EXAM Flashcards

1
Q

T or F. The potential for a hacker to compromise the system is called an attack.

A

F. The potential for a hacker to compromise the system is called an attack.

It’s a threat

2
Q

T or F. A virus deletes all of the content of your hard drive at home. This was the virus’ transport mechanism.

A

F. A virus deletes all of the content of your hard drive at home. This was the virus’ transport mechanism.

It’s the payload – or what the virus does when it executes.

3
Q

T or F. A particular type of malware looks for an Administrator’s name on the payroll. If it’s not found, it starts to delete files. This is known as a backdoor.

A

F. A particular type of malware looks for an Administrator’s name on the payroll. If it’s not found, it starts to delete files. This is known as a backdoor.

This describes a logic bomb

4
Q

T or F. A virus is a fragment of code that requires user action to deliver its payload.

A

T. A virus is a fragment of code that requires user action to deliver its payload.

Worms are standalone code that automatically replicates across the network.

5
Q

Sarbanes-Oxley applies to which industry?

  • Publicly traded companies
  • Healthcare
  • Financial
  • Retail
A

Sarbanes-Oxley applies to which industry?

-Publicly traded companies

6
Q

GLBA applies to which industry?

  • Publicly traded companies
  • Healthcare
  • Financial
  • Retail
A

GLBA applies to which industry?

-Financial

7
Q

PCI-DSS applies to which industry?

  • Publicly traded companies
  • Healthcare
  • Financial
  • Retail
A

PCI-DSS applies to which industry?

-Retail

8
Q

Information about yourself, such as your SSN, is called _____ ________ ______.

A

Personally Identifiable Information.

9
Q

True or False. FISMA only applies to federal agencies.

A

True

10
Q

Which of the following is the estimated asset value loss for the year? (ALE, ARO, AV)

A

ALE

11
Q

Risk acceptance means what, and would be used when?

A

Do nothing to mitigate (reduce) the risk. It would be used when the cost of the risk is less than the cost of the control.

12
Q

T or F. Your boss asks you to do a port scan of a competitor’s website. This is OK as long as you document that the boss asked you to do this.

& What is the law you just broke if you did hack the competitor?

A

F

18 U.S.C. 1030

13
Q

What section in the act governs unauthorized eavesdropping on transmitted communications?

A

Section 2511

14
Q

Breaking a cipher by trying to use every possible key combination is a __________ attack.

A

Brute Force attack

15
Q

The process of defeating cryptographic systems is known as ___________________.

  • Cryptography
  • Cryptanalysis
  • Cryptology
  • Decryption
A

Cryptanalysis

16
Q

SNMP is a protocol that traps network messages into a MIB that can be logged into to access the data.

What version of SNMP should you be using and why?

A

3.0 or higher as it encrypts network traffic and the “community string” which is the SNMP password at the devices.

17
Q

A wireless encryption protocol that has a weakness with its initialization vector

  • WEP
  • WPA
  • DES
  • WPA2 Enterprise
A

WEP – WPA2 is the one that you should be using (802.11i)

18
Q

_______ is the protocol that resolves IP addresses to MAC addresses

A

ARP

19
Q

T or F. Changing your IP Address to masquerade as someone else is called IP Poisoning.

A

F.

It’s called IP Spoofing

20
Q

An _______________ ______________ is an attack on a wireless network in which an Access Point is configured exactly like an authorized AP.

A

Evil Twin

21
Q

An address associated with an application running on the system is known as a (MAC address, IP address, port number). Pick one.

A

port number

22
Q

This is an attack on a network layer protocol that resolves application layer addresses to network layer addresses. It can be used to redirect the user to a malicious Web site where authentication credentials can be obtained.

  • DNS Poisoning
  • ARP Poisoning
  • IP Spoofing
  • Smurf Attack
A

DNS Poisoning

23
Q

Which of the following is not a range used by NAT for private IP addresses?

a. 10.0.0.0 – 10.255.255.255
b. 172.16.0.0 – 172.31.255.255
c. 192.168.0.0 – 192.168.255.255

A

172.16.0.0 – 172.31.255.255

24
Q

An attack in which the system is flooded with packets to make it unavailable to others is a _____________.

