CYSE 101 Final

If we are using an identity card such as a driver's license as the basis for our authentication scheme, which of the following additions would *not* represent multifactor authentication?

A birth certificate

Why does access control based on the Media Access Control (MAC) address of the systems on our network not represent strong security?

MAC addresses can be easily spoofed or changed

What do we call the process in which the client authenticates to the server and the server authenticates to the client?

Mutual authentication

How do we know at what point we can consider our environment to be secure?

Never; perfect security does not exist

When we have cycled through the entire operations security process, are we finished?

No, we continue to iterate through the steps

Which of the following would *not* be part of a solution in the Polycom case study?

Off site backups

What does the European Union's (EU) Data Protection Directive (Directive 95/46/EC) deal with?

PII

Which of the following is an example of a race condition?

Two bank transactions (withdrawals) run concurrently and the balances are not properly accumulated (recorded)

From a security perspective, why might we not want to allow personal equipment to be attached to the network of our organization?

malware and intellectual property issues

What is the foremost concern as related to physical security?

protect people

If we are using a 4-character password that contains only lowercase English alphabetic characters (26 different characters), how many *more* possible passwords are there if we use a 5-character password (still only lowercase English alphabetic characters)?

11,424,400 more possibilities

What is the difference between a stateful packet filtering firewall and a basic packet filtering firewall?

A stateful packet filtering firewall tracks sessions between systems

Which of the following about vulnerabilities and threats is *not* true?

A vulnerability or a threat, but not both, is required to create risk

What is competitive counterintelligence?

Actions to defeat competitive intelligence activities

Which of the following is true regarding the history of cybersecurity as presented in class and the associated document?

Advances (firewalls, intrusion detection, encryption algorithms, etc.) often followed attacks or apparent weaknesses

Which should take place first, authorization or authentication?

Authentication

Which of the following is *not* true about complex and automatically generated passwords that are unique to each system and are a minimum of 30 characters in length, such as !Hs4(j0qO$&zn1%2SK38cn^!Ks620! ?

Brute force password crackers will break them as quickly as a 4-digit PIN

Name the two main categories of Web security.

Client-side attacks and server-side attacks

In a data breach (such as the OPM case) which security characteristic of data has been violated?

Confidentiality

What does the Brewer and Nash model protect against?

Conflict of interest

What do we call the rate at which we fail to authenticate legitimate users in a biometric system?

False Rejection Rate (FRR)

What is the third law of operations security?

If you are not protecting it (the information), . . . THE DRAGON WINS!

What is the difference between Mandatory Access Control (MAC) and Discretionary Access Control (DAC)?

In DAC, the owner of the resource determines access; in MAC, the owner of the resource does not determine access

The primary vulnerability in the Lodz Tram Hack case study was:

Lack of authentication

Considering the CIA triad and the Parkerian hexad, which of the following is true?

Parkerian is more complete but not as widely known

What does PII stand for?

Personally Identifiable Information

What does the concept of defense in depth mean?

Protect your data and systems with tools and techniques from different layers

What is the purpose of a network DMZ?

Provide external access to systems that need to be exposed to external networks such as the Internet in order to function

What does a fuzzing tool do?

Provide multiple data and inputs to discover vulnerabilities

The term operations security and the acronym OPSEC were coined by what Vietnam War-era study?

Purple Dragon

What is the quantitative formula for risk presented in class?

RISK = P(E|V,T) * Impact

What is residual data and why is it a concern when protecting the security of our data?

Residual data is data that remains after it has been used; not erasing or destroying it may be exposing data that we would not normally want made public

At a high level, what does the Federal Privacy Act of 1974 do?

Safeguards privacy through creating four rights in personal data

What does the tool Nikto do?

Scans a web server for common vulnerabilities

Why is it important to use strong passwords?

Strong passwords are harder (take longer) to brute force

When considering possible risk mitigation actions, which relationship between risk reduction and cost of the action would cause us to recommend the action?

The reduction in risk is greater than the cost of the action

Why is it important from a security perspective to remove extraneous files from a Web server?

They may provide information or vulnerabilities useful to an attacker

For what might we use the tool Kismet?

To detect wireless devices

What is the "principle of least privilege"?

Users are only provided the level of access needed for the task

What is pretexting?

Using a fake identity and creating a believable scenario for malicious purposes

Which of the following is *not* true?

