Final Exam Flashcards
Firewalls can stop hackers from breaking into your system
true
Firewalls can stop internet traffic that appears to be from a legitimate source
false
Firewalls can stop viruses and worms that spread through the internet
true
Firewalls can stop spyware being put on your system
false
Firewalls can stop viruses and worms that are spread through email
false
Lists the types of traffic authorized to pass through the firewall
Firewall access policy
________ is developed from the organization’s information security risk assessment and policy, and a broad specification of which traffic types the organization needs to support
Firewall access policy
Firewalls cannot protect against ____ or ____
Traffic that does not cross the firewall (routed around it, or purely internal traffic)
A misconfigured firewall
Malware can disable:
A) Software Firewalls
B) Hardware Firewalls
C) Antivirus checkers
A & C
Firewalls can stop/control
A) Pings
B) Packet sniffing
C) Outbound network traffic
A & C
This type of firewall filtering makes decisions on a packet-by-packet basis
Packet Filtering (no state information is saved)
________ is the simplest and most efficient type of firewall filtering
Packet Filtering
What are packet filtering rules based on?
Information contained in the network packet:
- Source IP address
- Destination IP address
- Source and destination transport-level address (port number)
- IP protocol field
- Interface (which port the packet arrived on or is headed out of)
What are the 2 default policies of firewall packet filtering?
Discard (prohibit unless explicitly allowed) -> more conservative and more secure
Forward (permit unless explicitly forbidden) -> easier to manage, but less secure
What are the advantages of a Packet Filtering firewall?
- Simplicity
- Typically transparent to users and very fast
What are the disadvantages of a Packet Filtering firewall?
- Cannot protect against attacks that use application-specific vulnerabilities
- Limited logging functionality
- Vulnerable to attacks and exploits that take advantage of problems in the TCP/IP specification and protocol stack (e.g. address spoofing)
- Susceptible to security breaches caused by improper configuration
Packet filtering countermeasure:
_____ discard packets with an inside source address if the packet arrives on an external interface
IP Address spoofing countermeasure
Packet filtering countermeasure:
____ discard all packets in which the source specifies the route (source routing option set)
Source routing attacks countermeasure
Packet filtering countermeasure:
_____ enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header
Tiny fragment attack countermeasure
Packet Filtering
In order for a fragmented packet to be successfully reassembled at the destination, each fragment must obey the following rules:
A) Must not share a common fragment identification number
B) Each fragment must say what its place or offset is in the original unfragmented packet
C) Each fragment must tell the length of the data carried in the fragment
D) The fragment does not need to know whether more fragments follow this one
B & C
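Added example, not part of the flashcards or the course material: a toy stateless packet filter in Python that applies the default-discard policy and the three countermeasures from the cards above (anti-spoofing, source-route rejection, tiny-fragment rejection). The interface names, the internal address range, the allow-list and the minimum first-fragment size are assumptions; packets are plain dicts constructed for the demo.

```python
"""Toy stateless packet filter: default-discard policy plus the IP-spoofing,
source-routing and tiny-fragment countermeasures. Added example; the
interface names, internal range and header minimum are assumptions."""
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
MIN_FIRST_FRAGMENT_LEN = 20   # assumed: a first fragment must carry a whole TCP header

# Allow-list of (arrival interface, protocol, destination port). Everything
# not listed is dropped, i.e. the default policy is "discard".
ALLOW_RULES = {
    ("ext", "tcp", 80),
    ("ext", "tcp", 443),
    ("ext", "udp", 53),
}


def filter_packet(pkt):
    """Decide one packet on its own, with no memory of earlier packets.

    Returns ('forward' | 'discard', reason)."""
    src = ipaddress.ip_address(pkt["src"])

    # IP address spoofing countermeasure: an inside source address can
    # never legitimately arrive on the external interface.
    if pkt["iface"] == "ext" and src in INSIDE_NET:
        return "discard", "inside source address on external interface"

    # Source routing countermeasure: the sender must not pick the route.
    if pkt.get("source_route"):
        return "discard", "source-routed packet"

    offset = pkt.get("frag_offset", 0)
    more = pkt.get("more_fragments", False)

    # Tiny fragment countermeasure: the first fragment must contain at
    # least the transport header, otherwise the port rules below could be
    # bypassed by pushing the header into a later fragment.
    if offset == 0 and more and pkt["len"] < MIN_FIRST_FRAGMENT_LEN:
        return "discard", "tiny first fragment"

    # A non-first fragment has no transport header to match. A stateless
    # filter cannot tie it back to its (possibly rejected) first fragment;
    # doing that properly needs a stateful firewall.
    if offset > 0:
        return "forward", "non-first fragment, reassembled at destination"

    # Default-discard policy over the allow-list.
    key = (pkt["iface"], pkt["proto"], pkt.get("dport"))
    if key in ALLOW_RULES:
        return "forward", "matches allow rule %r" % (key,)
    return "discard", "no matching rule (default discard)"
```

Note the last branch: because the filter only forwards what is explicitly listed, a packet to port 22 from the outside is dropped without any rule mentioning port 22. Flipping the default to "forward" would make that packet pass, which is why the discard default is the more secure choice.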
a _______ firewall uses a connection state table
stateful inspection firewall
______ acts as a relay of application level traffic (basically a man or system in the middle)
Application-level gateway (or application proxy)
Application level gateways tend to be more secure than packet filters
true
Application level gateways may restrict application features supported
true
An Application level gateway can generically filter traffic for any application
False; must have proxy code for specific applications
A packet filtering firewall is typically configured to filter packets going in both directions
true
A prime disadvantage of an application-level gateway is the additional processing overhead on each connection
true
A packet filtering firewall can decide if the current packet is allowed based on another packet it has just examined
false
A stateful inspection firewall needs to keep track of information of an active connection in order to decide on the current packet
true
A _______ serves as a platform for an application-level gateway, and is a system identified as a critical strong point in the network’s security
bastion host
__________ firewalls are used to secure an individual host
host based firewalls
The primary role of a personal firewall is to ___________
deny unauthorized remote access
______ hides the system from the internet by dropping unsolicited communication packets
stealth mode
A company has a conventional firewall in place on its network. Which (if any) of these situations requires an additional personal firewall:
A) An employee uses a laptop on the company network and at home
B) An employee uses a desktop on the company network to access websites worldwide
C) A remote employee uses a desktop to create a VPN on the company’s secure network
D) None of the above, in each case the employee’s computer is protected by the company firewall
A & C
Typically the systems in the _____ require or foster external connectivity such as the corporate web site, an e-mail server, or a DNS server
A) DMZ
B) IP protocol field
C) boundary firewall
D) VPN
A) DMZ
A _______ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control
A) packet filtering firewall
B) distributed firewall
C) Boundary firewall
D) VPN
B) distributed firewall
Technology and other safeguards for cyber security are largely defensive in nature. The only way they can impact a threat source is by increasing the work factor for an attacker. Can laws be used to reduce the magnitude of threats?
A) YES, laws can provide criminal sanctions against those who commit cyber crime
B) NO, cyber crime has increased even as new laws have been put in place
A) YES
P3L3
Cyber crime is a big problem. According to a recent report, what is an estimate of the cost of cybercrime for the United States?
A) 10 billion dollars
B) over 100 billion dollars
B) Over 100 billion dollars
P3L3
The Computer Fraud and Abuse Act (CFAA) was used to prosecute the creator of the Melissa virus; he was sentenced to federal prison and fined under its provisions. What abuse was perpetrated by the virus?
A) Data stored on computers was destroyed
B) Denial of service attacks that made computers unusable
B) Denial of service attacks that made computers unusable
P3L3
Several people have argued about the overly general and vague language of the CFAA. For example, how exactly is unauthorized access defined? In one case, a company sued its competitor because the competitor’s employees created a trial subscription and downloaded data that was available to its subscribers. Do you think this is a violation of unauthorized access?
A) No, because the data was publicly available
B) Yes, because it potentially can cause financial loss to the company that sued its competition
A) No, because the data was publicly available
P3L3
The DMCA includes exclusions for researchers, but companies have threatened to sue researchers who wanted to publish work related to circumvention of anti-piracy technologies. Which of these is an example of such a threat under the DMCA:
A) The RIAA’s threat against Prof. Ed Felten over his research on removing audio watermarks
B) A research project done by MIT students that found vulnerabilities in the MBTA
A) The RIAA’s threat against Prof. Ed Felten over his research on removing audio watermarks
P3L3
By mistake, a friend sends sensitive health data in an email to you (wrong attachment). You should not read the information in the attached document because:
A) Professional code of ethics requires you to respect the privacy of others
B) You can be liable under CFAA
A) Professional code of ethics requires you to respect privacy of others
P3L3
US-CERT follows a responsible disclosure process for vulnerabilities reported to it. Such a process must:
A) Make vulnerability information available to everyone who may be affected by it immediately
B) Provide a certain period of time for the vendor of the vulnerable system to develop a patch
B) Provide a certain period of time for the vendor of the vulnerable system to develop a patch
In a 2015 Pew survey of American adults’ attitudes about privacy, what percentage felt that it is important that they be able to control who gets information about them?
A) 50%
B) 25%
C) 90%
C) 90%
P3L3
In 2014, the European Court of Justice ruled that EU citizens have the “right to be forgotten” on the internet. For example, Google must not return links to information that can be shown to be “inaccurate, inadequate, irrelevant, or excessive”. Which one of the following is an example of information that Google decided not to return as a search result to meet the ECJ ruling?
A) Story about criminal conviction that was quashed on appeal
B) A doctor requesting removal of links to newspaper stories about botched procedures performed by him
A) Story about criminal conviction that was quashed on appeal
P3L3
The Electronic Frontier Foundation (EFF) ranks websites with privacy scores based on how they deal with issues related to privacy. It gave AT&T one of the lowest scores (1 out of 5). What explains this low score?
A) Does not disclose data retention policies
B) Does not use industry best-practices
C) Does not tell users about government data demands
A) does not disclose data retention policies
and
C) Does not tell users about government data demands
P3L3
Does Google’s privacy policy disclose data retention policy?
No
P3L3
Poor privacy is good for bad guys because they can use information about you to craft:
A) targeted phishing attacks
B) Gain access to your online accounts
A & B
P3L3
The FTC charged Fandango, the online movie ticket purchasing company, for not protecting user privacy. This action was taken because Fandango:
A) Shared user data without informing users
B) Did not secure user data
B) did not secure user data
P3L3
If a company tracks your activities based on your machine’s IP address, one possible defense against it is to:
A) Disable cookies
B) Use Tor
B) Use Tor
P3L3
Cyber security planning and management in an enterprise must define allowed computer and network use by employees. Georgia Tech’s computer and network use policy strives to do this for students, faculty, and staff. What is required by this policy?
A) Georgia Tech passwords should be changed periodically
B) A compromise of a computer should be reported to someone responsible for cyber security at Georgia Tech
C) Georgia Tech computers cannot be used to download illegal content
A) Georgia Tech passwords should be changed periodically
B) A compromise of a computer should be reported to someone responsible for cyber security at Georgia Tech
C) Georgia Tech computers cannot be used to download illegal content
P3L1
A botnet operator compromises a number of computers in a company. The malware executed by the bots only sends large amounts of spam email but does not exfiltrate sensitive data or interfere with legitimate activities. What is the appropriate action:
A) The company should detect and prevent abuse of its resources by unauthorized parties
B) Since it poses no risk to company’s sensitive data or normal ops it can be ignored
A) the company should detect and prevent abuse of its resources by unauthorized parties
P3L1
A news story in 2014 reported that an inspector general’s report gave the VA a failing grade for the 16th straight year. The CIO of VA discussed a number of challenges that could explain this grade. What are some possible reasons?
A) The need to manage cyber security for over a million devices, each running many services
B) lack of sense of urgency in fixing cyber vulnerabilities
C) Choosing to support key functions even when this could introduce vulnerabilities
A) the need to manage cyber security for over a million devices, each running many services
and
C) Choosing to support key functions even when this could introduce vulnerabilities
P3L1
Chief Information Security Officer (CISO) is the executive who is responsible for information security in a company. Did Target, the major retailer, have a CISO when it suffered its serious breach?
No.
P3L1
Does Georgia Tech’s computer and network use policy prohibit personal use of university resources?
No.
P3L1
GATech systems store student data such as grades. The Institute must protect such data due to:
A) Regulatory reasons (FERPA)
B) Because the data is sensitive it can only be disclosed to the student and his/her family
A) Regulatory reasons (FERPA)
P3L1
Anthem suffered a breach in 2015. Based on an analysis of its response to the breach, did Anthem respond well?
Yes.
P3L1
A company stores sensitive customer data. The impact of a breach of such data must include:
A) Cost of purchasing identity theft protection for customers
B) Loss of business due to reduced customer confidence
C) Compensation for new cyber security personnel the company hires to better manage cyber security in the future
A) Cost of purchasing identity theft protection for customers
and
B) loss of business due to reduced customer confidence
P3L1
A company is considering 2 possible IDS solutions to reduce its exposure to attacks on its network. The first one costs $100K and reduces risk exposure by $150K. The second costs $250K but reduces exposure by $500K. Which would you recommend?
The more expensive one: its risk leverage is $500K / $250K = 2.0, versus $150K / $100K = 1.5 for the cheaper one.
P3L1
Risk leverage =
(Risk exposure without control - Risk exposure with control)/ cost of control
P3L1
Cyber insurance is not very popular. Based on a 2014 survey, what percentage of customers of major insurance brokers were interested in buying cyber insurance?
A) Less than 25%
B) over 50%
A) less than 25%
P3L1
Are cyber security budgets increasing as the number of reported incidents increase?
No.
P3L1
An example of a proactive security measure is:
A) Making sure the company complies with all regulatory requirements
B) Chief risk officer (CRO) of the company addressing cyber risk regularly at highest level (eg board) when other risks are discussed
B) Chief risk officer addressing the board
P3L1
Cookies are created by ads that run on websites
true
P3L2
Cookies are created by websites a user is visiting
true
P3L2
Cookies are compiled pieces of code
false
P3L2
Cookies can be used as a form of virus
false
P3L2
Cookies can be used as a form of spyware
true
P3L2
A web browser can be attacked by any website that it visits
true
P3L2
Even if a browser is compromised, the rest of the computer is still secure
false
P3L2
Web servers can be compromised because of exploits on web applications
true
P3L2
When a user’s browser visits a compromised or malicious site, a malicious script is returned
true
P3L2
To prevent XSS, any user input must be checked and preprocessed before it is used
true (and output must be encoded for the HTML or JavaScript context it is inserted into)
P3L2
Checking the HTTP Referer header to see if the request comes from an authorized page can protect against XSRF
true (a weak defense on its own, since the Referer header may be absent or stripped; use it alongside a token)
P3L2
Using a synchronizer token pattern where a token for each request is embedded by the web application in all HTML forms and verified on the server side can protect agains XSRF
true
P3L2
Logging off immediately after using a web application can protect against XSRF
true
P3L2
Not allowing the browser to save username/password and not allowing web sites to remember user login can protect against XSRF
true
P3L2
Not using the same browser to access sensitive web sites and to surf the web freely can protect against XSRF
true
P3L2
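Added example, not from the flashcards or the course: the synchronizer token pattern in Python. A per-session secret seeds HMAC-derived tokens, the server embeds one in each form, and the handler refuses any state-changing request whose token does not verify. The in-memory session store, the form names and the handler are stand-ins for a real web framework.

```python
"""Synchronizer token pattern for CSRF. Added example; the in-memory session
store and the request handler stand in for a real web framework."""
import hashlib
import hmac
import secrets

SESSIONS = {}   # session id -> per-session CSRF secret (constructed in-memory store)


def start_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def issue_token(sid, form_name):
    """Token the server embeds in a form: bound to this session and this form,
    so a token leaked from one form cannot be replayed against another."""
    return hmac.new(SESSIONS[sid], form_name.encode(), hashlib.sha256).hexdigest()


def verify_token(sid, form_name, token):
    expected = issue_token(sid, form_name)
    return hmac.compare_digest(expected.encode(), token.encode())   # constant time


def handle_post(sid, form_name, fields):
    """Server-side handler for a state-changing request. The session cookie is
    sent automatically by the browser, which is exactly what CSRF abuses; the
    token in the form body is what a cross-site page cannot supply."""
    if sid not in SESSIONS:
        return 403, "no session"
    if not verify_token(sid, form_name, fields.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, "request accepted"
```

A forged cross-site form can make the victim’s browser send the session cookie, but it cannot read the token out of the legitimate page (same-origin policy), so its POST arrives without a valid token and is rejected. Logging out, or not letting the browser keep the login, removes the session that the forged request would ride on, which is why those cards are also marked true.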
________ is the better way to prevent SQL injection
Whitelisting: allow only a well-defined set of safe values rather than blacklisting known-bad characters (in practice, parameterized queries are the primary defense)
P3L2
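Added example, not from the flashcards or the course: a string-built query beside its parameterized form, plus an allow-list check, against an in-memory sqlite3 database with constructed rows. The table and the role names are assumptions for the demo; `lookup_vulnerable` is deliberately injectable.

```python
"""SQL injection: the injectable query, the parameterized fix, and a
whitelist check. Added example with a constructed in-memory database."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db


def lookup_vulnerable(db, name):
    # Deliberately vulnerable: the input becomes part of the SQL text, so a
    # quote in the input changes the structure of the query.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()


def lookup_parameterized(db, name):
    # The placeholder keeps the input as data; whatever it contains, it can
    # only ever be compared against the name column.
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


ALLOWED_ROLES = {"admin", "user"}   # the well-defined set of safe values


def list_by_role(db, role):
    """Whitelisting: anything outside the known set is refused outright,
    before it gets anywhere near the query."""
    if role not in ALLOWED_ROLES:
        raise ValueError("role not in allow-list: %r" % role)
    return db.execute("SELECT name FROM users WHERE role = ? ORDER BY name", (role,)).fetchall()
```

With the classic payload `x' OR '1'='1`, the vulnerable lookup returns every row, the parameterized lookup returns nothing (no user is literally named that), and the allow-list rejects the value before a query is built.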
Eavesdropping is a security threat to WiFi security
true
P2 L11
Injecting bogus messages is a threat to WiFi security
true
P2 L11
Replaying previously recorded messages is a threat to WiFi security
true
P2 L11
Illegitimate access to the network and its services is a threat to WiFi security
true
P2 L11
Denial-of-service is a threat to Wifi security
true
P2 L11
What are the security threats to WiFi?
- Eavesdropping
- Injecting bogus messages
- Replaying previously recorded messages
- Illegitimate access to the network and its services
- Denial of service
P2 L11
_____ is the security standard that should be used for WiFi
WPA2 (WPA3 supersedes it on equipment that supports it)
P2 L11
What are the 3 operating systems with the most vulnerabilities in 2014?
Apple Mac OS X
Apple iOS
Linux Kernel
In iOS, all cryptographic keys are stored in flash memory
false
P2 L11
in iOS, trusted boot can verify the kernel before it is run
true
P2 L11
in iOS, all files of an app are encrypted using the same key
false
P2 L11
How were researchers able to bypass Apple’s App Store security in 2013?
Uploaded an app that morphed into malware after it passed the review process.
P2 L11
What weaknesses were exploited by researchers in Apple’s app security in 2015?
The malware was uploadable to the Apple Apps store
The malware was able to bypass Sandbox security
The malware was able to hijack browser extensions and collect passwords
P2 L11
in iOS, each app runs in a sandbox and has its own home directory for its files
true
P2 L11
All iOS apps must be reviewed and approved by Apple
true
P2 L11
iOS apps can be self-signed by app developers
false
P2 L11
Android apps can be self-signed
true
P2 L11
Android apps can have more powerful permissions than iOS apps
true
P2 L11
IP spoofing is useful for ____________ communication
unidirectional
P2 L10
IPsec can assure that ___________________
A router advertisement comes from an authorized router
a routing update is not forged
a redirect message comes from the router to which the initial packet was sent
P2 L10
Encapsulated Security Payload (ESP) can be used in
A) encryption only mode
B) authentication only mode
C) encryption and authentication mode
A, B, and C
P2 L10
Encapsulated Security Payload (ESP) can provide both confidentiality and integrity protection
true
P2 L10
If the authentication option of ESP is chosen, message integrity code is computed before encryption
false
P2 L10
To protect the confidentiality and integrity of the whole original IP packet, we can use ESP with the authentication option in tunnel mode
true
P2 L10
In Authentication Header, the integrity hash covers the IP header
true
P2 L10
The security association, SA, specifies a two-way security arrangements between the sender and receiver
false
P2 L10
The Security Parameter Index (SPI) is used to help the receiver identify the Security Association (SA) under which to process the inbound IPsec packet
true
P2 L10
If the sequence number in the IPsec header is greater than the largest number of the current anti-replay window, the packet is rejected
false
P2 L10
If the sequence number in the IPsec header is smaller than the smallest number of the current anti-replay window, the packet is rejected
true
P2 L10
The Diffie-Hellman key exchange is restricted to two party communication only
false
P2 L10
An IKE SA needs to be established before IPSec SAs can be negotiated
true
P2 L10
In IKE, the identities of the initiator and the responder, and the messages they exchange, need to be authenticated
(authentication and key exchange)
true
P2 L10
With perfect forward secrecy, the IPSec SA keys are based on the IKE shared secret established in phase I.
false
P2 L10
Most browsers come equipped with SSL and most web servers have implemented the protocol
true
P2 L10
Since TLS is for the transport layer, it relies on IPsec, which is for the IP layer
false
P2 L10
In most applications of TLS or SSL, public keys are used for authentication and key exchange
true
P2 L10
The challenge values used in an authentication protocol can be repeatedly used in multiple sessions
false
P2 L9
The authentication messages can be captured and replayed by an adversary
true
P2 L9
Authentication can be one-way, e.g. only authenticating Alice to Bob
true
P2 L9
A reflection attack is a form of man-in-the-middle-attack
true
P2 L9
To defeat a reflection attack, we can use an odd number as a challenge from the initiator and an even number from the responder
true
P2 L9
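Added example, not from the flashcards or the course: a shared-key challenge/response handshake in Python, the reflection attack that beats the naive version, and the odd/even rule from the card above that stops it. The key, the nonce sizes and the connection identifiers are constructed for the demo.

```python
"""Challenge/response with a shared key, the reflection attack against the
naive version, and the odd/even challenge rule that stops it. Added example;
the key, nonce sizes and connection ids are constructed for the demo."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-shared-key-for-alice-and-bob"


def response(key, challenge):
    """f(K, R): keyed MAC over the 8-byte challenge."""
    return hmac.new(key, challenge.to_bytes(8, "big"), hashlib.sha256).digest()


class Responder:
    """Bob. With parity_rule=True he only accepts odd challenges from the
    initiator and issues even ones himself, so his own challenge can never
    be fed back to him as an initiator challenge."""

    def __init__(self, key, parity_rule=False):
        self.key = key
        self.parity_rule = parity_rule
        self.pending = {}   # connection id -> challenge Bob is waiting on

    def receive_challenge(self, conn, r_init):
        if self.parity_rule and r_init % 2 == 0:
            return None                                   # even challenge: refuse
        r_b = secrets.randbits(62) * 2 if self.parity_rule else secrets.randbits(63)
        self.pending[conn] = r_b
        return response(self.key, r_init), r_b            # answer + own challenge

    def receive_response(self, conn, resp):
        r_b = self.pending.pop(conn)
        return hmac.compare_digest(resp, response(self.key, r_b))


def honest_initiator(key, bob, conn="alice"):
    """Alice, who knows the key: odd challenge, verify Bob, answer Bob."""
    r_a = secrets.randbits(62) * 2 + 1
    resp_a, r_b = bob.receive_challenge(conn, r_a)
    if not hmac.compare_digest(resp_a, response(key, r_a)):
        return False                                      # Bob failed to prove the key
    return bob.receive_response(conn, response(key, r_b))


def reflection_attack(bob):
    """Trudy, who does NOT know the key, tries to pass as Alice."""
    r_t = secrets.randbits(62) * 2 + 1                    # odd, passes any parity check
    _, r_b = bob.receive_challenge("conn-1", r_t)         # Bob asks Trudy to answer r_b
    second = bob.receive_challenge("conn-2", r_b)         # reflect r_b at Bob as a new session
    if second is None:
        return False                                      # parity rule: Bob refused his own challenge
    bobs_answer, _ = second                               # Bob computed f(K, r_b) for Trudy
    return bob.receive_response("conn-1", bobs_answer)    # ...which completes conn-1
```

The attack works because Bob is willing to answer any challenge, including one he generated himself, on a second connection. Making initiator and responder challenges distinguishable (odd versus even here; including the sender’s identity in the MAC input is the other common fix) means Bob’s own challenge is never a valid thing for Bob to answer.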
We can use signing with public keys to achieve mutual authentication
true
P2 L9
A session key should be a secret and unique to the session
true
P2 L9
Authentication should be accomplished before the session key exchange
true
P2 L9
A key benefit of using KDC (Key distribution center) is scalability
true
P2 L9
In order to for Bob to verify Alice’s public key, the certificate authority must be online
false (just need the CA’s public key, which may be cached)
P2 L9
Signing the message exchanges in Diffie-Helman eliminates the man-in-the-middle attack during session key exchange.
true
P2 L9
Kerberos provides authentication and access control
true
P2 L9
Kerberos distributes session keys
true
P2 L9
To avoid over-exposure of a user’s master key, Kerberos uses a per-day key and a ticket-granting-ticket
true
P2 L9
The authenticators used in requests to KDC and application server can be omitted in Kerberos
false
P2 L9
Access to any network resource requires a ticket issued by the KDC in Kerberos
true
P2 L9
If the length of a hash is 128 bits, then how many messages does an attacker need to search in order to find two that share the same hash?
2^64 (the square root of 2 to the 128th)
P2 L8
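Added example, not from the flashcards or the course: the birthday bound behind the card above, demonstrated in Python on SHA-256 truncated to 20 bits (a full 128-bit search is the same algorithm and 2^64 work). Messages are counter-labelled strings constructed for the demo.

```python
"""Birthday collision search on a truncated hash. Added example; the prefix
and the 20-bit truncation are chosen so the search finishes instantly."""
import hashlib
import math


def truncated_hash(msg, bits):
    """Top `bits` bits of SHA-256, standing in for a short hash function."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits, prefix=b"msg-"):
    """Hash counter-labelled messages until two share a truncated hash.

    Returns (msg_a, msg_b, trials). Storing every value seen is what makes
    the expected work sqrt(2^bits) rather than 2^bits."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


def expected_trials(bits):
    """Birthday bound: about sqrt(pi/2 * 2^bits) hashes for a 50% chance."""
    return math.sqrt(math.pi / 2 * 2 ** bits)
```

For 20 bits the bound is about 1,280 hashes, and the search above finds a pair in roughly that many; for 128 bits the same formula gives about 2^64, which is why a hash used for signatures needs a 256-bit output to offer 128-bit collision resistance.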
The one-way hash function is important not only in message authentication, but also in digital signatures
true
(a signature is computed over the hash of the message, so the hash must be collision-resistant; otherwise a signature on one message would also be valid for a colliding one)
P2 L8
SHA processes the input one block at a time, but each block goes through the same processing
true
P2 L8
HMAC is secure provided that the embedded hash function has good cryptographic strengths such as one-way and collision-resistance
true
P2 L8
What is the additive inverse of 8 MOD 20?
12
The number y such that (8 + y) MOD 20 = 0
P2 L7
what is the multiplicative inverse of 3 MOD 17
6
Given X, find Y such that X*Y MOD N = 1
P2 L7
If n = 21, what is totient(n)?
12
Factor n into primes; for distinct primes p and q, totient(p*q) = (p-1)*(q-1)
21 = 3 * 7, (3-1)*(7-1) = 12
P2 L7
Use the totient technique to find c:
c = 7^27 MOD 30
Because gcd(7, 30) = 1, Euler’s theorem gives 7^27 = 7^(27 MOD totient(30)) (MOD 30)
totient(30) = totient(3) * totient(10) = 2 * ((2-1)*(5-1)) = 2 * 4 = 8
27 MOD 8 = 3
7^3 MOD 30 = 343 MOD 30 = 13
P2 L7
RSA
Given p = 3 and q = 11
A) compute n
B) compute totient(n)
Assume e = 7
C) compute d
D) what is the public key
E) what is the private key
A) n = p*q = 33
B) totient(n) = (3-1)*(11-1) = 20
C) d is the multiplicative inverse of e MOD totient(n): (7 * d) MOD 20 = 1, so d = 3 (7*3 = 21 = 1 MOD 20)
D) public key (e, n) = (7, 33)
E) private key (d, n) = (3, 33)
P2 L7
What is the RSA encryption formula for value X?
public key = (e, n)
(X ** e) MOD n
P2 L7
What is the RSA decryption formula for value X?
private key = (d, n)
(X ** d) MOD n
P2 L7
When implementing RSA, it is best to use:
A) Your own custom software, to ensure a secure system
B) use the standard libraries for RSA
B)
P2 L7
In Diffie-Hellman, Alice and Bob agree to use prime q = 23 and primitive root alpha = 5
Alice chooses secret A = 6, and Bob chooses secret B = 15.
What number does Alice send Bob?
What number does Bob send Alice?
Alice sends Bob (5^6) mod 23 = 8
Bob sends Alice (5^15) mod 23 = 19
P2 L7
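Added example, not from the flashcards or the course: the modular arithmetic behind the cards in this section in Python, with the cards’ own numbers as inputs: additive and multiplicative inverses (extended Euclid), Euler’s totient, the exponent-reduction shortcut with its gcd precondition, textbook RSA key generation and encryption, and the Diffie-Hellman exchange carried through to the shared secret. The parameters are toy-sized for checking by hand and are far too small for real use.

```python
"""Modular arithmetic behind the cards above: additive and multiplicative
inverses, Euler's totient, exponent reduction, textbook RSA key generation
and a Diffie-Hellman exchange. Added example; the toy parameters are the
ones from the cards and are far too small for real use."""


def additive_inverse(a, n):
    """y such that (a + y) MOD n == 0."""
    return (-a) % n


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def mult_inverse(a, n):
    """y such that (a * y) MOD n == 1; exists only when gcd(a, n) == 1."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError("%d has no inverse mod %d" % (a, n))
    return x % n


def prime_factors(n):
    """{prime: exponent} by trial division (fine for toy sizes)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def totient(n):
    """Euler's phi: product over each prime power p^k dividing n of (p-1)*p^(k-1)."""
    phi = 1
    for p, k in prime_factors(n).items():
        phi *= (p - 1) * p ** (k - 1)
    return phi


def modexp_via_totient(base, exp, n):
    """base^exp MOD n using exp MOD totient(n); valid only if gcd(base, n) == 1."""
    if egcd(base % n, n)[0] != 1:
        raise ValueError("base not coprime to modulus; totient shortcut does not apply")
    return pow(base, exp % totient(n), n)


def rsa_keygen(p, q, e):
    """Textbook RSA: returns ((e, n), (d, n)) with d = e^-1 MOD totient(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = mult_inverse(e, phi)
    return (e, n), (d, n)


def rsa_apply(key, x):
    """Encryption and decryption are the same operation with different keys."""
    k, n = key
    return pow(x, k, n)


def dh_exchange(q, alpha, a, b):
    """Returns (Alice sends, Bob sends, Alice's secret, Bob's secret)."""
    ya, yb = pow(alpha, a, q), pow(alpha, b, q)
    return ya, yb, pow(yb, a, q), pow(ya, b, q)
```

Two things the cards do not spell out: the totient shortcut is only valid when the base is coprime to the modulus (hence the check), and in the Diffie-Hellman card both parties end up with the same secret, 19^6 mod 23 = 8^15 mod 23 = 2, which an eavesdropper who sees only 8 and 19 cannot compute without solving a discrete logarithm.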
RSA is a block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n
true
P2 L7
If someone invents a very efficient method to factor large integers, then RSA becomes insecure
true
P2 L7
The Diffie-Helman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms
true
P2 L7
The Diffie-Helman key exchange protocol is vulnerable to a man-in-the-middle attack because it does not authenticate the participants
true
P2 L7
RSA and Diffie-Hellman are the only public-key algorithms
false
P2 L7
A block cipher should use substitution to achieve confusion
true
P2 L6
A block cipher should use _______ to achieve diffusion
permutation
P2 L6
A block cipher should use several rounds, each with a combination of _________ and ____________
substitution, permutation
P2 L6
Block cipher algorithms should be kept secret
false
P2 L6
An S-box substitutes a ____ bit value with a ____ bit value
6-bit value with a 4-bit value using a predefined table (DES S-boxes)
P2 L6
To decrypt using DES, the same algorithm is used, but with the per-round keys applied in the reverse order
true
P2 L6
With triple-DES, the effective key length can be 56, 112, and 168
true
P2 L6
Each round of DES contains both substitution and permutation operations
true
P2 L6
The logics behind S-boxes are well-known and verified
false; the design criteria for the S-boxes were not published when DES was released
P2 L6
To decrypt using AES, just run the same algorithm in the same order of operations
false (decryption applies the inverse of each stage, in reverse order)
P2 L6
Each operation or stage in AES is reversible
true
P2 L6
AES can support key length of ___, ___, ____
128, 192, 256
P2 L6
AES is much more efficient than Triple DES
true
P2 L6
Which is more secure, CBC or ECB?
CBC
P2 L6
We can protect both confidentiality and integrity protection with CBC by using just one key
false
P2 L6
If the only form of attack that that could be made on an algorithm is brute-force, then the way to counter such attacks would be to ______________
use a longer key length
P2 L5
What weaknesses can be exploited in the Vigenere cipher?
- It uses a repeating key, so every key-length-th letter is encrypted with the same shift
- The length of the key can be determined (e.g. Kasiski examination or the index of coincidence), after which frequency analysis recovers each shift
P2 L5
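Added example, not from the flashcards or the course: Vigenere encryption in Python and the index-of-coincidence test that recovers the key length by exploiting the repeating key. The English plaintext and the key `CRYPT` are constructed for the demo; with a prime key length, every wrong period mixes all the shifts and scores like random text, while the right period makes each column a single Caesar shift of English.

```python
"""Vigenere cipher and key-length recovery via the index of coincidence.
Added example; the plaintext and key are constructed for the demo."""
import string

ALPHA = string.ascii_uppercase

# Constructed English sample (about 520 letters once cleaned).
PLAINTEXT = (
    "The firewall is the first line of defense between the internal network and "
    "the outside world. It inspects every packet that crosses the boundary and "
    "applies the rules in the access policy. A stateless packet filter looks only "
    "at the headers of the current packet, while a stateful inspection firewall "
    "remembers which connections are open and can tell a response from an "
    "unsolicited request. An application level gateway understands the protocol "
    "itself and can reject commands that a simple filter would never see. None "
    "of these controls can protect traffic that never crosses the firewall, and "
    "none of them can help when the rules themselves are wrong."
)


def clean(text):
    """Keep letters only, upper-cased, as classical ciphers expect."""
    return "".join(c for c in text.upper() if c in ALPHA)


def vigenere(text, key, decrypt=False):
    """Shift each letter by the key letter at the same position mod key length."""
    text, key = clean(text), clean(key)
    out = []
    for i, c in enumerate(text):
        k = ALPHA.index(key[i % len(key)])
        shift = -k if decrypt else k
        out.append(ALPHA[(ALPHA.index(c) + shift) % 26])
    return "".join(out)


def index_of_coincidence(s):
    """Probability two random letters of s are equal: ~0.066 for English,
    ~0.038 for uniform random letters. A Caesar shift does not change it."""
    n = len(s)
    if n < 2:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return sum(v * (v - 1) for v in counts.values()) / (n * (n - 1))


def ioc_by_period(ct, max_len=8):
    """Average IoC of the columns ct[i::k] for each candidate key length k."""
    return {k: sum(index_of_coincidence(ct[i::k]) for i in range(k)) / k
            for k in range(1, max_len + 1)}


def estimate_key_length(ct, max_len=8):
    """The period whose columns look most like single-alphabet English."""
    scores = ioc_by_period(ct, max_len)
    return max(scores, key=scores.get)
```

Once the period is known, each column is an ordinary Caesar cipher and its shift falls out of a letter-frequency comparison; the key is recovered letter by letter without ever searching the 26^5 key space.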
Which of the following characteristics would improve password security?
A) Use a one-way hash function
B) Should not use the avalanche effect
C) Should only check to see that the hash function output is the same as stored output
A) Use a one-way hash function
C) should only check to see that the hash function output is the same stored output
P2 L5
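Added example, not from the flashcards or the course: password storage the way the card above describes in Python, using a salted one-way hash (PBKDF2-HMAC-SHA256 from the standard library) and a verifier that only compares hash outputs, in constant time. The iteration count is an assumed work factor.

```python
"""Password storage: salted one-way hash, and verification that only compares
hash outputs in constant time. Added example; the iteration count is an
assumed work factor."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Return 'salt$hash' (hex). The plaintext password is never stored."""
    salt = os.urandom(16) if salt is None else salt           # unique per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare digests only."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)   # constant-time comparison
```

The salt is why two users with the same password get different stored values (so a precomputed table cannot be reused across accounts), and the iteration count is what makes each guess expensive for an attacker who steals the table. The avalanche effect of the underlying hash is wanted, not avoided: a one-character change in the password flips about half the output bits, so nothing about the stored value hints at how close a guess was.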
Attack:
A method to determine the encryption function by analyzing known phrases and their encryption
linear cryptanalysis
P2 L5
Attack:
Analyzing the effect of changes in input on the encrypted output
differential cryptanalysis
P2 L5
Attack:
The attacker chooses plaintexts and obtains the corresponding ciphertexts
chosen-plaintext attack
P2 L5
Attack:
The attacker has some plaintext/ciphertext pairs (not of their choosing) and compares them
known-plaintext attack
P2 L5
Asymmetric encryption is better for:
A) provide confidentiality of a message
B) securely distribute a session key
C) scalability
B) securely distribute a session key
C) scalability
P2 L5
Symmetric encryption can only be used to provide confidentiality
false
P2 L5
Public-key encryption can be used to create digital signatures
true
P2 L5
Cryptanalytic attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained
false
P2 L5
The secret key is input to the encryption algorithm
true
P2 L5
_______ tries to stop intrusion from happening
Firewall or IDS
firewall
P2 L4
_______ tries to evaluate an intrusion after it has happened
Firewall or IDS
IDS
P2 L4
_______ watches for intrusions that start within the system
Firewall or IDS
IDS
P2 L4
_______ limits access between networks to prevent intrusion
Firewall
P2 L4
An intruder can also be referred to as a hacker or cracker
true
P2 L4
Activists are either individuals or members of an organized crime group with a goal of financial reward
false
P2 L4
Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion
true
P2 L4
Those who hack into computers do so for the thrill of it or for status
false
P2 L4
Intruders typically use steps from a common attack methodology
true
P2 L4
This backdoor is hard to detect because it modifies machine code
Object code backdoors
P2 L4
This backdoor can only be used by the person who created it, even if it is discovered by others
Asymmetric backdoors
P2 L4
This backdoor inserts backdoors into other programs during compilation
Compiler backdoors
P2 L4
The longer an anomaly detection system is in use, the more it learns about network activity
true
P2 L4
If malicious activity looks like normal traffic to the anomaly detection system, it will not detect an attack
true
P2 L4
False positives from an anomaly detection system can become a problem, normal usage can be mistaken for an attack
true
P2 L4
With signature based detection, new threats can be detected immediately
false
P2 L4
With signature based detection, when a new virus is identified, it must be added to the signature databases
true
P2 L4
Signature-based detection systems can only detect an intrusion attempt if it matches a pattern that is in the database
true
P2 L4
Which of the following could be considered an anomaly to a typical network
A) An IP address
B) A port address
C) Packet length
D) Flag setting
All of them
P2 L4
with _________, any action that does not fit the normal behavior profile is considered an attack
statistical intrusion detection
P2 L4
with _________, any action that is not classified as normal is considered to be an attack
knowledge based intrusion detection
P2 L4
_______ anomaly detection detects attacks similar to past attacks
machine learning intrusion detection
P2 L4
One of the weaknesses of anomaly-based intrusion detection is that the system must learn what normal behavior is. While it is learning this, the network is vulnerable to attack. What can be done to mitigate this weakness?
use a firewall.
P2 L4
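Added example, not from the flashcards or the course: the two detection approaches from the cards above run over a constructed web-server log in Python. The signature detector fires only on patterns already in its database; the statistical anomaly detector flags sources whose request rate is far above a learned baseline. The log lines, the baseline counts and the two signatures are constructed for the demo, and one event is built to slip past both detectors.

```python
"""Signature-based and statistical anomaly detection over a constructed log.
Added example; log lines, baseline and signatures are all constructed."""
import re
from statistics import mean, pstdev

# Constructed web-server log: "src_ip method path", one request per line.
LOG = """203.0.113.5 GET /index.html
203.0.113.5 GET /about.html
203.0.113.5 GET /product?id=7
203.0.113.5 GET /cart
203.0.113.5 GET /checkout
203.0.113.5 GET /thanks
198.51.100.9 GET /product?id=1' OR '1'='1
198.51.100.9 GET /index.html
192.0.2.44 GET /download?file=../../etc/passwd
198.51.100.7 GET /product?id=1 UNION/**/SELECT name FROM users
""" + "".join("192.0.2.200 GET /scan/%d\n" % i for i in range(40))

# Requests per source observed during a constructed clean training window.
BASELINE_REQUESTS_PER_SOURCE = [4, 5, 6, 5, 4, 6, 5, 5]

# The signature database: only what is in here can ever be detected.
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)union\s+select|'\s*or\s+'1'='1"),
    "path-traversal": re.compile(r"\.\./"),
}


def parse(log):
    """(ip, method, path) per line; the path may itself contain spaces."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ip, method, path = line.split(" ", 2)
            events.append((ip, method, path))
    return events


def signature_alerts(events):
    """Fire on known patterns. Cheap and precise, blind to anything new."""
    alerts = []
    for ip, _, path in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ip, name, path))
    return alerts


def anomaly_alerts(events, baseline, z=3.0):
    """Flag sources whose request count is more than z standard deviations
    above the mean learned from the baseline. Needs a clean baseline and
    cannot see a low-rate attack that looks like normal browsing."""
    threshold = mean(baseline) + z * pstdev(baseline)
    counts = {}
    for ip, _, _ in events:
        counts[ip] = counts.get(ip, 0) + 1
    return [(ip, n) for ip, n in counts.items() if n > threshold]
```

The request from 198.51.100.7 is the instructive one: its `UNION/**/SELECT` uses a comment instead of whitespace, so the signature misses it, and it is a single request, so the rate-based anomaly detector has nothing to notice either. That is the evasion the "matches a pattern in the database" and "looks like normal traffic" cards describe, and why the two approaches are deployed together and the signature set is kept current.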
In the thriving 0-day attack marketplace hackers sell information on software vulnerabilities. Can you guess some of the buyers?
A) Apple
B) Google
C) Microsoft,
D) U.S. Government
all
P2 L4
with a(n) _______ attack, an attacker sends various kinds of packets to probe a system or network for vulnerability that can be exploited
scanning attack
P2 L4
with a(n) _______ attack, the attacker attempts to slow down or completely shut down a target so as to disrupt the service for legitimate users
DOS
P2 L4
with a(n) _______ attack, an attacker gains unauthorized control of a system
penetration
P2 L4
Can you think of a way to reduce the impact of excessive reporting on a system’s administrator?
Prioritize the alerts
P2 L4
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified
true
P2 L4
The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.
true
P2 L4
Signature-based approaches attempt to define normal, or expected, behavior, whereas anomaly approaches attempt to define proper behavior
false
P2 L4
A passive network IDS sensor monitors a copy of the network traffic; the actual traffic does not pass through the device
true
P2 L4
Network-based intrusion detection can make use of signature detection and anomaly detection
true
P2 L4
When using sensors, which of the following is considered good practice?
A) Set the IDS level to the highest sensitivity to detect every attack
B) Monitor both outbound and inbound traffic
C) Use a shared network resource to gather NIDS data
D) NIDS sensors are not turnkey solutions, system administrators must interpret alerts
B) monitor both outbound and inbound traffic
D) NIDS sensors are not turnkey solutions, system administrators must interpret alerts
P2 L4
A common location for a NIDS sensor is just inside the external firewall
true
P2 L4
A honeypot can be a workstation that a user uses for work
false
P2 L4
There is no benefit of deploying a NIDS or honeypot outside of the firewall
false
P2 L4
To improve detection performance, an IDS should reduce false alarm rate while detecting as many intrusions as possible
true
P2 L4
To improve detection performance, an IDS should apply detection models to all unfiltered packet data directly
false
P2 L4
To improve detection performance, an IDS should apply detection models to processed event data that has a higher base rate of intrusions
true
P2 L4
To defeat an IDS, attackers can send a huge amount of traffic
true
P2 L4
To defeat an IDS, attackers can embed attack in packets which cause non-uniform processing by different operating systems, e.g. bad checksum, overlapping fragments
true
P2 L4
To defeat an IDS, attackers can send traffic that purposely matches detection rules
true
P2 L4
To defeat an IDS, attackers can send a packet that would trigger a buffer overflow in the IDS code
true
P2 L4
The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.
true
A firewall can serve as the platform for IPSec.
true
A DMZ is one of the internal firewalls protecting the bulk of the enterprise network.
false
The _______ defines the transport protocol.
A. destination IP address
B. source IP address
C. interface
D. IP protocol field
D
A _________ gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.
circuit-level
Typically the systems in the ________ require or foster external connectivity such as a corporate Web site, an e-mail server, or a DNS server.
DMZ
A _______ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control.
Distributed firewall
The ________ attack is designed to circumvent filtering rules that depend on TCP header information.
tiny fragment
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.
true
To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
true
An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.
false
A common location for a NIDS sensor is just inside the external firewall.
true
Network-based intrusion detection makes use of signature detection and anomaly detection.
true
Symmetric encryption is used primarily to provide confidentiality.
true
Two of the most important applications of public-key encryption are digital signatures and key management.
true
The secret key is one of the inputs to a symmetric-key encryption algorithm.
true
The strength of a hash function against brute-force attacks depends on the length of the hash code produced by the algorithm.
true
Public-key algorithms are based on simple operations on bit patterns.
false
A _______ monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
host-based IDS
_______ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.
Signature detection
_______ involves the collection of data relating to the behavior of legitimate users over a period of time.
Anomaly detection
A(n) ______ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
inline-sensor
The ______ is the IDS component that examines the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.
analyzer
On average, ________ of all possible keys must be tried in order to achieve success with a brute-force attack.
half
If the only form of attack that could be made on an encryption algorithm is brute-force, then the way to counter such attacks would be to ________ .
use longer keys
________ is a procedure that allows communicating parties to verify that received or stored messages are authentic.
message authentication
The purpose of a ________ is to produce a "fingerprint" of a file, message, or other block of data.
hash function
A _________ is created by using a secure hash function to generate a hash value for a message and then encrypting the hash code with a private key.
digital signature
Symmetric encryption is also referred to as secret-key or single-key encryption.
true
The ciphertext-only attack is the easiest to defend against.
true
A brute-force approach involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained.
true
AES uses a Feistel structure.
false
"Each block of 64 plaintext bits is encoded independently using the same key" is a description of the CBC mode of operation.
false
Timing attacks are only applicable to RSA.
false
Using PKCS (public-key cryptography standard), when RSA encrypts the same message twice, different ciphertexts will be produced.
true
The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms.
true
A key exchange protocol is vulnerable to a man-in-the-middle attack if it does not authenticate the participants.
true
Just as RSA can be used for signatures as well as encryption, the Digital Signature Standard can also be used for encryption.
false
In general, public key based encryption is much slower than symmetric key based encryption.
true
________ is the original message or data that is fed into the encryption process as input.
plaintext
Which of the following would allow an attacker to know that the (plaintext of the) current message must be the same as one previously transmitted, because their ciphertexts are the same?
A. CBC
B. ECB
C. CFB
D. OFB
B
________ is a term that refers to the means of delivering a key to two parties that wish to exchange data without allowing others to see the key.
Key distribution technique
Which of the following features can only be provided by public-key cryptography?
A. Confidentiality protection
B. Integrity protection
C. Non-repudiation
D. None of the above
C
Cryptographic systems are generically classified by _______.
A. the type of operations used for transforming plaintext to ciphertext
B. the number of keys used
C. the way in which the plaintext is processed
D. all of the above
D
________ attacks have several approaches, all equivalent in effort to factoring the product of two primes.
mathematical
________ are analogous to a burglar guessing a safe combination by observing how long it takes to turn the dial from number to number.
timing attacks
_________ was the first published public-key algorithm.
Diffie-Hellman
The principal attraction of ________ compared to RSA is that it appears to offer equal security for a far smaller bit size, thereby reducing processing overhead.
ECC
SHA is perhaps the most widely used family of hash functions.
true
SHA-1 is considered to be very secure.
false
HMAC can be proven secure provided that the embedded hash function has some reasonable cryptographic strengths.
true
The additive constant numbers used in SHA-512 are random-looking and are hardcoded in the algorithm.
true
The strong collision resistance property subsumes the weak collision resistance property.
true
Cryptographic hash functions generally execute faster in software than conventional encryption algorithms such as DES and AES.
true
A hash function such as SHA-1 was not designed for use as a MAC and cannot be used directly for that purpose because it does not rely on a secret key.
true
It is a good idea to use sequentially increasing numbers as challenges in security protocols.
false
Assume that Alice and Bob have each other's public key. In order to establish a shared session key, Alice just needs to generate a random k, encrypt k using Bob's public key, and send the encrypted k to Bob; then Bob will know he has a key shared with Alice.
false
In security protocols, an obvious security risk is that of impersonation.
true
In Kerberos, the authentication server shares a unique secret key with each authorized computer on the network.
true
In Kerberos, each human user has a master key shared with the authentication server, and the key is usually derived from the user’s password.
true
In Kerberos, the purpose of using a ticket-granting ticket (TGT) is to minimize the exposure of a user's master key.
true
A Kerberos ticket-granting ticket never expires.
false
Kerberos does not support inter-realm authentication.
false
SHA-1 produces a hash value of _______ bits.
160
Issued as RFC 2104, _______ has been chosen as the mandatory-to-implement MAC for IP Security.
HMAC
The DSS makes use of the _______ and presents a new digital signature technique, the Digital Signature Algorithm (DSA).
SHA-1
The purposes of a security protocol include:
A. Authentication
B. Key-exchange
C. Negotiate crypto algorithms and parameters
D. All the above
D
Which of the following scenarios requires a security protocol:
A. log in to mail.google.com
B. connecting to work from home using a VPN
C. Both A and B
C
In IPSec, packets can be protected using ESP or AH but not both at the same time.
false
In IPSec, if A uses DES for traffic from A to B, then B must also use DES for traffic from B to A.
false
In IPSec, the sequence number is used for preventing replay attacks.
true
Most browsers come equipped with SSL and most Web servers have implemented the protocol.
true
Even web searches are (often) carried out over HTTPS.
true
In a wireless network, traffic is broadcast into the air, so it is much easier to sniff wireless traffic than wired traffic.
true
Compared with WEP, WPA2 has more flexible authentication and stronger encryption schemes.
true
iOS has no vulnerability.
false
In iOS, each file is encrypted using a unique, per-file key.
true
In iOS, an app can run its own dynamic, run-time generated code.
false
The App Store review process can guarantee that no malicious iOS app is allowed into the store for download.
false
In iOS, each app runs in its own sandbox.
true
In Android, all apps have to be reviewed and signed by Google.
false
In Android, an app will never be able to get more permission than what the user has approved.
false
Since Android is open-source, each handset vendor can customize it, and this is good for security (hint: consider security updates).
false
The most complex and important part of TLS is the ________.
handshake protocol
_______ is a list that contains the combinations of cryptographic algorithms supported by the client.
CipherSuite
ESP supports two modes of use: transport and ________.
tunnel
A benefit of IPsec is ________.
A. that it is below the transport layer and transparent to applications
B. there is no need to revoke keying material when users leave the organization
C. it can provide security for individual users if needed
D. all of the above
D
The ______ field in the outer IP header indicates whether the association is an AH or ESP security association.
protocol identifier
A cookie can be used to authenticate a user to a web site so that the user does not have to type in his password for each connection to the site.
true
Malicious JavaScript is a major threat to browser security.
true
XSS is possible when a web site does not check user input properly and uses the input in an outgoing HTML page.
true
XSS can perform many types of malicious actions because a malicious script is executed in the user's browser.
true
XSRF is possible when a user has a connection to a malicious site while a connection to a legitimate site is still alive.
true
In XSRF, the malicious site can send a malicious script to execute in the user's browser by embedding the script in a hidden iframe.
true
It is easy for the legitimate site to know if a request is really from the (human) user.
false
SQL injection attacks only lead to information disclosure.
false
Using an input filter to block certain characters is an effective way to prevent SQL injection attacks.
false
SQL injection is yet another example that illustrates the importance of input validation.
true
Organizational security objectives identify what IT security outcomes should be achieved.
true
Since the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control.
true
Legal and regulatory constraints may require specific approaches to risk assessment.
true
One asset may have multiple threats and a single threat may target multiple assets.
true
It is likely that an organization will not have the resources to implement all the recommended controls.
true
The IT security management process ends with the implementation of controls and the training of personnel.
false
The relative lack of success in bringing cybercriminals to justice has led to an increase in their numbers, boldness, and the global scale of their operations.
true
The purpose of the privacy functions is to provide a user protection against discovery and misuse of identity by other users.
true
An IT security plan should include details of ________.
A. risks
B. recommended controls
C. responsible personnel
D. all of the above
D
______ is a function that removes specific identifying information from query results, such as last name and telephone number, but creates some sort of unique identifier so that analysts can detect connections between queries.
Anonymization