CS527 final prep
Multi: Who should be able to modify a log? A) System Admins B) No one C) Pen testers D) Users
B
Backups, encryption and access controls are used on which layer of defense? A) Internal network B) External network C) Application D) Data
D
True/False: Is it possible to make a password that is difficult to break and still be able to memorize it?
True
Multi: Which is the true statement about authorization and access control? A) They are the same thing B) Authorization is the process of determining exactly what an authenticated party can do C) Authentication is required for access D) You typically implement access control using authorization tools, and the systems you use deny or allow access.
B
What do you call the process in which the client authenticates to the server and the server authenticates to the client? A) Unilateral authentication B) Mutual authentication C) Unique authentication D) Bilateral authentication
B
What does CAPTCHA primarily protect against? A) A hacker attacking a system manually B) Bot activity and automated attacks C) Slow typers D) Phishing attacks
B
What does a successful clickjacking attack require? A) The victim must be located in a certain country. B) The attacker has to have modified the website rendering in some way. C) The victim must have visited the site multiple times before. D) A CAPTCHA submission.
B
What does this UNIX file permission configuration mean? "- rw- rwx r-x" A) Everyone can read and write to the file, but only the owner can execute it. B) The owner can read and write, group members can read, write, and execute it, and others can read and execute the file. C) Everyone can execute and write to the file. D) Everyone can read and write the file.
B
What is one of the differences between block and stream ciphers? A) With stream ciphers, if a single bit is transmitted incorrectly, then the rest of the message becomes unreadable. B) Block ciphers work better on inputs where the size is known beforehand, whereas stream ciphers can work on any input size. C) Block ciphers tend to be much faster than stream ciphers. D) Stream ciphers are much more complex than block ciphers.
B
Which aspect of CIA has to do with preventing unauthorized changes to data? A) All of the above B) Integrity C) Availability D) Confidentiality
B
Which one of the following is the most likely to happen in a high FAR and low FRR biometric system? A) Alice cannot be enrolled. B) Trudy is recognized as Alice. C) Alice is recognized as Trudy. D) Alice cannot be recognized.
B
Why are hash functions useful for checking whether a message has been tampered with? A) They are symmetric. B) Modifying the message even slightly drastically changes their output. C) They are used to encrypt messages. D) They can reveal some of an encrypted message's contents for verification.
B
Why is mutual authentication important? A) It protects against DDoS B) It verifies that both parties are who they say they are C) It shows that the login system is still working D) All of the above
B
Which category of attacks is an attack against confidentiality? A) Interruption B) Interception C) Fabrication D) Modification
B
What is one of the problems with biometric authentication? A) It's faster to set up for new users B) None of the above C) Accuracy with authentication is never the problem D) If biometric data is compromised it is impossible to reissue
B) you can rehash if compromised, which allows it to be reused
True/False: Is it a new threat if the web servers in your environment are based on Microsoft's Internet Information Services (IIS) and a new worm is discovered that attacks Apache web servers?
False
True/False: There's no need to plan for the eradication and post-incident activity phases of incident response if the preparation and containment phases are good enough.
False
True/False: When the author of an encrypted message uses their private key to sign it for later verification, it's okay for them to share their private key with the message recipient.
False
True/False: if a hash is broken, it can be used to reveal the contents of an encrypted message.
False
True/False: penetration testing can be done on any public website without permission as long as the intent behind it is only to test for security problems.
False
True/False: Setting an administrative policy describing password requirements is enough to enforce strong passwords.
False
True/False: Verification and authentication of an identity are the same?
False
True/False: You should authorize before authenticating?
False
True/False: Holding someone accountable means making sure that person is responsible for their actions.
True
True/False: The first law of operations security is "If you don't know the threat, how do you know what to protect?"
True
True/False: Posting on social media can lead to a security breach.
True
True/False: Were good security practices followed in storing the employee passwords?
True
True/False: Access control lists become incredibly complex on larger systems.
True
True/False: Auditing can prevent attacks.
True
True/False: Clickjacking and cross-site request forgeries are examples of the confused deputy problem.
True
True/False: Access control based on the Media Access Control (MAC) address of a system on our network does not represent strong security.
True
True/False: If you are using an eight-character password that contains only lowercase letters, would increasing the length by two significantly increase the password strength?
True
True/False: Is using HTTPS for internal communications between servers considered a best practice?
True
True/False: It's possible to create a password that is difficult to break and easy to memorize.
True
True/False: Monitoring and maintaining the physical state of the hardware that hosts data is just as important as monitoring for online threats and attackers.
