Final Exam Flashcards by Seth Richards

Firewalls can stop hackers from breaking into your system

true

How well did you know this?

Not at all

Perfectly

Firewalls can stop internet traffic that appears to be from a legitimate source

false

How well did you know this?

Not at all

Perfectly

Firewalls can stop viruses and worms that spread through the internet

true

How well did you know this?

Not at all

Perfectly

Firewalls can stop spyware being put on your system

false

How well did you know this?

Not at all

Perfectly

Firewalls can stop viruses and worms that are spread through email

false

How well did you know this?

Not at all

Perfectly

Lists the types of traffic authorized to pass through the firewall

Firewall access policy

How well did you know this?

Not at all

Perfectly

________ is developed from the organization’s information security risk assessment and policy, and a broad specification of which traffic types the organization needs to support

Firewall access policy

How well did you know this?

Not at all

Perfectly

Firewalls cannot protect when

____ or ____

Traffic that does not cross it (routing around, internal traffic)

when misconfigured

How well did you know this?

Not at all

Perfectly

Malware can disable:
A) Software Firewalls
B) Hardware Firewalls
C) Antivirus checkers

A & C

How well did you know this?

Not at all

Perfectly

Firewalls can stop/control
A) Pings
B) Packet sniffing
C) Outbound network traffic

A & C

How well did you know this?

Not at all

Perfectly

This type of firewall filtering makes decisions on a packet-by-packet basis

Packet Filtering (no state information is saved)

How well did you know this?

Not at all

Perfectly

________ is the simplest and most efficient type of firewall filtering

Packet Filtering

How well did you know this?

Not at all

Perfectly

What are packet filtering rules based on?

Information contained in the network packet

Source IP
Destination IP
Source & Dest transport level address
IP protocol field
interface

How well did you know this?

Not at all

Perfectly

What are the 2 default policies of firewall packet filtering?

Discard (prohibit unless explicitly allowed)

Forward (permit unless explicitly forbidden) -> easier to manage, but less secure

How well did you know this?

Not at all

Perfectly

What are the advantages of a Packet Filtering firewall?

Simplicity

* Typically transparent to users and very fast

How well did you know this?

Not at all

Perfectly

What are the disadvantages of a Packet Filtering firewall?

Cannot protect against attacks that use application specific vulnerabilities
Limited logging functionality
Vulnerable to attacks and exploits that take advantage of TCP/IP
Susceptible to security breaches caused by improper configuration

How well did you know this?

Not at all

Perfectly

Packet filtering countermeasure:

_____ discard packets with an inside source address if the packet arrives on an external interface

IP Address spoofing countermeasure

How well did you know this?

Not at all

Perfectly

Packet filtering countermeasure:

____ discard all packets in which the source destination specifies the route

Source routing attacks countermeasure

How well did you know this?

Not at all

Perfectly

Packet filtering countermeasure:

_____ enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header

Tiny fragment attack countermeasure

How well did you know this?

Not at all

Perfectly

Packet Filtering

In order for a fragmented packet to be successfully reassembled at the destination, each fragment must obey the following rules:

A) Must not share a common fragment identification number

B) Each fragment must say what place or offset is in the original unfragmented packet

C) Each fragment must tell the length of the data carried in the fragment

D) The fragment does not need to know whether more fragments follow this one

B & C

How well did you know this?

Not at all

Perfectly

a _______ firewall uses a connection state table

stateful inspection firewall

How well did you know this?

Not at all

Perfectly

______ acts as a relay of application level traffic (basically a man or system in the middle)

Application-level gateway (or application proxy)

How well did you know this?

Not at all

Perfectly

Application level gateways tend to be more secure than packet filters

true

How well did you know this?

Not at all

Perfectly

Application level gateways may restrict application features supported

true

How well did you know this?

Not at all

Perfectly

An Application level gateway can generically filter traffic for any application

False; must have proxy code for specific applications

A packet filtering firewall is typically configured to filter packets going in both directions

true

A prime disadvantage of an application-level gateway is the additional processing overhead on each connection

true

A packet filtering firewall can decide if the current packet is allowed based on another packet it has just examined

false

A stateful inspection firewall needs to keep track of information of an active connection in order to decide on the current packet

true

A _______ serves as a platform for an application-level gateway, and is a system identified as a critical strong point in the network's securty

bastion host

__________ firewalls are used to secure an individual host

host based firewalls

The primary role of a personal firewall is to ___________

deny unauthorized remote access

______ hides the system from the internet by dropping unsolicited communication packets

stealth mode

A company has a conventional firewall in place on its network. Which (if any) of these situations requires an additional personal firewall: A) An employee uses a laptop on the company network and at home B) An employee uses a desktop on the company network to access websites worldwide C) A remote employee uses a desktop to create a VPN on the company's secure network D) None of the above, in each case the employee's computer is protected by the company firewall

