CS 3113 L1-L12
When viewing a Drone Pilot app, the screen will show "flight instruments" that indicate how fast the drone is flying and how high it is off the ground. Which method is this an example of?
Abstraction
The process of regulating the permission an individual has to specific data or resources (i.e. what are you allowed to do) is known as which of the following?
Access Control
"If a security measure or control has failed for whatever reason, the system is not rendered to an insecure state" is a statement of what security principle?
Fail-Safe Default
Aircraft are generally designed with some ability to glide and can be landed without any engine power. This is related to what NSA Design Principle?
Fail-Safe Default
(T/F) Users won't specify protections correctly if the specification doesn't make sense to them. This is known as Psychological Acceptability which is related to the design principle of Simplicity as it "keeps things simple" .
False
(T/F) When you strip everything else away, all security problems ultimately boil down to a problem with software "a bug" or error in the development of the code.
False
True or False: The United States has stated that it will respond to cyberattacks with equivalent cyberattacks at a time and choosing of its own.
False
True or False: The importance of cyberspace today has led to a uniform definition for what cyberspace is. Basically, it is a global domain within the information environment whose character is defined by the use of electronics and the electromagnetic spectrum.
False
True or False: Information Communications Technology (ICT) has had little impact on the spread of democratic ideas as well as a limited ability to enhance national security but has been the driving force behind reducing the interdependencies between infrastructures.
False
What does the concept of "5 Nines" refer to?.
Five nines refers to the percentage of uptime that is desired. This is a type of availability management.
What is the name given to the software testing technique, which basically consists of finding implementation bugs using malformed/semi-malformed data injection in an automated fashion?
Fuzzing
How is generality related to complexity in coding?
Generality contributes to complexity
What are the 4 methods for reducing complexity discussed in class?
Hierarchy, abstraction, layering, modularity
Which level of threat generally is considered to include terrorists?
Highly structured threats
Rather than deliver the system as a single delivery, the development and delivery is broken down into increments with each increment delivering part of the required functionality describes which development model?
Incremental Development
Which one of the following countries did NOT have a large percentage of individuals using the Internet?
India
In the lesson on the key concepts of cyber, the situation in Turkmenistan was discussed. In 2016 the government prohibited the distribution of foreign press and suppressed freedom of speech. They also launched a campaign to destroy all satellite antennas and dishes. These efforts were described using which of the following terms?
Information Blockade
The aggregate of individuals, organizations, or systems that collect, process, or disseminate information is known as which of the following?
Information Environment
An individual who simply "listens" to the traffic that is being sent by an authorized user between systems is an example of which of the following threat types?
Interception
An individual who blocks the traffic from an authorized user to a system they are authorized to access is conducting which of the following threat types?
Interruption
"Multiple privileges should be needed to achieve access (or complete a task)" is a statement closely related to which NSA design principle?
Isolation, Separation, and Encapsulation
"Public access should be separated from critical resources (no connection between public and critical information)" is a statement closely related to which NSA design principle?
Isolation, Separation, and Encapsulation
"Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key" is a statement closely related to which NSA design principle?
Isolation, Separation, and Encapsulation
In cyber security, one of the best ways to protect a computer or network is with a strategy called defense in depth. This strategy means that there are multiple defenses put in place. If one fails, it is likely another will catch the problem. Which method of reducing complexity is this concept most closely aligned with?
Layering
Which NSA security design principle has as a basic tenet that if a necessary feature has a high surprise factor, it may be necessary to redesign the feature?
Least Astonishment
"When you log into a computer, it is a good practice to do so as a regular user instead of as an administrator or super user. A normal user can perform most of the common tasks and does not need to be an administrator. It also protects a computer from increased harm if there is a virus present" is a statement of what security principle?
Least Privilege
The military security rule of need-to-know is most closely associated with which NSA design principle?
