CYSE 101 FINAL
What is the difference between a stateful packet filtering firewall and a basic packet filtering firewall?
a) A stateful packet filtering firewall tracks sessions between systems
b) A basic packet filtering firewall inspects all bytes in every packet
c) A stateful packet filtering firewall does not track sessions between systems
d) A basic packet filtering firewall tracks sessions between systems
A stateful packet filtering firewall tracks sessions between systems
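To make the distinction concrete, here is an added example (not part of the course material): a toy stateless filter beside a toy stateful one, both run over a constructed three-packet trace. The addresses, ports and the "allowed outbound ports" policy are assumptions for illustration. The stateless filter can only reason about the packet in front of it, so to let web replies in it has to admit any inbound packet sourced from port 443, which an attacker satisfies by simply scanning from that port. The stateful filter admits an inbound packet only if it matches a session the inside host opened.

```python
# Added example, not course code: stateless vs stateful packet filtering on a
# constructed trace. Addresses are from documentation ranges (assumed).
from collections import namedtuple

Packet = namedtuple("Packet", "direction src sport dst dport flags")

INTERNAL_HOST = "10.0.0.5"            # assumed inside client
ALLOWED_OUTBOUND_PORTS = {80, 443}    # assumed policy: web only


def stateless_allow(pkt):
    """Basic packet filter: decides from this packet's header fields alone.
    Inbound replies have to be admitted by source port, which is attacker-controlled."""
    if pkt.direction == "out":
        return pkt.dport in ALLOWED_OUTBOUND_PORTS
    return pkt.sport in ALLOWED_OUTBOUND_PORTS


class StatefulFilter:
    """Tracks sessions: an inbound packet is admitted only if it is the reverse
    of a connection the inside host opened (reversed 4-tuple lookup)."""

    def __init__(self):
        self.sessions = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            if pkt.dport not in ALLOWED_OUTBOUND_PORTS:
                return False
            if "SYN" in pkt.flags:          # new connection: remember it
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


# Constructed trace: a legitimate HTTPS fetch, then an unsolicited probe of
# port 22 that the attacker sources from port 443 to slip past a port-only rule.
TRACE = [
    Packet("out", INTERNAL_HOST, 51000, "198.51.100.10", 443, {"SYN"}),
    Packet("in", "198.51.100.10", 443, INTERNAL_HOST, 51000, {"SYN", "ACK"}),
    Packet("in", "203.0.113.7", 443, INTERNAL_HOST, 22, {"SYN"}),
]


def compare(trace=TRACE):
    """Return each filter's verdict per packet, in trace order."""
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in trace],
        "stateful": [stateful.allow(p) for p in trace],
    }


if __name__ == "__main__":
    print(compare())   # stateless admits the probe; stateful drops it
```

The third packet is the whole point: both filters pass the real reply, but only the session-tracking filter rejects the probe, because no inside host ever sent a SYN to 203.0.113.7.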
What is competitive counterintelligence?
a) Actions to spy on your competition
b) Actions to defeat competitive intelligence activities
c) Actions your competition uses to spy on you
Actions to defeat competitive intelligence activities
Case Study: Automobile Hacking (video)
How Exploited: injection or modification of messages, giving the attacker control of the car's physical features
Which of the following is not part of operating system hardening?
a) Making alterations to common accounts
b) Applying software updates in a timely manner
c) Changing the main network firewall ruleset
d) Applying the principle of least privilege
e) Making use of logging and auditing functions
f) Removing or turning off unessential services
g) Removing unnecessary software
Changing the main network firewall ruleset
Name the two main categories of Web security.
a) Buffer overflows and SQL injection
b) Client-side attacks and server-side attacks
c) Denial of Service (DoS) and Distributed Denial of Service (DDoS)
d) Race conditions and input validation
Client-side attacks and server-side attacks
Case Study: RQ-170 Sentinel (UAV)
How Exploited: the UAV's (Unmanned Aerial Vehicle's) communication links were blocked
Vulnerabilities:
- insecure communication
- untrusted navigation
- unencrypted data
- exposed designs and technology
Threat: nation states
Controls: mainly cryptography (encryption) and physical security
Case Study: Hainan Island Incident
How Exploited: physical access to systems; not everything was encrypted (and keys were present for some of what was)
Impacts: mainly confidentiality (exposure of data, code, and designs); possibly integrity and availability
Vulnerabilities:
- unencrypted data at rest and in process
Threat: nation states
Controls: mainly cryptography (encryption) and physical security
Case Study: Stuxnet
How Exploited: centrifuge failures at an Iranian nuclear facility, caused by malware introduced on USB media
Impact: integrity and availability
Vulnerabilities:
- external media (what is allowed in)
- code integrity
- weak internal security
Threats: hackers for hire, nation states, hacktivists, terrorists, insiders
Controls: (most controls apply)
- no media allowed in or out
- file integrity checkers
- disable unneeded services/ports
Case Study: Ukraine Power Grid
How Exploited: a phishing email led to IT network access and compromised workstations
Vulnerabilities:
- weak anti-malware
- weak user resistance to phishing
- single-factor authentication
Threats: hackers for hire, nation states, hacktivists, terrorists, insiders, other
Controls: most controls apply
What is the third law of operations security?
a) If you are not protecting it (the information), . . . DON'T WORRY, SOMEONE ELSE WILL!
b) If you are not protecting it (the information), . . . THE DRAGON WINS!
c) If you are not protecting it (the information), . . . POLISH YOUR RESUME!
d) If you are not protecting it (the information), . . . YOU ARE OK!
If you are not protecting it (the information), . . . THE DRAGON WINS!
Which of the following is not a reason why clicking on a shortened URL from a service such as bit.ly might be dangerous?
a) The user doesn't know the real URL
b) The real URL might be malicious
c) It is easier than typing the long URL
It is easier than typing the long URL
When we have cycled through the entire operations security process, are we finished?
a) No, we continue to iterate through the steps
b) Yes, after one cycle we are done
No, we continue to iterate through the steps
What does the European Union's (EU) Data Protection Directive (Directive 95/46/EC) deal with?
a) AES
b) PII
c) XKCD
d) RSA
e) PGP
PII
What does PII stand for?
a) Privacy, Identify, and Integrity
b) Protocol Independent Identity
c) Protocol Independent Integrity
d) Personally Identifiable Information
Personally Identifiable Information
What is the purpose of a network DMZ?
a) Encrypt the traffic to and from sensitive systems
b) Provide external access to systems that need to be exposed to external networks such as the Internet in order to function
c) Encrypt the hard drives of sensitive systems
d) Isolate systems so that they cannot be reached from external networks such as the Internet
Provide external access to systems that need to be exposed to external networks such as the Internet in order to function
What does a fuzzing tool do?
a) Decrypts strongly encrypted content
b) Provide multiple data and inputs to discover vulnerabilities
c) Decrypts poorly encrypted content
d) Guesses a password to gain system access
Provide multiple data and inputs to discover vulnerabilities
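"Multiple data and inputs" is abstract, so here is an added example of what a fuzzer actually does (this is illustration code, not from the course): a mutation fuzzer that takes one valid record, randomly flips, inserts, deletes and truncates bytes, and feeds each variant to a target parser. The target format (type, length, payload, checksum) and its bug are hypothetical: `parse_record` trusts the length field, so an oversized length makes the checksum read run off the end of the data, the Python analogue of an out-of-bounds read. A `ValueError` is the parser rejecting bad input cleanly and is not a finding; any other exception is. The bounds-checked `parse_record_fixed` survives the same inputs.

```python
# Added example, not course code: a minimal mutation fuzzer against a
# hypothetical length-prefixed record parser, with and without bounds checks.
import random

# Constructed valid record: type 0x01, length 3, payload "abc", checksum 0x26
SEED_INPUT = bytes([0x01, 0x03, 0x61, 0x62, 0x63, 0x26])


def parse_record(data: bytes) -> dict:
    """Hypothetical target: [type:1][len:1][payload:len][checksum:1].
    Bug: the length field is trusted, so data[2 + length] can index past the end."""
    rtype = data[0]
    length = data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]              # over-read when length is too large
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")     # clean rejection, not a bug
    return {"type": rtype, "payload": payload}


def parse_record_fixed(data: bytes) -> dict:
    """Same format with proper bounds checking before any index is used."""
    if len(data) < 2 or len(data) < 3 + data[1]:
        raise ValueError("truncated record")
    return parse_record(data)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: byte flip, insert, delete or truncate."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target, seed=SEED_INPUT, iterations=500, rng_seed=1):
    """Run mutated inputs through target; return (input, exception name) for
    every crash that is not a deliberate ValueError rejection."""
    rng = random.Random(rng_seed)            # fixed seed: reproducible findings
    findings = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                          # parser handled it
        except Exception as exc:              # anything else is a bug
            findings.append((case, type(exc).__name__))
    return findings


if __name__ == "__main__":
    crashes = fuzz(parse_record)
    print(len(crashes), "crashes in unchecked parser, e.g.", crashes[:1])
    print(len(fuzz(parse_record_fixed)), "crashes in bounds-checked parser")
```

Real fuzzers (AFL, libFuzzer) add coverage feedback so mutations that reach new code are kept as new seeds, but the loop above is the core idea: generate many malformed inputs cheaply and let the target tell you where its assumptions break.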
The term operations security and the acronym OPSEC were coined by what Vietnam War-era study?
a) Red Dragon
b) Operation Barbarossa
c) Purple Dragon
d) The Tet Offensive
Purple Dragon
What is the quantitative formula for risk presented in class?
a) RISK = P(impact) * P(E|V,T)
b) RISK = P(V,T|E) * Impact
c) RISK = P(V|T) * Impact
d) RISK = P(E|V,T) * Impact
RISK = P(E|V,T) * Impact
What is residual data and why is it a concern when protecting the security of our data?
a) Residual data is data that is encrypted after it has been used, thus alleviating any concerns
b) Residual data is data stolen from a breached database; the data may later be made public
c) Residual data is data that remains after it has been used; not erasing or destroying it may be exposing data that we would not normally want made public
d) Residual data is data that is destroyed after it has been used, thus alleviating any concerns
Residual data is data that remains after it has been used; not erasing or destroying it may be exposing data that we would not normally want made public
At a high level, what does the Federal Privacy Act of 1974 do?
a) Provides for the electronic surveillance of US citizens without a warrant
b) Proposes security standards as a condition of processing credit card transactions
c) Safeguards privacy through creating four rights in personal data
d) Provides algorithms for the strong encryption of data
Safeguards privacy through creating four rights in personal data
What does the tool Nikto do?
a) Guesses a password to gain system access
b) Decrypts poorly encrypted content
c) Decrypts strongly encrypted content
d) Scans a web server for common vulnerabilities
Scans a web server for common vulnerabilities
What is a key difference between signature and anomaly detection in IDSs?
a) Signature detection uses fingerprints or distinct patterns of attacks to detect intrusions; anomaly detection uses deviation from baseline activity to detect intrusions
b) Signature detection uses software behaviors to detect intrusions; anomaly detection uses deviation from baseline activity to detect intrusions
c) Anomaly detection uses fingerprints or distinct patterns of attacks to detect intrusions; signature detection uses deviation from baseline activity to detect intrusions
d) Anomaly detection uses code genealogy (derived code) to detect intrusions; signature detection uses fingerprints or distinct patterns of attacks to detect intrusions
Signature detection uses fingerprints or distinct patterns of attacks to detect intrusions; anomaly detection uses deviation from baseline activity to detect intrusions
Why is it important to use strong passwords?
a) A strong password can be safely shared across multiple sites
b) Weak passwords are just as good as strong ones
c) Strong passwords are easier to remember
d) Strong passwords are harder (take longer) to brute force
Strong passwords are harder (take longer) to brute force
When considering possible risk mitigation actions, which relationship between risk reduction and cost of the action would cause us to recommend the action?
a) The relationship between reduction in risk and cost of the action is not relevant
b) The reduction in risk is less than the cost of the action
c) The reduction in risk is greater than the cost of the action
The reduction in risk is greater than the cost of the action
Why is it important from a security perspective to remove extraneous files from a Web server?
a) They may be misunderstood by legitimate users or customers
b) They may provide information or vulnerabilities useful to an attacker
c) They take up memory
d) They take up disk space
They may provide information or vulnerabilities useful to an attacker
Which of the following is an example of a race condition?
a) Two bank transactions (withdrawals) run concurrently and the balances are not properly accumulated (recorded)
b) A malicious user leaves a trojan horse program for a later user to execute
c) Two bank transactions (withdrawals) run sequentially and the balances are not properly accumulated (recorded)
d) An attacker sends high volumes of network traffic to overwhelm a target
Two bank transactions (withdrawals) run concurrently and the balances are not properly accumulated (recorded)
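The bank-withdrawal race is easy to state and hard to reproduce, because it depends on two threads interleaving at exactly the wrong moment. The added example below (illustration code, not from the course) makes the bad interleaving happen on every run: both threads check the balance, then park on a `threading.Barrier` inside the check-then-act window, then both subtract. The barrier is a constructed hook to force the timing; it is not something real code would have. The locked version makes the check and the update one atomic step, so only one of two 80-unit withdrawals from a 100-unit balance can succeed.

```python
# Added example, not course code: a check-then-act race on an account balance,
# forced deterministically with a Barrier, beside the lock-protected fix.
import threading


class Account:
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount, gate=None):
        """No lock: another thread can change balance between the check and
        the update. `gate` (constructed for the demo) parks both threads in
        that window so the race is reproducible instead of occasional."""
        if self.balance >= amount:
            if gate is not None:
                gate.wait()                  # both threads have passed the check
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount):
        """Check and update happen under one lock, so they are atomic."""
        with self._lock:
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False


def run_two_withdrawals(safe, amount=80, start=100):
    """Two threads each try to withdraw `amount` from the same account.
    Returns (number of successful withdrawals, final balance)."""
    acct = Account(start)
    results = []
    gate = None if safe else threading.Barrier(2)

    def worker():
        ok = acct.withdraw_safe(amount) if safe else acct.withdraw_racy(amount, gate)
        results.append(ok)                   # list.append is thread-safe in CPython

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), acct.balance


if __name__ == "__main__":
    print("racy:", run_two_withdrawals(safe=False))   # both succeed, balance goes negative
    print("safe:", run_two_withdrawals(safe=True))    # one succeeds, balance stays >= 0
```

The racy run ends with two "successful" withdrawals and a balance of -60; the same invariant (balance never below zero) holds in the locked run. In a real system the same bug shows up as a TOCTOU (time-of-check to time-of-use) flaw wherever a permission or quota is checked in one step and consumed in another.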
What is pretexting?
a) Using a fake identity and creating a believable scenario for malicious purposes
b) Texting a remote site before connecting to it over a network
c) Send text message before sunrise
d) Inserting hidden text before the start of a message
Using a fake identity and creating a believable scenario for malicious purposes
How does an XSRF attack work?
a) a link or script on one web page is executed in the context of another open web page or web application
b) a buffer overflow on one site is executed by a remote user on another site
c) a link or script on one web page is executed in the context of that same web page
d) a user's credentials compromised in one attack are used to log in to another target
a link or script on one web page is executed in the context of another open web page or web application
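The reason a request from the attacker's page runs "in the context of" the victim's session is that the browser attaches the victim's cookies to any request aimed at the bank's origin, whichever page triggered it. The added example below (illustration code, not from the course) simulates that with plain dictionaries standing in for HTTP requests and an in-memory session store: a handler that authenticates by cookie alone honours the forged request, while one that also demands a per-session synchronizer token (which the attacker's page cannot read) rejects it. Session store, request shape and amounts are all constructed for the demo.

```python
# Added example, not course code: CSRF against a cookie-only handler and the
# synchronizer-token fix, simulated without a real web server.
import hmac
import secrets

SESSIONS = {}   # constructed in-memory store: session id -> {"user", "csrf"}


def login(user):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def transfer_vulnerable(request, balances):
    """Trusts the session cookie alone. A request forged from another open page
    still carries the victim's cookie, so it is honoured."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    balances[session["user"]] -= request["form"]["amount"]
    return 200


def transfer_hardened(request, balances):
    """Same, plus a token tied to the session that must be echoed in the form.
    The attacker's page cannot read it, so a forged request lacks it."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    token = request["form"].get("csrf", "")
    if not hmac.compare_digest(token, session["csrf"]):   # constant-time compare
        return 403
    balances[session["user"]] -= request["form"]["amount"]
    return 200


def simulate(handler):
    """Victim logs in, an attacker-triggered request arrives, then a genuine one.
    Returns (forged status, legitimate status, final balance)."""
    balances = {"alice": 100}
    sid = login("alice")
    # Browser attaches alice's cookie to the attacker-triggered POST, but the
    # attacker's page has no way to learn the csrf token, so none is sent.
    forged = {"cookies": {"sid": sid}, "form": {"amount": 60}}
    forged_status = handler(forged, balances)
    # The bank's own page embeds the token in its form.
    legit = {"cookies": {"sid": sid},
             "form": {"amount": 10, "csrf": SESSIONS[sid]["csrf"]}}
    legit_status = handler(legit, balances)
    return forged_status, legit_status, balances["alice"]


if __name__ == "__main__":
    print("vulnerable:", simulate(transfer_vulnerable))   # (200, 200, 30)
    print("hardened:  ", simulate(transfer_hardened))     # (403, 200, 90)
```

The token check is the classic defence; modern browsers add `SameSite` cookie attributes that stop the cookie being attached to cross-site requests in the first place, and a robust application uses both.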
Which of the following is not a type of physical access control we might put in place to block vehicle access?
a) fences
b) concrete barriers
c) security landscaping
d) cameras
cameras
What is the primary purpose of a network firewall?
a) control the traffic allowed in and out of a network
b) encrypt network traffic
c) allow connections to any internal system IP address
d) allow connections to any internal system port number
control the traffic allowed in and out of a network
Does an SQL injection attack compromise content in the database or content in the Web application?
a) web application
b) neither
c) database
d) both
database
What is the primary purpose of a Network Intrusion Detection System?
a) encrypt network traffic
b) detect possible attack traffic
c) block malicious network traffic
d) attack (hack back) against the source of malicious traffic
detect possible attack traffic
Exploit frameworks make it...
a) harder to recognize possible attacks on the network
b) harder for amateurs to launch cyber attacks
c) easier for amateurs to launch cyber attacks
easier for amateurs to launch cyber attacks
Which of the following is *not* a physical control that constitutes a deterrent?
a) signs in public places that indicate that video monitoring is in place
b) encryption
c) dogs
d) fences
e) regulations
f) policies
g) yard signs with alarm company logos that we might find in residential areas
h) guards
i) locks
j) well-lit areas
encryption
Which of the following is *not* a type or category of control we use for physical security?
a) detective measures
b) deterrent measures
c) evidence measures
d) preventive measures
evidence measures
What does applying a vendor OS update (patch) usually do?
a) creates vulnerabilities in the OS code
b) exploits a vulnerability in the OS code
c) fixes vulnerabilities in the OS code
d) detects a vulnerability in the OS code
fixes vulnerabilities in the OS code
Did the formal OPSEC methodology emerge from the government/military or commercial/industrial sectors?
a) government/military
b) commercial/industry
government/military
What does California's SB 1386 deal with?
a) handling unauthorized exposure of data relating to all US residents
b) how US federal agencies can share an individual's data with other people and agencies
c) handling unauthorized exposure of data relating to California residents
d) requirements to show an individual any records kept on him or her
handling unauthorized exposure of data relating to California residents
Why might we want a (software) firewall (FW) on our host if one already exists on the network?
a) host FWs know more about the local system
b) host FWs see more network-wide traffic than network FWs
c) host FWs provide no advantage over network FWs
d) host FWs know less about the local system
host FWs know more about the local system
How can we prevent buffer overflows in our applications?
a) implement proper bounds checking
b) use strong passwords
c) only run programs on Linux
d) add network capacity
implement proper bounds checking
Why might we want to use information classification?
a) it makes the task of identifying our critical information considerably easier
b) it creates extra paperwork and bureaucracy
c) it makes the task of identifying our critical information considerably harder
d) it helps confuse the adversary
it makes the task of identifying our critical information considerably easier
Which of the following is not a provision of the Federal Privacy Act of 1974?
a) it requires agencies to follow certain principles, called fair information practices, when gathering and handling personal data
b) it places restrictions on how agencies can share an individual's data with other people and agencies
c) it requires government agencies to show an individual any records kept on him or her
d) it provides individuals the "right to be removed from the Internet"
e) it lets individuals sue the government for violating its provisions
it provides individuals the "right to be removed from the Internet"
Which of the following is not a protocol for wireless encryption?
a) WPA
b) kismet
c) WEP
d) WPA2
kismet
Why might extradition be a delicate issue when prosecuting computer crimes?
a) lack of a consistent set of laws regarding extradition
b) currency exchange rates
c) lack of a common world-wide operating system
d) a consistent set of laws regarding computer crime means you can prosecute anywhere
lack of a consistent set of laws regarding extradition
Why does network segmentation generally improve security?
a) traffic on each isolated segment is faster
b) different people are in charge of different networks
c) network segmentation does not generally improve security
d) malicious traffic cannot freely traverse the internal network
malicious traffic cannot freely traverse the internal network
From a security perspective, why might we not want to allow personal equipment to be attached to the network of our organization?
a) lost work hours
b) malware and intellectual property issues
c) inequity among employees
d) electricity cost
malware and intellectual property issues
Which category of physical control listed would not include a lock?
a) deterrent
b) preventive
c) detective
d) mimicry
mimicry
What tool mentioned in the text might we use to scan for devices on a network, to include fingerprinting the operating system and detecting versions of services on open ports?
a) honeypots
b) nmap
c) wireshark
d) WPA2
nmap
Is it OK to use the same password for all of our accounts?
a) yes because sites use SSL/TLS to secure the communication
b) yes because different passwords are hard to remember
c) yes as long as the password is strong
d) no because a compromise of one account leads to a compromise of all accounts using the same password
no because a compromise of one account leads to a compromise of all accounts using the same password
How does a spear phishing attack differ from a general phishing attack?
a) number of targets and custom messages
b) size of the message
c) whether message has embedded javascript or not
d) whether message has malware attached or not
number of targets and custom messages
Name the three major priorities for physical security, in order of importance.
a) equipment, data, people
b) people, data, equipment
c) data, people, equipment
d) people, equipment, data
people, data, equipment
What is the difference between a port scanner and a vulnerability assessment tool?
a) port scanners close listening ports; vulnerability assessment tools open listening ports
b) port scanners discover listening ports; vulnerability assessment tools report known vulnerabilities on listening ports
c) vulnerability assessment tools close listening ports; port scanners open listening ports
d) vulnerability assessment tools discover listening ports; port scanners report known vulnerabilities on listening ports
port scanners discover listening ports; vulnerability assessment tools report known vulnerabilities on listening ports
How does the principle of least privilege apply to operating system hardening?
a) allows attack actions that require administrator or root privilege
b) prevents attacks by blocking known malicious code from executing
c) prevents attacks by blocking code execution on the memory stack
d) prevents attack actions that require administrator or root privilege
prevents attack actions that require administrator or root privilege
What does executable space protection do for us and how?
a) prevents virus attacks from working by detecting specific byte strings in the code
b) prevents buffer overflow attacks from working by allowing code execution on the memory stack
c) prevents virus attacks from working by preventing an application from running
d) prevents buffer overflow attacks from working by blocking code execution on the memory stack
prevents buffer overflow attacks from working by blocking code execution on the memory stack
What is the foremost concern as related to physical security?
a) protect profits
b) protect people
c) protect equipment
d) protect data
protect people
Which of the following is not something we can do to more effectively reach users in our security awareness and training efforts?
a) posters
b) offer repeated and varied avenues for communication
c) gamification
d) randomly fire employees regardless of their actions
e) make the training more interesting and produce positive results
randomly fire employees regardless of their actions
Which of the following is not a reason to use a honeypot?
a) alert us to an attacker's presence
b) release classified or PII data
c) detect, monitor, and sometimes tamper with the activities of an attacker
d) attract the attention of attackers in order to study them and their tools
release classified or PII data
According to the text, which of the following is not a security professional's obligation relating to information protection and unauthorized disclosure?
a) release test data to see where it shows up
b) be able to catalog and categorize what information was taken if there is a leak
c) prevent information from unauthorized release
release test data to see where it shows up
What is one of the best steps we can take to protect people?
a) require two factor authentication
b) give them oxygen masks
c) lock all doors from the outside
d) remove them from the dangerous situation
remove them from the dangerous situation
What did the PCI DSS establish?
a) maximum dollar values for electronic financial transactions
b) protocols for encryption on credit and debit card chips
c) encryption algorithm performance requirements
d) security standards as a condition of processing credit card transactions
security standards as a condition of processing credit card transactions
If an antivirus tool is looking for specific bytes in a file (e.g., hex 50 72 6F etc.) to label it malicious, what type of AV detection is this?
a) behavior
b) reputation
c) zero-day
d) signature
signature
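This question and the earlier one on signature versus anomaly detection in IDSs describe the same two detection styles, so one added example (illustration code, not from the course) covers both. The signature side scans file bytes for fixed patterns, including the `50 72 6F` bytes the question cites (ASCII "Pro"); the anomaly side learns a baseline of connections per minute and flags samples more than three standard deviations above it. The signature database, the byte samples and the traffic counts are all constructed for the demo. Note what each side cannot do: the byte matcher says nothing about a file whose pattern it has never seen, and the anomaly detector can say "this minute is unusual" but not what the attack is.

```python
# Added example, not course code: a byte-signature scanner (AV/IDS signature
# detection) and a baseline-deviation detector (anomaly detection) on
# constructed inputs.
import re
import statistics

# Constructed signature database: name -> compiled byte pattern
SIGNATURES = {
    "demo-bytes-50726F": re.compile(re.escape(bytes.fromhex("50726F"))),   # "Pro"
    "demo-shell-cmd": re.compile(rb"cmd\.exe\s+/c\s", re.IGNORECASE),
}


def signature_scan(data: bytes):
    """Return the names of every signature whose byte pattern occurs in data.
    Exact patterns only: a variant that changes one byte is missed."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(data)]


def anomaly_detect(baseline, observed, k=3.0):
    """Flag (index, value) pairs in observed that exceed mean + k * stddev of
    the baseline window. Needs no knowledge of any specific attack."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    threshold = mean + k * sd
    return [(i, v) for i, v in enumerate(observed) if v > threshold]


# Constructed samples for the signature scanner
SAMPLE_BENIGN = b"MZ\x90\x00 C:\\Program Files\\app.exe"     # contains "Pro"
SAMPLE_SHELL = b"powershell -c 'cmd.exe /c whoami'"
SAMPLE_CLEAN = b"hello, world"

# Constructed traffic: connections per minute during a quiet baseline, then
# an observed window containing two spikes (a scan and a smaller burst).
BASELINE = [12, 15, 11, 14, 13, 12, 16, 14]
OBSERVED = [13, 14, 95, 12, 15, 40]


if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_SHELL, SAMPLE_CLEAN):
        print(sample[:24], "->", signature_scan(sample))
    print("anomalous minutes:", anomaly_detect(BASELINE, OBSERVED))
```

The first sample is a reminder that a three-byte signature is far too short to be useful on its own: "Pro" appears in every path under Program Files. Real signatures are longer, often anchored to file structure, and tuned against a large clean corpus to keep the false-positive rate down; the anomaly threshold `k` plays the same tuning role on the other side.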
Why is it important to identify our critical information?
a) so we can focus on protecting those assets first
b) it's impossible to distinguish between critical information and the rest
c) it's not important
d) all information your organization has is equally important
so we can focus on protecting those assets first
Which of the following is *not* an example of how a living organism (e.g., insects or small animals) might constitute a threat to our equipment?
a) interfere with cooling fans
b) steal passwords
c) cause electrical shorts
d) chew on wiring
steal passwords
What was the primary topic of the material that Edward Snowden released?
a) Vault7 cyber tools
b) CIA human assets (spies) overseas
c) nuclear weapons
d) surveillance of electronic communications of US citizens
surveillance of electronic communications of US citizens
In a security context, tailgating is...
a) removing a door from its hinges in order to bypass security
b) enjoying the weather, friends, and food before a football game
c) following too closely in a car
d) the act of following someone through an access control point
the act of following someone through an access control point
Why might using the wireless network in a hotel with a corporate laptop be dangerous?
a) the network may not be secure
b) it may be slow
c) it may be expensive
the network may not be secure
What is a cyber attack surface?
a) the number of vulnerabilities in the network area of security
b) the total of the number of available avenues through which our system might be attacked
c) the number of vulnerabilities in the human area of security
d) the size of the facility housing our critical systems
the total of the number of available avenues through which our system might be attacked
For what might we use the tool Kismet?
a) to block network traffic
b) to patch computers
c) to detect wireless devices
d) to detect wired devices
to detect wireless devices
Why might we want to use RAID?
a) to ensure that we do not lose data from hardware failures in individual disks
b) to protect against theft of the computer housing RAID disks
c) to encrypt data
d) to destroy data
to ensure that we do not lose data from hardware failures in individual disks
Why is input validation important from a security perspective?
a) to prevent certain types of attacks
b) to ensure bank balances are correct
c) to authenticate users
d) to catch brute force attacks
to prevent certain types of attacks
How might we use a sniffer to increase the security of our applications?
a) to read (decrypt) encrypted traffic
b) to slow down network traffic
c) to speed up network traffic
d) to watch the network traffic being exchanged with a particular application or protocol
to watch the network traffic being exchanged with a particular application or protocol
Why are humans considered to be the weak link?
a) technical solutions are not effective
b) user actions can bypass all of our other security measures
c) good cryptography is not in place
d) we have no other security measures in place
user actions can bypass all of our other security measures
In the operations security process, what is the difference between a vulnerability and a threat?
a) vulnerabilities are weaknesses, threats are actors
b) threats only affect the operating system
c) threats are weaknesses, vulnerabilities are actors
d) vulnerabilities only exist in software
vulnerabilities are weaknesses, threats are actors
Does an organization's location or the national origin or location of data they are transmitting or storing affect the organization's use of encryption or how they treat employee information?
a) yes
b) no
yes
Are nmap results always accurate, or is it sometimes necessary to verify nmap output with another tool?
a) you do not need to verify nmap results with another tool or data source
b) you should verify nmap results with another tool or data source
you should verify nmap results with another tool or data source