A

DoS or DDoS

25
Two documents that are hashed produce the same digest (output). This is called a/an ____________.
collision
26
A MAC function uses what as inputs?
Shared key and message
27
T or F. If the hashing algorithm is known, it can be reverse-engineered to figure out the object that was hashed.
F
28
T or F. Multi-factor authentication increases the probability of a false positive.
F
29
T or F. The most stringent form of access control is DAC.
F. MAC is the most stringent
30
Authentication through the process of measuring physiological or behavioral characteristics is ___________.
biometrics
31
T or F. A centralized access control system in which users from different companies can access resources using a single sign on is called identity management.
F
32
An authentication system that uses tickets to manage user access is called _______.
Kerberos
33
A firewall that checks data at an application layer is called a/an: A. Stateful packet inspecting firewall B. Stateful packet inspecting firewall C. Deep packet inspecting firewall D. Host-based IDS
Deep packet inspecting firewall
34
George’s IDS baselined the amount of traffic to the email server. One morning, his IDS alerts that the traffic at the server is in considerable excess to that expected. This type of IDS would be: - Anomaly-based - Host-based - Signature-based
Anomaly-based
35
An IDS that takes action, such as blocking a port at the firewall, when an intrusion is identified is called a/an: _________________
IPS, or active IDS
36
A team that responds to a security incident is known as a/an _________________.
Computer Security Incident Response Team (CSIRT)
37
The first three steps in an Incident Response Process are Detection, Analysis, and ____________.
Escalation
39
Laws that deal with information technology are called ____________.
Cyberlaw
40
T or F. It is legal for email providers to read your personal email.
T
41
T or F. Backup tapes should be stored onsite so they are accessible.
F. Really a trick question – a copy should be accessible; however, make certain you store them off-site so they are preserved if the building burns down.
42
The process of retrieving deleted data from a hard drive is called A. Data carving B. Data recovery C. Anti-forensics D. Data delineation
Data carving
43
Laws that criminalize bad behavior by imprisonment are known as ___________ A. Cyberlaw B. Civil Law C. Criminal Law D. Administrative Law
Criminal Law
44
Disconnecting the systems infected with a virus so that other systems don’t become infected is done during the ___________ stage of an incident response. - Containment - Reporting - Escalation - Recovery
Containment
45
Which of the following forensics assessment types is characterized by looking at active connections? - Network analysis - Media analysis - Software analysis - Forensic analysis
Network analysis
46
A DoS attack in which the attacker sets up multiple connections, but never completes the connections, is called a/an: - TCP SYN Flood - Fraggle - Smurf - Ping of Death
TCP SYN Flood
47
T or F. Blocking an attacker’s address at the firewall is known as IP Spoofing.
F
48
In a TCP 3-way handshake, which packet closes the communication? A. SYNCED B. SYN-ACK C. ACK D. FIN
SYN-ACK
49
129.10.15.8:80 is called a/an _______________.
socket – it's a combination of an IP address and a port number
50
T or F. An attack in which network traffic is captured and re-sent is called a Replay Attack.
T
51
T or F. Users who bring in modems or other devices to circumvent security controls on a network create backdoors.
F
52
Which class of fire extinguisher would be used on an electrical fire? - A - B - C - D
C
53
What are the 3 As of Forensics?
- Acquisition (i.e. duplicating the drive, collecting evidence) - Authentication (hashing the files on the drive) - Analysis (finding the evidence).
54
A document that accompanies the evidence to show where it goes, who has it, and what was done is called a/an: ________________.
Chain of Custody
55
An attack in which an attacker’s content is viewed in your browser when you access the website is called a/an _____________.
Cross-site Scripting (XSS)
56
An attack in which the malware is delivered to your system using pixels on the page that are too small for you to see is called ____________.
iFrame attack
57
Small sensors or other devices with microcode or small amounts of firmware that are used to control the nation’s critical infrastructure is called _________.
Industrial Control Systems
58
T or F. A buffer overflow attack that redirects the system to instructions of the attacker’s choosing is a heap overflow.
F. This is a stack overflow
59
Which of the following would not be a method of preventing SQL Injection attacks? -Least permissions on database accounts -Encrypting input – what good would this do? The command would just be decrypted before it executed. -Use of stored parameters -Input validation