Least Privilege
The statement "if a middleware server only requires access to the network, read access to a database table, and the ability to write to a log, this describes all the permissions that should be granted and under no circumstances should the middleware be granted administrative privileges" is most closely aligned with which of the following NSA Design Principles?
Least Privilege
The military security rule of 'need-to-know is most closely associated with which NSA design principle?
Least privilege
In which disclosure paradigm may disclosure provide little advantage for the defenders but potentially have a tremendous benefit for attackers?
Military
Which of the following was NOT one of the attributes that was discussed as differentiating cyberspace from the more conventional domains of military and intelligence?
Military domains need to be completely separate in order to be considered a different
"Users should not share system mechanisms except when absolutely necessary" is a statement closely related to which NSA design principle?
Minimize Common Mechanism
If an encryption key is compromised, it must be replaced. If few people know the key, then replacing it is easier than if a large number of people know the key. Which design principle is this an example of?
Minimize Secrets
Many computers are built with parts that can easily be taken out and replaced with other parts. This makes it easier to troubleshoot and fix. What is the name for this method of reducing complexity?
Modularity
(Y/N) Can all issues with complexity be avoided through the use of one of the secure design principles identified in class?
NO
This principle states that a mechanism should be public, depending on the secrecy of relatively few key items. It allows for independent confirmation of the design.
Open Design
Which disclosure paradigm has as its assumptions that 1) an attacker will learn little or nothing from disclosure; 2) Disclosure will prompt designers to improve the design of defenses, and 3) Disclosure will prompt other defenders to take action?
Open Source
Which of the following is a design method that minimizes losses when a risk is realized?
Passive Safety
Which of the following was NOT one of the pillar of national security discussed?
Physical Security
In which attack technique does an attacker gain access to a secure facility because an authorized user deliberately allows them to follow (e.g. by holding open a secured door)?
Piggybacking
What is the name given to a form of host-to-host communication in which information flows across closed ports. Information may be encoded into a port sequence or a packet-payload. In general, data are transmitted to closed ports and received by a monitoring daemon which intercepts the information without sending a receipt to the sender.
Port Knocking
What is the name of the method of communication between two computers (arbitrarily named here client and server) in which information is encoded, and possibly encrypted, into a sequence of port numbers? Initially, the server presents no open ports to the public and is monitoring all connection attempts. The client initiates connection attempts to the server by sending SYN packets to the ports specified in a special sequence. The server offers no response to the client during this phase, as it "silently" processes the port sequence. When the server decodes a valid sequence it triggers a server-side process and response.
Port Knocking
Which of the following is the term used to describe the strategic/tactical advantages one country has over another? From a cyber perspective, it specifically refers to the potential vulnerabilities present with an opponent's systems.
Positive Asymmetry
Which of the following is the name for a program that holds a computer "hostage" while demanding a ransom?
Ransomware
Which of the following is the NIST Cyber Security Framework core function that is aimed at developing and implementing the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event?
Recover
Which of the following is the BSIMM domain is aimed at practices associated with analysis and assurance of particular software development artifacts and processes?
SSDL Touchpoints
The practice of designing out health and safety risks is known as which of the following?
Safety by Design
As employees move up and around in your organization, they likely end up with more (or different) responsibilities. Often their access to previous information is not revoked even if their new duties do not require them to maintain this access. This phenomenon is commonly referred to as which of the following?
Scope Creep
The approach to security in which an organization relies on the properties (including whatever vulnerabilities might be present) of a product which is not widely adopted is known as ____________. This approach counts on lowering the prominence of those vulnerabilities to provide security.
Security through minority
The incredible number of special cases in the United States tax code makes filling out an income tax return a difficult job. The impact of any one exception may be minor, but the cumulative impact of many interacting exceptions can make a system that is very difficult to understand. This (as an example of what not to do) would be most closely related to what design principle?
Simplicity
While a password should be long and complex so that it will be difficult to break, the password should be easy for you to remember. One way to do this is to take the first letter of each word from a song that you know. Which design principle is this most closely aligned with?
