Cybersecurity Quiz - Vee Care Asia

Cybersecurity Quiz

NameEmailPhone Number

1. Which of the following cybersecurity objectives ensures that only authorized users can access specific data or resources?

a) Authenticity

b) Authorization

c) Availability

d) Confidentiality

e) Updatability and Patchability

2. Which of the following cybersecurity objectives is primarily focused on ensuring that data or communication is genuine and from a verified source?

a) Authorization

b) Confidentiality

c) Authenticity

d) Availability

e) Updatability and Patchability

3. Which is the correct order of the main steps in managing cybersecurity risk?

a) Identify, Detect, Protect, Respond, Recover

b) Protect, Detect, Identify, Respond, Recover

c) Identify, Protect, Detect, Respond, Recover

d) Detect, Identify, Protect, Recover, Respond

e) Recover, Respond, Detect, Protect, Identify

4. In the NIST SP 800-53 Risk Management Framework (SPDF), which of the following correctly represents the order of steps from organizational readiness to handling vulnerabilities?

a) Protect the software, Prepare the Organization, Produce well-secured software, Respond to vulnerabilities

b) Prepare the Organization, Protect the software, Produce well-secured software, Respond to vulnerabilities

c) Produce well-secured software, Prepare the Organization, Protect the software, Respond to vulnerabilities

d) Respond to vulnerabilities, Prepare the Organization, Protect the software, Produce well-secured software

e) Protect the software, Produce well-secured software, Respond to vulnerabilities, Prepare the Organization

5. Which of the following cybersecurity activity(ies) is/are conducted by the manufacturer?

a) Prepare and fill the MDS2 form

b) Conduct Penetration Test

c) Conduct Fuzz Testing

d) Conduct Vulnerability Scanning

e) a and c

6. What is the primary purpose of threat modeling in medical device cybersecurity management?

a) To ensure devices comply with medical regulations

b) To test the physical durability of medical devices

c) To train healthcare staff on device operation

d) To improve user interface design of medical devices

e) To identify potential security vulnerabilities and assess risks before attacks occur

7. According to FDA post-market guidance, how should cybersecurity risks be assessed in medical devices?

a) By examining the device's physical reliability and user feedback

b) By evaluating the exploitability of vulnerabilities and their potential severity

c) By analyzing manufacturing costs and supply chain robustness

d) By assessing the device's aesthetic design and user comfort

e) By reviewing prior incidents unrelated to cybersecurity threats

8. What is the primary purpose of a data flow diagram in cybersecurity management?

a) To visually represent the physical layout of a network

b) To illustrate how data moves within a system, helping identify potential security vulnerabilities

c) To generate encryption keys for secure communication

d) To monitor real-time network traffic for malicious activity

e) To train employees on cybersecurity policies

9. In the context of FDA's Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, what is an "asset"?

a) A financial resource allocated for cybersecurity measures

b) Any physical component of the medical device

c) An information system or component that has value and needs protection, such as hardware, software, or data

d) A healthcare professional responsible for device maintenance

e) The user manual for the medical device

10. Which of the following are examples of physical assets in a cybersecurity context?

a) Server hardware

b) Encryption keys stored in a secure database

c) Network cables

d) A & C

e) All of the above

11. Which of the following are examples of information assets in cybersecurity?

a) Patient health records stored in a database

b) Physical security cameras and surveillance equipment

c) Confidential email communications

d) Network infrastructure hardware

e) A & C

12. What is an attack vector in cybersecurity?

a) A detection method used to identify malware

b) The pathway or method through which an attacker gains access to a system or network

c) A type of encryption used to secure data

d) A hardware component that protects against cyber threats

e) A policy used to regulate user access rights

13. Which of the following correctly lists the attack vector types defined in CVSS 3.1?

a) Remote, Local, Insider, Supply Chain

b) Network, Adjacent Network, Local, Cloud

c) Network, Adjacent Network, Local, Insider

d) Network, Adjacent Network, Local, Physical

e) Network, Local, Remote, Insider

14. Which of the following is an example of a network attack vector according to CVSS 3.1?

a) Exploiting a vulnerability through physical hardware tampering

b) Accessing a system remotely over the internet to exploit a weakness

c) Gaining access by exploiting a local user account

d) Attacking via an insider with physical access to the device

e) Interacting with the device through physical maintenance tools

15. Which of the following is an example of an adjacent network attack vector according to CVSS 3.1?

a) Attacker exploits a vulnerability over the internet from anywhere

b) Attacker physically tampering with the hardware on-site

c) An attacker exploiting a vulnerability via email phishing

d) An insider accessing the system with local credentials

e) Attacker gains access through a nearby Wi-Fi or local network segment without internet access

