THEFT OF DATA AND INTELLECTUAL PROPERTY PAST PAPERS WITH ANSWERS

QUESTION 1 : Shredding sensitive documents with a cross-cut shredder, sending and receiving mail at a secure site, and employing a perimeter security system at the office are all measures aimed to do which of the following?

1. Prevent misappropriation of office supplies.
2. Protect digital documentation.
3. Catch a fraudster in the act.
4. Guard manual file systems.

Organizations must take reasonable measures to protect manual file systems, which are composed of all humanreadable files and documents. These include items like contact lists, schedules, and calendars. To attack a manual file system, an information thief might pilfer trash, act as a cleaning crew member, or commit theft or burglary. Reasonable measures to protect manual file systems include the following: Place sensitive documents in high-grade locked filing cabinets. It is advisable to lock sensitive documents in a safe when not in use. Use a cross-cut shredder for sensitive documentary waste, or have sensitive trash disposed of by a bonded wastedisposal company. Receive and send mail at a secure site (e.g., mail drops, post office boxes, or locked mailboxes). The key is that the site remains secure. Provide reasonable perimeter security for offices by using an alarm system and securing locks to doors and windows. Pay attention to securing auxiliary materials.

 

QUESTION 2 : Research and development personnel often inadvertently divulge confidential information through which of the following?

1. Articles written for industry journals
2. Discussions with colleagues at conferences
3. Hiring outside academic professionals
4. All of the above

Often, intelligence professionals target research and development (R&D) employees because their positions generally involve the communication of information. For example, many R&D employees attend or participate in trade shows, conferences, or other industry functions where it is common to network with other professionals in their field and exchange ideas. Such events provide intelligence spies with the opportunity to learn key product- or projectrelated details simply by listening to a presentation or asking the right questions. R&D employees’ publications are also a good source of information for intelligence professionals. Researchers sometimes inadvertently include sensitive project details when writing articles about their findings for industry journals or other mediums. This is particularly true in the case of academic professionals who might be hired by a company to perform research or conduct a study. If a company hires an academician to conduct research, management must ensure that the academician understands the need to keep the results confidential.

 

QUESTION 3 : For corporate espionage purposes, technical surveillance generally consists of gathering documentary evidence or information that can be found via open sources.

1. True
2. False

Technical surveillance is the practice of covertly acquiring audio, visual, or other types of data from targets through the use of technical devices, procedures, and techniques. When corporate spies resort to the use of technical surveillance, it is usually to gather nondocumentary evidence or information that cannot be found through open

 

QUESTION 4 : Which of the following is a poor information security procedure that contributes to loss of proprietary information?

1. Failure to guard documents maintained in manual file systems
2. Failure to practice data minimization
3. Failure to implement data retention and destruction policies
4. All of the above

To prevent the loss or misuse of sensitive data or proprietary information, organizations should develop and implement risk-based information-security systems designed to detect and prevent unauthorized access to sensitive information. An information security system requires controls that are designed to ensure that data are used as intended, and such controls will depend on the combination and coordination of people, processes, technologies, and To be effective, a system for safeguarding sensitive and proprietary information should include the following: Task force Security risk assessments Security policies and procedures Awareness training Nondisclosure agreements Noncompetition agreements Data classification Data retention and destruction policies Data minimization Security controls Measures to guard manual file systems Monitoring of visitor access Quiet room The failure to include any of these measures is a poor information security practice that can contribute to the loss of proprietary information.

 

QUESTION 5: Which of the following scenarios illustrates a fraudster’s use of social engineering?

1. A fraudster has lunch at a restaurant where a target company’s employees are known to eat with the intention of overhearing sensitive conversations
2. A fraudster calls a company employee and requests sensitive information while claiming to be a coworker whose systems are down
3. A fraudster without an employee badge gains access to a secure facility by following legitimate employees who are oblivious to his presence
4. None of the above

Social engineering is the act of using deceptive techniques to manipulate people into taking certain actions or disclosing information. In social engineering schemes, social engineers use various forms of trickery, persuasion, threats, or cajolery to encourage their targets to release information that the engineers can use and exploit to achieve their goals. Attackers engage in social engineering for various reasons. Some use social engineering to gain unauthorized access to systems or obtain confidential communication so they can commit fraud, intrude into networks, gain access to buildings, steal another party’s secrets, commit identity theft, or engage in some other nefarious act. In some situations, attackers use social engineering to procure information that will give them a competitive advantage, whereas others might engage in social engineering to find ways in which they can install malware.

 

QUESTION 6 : Visitors to a company’s facilities should be allowed unrestricted access as long as they have signed in as a visitor in the company’s logbook and have been issued a visitor’s badge.

1. True
2. False

Management should monitor and limit visitor access. Visitors should be required to sign in and out of an organization logbook. It is considered a best practice to issue visitors a badge that identifies them as a non-employee. Also, visitors should be escorted by a host at all times, and visitors should not be allowed into areas containing sensitive information.

