Exam

Question 1

The common resources that can be targeted in DoS attacks are ___ and ___ ?

Answer 1

The common resources that can be targeted in DoS attacks are network bandwidth (for network) and system resources (like memory and CPU).

Question 2

Lamport’s one-time password scheme relies on using hash functions that are ___ and ___ .

Answer 2

Lamport’s one-time password scheme relies on using hash functions that are one way and collision resistant.

Question 3

Examples of each of the main authentication bases are … ? (Three examples)

Answer 3

1. Something you know (password, PIN, security questions)
2. Something you have (Security Tokens, smart cards, etc.)
3. Something you are (Fingerprint, Facial Recognition)

Question 4

“Online” and “Offline” attacks differ in that ___.

Answer 4

• Online requires the connection to be active, therefore imposing certain restriction for breaking a password.
• Offline does not require the connection to be active, therefore has unlimited chances to break the password.

Question 5

A minimum time between password changes is specified so users ___.

Answer 5

So that users do not change their password too often in a short period - which could lead to weaker password choices.

Question 6

Two security properties of cryptographic hash functions are ___ and ___.

Answer 6

1. Collision Resistance - Hard to find two different inputs that produce the same hash.
2. Preimage Resistance - Difficult to figure out the original input from its hash.

Question 7

A mechanism capable of distinguishing between humans and computers may be a ___.

Answer 7

CAPTCHA

Question 8

3 classes of intruders that an IDS may attempt to find are…?

Answer 8

1. Clandestine Users - Individuals who gain unauthorised access to privileged system resources or data.
2. Masqueraders - Users who access the system by impersonating another legitimate user, often through stolen credentials.
3. Misfeasor - A legitimate user who has authorised access but uses them in an improper or unauthorised manner.

Question 9

Two primary properties used in malware classification are ___ and ___.

Answer 9

1. Functionality - What the malware does such as stealing data, encrypting files for ransom or causing system damage.
2. Propagation Method - How the malware spreads, like through email attachments, infected websites, or network vulnerabilities.

Question 10

Race conditions can occur when ___ and can result in ___.

Answer 10

Race conditions occurs when two or more processes try to change or access the same data at the same time and can result in unpredictable or incorrect behaviour in a system.

It’s like two people trying to edit the same document simultaneously without coordinating. If they don’t take turns properly, they might overwrite each other’s changes or create confusion.

Question 11

Phishing emails are typically sent in bulk because ___.

Answer 11

Phishing emails are typically sent in bulk because attackers want to increase the chance of victims falling for the scam.

Question 12

The Biba model is for the purpose of ___ while BLP is for the purpose of ___.

Answer 12

The Biba model is for the purpose of ensuring data integrity, while BLP (Bell-LaPadula) is for the purpose of maintaining data confidentiality.

The Biba model focuses on preventing unauthorized users from modifying sensitive data, thereby ensuring that the information remains accurate and uncorrupted.
The Bell-LaPadula model, on the other hand, is primarily concerned with keeping sensitive information secret and preventing unauthorized access to it.

Question 13

SYN flooding is an example of ___.

Answer 13

Denial of Service attack (Dos).

Question 14

To be stateless means ___ and is relevant in the context of ___.

Answer 14

To be stateless means each request from a client to a server is treated as completely new, with no memory of past interactions.

It is relevant in the context of client puzzle connection protocol.

Question 15

What’s the difference between spear phishing and general phishing?

Answer 15

Spear Phishing is targeting a specific person.

General Phishing is targeting all victims and expecting some to be fooled.

Question 16

Three types of malware are?

Answer 16

1. Viruses
2. Trojan Horses.
3. Worms

Question 17

The term “shellcode” refers to ___ and is relevant in the context of ___.

Answer 17

“Shellcode” refers to code that hackers use to control a compromised computer system.

It’s important in the context of computer security breaches and attacks.

Question 18

The difference between logging and auditing is ___.

Answer 18

Logging - involves recording detailed information about events and actions in a system.

Auditing - the process of reviewing and analysing these log files to check for anything unusual or important.

Question 19

A firewall cannot typically protect against ___ or ___.

