
Quiz — Chapter 26: Insider Threats

Quiz Instructions

15 questions covering detection, psychology, and response. Scenario-based questions are marked [SCENARIO].


Questions

1. Which insider threat category describes a disgruntled employee who intentionally exfiltrates proprietary data before resignation?

  • [ ] A. Negligent insider
  • [ ] B. Malicious insider
  • [ ] C. Compromised insider
  • [ ] D. Collusive insider
Answer: B

A malicious insider acts with intent. Negligent insiders cause harm accidentally; compromised insiders are controlled by external actors.


2. The CERT Insider Threat Center identifies which precursor as the single strongest behavioral indicator of imminent sabotage?

  • [ ] A. Excessive overtime
  • [ ] B. Working remotely more frequently
  • [ ] C. Unresolved workplace grievance combined with technical access abuse
  • [ ] D. Requesting access to systems outside job role
Answer: C

CERT research shows that the combination of an unresolved grievance and access abuse is the highest-fidelity predictor of sabotage events.


3. A user's UEBA profile shows a 4-sigma spike in data downloads at 02:00 on a Friday before a holiday weekend. What is the FIRST action?

  • [ ] A. Immediately terminate the user's account
  • [ ] B. Alert HR and legal simultaneously
  • [ ] C. Investigate contextually — verify if scheduled batch job or authorized activity
  • [ ] D. Block all egress from that workstation
Answer: C

Context investigation first prevents false positives. Many anomalies have benign explanations (scheduled tasks, authorized backups). Escalate only after context is ruled out.


4. Which data loss prevention (DLP) deployment mode provides the highest fidelity detection of email exfiltration without impacting user productivity?

  • [ ] A. Endpoint DLP agent in blocking mode
  • [ ] B. Network DLP inline with SSL inspection
  • [ ] C. Cloud access security broker (CASB) in API mode
  • [ ] D. Email gateway DLP in monitor-only mode
Answer: D

Monitor-only mode captures all violations without blocking legitimate mail flow, enabling tuning before enforcement. SSL inspection (B) carries a scalability cost; endpoint agents (A) can be evaded.


5. [SCENARIO] A sysadmin resigns effective in two weeks. The next morning, SIEM alerts show they ran GRANT ALL ON *.* TO 'backdoor'@'%' on the production MySQL server at 23:47.

What is the correct immediate response sequence?

  • [ ] A. Revoke access → inform manager → open HR ticket
  • [ ] B. Preserve evidence → revoke access → notify legal and CISO → treat as incident
  • [ ] C. Confront the employee → change passwords → patch server
  • [ ] D. Monitor for 48 hours to gather more evidence before acting
Answer: B

This is a malicious insider incident. Evidence preservation (logs, DB audit records) before any action is critical. Legal must be notified before HR confrontation. Monitoring (D) risks data destruction.


6. Which framework provides the most structured methodology for insider threat program maturity assessment?

  • [ ] A. NIST SP 800-53
  • [ ] B. CERT Insider Threat Program Evaluation Framework (ITPEF)
  • [ ] C. MITRE ATT&CK for Enterprise
  • [ ] D. ISO/IEC 27001 Annex A
Answer: B

CERT ITPEF is purpose-built for insider threat programs across 5 domains: leadership, policy, technical, behavioral, and response. NIST 800-53 covers controls broadly but not insider-specific maturity.


7. Privileged Access Management (PAM) reduces insider threat risk primarily by:

  • [ ] A. Blocking all privileged logins outside business hours
  • [ ] B. Recording and auditing all privileged sessions with just-in-time access grants
  • [ ] C. Requiring MFA for all user accounts
  • [ ] D. Encrypting privileged credentials at rest
Answer: B

JIT access + session recording reduces standing privilege (attack surface) and creates non-repudiable audit trails. MFA (C) is important but doesn't address privilege abuse by authorized users.


8. Which ATT&CK technique most directly represents an insider using legitimate credentials to exfiltrate data via a personal cloud storage account?

  • [ ] A. T1078 — Valid Accounts
  • [ ] B. T1567.002 — Exfiltration to Cloud Storage
  • [ ] C. T1048 — Exfiltration Over Alternative Protocol
  • [ ] D. T1213 — Data from Information Repositories
Answer: B

T1567.002 specifically covers exfiltration to cloud storage (Dropbox, OneDrive, Google Drive). T1078 covers credential use, not the exfiltration action itself.