 

QUESTION 7 : Nondisclosure agreements are generally an expensive and inefficient means of protecting an organization’s proprietary information.

1. True
2. False

Generally, a nondisclosure agreement is a written agreement providing that signatories must keep all trade secrets and proprietary information learned during their employment confidential. Nondisclosure agreements are one of the least expensive and most efficient methods for controlling the loss of proprietary information.

 

QUESTION 8 : Shareholders’ reports and company newsletters might give a competitor valuable information about a company’s product secrets.

1. True
2. False

Publications such as newsletters or reports to shareholders and speeches or papers that are presented at conferences can inadvertently provide valuable information to competitors. A company’s website might also contain accidental leaks. Corporate spies frequently visit their targets’ websites to gather information that these companies have unknowingly made public. Employee telephone and email directories, financial information, key employees’ biographical data, product features and release dates, details on research and development, and job postings can all be found on many corporate websites.

QUESTION 9 : When a task force is charged with developing a program for safeguarding proprietary information (SPI), which of the following should be the first step that it takes?

1. Develop an employee awareness program.
2. Institute an encryption policy.
3. Determine what information should be protected.
4. Shred sensitive documents.

To coordinate a company-wide program for safeguarding proprietary information (SPI), management should establish a task force and charge it with developing the program. The task force should include managers and staff from departments that deal with proprietary information, such as research and development and production. The task force should also include representatives from the following departments: corporate security, human resources, Once the task force is assembled, it must identify the information that is to be protected. To make this determination, the task force should identify those areas that give the company its competitive edge (e.g., quality of the product, service, price, manufacturing technology, marketing, and distribution). When doing so, the task force should ask, “What information would a competitor like to know?”

 

QUESTION 10 : When should an employee be made aware of the need to maintain the confidentiality of an organization’s proprietary information, as well as which information is considered confidential?

1. Upon being hired
2. During an exit interview
3. When signing a nondisclosure agreement
4. All of the above

Often, employees are willing to abide by nondisclosure agreements, but they do not understand that the information they are communicating might be confidential. To more effectively implement nondisclosure agreements, employees must be clearly informed as to what information is considered confidential upon hiring, upon signing a nondisclosure agreement, and during exit interviews.

 

QUESTION 11 : Favorite targets for intelligence-gathering purposes include employees in all of the following departments EXCEPT:

1. Research and development
2. Purchasing
3. Marketing
4. Shipping and receiving

Some of the favorite targets of intelligence gatherers include employees in the following departments: research and development, marketing, manufacturing and production, human resources, sales, and purchasing.

 

QUESTION 12 : Lack of employee education concerning nondisclosure agreements is one of the primary reasons employees communicate confidential information to outside parties.

1. True
2. False

Lack of employee education concerning nondisclosure agreements is one of the primary reasons employees communicate confidential information to outside parties. Often, employees are willing to abide by nondisclosure agreements, but they do not understand that the information they are communicating might be confidential. To more effectively implement nondisclosure agreements, employees must be clearly informed as to what information is considered confidential upon hiring, upon signing a nondisclosure agreement, and during exit interviews.

 

QUESTION 13 : The primary reason for a company’s management to construct an electronically and acoustically shielded quiet room is to protect the company’s computer servers and other sensitive electronic equipment.

1. True
2. False

Management can prevent corporate spies from listening in on meetings through the use of a quiet room. A quiet room is an area that is acoustically and radio-frequency shielded so that conversations that occur within the room cannot be monitored or heard from outside the room.

 

QUESTION 14 : If a company hires an employee from a competitor, it might open itself up to claims from the competitor that it is unlawfully using proprietary information taken by the employee.

1. True
2. False

Organizations must also prevent their employees from appropriating the proprietary information belonging to others. A new hire from a competitor, for example, might expose the new employer to liability by using or disclosing secrets obtained from his previous employer in the course of his employment. Moreover, a company can be held liable for misappropriation of proprietary information even if it is not aware that its employee is using or disclosing secrets in the course of his employment.

 

QUESTION 15 : Employees are often willing to abide by nondisclosure agreements, but they sometimes do not understand that the information they are communicating might be confidential.

1. True
2. False

Often, employees are willing to abide by nondisclosure agreements, but they do not understand that the information they are communicating might be confidential. To more effectively implement nondisclosure agreements, employees must be clearly informed as to what information is considered confidential upon hiring, upon signing a nondisclosure agreement, and during exit interviews.

