Eksamen 2016 Flashcards

1
Q
  1. Write the definition (approximately) of confidentiality according to ISO27001.
A

Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

2
Q
  1. Security controls can be grouped into three main categories.
    Padlocks and security guards represent which category of security controls?

User authentication and data encryption represent which category of security controls?

Security policies and awareness training represent which category of security controls?

A
  1. Physical security controls (padlocks and security guards).
  2. Technical security controls (user authentication and data encryption).
  3. Administrative controls (security policies and awareness training).
3
Q
  1. Give one example of a preventive security control.
    Give one example of a detective security control.
    Give one example of a corrective security control.
A
  1. Valid preventive control: encryption, authentication, awareness, padlock.
  2. Valid detective control: IDS (intrusion detection system), surveillance cameras.
  3. Valid corrective control: backup of data & software, removal of malware.
4
Q
  1. In which aspect is non-repudiation of data origin stronger than data authentication?
    Which control/mechanism is typically used to implement non-repudiation?
A

Non-repudiation can provide proof of data authenticity to third parties. Data authentication can only prove authenticity to the intended recipient of the data.

Non-repudiation is implemented with digital signatures.

5
Q
  1. Give the name of ISO27001.

Briefly describe what ISO27001 is about (1 sentence is enough).

A

ISO27001 = Information Security Management System.

It describes a framework for setting up and managing an ISMS, i.e. establishing and operating a security program within an organisation.
6
Q
  1. Give the name of ISO27002.

Briefly describe what ISO27002 is about (1 sentence is enough).

A

ISO27002 = Code of practice for information security management.

It provides a checklist of security controls that organisations can consider using and implementing.

7
Q
  1. 20 CSC (Critical Security Controls) is a framework which describes a set of elements for each of the 20 essential security controls.

Select two correct elements.

A

Why the control is critical (specified by 20 CSC).

Effectiveness metrics (specified by 20 CSC).

8
Q
  1. Which is the highest level in COBIT's PCL (Process Capability Level) model?

Which aspect of security governance in PCL is the most fundamental/important?

What is the basis for knowing the effectiveness of a security control?

Which PCL level requires: "Security culture permeates the organization"?

A

Level 5 (Optimizing) is the highest in the COBIT Process Capability Levels.

Risk assessment is the most important aspect of security governance.

Effectiveness metrics are used to determine the effectiveness of controls.

Level 5 (Optimizing) requires: "Security culture permeates the organization".
9
Q
  1. Mention 2 typical approaches to identify relevant threat scenarios.
A

Attacker-Centric threat identification

System-Centric (aka. SW, design or architecture centric) threat identification

Asset-Centric threat identification.

10
Q
  1. Briefly explain the principle for determining risk levels with a qualitative method.
A

A matrix is used to determine a qualitative level of risk as a function of the qualitative levels of likelihood and impact of an incident.
11
Q
  1. Assume a quantitative risk model, where for a particular risk the following values are set:
    AV (Asset Value) = EUR 1,000,000
    EF (Exposure Factor) = 0.2
    ARO (Annualised Rate of Occurrence) = 0.1

Give the SLE (Single Loss Expectancy) and the ALE (Annualised Loss Expectancy).

A

SLE = EUR 200,000

ALE = EUR 20,000

12
Q
  1. Mention two (of the four) strategies for managing risk.
A

Reduce/mitigate risk (security and mitigation controls)

Share/transfer risk (outsource activity that causes risk, or insure)

Retain risk (understand and tolerate potential consequences)

Avoid risk (stop activity that causes risk)

13
Q
  1. What are the block size and possible key sizes in AES?
A

Block size 128 bits.

Key sizes i) 128, ii) 192, iii) 256 bits.

14
Q
  1. Select two important factors for the cryptographic strength of a cipher.

– The design randomness
– The cipher’s key size
– The cipher’s ability to hide statistical patterns in data
– The computation speed

A

The cipher’s key size

The cipher’s ability to hide statistical patterns in data

15
Q
  1. The cryptoperiod (which may consist of separate protection and processing periods) limits the time a cryptographic key can be used, and mandates that the key be changed. Select the correct statement regarding cryptoperiods.