Encrypting input – what good would this do? The command would just be decrypted before it executed.
60
George performs full-volume backups every Friday. Mondays – Thursdays, he performs incremental backups. On Tuesday, he has a catastrophic failure of his hard drive array before the backup runs. What tapes, and in what order would be installed? How much data would he lose? A drive array that provides fault tolerance by copying everything written to one set of drives to a spare set of drives is RAID ______. A drive array that provides no fault tolerance is RAID _________.
- Friday full, Monday. Tuesday didn’t run, so it is not available. He lost all day on Tuesday. - RAID 1 - Mirroring - RAID 0 - Striping
61
The security service that deters an individual from claiming that he or she did not take part in a transaction is:
Non-Repudiation
62
Your student records contain a lot of personally identifiable information, such as SSNs, that can lead to identity theft. Which of the following security services is the most important to protect against that?
Confidentiality
63
You receive an email stating you won the London Lottery (although you’ve never played the London Lottery). Which of the following security services would be necessary to know that this email was really from the London Lottery?
Authentication
64
T or F. The more usable a system is, the more secure it is.
F
65
A snowstorm has knocked out Blackboard. Which of the security services has been negatively impacted?
Availability
66
You are a security officer for a hospital, and are worried about a hacker accessing electronic health records and changing blood type and other patient information in the record. Which of the following security services would be implemented to detect unauthorized changes to the record?
Integrity
67
Malware that constantly changes its characteristics in order to avoid detection by anti-virus software is called a/an:
Polymorphic Virus
68
The potential to negatively impact the security of a system is known as a/an
Threat
69
Which of the following is NOT a type of threat? a. Attack b. Natural event c. Breach d. Human error
C. Breach
70
Which of the following is NOT another term for a successful attack? a. Advanced Persistent Threat (APT) b. Compromise c. Incident d. Event
d. Event
71
Oops!!! You downloaded what you thought was a loan calculator for a new car you want, and you have infected your PC with malware. This type of malware is considered to be a/an ______________.
Trojan Horse
72
Malware that autonomously replicates from one system to another, without user action is known as a/an:
Worm
73
T or F. A car alarm is a detective control.
T
74
T or F. Malware that delivers its payload when a person is no longer on the company payroll, as an example, is considered to be a time bomb.
F
75
T or F. A tape backup of your files, so that they can be restored in the event your computer crashes, is considered a preventive control.
F
76
T or F. An attack that occurs against a company that takes advantage of a previously unknown vulnerability is known as a zero day attack.
T
77
T or F. If your boss asks you to port scan a competitor's site, or gain access to test their security, you may do this as long as you have asked your boss to place his request in writing.
F
78
A ___________ is a document that your company provides to you that describes the expectations employees are to follow with regard to their ethical behavior.
Code of Conduct
79
Which of the following would contain mandatory security controls that need to be implemented? a. Standard Operating Procedures b. Standards c. Guidelines d. Policies
b. Standards
80
Kathy and Betty have to both log in at a computer in order to run a sensitive program. Which of the following describes this? a. mandatory vacation b. Segregation of duties c. Least privilege d. need-to-know
b. Segregation of duties
81
T or F. In order to be protected, material to be copyrighted must be formally registered and marked with a copyright symbol. ©
F
82
Which of the following is not a best practice to promulgate security policy? a. require acknowledgement in writing b. send an email out c. post policies online on a site that appears when users log in d. schedule training sessions
b. send an email out
83
This security framework would be used by commercial organizations. It addresses 11 different areas that should be addressed with security controls. a. COBIT b. COSO c. ISO 27000 series d. FISMA
c. ISO 27000 series
84
You, as a user on a network, decide one day to fire up and use Wireshark (a packet tracer that captures all network packets on a network) on your boss’ network. Without authorization, this is a felony violation of what law below? a. COPA b. ECPA c. U.S. Patriot Act d. Terrorist Surveillance Program
b. ECPA
85
Bob has a key employee in a critical IT position. He is worried about the possibility of the employee committing undetected fraud. Which of the following is the best personnel security control he can implement to control this? a. Segregation of duties b. need to know c. Least privilege d. mandatory vacation