A & C

Typically the systems in the _____ require or foster external connectivity such as the corporate web site, an e-mail server, or a DNS server A) DMZ B) IP protocol field C) boundary firewall D) VPN

A) DMZ

A _______ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control A) packet filtering firewall B) distributed firewall C) Boundary firewall D) VPN

B) distributed firewall

Technology and other safeguards for cyber security are largely defensive in nature. The only way they can impact a threat source is by increasing the work factor for an attacker. Can laws be used to reduce the magnitude of threats? A) YES, laws can provide criminal sanctions agains those who commit cyber crime B) NO, cyber crime has increased even as new laws have been put in place

A) YES P3L3

Cyber crime is a big problem. According to a recent report, what is an estimate of the cost of cybercrime for the United States? A) 10 billion dollars B) over 100 billion dollars

B) Over 100 billion dollars P3L3

The Computer Fraud and Abuse Act (CFAA) was used to prosecute the creator of the Melissa virus and he was sentenced in a federal prison and fined by using its provisions. What abuse was perpetrated by the Virus? A) Data stored on computers was destroyed B) Denial of service attacks that made computers unusable

B) Denial of service attacks that make computers unusable P3L3

Several people have argued about the overly general and vague language of the CFAA. For example, how exactly is unauthorized access defined? In one case, a company sued its competitor because the competitor's employees create a trial subscription and downloaded data that was available to its subscribers. Do you think this is a violation of unauthorized access? A) No, because the data was publicly available B) Yes, because it potentially can cause financial loss to the company that sued its competition

A) No, because the data was publicly available P3L3

The DCMA includes exclusions for researchers, but companies have threatened to sue researchers who wanted to publish work related to circumvention of anti-piracy technologies. Which of these is an example of such a threat under the DCMA: A) Prof. Ed Felten's research on audio watermarking removal by RIAA B) A research project done by MIT students that found vulnerabilities in the MBTA

A) Prof. Ed Felten's research on audio watermarking removal by RIAA P3L3

By mistake, a friend sends sensitive health data in an email to you (wrong attachment). You should not read the information in the attached document because: A) Professional code of ethics requires you to respect the privacy of others B) You can be liable under CFAA

A) Professional code of ethics requires you to respect privacy of others P3L3

US_CERT follows a responsible disclosure process for vulnerabilities reported to it. Such a process must: A) Make vulnerability information available to everyone who may be affected by it immediately B) Provide a certain period of time for the vendor of the vulnerable system to develop a patch

B) Provide a certain period of time for the vendor of the vulnerable system to develop a patch

A 2015 Pew survey of American adults' attitudes about privacy. What percentage feel that it is important that they be able to control who gets information about them A) 50% B) 25% C) 90%

C) 90% P3L3

In 2014, the European Court of Justice ruled that EU citizens have the "right to be forgotten" on the internet. For example, Google must not return links to information that can be shown to be "inaccurate, inadequate, irrelevant, or excessive". Which one of the following is an example of information that Google decided not to return as a search result to meet the ECJ ruling? A) Story about criminal conviction that was quashed on appeal B) A doctor requesting removal of links to newspaper stories about botched procedures performed by him

A) Story about criminal conviction that was quashed on appeal P3L3

The Electronic Frontier Foundation (EFF) ranks websites with privacy scores based on how they deal with issues related to privacy. It gate AT&T one of the lowest scores (1 out of 5 scores). What explains this low score? A) Does not disclose data retention policies B) Does not use industry best-practices C) Does not tell users about government data demands

A) does not disclose data retention policies and C) Does not tell users about government data demands P3L3

Does Google's privacy policy disclose data retention policy?

No P3L3

Poor privacy is good for bad guys because they can use information about you to craft: A) targeted phishing attacks B) Gain access to your online accounts

A & B P3L3

The FTC charged Fandango, the online move ticket purchasing company, for not protecting user privacy. This action was taken because Fandango: A) Shared user data without informing users B) Did not secure user data

B) did not secure user data P3L3

If a company tracks your activities based on your machine's IP address, on possible defense against it is to: A) Disable cookies B) Use Tor

B) Use Tor P3L3

Cyber security planning and management in an enterprise must define allowed computer and network use by employees. Georgia Tech's computer and network use policy strives to do this for students, faculty, and staff. What is required by this policy A) Georgia tech passwords should be changed periodically B) A compromise of a computer should be reported to someone responsible for cyber security at Georgia Tech C) Georgia Tech computers cannot be used to download illegal content (e.g. child porm)

