Security Awareness Month Quiz

1. It's ok to share your work password with others.

True

False

Your work password should never be shared with anyone; even your manager.

Explanation

Your work password should never be shared with anyone; even your manager.

2. If you receive an e-mail plea from a family member asking for money, it's OK to repond and wire them money since they sent the message from their e-mail account.

True

False

These types of scams are common when an e-mail account has been hacked. The first course of action is to try and contact the person (not via e-mail) and confirm if they really need money and let them know that their e-mail account may have been hacked.

Explanation

These types of scams are common when an e-mail account has been hacked. The first course of action is to try and contact the person (not via e-mail) and confirm if they really need money and let them know that their e-mail account may have been hacked.

3. If you've spoken to your kids about being safe on the Internet, then there is no need to filter web content for them.

True

False

Web content should always be filtered for children. OpenDNS provides DNS-based protections for free. Other Anti-Virus companies also provide protections and filters for children accessing the Internet.

Explanation

Web content should always be filtered for children. OpenDNS provides DNS-based protections for free. Other Anti-Virus companies also provide protections and filters for children accessing the Internet.

4. When entering personal data such as credit card information into a website, it is important to look for the lock symbol or verify the url starts with 'https" to insure the transaction is protected by SSL encryption.

True

False

Before you enter sensitive data in a web form or on a webpage, look for signs—like a web address with https and a closed padlock beside it—that it is secure.

Explanation

Before you enter sensitive data in a web form or on a webpage, look for signs—like a web address with https and a closed padlock beside it—that it is secure.

5. It is safe to connect a USB drive that you found in the parking lot to your work computer.

True

False

GIS should be contacted to clean the device or you can contact Security to put the drive in lost and found.

Explanation

GIS should be contacted to clean the device or you can contact Security to put the drive in lost and found.

6. If you received a message that you suspect may be spam or a phishing attempt, what should you do with the message?

Open it up and click any links or attachments in the message

Delete the message

Forward it to a co-worker to see if they can open it

If it looks suspicious it is safest to delete the message and not expose yourself and SAS to risk.

Explanation

If it looks suspicious it is safest to delete the message and not expose yourself and SAS to risk.

7. It's OK to click website links in e-mails, from other untrusted websites, or in IM messages that go to sites that I trust (Facebook, Twitter, Google, etc).

True

False

You should only access trusted sites (Google, Facebook, Twitter, etc) by entering the URL directly or via a bookmark. Clicking on links in e-mail and from other untrusted sites may allow an attacker to steal or capture your credentials.

Explanation

You should only access trusted sites (Google, Facebook, Twitter, etc) by entering the URL directly or via a bookmark. Clicking on links in e-mail and from other untrusted sites may allow an attacker to steal or capture your credentials.

8. If someone calls you and requests information about where you work, the employees, your work account, passwords, or personal information about yourself you should:

Answer them as truthfully as possible

Give them your work e-mail address so they can email you the information they need

Deny their request and contact Security about the call.

Cases like this is when someone is trying to social engineer you for information about your workplace.

Explanation

Cases like this is when someone is trying to social engineer you for information about your workplace.

9. Where should keep your password in case you forget it?

Someplace easily seen from your computer

Someplace out of sight like in a drawer or under your keyboard

If you have to write down your password, it should be stored in a password keeper or vault.

Passwords should never be written down unless they are being stored in a password vault or storage utility and protected by a master password.

Explanation

Passwords should never be written down unless they are being stored in a password vault or storage utility and protected by a master password.

10. You receive an e-mail message from a deposed Prince of Nigeria. What do you do?

Forward it to all of your friends

Follow all his instructions to the letter and wait for your check in the mail

Highlight the message and hit "Control + Shift + Delete" to completely remove the message

These types of e-mails are called 419 or 411 scams. These are e-mails that try to encourage you to perform fraudulent activities on behalf of someone in another country (such as laundering money).

Explanation

These types of e-mails are called 419 or 411 scams. These are e-mails that try to encourage you to perform fraudulent activities on behalf of someone in another country (such as laundering money).

11. It's safe to open e-mail attachments and click on e-mail links, even if the message is from someone you don't know.

True

False

Even though email messages get scanned via multiple vendors for malware, spyware and phishing, there is no guarantee that they will catch every instance of malware. It is recommended that you only open attachments and click on links if messages are from an individual you know. Enabling Safe Senders for Outlook is a good way to accomplish this.

Explanation

Even though email messages get scanned via multiple vendors for malware, spyware and phishing, there is no guarantee that they will catch every instance of malware. It is recommended that you only open attachments and click on links if messages are from an individual you know. Enabling Safe Senders for Outlook is a good way to accomplish this.

12. Which of the following should you not do with your password?

Say it out loud

Email it to an associate

Provide it to your manager

All of the above

Passwords are meant to be secret and only known by you and not shared in any way.

Explanation

Passwords are meant to be secret and only known by you and not shared in any way.

13. If you are browsing the Internet and suddenly you get a prompt asking you to download a file and run it, what should you do?

Download the file and run it.

Cancel the download and close your browser.

Download the file and e-mail it to a co-worker to see if it is legitimate.

If you are prompted to download a file when simply browsing the internet, then chances are you've navigated to a site that is infected and is trying to infect you. It is best to cancel the download, close the browser and run a full AV scan on your machine.

Explanation

If you are prompted to download a file when simply browsing the internet, then chances are you've navigated to a site that is infected and is trying to infect you. It is best to cancel the download, close the browser and run a full AV scan on your machine.

14. It's ok to setup a rule to auto-forward all of your work e-mail to an external e-mail account like Gmail or Hotmail.

True

False

Auto-forwarding rules are prohibited by company policy. You can forward individual mails to your personal account as long as the communications are not company confidential.