d. mandatory vacation
86
On your company’s network, you have no expectation of privacy. Which of the following is the principle or law that provides an expectation of privacy from unlawful search and seizure? a. 4th amendment b. ECPA c. 1st Amendment d. U.S. Patriot Act
a. 4th amendment
87
George has implemented a new technology that centrally allows him to manage all of the users on his network. He is able to provision them and, when they leave, click on one button to disable their accounts. This is an example of: a. Federated Identity b. Kerberos c. Identity Management d. Radius
c. Identity Management
88
Betty tries to go in to the Payroll folder, to which she doesn’t have access. It logs the event and, when the supervisor sees it, she is fired. The fact that logging was being performed on this relates best to: a. Authorization b. Auditing c. Access control d. Authentication
b. Auditing
89
In Blackboard, students can access their own work only, however the TA can access everyone’s work. The Professor can do all of that and also add people to the course. This is an example of which type of access control? a. Mandatory b. Rule based c. Discretionary d. Role based
d. Role based
90
An older type of authentication service that was popular with dial-up services is:
RADIUS
91
T or F. Bob is a network administrator for Acme Products. He has had no problems with physically accessing the fingerprint reader for the last month, however today he walked up to it, put his finger on the scanner, and was denied access. This is an example of a false acceptance.
F
92
Windows and UNIX are examples of which Access Control Model? a. Rule based Access control b. Discretionary c. Role based Access control d. Mandatory access control
b. Discretionary
93
T or F. Requiring multi-factor authentication results in higher false rejection rates.
T
94
You enter your user ID and your password. Which of the 3 As does this address?
Authentication
95
What are the 3 As of forensics?
Authentication Analyze Acquisition
96
In 1959, a 500-block area of Manhattan lost complete electrical power for more than 13 hours. This was a/an: a. Brownout b. Fault c. Sag d. Blackout
d. Blackout
97
Barbara updated the Disaster Recovery Plan to include instructions on how personnel should safely evacuate the building in the event of a hazardous spill or fire. This is an example of which type of physical security group of controls? a. Operational b. Technical c. Physical d. Administrative
d. Administrative
98
A type of motion detector that alerts when there is a change of lighting in the room is: a. Infrared b. Wave based c. Heat based d. Passive audio
a. Infrared
99
T or F. We would first want to implement a security control that denies physical access to unauthorized individuals.
F
100
T or F. A static charge of 17000 volts can cause permanent damage to circuits and equipment.
T
101
The type of forensics that would examine logs from Wireshark to track when a hacker came through the firewall would be: a. Forensic Analysis b. Media Analysis c. Code Analysis d. Network Analysis
d. Network Analysis
102
Which of the following fire extinguishers would you use on a fire in your server room? Class: a b c d
Class C - electrical fires
103
T or F. Tracking the average time it takes to fix a printer is an example of MTTR.
T
104
T or F. The process of recovering files that have been deleted on a hard drive and are resident in its slack space is called file carving.
T
105
T or F. The primary problem with symmetric encryption is that it is slow.
F
106
T or F. The primary issue with asymmetric encryption is that it can be difficult verifying who sent you the public key.
T
107
T or F. An attack in which the attacker tries to match passwords protecting crypto keys to real words is called a brute force attack.
F
108
The process of “cracking” a key is called ___________
Cryptanalysis
109
___________ uses a shared key to both encrypt and decrypt a. Hashing b. HMAC c. Asymmetric d. Symmetric
d. Symmetric
110
A _________ cipher leaves all of the characters, just rearranging them. a. Transposition b. Substitution c. Hybrid d. Product
a. Transposition
111
Let’s say you are shopping online at Amazon and see the lock and https. Which key is used in a hybrid crypto system to encrypt the session keys that are sent back to Amazon? a. A shared key shared between you and Amazon b. Amazon’s private key c. Amazon’s public key d. None, the transmission isn’t encrypted until the session keys are received by Amazon
c. Amazon’s public key
112
Meaningful data that you can read is called
plaintext
113
George wants to send an email to Gary and doesn’t want anyone else to be able to read it. Which key will be used to encrypt it? a. George’s private key b. Gary’s private key c. Gary’s public key d. George’s public key