16. Which of the following is an example of a local attack vector according to CVSS 3.1?

a) Exploiting a vulnerability through a remote web application over the internet

b) Gaining access to a system by logging in directly at the physical machine or via local user accounts

c) Launching an attack from a nearby network using Wi-Fi

d) Exploiting a vulnerability via a supply chain compromise from a third-party supplier

e) Attacker executing code remotely via email attachment

17. Which of the following is an example of a physical attack vector according to CVSS 3.1?

a) Exploiting a vulnerability remotely over the internet

b) Launching a phishing attack to trick users into revealing credentials

c) Exploiting a software vulnerability via network services

d) Gaining access by physically tampering with or interacting with the hardware device

e) Intercepting data transmitted over a wireless network

18. What is the purpose of an MDS2 (Manufacturer Disclosure Statement for Medical Device Security) form?

a) To provide a detailed technical manual for the medical device's operation

b) To disclose manufacturer's security features, vulnerabilities, and cybersecurity practices for a medical device

c) To record the clinical performance and efficacy of the medical device

d) To certify that the device complies with international safety standards

e) To outline the pricing and purchasing terms for the medical device

19. What is the purpose of MS STRIDE in risk identification?

a) To evaluate the security and privacy threats by categorizing potential threats

b) To assess physical vulnerabilities in medical devices

c) To perform compliance auditing with cybersecurity standards

d) To develop patch management and update procedures

e) To train staff on cybersecurity policies

20. In the context of STRIDE Threat Mode, what does "Spoofing" refer to?

a) An attacker injecting malicious code into a system

b) An attacker impersonating a legitimate user or system to gain unauthorized access

c) An attacker causing a denial of service by overwhelming system resources

d) An attacker tampering with data to alter its integrity

e) An attacker exploiting a software vulnerability to escalate privileges

21. Which of the following is an example of Tampering with data in the STRIDE Threat Model?

a) An attacker impersonates a doctor to access patient records

b) An attacker alters medical device firmware to cause malfunction

c) A denial-of-service attack overwhelms the network resources

d) An attacker intercepts data in transit but leaves it unchanged

e) A user accidentally deletes a log file

22. Which of the following is an example of a repudiation threat in the STRIDE threat model?

a) An attacker impersonates a legitimate user to gain access

b) A user denies having sent a specific transaction or action that cannot be proven otherwise

c) An attacker causes a system to crash by overwhelming resources

d) An attacker intercepts and alters data during transmission

e) An attacker persistently attempts to flood a network to deny service

23. Which of the following is NOT an example of information disclosure in a medical device according to STRIDE?

a) The device transmitting encrypted patient data securely over a protected network

b) An unauthorized attacker accessing and retrieving patient data from the device

c) A user intentionally sharing login credentials with a colleague to perform a procedure

d) An attacker intercepting unencrypted data transmitted between the device and the server

e) Confidential patient information being displayed on the device screen without authorization

24. Which of the following is an example of a Denial of Service (DoS) attack on a medical device?

a) An attacker intercepts and alters data sent from the device to another system

b) An attacker floods the device's network with excessive traffic, causing it to become unresponsive or unavailable

c) A user unknowingly shares login credentials with an attacker

d) A malicious actor impersonates a healthcare professional to access the device

e) The device's firmware is deliberately tampered with to cause incorrect operation

25. Which of the following is an example of elevation of privileges in a medical device according to STRIDE?

a) An attacker sends a large volume of network traffic to disable the device

b) An attacker intercepts patient data during wireless transmission

c) A device's firmware becomes corrupted causing malfunction

d) A user accidentally deletes a patient record without proper authorization

e) A user with limited access gains administrative rights to change device configurations without authorization