Answer 19

• Internal Threats: These are threats originating from within an organization, such as a malicious employee. Since firewalls are designed to monitor and control incoming and outgoing network traffic, they are less effective against threats that originate inside the network.
• Social Engineering Attacks: These are techniques that trick people into revealing sensitive information or performing certain actions. Since these attacks exploit human vulnerabilities rather than technical ones, firewalls, which focus on network traffic, cannot prevent them.

Question 20

The purpose of sanitisation in the context of auditing is to ___.

Answer 20

The purpose of sanitization in the context of auditing is to hide or delete sensitive information from data to protect privacy while still allowing the data to be reviewed or analyzed.

Question 21

Part B

Describe two distinct types of attack against password systems and the countermeasures against each of those attacks.

Answer 21

Brute Force Attack - The attacker trying every possible password combination until the correct password is found.

Countermeasure - Implement rate limiting where user gets locked out after certain amount of failed attempts.

Phishing Attack - The attacker tricks a user into revealing their password.

Countermeasure - Educating the dangers of phishing and how to recognise it. In addition, use 2FA for extra layer of security.

Question 22

Part B

Describe two general “good practices in coding”. For each of them explain why they are appropriate and give an example off what could go wrong if that practice is not followed.

Answer 22

1. Never store secrets in code :

Importance - Keeping passwords or keys in code is risky because if somebody gets the code, they get the secrets too.

Risk of not following - If a sensitive API is stored in the code, and leaked, the attacker can use this API to interact with the 3rd party services leading to incurred cost or accessing restricted data.

2. Set default to deny instead of default to allow :

Importance - This means only giving access when necessary and not letting anyone has access unless they’re specifically granted.

Risk of not following - If default is set to allow, someone could easily access things they shouldn’t.

Question 23

Part B

Explain what tailored attacks are. Give some specific examples in two different domains and explain how they perform relative to the others attacks in those domains.

Answer 23

1. Corporate Espionage.

Example - An attacker might gather detailed information about a company’s IT infrastructure and employee habits. The attacker then spear phishes specific employees with high levels access, using information they gathered to form believable scams for the target to fall into.

Performance relative to other attacks - Tailored attacks in corporate settings are typically more successful than generic attacks because they use specific gathered information to bypass security measures and exploit human vulnerabilities effectively.

2. Government or Political Targeting.

Example - A state-sponsored group might conduct a tailored attack against another government’s infrastructure, like targeting a specific power grid or election system. They would use knowledge about the system’s architecture and possibly even insider information to create a precise, damaging attack.

Performance Relative to Other Attacks - In the realm of government or political systems, tailored attacks can be more dangerous than widespread attacks because they are designed to undermine specific, critical functions or to gather highly sensitive information, often going undetected for longer periods due to their sophisticated and targeted nature.

Question 24

Part C

Explain how Unix protects user passwords

Answer 24

Unix protects password using a layered approach.

1. Passwords are hashed.
2. Salting is then added to ensure each password hash is unique.
3. The password file is then stored securely so that it’s not easily accessible to unauthorised users.
4. File permissions restricts access to the password file to root or privileged processes.

Question 25

What is a malware that reproduces?

Answer 25

A Virus

Question 26

Inference is the derivation of ___ from ___.

Answer 26

Inference is the derivation of sensitive information from non-sensitive, typically aggregate data.

Question 27

Error-based SQL injection uses ___.

Answer 27

Error-based SQL injection uses Error messages thrown by the database server to obtain information about the structure of the database.

Question 28

The principle of least privilege implies we should ___ .

Answer 28

The principle of least privilege implies we should grant users only the access necessary to perform their duties.

Question 29

The common ground between misfeasors and masqueraders is that both ___.

Answer 29

Both have the password for a legitimate account.

Question 30

What is the Biba mandatory rule?

Answer 30

No read down, no write up.

Question 31

DoS amplification is characterised by ___.

Answer 31

DoS amplification is characterized by using a small initial input to generate a large amount of traffic.

Question 32

Explain the relevance of false positives and false negatives in the context of intrusion detection. Give an example of each.

Answer 32

False Positive : It is when the system wrongly identifiers normal activity as an attack. For example, the security system flags an employee for downloading a large file for work as a potential data theft.