c. Gary’s public key
114
When Gary receives the email, which key will be used to decrypt it? a. Gary’s private key b. George’s private key c. George’s public key d. Gary’s public key
a. Gary’s private key
115
T or F. A digital signature is an encrypted message digest (hash).
T
116
Which key will be used to verify that it did come from Eva? a. Eva’s public key b. Don’s public key c. Don’s private key d. Eva’s private key
a. Eva’s public key
117
If Eva wants to digitally sign a message that she is sending to Don, which key is used to encrypt the message digest to prove it came from Eva? a. Eva’s private key b. Don’s public key c. Eva’s public key d. Don’s private key
a. Eva’s private key
118
T or F. DES is an asymmetric encryption algorithm.
F
119
T or F. A hashing algorithm will produce a string of characters that is the same size regardless of the object being hashed. As an example, you can hash a single file on your hard drive and the output string will be the same size as if you were to hash the entire hard drive.
T
120
T or F. A collision, in terms of hashing, is when two different documents produce different hashes.
F
121
T or F. An example of a hashing algorithm is MD5.
T
122
A MAC or HMAC can provide some assurance of authentication of origin, but not such that it might stand up in court if there is a dispute and the sender says “I didn’t send it” for which of the following reasons? a. It uses a key shared between the two individuals. b. The key is public. c. It isn't really designed to provide for authentication of origin. d. It uses a very weak algorithm.
a. It uses a key shared between the two individuals.
123
Which of the following is not true about hashes? a. A hash results in a fixed-size output b. A hard drive that is hashed will produce the same size output as a file that is hashed, if using the same algorithm c. It can be decrypted to reveal the contents of whatever was hashed d. Provides integrity services
c. It can be decrypted to reveal the contents of whatever was hashed
124
T or F. When attacked, a valid response is to counter-attack in order to stop the attacker from accessing more information.
F
125
T or F. When an IDS alerts to an attacker on the network, an email should be sent to the administrator so that they can respond right away.
F
126
T or F. An active IDS is also known as an IPS (Intrusion Prevention System) and can work with the firewall to block malicious traffic when it is detected.
T
127
Which of the following is an example of a “socket”? a. AA-FC-1B-FD-44-BE b. 129.10.16.8:8080 c. None of the above d. www.gmu.edu:8080
b. 129.10.16.8:8080
128
This type of firewall only filters incoming traffic based on a set of defined rules (i.e. allowed IP addresses) a. Stateful or dynamic b. Circuit-based c. Deep packet inspection d. Static or stateless
d. Static or stateless
129
This type of firewall can read into the application layer to block malware and suspicious web content. a. Static or stateless b. Circuit-based c. Stateful or dynamic d. Deep packet inspection
d. Deep packet inspection
130
A type of network attack in which a web server, such as www.gmu.edu, is overwhelmed with connection requests until it can't allow any more connections. a. SYN attack b. Replay attack c. Fraggle attack d. Smurf attack
a. SYN attack
131
Users who bring in a modem or other device to circumvent security controls can inadvertently create a _____________ ?
Back channel
132
An IDS creates a baseline of traffic to an email server, registering that normal protocols are SMTP, POP, IMAP, etc. One day, a TELNET packet comes into the network - headed for the email. The email server alerts on this as it has not been seen before. This type of IDS is best described as a/an___________ IDS.
Anomaly based
133
Which of the following is not a reason to implement an IDS? a. To filter out subnets you don’t want to access your network. b. To gather information about servers that might be of interest to attackers (maybe with an unreported vulnerability) c. To collect information after an attack occurs. d. To identify malicious traffic and block that traffic.
a. To filter out subnets you don’t want to access your network.
134
T or F. An attack in which content not visible to the person accessing the site is executed in their browser as an invisible popup from the attacker is called a cross-site scripting attack.
F
135
T or F. An attack in which more data than what was designed to be held by a program’s allocated RAM, allowing data to be corrupted, is known as a stack buffer overflow attack.
F
136
T or F. A package of crypto tools that secure email, including symmetric and asymmetric encryption, is called PGP.
T
137
T or F. A problem with SNMP is that, in versions under Version 3, it passes data and the password in plaintext.
T
138
You are monitoring for attacks on your network and see that someone has Telneted to port 25. Which service might they be attacking? a. SNMP b. CMIP c. SMTP d. HTTP
