Info Sec Midterm study
In information security PKI stands for _________________
Public Key Infrastructure
Examples of Asymmetric Encryption algorithms
RSA, ElGamal
Examples of digital signature algorithms
RSA, Elliptic Curve, DSA
Octal Codes Read Write Execute
Read 4 Write 2 Execute 1
In a PKI, what role does the CA play? (Choose all that apply) Revokes certificates / Uses its private key to digitally sign certificates / Uses its public key to digitally sign certificates / Filters malicious packets
Revokes certificates; Uses its private key to digitally sign certificates
Which two authentication factors are used when a server sends your cell phone a code and asks you to enter your password for the site? (There may be more than one. Choose all that apply) Something you know / Something you have / Something you are / None of these
Something you know; Something you have
Match the statement to True or False. (1) Asking a user for a PIN number and a password would qualify for two-factor authentication. (2) Authentication implies what the authenticated party is allowed to do. (3) Uniqueness is an important characteristic to have for biometric authentication. (4) Hardware tokens may implement a something-you-are factor.
T F T T
Confidentiality
The data can be viewed by only authorized users
Which of the following are true about passwords in Linux? (Choose two.) The passwd file can be viewed by all users. / The shadow file can be viewed by all users. / Passwords are stored in plaintext. / The shadow file contains the hashes of the user passwords. / User passwords are stored in a file called passwd.
The passwd file can be viewed by all users. The shadow file contains the hashes of the user passwords.
Principle of least privilege
allow the bare minimum of access to a subject
Problems with Asymmetric Encryption
Authentication
• How does Bob know that the message is indeed from Alice?
• Someone else might have used Bob's public key, sent him the message, and claimed he/she was Alice!
Integrity
• How does Bob know that the message was not altered on the way (in transit)?
• Even if Bob is able to authenticate that the message is from Alice, it may be that someone altered the message on the way. How can he avoid this?
__________ is the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
Nonrepudiation
RWX R-X --x
Owner: Read, Write, Execute; Group: Read, Execute (no Write); Other: Execute
Octal Code: 754
Owner: Read, Write, Execute; Group: Read, Execute; Other: Read
Based on the Parkerian hexad, what principles are immediately affected if we lose a shipment of encrypted backup tapes that contain personal and payment information of our customers? Confidentiality and integrity / Only confidentiality / Confidentiality and ownership / Ownership and availability
Ownership and availability
Which of the following does a digital certificate NOT include? Choose 2. Private key of owner / Public key of the owner (subject) / Private key of issuer / Validity period / The algorithm used for signing
Private key of owner; Private key of issuer
Defense in depth is a strategy that formulates a __________ defense mechanism to prevent a single point of failure.
layered
When someone working in a sales department is not allowed access to data in human resources, the principle of ________________ is followed. least privilege / Kerckhoff / confused deputy problem / none of the above
least privilege
fabrication
making unwanted data
In _________ access control, access to a resource is determined by a group or individual who has the authority to set access on resources. Mandatory / Role-based / Discretionary / Attribute-based
mandatory
An authentication mechanism in which both parties (server and client) authenticate each other is called ________________. multifactor authentication / symmetric authentication / mutual authentication / multi-party authentication
mutual authentication
integrity
only authorized users change
rainbow table
precomputed hash values
incident response steps
preparation, detection, containment, eradication, recovery, post-incident
Assume Alice and Bob both have public and private keys in a public key setting. If Alice and Bob want to agree on a secret value, then Alice uses her ________________ key and Bob's ____________ key to compute the secret value. private / private; public / private; public / public; private / public
private / public
In order to reduce rainbow table attacks against passwords, random bits are added to the password before hashing. This sequence of random bits is called _________
salt
Kerckhoff's Principle
should remain secure even if the system is known
authenticity
the data originates from claimed user
Capabilities
use token to control access
Symmetric Key
uses the same key for encryption and decryption; only the 2 parties know it
Order risk management:
asset identification, threat identification, vulnerability identification, risk assessment, risk mitigation
chosen plaintext attack
attacker has ciphertext and can choose a limited number of plaintexts and compute the corresponding ciphertexts. You have the opportunity to choose a plaintext and get its ciphertext (without knowing the key). What would you choose for the plaintext?
known plaintext attacks
attacker has ciphertext and plaintext. You know that HELLO encrypts to MJQQT. Can you find the key?
chosen ciphertext attacks
attacker has the same ability as in chosen plaintext attacks, but can query a limited number of ciphertexts and get the plaintext for them. You have the opportunity to choose a ciphertext and get the plaintext for it (without knowing the key). What would you choose for the ciphertext?
ciphertext only attacks
attacker only has ciphertexts. How can you proceed to break the cipher if all you have is the ciphertext, GJFZYNKZQ IFD?
