Workshop Post-Assessment

This assessment is multiple choice. Enter your name and answer all questions. Submit once when finished.

Name

1) What does the CIA Triad represent in cybersecurity? Confidentiality, Integrity, Availability Compliance, Inspection, Audit Cyber, Internet, Access Control, Identity, Authorization

2) In a simple model, risk is best described as: How expensive a security tool is Likelihood × Impact The number of vulnerabilities found The amount of data stored

3) Which option best matches the terms threat and vulnerability? Threat = a weakness; Vulnerability = a person/group that causes harm Threat = a security control; Vulnerability = a policy Threat = something that can cause harm; Vulnerability = a weakness that can be exploited Threat = an incident; Vulnerability = a patch

4) Which control primarily reduces impact (not likelihood) after something goes wrong? Turning off unused USB ports Security awareness training Applying patches quickly Tested backups with a clear restore process

5) Which is the best example of good cyber hygiene? Using MFA and keeping systems updated Sharing one admin account so work is faster Disabling updates to avoid breaking software Emailing passwords when someone forgets them

6) Why are logs valuable even if you think you prevented the attack? Logs guarantee attacks will stop Logs provide evidence of what happened and help confirm or refute suspicion Logs replace the need for backups Logs prevent all insider threats

7) Which sequence matches a basic threat detection workflow? Escalation → Alerts → Events → Triage Triage → Events → Escalation → Alerts Events → Alerts → Triage → Escalation Alerts → Events → Escalation → Triage

8) What best describes the idea of signal vs noise? Signal is meaningful activity; noise is expected/low-value activity that can hide signal Signal is any alert; noise is anything without an alert Signal is always malware; noise is always user behavior Signal is only network traffic; noise is only endpoint activity

9) Which telemetry source is often most useful when investigating account compromise? Printer error logs Monitor brightness settings Disk defragmentation logs only Authentication/login logs (successes, failures, MFA events)

10) What is the main purpose of triage in incident detection? To punish users who clicked links To quickly assess whether an alert is real, important, and needs action To delete logs to save storage To immediately rebuild affected systems

11) During an incident, which role is primarily responsible for documenting actions and timelines? Documentation/communications lead End user who reported the issue Attacker emulation lead Facilities manager

12) In the first minutes of an incident, which action is generally the best first step? Immediately wipe the system so malware is gone Post about it publicly so everyone knows Capture what you know: facts, timestamps, preserve evidence, and follow the response process Disable all user accounts permanently

13) Which example is social engineering? A server crashes due to a failed disk A patch is applied to a browser A firewall blocks a port A caller impersonates IT support and pressures someone to reveal a code

14) Why can MFA fatigue (push bombing) work? It exploits encryption weaknesses in TLS It pressures the user to approve a prompt out of annoyance, confusion, or urgency It automatically bypasses all MFA systems without user interaction It only works if the user has no password

15) In a beginner course, why do we teach offensive concepts at all? To understand attacker thinking so we can defend better To encourage students to attack real systems To replace defensive security topics To avoid learning about ethics

16) Which activity is NOT appropriate in a classroom setting? Running labs in a controlled environment you provide Analyzing scenario-based phishing examples that do not target real organizations Scanning or attacking real school/business networks without written authorization Practicing incident response documentation with synthetic data

17) Which step commonly comes first in a high-level attack chain? Identify / Reconnaissance Exfiltrate Persist Recover

18) Why are misconfigurations often a major cause of incidents? Misconfigurations only affect availability Misconfigurations cannot be detected with logs Misconfigurations are always less severe than CVEs They can expose systems/data directly through bad defaults or excessive permissions

19) What is the main goal of a capstone scenario in this workshop? To memorize definitions from frameworks To integrate concepts (CIA, hygiene, detection, response, safe offense) into one narrative exercise To require advanced exploitation skills To replace the need for assessments

20) Which option best describes a teacher-friendly way to use frameworks (NIST, CIS, NICE)? Teach framework acronyms as the main learning outcome Avoid frameworks entirely because they are too complex Translate frameworks into lesson objectives, activities, and lab deliverables Use frameworks only for legal compliance paperwork