  1.  You are testing physical security measures as part of a pen test team. Upon entering the lobby of the building, you see the entrance has a guard posted at the lone entrance. A door leads into a smaller room with a second door heading into the interior of the building. Which physical security measure is in place?
A.  Guard shack
B.  Turnstile
C.  Man shack
D.  Man trap
D. If you took a test on college football history, you know it would contain a question about Alabama. If you took one on trumpet players, there’d be one about Dizzy Gillespie. And if you take a test on physical security measures for Certified Ethical Hacker, you’re going to be asked about the man trap. They love it that much.
A man trap is nothing more than a locked space you can hold someone in while verifying their right to proceed into the secured area. It’s usually a glass (or clear plastic) walled room that locks the exterior door as soon as you enter. Then there is some sort of authentication mechanism—such as a smart card with a PIN or a biometric system. Assuming the authentication is successful, the second door leading to the interior of the building will unlock and the person is allowed to proceed. If it’s not successful, the doors will remain locked until the guard(s) can check things out. As an aside, in addition to authentication, some man traps add all sorts of extra fun—such as checking your weight to see if you’ve mysteriously gained or lost 20 pounds since Friday.
A couple of other notes here may be of use to you: First, I’ve seen a man trap defined as either manual or automatic, where manual has a guard locking and unlocking the doors, and automatic has the locks tied to the authentication system, as described previously. Second, a man trap is also referred to in some definitions as an air lock. Should you see that term on the exam, know that they are referring to the man trap.
A is incorrect because this question is not describing a small location at a gate where guards are stationed. Traditionally, these are positioned at gates to the exterior wall or the gate of the facility, where guards can verify identity and so on before allowing people through to the parking lot.
B is incorrect because a turnstile is not described here and, frankly, does absolutely nothing for physical security. Anyone who has spent any time in subway systems knows this is true: Watching people jump the turnstiles is a great spectator sport.
C is incorrect because, so far as I know, the term man shack is not a physical security term within CEH. Maybe the title of a 1970s disco hit, but not a physical security term you’ll need to know for the exam.
  2.  In your social engineering efforts you call the company help desk and pose as a user who has forgotten a password. You ask the technician to help you reset your password, which they happily comply with. Which social engineering attack is in use here?
A.  Piggybacking
B.  Reverse social engineering
C.  Technical support
D.  Halo effect
C. Although it may seem silly to label social engineering attacks (as many of them contain the same steps and bleed over into one another), you’ll need to memorize them for your exam. A technical support attack is one in which the attacker calls the support desk in an effort to gain a password reset or other useful information. This is a very valuable method because if you get the right help desk person (that is, someone susceptible to a smooth-talking social engineer), you can get the keys to the kingdom.
A is incorrect because piggybacking refers to a method to gain entrance to a facility—not to gain passwords or other information. Piggybacking is a tactic whereby the attacker follows authorized users through an open door without any visible authorization badge at all.
B is incorrect because reverse social engineering refers to a method where an attacker convinces a target to call him with information. The method involves marketing services (providing the target with your phone number or e-mail address in the event of a problem), sabotaging the device, and then awaiting a phone call from the user.
D is incorrect because halo effect refers to a psychological principle that states a person’s overall impression (appearance or pleasantness) can impact another person’s judgement of them. For example, a good-looking, pleasant person will be judged as more competent and knowledgeable simply because of their appearance. The lesson here is to look good and act nice while you’re trying to steal all the target’s information.
  3.  Your client is considering a biometric system for access to a controlled location. Which of the following is a true statement regarding his decision?
A.  The lower the CER, the better the biometric system.
B.  The higher the CER, the better the biometric system.
C.  The higher the FRR, the better the biometric system.
D.  The higher the FAR, the better the biometric system.
A. The crossover error rate (CER) is the point on a chart where the false acceptance rate (FAR) and false rejection rate (FRR) meet, and the lower the number the better the system. It’s a means by which biometric systems are calibrated—getting the FAR and FRR the same. All that said, though, keep in mind that in certain circumstances a client may be more interested in a lower FAR than FRR, or vice versa, and therefore the CER isn’t as much a concern. For example, a bank may be far more interested in preventing false acceptance than it is in preventing false rejection. In other words, so what if a user is upset they can’t log on, so long as their money is safe from a false acceptance.
B is incorrect because this is exactly the opposite of what you want. A high CER indicates a system that more commonly allows unauthorized users through and rejects truly authorized people from access.
C is incorrect because the false rejection rate needs to be as low as possible. The FRR represents the rate at which a true, legitimate user is denied access by the biometric system.
D is incorrect because the false acceptance rate needs to be as low as possible. The FAR represents the rate at which an unauthorized user is allowed access to the system.
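The calibration described above, worked as an added example (not from the book): constructed genuine-user and impostor match scores are swept over every observed threshold to compute FAR and FRR, locate the CER, and show the bank's alternative of picking a threshold by a FAR ceiling instead. The scores and function names are assumptions.

```python
"""CER/FAR/FRR calibration over constructed biometric match scores (added example)."""

# Constructed sample data: a higher score means a stronger match to the enrolled template.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61]   # legitimate users
IMPOSTOR_SCORES = [55, 50, 63, 71, 47, 68, 42, 58, 74, 52]  # unauthorized users


def far(impostor_scores, threshold):
    """False acceptance rate: fraction of impostor attempts scoring >= threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: fraction of genuine attempts scoring < threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def candidate_thresholds(genuine_scores, impostor_scores):
    """Every observed score; the rates only change at observed scores, so the sweep is exact."""
    return sorted(set(genuine_scores) | set(impostor_scores))


def crossover_error_rate(genuine_scores, impostor_scores):
    """Return (threshold, rate) where FAR and FRR are closest: the CER (also called EER)."""
    best = None
    for t in candidate_thresholds(genuine_scores, impostor_scores):
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    _, threshold, rate = best
    return threshold, rate


def threshold_for_max_far(genuine_scores, impostor_scores, max_far):
    """Lowest threshold whose FAR does not exceed max_far: the bank's preference of
    tolerating more false rejections to hold false acceptances down.
    Returns (threshold, far, frr)."""
    for t in candidate_thresholds(genuine_scores, impostor_scores):
        a = far(impostor_scores, t)
        if a <= max_far:
            return t, a, frr(genuine_scores, t)
    return None


if __name__ == "__main__":
    print("CER (threshold, rate):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 10% (threshold, FAR, FRR):",
          threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.1))
```

Lowering the threshold trades FRR for FAR and raising it does the reverse; the CER is where the two curves meet, while a FAR ceiling picks a point to the right of it.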
  4.  A pen tester sends an unsolicited e-mail to several users on the target organization. The e-mail is well crafted and appears to be from the company’s help desk, advising users of potential network problems. The e-mail provides a contact number to call in the event they are adversely affected. The pen tester then performs a denial of service on several systems and receives phone calls from users asking for assistance. Which social engineering practice is in play here?
A.  Technical support
B.  Impersonation
C.  Phishing
D.  Reverse social engineering
D. This may turn out to be a somewhat confusing question for some folks, but it’s actually pretty easy. Reverse social engineering involves three steps. First, in the marketing phase, an attacker advertises himself as a technical point of contact for problems that may be occurring soon. As an aside, be sure to market to the appropriate audience: Attempting this against IT staff probably won’t work as well as the “average” user, and may get you caught. Second, in the sabotage phase, the attacker performs a denial of service or other attack on the user. Third, in the tech support phase, the user calls the attacker and freely hands over information, thinking they are being assisted by the company’s technical support team.
A is incorrect because a technical support attack involves the attacker calling a technical support help desk, not having the user call back with information.
B is incorrect because this is not just impersonation—the attack described in the question revolves around the user contacting the attacker, not the other way around. Impersonation can cover anybody, from a “normal” user to a company executive. And impersonating a technical support person can result in excellent results—just remember if you’re going through steps to have the user call you back, you’ve moved into reverse social engineering.
C is incorrect because a phishing attack is an e-mail crafted to appear legitimate, but in fact contains links to fake websites or to download malicious content. In this example, there is no link to click—just a phone number to call in case of trouble. Oddly enough, in my experience people will question a link in an e-mail far more than just a phone number.
  5.  A pen test member has gained access to a building and is observing activity as he wanders around. In one room of the building, he stands just outside a cubicle wall opening and watches the onscreen activity of a user. Which social engineering attack is in use here?
A.  Eavesdropping
B.  Tailgating
C.  Shoulder surfing
D.  Piggybacking
C. This one is so easy I hope you maintain your composure and stifle the urge to whoop and yell in the test room. Shoulder surfing doesn’t necessarily require you to actually be on the victim’s shoulder—you just have to be able to watch their onscreen activity. I once shoulder surfed in front of someone (a mirror behind her showed her screen clear as day).
A is incorrect because eavesdropping is a social engineering method where the attacker simply remains close enough to targets to overhear conversations. Although it’s doubtful users will stand around shouting passwords at each other, you’d be surprised how much useful information can be gleaned by just listening in on conversations.
B is incorrect because tailgating is a method for gaining entrance to a facility by flashing a fake badge and following an authorized user through an open door.
D is incorrect because piggybacking is another method to gain entrance to a facility. In this effort, though, you don’t have a badge at all—you just follow people through the door.
  6.  You are interviewing an incident response team member of an organization you’re working with. He relates an incident where a user received an e-mail that appeared to be from the U.S. Postal Service, notifying her of a package headed her way and providing a link for tracking the package. The link provided took the user to what appeared to be the USPS site, where she input her user information to learn about the latest shipment headed her way. Which attack did the user fall victim to?
A.  Phishing
B.  Internet level
C.  Reverse social engineering
D.  Impersonation
A. Phishing is one of the most pervasive and effective social engineering attacks on the planet. It’s successful because crafting a legitimate-looking e-mail that links a user to an illegitimate site or malware package is easy to do, easy to spread, and preys on our human nature to trust. If the source of the e-mail looks legitimate, or the layout looks legitimate, most people will click away without even thinking about it. Phishing e-mails can often include pictures lifted directly off the legitimate website and use creative means of spelling that aren’t easy to spot: www.regions.com is a legitimate bank website that could be spelled in a phishing e-mail as www.regi0ns.
B is incorrect because Internet level is not a form of social engineering attack recognized by this exam. It’s included here as a distractor.
C is incorrect because reverse social engineering is an attack where the attacker cons the target into calling back with useful information.
D is incorrect because this particular description does not cover impersonation. Impersonation is an attack where a social engineer pretends to be an employee, a valid user, or even an executive (or other V.I.P.). Generally speaking, when it comes to the exam, any impersonation question will revolve around an in-person visit or a telephone call.
  7.  Which type of social engineering attacks use phishing, pop-ups, and IRC?
A.  Technical
B.  Computer based
C.  Human based
D.  Physical
B. All social engineering attacks fall into one of two categories: human based or computer based. Computer-based attacks are those carried out with the use of a computer or other data-processing device. Examples include, but are not limited to, fake pop-up windows, SMS texts, e-mails, and chat rooms or services. Social media sites (such as Facebook or LinkedIn) are consistent examples as well, and spoofing entire websites isn’t out of the realm here either.
A is incorrect because technical is not a social engineering attack type and is included here as a distractor.
C is incorrect because human-based social engineering involves the art of human interaction for information gathering. Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information.
D is incorrect because physical is not a social engineering attack type and is included here as a distractor.
  8.  An e-mail sent from an attacker to a known hacking group contains a reference stating, “Rebecca works for the finance department at _business-name_ and is the administrative assistant to the chief. She can be reached at _phone-number_.” What is most likely being communicated here?
A.  The name of an administrative assistant is being published to simplify later social engineering attacks.
B.  The administrative assistant for the chief of the finance department at this business is easily swayed by social engineering efforts.
C.  The finance department has lax security policy in place.
D.  None of the above. There is not enough information to form a conclusion.
B. Within the confines of this exam, you need to remember the names “Rebecca” and “Jessica” as potential targets of social engineering. According to CEH documentation, these names are used to refer to individuals who are easy targets for social engineering efforts. The reality of your day-to-day work in the field might be that you’ll never hear this mentioned this way (I had never heard these names used this way before studying for this exam, myself); however, you need to memorize it for your exam. Jessica and Rebecca are easily swayed by social engineering and are targets for your efforts.
A is incorrect because, frankly, there’s a better answer here (B). Is it possible the person sending this e-mail knows the assistant’s first name is Rebecca? Sure it is; however, it’s unlikely to be shared in this manner and, more importantly here, this just is not the “most likely” answer.
C is incorrect because the name Rebecca is not associated with security policy in any way. The company may very well have lax policy, but there’s just nothing here to indicate that. As an aside (that is, it really has nothing to do with the question itself), whether the policy is weak or strong, an individual susceptible to social engineering almost makes the policy moot. Security policy is one of those things that has to be supported and enforced from the top down and made part of the very culture of the organization. If you have those things, it’s a great countermeasure to a whole assortment of security issues. If you don’t, it’s a big waste of time.
D is incorrect because there is a correct answer to the question. This answer is included as a distractor.
  9.  What are the three categories of measures taken to ensure physical security?
A.  Technical
B.  Computer based
C.  Physical
D.  Human based
E.  Operational
F.  Policy based
A, C, and E. Physical security measures can be looked at through three major categories. Physical measures are all the things you can touch, taste, smell, or get shocked by. Examples include lighting, locks, fences, and guards. Technical measures are those using technology to protect explicitly at the physical level (an example might be a biometric system at the door to authenticate a visitor). Operational measures are the policies and procedures you set up to enforce a security-minded operation. Examples include background checks on employees, risk assessments on devices, and policies regarding key management and storage.
B and D are incorrect because they refer to social engineering attack types.
F is incorrect because policy based is not a physical security measure and is included here as a distractor.
10.  After observing a target organization for several days, you discover that finance and HR records are bagged up and placed in an outside storage bin for later shredding/recycling. One day you simply walk to the bin and place one of the bags in your vehicle, with plans to rifle through it later. Which social engineering attack was used here?
A.  Offline
B.  Physical
C.  Piggybacking
D.  Dumpster diving
D. Dumpster diving doesn’t necessarily mean you’re actually taking a header into a dumpster outside. It could be any waste canister, in any location, and you don’t even have to place any more of your body in the canister than you need to extract the old paperwork with. And you’d be amazed what people just throw away without thinking about it: password lists, network diagrams, employee name and number listings, and financial documents are all examples.
A is incorrect because offline is not a social engineering attack and is used here as a distractor.
B is incorrect because physical is not a social engineering attack type.
C is incorrect because piggybacking is a social engineering attack that allows entry into a facility and has nothing to do with digging through trash for information.
11.  An attacker waits outside the entry to a secured facility. After a few minutes an authorized user appears with an entry badge displayed. He swipes a key card and unlocks the door. The attacker, with no display badge, follows him inside. Which social engineering attack just occurred?
A.  Tailgating
B.  Piggybacking
C.  Identity theft
D.  Impersonation
B. This is one of those questions that just drives everyone batty—especially people who actually perform pen tests for a living. Does knowing that gaining entry without flashing a fake ID badge of any kind is called piggybacking make it any easier or harder to pull off? I submit that having two terms for what is essentially the same attack, separated by one small detail, is unfair, to say the least, but there’s not a whole lot we can do about it. If it makes it easier to memorize, just keep in mind that pigs wouldn’t wear a badge—they don’t have any clothes to attach it to.
A is incorrect because a tailgating attack requires the attacker to be holding a fake badge of some sort. I know it’s silly, but that’s the only differentiation between these two items: tailgaters have badges, piggybackers do not. If it makes it any easier, just keep in mind a lot of tailgaters at football games should have a badge on them—to prove they are of legal drinking age.
C is incorrect because this attack has nothing to do with identity theft. Identity theft occurs when an attacker uses personal information gained on an individual to assume that person’s identity. Although this is normally thought of in the criminal world (stealing credit cards, money, and so on), it has its uses elsewhere.
D is incorrect because impersonation is not in play here. The attacker isn’t pretending to be anyone else at all—he’s just following someone through an open door.
12.  Which threat presents the highest risk to an organization’s resources?
A.  Government-sponsored hackers
B.  Social engineering
C.  Disgruntled employees
D.  Script kiddies
C. I can almost guarantee you’ll see this on your exam. EC Council made a big point of stressing this in the CEH version 7 documentation, so I in turn will stress it to you. Disgruntled employees can cause all sorts of havoc for a security team. The main reason is location: They’re already inside the network. Inside attacks are generally easier to launch, are more successful, and are harder to prevent. When you add a human element of having an axe to grind, this can boil over quickly—whether the employee has the technical knowledge to pull it off or not.
A is incorrect because most organizations won’t have government-sponsored hackers knocking at their virtual front door and, even if they do, the attacks still originate from outside. Now I’m not saying a sponsored hacker group wouldn’t seek out a disgruntled employee inside a government organization, but that proves the answer in itself.
B is incorrect because social engineering as a whole is not the greatest threat. It is a major concern, though, because most people are susceptible to it and, frankly, users can’t be trusted.
D is incorrect because script kiddies by definition are relatively easy to find and squash. A script kiddie is someone who goes out and steals hack codes and techniques right off the Web, flinging them around wildly in an attempt to succeed. They don’t really understand what the attack vector is, how the code works, or (usually) what to do if they actually find success, which makes them very easy to spot.
13.  Which of the following may be effective countermeasures against social engineering? (Choose all that apply.)
A.  Security policies
B.  Operational guidelines
C.  Appropriately configured IDS
D.  User education and training
E.  Strong firewall configuration
A, B, and D. The problem with countermeasures against social engineering is they’re almost totally out of your control. Sure you can draft strong policy requiring users to comply with security measures, implement guidelines on everything imaginable to reduce risks and streamline efficiency, and hold educational briefings and training sessions for each and every user in your organization, but when it comes down to it, it’s the user who has to do the right thing. All countermeasures for social engineering have something to do with the user themselves because they are the weak link here.
C and E are both incorrect for the same reason: A social engineering attack doesn’t target the network or its defenses; it targets the users themselves. Many a strongly defended network has been compromised because a user inside was charmed by a successful social engineer.
14.  Which of the following are indicators of a phishing e-mail? (Choose all that apply.)
A.  It does not reference you by name.
B.  It contains misspelled words or grammatical errors.
C.  It contains spoofed links.
D.  It comes from an unverified source.
A, B, C, and D. One of the objectives of CEHv7 is, and I quote, to “understand phishing attacks.” Part of the official curriculum to study for the exam covers detecting phishing e-mail in depth, and all of these answers are indicators an e-mail may not be legitimate. First, most companies now sending e-mail to customers will reference you by name and sometimes by account number. An e-mail starting with “Dear Customer” or something to that effect may be an indicator something is amiss. Misspellings and grammatical errors from a business are usually dead giveaways, because companies do their best to proofread things before they are released. There are, occasionally, some slipups (Internet search some of these; they’re truly funny), but those are definitely the exception and not the rule. Spoofed links can be found by hovering a mouse over them (or by looking at their properties). The link text may read www.yourbank.com, but the hyperlink properties will be sending you to some IP address you don’t want to go to.
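The indicators above, plus the digit-substitution lookalike domain from question 6 (regi0ns for regions), applied by an added Python example that is not from the book: it parses a constructed e-mail, flags a generic greeting, a sender domain that is unverified or a lookalike, and links whose visible text names a different host than the href actually targets. TRUSTED_DOMAINS, GENERIC_GREETINGS, the homoglyph table and both sample messages are assumptions; misspelling detection is not attempted.

```python
"""Phishing indicator checks over constructed e-mails (added example, not from the book)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumption: domains the organization has verified as legitimate for the brand.
TRUSTED_DOMAINS = {"regions.com"}
# Assumption: greetings that suggest the sender does not know the recipient's name.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued member", "dear account holder")
# Digits commonly substituted for letters in lookalike domains (regi0ns -> regions).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# A URL with optional scheme, or a bare domain/IPv4, followed by a delimiter or end of text.
HOST_RE = re.compile(
    r"(?:[a-z][a-z0-9+.-]*://)?([a-z0-9.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(?:[:/?#]|$)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by a URL or bare domain such as www.yourbank.com; '' if the text is not one."""
    m = HOST_RE.match(text.strip().lower())
    return m.group(1) if m else ""


def registrable(host):
    """Crude last-two-label domain (example.com); no public-suffix list handling."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_of(domain):
    """Trusted domain that this one imitates by digit substitution, else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalised = domain.translate(HOMOGLYPHS)
    return normalised if normalised in TRUSTED_DOMAINS else None


def phishing_indicators(raw_message):
    """Return human-readable indicator strings found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    # Indicator: unverified or lookalike sender domain.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable(sender.rsplit("@", 1)[-1].lower()) if "@" in sender else ""
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        imitated = lookalike_of(sender_domain)
        findings.append(f"sender domain {sender_domain} is a lookalike of {imitated}" if imitated
                        else f"sender domain {sender_domain} is not a verified source")
    # Prefer the HTML part (it carries the links); fall back to plain text.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            body = part.get_payload(decode=True).decode(errors="replace")
            if part.get_content_type() == "text/html":
                break
    # Indicator: generic greeting instead of the recipient's name.
    if any(g in body.lower() for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the recipient's name")
    # Indicator: spoofed links (text shows one host, href goes to another) or lookalike hosts.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registrable(shown) != registrable(actual):
            findings.append(f"link text shows {shown} but points to {actual}")
        elif actual and lookalike_of(registrable(actual)):
            findings.append(f"link host {actual} is a lookalike of {lookalike_of(registrable(actual))}")
    return findings


# Constructed sample messages (not real mail; the IP is from a documentation range).
PHISH_EMAIL = """\
From: "Regions Bank Support" <alerts@regi0ns.com>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Your account has been limited. Visit <a href="http://198.51.100.7/login">www.regions.com</a>
within 24 hours to restore access.</p></body></html>
"""
LEGIT_EMAIL = """\
From: "Regions Bank" <service@regions.com>
To: jane.doe@example.org
Subject: Your statement is ready
Content-Type: text/html

<html><body><p>Dear Jane Doe,</p>
<p>Your statement is available at <a href="https://www.regions.com/statements">www.regions.com</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```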
15.  You are discussing physical security measures and are covering background checks on employees and policies regarding key management and storage. Which type of physical security measure is being discussed?
A.  Physical
B.  Technical
C.  Operational
D.  Practical
C. Physical security has three major facets: physical measures, technical measures, and operational measures. Operational measures are the policies and procedures you put into place to assist with security. Background checks on employees and any kind of written policy for operational behaviors are prime examples.
A is incorrect because physical measures can be seen or touched. Examples include guards (although you probably would want to be very careful touching one of them), fences, and locked doors.
B is incorrect because technical measures include things such as authentication systems (biometrics anyone?) and specific permissions you assign to resources.
D is incorrect because, although these may seem like practical measures to put into place, there is simply no category named such. It’s included here as a distractor, nothing more.
16.  Which of the following resources can assist in combating phishing in your organization? (Choose all that apply.)
A.  Phishkill
B.  Netcraft
C.  Phishtank
D.  IDA Pro
B and C. For very obvious reasons, there are not a lot of questions from these objectives concerning tools—mainly because social engineering is all about the human side of things, not necessarily using technology or tools. However, you can put into place more than a few protective applications to help stem the tide. There are innumerable e-mail-filtering applications and appliances you can put on an e-mail network boundary to cut down on the vast amount of traffic (spam or otherwise) headed to your network. Additionally, Netcraft’s phishing toolbar and Phishtank are two client-side, host-based options you can use (there are others, but these are pointed out specifically in EC Council’s official courseware).
Netcraft’s (http://toolbar.netcraft.com/) and Phishtank’s (www.phishtank.com/) toolbars are like neighborhood watches on virtual steroids, where eagle-eyed neighbors can see naughty traffic and alert everyone else. From the Netcraft site: “Once the first recipients of a phishing mail have reported the target URL, it is blocked for community members as they subsequently access the URL.”
These tools, although useful, are not designed to completely protect against phishing. Much like antivirus software, they will act on attempts that match a signature file. This sometimes makes it even easier on the attacker, because they know which phishing attempts will not work right off the bat.
A is incorrect because phishkill is not an anti-phishing application.
D is incorrect because IDA Pro is a debugger tool you can use to analyze malware (viruses).
17.  In order, what are the three steps in a reverse social engineering attack?
A.  Technical support, marketing, sabotage
B.  Sabotage, marketing, technical support
C.  Marketing, technical support, sabotage
D.  Marketing, sabotage, technical support
D. Reverse social engineering occurs when the attacker creates a circumstance or situation that makes users call him with information. This is carried out in three steps. First, the attacker will market his skills, position, and impending problem (for example, the attacker may send e-mails promoting himself as help desk personnel to call in the event of problems next Wednesday when the server is rebooted). Second, the attacker performs sabotage against the user or network segment (a denial of service attack that takes users off the network confirms to the user that the original e-mail must have been correct). Lastly, the attacker provides “technical support” to the users calling in for assistance (by stealing all their account information, which is gladly being handed over the phone by panicked users).
A, B, and C are incorrect because the order presented is not correct.
18.  Which type of social engineering makes use of impersonation, dumpster diving, shoulder surfing, and tailgating?
A.  Physical
B.  Technical
C.  Human based
D.  Computer based
C. So once again, we’re back to the two major forms of social engineering: human based and computer based. Human-based attacks include all the attacks mentioned here and a few more. Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information. This can be as blatant as simply asking someone for their password or pretending to be a known entity (authorized user, tech support, or company executive) in order to gain information.
A is incorrect because social engineering attacks do not fall into a “physical” category.
B is incorrect because social engineering attacks do not fall into a “technical” category.
D is incorrect because computer-based social engineering attacks are carried out with the use of a computer or other data-processing device. These attacks can include everything from specially crafted pop-up windows, tricking the user into clicking through to a fake website, to SMS texts, which provide false technical support messages and dial-in information to a user.
19.  What is considered the best defense against social engineering?
A.  User education and training
B.  Strong security policy and procedure
C.  Clear operational guidelines
D.  Proper classification of information and individuals’ access to that information
A. So anyone reading this book who has spent any time at all trying to educate users on a production, enterprise-level network is probably yelling right now, because results can sometimes be spotty. And, yes, I too can point out the multiple studies on the value, or lack thereof, of continuing user training. However, when you consider the options presented (and EC Council’s training materials), this is the only answer that makes any sense. After all, the weak point in the chain is the users themselves. Therefore, we must do our best to educate them on what to look for and what to do as they see it. There simply is no better defense than a well-educated user.
B, C, and D are all incorrect for the same reason—they do not address the root of the problem. It is absolutely essential to have good security policy, operational guidelines, and appropriate classification across the board. However, the user is at the heart of every social engineering attack and, therefore, requires our attention. A poorly educated user standing on strong policies still makes a very attractive target.
20.  Which anti-phishing method makes use of a secret message or image referenced on the communication?
A.  Steganography
B.  Sign-in seal
C.  PKI
D.  Captcha
B. Sign-in seal is an e-mail protection method in use at a variety of business locations. The practice is to use a secret message or image that can be referenced on any official communication with the site. If you receive an e-mail purportedly from the business but it does not include the image or message, you’re aware it’s probably a phishing attempt. This sign-in seal is kept locally on your computer, so the theory is that no one can copy or spoof it.
A is incorrect because steganography is not used for this purpose. As we know, steganography is a method of hiding information inside another file—usually an image file.
C is incorrect because PKI refers to an encryption system using public and private keys for security of information between members of an organization.
D is incorrect because a captcha is an authentication test of sorts, which I am sure you’ve seen hundreds of times already. Captcha (actually an acronym meaning Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge-response-type method where an image is shown and the client is required to type the word from the image into a challenge box. An example is on a contest entry form—you type in your information at the top, then see an image with a word (or two) in crazy font at the bottom. If you type the correct word in, it’s somewhat reasonable for the page to assume you’re a human (as opposed to a script) and the request is sent forward.
21.  Which of the following should be in place to assist as a social engineering countermeasure? (Choose all that apply.)
A.  Classification of information
B.  Strong security policy
C.  User education
D.  Strong change management process
A, B, C, and D. All of the answers are correct. There’s an argument to be made about these as being purely social engineering mitigations, but trust me, EC Council sees them this way, so you should, too. A. Classification of information is seen as a strong countermeasure because the information—and access to it—is stored and processed according to strict definitions of sensitivity. In the Government/DoD world, you’d see labels such as Confidential, Secret, and Top Secret. In the commercial world, you might see Public, Sensitive, and Confidential. I could write an entire chapter on the difference between DoD and commercial labels, and have all sorts of fun arguing the finer points of various access control methods, but we’ll stick just to this chapter and what you need here. As a side note, classification of information won’t do you a bit of good if the enforcement of access to that information, and the protection of it in storage or transit, is lax.
B. Strong security policy has been covered earlier in the chapter, so I won’t waste much print space here on it. You must have a good one in place to help prevent all sorts of security failures; however, you can’t rely on it as a countermeasure on its own.
C. User education is the number-one preventative measure you can take against social engineering. There’s argument about just how successful it is, but try running an organization without any education and see how far that gets you.
D. A change management process helps to organize change to a system or organization by providing a standardized, reviewable process to any major change. In other words, if you allow changes to your financial system, IT services, HR processes, or fill-in-the-blank without any review or control process, you’re basically opening the door to Pandora’s box. Change can be made on a whim (sometimes at the behest of a social engineer, maybe?) and there’s no control or tracking of it.
22.  Joe uses a user ID and password to log into the system every day. Jill uses a PIV card and a PIN. Which of the following are true?
A.  Joe and Jill are using single-factor authentication.
B.  Joe and Jill are using two-factor authentication.
C.  Joe is using two-factor authentication.
D.  Jill is using two-factor authentication.
D. When it comes to authentication systems, you can use three factors to prove your identity to a system: something you know, something you have, and something you are. Items you know are, basically, a password or PIN number. Something you have is a physical token of some sort—usually a smart card—that is presented as part of the authentication process. Something you are relates to biometrics—a fingerprint or retinal scan, for instance. Generally speaking, the more factors you have in place, the better (more secure) the authentication system. In this example, Joe is using only something he knows, whereas Jill is using something she has (PIV card) and something she knows (PIN).
A is incorrect because Jill is using two-factor authentication.
B is incorrect because Joe is using single-factor authentication.
C is incorrect because Joe is using single-factor authentication.
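The rule behind question 22 is that factors are counted by distinct category, not by number of credentials: a password plus a security question is still "something you know" and therefore single-factor. The following is an added example (not from the book) that encodes the three categories from the explanation above and counts distinct ones; the credential names in the mapping are assumptions chosen for illustration.

```python
# Map each credential kind to the factor category it proves. The credential
# names are assumptions for this example; the three categories are the ones
# named in the explanation ("something you know/have/are").
FACTOR_OF = {
    "password": "something you know",
    "pin": "something you know",
    "security_question": "something you know",
    "smart_card": "something you have",
    "piv_card": "something you have",
    "hardware_token": "something you have",
    "fingerprint": "something you are",
    "retina_scan": "something you are",
}


def factor_count(credentials):
    """Return the number of DISTINCT factor categories covered.

    Two credentials from the same category (e.g. password + PIN) still
    count as one factor, which is the point the question tests.
    """
    unknown = [c for c in credentials if c not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unclassified credential kind(s): {unknown}")
    return len({FACTOR_OF[c] for c in credentials})


def classify(credentials):
    """Label a login as single-, two-, or three-factor (or none)."""
    labels = {1: "single-factor", 2: "two-factor", 3: "three-factor"}
    return labels.get(factor_count(credentials), "none")


# Constructed scenarios matching Joe and Jill from question 22.
JOE = ["password"]            # something you know only
JILL = ["piv_card", "pin"]    # something you have + something you know

if __name__ == "__main__":
    for name, creds in (("Joe", JOE), ("Jill", JILL)):
        print(f"{name}: {creds} -> {classify(creds)}")
```

Running it reports Joe as single-factor and Jill as two-factor; passing `["password", "security_question"]` also yields single-factor, which is the trap the exam likes to set.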
23.  A system owner has implemented a retinal scanner at the entryway to the data floor. Which type of physical security measure is this?
A.  Technical
B.  Single factor
C.  Computer based
D.  Operational
A. Physical security measures are characterized as physical (door locks, guards), operational (policies, procedures), and technical (authentication systems, permissions). This example falls into the technical security measure category. Sure, the door itself is physical, but the question centers on the biometric system itself—clearly technical in origin.
B is incorrect because single factor refers to the method the authentication system uses, not the physical security measure itself. In this case, the authentication is using something you are—a biometric retina scan.
C is incorrect because computer based refers to a social engineering attack type, not a physical security measure.
D is incorrect because an operational physical security measure deals with policy and procedure.
24.  Physical security also includes the maintenance of the environment and equipment for your data floor. Which of the following are true statements regarding this equipment? (Choose all that apply.)
A.  The higher the MTBF, the better.
B.  The lower the MTBF, the better.
C.  The higher the MTTR, the better.
D.  The lower the MTTR, the better.
A and D. MTBF is an acronym translating to Mean Time Between Failure, and it references the amount of time a piece of equipment can be expected to last. It’s a mathematical equation marking the average time between failures of the system. The higher this number, the longer the equipment is expected to perform. The MTTR is the Mean Time To Repair, which is an estimate of how long it will take to fix a potential problem with the equipment. Obviously, the lower the time it takes to repair, the better.
B and C are incorrect because the MTBF is better when higher and the MTTR is better when lower.
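To make the two averages concrete, here is an added example (not from the book) that computes MTBF and MTTR from a constructed maintenance log and then derives steady-state availability as MTBF / (MTBF + MTTR). The log entries, the observation window and the assumption that MTBF is measured as operating (up) time divided by the number of failures are all choices made for this illustration.

```python
from datetime import datetime

# Constructed maintenance log for one piece of data-floor equipment:
# (failure_time, repair_completed_time) pairs. All values are invented.
LOG = [
    ("2024-01-03 08:00", "2024-01-03 10:00"),   # 2 h outage
    ("2024-01-13 08:00", "2024-01-13 09:00"),   # 1 h outage
    ("2024-01-23 08:00", "2024-01-23 11:00"),   # 3 h outage
]
# Observation window (one full January, 744 hours) - also constructed.
OBSERVATION_START = "2024-01-01 00:00"
OBSERVATION_END = "2024-02-01 00:00"


def _hours_between(start, end):
    fmt = "%Y-%m-%d %H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600


def mttr_hours(log):
    """Mean Time To Repair: average outage duration, in hours."""
    if not log:
        raise ValueError("no failures recorded; MTTR is undefined")
    return sum(_hours_between(s, e) for s, e in log) / len(log)


def mtbf_hours(log, start, end):
    """Mean Time Between Failures: operating (up) time divided by the
    number of failures in the window. Assumes each outage lies inside the
    window; with zero failures the equipment never failed, so MTBF is
    reported as the whole window."""
    total = _hours_between(start, end)
    downtime = sum(_hours_between(s, e) for s, e in log)
    return total - downtime if not log else (total - downtime) / len(log)


def availability(mtbf, mttr):
    """Steady-state availability: fraction of time the equipment is up.
    Higher MTBF or lower MTTR both push this toward 1.0, which is why
    answers A and D are the correct ones."""
    return mtbf / (mtbf + mttr)


if __name__ == "__main__":
    mtbf = mtbf_hours(LOG, OBSERVATION_START, OBSERVATION_END)
    mttr = mttr_hours(LOG)
    print(f"MTBF = {mtbf:.1f} h, MTTR = {mttr:.1f} h, "
          f"availability = {availability(mtbf, mttr):.4%}")
```

With the constructed log the script reports an MTBF of 246 hours, an MTTR of 2 hours and roughly 99.19% availability; halving the MTTR (faster repairs) raises availability even though the equipment fails just as often, which is the practical reason "lower MTTR is better".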
25.  Which fire extinguisher type is the best choice for an electrical system fire?
A.  An extinguisher marked “A”
B.  An extinguisher marked “B”
C.  An extinguisher marked “C”
D.  An extinguisher marked “D”
C. Fire extinguishers are marked by the type of fire they are created to suppress, and usually have more than one marking (for example, the one I’m looking at right now across the hall from me is marked “BC”). A Class C fire is one involving electrical equipment. Generally speaking, you should first remove power and then try to extinguish the flames (although sometimes that’s difficult to do). Any extinguisher marked for Class C uses CO2 (carbon dioxide) or a dry chemical to extinguish the flames. Obviously, spraying water on an open electrical circuit could pose additional hazards, so these nonconductive methods are best.
A is incorrect because Class A fires are ordinary combustibles, such as paper, wood, and most plastics. A pure Class A-marked extinguisher may use water.
B is incorrect because Class B fires involve combustible liquids, such as gasoline.
D is incorrect because Class D fires involve combustible chemicals, such as magnesium.