A) Georgia tech passwords should be changed periodically B) A compromise of a computer should be reported to someone responsible for cyber security at Georgia Tech C) Georgia Tech computers cannot be used to download illegal content (e.g. child porm) P3L1

A botnet operator compromises a number of computers in a company. The malware executed by the bots only sends large amounts of spam email but does not exfiltrate sensitive data or interfere with legitimate activities. What is the appropriate action: A) The company should detect and prevent abuse of its resources by unauthorized parties B) Since it poses no risk to company's sensitive data or normal ops it can be ignored

A) the company should detect and prevent abuse of its resources by unauthorized parties P3L1

A news story in 2014 reported that an inspector general's report gave the VA a failing grade for the 16th straight year. The CIO of VA discussed a number of challenges that could explain this grade. What are some possible reasons? A) The need to manage cyber security for over a million devices, each running many services B) lack of sense of urgency in fixing cyber vulnerabilities C) Choosing to support key functions even when this could introduce vulnerabilities

A) the need to manage cyber security for over a million devices, each running many services and C) Choosing to support key functions even when this could introduce vulnerabilities P3L1

Chief Information Security Officer (CISO) is the executive who is responsible for information security in a company. Did target, the major retailer, have a CISO when it suffered the serious breach?

No. P3L1

Does Georgia Tech's computer and network use policy prohibit personal use of university resources?

No. P3L1

GATech systems store student data such as grades. The Institute must protect such data due to: A) Regulatory reasons (FERPA) B) Because the data is sensitive it can only be disclosed to the student and his/her family

A) Regulatory reasons (FERPA) P3L1

Anthem suffered a breach in 2015. Based on an analysis of its response to the breach, did Anthem respond well?

Yes. P3L1

A company stores sensitive customer data. The impact of a breach of such data must include: A) Cost of purchasing identity theft protection for customers B) Loss of business due to reduced customer confidence C) Compensation for new cyber security personnel the company hires to better manage cyber security in the future

A) Cost of purchasing identity theft protection for customers and B) loss of business due to reduced customer confidence P3L1

A company is considering 2 possible IDS solutions to reduce its exposure to attacks on its network. The first one costs $100K and reduces risk exposure by $150K. The second costs $250K but reduces exposure by $500K. Which would you recommend?

The more expensive one. P3L1

Risk leverage =

(Risk exposure without control - Risk exposure with control)/ cost of control P3L1

Cyber insurance is not very popular. Based on a 2014 survey, what percentage of customers of major insurance brokers were interested in buying cyber insurance? A) Less than 25% B) over 50%

A) less than 25% P3L1

Are cyber security budgets increasing as the number of reported incidents increase?

No. P3L1

An example of a proactive security measure is: A) Making sure the company complies with all regulatory requirements B) Chief risk officer (CRO) of the company addressing cyber risk regularly at highest level (eg board) when other risks are discussed

B) Chief risk officer addressing the board P3L1

Cookies are created by ads that run on websites

true P3L2

Cookies are created by websites a user is visiting

true P3L2

Cookies are compiles pieces of code

false P3L2

Cookies can be used as a form of virus

false P3L2

Cookies can be used as a form of spyware

true P3L2

A web browser can be attacked by any website that it visits

true P3L2

Even if a browser of compromised, the rest of the computer is still secure

false P3L2

Web servers can be compromised because of exploits on web applications

true P3L2

When a user's browser visits a compromised or malicious site, a malicious script is returned

true P3L2

To prevent XSS, any user input must be checked and preprocessed before it is used

true P3L2

Checking the HTTP referrer header to see if the request comes from an authorized page can protect against XSRF

true P3L2

Using a synchronizer token pattern where a token for each request is embedded by the web application in all HTML forms and verified on the server side can protect agains XSRF

true P3L2

Logging off immediately after using a web application can protect against XSRF

true P3L2

Not allowing the browser to save username/password and not allowing web sites to remember user login can protect against XSRF

true P3L2

Not using the same browser to access sensitive web sites and to surf the web freely can protect against XSRF

