELL IT
What risk must be considered when disposing of obsolete equipment? - Answers -
Computers and copy machines at risk due to their hard drives.
As one example, why was one healthcare company over $1 million? - Answers -
Improper photocopy equipment disposal.
What is a bug? - Answers - A programming flaw or oversight that can be exploited.
Is it reasonable to expect that large software systems would be truly and totally bug-
free? Why? - Answers - NO. There are millions of lines of code that could contain
bugs.
What can an attacker do with a bug? - Answers - Run undesired programs.
Unauthorized data access.
Gain full control.
What are the three user password vulnerabilities? - Answers - Sticky Notes: writing the
passwords down.
Guessable: people who know you.
Lack of complexity: too simple.
What are the root causes of problems with user passwords? - Answers - Easily
remembered.
Resistant to change.
Why are default passwords a potential security problem? - Answers - Weak.
Easily guessable.
Doesn't change network identifier.
Organizations spend most of their IT security dollars protecting
_________________________. - Answers - castle walls. These are corporate sites.
Mobile devices are largely unprotected because they spend much time
________________________. - Answers - Outside the castle walls.
2 examples of mobile/BYOD technical risks are: - Answers - Direct data flow.
Mobile Sync.
Explain the problem with Direct Data Flow with Gartner research data. - Answers - 25%
of all corporate data traffic can go directly from the mobile device to the corporate provider.
Huge amount of data flowing around the world without protection.
Explain the problem with Mobile Sync with Gartner research data. - Answers - 40% of
enterprise contact information, such as customer information, will have leaked into
Facebook.
What is Social Engineering? - Answers - Process where outsiders exploit naive insiders;
tricking.
How is social engineering done? - Answers - Take baby steps.
Research your victim.
Ask for help: plausible requests to the right people mentioning the right names.
How does CERT define the term Insider? - Answers - Current or former employee,
contractor, or other partner that has or had authorized access and intentionally misused
that access against the organization.
Are insiders a serious threat? - Answers - Yes, because 70% of incidents involve
insiders.
Reading: Beautiful Social Engineering Attack. What did the chemical engineer do that
enabled the hacker to find him? - Answers - Posted information on social media.