 

QUESTION 16 : Cooper is an intelligence professional for Whetstone Intelligence, a competitive intelligence firm. She is tasked with gathering intelligence about Cryptic Global, the major competitor of Whetstone’s biggest client. To gather the intelligence, Cooper infiltrates Cryptic Global’s office by posing as a member of its cleaning crew and collects information left around employees’ computers and desks. Cooper’s approach is an example of:

1. Spoofing
2. Scavenging
3. Dumpster diving
4. Shoulder surfing

Scavenging involves collecting information left around computer systems (e.g., on desks or workstations). Dumpster diving involves obtaining sensitive information by looking through someone else’s trash (e.g., via dumpsters and other trash receptacles). Shoulder surfing involves observing an unsuspecting target from a nearby location while the target enters a username and password into a system, talks on the phone, fills out financial forms, or performs some other task from which valuable information can be obtained. Spoofing refers to the process whereby an individual impersonates a legitimate user to obtain access to the target’s network.

 

QUESTION 17 : When a fraudster calls someone at the target company and cajoles or tricks the person into providing valuable information, that corporate espionage technique is referred to as which of the following?

1. Social engineering
2. Replicating
3. Spamming
4. None of the above

Social engineering is the act of using deceptive techniques to manipulate people into taking certain actions or disclosing information. In social engineering schemes, social engineers use various forms of trickery, persuasion, threats, or cajolery to encourage their targets to release information that the engineers can use and exploit to achieve their goals. Attackers engage in social engineering for various reasons. Some use social engineering to gain unauthorized access to systems or obtain confidential communication so they can commit fraud, intrude into networks, gain access to buildings, steal another party’s secrets, commit identity theft, or engage in some other nefarious act. In some situations, attackers use social engineering to procure information that will give them a competitive advantage, whereas others might engage in social engineering to find ways in which they can install malware.

 

QUESTION 18 : When an employee signs a legally enforceable noncompetition agreement, the provisions of the noncompetition agreement continue after the employee leaves the company where he signed the agreement.

1. True
2. False

A noncompetition agreement is an agreement whereby an employee agrees not to work for competing companies within a certain period of time after leaving his current employer. If an organization uses a noncompetition agreement, management should remind its employees about the agreement’s provisions during an exit interview conducted before the end of their employment. When employees leave a company, it is a good idea to have them sign a statement in which they acknowledge that they understand the noncompetition agreement’s terms

 

QUESTION 19 : Which of the following best illustrates the concept of human intelligence?

1. A corporate spy installs software on the computer of an employee from a competing company to monitor that employee’s communications.
2. A corporate spy creates a deceptive website that tricks employees from a competing company into divulging confidential information.
3. A corporate spy poses as a customer of a competing company to elicit information from the competitor’s salespeople.
4. A corporate spy breaks into a competing company’s office and steals sensitive information while employees are attending an off-site event.

Intelligence professionals might gather data through human intelligence (i.e., through direct contact with people). Generally, human intelligence is gathered from subject matter experts and informed individuals. Such efforts typically target individuals who can provide the most valuable information. For example, an intelligence professional might gather intelligence by posing as a customer of the target entity. This approach exploits two weaknesses of corporate culture: (1) all salespeople want to make a sale and (2) many salespeople will do almost anything to make a sale. Other approaches include: Employment interviews (real and fake) False licensing negotiations False acquisition or merger negotiations Hiring an employee away from a target entity Planting an agent in a target organization Social engineering

 

QUESTION 20 : Which of the following is a common avenue through which proprietary company information is compromised?

1. Speeches by executives
2. Publications
3. Company website
4. All of the above

Publications such as newsletters or reports to shareholders and speeches or papers that are presented at conferences can inadvertently provide valuable information to competitors. A company’s website might also contain accidental leaks. Corporate spies frequently visit their targets’ websites to gather information that these companies have unknowingly made public. Employee telephone and email directories, financial information, key employees’ biographical data, product features and release dates, details on research and development, and job postings can all be found on many corporate websites.

 

QUESTION 21 : When developing a program for safeguarding proprietary information (SPI), an organization should form a company task force to develop the program, and the task force should include representatives from relevant departments across the company, such as research and development, corporate security, and records management.

1. True
2. False

To coordinate a company-wide program for safeguarding proprietary information (SPI), management should establish a task force and charge it with developing the program. The task force should include managers and staff from departments that deal with proprietary information, such as research and development and production. The task force should also include representatives from the following departments: corporate security, human resources, Once the task force is assembled, it must identify the information that is to be protected. To make this determination, the task force should identify those areas that give the company its competitive edge (e.g., quality of the product, service, price, manufacturing technology, marketing, and distribution). When doing so, the task force should ask, “What information would a competitor like to know?”

 

QUESTION 22 : Publicly available information that anyone can lawfully obtain by request, purchase, or observation is known as which of the following?

1. Free-source information
2. Wide-source information
3. Confidential-source information
4. Open-source information

Open-source information is information in the public domain; it can be defined as publicly available data “that anyone can lawfully obtain by request, purchase, or observation.”

