CYSE 101 Final
If we are using an identity card such as a driver's license as the basis for our authentication scheme, which of the following additions would *not* represent multifactor authentication?
A birth certificate
Why does access control based on the Media Access Control (MAC) address of the systems on our network not represent strong security?
MAC addresses can be easily spoofed or changed
What do we call the process in which the client authenticates to the server and the server authenticates to the client?
Mutual authentication
How do we know at what point we can consider our environment to be secure?
Never; perfect security does not exist
When we have cycled through the entire operations security process, are we finished?
No, we continue to iterate through the steps
Which of the following would *not* be part of a solution in the Polycom case study?
Off site backups
What does the European Union's (EU) Data Protection Directive (Directive 95/46/EC) deal with?
PII
Which of the following is an example of a race condition?
Two bank transactions (withdrawals) run concurrently and the balances are not properly accumulated (recorded)
From a security perspective, why might we not want to allow personal equipment to be attached to the network of our organization?
malware and intellectual property issues
What is the foremost concern as related to physical security?
protect people
If we are using a 4-character password that contains only lowercase English alphabetic characters (26 different characters), how many *more* possible passwords are there if we use a 5-character password (still only lowercase English alphabetic characters)?
11,424,400 more possibilities
What is the difference between a stateful packet filtering firewall and a basic packet filtering firewall?
A stateful packet filtering firewall tracks sessions between systems
Which of the following about vulnerabilities and threats is *not* true?
A vulnerability or a threat, but not both, are required to create risk
What is competitive counterintelligence?
Actions to defeat competitive intelligence activities
Which of the following is true regarding the history of cybersecurity as presented in class and the associated document?
Advances (firewalls, intrusion detection, encryption algorithms, etc.) often followed attacks or apparent weaknesses
Which should take place first, authorization or authentication?
Authentication
Which of the following is *not* true about complex and automatically generated passwords that are unique to each system and are a minimum of 30 characters in length, such as !Hs4(j0qO$&zn1%2SK38cn^!Ks620!?
Brute force password crackers will break them as quickly as a 4-digit PIN
Name the two main categories of Web security.
Client-side attacks and server-side attacks
In a data breach (such as the OPM case) which security characteristic of data has been violated?
Confidentiality
What does the Brewer and Nash model protect against?
Conflict of interest
What do we call the rate at which we fail to authenticate legitimate users in a biometric system?
False Rejection Rate (FRR)
What is the third law of operations security?
If you are not protecting it (the information), . . . THE DRAGON WINS!
What is the difference between Mandatory Access Control (MAC) and Discretionary Access Control (DAC)?
In DAC, the owner of the resource determines access; in MAC, the owner of the resource does not determine access
The primary vulnerability in the Lodz Tram Hack case study was:
Lack of authentication
Considering the CIA triad and the Parkerian hexad, which of the following is true?
Parkerian is more complete but not as widely known
What does PII stand for?
Personally Identifiable Information
What does the concept of defense in depth mean?
Protect your data and systems with tools and techniques from different layers
What is the purpose of a network DMZ?
Provide external access to systems that need to be exposed to external networks such as the Internet in order to function
What does a fuzzing tool do?
Provide multiple data and inputs to discover vulnerabilities
The term operations security and the acronym OPSEC were coined by what Vietnam War-era study?
Purple Dragon
What is the quantitative formula for risk presented in class?
RISK = P(E|V,T) * Impact
What is residual data and why is it a concern when protecting the security of our data?
Residual data is data that remains after it has been used; not erasing or destroying it may be exposing data that we would not normally want made public
At a high level, what does the Federal Privacy Act of 1974 do?
Safeguards privacy through creating four rights in personal data
What does the tool Nikto do?
Scans a web server for common vulnerabilities
Why is it important to use strong passwords?
Strong passwords are harder (take longer) to brute force
When considering possible risk mitigation actions, which relationship between risk reduction and cost of the action would cause us to recommend the action?
The reduction in risk is greater than the cost of the action
Why is it important from a security perspective to remove extraneous files from a Web server?
They may provide information or vulnerabilities useful to an attacker
For what might we use the tool Kismet?
To detect wireless devices
What is the "principle of least privilege"?
Users are only provided the level of access needed for the task
What is pretexting?
Using a fake identity and creating a believable scenario for malicious purposes
Which of the following is *not* true?