Voice authentication requires speech to text capability

How does an XSRF attack work?

a link or script on one web page is executed in the context of another open web page or web application

Which of the following would not be a type of physical access control we might put in place in order to block access to a vehicle?

cameras

What is the primary purpose of a network firewall?

control the traffic allowed in and out of a network

Does an SQL injection attack compromise content in the database or content in the Web application?

database

What is the primary purpose of a Network Intrusion Detection System?

detect possible attack traffic

Which of the following is *not* a physical control that constitutes a deterrent?

encryption

Which of the following is *not* a type or category of control we use for physical security?

evidence measures

Which of the following would *not* be considered a logical (technical) control?

fences

Did the formal OPSEC methodology emerge from the government/military or commercial/industrial sectors?

government/military

What does California's SB 1386 deal with?

handling unauthorized exposure of data relating to California residents

How can we prevent buffer overflows in our applications?

implement proper bounds checking

Why might we want to use information classification?

it makes the task of identifying our critical information considerably easier

Which of the following is not a provision of the Federal Privacy Act of 1974?

it provides individuals the "right to be removed from the Internet"

Which of the following is not a protocol for wireless encryption?

kismet

Why does network segmentation generally improve security?

malicious traffic cannot freely traverse the internal network

What tool mentioned in the text might we use to scan for devices on a network, to include fingerprinting the operating system and detecting versions of services on open ports?

nmap

Is it OK to use the same password for all of our accounts?

no because a compromise of one account leads to a compromise of all accounts using the same password

How does a spear phishing attack differ from a general phishing attack?

number of targets and custom messages

Name the three major priorities for physical security, in order of importance.

people, data, equipment

What biometric factor describes how well a characteristic resists change over time?

permanence

What is the difference between a port scanner and a vulnerability assessment tool?

port scanners discover listening ports; vulnerability assessment tools report known vulnerabilities on listening ports

How does the principle of least privilege apply to operating system hardening?

prevents attack actions that require administrator or root privilege

What does executable space protection do for us and how?

prevents buffer overflow attacks from working by blocking code execution on the memory stack

Which of the following is not something we can do to more effectively reach users in our security awareness and training efforts?

randomly fire employees regardless of their actions

Which of the following is not a reason to use a honeypot?

release classified or PII data

What is one of the best steps we can take to protect people?

remove them from the dangerous situation

What did the PCI DSS establish?

security standards as a condition of processing credit card transactions

If an antivirus tool is looking for specific bytes in a file (e.g., hex 50 72 6F etc.) to label it malicious, what type of AV detection is this?

signature

Why is it important to identify our critical information?

so we can focus on protecting those assets first

The confused deputy problem can allow unauthorized privilege escalation to take place; how does this happen?

software has greater privilege than the user of the software

A physical key (like for a door lock) would be described as which type of authentication factor?

something you have

Which of the following is *not* an example of how a living organism (e.g., insects or small animals) might constitute a threat to our equipment?

steal passwords

What was the primary topic of the material that Edward Snowden released?

surveillance of electronic communications of US citizens

In a security context, tailgating is...

the act of following someone through an access control point

Why might using the wireless network in a hotel with a corporate laptop be dangerous?

the network may not be secure

What is a cyber attack surface?

the total of the number of available avenues through which our system might be attacked

Why might we want to use RAID?

to ensure that we do not lose data from hardware failures in individual disks

In the fake finger video from class, what was the printed circuit board used for?

to etch the fingerprint

Why is input validation important from a security perspective?

to prevent certain types of attacks

How might we use a sniffer to increase the security of our applications?

to watch the network traffic being exchanged with a particular application or protocol

Why are humans considered to be the weak link?

user actions can bypass all of our other security measures

What is the difference between verification and authentication of an identity?

verification is a weaker confirmation of identity than authentication

In the operations security process, what is the difference between a vulnerability and a threat?

vulnerabilities are weaknesses, threats are actors

Does an organization's location or the national origin or location of data they are transmitting or storing affect the organization's use of encryption or how they treat employee information?

yes

The Bell-LaPadula and Biba multilevel access control models each have a different primary security focus. Can these two models be used in conjunction?

yes

Are nmap results always accurate, or is it sometimes necessary to verify nmap output with another tool?

you should verify nmap results with another tool or data source