Explanation

Auto-forwarding rules are prohibited by company policy. You can forward individual mails to your personal account as long as the communications are not company confidential.

15. It's OK to post personal information about yourself on Twitter or Facebook.

True

False

You should limit the personal information you post about yourself and your family on Twitter, Facebook and other social media sites. This information could be used in order to perform social engineering on you or your family. You should configure privacy settings to be as strict as possible on such sites to limit prying eyes. All information posted to social media sites should be considered permanent, no matter what the privacy policies of the sites state.

Explanation

You should limit the personal information you post about yourself and your family on Twitter, Facebook and other social media sites. This information could be used in order to perform social engineering on you or your family. You should configure privacy settings to be as strict as possible on such sites to limit prying eyes. All information posted to social media sites should be considered permanent, no matter what the privacy policies of the sites state.

16. Password challenge questions, used for resetting passwords on some Internet sites, should not be used if they contain publicly available information.

True

False

Know what you've posted about yourself. A common way that hackers break into financial or other accounts is by clicking the "Forgot your password?" link on the account login page. To break into your account, they search for the answers to your security questions, such as your birthday, home town, high school class, or mother's middle name. If the site allows, make up your own password questions, and don't draw them from material anyone could find with a quick search.

Explanation

Know what you've posted about yourself. A common way that hackers break into financial or other accounts is by clicking the "Forgot your password?" link on the account login page. To break into your account, they search for the answers to your security questions, such as your birthday, home town, high school class, or mother's middle name. If the site allows, make up your own password questions, and don't draw them from material anyone could find with a quick search.

17. If you set your anti-virus software to auto-update then you don't need Windows Automatic Updates.

True

False

Anti-virus is not a replacement for regularly applying patches and security updates.

Explanation

Anti-virus is not a replacement for regularly applying patches and security updates.

18. You are using e-mail to send and receive private information (e.g. medical data, salary information, social security numbers, passwords) for an approved, business need. What should you do?

Encrypt the information before sending it through e-mail

Encrypting the information before sending it through email ensures that the data is protected and cannot be accessed by unauthorized individuals. Encryption converts the information into a code that can only be deciphered with a decryption key, making it extremely difficult for anyone else to read or understand the content of the email. This helps to maintain the confidentiality and integrity of the private information being transmitted.

Explanation

Encrypting the information before sending it through email ensures that the data is protected and cannot be accessed by unauthorized individuals. Encryption converts the information into a code that can only be deciphered with a decryption key, making it extremely difficult for anyone else to read or understand the content of the email. This helps to maintain the confidentiality and integrity of the private information being transmitted.

19. The following are characteristics of a good work password:

The password is the same as another online account

The password is at least 4 characters long

The password uses a combination of lowercase, uppercase, and special characters

The password contains part of a family members birthday

All of the above

You should never choose your work password to be the same as any other accounts. You should also not use family birthdays, names, or other publicly available information about you or your family as part of your password.

Explanation

You should never choose your work password to be the same as any other accounts. You should also not use family birthdays, names, or other publicly available information about you or your family as part of your password.

20. It is not safe to e-mail business documents to your home computer to work on them.

True

False

You should work on business documents on a corporate issued machine by either working on it in the office, or remotely connecting to your work machine and working on them remotely

Explanation

You should work on business documents on a corporate issued machine by either working on it in the office, or remotely connecting to your work machine and working on them remotely

21. It's not OK to accept 3rd party/customer data without permissions from Information Security.

True

False

Information Security has a request form that will walk you through the process of accepting 3rd party data.

Explanation

Information Security has a request form that will walk you through the process of accepting 3rd party data.

22. According to the FBI and the Computer Security Institute, most information security breaches occur due to what?

External Hackers

Poor Programming Techniques

Internal Employees

Bad Firewall Settings

Internal employees tend to be the cause of the most information security breaches

Explanation

Internal employees tend to be the cause of the most information security breaches

23. Which of the following is the best protection technique for a home wireless network

MAC address filtering

Hidden SSID

WEP encryption

WPA2 encryption

MAC filters are not protection from an intruder as MAC information can be obtained via wireless sniffers and this information be spoofed. Hiding your SSID will also not keep intruders out since the SSID can still be detected via a wireless sniffer. WEP is not a suitable wireless protection mechanism because this encryption technique can easily be cracked in a number of minutes. WPA2 Pre-shared key with a lengthy key is the preferred standard.

Explanation

MAC filters are not protection from an intruder as MAC information can be obtained via wireless sniffers and this information be spoofed. Hiding your SSID will also not keep intruders out since the SSID can still be detected via a wireless sniffer. WEP is not a suitable wireless protection mechanism because this encryption technique can easily be cracked in a number of minutes. WPA2 Pre-shared key with a lengthy key is the preferred standard.

24. What type of attack relies on the trusting nature of employees and the art of deception?

Fraud

Phishing

Social Engineering

Dumpster Diving

Social Engineering is when an attacker tries to gain information about an attack based on information they already know about you or pretending to misrepresent themselves to you in hopes that you will trust them.

Explanation

Social Engineering is when an attacker tries to gain information about an attack based on information they already know about you or pretending to misrepresent themselves to you in hopes that you will trust them.

25. An 8 character password containing a mix of uppercase, lowercase and special characters can be cracked in under a day.

True

False

Hackers are now using Graphics cards in order to help brute force passwords. The 8 character keyspace can be traversed in under 24 hours with multi-GPU machines: http://arstechnica.com/security/2012/08/passwords-under-assault/

Explanation

Hackers are now using Graphics cards in order to help brute force passwords. The 8 character keyspace can be traversed in under 24 hours with multi-GPU machines: http://arstechnica.com/security/2012/08/passwords-under-assault/