9. A negligent insider accidentally emails a 50MB file containing 10,000 customer PII records to an external address. Under GDPR, notification to the supervisory authority is required within:

  • [ ] A. 24 hours
  • [ ] B. 48 hours
  • [ ] C. 72 hours
  • [ ] D. 7 days
Answer: C

GDPR Article 33 mandates notification to the supervisory authority within 72 hours of becoming aware of the breach. Data subjects must be notified without undue delay when there is a high risk to them (Article 34).


10. [SCENARIO] Your DLP system alerts that a contractor has uploaded 2.3GB of source code to a personal GitHub account (set to private). The contractor's NDA prohibits this. You have no PAM logging for this individual.

What evidence should you immediately preserve?

  • [ ] A. Interview the contractor immediately
  • [ ] B. Network flow logs showing the upload, DLP alert details, GitHub API metadata if obtainable, and endpoint file access logs
  • [ ] C. Only the DLP alert — no other evidence is legally admissible
  • [ ] D. Screenshot of the GitHub repository before it can be deleted
Answer: B

Comprehensive evidence preservation: netflow, DLP telemetry, endpoint logs (recently accessed files), and any cloud API evidence available. Screenshots alone (D) are inadmissible without corroborating metadata.


11. Which technical control BEST detects a compromised insider (account taken over by external threat actor)?

  • [ ] A. Data classification labels
  • [ ] B. UEBA baseline deviation detection (impossible travel, new device, abnormal hours)
  • [ ] C. Network segmentation
  • [ ] D. Background check on hire
Answer: B

UEBA detects behavioral deviation from established baseline — impossible travel, new geolocation, unusual device fingerprint. These distinguish account compromise from normal insider activity.


12. A "two-person integrity" (TPI) control requires:

  • [ ] A. Two separate passwords for privileged systems
  • [ ] B. Two authorized individuals must jointly authorize and execute sensitive operations
  • [ ] C. Dual-factor authentication for all admin logins
  • [ ] D. Two independent DLP systems reviewing all egress
Answer: B

TPI (also called dual control or four-eyes principle) prevents a single insider from performing sensitive operations alone. Used in nuclear, finance, and high-security environments.


13. [SCENARIO] HR informs your SOC that an executive has been placed on a Performance Improvement Plan (PIP) with 30-day notice. The executive has broad SaaS admin rights and access to M&A documents.

Which actions should your team take PROACTIVELY?

  • [ ] A. Immediately revoke all access and notify the executive
  • [ ] B. Increase monitoring of the account (UEBA tuning, DLP alerts), review access scope, prepare access revocation runbook, brief legal
  • [ ] C. Do nothing until a policy violation occurs
  • [ ] D. Transfer all documents the executive can access to a new location
Answer: B

Heightened monitoring + access review is appropriate without tipping off the employee. Immediate revocation (A) without cause may be premature and legally risky. Legal must be in the loop.


14. The "Joiner-Mover-Leaver" (JML) process primarily addresses which insider threat risk?

  • [ ] A. Credential stuffing attacks
  • [ ] B. Accumulation of excessive permissions over time (privilege creep) and orphaned accounts after departure
  • [ ] C. Phishing susceptibility
  • [ ] D. Insider trading on financial data
Answer: B

JML ensures timely provisioning on join, access review on internal transfer, and full de-provisioning on exit — preventing privilege creep and orphaned accounts that insiders (or attackers) can exploit.


15. [SCENARIO] Post-investigation reveals a terminated employee retained VPN access for 47 days after departure (off-boarding process failure) and used it to delete 3TB of backup data.

Which systemic controls would have PREVENTED this?

  • [ ] A. Better password complexity requirements
  • [ ] B. Automated account de-provisioning integrated with HR system, privileged session recording, and immutable backups
  • [ ] C. More frequent security awareness training
  • [ ] D. Endpoint DLP blocking USB access
Answer: B

Automated HR-to-IAM de-provisioning would have revoked VPN access on day 1 of termination. Immutable backups (WORM) would have prevented deletion even with valid credentials. Session recording would have provided an audit trail.


Score Interpretation

Score   Level
13–15   Expert — Insider Threat Program ready
10–12   Proficient — minor gaps in detection/response
7–9     Developing — review CERT ITPEF and UEBA concepts
<7      Foundational — revisit Chapter 26 fully

Key References: CERT ITPEF, NIST SP 800-53 (AC, AU controls), MITRE ATT&CK T1078/T1567, GDPR Art. 33/34