Brute force
attempts all possibilities
Which should take place first, authorization or authentication?
authentication
dictionary
dictionary of common words
Assume Alice and Bob both have public and private keys in a public key setting. If Alice wants to send Bob a signed message, Alice first hashes her message and _______ the hash using ______'s ____________ key. encrypts / Alice / private; encrypts / Bob / public; decrypts / Alice / private; decrypts / Bob / private
encrypts / Alice / private
Alice uses a shift cipher with a shift of 4 to encrypt her message to Bob. If the ciphertext she obtains is "ksshpygo", what is her message in plaintext?
goodluck
Order the steps in risk management. ____ Risk assessment ____ Vulnerability assessment ____ Asset identification ____ Threat identification ____ Risk mitigation
1. Asset identification 2. Threat identification 3. Vulnerability assessment 4. Risk assessment 5. Risk mitigation
Digital Certificates include
A digital certificate is an electronic document that binds a public key with an entity (person, organization). It includes:
• The owner (subject) name/id
• The public key of the owner
• The digital signature (seal) of the issuing entity (authority)
• Validity period of the certificate
• Algorithms used
Steps to Risk management
1. identify assets 2. identify threats 3. assess vulnerabilities 4. assess risk 5. mitigate
To verify a signature on a message from Alice, Bob uses _____________. Alice's public key / Alice's private key / his private key / his public key
Alice's public key
Assume Alice and Bob both have public and private keys in a public key setting. If Alice wants to send Bob a secret message, Alice encrypts her message using _________________ key and Bob decrypts it using ___________________ key. Alice's private / Bob's public; Alice's private / Bob's private; Bob's public / Bob's private; Alice's public / Bob's private
Bob's public / Bob's private
____________ is the study of the frequency of letters or groups of letters in a ciphertext.
Frequency Analysis
____________ are used to tell a human from a bot.
CAPTCHAs
In which of these attack scenarios is the attacker most powerful? Ciphertext only attacks / Known plaintext attacks / Chosen plaintext attack / The attacker always has the same power
Chosen plaintext attack
Main tenets of info sec
Confidentiality, integrity, authenticity, nonrepudiation
CIA stands for:
Confidentiality, Integrity, Availability
Which of the following are symmetric key ciphers? Select all that apply. RSA / DES / AES / Diffie-Hellman
DES, AES
Examples of Key Agreement Schemes
Diffie-Hellman, Elliptic Curve
Uses of Hash Functions
Digital signatures, password files, intrusion/virus detection, construction of pseudorandom numbers, file sync
public key cryptography
Each user has a public and private key; public keys are published, private keys are secret
Public Key (Asymmetric) Encryption
Encrypt the shared secret key for symmetric ciphers using asymmetric (public key) encryption and send over the (not secure) channel.
Which of the following measures the rate at which we fail to authenticate legitimate users in a biometric system? EER / FAR / FRR / FER
FRR
Order the steps for access control. ____ Authorization ____ Accountability ____ Identification ____ Authentication
1. Identification 2. Authentication 3. Authorization 4. Accountability
Which of the following are true about passwords in Linux? (Choose two.) The shadow file contains the hashes of the user passwords. / Passwords are stored in plaintext. / The passwd file can be viewed by all users. / User passwords are stored in a file called passwd. / The shadow file can be viewed by all users.
The shadow file contains the hashes of the user passwords. The passwd file can be viewed by all users.
Software licensing can and should be audited in a company. True / False
True
interception
Unauthorized access to information (e.g. tapping, sniffing, unsecured wireless communication, emanations)
Order the steps for access control. ____ Authorization ____ Accountability ____ Identification ____ Authentication
__1__ Identification __2__ Authentication __3__ Authorization __4__ Accountability
Key Agreement Algorithms
Use public and private keys to agree on a key without exchanging any private information.
attribute-based access control ABAC
based on attributes of the subject, for example a height requirement for a ride
Role-Based Access Control (RBAC)
based on the role of the subject
ACL Access control list
built for a specific resource; lists subjects and their access rights (R, W, X)
Which type of access control would be used in the case where we wish to prevent users from logging in to their accounts after business hours? Capabilities / Access control list / Both of these / None of these
capabilities
interruption
causing asset to be unusable
A user with username student logs in to a Linux machine and executes the following commands in the given order:
student$ mkdir homework
student$ mkdir homework/hw1
student$ cd homework
student$ mkdir hw2
student$ cd hw2
Choose the commands that would end the user in the hw1 directory. (There are two of them) cd ~/hw1 / cd ../hw1 / cd ../../hw1 / cd /home/student/homework/hw1
cd ../hw1 and cd /home/student/homework/hw1
In which of these attacks does the attacker construct or modify the site in order to place an invisible layer over something the client would normally click on, in order to cause the client to execute a command differing from what they actually think they are performing? None of these / XSS / CSRF / Clickjacking
clickjacking
Interception attacks are primarily against __________ of information.
confidentiality
mandatory access control
decided by a group or individual with authority over the resource
Discretionary Access Control (DAC)
determined by the owner of the resource
hybrid
dictionary attack that also mixes in numbers and symbols