Simplicity
In the calculation of a nation's digital power, which of the following was the measure used to represent the robustness of a country's cyber domain, measuring networks, access, and information communications technology spending as a percentage of the GDP?
Technological Infrastructure & Industrial Application
Which of the following was NOT one of the original critical infrastructures that we discussed in class?
The Retail Sector
Which of the following was described as the main drawback to the waterfall software development model?
The Waterfall model does not easily accomodate change after the process is underway. One phase has to be completed before moving onto the next phase.
In politics and international relations, which of the following is the one primary type of power nations are concerned with?
The ability to get one's way
From a security perspective, which of the following is a definition of the technique known as "dumpster diving"?
The process of going through the trash (as found in a dumpster) looking for any object that might prove useful to a cyber attacker.
A user error message that states (in its entirety) "Can't rename file. Specify a different name." would be an example of a good error message or a poor one?
This is an example of a poor message as it does not provide enough detail (i.e. what file and why couldn't it be renamed).
In which NIST CSF Tier have risk management practices been approved by management but may not be established as organizational-wide policy at this time?
Tier 2 Risk Informed
The two types of covert channels are:
Timing and Storage
Which of the following is the name for a program that appears to do one thing (and may indeed do it) but that hides something else?
Trojan Horse
(T/F) "Applications will never be 100 percent secure. Testing has the capability to demonstrate only that an application responds properly when subjected to specific attacks. It cannot prove that the software is secure in a general sense."
True
(T/F) "Testing is a very important part of software development but all too often, in the rush to get a product" out the door" it will not get the attention that it should."
True
(T/F) Availability Management is the management of the uptime of business and technology services. It is typically focused on designing services for high availability, managing maintenance activities, and reporting uptime data to customers and internal clients.
True
(T/F) Because cryptography is a highly mathematical subject, companies that market cryptographic software or use cryptography to protect user data frequently keep their algorithms secret. Experience has shown that such secrecy adds little if anything to the security of the system. Worse, it gives an aura of strength that is all too often lacking in the actual implementation of the system.
True
(T/F) Issues of proprietary software and trade secrets complicate the application of the Open Design principle. In some cases companies may not want their designs made public, lest their competitors use them. The principle then requires that the design and implementation be available to people barred from disclosing it outside of the company.
True
(T/F) The number of bugs introduced by a bug fix release may actually exceed the number of bugs fixed by that release.
True
Only the minimum necessary rights should be assigned to a subject that requests acces to a resource and should be in effect for the shortest duration necessary. Granting permissions to a user beyond the scope of the necessary rights of an action can allow that user to obtain or change information in unwanted ways. Therefore, carful delegation of access rights can limit attackers from damaging a system.
True
True or False: A nation such as North Korea can develop an offensive cyber unit and ignore the need for a defensive cyber unit because it has little to no reliance on cyber technologies in its homeland. This is an example of a situation where a small state wielding cyber weapons might have a greater degree of relative power than a large state as it has significant theoretical and demonstrated capabilities but few vulnerabilities.
True
True or False: Command and control warfare (C2W) is an application of IW in military operations and employs various techniques and technologies to attack or protect a specific target set — command and control (C2). C2W is the integrated use of psychological operations (PSYOP), military deception, operations security (OPSEC), electronic warfare (EW), and physical destruction, mutually supported by intelligence, to deny information to, influence, degrade, or destroy adversary C2 capabilities while protecting friendly C2 capabilities against such actions)
True
True or False: Cyber warfare could be the archetypal illustration of asymmetric warfare - a struggle in which one opponent might be weak in conventional terms but is clever and agile, while the other is strong but complacent and inflexible.
True
True or False: In 2016 a group of non-profit organizations attempted to break the hold of the North Korean government on information that its citizens were able to access. Since the government tightly controlled sources like radio, TV, and the Internet, this group elected to utilize thumb drives which were loaded with Western TV and movies and smuggled them into the country. This campaign was known as "Flash Drives for Freedom".
