Social Engineering & Information Security Quiz

Reviewed by Editorial Team
By Kcarter89
Attempts: 1,623 | Questions: 20
1. Social engineering ______.

Explanation

Social engineering is a form of manipulation that exploits human psychology to deceive individuals into divulging confidential information or performing actions that compromise security. It does not necessarily require a computer or internet connection, and while it is illegal in many cases, the answer does not state that it is illegal in the U.S. Social engineering is still widely used today as a tactic by attackers to gain unauthorized access to sensitive data or systems.

About This Quiz

This quiz tests knowledge on social engineering and information security, focusing on trust approaches, system personnel attitudes, policy characteristics, risk management, and security policy requirements. It's designed to enhance understanding and application of security principles in professional settings.

2. _____ is a technique that targets only specific users.  

Explanation

Spear phishing is a technique that targets only specific users. Unlike regular phishing, which casts a wide net to catch as many victims as possible, spear phishing is more personalized and tailored to a specific individual or group. Attackers gather information about their targets to make their phishing attempts more convincing and increase the chances of success. By posing as a trusted entity or using personalized information, spear phishing attacks aim to trick the targeted users into revealing sensitive information or performing certain actions that can be exploited by the attackers.

3. Watching an individual enter a security code on a keypad without her permission is known as _______.

Explanation

Shoulder surfing refers to the act of watching someone enter a security code on a keypad without their permission. It involves visually observing the person's actions from a close distance, typically by standing behind or beside them. This practice is often used by individuals with malicious intent to gain unauthorized access to sensitive information or passwords. Therefore, shoulder surfing is the correct term to describe this behavior.

4. _____ may be defined as the study of what people understand to be good and right behavior and how people make those judgments.

Explanation

Ethics is the correct answer because it refers to the study of what individuals perceive as good and right behavior, as well as how they form judgments about such behavior. It involves examining moral principles, values, and beliefs that guide human conduct and decision-making. Ethics helps us understand and evaluate the moral implications of actions and choices, and provides a framework for making ethical judgments and resolving ethical dilemmas.

5. When a file is deleted using Microsoft Windows, _______.

Explanation

When a file is deleted using Microsoft Windows, the information itself remains on the hard drive until it is overwritten by new files. This means that even though the file is no longer visible or accessible, its data is still present on the hard drive until it is replaced by new data. This is why it is possible to recover deleted files using specialized software until they are overwritten by new files.

6. A personally identifiable information (PII) policy ______.

Explanation

The correct answer is "outlines how the organization uses information it collects." A personally identifiable information (PII) policy is a set of guidelines and procedures that an organization follows to ensure the proper handling and use of personal information collected from individuals. It outlines the specific ways in which the organization utilizes the information it collects, including how it is stored, shared, and protected. This policy helps to ensure that the organization complies with privacy laws and regulations and maintains the trust and confidentiality of individuals' personal information.

7. Each of the following should serve on a security policy development team except ______.

Explanation

A representative from an antivirus vendor should not serve on a security policy development team because their role is to sell antivirus products and services, rather than to develop policies. The team should consist of individuals who have expertise in management, legal matters, and senior level administration to ensure that the policies are comprehensive, legally compliant, and aligned with the organization's goals and requirements.

8. A(n) _____ is a collection of suggestions that should be implemented. 

Explanation

A guideline is a collection of suggestions that should be implemented. It provides a set of recommendations or best practices to follow in order to achieve a desired outcome or goal. Guidelines are typically used to provide direction or instructions on how to perform a task or make decisions. They serve as a reference point for individuals or organizations to ensure consistency and efficiency in their actions.

9. Which of the following characterizes the attitude that system support personnel generally have toward security? 

Explanation

System support personnel generally have a concern about the ease of managing systems under tight security controls. This means that they prioritize the efficiency and smooth operation of the systems they manage. Tight security controls can sometimes create obstacles or extra steps that make their work more difficult or time-consuming. Therefore, they are concerned about striking a balance between strong security measures and the ability to manage and maintain the systems effectively.

10. Which of the following is not an approach to trust? 

Explanation

The correct answer is "Trust authorized individuals only." This option suggests that trust should only be placed in individuals who have been authorized or given specific permission. This approach implies that trust should not be extended to everyone or to all people at all times, but rather limited to a select group of individuals who have been deemed trustworthy.