true P3L2

________ is the better way to prevent SQL injection

Whitelisting to allow only well-defined set of safe values P3L2

Eavesdropping is a security threat to WiFi security

true P2 L11

Injecting bogus messages is a threat to WiFi security

true P2 L11

Replaying previously recorded messages is a threat to WiFi security

true P2 L11

Illegitimate access to the network and its services is a threat to WiFi securty

true P2 L11

Denial-of-service is a threat to Wifi security

true P2 L11

What are the security threats to WiFi?

``` Eavesdropping injecting bogus messages replaying previously recorded messages illegitimate access to the network and its services denial of service ``` P2 L11

_____ is the security standard that should be used for WiFi

WPA2 P2 L11

What are the 3 operating systems with the most vulnerabilities in 2014?

Apple Mac OS X Apple iOS Linux Kernel

In iOS, all cryptographic keys are stored in flash memory

false P2 L11

in iOS, trusted boot can verify the kernel before it is run

true P2 L11

in iOS, all files of an app are encrypted using the same key

false P2 L11

How were researches able to bypass Apple's App Store security in 2013?

Uploaded an app that morphed into malware after it passed the review process. P2 L11

What weakness were exploited by researchers in the Apple apps security in 2015?

The malware was uploadable to the Apple Apps store The malware was able to bypass Sandbox security The malware was able to hijack browser extensions and collect passwords P2 L11

in iOS, each app runs in a sandbox and has its own home directory for its files

true P2 L11

All iOS apps must be reviewed and approved by Apple

true P2 L11

iOS apps can be self-signed by app developers

false P2 L11

Android apps can be self-signed

true P2 L11

Android apps can have more powerful permissions than iOS apps

true P2 L11

IP spoofing is useful for ____________ communication

unidirectional P2 L10

IPsec can assure that ___________________

A router advertisement comes from an authorized router a routing update is not forged a redirect message comes from the router to which the initial packet was sent P2 L10

Encapsulated Security Payload (ESP) can be used in A) encryption only mode B) authentication only mode C) encryption and authentication mode

A, B, and C P2 L10

Encapsulated Security Payload (ESP) can provide both confidentiality and integrity protection

true P2 L10

If the authentication option of ESP is chosen, message integrity code is computed before encryption

false P2 L10

To protect the confidentiality and integrity of the whole original IP packet, we can use ESP with the authentication option in tunnel mode

true P2 L10

In Authentication Header, the integrity hash covers the IP header

true P2 L10

The security association, SA, specifies a two-way security arrangements between the sender and receiver

false P2 L10

Security Parameter Index (SPI) is used to help receiver identify the Security Association (SA) to unprocess the IPSec packet

true P2 L10

If the sequence number of the IPSec header is greater than the largest number of the current anti-reply window the packet is rejected

false P2 L10

If the sequence number in the IPSec header is smaller than the smallest umber of the current anti-replay window the packet is rejected

true P2 L10

The Diffie-Hellman key exchange is restricted to two party communication only

false P2 L10

An IKE SA needs to be established before IPSec SAs can be negotiated

true P2 L10

The identity of the responder and receiver and the messages they have exchanged need to be authenticated (authentication and key exchange)

true P2 L10

With perfect forward secrecy, the IPSec SA keys are based on the IKE shared secret established in phase I.

false P2 L10

Most browsers come equipped with SSL and most web servers have implemented the protocol

true P2 L10

Since TLS is for the transport later, it relies on IPSec, which is for the IP later

false P2 L10

In most applications of TLS or SSL, public keys are used for authentication and key exchange

true P2 L10

The challenge values used an an authentication protocol can be repeatedly used in multiple sessions

false P2 L9

The authentication messages can be captured and replayed by an adversary

true P2 L9

Authentication can be one-way, e.g. only authenticating Alice to Bob

true P2 L9

A reflection attack is a form of man-in-the-middle-attack

true P2 L9

To defeat a reflection attack, we can use an odd number as a challenge from the initiator and an even number from the responder

true P2 L9

We can use signing with public keys to achieve mutual authentication

true P2 L9

A session key should be a secret and unique to the session

true P2 L9

Authentication should be accomplished before the session key exchange

true P2 L9

A key benefit of using KDC (Key distribution center) is scalability

true P2 L9

In order to for Bob to verify Alice's public key, the certificate authority must be online

false (just need the CA's public key, which may be cached) P2 L9

Signing the message exchanges in Diffie-Helman eliminates the man-in-the-middle attack during session key exchange.

true P2 L9

Kerberos provides authentication and access control

true P2 L9

Kerberos distributes session keys

true P2 L9

To avoid over-exposure of a user's master key, Kerberos uses a per-day key and a ticket-granting-ticket

true P2 L9

The authenticators used in requests to KDC and application server can be omitted in Kerberos

false P2 L9

Access to any network resource requires a ticket issued by the KDC in Kerberos

true P2 L9

if the length of a hash is 128 bits, then how many messages does an attack need to search in order to find two that share the same hash?

2^64 (the square root of 2 to the 128th) P2 L8

The one-way has function is important not only in message authentication, but also in digital signatures

false (in digital signatures, the input plain-text is sent anyway) P2 L8

SHA processes the input one block at a time, but each block goes through the same processing

true P2 L8

HMAC is secure provided that the embedded hash function has good cryptographic strengths such as one-way and collision-resistance

true P2 L8

What is the additive inverse of 8 MOD 20

12 The number that when we add 8 to, 8 MOD 20 results in 0 P2 L7

what is the multiplicative inverse of 3 MOD 17

6 Given X, find Y such that X*Y MOD N = 1 P2 L7

if n=21, what is totient(n)

12 find relatively prime factors of n 21 = 3 * 7, (3-1)*(7-1) = 12 P2 L7

Use the totient technique to find c: c = 7^27 MOD 30

this is the same as 7 ^ (27 MOD totient(30)) totient(30) = totient(3) * totient(10) = 2 * (2-1)(5-1) = 2 * 4 = 8 27 MOD 8 = 3 7^3 (MOD 30) = 343 MOD 30 = 13 P2 L7

RSA Given p = 3 and q = 11 A) compute n B) compute totient(n) Assume e = 7 C) compute d D) what is the public key E) what is the private key

