Logic bomb
"explodes" when certain conditions are met
What are the principal concerns with respect to inappropriate temperature and humidity.
(1) Room temperature too hot or too cold for equipment. (2) Internal equipment temperature too hot. (3) Humidity too high or too low.
What are possible locations for NIDS sensors?
(1) just inside the external firewall; (2) between the external firewall and the Internet or WAN; (3) at the entrance to major backbone networks; (4) to support workstation LANs.
A Botnet can use _______ for command-and-control.
- Email - HTTP - IRC
Types of Resources that can be attacked
-Network bandwidth -System resources -Application resources
flooding ping
-aims to overwhelm the capacity of the network connection -traffic can be handled by higher capacity links on the path, but packets are discarded -source of the attack is clearly identified unless spoofed -network performance is noticeably affected
HTTP flood
-attack that bombards web servers with http requests -consumes considerable resources -spidering: bots start from a given http link and follow all links on the web site in a recursive way
reflection attacks
-attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system -when the intermediary responds, the response is sent to the target; this "reflects" the attack off the reflector -goal is to generate enough volume of packets to flood the link to the target system without alerting it -basic defense is blocking spoofed source packets
SYN spoofing
-attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them -thus legitimate users are denied access to the server -it's an attack on system resources, specifically the network handling code in an operating system
slowloris
-attempts to monopolize the server by sending http requests that never complete -eventually consumes the web server's capacity -uses legitimate http traffic -existing intrusion detection and prevention solutions that rely on signatures to detect attacks will generally not recognize slowloris
DoS attack prevention
-block spoofed source addresses -filters may be used to ensure the path back to the claimed source address is the one being used by the current packet -use modified TCP connection handling code -cryptographically encode critical information in a cookie that is sent as the server's initial sequence # -drop an entry for an incomplete connection -block ip directed broadcasts -block suspicious services and combinations -manage application attacks with a captcha -good general system security practices -use mirrored and replicated servers when high performance and reliability is required
High traffic
-can be legit -activity on a popular site -high publicity, called slashdotted, flash crowd or flash event
responding to dos attacks
-identify type of attack: capture packets, design filters, or identify and correct the system/application bug -have ISP trace packet flow to source: difficult and time consuming, useful if legal action is wanted -implement contingency plan: switch to backup server, commission new servers at a new site with new addresses -update incident response plan
ICMP flood
-ping flood using icmp echo request packets -traditionally network admins allow such packets into their networks because ping is a useful diagnostic tool
DoS attack defenses
-prevention and preemption -detection and filtering -attack source traceback and identification -attack reaction
TCP SYN flood
-sends TCP packets to target system -total volume of packets is the aim of the attacker rather than system code
SIP flood
-standard protocol for VoIP telephony -text-based protocol with a syntax similar to HTTP -requests and responses
Source Address Spoofing
-use forged source address -makes attack harder to identify -attacker generates large volumes of packets that have the target system as the destination address -congestion results in the router connected to the final lower capacity link -requires network engineers to specifically query flow information from their routers
DNS amplification attacks
-uses packets directed at a legitimate dns server as the intermediary system -attacker creates a series of dns requests containing the spoofed source address of the target system -exploits dns behavior to convert a small request into a much larger response (amplification) -target is flooded with responses -basic defense is to prevent use of spoofed source addresses
List three design goals for a firewall
1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this section. 2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later in this section. 3. The firewall itself is immune to penetration. This implies the use of a trusted system with a secure operating system.
What are the three benefits that can be provided by an IDS?
1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner the intrusion is detected, the less damage is done and the more quickly recovery can be achieved. 2. An effective intrusion detection system can serve as a deterrent, thus acting to prevent intrusions. 3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
National Institute of Standards and Technology (NIST)
1. The Secure Hash Algorithm (SHA) was developed by the _________ and published as a federal information processing standard (FIPS 180) in 1993.
firewall
1. The _________ is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter to protect the premises network from Internet-based attacks.
T
1. The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.
T
1. The one-way hash function is important not only in message authentication but also in digital signatures.
C
1. _________ control determines the types of Internet services that can be accessed, inbound or outbound. A. Behavior B. Direction C. Service D. User
F
10. A DMZ is one of the internal firewalls protecting the bulk of the enterprise network.
B
10. A _________ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control. A. packet filtering firewall B. distributed firewall C. personal firewall D. stateful inspection firewall
host-based IPS (HIPS)
10. A ___________ makes use of both signature and anomaly detection techniques to identify attacks.
A
10. Although the _________ attack is a serious threat, there are simple countermeasures that can be used such as constant time calcs, random delays or blinding computations. A. timing B. chosen ciphertext C. mathematical D. none of the above
XOR (bit-by-bit exclusive-OR)
10. One of the simplest hash functions is the ________ of every block.
T
10. The key exchange protocol is vulnerable to a man-in-the-middle attack because it does not authenticate the participants.
SHA-3
11. "Must support hash value lengths of 224, 256, 384, and 512 bits" and "algorithm must process small blocks at a time instead of requiring the entire message to be buffered in memory before processing it" are requirements for ________.
T
11. A logical means of implementing an IPSec is in a firewall.
C
11. Typical for SOHO applications, a __________ is a single router between internal and external networks with stateless or full packet filtering. A. single bastion T B. double bastion inline C. screening router D. host-resident firewall
T
11. Unlike RSA, DSS cannot be used for encryption or key exchange.
Pattern
11. _________ matching scans incoming packets for specific byte sequences (the signature) stored in a database of known attacks.
B
11. ___________ was the first published public-key algorithm. A. NIST B. Diffie-Hellman C. RC4 D. RSA
What is the additive inverse of 8 MOD 20?
12. The inverse of 8 is a number that, when added to 8 MOD 20, results in 0. So obviously the answer is 12, because 8 + 12 MOD 20 is 0: 8 plus 12 is 20, and 20 MOD 20 is 0. Therefore, the additive inverse of 8 is 12.
If n is 21, what is totient(n)?
12. We know that 21 equals to 3 times 7. And 3 and 7 are prime numbers. Therefore, totient 21 should be 2 times 6. And the result is then 12. So 12 is the answer.
T
12. Distributed firewalls protect against internal attacks and provide protection tailored to specific machines and applications.
MD5
12. If speed is a concern, it is fully acceptable to use _________ rather than SHA as the embedded hash function for HMAC.
D
12. The National Institute of Standards and Technology has published Federal Information Processing Standard FIPS PUB 186, known as the __________. A. XOR B. MD5 C. MAC D. DSS
F
12. The operations performed during a round consist of circular shifts, and primitive Boolean functions based on DSS, MD5, SHA, and RSA.
Traffic
12. __________ anomaly watches for unusual traffic activities, such as a flood of UDP packets or a new service appearing on the network.
A
12. __________ are attacks that attempt to give ordinary users root access. A. Privilege-escalation exploits B. Directory transversals C. File system access D. Modification of system resources
T
13. An important aspect of a distributed firewall configuration is security monitoring.
T
13. SHA-3 algorithms must be designed to resist any potentially successful attack on SHA-2 functions.
Sdrop
13. Snort Inline adds three new rule types: drop, reject, and _________.
C
13. The __________ uses an algorithm that is designed to provide only the digital signature function and cannot be used for encryption or key exchange. A. ECC B. RSA C. DSS D. XOR
secret key
13. The purpose of the algorithm is to enable two users to exchange a __________ securely that can then be used for subsequent encryption of messages.
D
13. __________ scans for attack signatures in the context of a traffic stream rather than individual packets. A. Pattern matching B. Protocol anomaly C. Traffic anomaly D. Stateful matching
UTM (Unified Threat management)
14. A single device that integrates a variety of approaches to dealing with network-based attacks is referred to as a __________ system.
T
14. Cryptographic hash functions generally execute faster in software than conventional encryption algorithms such as DES.
A
14. The principal attraction of __________ compared to RSA is that it appears to offer equal security for a far smaller bit size, thereby reducing processing overhead. A. ECC B. MD5 C. Diffie-Hellman D. none of the above
cryptographic
14. The security of any MAC function based on an embedded hash function depends in some way on the _________ strength of the underlying hash function.
F
14. Unlike a firewall, an IPS does not block traffic.
B
14. __________ looks for deviation from standards set forth in RFCs. A. Statistical anomaly B. Protocol anomaly C. Pattern matching D. Traffic anomaly
T
15. A hash function such as SHA-1 was not designed for use as a MAC and cannot be used directly for that purpose because it does not rely on a secret key.
RSA
15. Perhaps the most widely used public-key algorithms are _________ and Diffie-Hellman.
T
15. Snort Inline enables Snort to function as an intrusion prevention capability.
D
15. The DSS makes use of the _________ and presents a new digital signature technique, the Digital Signature Algorithm (DSA). A. HMAC B. XOR C. RSA D. SHA-1
A
15. The _________ attack is designed to circumvent filtering rules that depend on TCP header information. A. tiny fragment B. address spoofing C. source routing D. bastion host
"defense in depth"
15. The firewall follows the classic military doctrine of _________ because it provides an additional layer of defense.
T
16. The additive constant numbers used in SHA-512 are random-looking and are hardcoded in the algorithm.
SHA-1 produces a hash value of _____ bits.
160
T
17. The strong collision resistance property subsumes the weak collision resistance property.
F
18. It is a good idea to use sequentially increasing numbers as challenges in security protocols.
T
19. Assume that Alice and Bob have each other's public key. In order to establish a shared session key, Alice just needs to generate a random k, encrypt k using Bob's public key, and send the encrypted k to Bob, and then Bob will know he has a key shared with Alice.
packet filtering
2. A _________ firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
T
2. A firewall can serve as the platform for IPSec.
A
2. In 2005, NIST announced the intention to phase out approval of _______ and move to a reliance on the other SHA versions by 2010. A. SHA-1 B. SHA-512 C. SHA-256 D. SHA-2
T
2. SHA is perhaps the most widely used family of hash functions.
SHA-2
2. Versions of SHA with hash value lengths of 256, 384, and 512 bits (SHA-256, SHA-384, and SHA-512) are collectively known as _________.
B
2. _________ control controls how particular services are used. A. Service B. Behavior C. User D. Direction
D
3. Issued as RFC 2104, __________ has been chosen as the mandatory-to-implement MAC for IP Security. A. RSA B. SHA-3 C. DSS D. HMAC
F
3. SHA-1 is considered to be very secure.
Source
3. The ________ IP address is the IP address of the system that originated the IP packet.
cost
3. The evaluation criteria for the new hash function are: security, _______, and algorithm and implementation characteristics.
F
3. The firewall can protect against attacks that bypass the firewall.
C
3. _________ control determines the direction in which particular service requests may be initiated and allowed to flow through the firewall. A. Behavior B. User C. Direction D. Service
The MPDU exchange for distributing pairwise keys is known as the _______.
4-way handshake
T
4. A packet filtering firewall is typically configured to filter packets going in both directions.
spoofing
4. An intruder transmitting packets from the outside with a source IP address field containing an address of an internal host is known as IP address _________.
T
4. SHA-2 shares the same structure and mathematical operations as its predecessors and this is a cause for concern.
D
4. The _________ scheme has reigned supreme as the most widely accepted and implemented approach to public-key encryption. A. SHA-1 B. HMAC C. MD5 D. RSA
HMAC
4. ______ has been issued as RFC 2014, has been chosen as the mandatory-to-implement MAC for IP Security, and is used in other Internet protocols, such as Transport Layer Security.
A
4. ________ control controls access to a service according to which user is attempting to access it. A. User B. Direction C. Service D. Behavior
C
5. A ________ attack involves trying all possible private keys. A. mathematical B. timing C. brute-force D. chosen ciphertext
T
5. HMAC can be proven secure provided that the embedded hash function has some reasonable cryptographic strengths.
F
5. One disadvantage of a packet filtering firewall is its simplicity.
RSA
5. One of the first public-key schemes, _______, was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman.
D
5. The _________ defines the transport protocol. A. destination IP address B. source IP address C. interface D. IP protocol field
SOCKS
5. The __________ protocol is an example of a circuit-level gateway implementation that is conceptually a "shim-layer" between the application layer and the transport layer and does not provide network-layer gateway services.
What is the multiplicative inverse of 3 MOD 17?
6. Three times six equals 18, which equals one mod 17.
D
6. A __________ gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. A. packet filtering B. stateful inspection C. application-level D. circuit-level
bastion host
6. Identified as a critical strong point in the network's security, the _________ serves as a platform for an application-level or circuit-level gateway.
T
6. The appeal of HMAC is that its designers have been able to prove an exact relationship between the strength of the embedded hash function and the strength of HMAC.
F
6. The countermeasure to tiny fragment attacks is to discard packets with an inside source address if the packet arrives on an external interface.
A
6. _________ attacks have several approaches, all equivalent in effort to factoring the product of two primes. A. Mathematical B. Brute-force C. Chosen ciphertext D. Timing
Timing attacks
6. __________ are alarming for two reasons: they come from a completely unexpected direction and they are a ciphertext-only attack.
DES block size is ____ bits and takes a key of ______ bits to produce a ciphertext block of ______ bits
63, 56, 64
personal
7. A __________ firewall controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side.
T
7. A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context.
B
7. An example of a circuit-level gateway implementation is the __________ package. A. application-level B. SOCKS C. SMTP D. stateful inspection
mathematical
7. Four possible approaches to attacking the RSA algorithm are: brute force, timing attacks, _________ attacks, and chosen ciphertext attacks.
T
7. RSA is a block cipher in which the plaintext and ciphertext are integers between 0 and n - 1 for some n.
D
7. _________ are analogous to a burglar guessing a safe combination by observing how long it takes to turn the dial from number to number. A. Digital standards B. Mathematical attacks C. Ciphers D. Timing attacks
VPN
8. A ________ uses encryption and authentication in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet.
T
8. A prime disadvantage of an application-level gateway is the additional processing overhead on each connection.
Digital Signature Standard (DSS)
8. NIST has published FIPS PUB 186, which is known as the ___________.
B
8. The _________ attack exploits the common use of a modular exponentiation algorithm in RSA encryption and decryption, but can be adapted to work with any implementation that does not run in fixed time. A. mathematical B. timing C. chosen ciphertext D. brute-force
F
8. Timing attacks are only applicable to RSA.
A
8. Typically the systems in the _________ require or foster external connectivity such as a corporate Web site, an e-mail server, or a DNS server. A. DMZ B. IP protocol field C. boundary firewall D. VPN
C
9. A _________ consists of a set of computers that interconnect by means of a relatively unsecure network and makes use of encryption and special protocols to provide security. A. proxy B. UTM C. VPN D. stateful inspection firewall
C
9. A __________ type of attack exploits properties of the RSA algorithm. A. timing B. brute-force C. chosen ciphertext D. mathematical
T
9. The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms.
T
9. The primary role of the personal firewall is to deny unauthorized remote access to the computer.
Diffie-Hellman
9. The purpose of the __________ algorithm is to enable two users to exchange a secret key securely that can then be used for subsequent encryption of messages.
IPSec
9. __________ protocols operate in networking devices, such as a router or firewall, and will encrypt and compress all traffic going into the WAN and decrypt and uncompress traffic coming from the WAN.
A botnet operator compromises a number of computers in a company. The malware executed by the bots only sends large amounts of spam email but does not exfiltrate sensitive data or interfere with legitimate activities. Select the appropriate action by the company in this situation: a. the company should detect and prevent abuse of its resources by unauthorized parties b. Since it posed no risk to company's sensitive data or normal operations, it can be ignored.
A
Select all statements that are true: A. CBC is more secure than ECB. B. We can have both confidentiality and integrity protection with CBC by using just one key.
A
Define buffer overflow.
A "buffer overflow" results from adding more information to a program's buffer than it was designed to hold.
Check any item that is true. To improve detection performance, an IDS should: a. reduce false alarm rate, while detecting as many intrusions as possible. b. apply detection models at all unfiltered packet data directly. c. apply detection models at processed event data that has higher base rate.
A & C
Firewalls can stop/control: a. Pings b. Packet Sniffing c. Outbound network traffic
A & C
Malware can disable: a. Software firewalls b. Hardware firewalls c. Antivirus checkers
A & C
What weaknesses can be exploited in the Vigenere Cipher? a. It uses a repeating key letters b. It requires security for the key, not the message c. The length of the key can be determined using frequency
A & C
Which of the following characteristics would improve password security? a. Use a one-way hash function b. Should not use the avalanche effect c. Should only check to see that the hash function output is the same as stored output
A & C
A company has a conventional firewall in place on its network. Which (if any) of these situations requires an additional personal firewall? a. An employee uses a laptop on the company network at home. b. An employee uses a desktop on the company network to access websites worldwide. c. A remote employee uses a desktop to create a VPN on the company's secure network. d. None of the above; in each case the employee's computer is protected by the company firewall.
A & C. A - In this case a personal firewall is required because when the employee takes the laptop to his home it needs protection. That is when the laptop is at home it is not protected by the conventional network firewall at a company, so it requires a personal firewall. C - The third case, a remote employee uses a desktop to create a VPN on the company's secure network. In this case, a personal firewall is required. In fact, a personal firewall on a desktop is typically used to create a VPN, so that the remote desktop can access the company's secure network.
host-based IDS
A _______ monitors the characteristics of a single host and the events occurring within that host for suspicious activity
digital signature
A _________ is created by using a secure hash function to generate a hash value for a message and then encrypting the hash code with a private key.
cryptanalytic
A _________________ attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used.
stream cipher
A _________________ processes the input elements continuously, producing output one element at a time.
block cipher
A _________________ processes the plaintext input in fixed-size blocks and produces a block of ciphertext of equal size for each plaintext block.
What is the difference between a bot and a rootkit?
A bot (robot), also known as a zombie or drone, is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the bot's creator. A rootkit is a set of programs installed on a system to maintain administrator (or root) access to that system. Root access provides access to all the functions and services of the operating system. The rootkit alters the host's standard functionality in a malicious and stealthy way.
What is a circuit-level gateway?
A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.
Define a denial of service (DOS) attack
A denial of service (DoS) attack is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.
Define a distributed denial-of-service (DDoS) attack.
A distributed denial of service (DDoS) attack uses multiple attacking systems, often using compromised user workstations or PC's. Large collections of such systems under the control of one attacker can be created, collectively forming a "botnet". By using multiple systems, the attacker can significantly scale up the volume of traffic that can be generated. Also by directing the attack through intermediaries, the attacker is further distanced from the target, and significantly harder to locate and identify.
What are typical phases of operation of a virus or worm?
A dormant phase, a propagation phase, a triggering phase, and an execution phase
Define the terms false match rate and false nonmatch rate, and explain the use of a threshold in relationship to these two rates.
A false match occurs when an imposter's biometric data is declared by the system to be matched with the stored biometric data for a user. A false mismatch occurs when the system declares that the biometric data of a genuine user does not match the stored biometric data for that user. The rate refers to the probability of a false match or false mismatch.
T
A message authentication code is a small block of data generated by a secret key and appended to a message. True or False
What is the role of encryption in the operation of a virus?
A portion of the virus, generally called a mutation engine, creates a random encryption key to encrypt the remainder of the virus. The key is stored with the virus, and the mutation engine itself is altered. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected.
In the context of access control, what is the difference between a subject and an object?
A subject is an entity capable of accessing objects. Generally, the concept of subject equates with that of process. Any user or application actually gains access to an object by means of a process that represents that user or application. An object is anything to which access is controlled. Examples include files, portions of files, programs, and segments of memory.
What is the difference between a packet filtering firewall and a stateful inspection firewall?
A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, as shown in Table 9.2. There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory
inline sensor
A(n) ______ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
Select all correct answers to complete this statement. A block cipher should a. use substitution to achieve confusion. b. use permutation to achieve diffusion. c. use a few rounds, each with a combination of substitution and permutation. d. keep the algorithm secret.
A, B, C
Select all statements that are true: a. To decrypt using DES, the same algorithm is used but with the per-round keys used in the reversed order. b. With Triple DES the effective key length can be 56, 112, and 168. c. Each round of DES contains both substitution and permutation operations. d. The logic behind the S-boxes is well-known and verified.
A, B, C
_______ is a function that removes specific identifying information from query results, such as last name and telephone number, but creates some sort of unique identifier so that analysts can detect connections between queries. A. Anonymization B. Data transformation C. Immutable audit D. Selective revelation
A. Anonymization
For general-purpose block-oriented transmission you would typically use _____ mode. A. CBC B. CTR C. CFB D. OFB
A. CBC
This backdoor inserts backdoors into other programs during compilation. A. Compiler backdoors B. Object backdoors C. Asymmetric backdoors
A. Compiler backdoors
Typically the systems in the __________ require or foster external connectivity such as a corporate Web site, an e-mail server, or a DNS server. A. DMZ B. IP protocol field C. boundary firewall D. VPN
A. DMZ
The principal attraction of _________ compared to RSA is that it appears to offer equal security for a far smaller bit size, thereby reducing processing overhead. A. ECC B. MD5 C. Diffie-Hellman D. none of the above
A. ECC
Mark the box next to all those items that firewalls can stop: A. Hackers breaking into your system B. Internet traffic that appears to be from a legitimate source C. Viruses and worms that spread through the internet D. Spyware being put on your system E. Viruses and worms that are spread through email
A. Hackers breaking into your system C. Viruses and worms that spread through the internet
________ attacks have several approaches, all equivalent in effort to factoring the product of two primes. A. Mathematical B. Brute-force C. Chosen ciphertext D. Timing
A. Mathematical
________ is the original message or data that is fed into the encryption process as input. A. Plaintext B. Encryption algorithm C. Decryption algorithm D. Ciphertext
A. Plaintext
Georgia Tech systems store student data such as grades. The institute must protect such data due to a. Regulatory reasons b. Because the data is sensitive it can only be disclosed to the student and his/her family
A. Regulatory reasons - FERPA
An attacker sends various kinds of packets to probe a system or network for vulnerabilities that can be exploited. A. Scanning attack B. DOS C. Penetration Attack
A. Scanning attack This is scanning the network in order to find weaknesses for attacks.
Malware can disable: A. Software firewalls B. Hardware firewalls C. Antivirus checkers
A. Software firewalls C. Antivirus checkers
Typically the systems in the __________ require or foster external connectivity such as a corporate Web site, an e-mail server, or a DNS server. A. DMZ B. IP protocol field C. Boundary firewall D. VPN
A. We typically put these public facing servers in a DMZ, but also protect the internal network from these servers.
A _________ is created by using a secure hash function to generate a hash value for a message and then encrypting the hash code with a private key. A. digital signature B. keystream C. one way hash function D. secret key
A. digital signature
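Worked example, added here and not part of the original card set: textbook RSA hash-then-sign in Python, showing the hash fingerprint of a message being "encrypted" with the private key and checked with the public key, and why the mathematical attack on RSA (factoring n) recovers the private exponent. The parameters (two Mersenne primes, a hash truncated to 128 bits, no padding) are assumptions made so the example runs without a prime generator; they are far too small for real use.

```python
import hashlib

# Toy RSA key built from two Mersenne primes, 2^61-1 and 2^89-1 (assumption for
# illustration only: a real key uses primes of 1024+ bits and a padding scheme
# such as PSS). This is the textbook "encrypt the hash with the private key"
# scheme the card describes.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537


def private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod (p-1)(q-1). Anyone who factors n into p and q can run this,
    which is why mathematical attacks on RSA reduce to factoring n."""
    return pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+


D = private_exponent(P, Q, E)


def fingerprint(message: bytes) -> int:
    """SHA-256 of the message, truncated to 128 bits so it is smaller than the
    toy modulus (the truncation is only needed because N is small)."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Signature = hash(message)^d mod n: the hash 'encrypted' with the private key."""
    return pow(fingerprint(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recover the hash with the public key and compare it with a fresh hash."""
    return pow(signature, e, n) == fingerprint(message)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"
    sig = sign(msg)
    print("valid signature verifies:", verify(msg, sig))
    print("altered message rejected:", verify(b"transfer 1000 to account 42", sig))
```

Only the holder of d can produce a value that the public exponent maps back to the message hash, which is what gives the signature its non-repudiation property; changing a single character of the message changes the fingerprint and the check fails.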
A ________ monitors the characteristics of a single host and the events occurring within that host for suspicious activity. A. host-based IDS B. security intrusion C. network-based IDS D. intrusion detection
A. host-based IDS
The _______ field in the outer IP header indicates whether the association is an AH or ESP security association. A. protocol identifier B. security parameter index C. IP destination address D. sequence path counter
A. protocol identifier
The ________ attack is designed to circumvent filtering rules that depend on TCP header information. A. tiny fragment B. address spoofing C. source routing D. bastion host
A. tiny fragment
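Added example (not from the card set): a Python model of a stateless packet filter, showing how the tiny fragment attack gets past a rule that depends on the TCP flags and how the RFC 1858 countermeasure (discard a first fragment too short to carry the fields the rules inspect, and any fragment with offset 1) stops it. The internal range 10.0.0.0/8, the interface names and the filter functions are assumptions made for the example; spoof_filter is included only to show that the anti-spoofing rule is a different control and does nothing against tiny fragments.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, List

SYN, ACK = 0x02, 0x10
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
TCP_MIN_FIRST_FRAGMENT = 16  # bytes of TCP header needed to see ports, seq, ack and flags


@dataclass
class Fragment:
    src_ip: str
    dst_ip: str
    proto: int          # 6 = TCP
    frag_offset: int    # IP fragment offset in 8-byte units, as in the IP header
    payload: bytes      # transport-layer bytes carried by this fragment
    iface: str = "ext"  # interface the fragment arrived on


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a 20-byte TCP header with no options (seq=1, ack=0, window=65535)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def split_fragments(pkt: Fragment, first_len: int) -> List[Fragment]:
    """Split one datagram's transport payload into two IP fragments; the second
    starts at byte first_len, which must be a multiple of 8."""
    assert first_len % 8 == 0
    head = Fragment(pkt.src_ip, pkt.dst_ip, pkt.proto, 0, pkt.payload[:first_len], pkt.iface)
    tail = Fragment(pkt.src_ip, pkt.dst_ip, pkt.proto, first_len // 8, pkt.payload[first_len:], pkt.iface)
    return [head, tail]


def naive_filter(f: Fragment) -> str:
    """Stateless rule: drop inbound TCP connection attempts (SYN without ACK) to port 23.
    Only the first fragment carries the TCP header; if it is too short to hold the
    flags byte the rule cannot match, so the fragment passes. That is the weakness."""
    if f.proto != 6 or f.iface != "ext" or f.frag_offset != 0:
        return "pass"
    if len(f.payload) < 14:            # the flags live in byte 13 of the TCP header
        return "pass"
    dport = struct.unpack("!H", f.payload[2:4])[0]
    flags = f.payload[13]
    if dport == 23 and (flags & SYN) and not (flags & ACK):
        return "drop"
    return "pass"


def spoof_filter(f: Fragment) -> str:
    """Anti-spoofing rule: an inside source address arriving on the external
    interface is dropped. This counters address spoofing, not tiny fragments."""
    if f.iface == "ext" and ipaddress.ip_address(f.src_ip) in INTERNAL_NET:
        return "drop"
    return "pass"


def tiny_fragment_filter(f: Fragment) -> str:
    """RFC 1858 countermeasures placed in front of the stateless rule."""
    if f.proto == 6 and f.iface == "ext":
        if f.frag_offset == 0 and len(f.payload) < TCP_MIN_FIRST_FRAGMENT:
            return "drop"   # first fragment cannot be inspected: discard it
        if f.frag_offset == 1:
            return "drop"   # offset 1 can only follow an 8-byte first fragment
    return naive_filter(f)


def run(policy: Callable[[Fragment], str], frags: List[Fragment]) -> List[str]:
    """Apply a filter policy to each fragment and return the verdicts."""
    return [policy(f) for f in frags]


if __name__ == "__main__":
    syn = Fragment("198.51.100.7", "10.0.0.5", 6, 0, tcp_header(40000, 23, SYN))
    print("whole SYN        :", run(naive_filter, [syn]))
    print("tiny fragments   :", run(naive_filter, split_fragments(syn, 8)))
    print("with RFC 1858    :", run(tiny_fragment_filter, split_fragments(syn, 8)))
```

The attacker's first fragment holds only the ports and sequence number; the flags arrive in the second fragment, which the stateless filter never inspects, and the destination host reassembles a complete SYN. Dropping the undersized first fragment is enough, since the host cannot reassemble without it.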
The most important symmetric algorithms, all of which are block ciphers, are the DES, triple DES, and the __________.
AES
__________ implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance.
Access Control
A(n) __________ is any entity that has station functionality and provides access to the distribution system via the wireless medium for associated stations.
Access point
System conditions requiring immediate attention is a(n) _______ severity.
Alert
A Botnet can use ____ for command-and-control. A. Email B. HTTP C. IRC D. All of the above
All of the above
A multilevel secure system for confidentiality must enforce:
All of the above
A wireless access point is a _______.
All of the above
A wireless client can be _______.
All of the above
Cryptographic systems are generically classified by _________.
All of the above
Data items to capture for a security audit trail include:
All of the above
Security concerns that result from the use of virtualized systems include ______.
All of the above
The copyright owner has which exclusive right(s)?
All of the above
The following steps should be used to secure an operating system:
All of the above
Which of the following need to be taken into consideration during the system security planning process?
All of the above
_____ can be copyrighted.
All of the above
______ is the recommended technique for wireless network security.
All of the above
Characteristics of APT include ____. A. Using zero-day exploit B. Low-and-slow C. Targeting high-value data D. All the above
All the above
Also referred to as single-key encryption, the universal technique for providing confidentiality for transmitted or stored data is _______________________.
symmetric encryption
How does an IPS differ from a firewall?
An IPS blocks traffic, as a firewall does, but makes use of the types of algorithms developed for IDSs.
What is an application-level gateway?
An application-level gateway, also called a proxy server, acts as a relay of application-level traffic.
The _____ is the IDS component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.
Analyzer
_____ involves the collection of data relating to the behavior of legitimate users over a period of time.
Anomaly Detection
________ is a function that removes specific identifying information from query results, such as last name and telephone number, but creates some sort of unique identifier so that analysts can detect connections between queries.
Anonymization
The ________ access mode allows the subject only write access to the object.
Append
_________ audit trails may be used to detect security violations within an application or to detect flaws in the application's interaction with the system.
Application-level
The ______ process retains copies of data over extended periods of time in order to meet legal and operational requirements.
Archive
________ is a process that ensures a system is developed and operated as intended by the system's security policy
Assurance
The ________ is a module that transmits the audit trail records from its local system to the centralized audit trail collector.
Audit Dispatcher
The ________ is a module on a centralized system that collects audit trail records from other systems and creates a combined audit trail.
Audit Trail Collector
The purposes of a security protocol include: __________.
Authentication, Key-Exchange, Negotiate crypto algorithms and parameters.
________ is the granting of a right or permission to a system entity to access a system resource.
Authorization
Ease of use
Avoid security that gets in the way
A company is considering two possible IDS solutions to reduce its exposure to attacks on its network. The first one costs $100K and reduces risk exposure by $150K. The second one costs $250K but reduces risk exposure by $500K. Which solution would you recommend? a. Cheaper solution that costs $100K b. More expensive solution that costs $250K
B. The first option reduces risk exposure by $150K - $100K = $50K net of its cost; the second by $500K - $250K = $250K, so the more expensive solution is the better investment.
An example of proactive security measure is... a. Making sure the company complies with all regulatory requirements b.Chief risk officer (CRO) of the company addressing cyber risk regularly at highest level (e.g., board) when other risks are discussed
B
Choose all tasks which asymmetric encryption is better: a. provide confidentiality of a message b. securely distribute a session key c. scalability
B & C
Select the statements that are true: a. The one-way hash function is important not only in message authentication, but also in digital signatures. b. SHA processes the input one block at a time, but each block goes through the same processing. c. HMAC is secure, provided that the embedded hash function has good cryptographic strengths, such as one-way and collision resistant.
B & C as recorded. Note that statement a is also true as written: this deck's own digital signature card defines a signature as a hash value encrypted with a private key, so the one-way hash function matters for both message authentication and digital signatures.
When using sensors which of the following is considered good practice? a. Set the IDS level to the highest sensitivity to detect every attack. b. Monitor both outbound and inbound traffic. c. Use a shared network resource to gather NIDS data. d. NIDS sensors are not turnkey solutions. System admins must interpret alerts.
B & D. Setting the IDS to the highest sensitivity to detect every attack may appear to be a good idea, but in practice it leads to a large number of false alarms. Monitoring both outbound and inbound traffic is good practice, because attack traffic flows in both directions. Using a shared network resource to gather NIDS data is not a good idea, because an attacker can disable the IDS or modify the alerts it sends. NIDS sensors are not turnkey solutions: a network IDS produces false positives, so system admins must interpret the alerts and take appropriate action.
Select all statements that are true: a. To decrypt using AES, just run the same algorithm in the same order of operations. b. Each operation or stage in AES is reversible. c. AES can support key length of 128, 192 and 256. d. AES is much more efficient than triple DES.
B, C, D
SHA-1 produces a hash value of _________ bits. A. 256 B. 160 C. 384 D. 180
B. 160
Public-key encryption was developed in the late _______. A. 1950s B. 1970s C. 1960s D. 1980s
B. 1970s
Which is the better way to prevent SQL injection? a. Use blacklisting to filter out "bad" input. b. Use whitelisting to allow only well-defined set of safe values.
B. Whitelisting. Blacklisting is very hard to implement, because there are many, many possible ways to inject malicious strings; that is, it is very hard to have a complete blacklist.
In a ______ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system. A. SYN flood B. DNS amplification C. poison packet D. UDP flood
B. DNS amplification
Attempts to slow down or completely shut down a target so as to disrupt the service for legitimate users. A. Scanning attack B. DOS C. Penetration Attack
B. DOS Disrupting the service is the same as Denial of Service.
___________ was the first published public-key algorithm. A. NIST B. Diffie-Hellman C. RC4 D. RSA
B. Diffie-Hellman
This backdoor is hard to detect because it modifies the machine code. A. Compiler backdoors B. Object backdoors C. Asymmetric backdoors
B. Object backdoors
__________ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder. A. Profile based detection B. Signature detection C. Threshold detection D. Anomaly detection
B. Signature detection
A _________ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control. a. packet filtering firewall b. distributed firewall c. boundary firewall d. VPN
B. distributed firewall. Typically, a distributed firewall includes stand-alone network firewalls, host-based firewalls, plus personal firewalls.
A _______ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control. A. packet filtering firewall B. distributed firewall C. personal firewall D. stateful inspection firewall
B. distributed firewall
On average, _________ of all possible keys must be tried in order to achieve success with a brute-force attack. A. one-fourth B. half C. two-thirds D. three-fourths
B. half
ESP supports two modes of use: transport and ________. A. padding B. tunnel C. payload D. sequence
B. tunnel
The ______ process makes copies of data at regular intervals for recovery of lost or corrupted data over short time periods.
Backup
The first critical step in securing a system is to secure the __________.
Base operating system
What is a DMZ network and what types of systems would you expect to find in such networks?
Between internal and external firewalls are one or more networked devices in a region referred to as a DMZ (demilitarized zone) network. Systems that are externally accessible but need some protections are usually located on DMZ networks. Typically, the systems in the DMZ require or foster external connectivity, such as a corporate Web site, an e-mail server, or a DNS (domain name system) server.
What is the difference between an internal and an external firewall?
An external firewall is placed at the edge of a local or enterprise network, just inside the boundary router that connects to the Internet or some wide area network (WAN). One or more internal firewalls protect the bulk of the enterprise network.
A _________ involves trying every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.
Brute-force attack
This backdoor can only be used by the person who created it, even if it is discovered by others. A. Compiler backdoors B. Object backdoors C. Asymmetric backdoors
C. Asymmetric backdoors
Which of the following scenarios require a security protocol: _________. A. log in to mail.google.com B. connecting to work from home using a VPN C. Both A and B
C. Both A and B
_______ is a list that contains the combinations of cryptographic algorithms supported by the client. A. Compression method B. Session ID C. CipherSuite D. All of the above
C. CipherSuite
_________ is a term that refers to the means of delivering a key to two parties that wish to exchange data without allowing others to see the key. A. Session key B. Subkey C. Key distribution technique D. Ciphertext key
C. Key distribution technique
_________ is a procedure that allows communicating parties to verify that received or stored messages are authentic. A. Cryptanalysis B. Decryption C. Message authentication D. Collision resistance
C. Message authentication
An attacker gains an unauthorized control of a system A. Scanning attack B. DOS C. Penetration Attack
C. Penetration Attack. The attacker has penetrated into the system.
For general-purpose stream-oriented transmission you would typically use _______ mode.
CFB
For general-purpose block-oriented transmission you would typically use _______ mode.
CTR
______ mode is typically used for a general-purpose block-oriented transmission and is useful for high-speed requirements.
CTR
The ________ is the government agency that monitors the evaluation process.
Certifier
______ systems should not run automatic updates because they may possibly introduce instability.
Change controlled
The _________ Model was developed for commercial applications in which conflicts of interest can arise.
Chinese Wall
If the analyst is able to get the source system to insert into the system a message chosen by the analyst, then a ________ attack is possible.
Chosen-plaintext
A _______ is a collection of requirements that share a common focus or intent.
Class
________ is when a new document consolidates information from a range of sources and levels so that some of that information is now classified at a higher level than it was originally
Classification creep
A hash function is referred to as _____ if it is computationally infeasible to find any pair (x,y) such that H(x) = H(y)
Collision resistant; strong collision resistant
_______ is a form of crime that targets a computer system to acquire information stored on that computer system, to control the target system without authorization or payment, or to alter the integrity of data or interfere with the availability of the computer or server.
Computers as targets
________ provide a means of adapting RBAC to the specifics of administrative and security policies in an organization.
Constraints
The success of cybercriminals, and the relative lack of success of law enforcement, influence the behavior of _______.
Cybercrime victims
_______ involves the collection of data relating to the behavior of legitimate users over a period of time. A. Profile based detection B. Signature detection C. Threshold detection D. Anomaly detection
D. Anomaly detection
Issued as RFC 2104, _________ has been chosen as the mandatory-to-implement MAC for IP Security. A. RSA B. SHA-3 C. DSS D. HMAC
D. HMAC
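Added example, not part of the card set: HMAC implemented from the RFC 2104 definition (inner and outer hashes with the key XORed against ipad and opad), checked against Python's hmac module, with a constant-time verify. The key and messages are constructed for the example. The plain_hash_tag function is there to show the point made elsewhere in this deck, that a hash function without a secret key is not a MAC: anyone can recompute it for a forged message.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as RFC 2104 defines it:
    H((K' xor opad) || H((K' xor ipad) || message)), where K' is the key padded
    with zeros to the hash's block size (hashed first if it is longer than that)."""
    block_size = hashlib.new(hash_name).block_size      # 64 bytes for SHA-1/SHA-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the hand-written HMAC against the standard library."""
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so a forger cannot learn the tag byte by byte
    from timing differences."""
    return hmac.compare_digest(hmac_rfc2104(key, message), tag)


def plain_hash_tag(message: bytes) -> bytes:
    """An unkeyed hash used as a 'tag'. It detects accidental corruption only:
    an attacker who changes the message simply recomputes it."""
    return hashlib.sha256(message).digest()


def verify_plain_hash(message: bytes, tag: bytes) -> bool:
    return plain_hash_tag(message) == tag


if __name__ == "__main__":
    key, msg = b"shared secret key", b"amount=100&to=alice"
    tag = hmac_rfc2104(key, msg)
    print("matches hmac module:", matches_stdlib(key, msg))
    print("tampered rejected  :", not verify_tag(key, b"amount=1000&to=alice", tag))
    forged = b"amount=1000&to=mallory"
    print("plain hash forged  :", verify_plain_hash(forged, plain_hash_tag(forged)))
```

The inner hash binds the key to the message; the outer hash is what prevents the length-extension trick that works against a bare H(key || message), which is why RFC 2104 uses two passes.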
The ____ defines the transport protocol. A. Destination IP address B. Source IP Address C. Interface D. IP protocol field
D. IP protocol field
The DSS makes use of the _______ and presents a new digital signature technique, the Digital Signature Algorithm (DSA). A. HMAC B. XOR C. RSA D. SHA-1
D. SHA-1
_______ are analogous to a burglar guessing a safe combination by observing how long it takes to turn the dial from number to number. A. Digital standards B. Mathematical attacks C. Ciphers D. Timing attacks
D. Timing attacks
A benefit of IPsec is _________. A. that it is below the transport layer and transparent to applications B. there is no need to revoke keying material when users leave the organization C. it can provide security for individual users if needed D. all of the above
D. all of the above
An IT security plan should include details of ________. A. risks B. recommended controls C. responsible personnel D. all of the above
D. all of the above
Cryptographic systems are generically classified by ________. A. the type of operations used for transforming plaintext to ciphertext B. the number of keys used C. the way in which the plaintext is processed D. all of the above
D. all of the above
IPsec can assure that ________. A. a router advertisement comes from an authorized router. B. a routing update is not forged. C. a redirect message comes from the router to which the initial packet was sent. D. all of the above.
D. all of the above.
The ______ is the IDS component that examines the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator. A. data source B. sensor C. operator D. analyzer
D. analyzer
A _________ gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. A. packet filtering B. stateful inspection C. application-level D. circuit-level
D. circuit-level
The most complex part of TLS is the _________. A. signature B. message header C. payload D. handshake protocol
D. handshake protocol
The purpose of a ________ is to produce a "fingerprint" of a file, message, or other block of data. A. secret key B. digital signature C. keystream D. hash function
D. hash function
A(n) _______ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. A. passive sensor B. analysis sensor C. LAN sensor D. inline sensor
D. inline sensor
Which of the following can only be accomplished using public key cryptography? A. Authentication B. encryption C. key-exchange D. non-repudiation
D. non-repudiation
A(n) ________ event is an alert that is generated when the gossip traffic enables a platform to conclude that an attack is under way.
DDI
The most widely used encryption scheme is based on the _________ adopted in 1977 by the National Bureau of Standards.
DES
_____ strengthens the protection of copyrighted materials in digital format.
DMCA
Typically the systems in the _____ require or foster external connectivity such as a corporate Web site, an email server, or a DNS server.
DMZ
In a ______ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system.
DNS amplification
What are examples of block cipher algorithms?
Data Encryption Standard (DES), triple DES, Advanced Encryption Standard (AES)
_________ identifies the level of auditing, enumerates the types of auditable events, and identifies the minimum set of audit-related information provided.
Data Generation
Transmitted data that is then stored locally is referred to as ________.
Data at Rest
List and describe some measures for dealing with inappropriate temperature and humidity?
Dealing with this problem is primarily a matter of having environmental-control equipment of appropriate capacity and appropriate sensors to warn of thresholds being exceeded. Beyond that, the principal requirement is the maintenance of a power supply.
The _________ is the encryption algorithm run in reverse.
Decryption algorithm
Fail-Safe Defaults
Default Deny
The Computer Fraud and Abuse Act was used to prosecute the creator of the Melissa virus and he was sentenced in federal prison and fined by using its provisions. What abuse was perpetrated by the Melissa virus? Choose the best answer. Data stored on computers was destroyed. Denial-of-service attacks that made computers unusable
Denial-of-service attacks that made computers unusable
The purpose of ______ algorithm is to enable two users to securely reach agreement about a shared secret that can be used as a secret key for subsequent symmetric encryption of messages
Diffie-Hellman Key Agreement
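Added example (not from the card set): the Diffie-Hellman agreement in Python, both parties computing the same shared secret from their private exponents and the peer's public value, then hashing it into a symmetric key. Parameter generation (a 64-bit safe prime p = 2q + 1 found with Miller-Rabin, generator 4) and the seeded random numbers are assumptions chosen so the example runs instantly and reproducibly; real deployments use 2048-bit or larger standard groups. The validate_public check rejects public values outside the order-q subgroup, which is the check a practitioner wants against small-subgroup attacks.

```python
import hashlib
import random
from typing import Optional, Tuple


def is_probable_prime(n: int, rng: Optional[random.Random] = None, rounds: int = 20) -> bool:
    """Trial division by small primes, then Miller-Rabin with random witnesses."""
    rng = rng or random.Random()
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_parameters(bits: int, seed: int) -> Tuple[int, int, int]:
    """Return (p, q, g): p = 2q + 1 is a safe prime of exactly `bits` bits and
    g = 4 = 2^2 is a quadratic residue, so it generates the subgroup of order q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            return p, q, 4


def validate_public(y: int, p: int, q: int) -> None:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup; otherwise a
    malicious peer can force the shared secret into a tiny set of values."""
    if not 1 < y < p - 1 or pow(y, q, p) != 1:
        raise ValueError("invalid Diffie-Hellman public value")


class Party:
    """One side of the exchange: keeps x secret and publishes y = g^x mod p."""

    def __init__(self, p: int, q: int, g: int, rng: random.Random):
        self.p, self.q = p, q
        self.x = rng.randrange(1, q)          # private exponent
        self.public = pow(g, self.x, p)       # sent to the peer in the clear

    def shared_key(self, peer_public: int) -> bytes:
        validate_public(peer_public, self.p, self.q)
        secret = pow(peer_public, self.x, self.p)   # (g^x')^x == (g^x)^x'
        width = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def make_party(p: int, q: int, g: int, seed: int) -> Party:
    return Party(p, q, g, random.Random(seed))


if __name__ == "__main__":
    p, q, g = dh_parameters(64, 7)
    alice, bob = make_party(p, q, g, 11), make_party(p, q, g, 22)
    print("keys agree:", alice.shared_key(bob.public) == bob.shared_key(alice.public))
```

An eavesdropper sees p, g and both public values but needs a discrete logarithm to recover either private exponent. The exchange alone does not authenticate the peers, which is why the security protocols on this page pair it with authentication.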
The most important changes needed to improve system security are to ______.
Disable services and applications that are not required
Briefly define the difference between DAC and MAC.
Discretionary access control (DAC) controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. This policy is termed discretionary because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource. Mandatory access control (MAC) controls access based on comparing security labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate system entities are eligible to access certain resources). This policy is termed mandatory because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource.
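Added example (not from the card set): the DAC and MAC distinction in Python. dac_allows consults an owner-managed ACL and dac_grant lets the owner pass a right on at its own discretion; mac_allows compares the subject's clearance with the object's label using the Bell-LaPadula rules for the read, append, write and execute modes defined in this deck. The level ordering, subjects and objects are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Linear ordering of security levels, lowest to highest (assumed for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str


@dataclass
class Object:
    name: str
    label: str
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # DAC: user -> modes


def mac_allows(subject: Subject, obj: Object, mode: str) -> bool:
    """Mandatory rules on labels vs clearances (Bell-LaPadula):
    read    (observe only)      : no read up,   clearance >= label
    append  (alter only)        : no write down, clearance <= label
    write   (observe and alter) : both, so clearance == label
    execute (neither)           : no label check"""
    s, o = LEVELS[subject.clearance], LEVELS[obj.label]
    return {"read": s >= o, "append": s <= o, "write": s == o, "execute": True}[mode]


def dac_allows(subject: Subject, obj: Object, mode: str) -> bool:
    """Discretionary: the owner, and whoever the owner listed in the ACL."""
    return subject.name == obj.owner or mode in obj.acl.get(subject.name, set())


def dac_grant(granter: Subject, obj: Object, grantee: str, mode: str) -> None:
    """Under DAC an owner may, by its own volition, enable another entity."""
    if granter.name != obj.owner:
        raise PermissionError(f"{granter.name} does not own {obj.name}")
    obj.acl.setdefault(grantee, set()).add(mode)


def allowed(subject: Subject, obj: Object, mode: str) -> bool:
    """With both policies enforced, a request must satisfy DAC and MAC;
    no owner grant can override the label comparison."""
    return dac_allows(subject, obj, mode) and mac_allows(subject, obj, mode)


if __name__ == "__main__":
    analyst = Subject("ana", "secret")
    clerk = Subject("cal", "unclassified")
    plan = Object("plan.doc", "secret", owner="ana")
    dac_grant(analyst, plan, "cal", "read")
    print("DAC lets the clerk read :", dac_allows(clerk, plan, "read"))
    print("MAC still denies it     :", not allowed(clerk, plan, "read"))
```

The last two lines are the whole difference: the owner's grant is honoured by DAC, but MAC denies the read because an unclassified clearance cannot observe a secret object, and nothing the owner does can change that.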
What architecture does a distributed denial of service attack typically use?
Distributed denial of service (DDoS) attack botnets typically use a control hierarchy, where a small number of systems act as handlers controlling a much larger number of agent systems, as shown in Figure 8.4. These have a number of advantages, as the attacker can send a single command to a handler, which then automatically forwards it to all the agents under its control. Automated infection tools can also be used to scan for and compromise suitable zombie systems.
DDoS
Distributed denial of service attack
A _____ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control.
Distributed firewall
A system used to interconnect a set of basic service sets and LANs to create an extended service set is a _________.
Distribution system
A ________ provides distribution channels, such as an online shop or a Web retailer.
Distributor
The wireless environment lends itself to a ______ attack because it is so easy for the attacker to direct multiple wireless messages at the target.
DoS
Four stages of viruses
Dormant phase; propagation phase (e.g. attachment to an e-mail); triggering phase; execution phase
The needs and policy relating to backup and archive should be determined ______.
During the system planning stage
The range of logging data acquired should be determined _______.
During the system planning stage
Voice pattern, handwriting characteristics, and typing rhythm are examples of
Dynamic biometrics
With _________ the linking to shared library routines is deferred until load time so that if changes are made any program that references the library is unaffected.
Dynamically Linked Shared Libraries
Which of the following could be considered an anomaly to typical network traffic? A. An IP address B. A port address C. Packet length D. Flag setting E. All of the above.
E. All of the above. An IP address that is not normally seen accessing the network, a port that is not normally accessed, a packet length that is unusual (for example, much longer than normal), or a flag setting that is not normally seen under the same traffic conditions can each be an anomaly. Any of these attributes is anomalous if it does not appear in normal operation of the network.
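Added example (not from the card set): the two detection approaches on this page run over constructed connection records. build_profile learns which source addresses, ports, flag settings and packet lengths are normal for each host from a baseline period, anomalies reports every attribute of a new record that departs from that profile (the four attributes from the question above), and signature_hits applies fixed attack patterns. The records, the field layout and the threshold k are assumptions made for the example; k is the knob that trades missed attacks for false alarms, which is why the alerts still need an admin to interpret them.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed baseline records for the example (not real traffic), one per line:
# time src_ip dst_ip dst_port bytes tcp_flags request
BASELINE = [
    "10:00:01 203.0.113.4 10.0.0.5 443 512 SA GET /index.html",
    "10:00:02 203.0.113.4 10.0.0.5 443 480 SA GET /about.html",
    "10:00:03 203.0.113.9 10.0.0.5 80 610 SA GET /news",
    "10:00:04 203.0.113.9 10.0.0.5 443 530 SA POST /login",
    "10:00:05 203.0.113.4 10.0.0.5 80 455 SA GET /img/logo.png",
    "10:00:06 203.0.113.9 10.0.0.5 443 590 SA GET /search?q=cats",
]

# Signature detection: patterns of known attacks, matched against the request.
SIGNATURES = [
    ("sqli-union", re.compile(r"(?i)\bunion\s+select\b")),
    ("path-traversal", re.compile(r"\.\./")),
    ("shellshock", re.compile(r"\(\)\s*\{")),
]


def parse(line: str) -> Dict[str, object]:
    t, src, dst, dport, size, flags, request = line.split(maxsplit=6)
    return {"time": t, "src": src, "dst": dst, "dport": int(dport),
            "bytes": int(size), "flags": flags, "request": request}


def build_profile(lines: List[str]) -> Dict[str, dict]:
    """Anomaly detection, step 1: learn what legitimate traffic to each host looks like."""
    profile = defaultdict(lambda: {"src": set(), "ports": set(), "flags": set(), "sizes": []})
    for r in map(parse, lines):
        p = profile[r["dst"]]
        p["src"].add(r["src"])
        p["ports"].add(r["dport"])
        p["flags"].add(r["flags"])
        p["sizes"].append(r["bytes"])
    return dict(profile)


def anomalies(profile: Dict[str, dict], line: str, k: float = 3.0) -> List[str]:
    """Step 2: report each attribute of a record that departs from the learned profile."""
    r = parse(line)
    p = profile.get(r["dst"])
    if p is None:
        return ["unknown-destination"]
    found = []
    if r["src"] not in p["src"]:
        found.append("new-source-ip")
    if r["dport"] not in p["ports"]:
        found.append("new-port")
    if r["flags"] not in p["flags"]:
        found.append("unusual-flags")
    mean, sd = statistics.mean(p["sizes"]), statistics.pstdev(p["sizes"])
    if abs(r["bytes"] - mean) > k * sd:        # k sets the false-alarm rate
        found.append("packet-length")
    return found


def signature_hits(line: str) -> List[str]:
    request = parse(line)["request"]
    return [name for name, rx in SIGNATURES if rx.search(request)]


def analyze(profile: Dict[str, dict], lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run both detectors; the output is a list of alerts for an admin, not verdicts."""
    alerts = []
    for i, line in enumerate(lines):
        for a in anomalies(profile, line):
            alerts.append((i, "anomaly", a))
        for s in signature_hits(line):
            alerts.append((i, "signature", s))
    return alerts


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for alert in analyze(prof, ["10:05:03 198.51.100.7 10.0.0.5 443 540 SA GET /items?id=1 UNION SELECT password FROM users"]):
        print(alert)
```

The SQL injection record above is caught twice, once by the signature and once because the source address is new; a SYN-only probe of port 23 produces three anomaly alerts and no signature hit, which is the case signature detection alone would miss.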
Which of the following modes would allow an attacker to know that the (plaintext of the) current message must be the same as one previously transmitted, because their ciphertexts are the same? A. CBC B. ECB C. CFB D. OFB
ECB
In July 1998, the ______ announced that it had broken a DES encryption using a special purpose "DES cracker" machine
Electronic Frontier Foundation (EFF)
The simplest approach to multiple-block encryption is known as _________ mode, in which plaintext is handled b bits at a time and each block of plaintext is encrypted using the same key.
Electronic codebook (ECB)
Cryptographic file systems are another use of _______.
Encryption
Why use a secret value?
Encryption software is slow, expensive, and optimized towards larger data sizes
The _________ is logic embedded into the software of the system that monitors system activity and detects security-related events that it has been configured to detect.
Event Discriminator
Complete Mediation - TCB Design
Every access must be checked; attempts to bypass the check must be prevented.
A DMZ is one of the internal firewalls protecting the bulk of the enterprise network.
F
A bot propagates itself and activates itself, whereas a worm is initially controlled from some central facility.
F
A buffer overflow error is not likely to lead to eventual program termination.
F
A macro virus infects executable portions of code.
F
A major disadvantage of the baseline risk assessment approach is the significant cost in time, resources, and expertise needed to perform the analysis.
F
A single countermeasure for SQLi attacks.
F
A user program executes in a kernel mode in which certain areas of memory are protected from the user's use and certain instructions may not be executed.
F
A view cannot provide restricted access to a relational database so it cannot be used for security purposes.
F
Activists are either individuals or members of an organized crime group with a goal of financial reward.
F
An attacker can generally determine in advance exactly where the targeted buffer will be located in the stack frame of the function in which it is defined.
F
An individual's signature is not unique enough to use in biometric application.
F
An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.
F
Anomaly detection is effective against misfeasors.
F
Assurance is the process of examining a computer product or system with respect to certain criteria.
F
Botnet command-and-control has to be centralized, e.g., using a server(s).
F
Buffer overflow exploits are no longer a major source of concern to security practitioners.
F
Business continuity consists of security services that allocate access, distribute, monitor, and protect the underlying resource services.
F
Computer attacks are considered crimes but do not carry criminal sanctions.
F
Contingency planning is a functional area that primarily requires computer security technical measures.
F
Cryptanalytic attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.
F
Detecting and reacting to incidents is not a function of IT security management.
F
Even though it is a high-level programming language, Java still suffers from buffer overflows because it permits more data to be saved into a buffer than it has space for.
F
External devices such as firewalls cannot provide access control services.
F
Fixed server roles operate at the level of an individual database.
F
For information systems, the role of logical security is to protect the physical assets that support the storage and processing of information.
F
High humidity does not pose a threat to electrical and electronic equipment as long as the computer's temperature stays within the optimal range.
F
Identification is the means of establishing the validity of a claimed identity provided by a user.
F
If we find that a botnet server is located in country X, we can be certain that criminals within country X control the botnet.
F
It is not critical that an organization's IT security policy have full approval or buy-in by senior management.
F
It is not possible to spread a virus via an USB stick.
F
Keylogging is a form of host attack.
F
Keyware captures keystrokes on a compromised system.
F
Like the MAC, a hash function also takes a secret key as input.
F
Low-intensity devices such as cell phones do not interfere with electronic equipment.
F
Memory cards store and process data.
F
Metamorphic code is software that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
F
Once the IT management process is in place and working the process never needs to be repeated.
F
One disadvantage of a packet filtering firewall is its simplicity.
F
Public-key algorithms are based on simple operations on bit patterns.
F
Security labels indicate which system entities are eligible to access certain resources.
F
Security mechanisms typically do not involve more than one particular algorithm or protocol.
F
Shellcode is not specific to a particular processor architecture.
F
Signature-based approaches attempt to define normal, or expected, behavior, whereas anomaly approaches attempt to define proper behavior.
F
Snort can perform intrusion prevention but not intrusion detection.
F
Software is an example of real property.
F
The "A" in CIA Triad stands for authenticity.
F
The Common Criteria specification is primarily concerned with the privacy of personal information concerning the individual rather than the privacy of an individual with respect to that individual's use of computer resources.
F
The IDS component responsible for collecting data is the user interface.
F
The advantage of a stream cipher is that you can reuse keys.
F
The assignment of responsibilities relating to the management of IT security and the organizational infrastructure is not addressed in a corporate security policy.
F
The authentication function determines who is trusted for a given purpose.
F
The cloud carrier is useful when cloud services are too complex for a cloud consumer to easily manage.
F
The countermeasure to tiny fragment attacks is to discard packets with an inside source address if the packet arrives on an external interface.
F
The direct flame is the only threat from fire.
F
The domain name of the command and control server of a botnet cannot be changed in the lifetime of the botnet because otherwise the bots cannot find the server.
F
The firewall can protect against attacks that bypass the firewall.
F
The optimal temperature for computer systems is between 10 and 32 degrees Fahrenheit.
F
The purpose of the DSS algorithm is to enable two users to securely reach agreement about a shared secret that can be used as a secret key for subsequent symmetric encryption of messages.
F
The successful use of law enforcement depends much more on technical skills than on people skills.
F
Threats are attacks carried out.
F
Traditional RBAC systems define the access rights of individual users and groups of users.
F
Triple DES takes plaintext block of 64 bits and a key of 56 bits to produce a ciphertext block of 64 bits.
F
Unlike a firewall, an IPS does not block traffic.
F
User authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic.
F
A DMZ is one of the internal firewalls protecting the bulk of the enterprise network.
FALSE
List and briefly describe the principal physical characteristics used for biometric identification.
Facial characteristics: Facial characteristics are the most common means of human-to-human identification; thus it is natural to consider them for identification by computer. The most common approach is to define characteristics based on the relative location and shape of key facial features, such as eyes, eyebrows, nose, lips, and chin shape. An alternative approach is to use an infrared camera to produce a face thermogram that correlates with the underlying vascular system in the human face.
Fingerprints: Fingerprints have been used as a means of identification for centuries, and the process has been systematized and automated particularly for law enforcement purposes. A fingerprint is the pattern of ridges and furrows on the surface of the fingertip. Fingerprints are believed to be unique across the entire human population. In practice, automated fingerprint recognition and matching systems extract a number of features from the fingerprint for storage as a numerical surrogate for the full fingerprint pattern.
Hand geometry: Hand geometry systems identify features of the hand, including shape, and lengths and widths of fingers.
Retinal pattern: The pattern formed by veins beneath the retinal surface is unique and therefore suitable for identification. A retinal biometric system obtains a digital image of the retinal pattern by projecting a low-intensity beam of visual or infrared light into the eye.
Iris: Another unique physical characteristic is the detailed structure of the iris.
Signature: Each individual has a unique style of handwriting, and this is reflected especially in the signature, which is typically a frequently written sequence. However, multiple signature samples from a single individual will not be identical. This complicates the task of developing a computer representation of the signature that can be matched to future samples.
Voice: Whereas the signature style of an individual reflects not only the unique physical attributes of the writer but also the writing habit that has developed, voice patterns are more closely tied to the physical and anatomical characteristics of the speaker. Nevertheless, there is still variation from sample to sample over time from the same speaker, complicating the biometric recognition task.
______ is intended to permit others to perform, show, quote, copy, and otherwise distribute portions of the work for certain purposes.
Fair Use
"Each block of 64 plaintext bits is encoded independently using the same key" is a description of the CBC mode of operation. True or false.
False
A macro virus infects executable portions of code.
False
A packet filtering firewall can decide if the current packet is allowed based on another packet that it has just examined.
False
AES uses a Feistel structure.
False
An attacker can generally determine in advance exactly where the targeted buffer will be located in the stack frame of the function in which it is defined.
False
An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device
False
Anomaly detection is effective against misfeasors.
False
Botnet command and control must be centralized( i.e. all bots communicate with a central server(s))
False
Cryptanalytic attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.
False
External attacks are the only threats to database security.
False
Firewalls can stop spyware being put on your system. True or False.
False
If the authentication option of ESP is chosen, message integrity code is computed before encryption. True or False.
False
If the sequence number in the IPsec header is greater than the largest number of the current anti-replay window the packet is rejected. True or False.
False
If we find that a botnet server is located in country X, we can be certain that criminals within country X control the botnet
False
In 2014 MS Windows (all versions combined) had more reported vulnerabilities than iOS. True or false
False
In Android, all apps have to be reviewed and signed by Google.
False
In Android, an app will never be able to get more permission than what the user has approved.
False
In IPSec, packets can be protected using ESP or AH but not both at the same time. True or False.
False
In iOS, an app can run its own dynamic, run-time generated code. True or false
False
It is a good idea to use sequentially increasing numbers as challenges in security protocols.
False
It is easy for the legitimate site to know if a request is really from the (human) user. True or False.
False
It is not possible to spread a virus via a USB stick
False
It is possible to write a compiler tool to check any C program and identify all possible buffer overflow bugs
False
Just like RSA can be used for signature as well as encryption, Digital Signature Standard can also be used for encryption.
False
Kerberos does not support inter-realm authentication.
False
SHA-1 is considered to be very secure.
False
SQL injection attacks only lead to information disclosure. True or False.
False
Since Android is open-source, each handset vendor can customize it, and this is good for security (hint: consider security updates).
False
Since TLS is for the transport layer, it relies on IPsec which is for the IP layer. True or False.
False
T/F All UNIX implementations will have the same variants of the syslog facility.
False
T/F Although important, security auditing is not a key element in computer security.
False
T/F An entire database such as a financial or personnel database cannot be maintained on a server with other files and still be classified as confidential or restricted
False
T/F An extended service set (ESS) is a set of stations controlled by a single coordination function.
False
T/F An object is said to have a security clearance of a given level.
False
T/F Any device that contains an IEEE 802.11 conformant MAC and physical layer is a basic service set.
False
T/F Audit trails are different from audit logs.
False
T/F Computer attacks are considered crimes but do not carry criminal sanctions.
False
T/F Data representing behavior that does not trigger an alarm cannot serve as input to intrusion detection analysis.
False
T/F If both sender and receiver use the same key the system is referred to as asymmetric.
False
T/F Lower layer security does not impact upper layers.
False
T/F Manual analysis of logs is a reliable means of detecting adverse events.
False
T/F Most large software systems do not have security weaknesses.
False
T/F One disadvantage of the link encryption approach is that the message must be decrypted each time it enters a frame switch.
False
T/F Passwords installed by default are secure and do not need to be changed.
False
T/F Plaintext is the scrambled message produced as output.
False
T/F Problems with providing strong computer security involve only the design phase.
False
T/F Stream ciphers are far more common than block ciphers.
False
T/F The Biba models deals with confidentiality and is concerned with unauthorized disclosure of information.
False
T/F The MAC service data unit contains any protocol control information needed for the functioning of the MAC protocol.
False
T/F The addition of multilevel security to a database system does not increase the complexity of the access control function.
False
T/F The association service enables transfer of data between a station on an IEEE 802.11 LAN and a station on an integrated IEEE 802.x LAN.
False
T/F The audit analyzer prepares human-readable security reports.
False
T/F The concerns for wireless security, in terms of threats, and countermeasures, are different to those found in a wired environment, such as an Ethernet LAN or a wired wide-area network.
False
T/F The purpose of the authentication phase is to maintain backward compatibility with the IEEE 802.11 state machine.
False
T/F The purpose of the system does not need to be taken into consideration during the system security planning process.
False
T/F You should run automatic updates on change-controlled systems.
False
The App Store review process can guarantee that no malicious iOS app is allowed into the store for download. True or false
False
The Diffie-Hellman key exchange is restricted to two party communication only. True or False.
False
The IT security management process ends with the implementation of controls and the training of personnel. True or false
False
The authenticators used in the requests to the KDC and to application servers can be omitted. True or False.
False
The default configuration for many operating systems usually maximizes security
False
The domain name(s) of the command and control server(s) of a botnet are pre-determined for the lifetime of the botnet
False
The security association specifies a two-way security arrangements between the sender and receiver. True or False.
False
The ticket-granting ticket is never expired.
False
Timing attacks are only applicable to RSA.
False
Using an input filter to block certain characters is an effective way to prevent SQL injection attacks. True or False.
False
With perfect forward secrecy, the IPSec SA keys are based on the IKE shared secret established in Phase I. True or False.
False
In order for Bob to verify Alice's public key, the certificate authority must be online. True or False.
False because as long as the users have the CA's public key, they can verify the certificate.
New threats can be detected immediately. True or false.
False because a misuse detection (signature-based) system can only detect attacks that match patterns or rules of known intrusions.
Assuming that Alice and Bob have each other's public key. In order to establish a shared session key, Alice just needs to generate a random k, encrypt k using Bob's public key, and send the encrypted k to Bob and then Bob will know he has a key shared with Alice.
False, I wouldn't know it is Alice.
A Honeypot can be a workstation that a user uses for work. True or False.
False, because a Honeypot is not a real system used by any real user.
Signature-based approaches attempt to define normal, or expected, behavior, whereas anomaly approaches attempt to define proper behavior. True or False.
False, because a signature based approach is typically used to represent known intrusion patterns.
Each fragment must not share a common fragment identification number. True or False.
False, because each fragment of the same IP packet must share the same identification number.
Even if the browser is compromised, the rest of the computer is still secure. True or False.
False, because if a browser is compromised, it can lead to malware installation on the computer.
Those who hack into computers do so for the thrill of it or for status. True or false.
False, because it only describes some attackers. But there are many attackers who attack computers for other reasons, for example, for illicit financial gains.
Cryptanalysis attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. True or False.
False, because what is described here is actually a brute-force attack, where the attacker searches all possible keys until the ciphertext is translated into intelligible plaintext. Cryptanalytic attacks instead use knowledge of the algorithm or of the plaintext, such as the frequency of letters, in order to break a scheme. In other words, a cryptanalytic attack typically does not need to try every possible key.
Cookies are compiled pieces of code. True or False
False, cookies are plain text, they are not compiled code.
Activists are either individuals or members of an organized crime group with a goal of financial reward. True or false.
False, instead of financial motives, activists typically have a social or political cause.
Cookies can be used as a form of virus. True or False.
False, since cookies are not compiled code, they cannot be used as a virus.
Symmetric encryption can only be used to provide confidentiality. True or False.
False, symmetric encryption can be used for other security services. For example, it can be used for authentication. Suppose Alice and Bob share a secret. Then Alice can use the shared secret as the key, encrypt a message with a symmetric encryption algorithm, and send the message to Bob to prove that she is Alice.
Firewalls can stop internet traffic that appears from a legitimate source. True or False.
False.
Firewalls can stop viruses and worms that are spread through email. True or False.
False.
The challenge values used in an authentication protocol can be repeatedly used in multiple sessions. True or False.
False.
There's no benefit of deploying a network IDS or Honeypot outside of the external firewall. True or False.
False. Using a network IDS or Honeypot outside of the external firewall will allow us to see what attacks are coming from Internet to the enterprise network. In the case of Honeypot, because attacks are trapped in the Honeypot, it reduces the amount of traffic that the firewall has to process. In other words, the firewall does not need to produce as many alerts.
The fragment does not need to know whether more fragments follow this one. True or False
False. Because each fragment must know whether there are more fragments to follow.
The purpose of the DSS algorithm is to enable two users to securely reach agreement about a shared secret that can be used as a secret key for subsequent symmetric encryption of messages.
False; Unlike RSA, it cannot be used for encryption or key exchange.
Triple DES takes a plaintext block of 64 bits and a key of 56 bits to produce a ciphertext block of 64 bits.
False; that's DES
__________ is the first function in the propagation phase for a network worm
Fingerprinting
There are _____ modes of operation defined by NIST that are intended to cover virtually all the possible applications of encryption for which a block cipher could be used.
Five
Issued as RFC 2104, _____ has been chosen as the mandatory-to-implement MAC for IP security.
HMAC
What is a honeypot?
Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems.
A _____ monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
Host-based IDS
Describe the difference between a host-based IDS and a network-based IDS.
Host-based IDS: monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
Network-based IDS: monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.
The _____ defines the transport protocol.
IP Protocol Field
If the only form of attack that could be made on an encryption algorithm is brute-force, then the way to counter such attacks would be to __________ .
use longer keys
Describe the general concept of a challenge-response protocol.
In general terms, a challenge-response protocol functions as follows. A user attempts to log on to a server. The server issues some sort of challenge that the user must respond to in order to be authenticated.
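As an added example (not from the original page), the following Python sketch shows one concrete form of this protocol: the server issues a random, single-use nonce; the client answers with an HMAC of the nonce under a pre-shared key; the server recomputes the HMAC and compares in constant time. The shared key and the in-memory Server class are assumptions for the illustration. It also shows why challenges must be unpredictable and never reused: a captured (challenge, response) pair replayed against the server is rejected because the nonce is consumed on first use.

```python
import hashlib
import hmac
import secrets

# Pre-shared secret provisioned out of band (constructed for this example).
SHARED_KEY = b"example-shared-secret-not-for-production"


class Server:
    """Issues one-time random challenges and verifies keyed responses."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        # 16 bytes from the OS CSPRNG. Never a counter or timestamp: a
        # predictable challenge lets an attacker precompute or replay answers.
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown, expired, or already-used challenge
        self._outstanding.discard(challenge)  # single use: defeats replay
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, challenge: bytes) -> bytes:
    """Client proves key possession without ever sending the key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def run_protocol(server: Server, key: bytes) -> bool:
    """One honest exchange: challenge -> response -> verify."""
    c = server.challenge()
    return server.verify(c, client_respond(key, c))


def replay_rejected(server: Server, key: bytes) -> bool:
    """An eavesdropper replays a captured pair; only the first use succeeds."""
    c = server.challenge()
    r = client_respond(key, c)
    first = server.verify(c, r)
    second = server.verify(c, r)  # replay of the same challenge/response
    return first and not second


def wrong_key_rejected(server: Server) -> bool:
    """A client without the shared key cannot produce a valid response."""
    c = server.challenge()
    return not server.verify(c, client_respond(b"wrong-key", c))


if __name__ == "__main__":
    print("honest login ok:", run_protocol(Server(SHARED_KEY), SHARED_KEY))
    print("replay rejected:", replay_rejected(Server(SHARED_KEY), SHARED_KEY))
    print("wrong key rejected:", wrong_key_rejected(Server(SHARED_KEY)))
```

A real deployment would also expire outstanding challenges after a short timeout and bind the response to the session (for example, by including a server identity in the HMAC input) so a response to one server cannot be relayed to another.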
Virus
Infects a program by modifying it; copies itself into the program in order to spread.
___________ is the process of performing authorized queries and deducing unauthorized information from the legitimate responses received
Inference
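An added example (not from the original page) of inference against a statistical database, using Python's built-in sqlite3 with constructed, invented salary data. The only "authorized" query is an aggregate SUM over a department, and the database refuses aggregates over fewer than three rows (an assumed policy). A tracker attack still recovers one person's salary from the difference of two legitimate sums.

```python
import sqlite3

MIN_QUERY_SET = 3  # assumed policy: refuse aggregates over fewer than 3 rows


def build_db() -> sqlite3.Connection:
    """In-memory employee table with constructed, invented data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee (name TEXT, dept TEXT, salary INTEGER)")
    con.executemany(
        "INSERT INTO employee VALUES (?, ?, ?)",
        [("Alice", "eng", 120000), ("Bob", "eng", 95000),
         ("Carol", "eng", 105000), ("Dave", "eng", 88000),
         ("Eve", "ops", 70000), ("Frank", "ops", 82000)],
    )
    return con


def authorized_sum(con: sqlite3.Connection, dept: str, exclude=None) -> int:
    """The only query a user may run: SUM(salary) over a department,
    optionally excluding one named employee. Refused if the query set is
    smaller than MIN_QUERY_SET."""
    if exclude is None:
        where, params = "dept = ?", (dept,)
    else:
        where, params = "dept = ? AND name <> ?", (dept, exclude)
    (n,) = con.execute(
        f"SELECT COUNT(*) FROM employee WHERE {where}", params).fetchone()
    if n < MIN_QUERY_SET:
        raise PermissionError("query set too small")
    (total,) = con.execute(
        f"SELECT SUM(salary) FROM employee WHERE {where}", params).fetchone()
    return total


def infer_salary(con: sqlite3.Connection, dept: str, target: str) -> int:
    """Tracker attack: two authorized aggregates whose difference is one row.
    Both query sets are large enough to pass the size check, yet the
    attacker learns an individual value the policy meant to protect."""
    return authorized_sum(con, dept) - authorized_sum(con, dept, exclude=target)


def small_set_refused(con: sqlite3.Connection, dept: str) -> bool:
    """The size check alone does stop the naive direct query."""
    try:
        authorized_sum(con, dept)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    con = build_db()
    print("ops (2 rows) refused:", small_set_refused(con, "ops"))
    print("Alice's salary inferred:", infer_salary(con, "eng", "Alice"))
```

Query-set-size limits are necessary but not sufficient; defenses such as query auditing (detecting overlapping query sets), perturbation of results, or de-identification of the underlying data address the inference channel itself.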
A(n) _____ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
Inline Sensor
__________ is a defence against SQL Injection attacks
Input validation
________ are among the most difficult to detect and prevent.
Insider attacks
Any intangible asset that consists of human knowledge and ideas is _______.
Intellectual Property
Economy-TCB Design
Keep trusted code as small as possible; a small TCB is easier to analyze and test.
________ is a term that refers to the means of delivering a key to two parties that wish to exchange data without allowing others to see the key. A. Session key B. Subkey C. Key distribution technique D. Ciphertext key
Key distribution technique
The _________ module analyzes LAN traffic and reports the results to the central manager.
LAN monitor agent
OSI Model:
Layer 7, the application layer: the layer at which communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. (This layer is not the application itself, although some applications may perform application-layer functions.)
Layer 6, the presentation layer: a layer, usually part of an operating system, that converts incoming and outgoing data from one presentation format to another (for example, from a text stream into a popup window with the newly arrived text). Sometimes called the syntax layer.
Layer 5, the session layer: sets up, coordinates, and terminates conversations, exchanges, and dialogs between the applications at each end. It deals with session and connection coordination.
Layer 4, the transport layer: manages the end-to-end control (for example, determining whether all packets have arrived) and error checking. It ensures complete data transfer.
Layer 3, the network layer: handles the routing of the data (sending it in the right direction to the right destination on outgoing transmissions and receiving incoming transmissions at the packet level). The network layer does routing and forwarding.
Layer 2, the data-link layer: provides synchronization for the physical level and does bit-stuffing for strings of 1's in excess of 5. It furnishes transmission protocol knowledge and management.
Layer 1, the physical layer: conveys the bit stream through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier.
Examples by layer:
7 - e-mail, web services, file transfer
6 - SMTP, HTTP, HTTPS, FTP
5 - port 25, port 80 & 443, port 21 & 20
4 - TCP vs UDP
3 - IPv6 vs IPv4
2 - Ethernet, 802.11, 802.2, SLIP/PPP etc.
1 - physical cable: Cat 5 vs coax vs fiber, or ATM vs FDDI
TCB Design Principles
Least Privilege Economy Open Design Complete Mediation Fail-safe defaults Ease of Use
Cyber insurance is still not very popular. Based on a 2014 survey, what percentage of customers of major insurance brokers were interested in buying cyber insurance? (see the instructor notes for a link to the survey) Less than 25% Over 50%
Less than 25%
Which of the following scenario requires a security protocol:
Log in to mail.google.com
The function of the ________ layer is to control access to the transmission medium and to provide an orderly and efficient use of that capacity.
MAC
__________ controls access based on comparing security labels with security clearances.
Mandatory Access Control
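As an added example (not from the original page), the following Python code makes the label-versus-clearance comparison concrete. A label is a hierarchical level plus a set of need-to-know categories; one label dominates another only if its level is at least as high and its category set is a superset. The level names and the two rules implemented (no read up, no write down, i.e. the Bell-LaPadula simple security property and *-property) are the example's own choices.

```python
# Hierarchical sensitivity levels (names assumed for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    """A security label: a level plus a set of need-to-know categories.
    The same structure serves as an object's classification and as a
    subject's clearance; MAC compares the two."""

    def __init__(self, level: str, categories=()):
        self.level = LEVELS[level]
        self.categories = frozenset(categories)

    def dominates(self, other: "Label") -> bool:
        # Partial order, not a total one: a label can be higher in level yet
        # fail to dominate because it lacks a category the other label has.
        return (self.level >= other.level
                and self.categories >= other.categories)

    def __repr__(self) -> str:
        name = next(k for k, v in LEVELS.items() if v == self.level)
        return f"Label({name!r}, {sorted(self.categories)})"


def can_read(clearance: Label, classification: Label) -> bool:
    """Simple security property (no read up): the subject's clearance
    must dominate the object's classification."""
    return clearance.dominates(classification)


def can_write(clearance: Label, classification: Label) -> bool:
    """*-property (no write down): the object's classification must
    dominate the subject's clearance, so data cannot leak downward."""
    return classification.dominates(clearance)


def decide(clearance: Label, classification: Label, op: str) -> bool:
    """Reference-monitor style entry point: every access goes through here."""
    if op == "read":
        return can_read(clearance, classification)
    if op == "write":
        return can_write(clearance, classification)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    analyst = Label("secret", {"nuclear"})
    for obj in (Label("confidential"), Label("secret", {"crypto"}),
                Label("top secret", {"nuclear"}), Label("unclassified")):
        print(analyst, "->", obj,
              "read:", decide(analyst, obj, "read"),
              "write:", decide(analyst, obj, "write"))
```

Note the asymmetry with DAC: the subject's own wishes play no part; the decision is a function of the two labels alone, which is what makes the policy mandatory.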
A ________ model is used to establish transition probabilities among various states.
Markov process
________ attacks have several approaches, all equivalent in effort to factoring the product of two primes. A. Mathematical B. Brute-force C. Chosen ciphertext D. Timing
Mathematical
Public-key algorithms are based on ______ _______ rather than on ____________, such as are used in symmetric encryption algorithms.
Mathematical functions; simple operations on bit patterns
Model checking
Mathematical proof of correctness. Exponential time and space worst case complexity
Select three operating systems with the most vulnerabilities in 2014. Is it Mac OS X, iOS, Linux, Microsoft Windows Server, Microsoft Windows Vista, Microsoft Windows 7, or Microsoft Windows 8?
Mac OS X, iOS, Linux
Modes of operation are the alternative techniques that have been developed to increase the security of symmetric block encryption for large sequences of data. True or False
T
An example of a __________ attack is one in which bogus reconfiguration commands are used to affect routers and switches to degrade network performance.
Network injection
A _____ monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.
Network-based IDS
Windows allows the system user to enable auditing in _______ different categories.
Nine
Chief Information Security Officer, or CISO sometimes also called CSO, Chief Security Officer, is the executive who is responsible for information security in a company. If you think Target had a CISO when the leaks happened, say yes. Otherwise you say no.
No
Several people have argued about the overly general and vague language of the CFAA. For example, how exactly is unauthorized access defined? In one case, a company sued its competitor because the competitor's employees created a trial subscription and downloaded data that was available to its subscribers. Do you think this is violation of unauthorized access? Choose the best answer. No, the data was publicly available Yes, because it potentially can cause financial loss to the company that sued its competition.
No, the data was publicly available
Which of the following feature can only be provided by public-key cryptography? A. Confidentiality protection B. Integrity protection C. Non-repudiation D. None of the above
Non-repudiation
For stream-oriented transmission over noisy channel you would typically use _______ mode.
OFB
On average, __________ of all possible keys must be tried in order to achieve success with a brute-force attack.
half
What are two common techniques used to protect a password file?
One technique is to restrict access to the password file using standard access control measures. Another technique is to force users to select passwords that are difficult to guess.
What is an alternative to the message authentication code?
One-way hash function
Cyber crime is a big problem. According to a recent report, what is an estimate of the cost of cybercrime for the United States? Ten billion dollars Over hundred billion dollars
Over hundred billion dollars
List and define the three classes of subject in an access control system
Owner: This may be the creator of a resource, such as a file. For system resources, ownership may belong to a system administrator. For project resources, a project administrator or leader may be assigned ownership.
Group: In addition to the privileges assigned to an owner, a named group of users may also be granted access rights, such that membership in the group is sufficient to exercise these access rights. In most schemes, a user may belong to multiple groups.
World: The least amount of access is granted to users who are able to access the system but are not included in the categories owner and group for this resource.
9.8 What are the differences among the firewalls of figure 9.1?
Packet filtering firewall: Applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
Stateful inspection firewall: Tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, as shown in Table 9.2. There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.
Application proxy firewall: Acts as a relay of application-level traffic (Figure 9.1d). The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. Further, the gateway can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features.
Circuit-level proxy firewall: As with an application gateway, a circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.
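An added example (not from the original page, and not any real firewall's code) contrasting the first two firewall types above in Python. The stateless filter judges each packet on its own header fields, so to let replies to internal clients back in it has to open every high-numbered port to any inbound packet that merely sets ACK; the stateful filter records outbound connections and admits inbound high-port traffic only when it matches one of them. Addresses, the internal web server, and the packet model are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP/IP header fields a filter looks at (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    direction: str  # "in" (arriving from the Internet) or "out" (from inside)


WEB_SERVER = "10.0.0.80"  # assumed internal server allowed to receive port 80


def stateless_filter(pkt: Packet) -> bool:
    """Packet filtering firewall: a per-packet rule set, no memory of
    earlier packets."""
    if pkt.direction == "out":
        return True
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return True
    # Replies to internal clients arrive on ephemeral ports, so the rule set
    # must admit inbound ACK traffic to any high port. The ACK flag is under
    # the sender's control, so this rule is trivially satisfied by a probe.
    if pkt.dport >= 1024 and pkt.ack:
        return True
    return False


class StatefulFilter:
    """Stateful inspection firewall: a directory of outbound TCP connections."""

    def __init__(self):
        # (inside host, inside port, outside host, outside port)
        self.connections = set()

    def check(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.syn and not pkt.ack:  # inside host opens a new connection
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dst == WEB_SERVER and pkt.dport == 80:
            return True
        # Inbound high-port traffic passes only if it answers a connection
        # that an inside host actually initiated.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def demo() -> dict:
    """Run one legitimate reply and one unsolicited probe through both filters."""
    fw = StatefulFilter()
    outbound = Packet("10.0.0.5", 40000, "203.0.113.9", 443,
                      syn=True, ack=False, direction="out")
    reply = Packet("203.0.113.9", 443, "10.0.0.5", 40000,
                   syn=True, ack=True, direction="in")
    probe = Packet("198.51.100.7", 443, "10.0.0.5", 40001,
                   syn=False, ack=True, direction="in")  # ACK set, no handshake
    fw.check(outbound)
    return {
        "reply_stateless": stateless_filter(reply),
        "reply_stateful": fw.check(reply),
        "probe_stateless": stateless_filter(probe),
        "probe_stateful": fw.check(probe),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'allow' if v else 'drop'}")
```

The probe is exactly the kind of traffic behind the "established" heuristic's weakness: a stateless filter cannot tell a reply from an attacker's ACK-flagged scan of an internal host, because, as noted above, it cannot base its decision on a packet it saw earlier.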
What is the difference between passive and active security threats?
Passive attacks have to do with eavesdropping on, or monitoring, transmissions. Electronic mail, file transfers, and client/server exchanges are examples of transmissions that can be monitored. Active attacks include the modification of transmitted data and attempts to gain unauthorized access to computer systems.
What are two other applications for which hash functions are used?
Passwords: store the hash of a password rather than the password itself. Intrusion detection: store H(F) for each file, then recompute and compare to see whether the file has been tampered with.
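Both applications above, and the password-file protection question earlier on this page, are illustrated by the following added Python example (not from the original page). For passwords it stores a per-user random salt and a slow PBKDF2-HMAC-SHA256 digest and verifies with a constant-time compare, so a stolen password file yields no passwords directly and identical passwords do not produce identical records. For integrity it builds a manifest of SHA-256 digests and later reports changed, missing and added files. The iteration count and the in-memory "filesystem" are constructed for the example.

```python
import hashlib
import hmac
import secrets

# --- Application 1: password storage -----------------------------------------

def make_password_record(password: str, iterations: int = 100_000) -> dict:
    """Store salt + slow keyed hash, never the password. The iteration count
    is an assumed value; tune it to your hardware."""
    salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# --- Application 2: file integrity for intrusion detection -------------------

def build_manifest(files: dict) -> dict:
    """files maps path -> contents (bytes). Returns path -> hex SHA-256 H(F)."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in files.items()}


def check_manifest(manifest: dict, files: dict) -> dict:
    """Compare the current file set against the stored manifest."""
    changed = [p for p in manifest if p in files
               and hashlib.sha256(files[p]).hexdigest() != manifest[p]]
    missing = [p for p in manifest if p not in files]
    added = [p for p in files if p not in manifest]
    return {"changed": sorted(changed), "missing": sorted(missing),
            "added": sorted(added)}


# Constructed in-memory "filesystem" snapshots (not real files).
BASELINE = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/usr/bin/login": b"\x7fELF...original login binary...",
}
TAMPERED = {
    # an extra UID-0 account appended
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"
                   b"backdoor:x:0:0::/:/bin/sh\n",
    "/usr/bin/login": BASELINE["/usr/bin/login"],
    "/tmp/.rootkit": b"...",
}


if __name__ == "__main__":
    rec = make_password_record("correct horse battery staple")
    print("right password:", verify_password(rec, "correct horse battery staple"))
    print("wrong password:", verify_password(rec, "Tr0ub4dor&3"))
    manifest = build_manifest(BASELINE)
    print("clean check:", check_manifest(manifest, BASELINE))
    print("after tampering:", check_manifest(manifest, TAMPERED))
```

The manifest is only as trustworthy as its storage: an attacker who can rewrite the file can also rewrite its recorded hash, so keep the manifest on read-only media or protect it with a MAC or signature, and combine it with the access-control restrictions on the password file mentioned above.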
A _______ for an invention is the grant of a property right to the inventor.
Patent
A ________ is a key used between entities for the purpose of distributing session keys.
Permanent Key
Personal effects, moveable property and goods, such as cars, bank accounts, wages, securities, a small business, furniture, insurance policies, jewelry, patents, and pets are all examples of _________.
Personal Property
To defend against database inference attacks, we can apply
Perturbation, de-identification, anonymization
________ is the original message or data that is fed into the encryption process as input. A. Plaintext B. Encryption algorithm C. Decryption algorithm D. Ciphertext
Plaintext
The first step in deploying new systems is _________.
Planning
Inserting a new row at a lower level without modifying the existing row at the higher level is known as ________ .
Polyinstantiation
A ________ is a secret key shared by the AP and a STA and installed in some fashion outside the scope of IEEE 802.11i.
Pre-shared key
List and describe some measures for dealing with water damage.
Prevention and mitigation measures for water threats must encompass the range of such threats. For plumbing leaks, the cost of relocating threatening lines is generally difficult to justify. With knowledge of the exact layout of water supply lines, measures can be taken to locate equipment sensibly. The location of all shutoff valves should be clearly visible or at least clearly documented, and responsible personnel should know the procedures to follow in case of emergency. To deal with both plumbing leaks and other sources of water, sensors are vital. Water sensors should be located on the floor of computer rooms, as well as under raised floors, and should cut off power automatically in the event of a flood.
_______________ assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
Privacy
The DMCA includes exclusions for researchers but companies have threatened to sue researchers who wanted to publish work related to circumvention of anti-piracy technologies. Which of these is an example of such a threat under DMCA? a. Prof. Ed Felten's research on audio watermarking removal by RIAA; b. A research project done by MIT students that found vulnerabilities in the Boston Massachusetts Bay Transit Authority (MBTA).
Prof. Ed Felten's research on audio watermarking removal by RIAA
US-CERT follows a responsible disclosure process for vulnerabilities reported to it. Such a process must... a. Make the vulnerability information available to everyone who may be affected by it immediately; b. Provide a certain period of time for the vendor of the vulnerable system to develop a patch.
Provide a certain period of time for the vendor of the vulnerable system to develop a patch.
The ___________ is a pair of keys that have been selected so that if one is used for encryption, the other is used for decryption.
Public and private key
Diffie and Hellman
Public-key encryption was first publicly proposed by _________________ in 1976.
_________ is a document that describes the application level protocol for exchanging data between intrusion detection entities.
RFC4767
__________ is a block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n.
RSA
Asymmetric Encryption Algorithms
RSA (Rivest, Shamir, Adleman), Diffie Hellman Key Agreement, Digital Signature Standard, Elliptic Curve Cryptography
________ is a block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n.
RSA
The final form of the 802.11i standard is referred to as ________.
RSN
_____________ is malware that encrypts the user's data and demands payment in order to access the key needed to recover the information.
Ransomware
Land and things permanently attached to the land, such as trees, buildings, and stationary mobile homes are _______.
Real Property
Rootkit
Resides in the operating system, modifying OS code and data structures. Helps user-level malware (e.g., hiding it from 'ls' or 'ps').
A __________ is a named job function within the organization that controls this computer system.
Role
The DSS makes use of the _____ and presents a new digital signature technique, the Digital Signature Algorithm (DSA).
SHA-1
B
SHA-1 produces a hash value of __________ bits. A. 256 B. 160 C. 384 D. 180
160
SHA-1 produces a hash value of _______ bits.
______ software is a centralized logging software package similar to, but much more complex than, syslog.
SIEM
The _______ module performs end-to-end encryption and obtains session keys on behalf of users.
SSM
Clark-Wilson Policy
The same user cannot execute two programs that require separation of duty.
__________ data are data that may be derived from corporate data but that cannot be used to discover the corporation's identity.
Sanitized
__________ data are data that may be derived from corporate data but that cannot be used to discover the corporation's identity.
Sanitized
The exact substitutions and transformations performed by the algorithm depend on the ________.
Secret Key
Trap door
Secret entry point to a program or system
The most widely used hash function has been the _____.
Secure Hash Algorithm SHA
Open Design - TCB Design
Security by obscurity doesn't work
The ________ control the manner by which a subject may access an object.
Security classes
Security classes are referred to as __________.
Security levels
Describe the three logical components of an IDS.
Sensors: Sensors are responsible for collecting data. The input for a sensor may be any part of a system that could contain evidence of an intrusion. Types of input to a sensor include network packets, log files, and system call traces. Sensors collect and forward this information to the analyzer. Analyzers: Analyzers receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion occurred. The analyzer may provide guidance about what actions to take as a result of the intrusion. User interface: The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a manager, director, or console component.
_____ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.
Signature Detection
________ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder
Signature detection
In general terms, what are four means of authenticating a user's identity?
Something the individual knows: Examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions. Something the individual possesses: Examples include electronic keycards, smart cards, and physical keys. This type of authenticator is referred to as a token. Something the individual is (static biometrics): Examples include recognition by fingerprint, retina, and face. Something the individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.
What information is used by a typical packet filtering firewall?
Source IP address: The IP address of the system that originated the IP packet. Destination IP address: The IP address of the system the IP packet is trying to reach. Source and destination transport-level address: The transport level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET. IP protocol field: Defines the transport protocol. Interface: For a router with three or more ports, which interface of the router the packet came from or which interface of the router the packet is destined for.
______________ are used to send large volumes of unwanted email.
Spammer programs
What is the difference between anomaly detection and signature intrusion detection?
Statistical anomaly detection involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior. Signature intrusion detection involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
In 2014, the European Court of Justice ruled that EU citizens have the "right to be forgotten" on the Internet. For example, Google must not return links to information that can be shown to be "inaccurate, inadequate, irrelevant or excessive". Which one of the following is an example of information that Google decided not to return as a search result to meet the ECJ ruling? Choose the best answer. a. Story about criminal conviction that was quashed on an appeal b. A doctor requesting removal of links to newspaper stories about botched procedures performed by him
Story about criminal conviction that was quashed on an appeal
T
Symmetric encryption is used primarily to provide confidentiality. True or False
___________ assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
System integrity
A Trojan horse is an apparently useful program containing hidden code that, when invoked, performs some harmful function.
T
A common location for a NIDS sensor is just inside the external firewall.
T
A constraint is a defined relationship among roles or a condition related to roles.
T
A firewall can serve as the platform for IPSec.
T
A foreign key value can appear multiple times in a table.
T
A good technique for choosing a password is to use the first letter of each word of a phrase.
T
A logic bomb is the event or condition that determines when the payload is activated or delivered.
T
A logical means of implementing an IPSec is in a firewall.
T
A major advantage of the informal approach is that the individuals performing the analysis require no additional skills.
T
A message authentication code is a small block of data generated by a secret key and appended to a message.
T
A packet filtering firewall is typically configured to filter packets going in both directions.
T
A person that becomes statically charged can damage electronic equipment by an electric discharge.
T
A prime disadvantage of an application-level gateway is the additional processing overhead on each connection.
T
A query language provides a uniform interface to the database.
T
A servicemark is the same as a trademark except that it identifies and distinguishes the source of a service rather than a product.
T
A smart card contains an entire microprocessor.
T
A stack overflow can result in some form of denial-of-service attack on a system.
T
A threat may be either natural or human made and may be accidental or deliberate.
T
A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context.
T
A user may belong to multiple groups.
T
A virus that attaches to an executable program can do anything that the program is permitted to do.
T
Access control is the central element of computer security.
T
An ABAC model can define authorizations that express conditions on properties of both the resource and the subject.
T
An IDS is a set of automated tools designed to detect unauthorized access to a host system.
T
An IPS incorporates IDS functionality but also includes mechanisms designed to block traffic from intruders.
T
An access right describes the way in which a subject may access an object.
T
An attacker is more interested in transferring control to a location and code of the attacker's choosing rather than immediately crashing the program.
T
An auditing function monitors and keeps a record of user accesses to system resources.
T
An example of a patent from the computer security realm is the RSA public-key cryptosystem.
T
An important aspect of a distributed firewall configuration is security monitoring.
T
An important element in many computer security services and applications is the use of cryptographic algorithms.
T
An intruder can also be referred to as a hacker or cracker.
T
Any program that is owned by, and SetUID to, the "superuser" potentially grants unrestricted access to the system to any user executing that program.
T
Anyone can join the Ad Hoc Committee on Responsible Computing.
T
At the basic machine level, all of the data manipulated by machine instructions executed by the computer processor are stored in either the processor's registers or in memory.
T
Availability assures that systems work promptly and service is not denied to users.
T
Because the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control.
T
Both static and dynamic analyses are needed in order to fully understand malware behaviors.
T
Buffer overflow attacks are one of the most common attacks seen.
T
Buffer overflows can be found in a wide variety of programs, processing a range of different input, and with a variety of possible responses.
T
Computer security is essentially a battle of wits between a perpetrator who tries to find holes and the admin who tries to close them.
T
Computer security is protection of the integrity, availability, and confidentiality of information system resources.
T
Computer technology has involved the creation of new types of entities for which no agreed ethical rules have previously been formed.
T
Computers as targets is a form of crime that involves an attack on data integrity, system integrity, data confidentiality, privacy, or availability.
T
Concerns about the extent to which personal privacy has been and may be compromised have led to a variety of legal and technical approaches to reinforcing privacy rights.
T
Data integrity assures that information and programs are changed only in a specified and authorized manner.
T
Depending on the application, user authentication on a biometric system involves either verification or identification.
T
Depending on the details of the overall authentication system, the registration authority issues some sort of electronic credential to the subscriber.
T
Distributed firewalls protect against internal attacks and provide protection tailored to specific machines and applications.
T
E-mail is a common method for spreading macro viruses.
T
Encryption is a pervasive service that can be provided for data at rest in the cloud.
T
Enrollment creates an association between a user and the user's biometric characteristics.
T
Every bot has a distinct IP address.
T
Every bot typically has a distinct IP address.
T
Hardware is the most vulnerable to attack and the least susceptible to automated controls.
T
Human-caused threats are less predictable than other types of physical threats.
T
IT Security management consists of first determining a clear view of an organization's IT security objectives and general risk profile.
T
IT security management has evolved considerably over the last few decades due to the rise in risks to networked systems.
T
IT security needs to be a key part of an organization's overall management plan.
T
Identifiers should be assigned carefully because authenticated identities are the basis for other security services.
T
If a computer's temperature gets too cold the system can undergo thermal shock when it is turned on.
T
In a biometric scheme some physical characteristic of the individual is mapped into a digital representation.
T
In addition to propagating, a worm usually carries some form of payload.
T
In the context of security our concern is with the vulnerabilities of system resources.
T
Intruders typically use steps from a common attack methodology.
T
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.
T
Legal and regulatory constraints may require specific approaches to risk assessment.
T
Malicious software aims to trick users into revealing sensitive personal data.
T
Many forms of infection can be blocked by denying normal users the right to modify programs on the system.
T
Many security admins view strong security as an impediment to efficient and user-friendly operation of an information system.
T
Many users choose a password that is too short or too easy to guess.
T
Misuse of the physical infrastructure includes vandalism, theft of equipment, theft by copying, theft of services, and unauthorized entry.
T
Modes of operation are the alternative techniques that have been developed to increase the security of symmetric block encryption for large sequences of data.
T
Network-based intrusion detection makes use of signature detection and anomaly detection.
T
No cybercriminal database exists that can point investigators to likely suspects.
T
One asset may have multiple threats and a single threat may target multiple assets.
T
Organizational security objectives identify what IT security outcomes should be achieved.
T
Organizational security policies identify what needs to be done.
T
Packet sniffers are mostly used to retrieve sensitive information like usernames and passwords.
T
Physical access control should address not just computers and other IS equipment but also locations or wiring used to connect systems, equipment and distribution systems, telephone and communications lines, backup media, and documents.
T
Physical security must also prevent any type of physical access or intrusion that can compromise logical security.
T
Physical security must prevent misuse of the physical infrastructure that leads to the misuse or damage of the protected information.
T
Programmers use backdoors to debug and test programs.
T
Public-key cryptography is asymmetric.
T
Reliable input is an access control requirement.
T
SQL Server allows users to create roles that can then be assigned access rights to portions of the database.
T
Shellcode must be able to run no matter where in memory it is located.
T
Snort inline enables Snort to function as an intrusion prevention capability.
T
Some APT attacks last for years before they are detected.
T
Some form of protocol is needed for public-key distribution.
T
Stack buffer overflow attacks were first seen in the Aleph One Worm.
T
Symmetric encryption is used primarily to provide confidentiality.
T
The CHUID is a PIV card data object.
T
The CSP can provide backup at multiple locations, with reliable failover and disaster recovery facilities.
T
The best defense against being an unwitting participant in a DDoS attack is to prevent your systems from being compromised.
T
The database management system makes use of the database description tables to manage the physical database.
T
The default set of rights should always follow the rule of least privilege or read-only access.
T
The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.
T
The first comprehensive privacy legislation adopted in the U.S was the Privacy Act of 1974.
T
The first step in devising security services and mechanisms is to develop a security policy.
T
The legal and ethical aspects of computer security encompass a broad range of topics.
T
The more critical a component or service, the higher the level of availability required.
T
The potential for a buffer overflow exists anywhere that data is copied or merged into a buffer, where at least some of the data is read from outside the program.
T
The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.
T
The primary role of the personal firewall is to deny unauthorized remote access to the computer.
T
The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner.
T
The purpose of the privacy functions is to provide a user protection against discovery and misuse of identity by other users.
T
The relative lack of success in bringing cybercriminals to justice has led to an increase in their numbers, boldness, and the global scale of their operations.
T
The secret key is input to the encryption algorithm.
T
The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm.
T
The value of a primary key must be unique for each tuple of its table.
T
There are several generic restrictions on the content of shellcode.
T
Those who hack into computers do so for the thrill of it or for status.
T
To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
T
To create a relationship between two tables, the attributes that define the primary key in one table must appear as attributes in another table, where they are referred to as a foreign key.
T
To exploit any type of buffer overflow the attacker needs to identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker's control.
T
To implement a physical security program an organization must conduct a risk assessment to determine the amount of resources to devote to physical security and the allocation of those resources against the various threats.
T
Two of the most important applications of the public-key encryption are digital signatures and key management.
T
Unauthorized physical access can lead to other threats.
T
User authentication is the basis for most types of access control and for user accountability.
T
User authentication is the fundamental building block and the primary line of defense.
T
X.800 architecture was developed as an international standard and focuses on security in the context of networks and communications.
T
The _______ is a hardware module that is at the heart of a hardware/software approach to trusted computing.
TPM
The ____________ is a hardware module that is at the heart of a hardware/software approach to trusted computing.
TPM
A firewall can serve as the platform for IPSec
TRUE
A packet filtering firewall is typically configured to filter packets going in both directions
TRUE
A prime disadvantage of an application-level gateway is the additional processing overhead on each connection.
TRUE
An important element in many computer security services and applications is the use of cryptographic algorithms
TRUE
Public-key cryptography is asymmetric
TRUE
Some form of protocol is needed for public-key distribution
TRUE
The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.
TRUE
The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm.
TRUE
In order for a fragmented packet to be successfully reassembled at the destination each fragment must obey the following rules. Mark all answers that are true: A. Must not share a common fragment identification number. B. Each fragment must say what its place or offset is in the original unfragmented packet. C. Each fragment must tell the length of the data carried in the fragment. D. Finally the fragment does not need to know whether more fragments follow this one.
TRUE: B. Each fragment must say what its place or offset is in the original unfragmented packet. C. Each fragment must tell the length of the data carried in the fragment. Others: False
SHA-1
The DSS makes use of the _______ and presents a new digital signature technique, the Digital Signature Algorithm (DSA).
What is the OSI security architecture?
The OSI Security Architecture is a framework that provides a systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. The document defines security attacks, mechanisms, and services, and the relationships among these categories.
protocol identifier
The ______ field in the outer IP header indicates whether the association is an AH or ESP security association.
analyzer
The ______ is the IDS component that examines the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.
decryption algorithm
The __________ is the encryption algorithm run in reverse.
decryption
The ________________ algorithm takes the ciphertext and the secret key and produces the original plaintext.
F
The advantage of a stream cipher is that you can reuse keys. True or False
What are the possible consequences of a buffer overflow occurring?
The consequences of a buffer overflow include corruption of data used by the program, unexpected transfer of control in the program, possibly memory access violations, and very likely eventual program termination. When done deliberately as part of an attack on a system, the transfer of control could be to code of the attacker's choosing, resulting in the ability to execute arbitrary code with the privileges of the attacked process.
What are the direct and indirect threats posed by fire?
The direct threat is the damage caused by the fire itself. The indirect threats are from heat, release of toxic fumes, water damage from fire suppression, and smoke damage.
What is the goal of a flooding attack?
The goal of a flooding attack is generally to overload the network capacity on some link to a server, or alternatively to overload the server's ability to handle and respond to this traffic.
handshake protocol
The most complex and important part of TLS is the ________.
AES
The most important symmetric algorithms, all of which are block ciphers, are the DES, triple DES, and the __________.
plaintext
The original message or data that is fed into the algorithm is __________.
What is the primary defense against many DoS attacks, and where is it implemented?
The primary defense against many DoS attacks is to prevent source address spoofing. This must be implemented close to the source of any packet, when the real address (or at least network) is known. Typically this is the ISP providing the network connection for an organization or home user. It knows which addresses are allocated to all its customers, and hence is best placed to ensure that valid source addresses are used in all packets from its customers.
ECC
The principal attraction of ________ compared to RSA is that it appears to offer equal security for a far smaller bit size, thereby reducing processing overhead.
Define the principle of least privilege.
The principle of least privilege states that programs should execute with the least amount of privileges needed to complete their function.
Define computer security.
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
hash function
The purpose of a ________ is to produce a "fingerprint" of a file, message, or other block of data.
hash function
The purpose of a __________ is to produce a "fingerprint" of a file, message, or other block of data.
T
The secret key is input to the encryption algorithm. True or False
What do the terms slashdotted and flash crowd refer to? What is the relation between these instances of legitimate network overload and the consequences of a DoS attack?
The terms slashdotted or flash crowd refer to very large volumes of legitimate traffic, as a result of high publicity about a specific site, often as a result of a posting to the well-known Slashdot or other similar news aggregation site. There is very little that can be done to prevent this type of either accidental or deliberate overload, without also compromising network performance.
uniform distribution
The two criteria used to validate that a sequence of numbers is random are independence and _________ .
brute-force
There are two general approaches to attacking a symmetric encryption scheme: cryptanalytic attacks and _______________________ attacks.
______ is the identification of data that exceed a particular baseline value.
Thresholding
________ are analogous to a burglar guessing a safe combination by observing how long it takes to turn the dial from number to number. A. Digital standards B. Mathematical attacks C. Ciphers D. Timing attacks
Timing attacks
The _____ attack is designed to circumvent filtering rules that depend on TCP header information.
Tiny Fragment
List and describe some measures for dealing with power loss.
To deal with brief power interruptions, an uninterruptible power supply (UPS) should be employed for each piece of critical equipment. The UPS is a battery backup unit that can maintain power to processors, monitors, and other equipment for a period of minutes. UPS units can also function as surge protectors, power noise filters, and automatic shutdown devices when the battery runs low. For longer blackouts or brownouts, critical equipment should be connected to an emergency power source, such as a generator. For reliable service, a range of issues need to be addressed by management, including product selection, generator placement, personnel training, testing and maintenance schedules, and so forth.
A ______ is a word, name, symbol, or device that is used in trade with goods to indicate the source of the goods and to distinguish them from the goods of others.
Trademark
F
Triple DES takes a plaintext block of 64 bits and a key of 56 bits to produce a ciphertext block of 64 bits. True or False
"No write down" is also referred to as the *-property.
True
A bot is a computer compromised by malware and under the control of a bot master (attacker).
True
A bot is a computer compromised by malware and under the control of a bot master (attacker).
True
A brute-force approach involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained.
True
A brute-force approach involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained. True or false.
True
A common location for a NIDS sensor is just inside the external firewall.
True
A common location for a NIDS sensor is just inside the external firewall. True or False.
True
A cookie can be used to authenticate a user to a web site so that the user does not have to type in his password for each connection to the site. True or False.
True
A firewall can serve as the platform for IPSec.
True
A firewall can serve as the platform for IPSec. True or False.
True
A hash function such as SHA-1 was not designed for use as a MAC and cannot be used directly for that purpose because it does not rely on a secret key.
True
A key benefit of using KDC is for scalability. True or False.
True
A key exchange protocol is vulnerable to a man-in-the-middle attack if it does not authenticate the participants.
True
A key exchange protocol is vulnerable to a man-in-the-middle attack if it does not authenticate the participants. True or false.
True
A malicious driver can potentially bypass many security controls to install malware.
True
A message authentication code is a small block of data generated by a secret key and appended to a message.
True
A packet filtering firewall is typically configured to filter packets going in both directions.
True
A packet filtering firewall is typically configured to filter packets going in both directions. True or False
True
A packet filtering firewall is typically configured to filter packets going in both directions. True or False.
True
A prime disadvantage of an application-level gateway is the additional processing overhead on each connection.
True
A prime disadvantage of an application-level gateway is the additional processing overhead on each connection. True or False.
True
A reflection attack is a form of man-in-the-middle attack. True or False.
True
A session key should be a secret and unique to the session. True or False.
True
A subject can exercise only accesses for which it has the necessary authorization and which satisfy the MAC rules.
True
A user may belong to multiple groups.
True
A virus that attaches to an executable program can do anything that the program is permitted to do.
True
ASLR (if implemented correctly) can prevent return-to-libc attacks.
True
Access to any network resource requires a ticket issued by the KDC. True or False.
True
An ISA needs to be established before IPSec SAs can be negotiated. True or False.
True
An access right describes the way in which a subject may access an object.
True
An important element in many computer security services and applications is the use of cryptographic algorithms.
True
An intruder can also be referred to as a hacker or a cracker
True
Any program that is owned by, and SetUID to, the "superuser" potentially grants unrestricted access to the system to any user executing that program.
True
Authentication can be one-way, for example, only authenticating Alice to Bob. True or False.
True
Authentication should be accomplished before key exchange. True or False.
True
Both static and dynamic analyses are needed in order to fully understand malware behaviors
True
Checking the HTTP Referer header to see if the request comes from an authorized page can prevent XSRF. True or False.
True
Compared with WEP, WPA2 has more flexible authentication and stronger encryption schemes. True or false
True
Cryptographic hash functions generally execute faster in software than conventional encryption algorithms such as DES.
True
ESP can provide both confidentiality and integrity protection. True or False.
True
Even web searches are often in HTTPS. True or False.
True
Every bot typically has a distinct IP address
True
HMAC can be proven secure provided that the embedded hash function has some reasonable cryptographic strength
True
HMAC can be proven secure provided that the embedded hash function has some reasonable cryptographic strength. True or False.
True
If the sequence number in the IPSec header is smaller than the smallest number of the current anti-replay window the packet is rejected. True or False.
True
In AH, the integrity hash covers the IP header. True or False.
True
In IPSec, the sequence number is used to prevent replay attacks. True or False.
True
In Kerberos, each human user has a master key shared with the authentication server, and the key is derived from the user's password.
True
In Kerberos, each human user has a master key shared with the authentication server, and the key is derived from the user's password. True or False.
True
In Kerberos, the authentication server shares a unique secret key with each server.
True
In Kerberos, the authentication server shares a unique secret key with each server. True or False.
True
In Kerberos, the purpose of using ticket-granting-ticket (TGT) is to minimize the exposure of a user's master key.
True
In Kerberos, the purpose of using ticket-granting-ticket (TGT) is to minimize the exposure of a user's master key. True or False.
True
In XSRF, the malicious site can send malicious script to execute in the user's browser by embedding the script in a hidden iframe. True or False.
True
In a wireless network, traffic is broadcast into the air, and so it is much easier to sniff wireless traffic compared with wired traffic. True or false
True
In addition to propagating, a worm usually carries some form of payload
True
In general, public key based encryption is much slower than symmetric key based encryption.
True
In iOS, each file is encrypted using a unique, per-file key. True or false
True
In most applications of TLS or SSL, public keys are used for authentication and key exchange. True or False.
True
In security protocol, an obvious security risk is that of impersonation.
True
In security protocol, an obvious security risk is that of impersonation. True or False.
True
Intruders typically use steps from a common attack methodology.
True
Intruders typically use steps from a common attack methodology. True or false.
True
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.
True
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified. True or False.
True
It is likely that an organization will not have the resources to implement all the recommended controls. True or false
True
Kerberos also distributes session keys. True or False.
True
Kerberos provides authentication and access control. True or False.
True
Legal and regulatory constraints may require specific approaches to risk assessment. True or false
True
Logging off immediately after using a web application can prevent XSRF. True or False.
True
Malicious JavaScript is a major threat to browser security. True or False.
True
Many forms of infection can be blocked by denying normal users the right to modify programs on the system
True
Many users choose a password that is too short or too easy to guess
True
Modes of operation are the alternative techniques that have been developed to increase the security of symmetric block encryption for large sequences of data.
True
Most browsers come equipped with SSL and most Web servers have implemented the protocol. True or False.
True
Multilevel security is of interest when there is a requirement to maintain a resource in which multiple levels of data sensitivity are defined
True
Network based intrusion detection makes use of signature detection and anomaly detection
True
Network-based intrusion detection makes use of signature detection and anomaly detection. True or False.
True
Not allowing the browser to save usernames/passwords, and not allowing web sites to remember user logins, can prevent XSRF. True or False.
True
Not using the same browser to access sensitive web sites and to surf the web freely can prevent XSRF. True or False.
True
One asset may have multiple threats and a single threat may target multiple assets. True or false
True
One way to secure against Trojan horse attacks is the use of a secure, trusted operating system
True
Organizational security objectives identify what IT security outcomes should be achieved. True or false
True
Performing regular backups of data on a system is a critical control that assists with maintaining the integrity of the system and user data
True
Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion
True
SHA is perhaps the most widely used family of hash functions.
True
SHA is perhaps the most widely used family of hash functions. True or False.
True
The SPI is used to help the receiver identify the SA needed to process the incoming IPsec packet. True or False.
True
SQL injection is yet another example that illustrates the importance of input validation. True or False.
True
Since the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control. True or false
True
Some APT attacks last for years before they are detected
True
Some form of protocol is needed for public-key distribution.
True
Symmetric encryption is also referred to as secret-key or single-key encryption.
True
Symmetric encryption is also referred to as secret-key or single-key encryption. True or false.
True
Symmetric encryption is used primarily to provide confidentiality.
True
Symmetric encryption is used primarily to provide confidentiality. True or False.
True
T/F The first order of business in security audit trail design is the selection of data items to capture.
True
T/F "No write down" is also referred to as the *-property.
True
T/F "The plaintext is 64 bits in length and the key is 56 bits in length; longer plaintext amounts are processed in 64-bit blocks" is a description of the DES algorithm.
True
T/F A brute-force approach involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained.
True
T/F A component describes a specific set of security requirements.
True
T/F A malicious driver can potentially bypass many security controls to install malware.
True
T/F A plan needs to identify appropriate personnel to install and manage the system, noting any training needed.
True
T/F A servicemark is the same as a trademark except that it identifies and distinguishes the source of a service rather than a product.
True
T/F A subject can exercise only accesses for which it has the necessary authorization and which satisfy the MAC rules.
True
T/F A very common configuration fault seen with Web and file transfer servers is for all the files supplied by the service to be owned by the same "user" account that the server executes as.
True
T/F According to ISO 27002, the person(s) carrying out the audit should be independent of the activities audited.
True
T/F An example of a patent from the computer security realm is the RSA public-key cryptosystem.
True
T/F Anyone can join the Ad Hoc Committee on Responsible Computing.
True
T/F CRC is an error detecting code.
True
T/F Company wireless LANs or wireless access points to wired LANs in close proximity may create overlapping transmission ranges.
True
T/F Computer technology has involved the creation of new types of entities for which no agreed ethical rules have previously been formed.
True
T/F Computers as targets is a form of crime that involves an attack on data integrity, system integrity, data confidentiality, privacy, or availability.
True
T/F Concerns about the extent to which personal privacy has been and may be compromised have led to a variety of legal and technical approaches to reinforcing privacy rights.
True
T/F Each layer of code needs appropriate hardening measures in place to provide appropriate security services.
True
T/F Functionality is the security features provided by a product.
True
T/F In most data-link control protocols, the data-link protocol entity is responsible not only for detecting errors using the CRC, but for recovering from those errors by retransmitting damaged frames.
True
T/F In using encryption, we need to decide what to encrypt and where the encryption gear should be located.
True
T/F It is possible for a system to be compromised during the installation process.
True
T/F It is possible to convert any block cipher into a stream cipher by using the cipher feedback (CFB) mode.
True
T/F Key distribution can be achieved for two parties A and B by a third party selecting the key and physically delivering it to A and B.
True
T/F Means are needed to generate and record a security audit trail and to review and analyze the audit trail to discover and investigate attacks and security compromises.
True
T/F Multilevel security is of interest when there is a requirement to maintain a resource in which multiple levels of data sensitivity are defined.
True
T/F One desirable property of a stream cipher is that the ciphertext be of the same length as the plaintext.
True
T/F One of the most influential computer security models is the Bell-LaPadula model.
True
T/F One way to secure against Trojan horse attacks is the use of a secure, trusted operating system.
True
T/F Performing regular backups of data on a system is a critical control that assists with maintaining the integrity of the system and user data.
True
T/F Symmetric encryption is also referred to as secret-key or single-key encryption.
True
T/F The BLP model effectively breaks down when (untrusted) low classified executable data are allowed to be executed by a high clearance (trusted) subject.
True
T/F The BLP model includes a set of rules based on abstract operations that change the state of the system.
True
T/F The Common Criteria for Information Technology and Security Evaluation are ISO standards for specifying security requirements and defining evaluation criteria.
True
T/F The National Bureau of Standards is now the National Institute of Standards and Technology.
True
T/F The basic audit objective is to establish accountability for system entities that initiate or participate in security-relevant events and actions.
True
T/F The ciphertext-only attack is the easiest to defend against.
True
T/F The foundation of a security auditing facility is the initial capture of the audit data.
True
T/F The legal and ethical aspects of computer security encompass a broad range of topics.
True
T/F The most significant source of risk in wireless networks is the underlying communications medium.
True
T/F The primary purpose of the MAC layer is to transfer MSDUs between MAC entities.
True
T/F The purpose of the discovery phase is for an STA and an AP to recognize each other, agree on a set of security capabilities, and establish an association for future communication using those security capabilities.
True
T/F The purpose of the privacy functions is to provide a user protection against discovery and misuse of identity by other users.
True
T/F The relative lack of success in bringing cybercriminals to justice has led to an increase in their numbers, boldness, and the global scale of their operations.
True
T/F The transmission medium carries the radio waves for data transfer.
True
T/F The wireless access point provides a connection to the network or service.
True
T/F WPA2 incorporates all of the features of the IEEE 802.11i WLAN security specifications.
True
The Common Criteria for Information Technology and Security Evaluation are ISO standards for specifying security requirements and defining evaluation criteria.
True
The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms.
True
The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms. True or false.
True
The OpenSSL heartbleed vulnerability would have been prevented if OpenSSL had been implemented in Java
True
The additive constant numbers used in SHA-512 are random-looking and are hardcoded in the algorithm.
True
The additive constant numbers used in SHA-512 are random-looking and are hardcoded in the algorithm. True or False
True
The authentication messages can be captured and replayed by an adversary. True or False.
True
The best defense against being an unwitting participant in a DDoS attack is to prevent your systems from being compromised
True
The ciphertext-only attack is the easiest to defend against.
True
The ciphertext-only attack is the easiest to defend against. True or false.
True
The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.
True
The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function. True or False.
True
The first step in devising security services and mechanisms is to develop a security policy
True
The identity of the responder and receiver and the messages they have exchanged need to be authenticated. True or False.
True
The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.
True
The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner.
True
The purpose of the privacy functions is to provide a user protection against discovery and misuse of identity by other users. True or false
True
The relative lack of success in bringing cybercriminals to justice has led to an increase in their numbers, boldness, and the global scale of their operations. True or false
True
The strength of a hash function against brute-force attacks depends on the length of the hash code produced by the algorithm. True or False.
True
The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm.
True
The strong collision resistance property subsumes the weak collision resistance property.
True
The use of a synchronized token pattern, where a token for each request is embedded by the web application in all HTML forms and verified on the server side, can prevent XSRF.
True
Timing attacks are only applicable to RSA. True or false.
True
To avoid over exposure of a user's master key, Kerberos uses a per-day key and a ticket granting ticket. True or False.
True
To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
True
To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level. True or False.
True
To defeat a reflection attack, we can use an odd number as challenge from the initiator and even number from the responder. True or False.
True
To exploit any type of buffer overflow the attacker needs to identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker's control
True
To protect the confidentiality and integrity of the whole original IP packet, we can use ESP with authentication option in tunnel mode. True or False.
True
Two of the most important applications of public-key encryption are digital signatures and key management. True or False.
True
Using PKCS (public-key cryptography standard), when RSA encrypts the same message twice, different ciphertexts will be produced.
True
Using PKCS (public-key cryptography standard), when RSA encrypts the same message twice, different ciphertexts will be produced. True or false.
True
We can use signing with public keys to achieve mutual authentication. True or False.
True
XSRF is possible when a user has a connection to a malicious site while a connection to a legitimate site is still alive. True or False.
True
XSS can perform many types of malicious actions because a malicious script is executed at user's browser. True or False.
True
XSS is possible when a web site does not check user input properly and use the input in an outgoing html page. True or False.
True
Each layer of code needs appropriate hardening measures in place to provide appropriate security services
True
In a biometric scheme some physical characteristic of the individual is mapped into a digital representation
True
It is possible for a system to be compromised during the installation process
True
Signing the message exchanges in Diffie-Hellman eliminates the man-in-the-middle attack. True or False.
True
Each fragment must indicate its place (offset) in the original unfragmented packet. True or False
True because otherwise we cannot correctly reassemble the fragments into the original IP packet.
A network IDS sensor monitors a copy of network traffic. The actual traffic does not pass through the device. True or False.
True, because a network IDS typically performs passive monitoring by copying the network traffic.
The longer the system is in use, the more it learns about network activity. True or false.
True, because anomaly detection involves first learning or profiling what is normal. The longer the system is in use, the better it can learn what is normal.
If malicious activity looks like normal traffic to the system, it will not detect an attack. True or false.
True, because anomaly detection detects what does not look normal. Therefore, if an attack manages to look normal, the anomaly detection system will not be able to detect this attack.
The primary purpose of an IDS is to detect intrusions, log suspicious events and send alerts. True or False.
True, because these are the basic functions of an IDS.
Cookies are created by ads that run on websites. True or False
True, cookies are created by ads, widgets, and elements on the web page the user is visiting.
Cookies are created by websites a user is visiting. True or False.
True, cookies are created by ads, widgets, and elements on the web page the user is visiting.
Cookies can be used as a form of spyware. True or False.
True, cookies store user preferences and browsing history, and therefore they can be used as spyware.
Public-key encryption can be used to create digital signatures. True or False.
True, given a message we can first hash the message and then encrypt the message using our public-key. The encrypted hash value becomes the digital signature of this message.
Web servers can be compromised because of the exploits on web applications. True or False.
True, the security vulnerabilities of web applications can lead to attacks that deface websites, and the backend servers can be compromised as well. For example, credit card information can be stolen from the backend servers.
To prevent XSS, any user input must be checked and preprocessed before it is used inside html. True or False.
True, the website can check that the name of a user should not be a script.
Each fragment must tell the length of the data carried in the fragment. True or False
True, this allows the correct reassembly of the fragments into the original packet.
A common location for a network intrusion detection system sensor is just inside the external firewall. True or False.
True, this is a very typical deployment strategy of network IDS.
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified. True or False.
True, this is the primary assumption of IDS.
Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion. True or false.
True, unless such packet sniffing is done with proper authorization.
Web browser can be attacked by any web site that it visits. True or False.
True, we cannot authenticate all websites, and even if a website is authenticated, it may still have vulnerabilities.
An intruder can also be referred to as a hacker or cracker. True or false.
True, we sometimes use hacker to refer to an intruder.
When a user's browser visits a compromised or malicious site, a malicious script is returned. True or False.
True, this is a required step in the cross-site scripting attack.
A stateful inspection firewall needs to keep track of information of an active connection in order to decide on the current packet.
True.
Firewalls can stop hackers breaking into your system. True or False.
True.
Firewalls can stop viruses and worms that spread through the internet. True or False.
True.
The secret key is input to the encryption algorithm. True or False.
True. An encryption algorithm takes as its input the plaintext and a key.
When a new virus is identified, it must be added to the signature database. True or false.
True. Because a misuse detection system detects attacks based on signatures of known intrusions, when a new attack is discovered its signature needs to be added to the signature database.
False positives can become a problem: normal usage can be mistaken for an attack. True or false.
True. Because the definition of a false positive is that a normal activity is mistaken for an attack. At a minimum, false positives can waste the system's time, because the system needs to investigate whether there is truly an intrusion or not.
Can only detect an intrusion attempt if it matches a pattern that is in the database. True or false.
True. This is essentially the definition of a signature-based detection system.
Network-based intrusion detection makes use of signature detection and anomaly detection. True or False.
True. You can indeed use both approaches.
What are the two broad categories of defenses against buffer overflows?
Two broad categories of defenses against buffer overflows are: compile-time defenses which aim to harden programs to resist attacks in new programs; and run-time defenses which aim to detect and abort attacks in existing programs.
Two of the most important applications of public-key encryption are digital signatures and key management. True or False
T
UDP flood
UDP packets directed to some port number on the target system
What are the threats posed by loss of electrical power?
Undervoltage, overvoltage, and noise.
What two criteria are used to validate that a sequence of numbers is random?
Uniform distribution; independence
________ ensures that a user may make multiple uses of resources or services without others being able to link these uses together.
Unlinkability
List and define the four types of entities in a base model RBAC system.
User: An individual that has access to this computer system. Each individual has an associated user ID. Role: A named job function within the organization that controls this computer system. Typically, associated with each role is a description of the authority and responsibility conferred on this role, and on any user who assumes this role. Permission: An approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization. Session: A mapping between a user and an activated subset of the set of roles to which the user is assigned.
Characteristics of APT include ______.
- Using zero-day exploits - Low-and-slow - Targeting high-value data
What types of packets are commonly used for flooding attacks?
Virtually any type of network packet can be used in a flooding attack, though common flooding attacks use ICMP, UDP or TCP SYN packet types.
In order to accelerate the introduction of strong security into WLANs the Wi-Fi Alliance promulgated ________, a set of security mechanisms that eliminates most 802.11 security issues, as a Wi-Fi standard.
WPA
List and briefly describe the principal threats to the secrecy of passwords.
We can identify the following attack strategies and countermeasures: Offline dictionary attack: Typically, strong access controls are used to protect the system's password file. However, experience shows that determined hackers can frequently bypass such controls and gain access to the file. The attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords. If a match is found, the attacker can gain access by that ID/password combination. Specific account attack: The attacker targets a specific account and submits password guesses until the correct password is discovered. Popular password attack: A variation of the preceding attack is to use a popular password and try it against a wide range of user IDs. A user's tendency is to choose a password that is easily remembered; this unfortunately makes the password easy to guess. Password guessing against single user: The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. Workstation hijacking: The attacker waits until a logged-in workstation is unattended. Exploiting user mistakes: If the system assigns a password, then the user is more likely to write it down because it is difficult to remember. This situation creates the potential for an adversary to read the written password. A user may intentionally share a password, to enable a colleague to share files, for example. Also, attackers are frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password. Many computer systems are shipped with preconfigured passwords for system administrators. Unless these preconfigured passwords are changed, they are easily guessed. Exploiting multiple password use: Attacks can also become much more effective or damaging if different network devices share the same or a similar password for a given user. Electronic monitoring: If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping. Simple encryption will not fix this problem, because the encrypted password is, in effect, the password and can be observed and reused by an adversary.
Which of the following features can only be provided by public-key cryptography?
Non-repudiation
Which of the following would allow an attacker to know that the (plaintext of the) current message must be the same as one previously transmitted, because their ciphertexts are the same?
ECB
__________ applications is a control that limits the programs that can execute on the system to just those in an explicit list.
White listing
The _______ access mode allows the subject both read and write access to the object.
Write
Technology and other safeguards for cyber security are largely defensive in nature. The only way they can impact a threat source is by increasing the work factor for an attacker. Can laws be used to reduce the magnitude of threats? Choose the best answer: a. Yes, laws can provide criminal sanctions against those who commit cyber crime. b. No, cyber crime has increased even as new laws have been put in place.
a. Yes, laws can provide criminal sanctions against those who commit cyber crime. Clearly, whether it is to do with theft of data, identity theft, theft of intellectual property, or somebody invading your privacy, we need laws against those.
______ is a function that removes specific identifying information from query results, such as last name and telephone number, but creates some sort of unique identifier so that analysts can detect connections between queries.
Anonymization
_______ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.
Signature detection
_______ involves the collection of data relating to the behavior of legitimate users over a period of time.
Anomaly detection
_______ is a list that contains the combinations of cryptographic algorithms supported by the client.
CipherSuite
________ are analogous to a burglar guessing a safe combination by observing how long it takes to turn the dial from number to number.
Timing attacks
________ attacks have several approaches, all equivalent in effort to factoring the product of two primes.
Mathematical
________ is a procedure that allows communicating parties to verify that received or stored messages are authentic.
Message authentication
________ is a term that refers to the means of delivering a key to two parties that wish to exchange data without allowing others to see the key.
Key distribution technique
_________ was the first published public-key algorithm.
Diffie-Hellman
__________ is the scrambled message produced as output.
Ciphertext
A company stores sensitive customer data. The impact of a breach of such data must include... a. cost of purchasing identity theft protection for your customers. b. Loss of business due to reduced customer confidence. c. Compensation for new cyber security personnel the company hires to better manage cyber security in the future.
a & b
Select all answers that are correct. a. each app runs in a sandbox and has its own home directory for its files. b. all iOS apps must be reviewed and approved by Apple. c. iOS apps can be self-signed by app developers.
a & b
A news story in 2014 reported that an inspector general's report gave Veterans Affairs (VA) a failing grade for the 16th year. The CIO of VA discussed a number of challenges that could explain this grade. Select the ones that you think could be the possible reasons: a. The need to manage cyber security for over a million devices each running many services b. Lack of sense of urgency in fixing cyber vulnerabilities c. Choosing to support key functions even when this could introduce vulnerabilities.
a & c
What is the difference between a distributed host-based IDS and a NIDS?
A NIDS examines packet traffic directed toward potentially vulnerable computer systems on a network. A host-based system examines user and software activity on a host. A distributed IDS is a collection of host-based IDSs that cooperate, but the focus remains on host activity rather than network activity.
Unlike the MAC, a hash function does not take ________ as input
a secret key
Message authentication code
a small block of data that is a complex function of the message generated by a secret key that is appended to the message
By mistake, a friend sends sensitive health data in an email to you (wrong attachment). You should not read the information in the attached document because... a, Professional code of ethics requires you to respect privacy of others. b. You can be liable under CFAA
a, Professional code of ethics requires you to respect privacy of others.
Select the statements that are true: a. RSA is a block cipher in which the plaintext and ciphertext are integers between zero and n-1 for some n. b. If someone invents a very efficient method to factor large integers, then RSA becomes insecure. c. the Diffie-Hellman algorithm depends, for its effectiveness, on the difficulty of computing discrete logarithms. d. the Diffie-Hellman key exchange protocol is vulnerable to a man-in-the-middle attack, because it does not authenticate the participants. e. RSA and Diffie-Hellman are the only public-key algorithms.
a,b,c,d
Which of these characteristics describes the statistical approach? a. any action that does not fit the normal behavior profile is considered an attack. b. any action that's not classified as one of the normal behaviors according to a set of rules is considered to be an attack.
a. any action that does not fit the normal behavior profile is considered an attack.
A method where a specific known plaintext is compared to its ciphertext a. known-Plaintext attacks b. chosen-Plaintext attacks c. differential cryptanalysis d. linear cryptanalysis
a. known-Plaintext attacks
If the only form of attack that could be made on an encryption algorithm is brute-force, then the way to counter such attacks would be to... a. use a longer key length b. use a shorter key length c. use a more complex algorithm d. use a harder to guess key
a. use a longer key length Because a longer key length means more keys, which means the attacker has to search a lot more keys.
backscatter traffic
advertise routes to unused IP addresses to monitor attack traffic
System resources
aims to overload or crash the network handling software
Cryptographic systems are generically classified by _______. A. the type of operations used for transforming plaintext to ciphertext B. the number of keys used C. the way in which the plaintext is processed D. all of the above
all of the above
Security auditing can:
all of the above
Denial-of-service Attack
an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units, memory, bandwidth, and disk space
The ________ is responsible for determining if an intrusion has occurred.
analyzer
The ________ is the IDS component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.
analyzer
An assault on system security that derives from an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system is an
attack
IP Spoofing is useful for.. a. Bidirectional communication b. Unidirectional communication
b. Unidirectional communication The second statement is correct because IP spoofing only works for unidirectional communication. For bidirectional communication, the server will not reply to the attacker, but to the spoofed IP address, which will not respond appropriately.
Which security standard should be used for WiFi? a. WEP b. WPA2
b. WPA2
Which of these characteristics describes the knowledge-based approach? a. any action that does not fit the normal behavior profile is considered an attack. b. any action that's not classified as one of the normal behaviors according to a set of rules is considered to be an attack.
b. any action that's not classified as one of the normal behaviors according to a set of rules is considered to be an attack.
Compare the ciphertexts with its known plaintext a. known-Plaintext attacks b. chosen-Plaintext attacks c. differential cryptanalysis d. linear cryptanalysis
b. chosen-Plaintext attacks
Which description best describes the Machine Learning approach for Intruder Detection: a. detects new and novel attacks b. detects attacks similar to past attacks
b. detects attacks similar to past attacks
Select all the answers that are true. a. all cryptographic keys are stored in flash memory. b. trusted boot can verify the kernel before it is run. c. all files of an app are encrypted using the same key. d. all of the above
b. trusted boot can verify the kernel before it is run.
In 2013, researchers were able to bypass Apple's app store security. What method did they use? a. uploaded malware disguised as an app without authorization, bypassing the review and check process. b. uploaded an app that after it passed the review process morphed into malware. c. uploaded an app that led users to a site that contained malware.
b. uploaded an app that after it passed the review process morphed into malware.
When implementing RSA, is it best to a. use your own custom software to ensure a secure system b. use the standard libraries for RSA
b. use the standard libraries for RSA The reason is that the standard libraries have been reviewed and tested by the security committee and therefore are more likely to be more secure.
A _______ is a hardware device that sits between servers and storage systems and encrypts all data going from the server to the storage system and decrypts data going in the opposite direction.
back-end appliance
flooding attacks
-based on the network protocol used -intent is to overload the network capacity -virtually any type of network packet can be used
What is the most commonly used symmetric encryption algorithm?
block cipher
What is one example where symmetric encryption alone is not a suitable tool for message authentication
block reordering
A __________ is to try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.
brute-force attack
Use the totient technique to compute the result of raising 7 to the power of 27 mod 30. Write your result in this box.
c = 7^27 mod 30 = 7^(27 mod totient(30)) mod 30, where totient(30) = totient(3) * totient(10) = 2 * 4 = 8, so 27 mod 8 = 3 and c = 7^3 mod 30 = 343 mod 30 = 13
Select all the answers that are true. a. Android apps can be self signed. b. Android apps can have more powerful permissions than iOS apps. c. all of the above
c. all of the above
Analyzing the effect of changes in input on the encrypted output a. known-Plaintext attacks b. chosen-Plaintext attacks c. differential cryptanalysis d. linear cryptanalysis
c. differential cryptanalysis
What properties must a hash function have?
can be applied to any size block of data, produces fixed length output, relatively easy to compute, preimage resistant, weak collision resistant
A _____ gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.
circuit-level
TCP Connection handshake
client sends SYN with seq=x to server; server sends SYN-ACK back with seq=y, ack=x+1; client receives it, then sends ACK with ack=y+1
TCP SYN spoofing attack
client sends a SYN with a spoofed source address; the server sends its SYN-ACK to the spoofed client and keeps retrying, getting timeouts and failed connections, because the spoofed client drops the server's acknowledgement and never responds
Aspects that make a key-search attack harder
compressing the message before encryption, and if the compressed file were a numerical file
Requirements of public-key cryptography
computationally easy for party B to generate a pair, computationally easy to send a message via the public key, computationally easy for the receiver to decrypt, computationally infeasible for the opponent knowing the public key to know the private key, computationally infeasible for the opponent to get the message if they know the public key and the ciphertext
A loss of __________ is the unauthorized disclosure of information
confidentiality
Public key certificate
consists of a public key plus a user ID of the key owner with the whole block signed by a trusted third party
Symmetric encryption is also referred to as _______ and ______
conventional encryption; single key encryption
a consequence of a buffer overflow error is
corruption of data, unexpected transfer of control, possible memory access violation
a _________ is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it
countermeasure
What are the two approaches to attacking symmetric encryption
cryptanalysis and brute-force attack
If the length of hash is 128 bits, then how many messages does an attacker need to search in order to find two that share the same hash value? a. 128 b. 2^128 c. 2^217 d. 2^64
d. 2^64 Because the length of the hash is 128 bits, there are 2^128 possible hash values. Using the birthday paradox, the attacker needs to search the square root of 2 to the 128th, that many possible messages, in order to find two that share the same hash. Therefore, the answer is 2 to the 64.
Cyber security planning and management in an enterprise must define allowed computer and network use by employees. Georgia Tech's computer and network use policy strives to do this for students, faculty and staff. Select all that you think are required by this policy: a. Georgia Tech account passwords should be changed periodically b. A compromise of a computer should be reported to someone responsible for cyber security at Georgia Tech c. Georgia Tech computers cannot be used to download illegal content (e.g. child pornography) d. all of the above
d. all of the above
Select all answers that are correct. ESP can be securely used in a. encryption only mode b. authentication only mode c. encryption and authentication mode d. all of the above
d. all of the above All of these are correct. However, although ESP can be used in encryption only and authentication only modes, it is strongly discouraged, because only using the full encryption and authentication mode is secure.
Check all those who can write rules for SNORT: a. Users of SNORT b. The SNORT Community c. Talos Security Intelligence and Research Team d. all of the above.
d. all of the above. As an open source software, everyone can write rules for SNORT. The rules can then be submitted and improved by security experts, and shared with the community.
What iOS security weaknesses were exploited by researchers in 2015? a. the malware was uploaded to the Apple App Store. b. the malware was able to bypass sandbox security. c. the malware was able to hijack browser extensions and collect passwords. d. all the above.
d. all the above.
A method to determine the encryption function by analyzing known phrases and their encryption a. known-Plaintext attacks b. chosen-Plaintext attacks c. differential cryptanalysis d. linear cryptanalysis
d. linear cryptanalysis
Transmitted data stored locally are referred to as __________ .
data at rest
The assurance that data received is exactly as sent by an authorized entity
data integrity
Digital signatures ensure _______ but do not ensure _________
data integrity; confidentiality
public key algorithms are used for
digital signatures, secure distribution of public keys, use of public key to distribute secret keys, use of public key encryption to create temporary keys
The most important changes needed to improve system security are to
disable remotely accessible services that are not required, ensure that applications and services that are needed are appropriately configured, disable services and applications that are not required
"An individual (or role) may grant to another individual (or role) access to a document based on the owner's discretion, constrained by the MAC rules" describes the _________.
ds-property
To defeat an IDS, attackers can: a. Send a huge amount of traffic. b. Embed attack in packets that cause non-uniform processing by different operating systems, for example, bad checksum and overlapping fragments. c. Send traffic that purposely matches detection rules. d. send a packet that would trigger a buffer-overflow in the IDS code. e. all of the above
e. all of the above First, send a huge amount of traffic. This is true. This can cause denial of service of the IDS and cause it to not be able to analyze traffic that contains attacks. Second, embed attack in packets that cause non-uniform processing by different operating systems, for example, bad checksum and overlapping fragments. This is true because the result of this is that the IDS is seeing different traffic as the end host, and as a result, the end host may be attacked by the traffic, yet the IDS will miss it. Third, this is true because this will result in a lot of alerts that need to be analyzed by the sysadmins. And when the sysadmins are overwhelmed, then the attacker can send his attack that although the attack is detected and an alert is produced, the sysadmin will not have time to look at the alert until it's too late. Fourth, send a packet that would trigger a buffer-overflow in the IDS code. This is true because the buffer-overflow is a typical exploit method used to attack a program. For example, the attacker can inject his own code using buffer-overflow into a program. In other words, if the attacker can buffer-overflow an IDS, that means the attacker can now control the IDS.
In the thriving zero-day attack marketplace, hackers sell information on software vulnerabilities. Can you guess some of the buyers? a. Apple b. Google c. Microsoft d. US government e. all of the above
e. all of the above The answer is, that they're all buyers of zero day attack information. For example, a zero day vulnerability in the Linux operating system was sold for $50,000.
Macro virus
embedded in documents, run/spread when opened
stream cipher
encrypts plaintext one byte at a time
each individual who is to be included in the database of authorized users must first be __________ in the system
enrolled
Regression Testing
ensure that alterations do not break existing functionality/performance
what is an example of multi factor authentication
enter a PIN and put a finger on the fingerprint reader
Polymorphic virus
encrypts part of the virus program using a randomly generated key
For hash function, cryptanalysis involves ________ in the code
exploiting logical weaknesses
Which of the following are security threats to WiFi? Select all that apply. a. Eavesdropping. This means attacker listening to communications. b. injecting bogus messages. c. replaying previously recorded messages. d. illegitimate access to the network & its services. e. denial of service. f. all the above.
f. all the above.
Primary advantage of a stream cipher over a block cipher
faster and use far less code
The purpose of a hash function is to produce a ________
fingerprint of a file, message, or other block of data
Digital envelope
generate a random symmetric, one time use key, encrypt the message using the key, encrypt the key using the public key of the intended receiver, attach the encrypted key and send the message
captcha
graphical puzzle to distinguish legit human requests
Security concerns that result from the use of virtualized systems include
guest OS isolation, guest OS monitoring by the hypervisor, virtualized environment security
On average, __________ of all possible keys must be tried in order to achieve success with a brute-force attack.
half
The purpose of a __________ is to produce a "fingerprint" of a file, message, or other block of data.
hash function
_______________ is a form of buffer overflow attack
heap overflow, return to system call, replacement stack frame
what needs to be taken into consideration during the system security planning process?
how users are authenticated, the categories of users of the system, what access the system has to information stored on other hosts
a buffer can be located
in the heap, on the stack, in the data section of the process
Memory-resident virus
infect running programs
what is a threat to or concern of multi-factor authentication
inherent imprecision, impersonation, coercion
A(n) ________ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
inline sensor
Combined one byte at a time with the plaintext stream using the XOR operation, a __________ is the output of the pseudorandom bit generator.
keystream
Modes of operation was developed to overcome the security weaknesses with _______
larger sequences of data
The strength of a hash function against brute-force attacks depends solely on the _________ produced by the algorithm.
length of the hash code
________ is provided by means of a co-processor board embedded in the tape drive and tape library hardware
library-based tape encryption
Which of the following scenarios require a security protocol: __________.
logging into mail.google.com, connecting to work from home using a VPN.
____________ is code inserted into malware that lies dormant until a predefined condition, which triggers an unauthorized act, is met
logic bomb
an example of ____ is an attempt by an unauthorized user to gain access to a system by posing as an authorized user
masquerade
A ________ monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity
network-based IDS
A multilevel secure system for confidentiality must enforce
no read up, ss-property, no write down
keystream
output of a stream cipher; key is XORed one bit at a time with the plaintext
Encryption protects against
passive attacks like eavesdropping
The ______________ is what the virus "does"
payload
Digital signature steps
Person A sends the message with the signature attached. Person B receives the message with the signature, decrypts the signature using Person A's public key, and compares the calculated hash value to the decrypted hash value.
The original message or data that is fed into the algorithm is __________.
plaintext
Electronic codebook mode
plaintext is encrypted using the same key b bits at a time
An asymmetric encryption scheme has six ingredients
plaintext, encryption algorithm, public and private key, ciphertext, decryption algorithm
What are the five ingredients of symmetric encryption?
plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm
A hash function is referred to as _____ if it is computationally infeasible to find x such that H(x) = h for a given code h
preimage resistant; called the one-way property: easy to generate the code but virtually impossible to generate the message from it
How does a block cipher work?
processes plaintext input in fixed-size blocks and produces a block of ciphertext of equal size
A ____ stream is one that is unpredictable without knowledge of the input key and which has an apparently random character.
pseudorandom
With a properly designed _______, a stream cipher can be as secure as a block cipher of comparable key length
pseudorandom number generator
Digital signatures and key management are the two most important applications of __________ encryption
public key
Digital signatures and key management are the two most important applications of
public key encryption
a ______ strategy is one in which the system periodically runs its own password cracker to find guessable passwords
reactive password checking
Network Bandwidth
relates to the capacity of the network links connecting a server to the internet, for most organizations this is their connection to their internet service provider or ISP
Boot sector virus
run/spread whenever the system is booted
Parasitic virus
scan/infect programs
_______ and _______ are the inputs to a symmetric encryption algorithm.
secret key; plaintext
A ________ is a security event that constitutes a security incident in which an intruder gains access to a system without having authorization to do so.
security intrusion
the function of _ was to transfer control to a user command-line interpreter
shellcode
recognition by fingerprint, retina, and face are examples of
static biometrics
What are the two requirements for secure use of symmetric encryption
strong encryption algorithm (opponent who knows the algorithm and has access to one or more ciphertexts would be unable to decipher the ciphertext or figure out the key) and sender and receiver must have obtained secret key in a secure fashion
A ____ protects against an attack in which one party generates a message for another party to sign.
strong hash function
What are the three ways in which a message digest can be authenticated using hash code?
symmetric encryption, public-key encryption and by using a secret value (keyed hash MAC)
Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion.
t
The following steps should be used to secure an operating system
test the security of the basic operating system, remove unnecessary services, install and patch the operating system
What is the principal drawback of 3DES
the algorithm is relatively sluggish
Intrusion detection is based on the assumption that __________.
the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.
The security of any encryption scheme depends on _________ and ___________
the length of the key; computational work involved in breaking a cipher
The message authentication code ensures that
the message has not been altered and is from the alleged sender; if the message includes a sequence number, then the receiver is assured of the proper sequence
A bot is a computer compromised by malware and under the control of a bot master
true
Both static and dynamic analyses are needed in order to fully understand malware behaviors
true
application resources
typically involves a number of valid requests, each of which consumes significant resources, thus limiting the ability of the server to respond to requests from other users
If the only form of attack that could be made on an encryption algorithm is brute-force, then the way to counter such attacks would be to __________ .
use longer keys
distributed denial of service attacks
-use multiple systems to generate attacks -attacker uses a flaw in the OS or in a common application to gain access and installs their program on a zombie -large collections of such systems under one attacker's control can be created, forming a botnet
What's different about Triple DES
uses 2-3 keys and has a key size of 112 or 168 bits
A one way hash function accepts a ________ and produces a ______. The message is padded out to _____ and padding includes ___________
variable size message; fixed size message; integer multiple of some fixed length; the value of the length of the original message in bits
presenting or generating authentication information that corroborates the binding between the entity and the identifier is the
verification step
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy is a
vulnerability
assurance
ways of convincing ourselves that a model, design, and implementation are correct
A hash function is referred to as _____ if it is computationally infeasible to find y != x with H(y) = H(x) for a given block x
weak collision resistant / second preimage resistant; guarantees that it's infeasible to find an alternative message with the same hash value
List some desirable characteristics of an IDS.
• Run continually with minimal human supervision.
• Be fault tolerant in the sense that it must be able to recover from system crashes and reinitializations.
• Resist subversion. The IDS must be able to monitor itself and detect if it has been modified by an attacker.
• Impose a minimal overhead on the system where it is running.
• Be able to be configured according to the security policies of the system that is being monitored.
• Be able to adapt to changes in system and user behavior over time.
• Be able to scale to monitor a large number of hosts.
• Provide graceful degradation of service in the sense that if some components of the IDS stop working for any reason, the rest of them should be affected as little as possible.
• Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without having to restart it.