– The usage frequency of a key does not influence its cryptoperiod.
– Frequent use of a key requires longer cryptoperiod.
– Frequent use of a key requires shorter cryptoperiod.

A

Frequent use of a key requires longer cryptoperiod.

16
Q
  1. Select the correct statement regarding cryptoperiods.

– High overhead for changing a key does not influence the cryptoperiod.
– High overhead for changing a key requires longer cryptoperiod.
– High overhead for changing a key requires shorter cryptoperiod.

A

High overhead for changing a key requires longer cryptoperiod.

17
Q
  1. Select the correct statement regarding cryptoperiods.

– High criticality and sensitivity does not influence the key’s cryptoperiod.
– High criticality and sensitivity requires longer cryptoperiod of the key.
– High criticality and sensitivity requires shorter cryptoperiod of the key.

A

High criticality and sensitivity of the encrypted messages requires shorter cryptoperiod of the key.

18
Q
  1. Select the correct statement regarding cryptoperiods.

– Fast computation of the encryption algorithm does not influence the key's cryptoperiod.
– Fast computation of the encryption algorithm requires longer cryptoperiod of the key.
– Fast computation of the encryption algorithm requires shorter cryptoperiod of the key.

A

Fast computation of the encryption algorithm does not influence the key's cryptoperiod.

19
Q
  1. NIST SP800-57, Part 1, “Recommendation for Key Management” gives recommendations about
    cryptoperiods.

What is the latest recommended protection period time for a 1024 bit RSA key?

A

1024 bit RSA key for protection: Not allowed now.

20
Q
  1. NIST SP800-57, Part 1, “Recommendation for Key Management” gives recommendations about
    cryptoperiods.

What is the latest recommended processing period time for a 1024 bit RSA key?

A

1024 bit RSA key for processing: Not allowed now (but legacy use OK).

21
Q
  1. NIST SP800-57, Part 1, “Recommendation for Key Management” gives recommendations about
    cryptoperiods.

What is the latest recommended protection period time for a 2048 bit RSA key?

A

2048 bit RSA key for protection: Until 2030

22
Q
  1. NIST SP800-57, Part 1, “Recommendation for Key Management” gives recommendations about
    cryptoperiods.

What is the latest recommended processing period time for a 2048 bit RSA key?

A

2048 bit RSA key for processing: Until 2030 (only legacy use after that)

23
Q
  1. NIST SP800-57, Part 1, “Recommendation for Key Management” gives recommendations about
    cryptoperiods.

What is the latest recommended protection period time for a 3072 bit RSA key?

A

3072 bit RSA key for protection: After 2030

24
Q
  1. NIST SP800-57, Part 1, “Recommendation for Key Management” gives recommendations about
    cryptoperiods.

What is the latest recommended processing period time for a 3072 bit RSA key?

A

3072 bit RSA key for processing: After 2030

25
Q
  1. Virtual machine architectures have implications for security. Select the correct statements
    about VMs and security.

– Virtual machines prevent social engineering attacks.
– Virtual machines are immune against computer viruses.
– The OS or hypervisor cannot interfere with VMs.
– Malware can be executed in a VM without posing a risk for the rest of the computer.
– Hackers cannot hide their malware in a VM.
– Malware can easily be detected in a VM.
– A VM crash caused by malware can easily be analysed.
– VMs running on the same physical machine are isolated/protected from each other.

A

Malware can be executed in a VM without posing a risk for the rest of the computer.

A VM crash caused by malware can easily be analysed.

VMs running on the same physical machine are isolated/protected from each other.

26
Q
  1. Mention two types of synchronized authentication tokens.

Mention the authentication principle used by tokens not based on synchronization, and which is typically used by physical access cards.

A

Synchronised clock-based authentication tokens.

Synchronised counter-based authentication tokens.