``` A) n = p*q = 33 B) totient(n) = (3-1)*(11-1) = 20 C) d = (e * d) MOD totient(n) = 1 = (7 * d) MOD 21 = 1; d = 3 D) (e, n) = (7, 33) E) (d, n) = (3, 33) ``` P2 L7

What is the RSA encryption formula for value X?

public key = (e, n) (X ** e) MOD n P2 L7

What is the RSA decryption formula for value X?

private key = (d, n) (X ** d) MOD n P2 L7

When implementing RSA, it is best to use: A) Your own custom software, to ensure a secure system B) use the standard libraries for RSA

B) P2 L7

In Diffie Helman, Alice and Bob agree to use prime q = 23 and primitive root alpha = 5 Alice choses secret A = 6, and Bob chooses secret B = 15. What number does Alice send Bob? What number does Bob send Alice?

Alice sends bob (5^6) mod 23 = 8 Bob sends Alice (5^15) mod 23 = 19 P2 L7

RSA is a block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n

true P2 L7

If someone invents a very efficient method to factor large integers, then RSA becomes insecure

true P2 L7

The Diffie-Helman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms

true P2 L7

The Diffie-Helman key exchange protocol is vulnerable to a man-in-the-middle attack because it does not authenticate the participants

true P2 L7

RSA and Diffie-Helman are the only public-key algoritms

false P2 L7

A block cipher should use substitution to achieve confusion

true P2 L6

A block cipher should user _______ to achieve diffusion

permutation P2 L6

a block cipher should use a few rounds, each with a combination of _________ and ____________

substitution, permutation P2 L6

Block cipher algorithms should be kept secret

false P2 L6

An S-box substitutes a ____ bit value with a ____ bit value

6 bit value with a 4 bit value using a predefined table P2 L6

To decrypt using DES, the same algorithm is used, but with per-round keys are used in the reverse order

true P2 L6

With triple-DES, the effective key length can be 56, 112, and 168

true P2 L6

Each round of DES contains both substitution and permutation operations

true P2 L6

The logics behind S-boxes are well-known and verified

false; they've been kept secret P2 L6

To decrypt using AES, just run the same algorithm in the same order of operations

false (algorithm is run in reverse) P2 L6

Each operation or stage in AES is reversible

true P2 L6

AES can support key length of ___, ___, ____

128, 192, 256 P2 L6

AES is much more efficient than Triple DES

true P2 L6

Which is more secure, CBC or ECB?

CBC P2 L6

We can protect both confidentiality and integrity protection with CBC by using just one key

false P2 L6

If the only form of attack that that could be made on an algorithm is brute-force, then the way to counter such attacks would be to ______________

use a longer key length P2 L5

What weaknesses can be exploited in the Vigenere cipher

It uses repeating key letters, The length of the key can be determined using frequency analysis P2 L5

Which of the following characteristics would improve password security? A) Use a one-way hash function B) Should not use the avalanche effect C) Should only check to see that the hash function output is the same as stored output

A) Use a one-way hash function C) should only check to see that the hash function output is the same stored output P2 L5

Attack: | A method to determine the encryption function by analyzing known phrases and their encryption

linear cryptanalysis P2 L5

Attack: | Analyzing the effect of changes in input on the encrypted output

differential cryptanalysis P2 L5

Attack: | Compare the cipher texts with its known plaintext

chosen-plaintext attacks P2 L5

Attack: | A method where a specific known plaintext is compared to its ciphertext