 

QUESTION 23 : One method competitive intelligence professionals commonly use to gather data about a competitor involves posing as a job applicant and interviewing with key employees at the competing company. This practice is best described as conducting surveillance.

1. True
2. False

Intelligence professionals might gather data through human intelligence (i.e., through direct contact with people). Generally, human intelligence is gathered from subject matter experts and informed individuals. Such efforts typically target individuals who can provide the most valuable information. For example, an intelligence professional might gather intelligence by posing as a customer of the target entity. This approach exploits two weaknesses of corporate culture: (1) all salespeople want to make a sale and (2) many salespeople will do almost anything to make a sale. Other approaches include: Employment interviews (real and fake)

 

QUESTION 24 : Which of the following best illustrates the use of technical surveillance for purposes of corporate espionage?

1. A spy hacks into a target computer and monitors an employee’s communications.
2. A spy uses a phony employee badge to enter an office and take a sensitive document.
3. A spy creates a deceptive website to trick employees into entering confidential information.
4. A spy impersonates a help desk representative to obtain an employee’s network password.

Technical surveillance is the practice of covertly acquiring audio, visual, or other types of data from targets through the use of technical devices, procedures, and techniques. When corporate spies resort to the use of technical surveillance, it is usually to gather nondocumentary evidence or information that cannot be found through open Corporate spies might employ various forms of technological surveillance, such as aerial photography, bugging and wiretapping, video surveillance, photographic cameras, mobile phones, monitoring computer emanations

 

QUESTION 25 : To help promote employee awareness of sensitive information, company data should be classified into different security levels based on value and sensitivity.

1. True
2. False

According to the CERT Insider Threat Center, organizations should implement a data classification policy that establishes what protections must be afforded to data of different value and sensitivity levels. Data classification allows organizations to follow a structured approach for establishing appropriate controls for different data categories. Moreover, establishing a data classification policy will help employee awareness. In short, classifying an organization’s data involves: (1) organizing the entity’s data into different security levels based on the data’s value and sensitivity and (2) assigning each level of classification different rules for viewing, editing,

 

QUESTION 26 : Calendars and schedules displayed at an employee’s workstation can inadvertently provide a company’s competitors with valuable proprietary information.

1. True
2. False

Organizations must take reasonable measures to protect manual file systems, which are composed of all humanreadable files and documents. These include items like contact lists, schedules, and calendars located at employees’ workstations.

 

QUESTION 27 : Which of the following is a common method used by fraudsters to physically infiltrate and spy on organizations?

1. Fabricate or steal an employee badge
2. Pose as a contractor
3. Secure a position as an employee
4. All of the above

Corporate spies might use physical infiltration techniques to obtain sensitive information. Physical infiltration is the process whereby an individual enters a target organization to spy on the organization’s employees. One common infiltration technique is to secure a position, or pose, as an employee or contract laborer of the target organization. For example, a spy might obtain work as a security officer or a member of the janitorial crew for the target Another common physical infiltration technique is to steal or fabricate employee badges belonging to the target organization

 

QUESTION 28 : Jason, an employee at Go Marketing, has just informed his supervisor that he intends to leave the company and go to work for a competitor. Upon accepting his resignation, Jason’s boss reminds him of a document that he signed several years prior in which Jason agreed not to divulge confidential or proprietary company information. What is the

1. Employee testimonial statement
2. Employee awareness statement
3. Noncompetition agreement
4. Nondisclosure agreement

Generally, a nondisclosure agreement is a written agreement providing that signatories must keep all trade secrets and proprietary information learned during their employment confidential. Nondisclosure agreements are one of the least expensive and most efficient methods for controlling the loss of proprietary information. A noncompetition agreement is an agreement whereby an employee agrees not to work for competing companies within a certain period of time after leaving his current employer.

 

QUESTION 29 : Which of the following scenarios illustrates a fraudster’s use of social engineering?

1. A fraudster calls a company employee and requests sensitive information while claiming to be a coworker whose systems are down
2. A fraudster has lunch at a restaurant where a target company’s employees are known to eat with the intention of overhearing sensitive conversations
3. A fraudster without an employee badge gains access to a secure facility by following legitimate employees who are oblivious to his presence
4. None of the above

Social engineering is the act of using deceptive techniques to manipulate people into taking certain actions or disclosing information. In social engineering schemes, social engineers use various forms of trickery, persuasion, threats, or cajolery to encourage their targets to release information that the engineers can use and exploit to achieve their goals. Attackers engage in social engineering for various reasons. Some use social engineering to gain unauthorized access to systems or obtain confidential communication so they can commit fraud, intrude into networks, gain access to buildings, steal another party’s secrets, commit identity theft, or engage in some other nefarious act. In some situations, attackers use social engineering to procure information that will give them a competitive advantage, whereas others might engage in social engineering to find ways in which they can install malware.