26. How does AAMI TIR57:2016 recommend evaluating risk in medical device cybersecurity?

a) By only considering the likelihood of cyberattacks occurring

b) By assessing the potential impact of cybersecurity vulnerabilities, regardless of exploitability

c) By combining both the likelihood of an exploit and the severity of potential harm to patients or users

d) By analyzing the device's hardware design and physical robustness only

e) By reviewing past cybersecurity incidents in unrelated industries

27. What is the primary function of the MITRE system in cybersecurity?

a) To develop hardware solutions for secure communication

b) To provide a comprehensive knowledge base of cyber threat tactics, techniques, and procedures (TTPs) through frameworks like ATT&CK

c) To manufacture and distribute cybersecurity software

d) To enforce cybersecurity regulations through government policies

e) To certify cybersecurity professionals and experts

28. Which of the following is an example of a mitigation strategy for preventing spoofing identity attacks?

a) Using multi-factor authentication and digital certificates to verify user identities

b) Implementing strong encryption for data in transit and at rest

c) Increasing network bandwidth to handle more traffic

d) Regularly updating device hardware components

e) Disabling user accounts after multiple failed login attempts

29. Which of the following is an example of a mitigation strategy to prevent tampering with data?

a) Sending data over unsecured wireless networks to improve speed

b) Disabling all user authentication protocols for faster access

c) Reducing the frequency of software updates to minimize disruptions

d) Allowing all users to modify device data without restrictions

e) Implementing strong access controls and audit logs to track data modifications

30. Which of the following is an effective mitigation strategy to prevent repudiation in a medical device?

a) Implementing digital signatures and secure audit trails to ensure actions can be verified and non-repudiable

b) Increasing network traffic to detect any unusual activity

c) Disabling logging features to improve system performance

d) Providing false audit logs to confuse potential attackers

e) Relying solely on user memory for accountability

31. Which of the following is an effective mitigation strategy to prevent information disclosure in a medical device?

a) Allowing unrestricted access to all device data for convenience

b) Encrypting sensitive data during storage and transmission

c) Disabling user authentication to simplify device operation

d) Sharing device data openly over public networks without encryption

e) Removing audit logs to reduce storage needs

32. Which of the following is an effective mitigation strategy to defend against denial of service (DoS) attacks on a medical device?

a) Allowing unlimited network traffic without restrictions to ensure availability

b) Disabling all security features to improve device responsiveness

c) Implementing network firewalls and intrusion detection systems to monitor and block malicious traffic

d) Removing all logging to reduce system overhead

e) Increasing device power consumption to handle high traffic volumes

33. Which of the following is an effective mitigation strategy to prevent elevation of privileges in a medical device?

a) Implementing strict access controls and privilege management to limit user permissions

b) Allowing all users to access administrative functions without restrictions

c) Disabling user authentication to speed up device access

d) Removing audit trails to improve system performance

e) Sharing administrator passwords among multiple users for convenience

34. What is vulnerability testing in cybersecurity?

a) A method of encrypting data to prevent unauthorized access

b) The process of updating software and firmware on devices regularly

c) A process of scanning systems to identify weaknesses or security flaws that could be exploited by attackers

d) A technique used to recover data after a security breach

e) A training program for users to recognize phishing scams

35. What is a penetration test in cybersecurity?

a) A test to measure the speed of a network connection

b) An authorized simulation of a cyberattack to identify vulnerabilities in a system or network

c) A process to encrypt data to ensure confidentiality during transmission

d) A routine backup of critical data before system updates

e) A training exercise for users to improve password management skills

36. What is fuzz testing in cybersecurity?

a) A method of manually inspecting code for bugs and vulnerabilities

b) An automated technique that sends random or invalid data to a system to identify security weaknesses or crashes

c) A process of encrypting data to prevent unauthorized access

d) A routine system backup procedure before updates

e) A method of user authentication involving multiple factors

37. What is the primary goal of the FDA's post-market cybersecurity program for medical devices?

a) To develop new medical devices based on cybersecurity research

b) To monitor, assess, and address cybersecurity risks in medical devices after they are released to the market

c) To replace all existing cybersecurity standards with new regulations

d) To encrypt all patient data stored in medical devices permanently

e) To eliminate cybersecurity vulnerabilities during the initial device design phase only

38. Which of the following are potential risks introduced by design changes?

a) Software/hardware change introducing new attack vector

b) Network and connectivity change

c) Risk control change

d) SBOM update

e) All of the above

39. In case of uncontrolled risk being identified, what will be the timeline to communicate with customer about the remediation plan?

a) 5 days

b) 10 days

c) 15 days

d) 30 days

e) 90 days

40. What is the main purpose of becoming a member of an Information Sharing and Analysis Organization (ISAO)?

a) To receive exclusive access to government funding for cybersecurity research

b) To share cyber threat intelligence, best practices, and incident information with other members to enhance collective security

c) To get certified as a cybersecurity professional

d) To access proprietary hardware security modules

e) To directly influence international cybersecurity laws and regulations

Your score is

0%