Known-plaintext attacks P2 L5

Asymmetric encryption is better for: A) provide confidentiality of a message B) securely distribute a session key C) scalability

B) securely distribute a session key C) scalability P2 L5

Symmetric encryption can only be used to provide confidentiality

false P2 L5

Public-key encryption can be used to create digital signatures

true P2 L5

Cryptanalytic attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained

false P2 L5

The secret key is input to the encryption algorithm

true P2 L5

_______ tries to stop intrusion from happening | Firewall or IDS

firewall P2 L4

_______ tries to evaluate an intrusion after it has happened | Firewall or IDS

IDS P2 L4

_______ watches for intrusions that start within the system | Firewall or IDS

IDS P2 L4

_______ limits access between networks to prevent intrusion

Firewall P2 L4

An intruder can also be referred to as a hacker or cracker

true P2 L4

Activists are either individuals or members of an organized crime group with a goal of financial reward

false P2 L4

Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion

true P2 L4

Those who hack into computer do so for the thrill of it or for status

false P2 L4

Intruders typically use steps from a common attack methodology

true P2 L4

This backdoor is hard to detect because it modifies machine code

Object code backdoors P2 L4

This backdoor can only be used by the person who created it, even if it is discovered by others

Asymmetric backdoors P2 L4

This backdoor inserts backdoors into other programs during compilation

Compiler backdoors P2 L4

The longer an anomaly detection system is in use, the more it learns about network activity

true P2 L4

If malicious activity looks like normal traffic to the anomaly detection system, it will not detect an attack

true P2 L4

False positives from an anomaly detection system can become a problem, normal usage can be mistaken for an attack

true P2 L4

With signature based detection, new threats can be detected immediately

false P2 L4

With signature based detection, when a new virus is identified, it must be added to the signature databases

true P2 L4

Signature-based detection systems can only detect an intrusion attempt if it matches a pattern that is in the database

true P2 L4

Which of the following could be considered an anomaly to a typical network A) An IP address B) A port address C) Packet length D) Flag setting

All of them P2 L4

with _________, any action that does not fit the normal behavior profile is considered an attack

statistical intrusion detection P2 L4

with _________, any action that is not classified as normal is considered to be an attack

knowledge based intrusion detection P2 L4

_______ anomaly detection detects attacks similar to past attacks

machine learning intrusion detection P2 L4

One of the weaknesses of anomalous intruder detection is that a system must learn what is normal behavior. WHile it is learning this, the network is vulnerable to attack. What can be done to mitigate this weakness?

use a firewall. P2 L4

In the thriving 0-day attack marketplace hackers sell information on software vulnerabilities. Can you guess some of the buyers? A) Apple B) Google C) Microsoft, D) U.S. Government

all P2 L4

with a(n) _______ attack, an attacker sends various kinds of packets to probe a system or network for vulnerability that can be exploited

scanning attack P2 L4

with a(n) _______ attack, the attack attempts to slow down or completely shut down a target so as to disrupt the service for legitimate users

DOS P2 L4

with a(n) _______ attack, an attacker gains unauthorized control of a system

penetration P2 L4

Can you think of a way to reduce the impact of excessive reporting on a system's administrator?

Prioritize the alerts P2 L4

Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified

true P2 L4

The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.

true P2 L4

Signature-based approaches attempt to define normal, or expected, behavior, whereas anomaly approaches attempt to define proper behavior

false P2 L4

A network IDS sensor monitors a copy of network traffic, the actual traffic does not pass through the devices

true P2 L4

Network-based intrusion detection can make use of signature detection and anomaly detection

true P2 L4

When using sensors, which of the following is considered good practice? A) Set the IDS level to the highest sensitivity to detect every attack B) Monitor both outbound and inbound traffic C) Use a shared network resource to gather NIDS data D) NIDS sensors are not turnkey solutions, system administrators must interpret alerts

B) monitor both outbound and inbound traffic D) NIDS sensors are not turnkey solutions, system administrators must interpret alerts P2 L4

A common location for a NIDS sensor is just inside the external firewall

true P2 L4

A honeypot can be a workstation that a user uses for work

false P2 L4

There is no benefit of deploying a NIDS or honeypot outside of the firewall

false P2 L4

To improve detection performance, an IDS should reduce false alarm rate while detecting as many intrusions as possible

true P2 L4

to improve detection performance, an IDS should apply detection models at all unfiltered packet data directly.