True
True/False: One of the pitfalls to digital signatures is that it's possible for an attacker to use their own public/private key to sign a message and claim they are the expected sender.
True
True/False: Removing extra software is an important part of maintaining operating system security.
True
True/False: The critical information for one company may be completely different than the critical information for another.
True
True/False: The exact point at which you can be considered secure presents a bit of a challenge.
True
True/False: The second law of operations security is "If you don't know what to protect, how do you know you are protecting it?"
True
Cryptography can be used when: A) Using email B) Visiting webpages C) Making phone calls D) All of the above.
D
In a typical three tier app where are user passwords stored? A) Web tier B) All of the above C) Application tier D) Database
D
Multi: Which access control model could you use to prevent users from logging into their accounts after business hours? A) Discretionary access control B) Role-based access control C) Mandatory access control D) Attribute-based access control
D
What is risk? A) Sensitive data. B) a vulnerability in a system. C) An employee that writes their passwords on post-it notes at their desk. D) Both a vulnerability in a system, and the threat that could take advantage of it.
D
Which is not a password cracking tool? A) John the Ripper B) Hydra C) Hashcat D) Kali
D
True / False : You should authorize before authenticating
False
True/False: In a digital signature, The sender uses the receiver's public key to sign the message.
False
Quiz 3 done
I need food
Quiz one cards above
:)
Actions taken to reduce risk are part of which phase of operations security? A) Assessment of risk. B) Applications of countermeasures. C) Vulnerability assessment. D) Identification of critical information.
A
Multi: What does the Brewer and Nash model protect against? A) Conflicts of interest B) Dynamically changing access C) Availability D) Classified systems
A
What attributes can network ACLs specify for filtering incoming traffic? A) All of the above. B) MAC addresses C) IP addresses D) Port numbers
A
What is password spraying? A) Trying the same password against many user accounts. B) Spraying all new passwords against a known password list for matches C) Trying many passwords on a single account D) Trying all known hashes against the password database
A
What is the primary weakness of symmetric key cryptography? A) The key must be shared between users before they can use the algorithm. B) The math behind it is very complex. C) It requires multiple keys, making it difficult to maintain. D) It's hard to create unique keys.
A
What's the difference between authentication and identification? A) Identification describes who someone is, and authentication checks whether the claim to that identity is true B) They are the same C) Authentication describes who someone is and identification describes access control D) Identification is the term for collecting operating system information, and authentication has to do with checking passwords
A
Which one is a logical control? A) Firewall B) Acceptable use policy C) Man-trap to enter a data center D) Password policy
A
If you develop a new policy for your environment that requires users to use complex and automatically generated passwords that are unique to each system and are a minimum of 30 characters in length, such as "!Qa4(j0nO$&xn1%2AL34ca#!Ps321$," what can you not expect users to do? A) Write them down. B) Remember them. C) Use a password manager. D) Change to a competitor if possible
B
Multi: What does the Parkerian hexad add to the CIA triad? A) Utility B) Possession C) Integrity D) Authenticity
A,B,D
Multi: Based on the Parkerian hexad, what principles are affected if you lose a shipment of encrypted backup tapes that contain personal and payment information for your customers? A) Possession B) Integrity C) Confidentiality D) Utility
A,D
Multi: Name three reasons why an identity card alone might not make an ideal sole method of authentication. A) Lost/Stolen B) Dirty C) Forged D) Plastic
A,B,C
Multi: Which are security benefits of accountability? A) Nonrepudiation B) Deterrence C) Open source intelligence D) Access control
AB
Multi: Items you might want to audit? A) Passwords B) Logical access controls C) Internet usage D) Software Licenses
ABCD
Multi: Items you might want to audit? A) Logical access control B) Internet usage C) Software licenses D) Passwords
ABCD
Backups, Encryption and access controls are used on which layers of defense? A) Application B) Data C) Internal Network D) External Network
B
Multi: Logs can be used for which of the following? A) Nonrepudiation B) All of the above C) Incident analysis D) Compliance checking
B
Logging is... ? A) required of all companies by federal law B) cheap C) proactive D) reactive
D
True/False: Forcing users and/or employees to change their password annually is considered by NIST to be a good security practice.
False
True/False: Monitoring is more of a preventive technique than a reactive one.
False
What does it mean if an authentication system has a high false rejection rate (FRR)? A) All of the above. B) An intruder will have an easy time being authenticated as someone else. C) The system will display incorrect statistics about how many logins it has each day. D) A legitimate user will often be incorrectly prevented from entering.