c. SMTP
139
Mason students are often the target of _________ attacks, in which large groups of individuals are targeted. In this example, you might receive an email from the “IT Help Desk” asking you to visit a link and change your password. a. phishing b. vishing c. spear phishing d. whaling
c. spear phishing
140
Systems (sensors and actuators) that control pieces of the nation’s critical infrastructure are called a. Critical Infrastructure Control Systems b. Industrial Control Systems c. Information Control Systems
b. Industrial Control Systems
141
An attack in which database commands are inserted into a database from a web-based form is a/an: a. iframes attack b. redirection c. cross-site scripting attack d. SQL injection
d. SQL injection
142
Developers can prevent SQL injections by ensuring ___________ in their web forms. a. API checking b. the use of multi-factor authentication c. Input sanitization d. Type setting
c. Input sanitization
143
Which of the following is not a VoIP issue? a. Calls sent over unencrypted networks b. Gateway vulnerabilities c. Phone calls are subject to EMI, which negatively impacts call clarity d. Misconfigured phones can result in interception of voice calls
c. Phone calls are subject to EMI, which negatively impacts call clarity
144
T or F. A concern during the Containment phase of the Incident Response Process is that you might reload the attacker’s rootkit.
F
145
T or F. If you run Wireshark at work to capture traffic on your network without your permission, you could be prosecuted under Section 2511 of the 18 U.S.C. 1030 (ECPA).
T
146
T or F. An off-site location that has all of the hardware/software necessary to transition operations over to it in the event of a disaster is called a warm site.
F
147
T or F. The Federal Rules of Evidence govern what evidence can be considered admissible in court.
T
148
The activity that is concerned with how a company will continue to meet their mission, even in the event of a disaster such as a fire or flood is called: a. Emergency Response Procedures b. Disaster Recovery Planning c. Business Impact Analysis d. Business Continuity Planning
d. Business Continuity Planning
149
The first priority for disaster response should be: a. Backup media b. Remote access c. Paper records d. Personnel safety
d. Personnel safety
150
The best definition of downtime tolerance is: a. The maximum amount of downtime a business could sustain before bankruptcy b. The method used to recover backup data c. The location of the recovery site d. The maximum amount of data loss
a. The maximum amount of downtime a business could sustain before bankruptcy
151
The step, or phase, in which investigators might disconnect workstations from the network to prevent them from becoming infected would be the __________ phase. a. Investigation b. Tracking c. Analysis d. Containment
d. Containment
152
T or F. A Data Manipulation Language trigger would issue an alert if the properties of a table were altered or dropped.
F
153
This version of RAID provides fault tolerance and requires at least 3 drives to implement. It stripes data across all of the drives, and adds some redundant (parity) information, also striped across the drives.
RAID 5
154
This version of RAID provides no fault tolerance and requires at least 2 drives to implement.
RAID 0 (no fault tolerance)
155
A backup that is performed as each file is being worked on (saving it to a different location) is called a. Shadowing b. Incremental c. Image d. File/Directory Data Backup
a. Shadowing
156
A company has a field office in San Antonio and another in Seattle. They decide to back up data in real time from one field office to the other. This is called: a. Warm site b. Data Loss Prevention c. Continuous Data Protection d. Digital Rights Management
c. Continuous Data Protection
157
A set of policies, procedures, and systems designed to prevent sensitive data from being released to unauthorized individuals is called: a. Continuous Data Protection b. Hot site c. Digital Rights Management d. Data Loss Prevention
d. Data Loss Prevention
158
Which of the following is not a database security method? a. Rename the admin and guest accounts. b. Run the database under the Admin account to ensure that all of the protections are enabled. c. Restrict users to only the columns and rows that they need to access d. Sanitize user input.
b. Run the database under the Admin account to ensure that all of the protections are enabled.
159
You want to sell your laptop so you can buy a new one. Which method do you use to ensure that the data on the drive is not recoverable, but the drive is still usable? a. Pulverize the drive b. Delete the data and empty the Recycle Bin c. Delete the data d. Wipe the drive
d. Wipe the drive
160
A/an ___________ is a search tool that combines results from multiple sites. a. Mashup b. Spiders c. Web scrapers d. Search engine
a. Mashup