false P2 L4

to improve detection performance, an IDS should apply detection models at processed event data that has higher base rate

true P2 L4

To defeat an IDS, attackers can send a huge amount of traffic

true P2 L4

To defeat an IDS, attackers can embed attack in packets which cause non-uniform processing by different operating systems, e.g. bad checksum, overlapping fragments

true P2 L4

To defeat an IDS, attackers can send traffic that purposely matches detection rules

true P2 L4

To defeat an IDS, attackers can send a packet that would trigger a buffer-overload in the IDS code

true P2 L4

The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.

true

A firewall can serve as the platform for IPSec.

true

A packet filtering firewall is typically configured to filter packets going in both directions.

true

A prime disadvantage of an application-level gateway is the additional processing overhead on each connection.

true

A DMZ is one of the internal firewalls protecting the bulk of the enterprise network.

false

The _______ defines the transport protocol. A. destination IP address B. source IP address C. interface D. IP protocol field

A _________ gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.

circuit-level

Typically the systems in the ________ require or foster external connectivity such as a corporate Web site, an e-mail server, or a DNS server.

DMZ

A _______ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control.

Distributed firewall

The ________ attack is designed to circumvent filtering rules that depend on TCP header information.

tiny fragment

Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.

true

To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.

true

An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.

false

A common location for a NIDS sensor is just inside the external firewall.

true

Network-based intrusion detection makes use of signature detection and anomaly detection.

true

Symmetric encryption is used primarily to provide confidentiality.

true

Two of the most important applications of public-key encryption are digital signatures and key management.

true

The secret key is one of the inputs to a symmetric-key encryption algorithm.

true

The strength of a hash function against brute-force attacks depends on the length of the hash code produced by the algorithm.

true

Public-key algorithms are based on simple operations on bit patterns.

false

A _______ monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

host-based IDS

_______ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.

Signature detection

_______ involves the collection of data relating to the behavior of legitimate users over a period of time.

Anomaly detection

A(n) ______ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.

inline-sensor

The ______ is the IDS component that examines the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.

analyzer

On average, ________ of all possible keys must be tried in order to achieve success with a brute-force attack.

half

If the only form of attack that could be made on an encryption algorithm is brute-force, then the way to counter such attacks would be to ________ .

use longer keys

________ is a procedure that allows communicating parties to verify that received or stored messages are authentic.

message authentication

The purpose of a ________ is to produce a ?fingerprint? of a file, message, or other block of data.

hash function

A _________ is created by using a secure hash function to generate a hash value for a message and then encrypting the hash code with a private key.

digital signature

Symmetric encryption is also referred to as secret-key or single-key encryption.

true

The ciphertext-only attack is the easiest to defend against.

true

A brute-force approach involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained.

true

AES uses a Feistel structure.

false

Each block of 64 plaintext bits is encoded independently using the same key? is a description of the CBC mode of operation.

false

Timing attacks are only applicable to RSA.

false

Using PKCS (public-key cryptography standard), when RSA encrypts the same message twice, different ciphertexts will be produced.

true

The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms

true

A key exchange protocol is vulnerable to a man-in-the-middle attack if it does not authenticate the participants.

true

Just like RSA can be used for signature as well as encryption, Digital Signature Standard can also be used for encryption

false

In general, public key based encryption is much slower than symmetric key based encryption.

true

________ is the original message or data that is fed into the encryption process as input.

plaintext

Which of the following would allow an attack that to know the (plaintext of) current message must be the same as one previously transmitted because their ciphtertexts are the same? A. CBC B. ECB C. CFB D. OFB

________ is a term that refers to the means of delivering a key to two parties that wish to exchange data without allowing others to see the key.

Key distribution technique

Which of the following feature can only be provided by public-key cryptography? A. Confidentiality protection B. Integrity protection C. Non-repudiation D. None of the above

Cryptographic systems are generically classified by _______. A. the type of operations used for transforming plaintext to ciphertext B. the number of keys used C. the way in which the plaintext is processed D. all of the above

________ attacks have several approaches, all equivalent in effort to factoring the product of two primes.

mathematical

________ are analogous to a burglar guessing a safe combination by observing how long it takes to turn the dial from number to number.

timing attacks

_________ was the first published public-key algorithm.

Diffie-helman

The principal attraction of ________ compared to RSA is that it appears to offer equal security for a far smaller bit size, thereby reducing processing overhead.