True
True or False: The TCP/IP Protocol Suite was a tremendous step in the evolution of networking. It provided an efficient mechanism to conduct packet switching in an often unreliable networking environment. One thing that was not emphasized in the original designs of the protocol suite was security. The goal was reliable transmission of packets/messages in as an efficient manner as possible.
True
The use for authentication of an ATM card and a pin is an example of which of the following?
Two factor authentication
Based on our discussion of what constitutes a good password, which of the following would be considered a good password?
UTSAisthec00lest!
Which level of threat includes disgruntled employees seeking to harm your systems?
Unstructured threats
What is the most common form of authentication for computer systems and networks?
Userid and Password.
Which of the following is the name for a program that reproduces by attaching copies of itself to other programs and which often carries a malicious "payload"?
Virus
Which of the following is a description of what a "zero-day exploit" is?
A previously unknown vulnerability which is now being used in an attack.
The operation of verifying that the individual (or process) is who they claim to be is known as?
Authentication
Which of the following are advantages of an iterative design process?
B, C, and D but not A B) Having a working system available at all times helps provide assurance that something can be built. C) It provides on-going experience with the current technology ground rules and an opportunity to discover and fix bugs. D) It is easier to incorporate technology changes that arrive during the system development.
Which of the following is a community-developed list of common software security weaknesses that serves as a common language, a measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts?
Common Weakness Enumeration (CWE)
Which NSA design principle states that access rights should be completely validated every time an access occurs?
Complete Mediation
Which design principle states access rights should be validated every time an access occurs.
Complete Mediation
When discussing coding errors that lead to security problems, what has been said to be the worst enemy of security?
Complexity
Which of the following describes the "CIA of Security"?
Confidentiality
A type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy is known as which of the following?
Covert Channel
Which of the following is the term used to describe the ability of a nation-state to establish control and exert influence within and through cyberspace, in support of and in conjunction with the other domain-elements of national power?
Cyber Power
The term used to refer to all activities conducted in and through cyberspace in support of the military, intelligence, and business operations of the Department of Defense is known as which of the following?
Cyberspace Operations
What is the name given to the strategy for making sure that end users do not send sensitive or critical information outside of the corporate network?
Data Loss Prevention (DLP)
Which of the following was NOT one of the steps listed in determining what is (or should be) secret from an operational security standpoint?
Decide who might be a threat to your organization or operation.
This principle states that layered security mechanisms increase security of the system as a whole. If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system. For example, it is not a good idea to totally rely on a firewall to provide security for an internal-use-only application, as firewalls can usually be circumvented by a determined attacker. Other security mechanisms should be added to complement the protection that a firewall affords. What is the name given to this principle?
Defense-in-depth
Which of the following is the practice of mistake proofing a design based on the assumption that if there is a wrong way to use something, customers will find it?
Defensive Design
In which domain of the BSIMM model would you find Penetration Testing?
Deployment
Which design principle states that you should start with a simple, working system that meets only a modest subset of the requirements, and then evolve the system in small steps to gradually encompass more and more of the full set of requirements?
Design for Iteration
Which of the following is the NIST Cyber Security Framework core function that is aimed at developing and implementing the appropriate activities to identify the occurrence of a cybersecurity event?
Detect
In the calculation of a nation's digital power, which of the following was the measure used to represent the quality of the nation's potential cyber warfare units?
Economic and Social Context
"A simple design is easier to test and validate" is the hallmark of what principle?
Economy of Mechanism
"The design of the system should be small, simple, and straightforward. Such a systems can be carefully analyzed and exhaustively tested." This is a description of which design principle?
Economy of Mechanism
The design of the system should be small, simple, and straightforward. Such a systems can be carefully analyzed and exhaustively tested." This is a description of which design principle?
Economy of Mechanism