Voice authentication requires speech to text capability
How does an XSRF attack work?
a link or script on one web page is executed in the context of another open web page or web application
Which of the following would not be a type of physical access control we might put in place in order to block access to a vehicle?
cameras
What is the primary purpose of a network firewall?
control the traffic allowed in and out of a network
Does an SQL injection attack compromise content in the database or content in the Web application?
database
What is the primary purpose of a Network Intrusion Detection System?
detect possible attack traffic
Which of the following is *not* a physical control that constitutes a deterrent?
encryption
Which of the following is *not* a type or category of control we use for physical security?
evidence measures
Which of the following would *not* be considered a logical (technical) control?
fences
Did the formal OPSEC methodology emerge from the government/military or commercial/industrial sectors?
government/military
What does California's SB 1386 deal with?
handling unauthorized exposure of data relating to California residents
How can we prevent buffer overflows in our applications?
implement proper bounds checking
Why might we want to use information classification?
it makes the task of identifying our critical information considerably easier
Which of the following is not a provision of the Federal Privacy Act of 1974?
it provides individuals the "right to be removed from the Internet"
Which of the following is not a protocol for wireless encryption?
kismet
Why does network segmentation generally improve security?
malicious traffic cannot freely traverse the internal network
What tool mentioned in the text might we use to scan for devices on a network, to include fingerprinting the operating system and detecting versions of services on open ports?
nmap
Is it OK to use the same password for all of our accounts?
no because a compromise of one account leads to a compromise of all accounts using the same password
How does a spear phishing attack differ from a general phishing attack?
number of targets and custom messages
Name the three major priorities for physical security, in order of importance.
people, data, equipment
What biometric factor describes how well a characteristic resists change over time?
permanence
What is the difference between a port scanner and a vulnerability assessment tool?
port scanners discover listening ports; vulnerability assessment tools report known vulnerabilities on listening ports
How does the principle of least privilege apply to operating system hardening?
prevents attack actions that require administrator or root privilege
What does executable space protection do for us and how?
prevents buffer overflow attacks from working by blocking code execution on the memory stack
Which of the following is not something we can do to more effectively reach users in our security awareness and training efforts?
randomly fire employees regardless of their actions
Which of the following is not a reason to use a honeypot?
release classified or PII data
What is one of the best steps we can take to protect people?
remove them from the dangerous situation
What did the PCI DSS establish?
security standards as a condition of processing credit card transactions
If an antivirus tool is looking for specific bytes in a file (e.g., hex 50 72 6F etc.) to label it malicious, what type of AV detection is this?
signature
Why is it important to identify our critical information?
so we can focus on protecting those assets first
The confused deputy problem can allow unauthorized privilege escalation to take place; how does this happen?
software has greater privilege than the user of the software
A physical key (like for a door lock) would be described as which type of authentication factor?
something you have
Which of the following is *not* an example of how a living organism (e.g., insects or small animals) might constitute a threat to our equipment?
steal passwords
What was the primary topic of the material that Edward Snowden released?
surveillance of electronic communications of US citizens
In a security context, tailgating is...
the act of following someone through an access control point
Why might using the wireless network in a hotel with a corporate laptop be dangerous?
the network may not be secure
What is a cyber attack surface?
the total of the number of available avenues through which our system might be attacked
Why might we want to use RAID?
to ensure that we do not lose data from hardware failures in individual disks
In the fake finger video from class, what was the printed circuit board used for?
to etch the fingerprint
Why is input validation important from a security perspective?
to prevent certain types of attacks
How might we use a sniffer to increase the security of our applications?
to watch the network traffic being exchanged with a particular application or protocol
Why are humans considered to be the weak link?
user actions can bypass all of our other security measures
What is the difference between verification and authentication of an identity?
verification is a weaker confirmation of identity than authentication
In the operations security process, what is the difference between a vulnerability and a threat?
vulnerabilities are weaknesses, threats are actors
Does an organization's location or the national origin or location of data they are transmitting or storing affect the organization's use of encryption or how they treat employee information?
yes
The Bell-LaPadula and Biba multilevel access control models each have a different primary security focus. Can these two models be used in conjunction?
yes
Are nmap results always accurate, or is it sometimes necessary to verify nmap output with another tool?
you should verify nmap results with another tool or data source