11. Each of the following is a step in the risk management study except _____.

Explanation

The correct answer is "threat appraisal." In risk management, the process involves identifying potential threats, assessing their likelihood and impact, and then implementing measures to mitigate those risks. However, threat appraisal is not a step in the risk management study. It is important to distinguish between identifying threats and appraising them, as the latter involves evaluating the severity and potential consequences of each threat.

12. Each of the following is a guideline for developing a security policy except ______.

Explanation

The correct answer is "Require all users to approve the policy before it is implemented." This is not a guideline for developing a security policy because it may not be practical or feasible to obtain approval from all users before implementing the policy. It is more common to involve users in the development process by notifying them in advance, providing opportunities for review and comment, and giving them time to provide feedback. However, the final decision on implementing the policy is typically made by the organization or the designated authority.

13. Which of the following is not a characteristic of a policy? 

Explanation

The given answer, "Policies communicate a unanimous agreement of judgment," is not a characteristic of a policy. Policies are guidelines or rules that provide direction and guidance on how to act or behave in a certain situation. They do not necessarily reflect a unanimous agreement of judgment, as policies can be created and enforced by a single authority or organization.

14. Each of the following is what a security policy must do except _____.

Explanation

A security policy must be concise and easy to understand in order to effectively communicate the guidelines and procedures to all individuals within an organization. It should also be capable of being implemented and enforced, so that everyone follows the policy consistently. Additionally, a security policy must balance protection with productivity, as it should not hinder the organization's operations while still providing adequate security measures. However, stating reasons why the policy is necessary is not a requirement for a security policy, as it focuses more on the justification rather than the actual implementation and enforcement of the policy.

15. A password management and complexity policy will encourage users to avoid weak passwords by recommending each of the following except _______.

Explanation

A password management and complexity policy will encourage users to avoid weak passwords by recommending each of the following except "Do not use alphabetic characters". This is because alphabetic characters are an essential component of a strong password. Including a combination of uppercase and lowercase letters, along with numbers and special characters, increases the complexity and makes it harder for hackers to guess or crack the password. Therefore, the policy should recommend using alphabetic characters along with other types of characters to create a strong password.

16. Each of the following is usually contained in a service level agreement except ______.

Explanation

A service level agreement typically outlines the expectations and responsibilities between a service provider and a client. It includes details such as the scope of work, exclusions and exceptions, and penalties for failure to fulfill obligations. However, requirements for Personally Identifiable Information (PII) are not usually mentioned in a service level agreement. PII requirements are typically addressed in separate agreements or contracts that specifically focus on data privacy and security.

17. A classification of information policy is designed to produce a standardized framework for classifying _____.

Explanation

A classification of information policy is designed to produce a standardized framework for classifying information assets. This means that the policy aims to establish a consistent and organized system for categorizing and managing different types of information assets within an organization. By doing so, the policy helps ensure that information assets are properly identified, protected, and utilized according to their respective classification.

18. A(n) _____ defines the actions users may perform while accessing systems and networking equipment.

Explanation

An acceptable use policy is a set of rules and guidelines that define the actions and behaviors that are permitted or prohibited while accessing systems and networking equipment. It outlines what users can and cannot do, ensuring that they use the resources responsibly and in accordance with the organization's policies. This policy helps maintain security, protect sensitive information, and prevent misuse or abuse of the network and systems.

19. For adult learners a(n) _____ approach (the art of helping an adult learn) is often preferred.

Explanation

For adult learners, an andragogical approach is often preferred because it focuses on the unique needs and characteristics of adult learners. Andragogy is the art of helping adults learn, and it recognizes that adults are self-directed, have a wealth of experience, and prefer learning that is relevant and applicable to their lives. This approach encourages active participation, problem-solving, and collaboration, which are all effective strategies for adult learners. In contrast, pedagogical approaches are more suitable for children and focus on teacher-directed instruction. Therefore, the andragogical approach is the most appropriate for adult learners.

20. _____ is defined as the obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them.

Explanation

Due care is defined as the obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them. It involves being diligent and cautious in managing and safeguarding assets to prevent any harm, damage, or loss. By fulfilling their due care obligations, owners and operators demonstrate their responsibility and commitment to maintaining the integrity and security of the assets under their control.


Quiz Review Timeline (Updated): Mar 22, 2023


  • Current Version (Mar 22, 2023): Quiz edited by ProProfs Editorial Team
  • Apr 26, 2011: Quiz created by Kcarter89