D
What would be an example of a logical control? A) A company policy that dictates acceptable workstation usage B) A power surge protector C) A security guard posted to check ID badges at a datacenter D) A firewall configured to block traffic from unauthorized IP addresses
D
Which is true when implementing the concept of defense in depth? A) Using multiple external firewalls. B) Turning off logging, because it is not a defense. C) Using multiple solutions on the internal network. D) Using different solutions in different logical layers.
D
True/False: Pretty Safe Electronics has single sign-on because all authentication is done on the Active Directory domain controller.
False
True/False: Auditing is a practice only used by companies that specialize in financial services.
False
Multi: If you have a file containing sensitive data on a Linux operating system, would setting the permissions to rw-rw-rw- cause a potential security issue? Which portions of the CIA triad? A) No issue B) Confidentiality C) Availability D) Integrity
BCD
Multi: Which are asymmetric cipher algorithms? A) 3DES B) RSA C) AES D) ECC
BD
Multi: Which is the true statement about authorization and access control? A) You typically implement access controls using authorization tools, and the systems you use deny or allow access. B) They are the same thing C) Authorization is the process of determining exactly what an authenticated party can do. D) Authorizations are required for access
C
What can be used for multi-factor authentication? A) Passwords B) Hardware tokens C) All of the above. D) Fingerprints
C
Why is it important to iterate through the operations security process multiple times? A) To catch any mistakes made when applying countermeasures. B) New threats and vulnerabilities may be discovered after the analysis and assessment phases. C) All of the above. D) Critical information may change over time.
C
Why is maintaining admissibility of records important? A) In the case that evidence has to be transported or modified, it provides an explanation as to why. B) It protects against losing important data. C) All of the above D) It makes tampering with evidence incredibly difficult.
C
What biometric factor describes how well a characteristic resists change over time? A) Collectability B) Uniqueness C) Permanence D) Performance
C hey Siri what is permanence
Multi: If you're developing a multifactor authentication system for an environment where you might find larger-than-average numbers of disabled or injured users, such as a hospital, which authentication factors might you want to use? A) Something you are B) Something you know C) Something you do D) Something you have
C,D
True/False: Capabilities are lists of people and their access rights to a file or system.
False
Multi: A three (3) tier application typically has: a web server, app server, and database. Which tier does Joomla provide? A) All of the above B) Database C) Application tier D) Web tier
CD
Backups, encryption, and access controls are used on which layer of defense? A) External network B) Application C) Internal network D) Data
D
Given an environment containing servers that handle sensitive customer data, some of which are exposed to the Internet, what would you want to conduct? A) Vulnerability assignment B) Reverse engineering test C) Grey water test D) Pen test
D
How do you measure the rate at which you fail to authenticate legitimate users in a biometric system? A) False positive rate B) False acceptance rate C) Rejects per attempt D) False rejection rate
D
If you're using an identity card as the basis for your authentication scheme, what steps might you add to the process to allow you to move to multifactor authentication? A) RFID chip B) Identity chip C) Serial number D) PIN
D
True/False: Clickjacking is the term used to describe hijacking a user connection to gain control over a website.
False
True/False: Entering a password is an example of mutual authentication.
False
True/False: The third law of operations security is "There are no laws if you give away your data."
False
True/False: The Bell-LaPadula and Biba multilevel access control models each have a primary security focus. Can these models be used together?
No...false
In hashing algorithms, what is a collision? A) The same input entered twice and producing different outputs. B) A message that is too long to be hashed. C) Two different inputs resulting in the same output. D) When cryptographers accidentally invent and publish the same algorithm at the same time.
C
Multi: Which access control model could you use to prevent users from logging into their accounts after business hours? A) Role-Based Access Control B) Mandatory Access Control C) Attribute-Based Access Control D) Discretionary access control
C
The current RockYou password database available online contains how many passwords? A) 100,000 B) 1,000 C) Over 14 million D) 121 million
C
Password quiz unadded rest
almost halfway done :/
Multi: If you have a file containing sensitive data on a Linux operating system, would setting the permissions to rw-rw-rw- cause a potential security issue? If so, which portions of the CIA triad might be affected? A) Not an issue B) Integrity C) Availability D) Confidentiality
B,C,D
Where do enterprises typically store employee passwords? A) On a machine that only the security director has access to B) In a secured database C) Active Directory domain controller D) /etc/passwd
C
Done Quiz 4
got food
Quiz 2 done
this is gonna take awhile fml