Challenge-response authentication.

27
Q
  1. Briefly explain the two main effects/purposes of password salting.
A

Password salting ensures that equal passwords have different hashes.

Password salting makes cracking difficult by preventing the use of pre-computed hash tables.

28
Q
  1. User authentication frameworks for eGovernment typically specify 3 different classes of requirements per authentication assurance level. Mention these 3 requirement classes.
A

Authentication Method Strength requirements.

Credential Management Assurance requirements.

Identity Registration Assurance requirements.

29
Q
  1. Briefly describe the concept of Identity Federation.
A

A set of agreements, standards and technologies that enable a group of SPs to recognise and trust user identities and credentials from different IdPs (Identity Providers), CrPs (Credential Providers) and SPs (Service Providers).

30
Q
  1. DROWN is the name of an attack against TLS server software.

i) What does the acronym DROWN stand for?
ii) Briefly describe the nature of the DROWN vulnerability in TLS software.
iii) Briefly describe the standard way of removing the DROWN vulnerability.

A

DROWN: Decrypting RSA with Obsolete and Weakened eNcryption

DROWN is a cross-protocol attack that abuses weaknesses in SSLv2 combined with the secure TLS protocol. Servers that run TLS but allow SSLv2 for backwards compatibility are vulnerable to DROWN attacks.

To remove DROWN vulnerabilities, update TLS server software, and disable SSLv2 (and SSLv3).

31
Q
  1. TLS/SSL stripping is an attack against TLS/SSL. HSTS is a technology to protect against the TLS/SSL stripping attack.

i) Briefly describe the nature of the TLS/SSL stripping attack.
ii) What does the acronym HSTS stand for?
iii) Briefly explain how HSTS works.

A

TLS/SSL stripping is a MitM (Man-in-the-Middle) attack, whereby a rogue (WiFi) router acts as a hidden proxy between a client and server, via an https connection to the server and an http connection to the client. The rogue router can then read, and inject data into, the communication between the client and server.

HSTS: HTTP Strict Transport Security.

HSTS forces browsers to only use https to servers that support HSTS. Users are not able to override the HSTS policy.

32
Q
  1. How can a user know when TLS-encrypted traffic is being inspected in a firewall?
A

The user must view the certification path of the received server certificate, and know the difference between a Browser PKIX root certificate and the internal proxy root certificate used for validation. If the certification path leads to an authentic root certificate of the Browser PKI, then there is no TLS inspection. If the certification path leads to the internal proxy root CA, then there is TLS inspection.

33
Q
  1. What is OWASP Top 10?
A

The OWASP Top 10 is a document describing the 10 most prevalent security risks/vulnerabilities in current web applications, as well as how they can be avoided.

34
Q
  1. Name the nr. 1 in OWASP Top 10, and explain why it is so prevalent.
A

(SQL) Injection vulnerabilities/attacks

SQL injection is still nr. 1 because software developers ignore how to prevent it, or because they are lazy.

35
Q
  1. What is specified as the first phase in Microsoft SDL (Secure Development Lifecycle)?
A

Security training is the first phase in Microsoft SDL.

36
Q
  1. What do the abbreviations OpenSAMM and BSIMM stand for?
A

OpenSAMM: Open Software Assurance Maturity Model.

BSIMM: Build Security In Maturity Model.

37
Q
  1. What is the purpose of using a framework like OpenSAMM and BSIMM?
A

They offer a framework for helping software development organisations to become better at making secure software, and a method for an organisation to assess how good (how mature) they are at doing secure software development.

38
Q
  1. Mention 1 difference between OpenSAMM and BSIMM.
A

OpenSAMM

  • Based on experience and principles of secure software development
  • Enables you to evaluate yourself against best practice
  • Prescriptive
  • Sponsored by OWASP
  • Not commercially oriented

BSIMM

  • Based on study of software security practices
  • Enables you to compare yourself against others
  • Descriptive
  • Sponsored by Cigital and Fortify Software
  • Commercially oriented