False Positive : It is when the system does not recognise an attack, thinking it is normal activity. For example, the system thinks everything is ok when the hacker’s methods were stealthy and disguised as normal traffic.

Question 33

Briefly explain the idea of rainbow tables and what they are used for?

Answer 33

Rainbow tables are a tool used to crack passwords by reversing the hashing process.

Hackers use them to quickly find a password if they already have its hashed version.

The purpose is to reverse the hash function and finding the original password from a hash.

Question 34

Why could using the same password on multiple sites be a problem?

Answer 34

Using the same password on multiple sites can be a problem because if an attacker successfully guesses the correct password on one site, the attacker can then use that same password on another site, which if it’s the same password, can grant the attacker access.

Question 35

Describe how virus and worm propagation differs?

Answer 35

Virus propagates by attaching itself to legitimate programs or files. This requires user interaction to spread.

A worm replicates itself to spread to other computers, usually without any human interaction.

Question 36

Describe two methods we might use to detect a trojan horse. Explain when each would be appropriate.

Answer 36

1. Signature-based detection - This uses a database of known trojans signatures to scan and compare. If a match is found, the system flags it as a potential trojan.
2. Behavioural Analysis - This method analyses the behaviour of a program/system. If there is unusual activity, the system flags it as a potential trojan.

Question 37

What is ransomware and what does it attempt to do?

Answer 37

Ransomware is malware that encrypts a user’s files, then demands payment for the decryption key. It’s a way for attackers to extort money by holding the victim’s data hostage.

Question 38

What is a Trojan horse malware?

Answer 38

A trojan is a type of malicious software that disguises itself as a legitimate program to deceive users into installing it. Once installed, it can perform a range of harmful actions such as stealing data.

Question 39

What is a honeypot?

Answer 39

A honeypot is a cybersecurity mechanism designed to mimic one or more aspects of a computer system such as servers, networks or applications.

Its primary role is to attract cyber attackers and serve as a decoy to lure attackers away from legitimate systems while gathering information about attacker methods and behaviour.

Question 40

Describe a typical deceptive phishing process.

Answer 40

A deceptive phishing is the most common type of phishing scam.

In this process, an attacker impersonates a legitimate entity and trick individuals into revealing sensitive information such as their account username and passwords, credit card numbers etc.

For example
1. Impersonation: Attacker poses as a trusted entity via email.
2. Urgency: Email prompts immediate action, creating urgency.
3. Fake Link: Email contains a link to a counterfeit website.
4. Data Entry: Victim enters personal information on the site.
5. Data Theft: Attacker harvests data and may redirect to a real site to avoid suspicion.

Question 41

Describe three components of a virus.

Answer 41

1. Infection mechanism - This is how the virus enters and spreads in a system.
2. Payload - This is the malicious actions that the virus performs like deleting files or stealing data.
3. Trigger - This is a specific condition or event that activates the virus’ payload.

Question 42

Name and describe the two types of errors that occur in authentication systems.

Answer 42

1. False Positive - An example would be the system incorrectly accepts an unauthorised user entry into the system, thinking it is a legitimate user.
2. False negative - An example would be the system wrongly rejects or fails to recognise an authorised user, denying them access.

Question 43

One type of malware that reproduces is…?

Answer 43

Worm

Question 44

Password registration typically involves a user entering a password twice because ___.

Answer 44

Passwords are entered twice to ensure that the passwords are correctly entered and to avoid typing errors. If the two entries do not match, there must be a typo in either password.

Question 45

The principle of least privilege implies we should ___.

Answer 45

The principle of least privilege implies we should only grant users only the access and permissions that are necessary to perform their duties or tasks.

This means by default, access should be to “deny” and not “allow”.

Question 46

External traffic in a honeypot can all be usefully analysed because ___.

Answer 46

External traffic in a honeypot can all be usefully analysed because it is assumed that any interactions with a honeypot are likely to be malicious or unauthorised as honeypots are decoys used to attract attackers and capture their activities.

Question 47

Two types of activity we would expect to log in a computer system are ___ and ___.

Answer 47

1. User authentication attempts.
2. System changes.