ECC

SHA is perhaps the most widely used family of hash functions.

true

SHA-1 is considered to be very secure.

false

HMAC can be proven secure provided that the embedded hash function has some reasonable cryptographic strengths.

true

The additive constant numbers used in SHA-512 are random-looking and are hardcoded in the algorithm.

true

The strong collision resistance property subsumes the weak collision resistance property.

true

Cryptographic hash functions generally execute faster in software than conventional encryption algorithms such as DES and AES.

true

A hash function such as SHA-1 was not designed for use as a MAC and cannot be used directly for that purpose because it does not rely on a secret key.

true

It is a good idea to use sequentially increasing numbers as challenges in security protocols.

false

Assuming that Alice and Bob have each other?s public key. In order to establish a shared session key, Alice just needs to generate a random k, encrypt k using Bob?s public key, and send the encrypted k to Bob and then Bob will know he has a key shared with Alice.

false

In security protocol, an obvious security risk is that of impersonation.

true

In Kerberos, the authentication server shares a unique secret key with each authorized computer on the network.

true

In Kerberos, each human user has a master key shared with the authentication server, and the key is usually derived from the user's password.

true

In Kerberos, the purpose of using ticket-granting-ticket (TGT) is to minimize the exposure of a user?s master key.

true

Kerberos ticket-granting ticket is never expired.

false

Kerberos does not support inter-realm authentication.

false

SHA-1 produces a hash value of _______ bits.

160

Issued as RFC 2104, _______ has been chosen as the mandatory-to-implement MAC for IP Security.

HMAC

The DSS makes use of the _______ and presents a new digital signature technique, the Digital Signature Algorithm (DSA).

SHA-1

The purposes of a security protocol include: A. Authentication B. Key-exchange C. Negotiate crypto algorithms and parameters D. All the above

Which of the following scenario requires a security protocol: A. log in to mail.google.com B. connecting to work from home using a VPN C. Both A and B

In IPSec, packets can be protected using ESP or AH but not both at the same time.

false

In IPSec, if A uses DES for traffic from A to B, then B must also use DES for traffic from B to A.

false

In IPSec, the sequence number is used for preventing replay attacks.

true

Most browsers come equipped with SSL and most Web servers have implemented the protocol.

true

Even web searches have (often) been in HTTPS.

true

In a wireless network, traffic is broadcasted into the air, and so it is much easier to sniff wireless traffic compared with wired traffic.

true

Compared with WEP, WPA2 has more flexible authentication and stronger encryption schemes.

true

iOS has no vulnerability.

false

In iOS, each file is encrypted using a unique, per-file key.

true

In iOS, an app can run its own dynamic, run-time generated code.

false

The App Store review process can guarantee that no malicious iOS app is allowed into the store for download.

false

In iOS, each app runs in its own sandbox.

true

In Android, all apps have to be reviewed and signed by Google.

false

In Android, an app will never be able to get more permission than what the user has approved.

false

Since Android is open-source, each handset vendor can customize it, and this is good for security (hint: consider security updates).

false

The most complex and important part of TLS is the ________.

handshake protocol

_______ is a list that contains the combinations of cryptographic algorithms supported by the client.

CipherSuite

ESP supports two modes of use: transport and ________.

tunnel

A benefit of IPsec is ________. A. that it is below the transport layer and transparent to applications B. there is no need to revoke keying material when users leave the organization C. it can provide security for individual users if needed D. all of the above

The ______ field in the outer IP header indicates whether the association is an AH or ESP security association.

protocol identifier

A cookie can be used to authenticate a user to a web site so that the user does not have to type in his password for each connection to the site.

true

Malicious JavaScripts is a major threat to browser security.

true

XSS is possible when a web site does not check user input properly and use the input in an outgoing html page.

true

XSS can perform many types of malicious actions because a malicious script is executed at user?s browser.

true

XSRF is possible when a user has a connection to a malicious site while a connection to a legitimate site is still alive.

true

In XSRF, the malicious site can send malicious script to execute in the user?s browser by embedding the script in a hidden iframe.

true

It is easy for the legitimate site to know if a request is really from the (human) user.

false

SQL injection attacks only lead to information disclosure.

false

Using an input filter to block certain characters is an effective way to prevent SQL injection attacks.

false

SQL injection is yet another example that illustrates the importance of input validation.

true

Organizational security objectives identify what IT security outcomes should be achieved.

true

Since the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control.

true

Legal and regulatory constraints may require specific approaches to risk assessment.

true

One asset may have multiple threats and a single threat may target multiple assets.

true

It is likely that an organization will not have the resources to implement all the recommended controls.

true

The IT security management process ends with the implementation of controls and the training of personnel.

false

The relative lack of success in bringing cybercriminals to justice has led to an increase in their numbers, boldness, and the global scale of their operations.

true

The purpose of the privacy functions is to provide a user protection against discovery and misuse of identity by other users.

true

An IT security plan should include details of ________. A. risks B. recommended controls C. responsible personnel D. all of the above

______ is a function that removes specific identifying information from query results, such as last name and telephone number, but creates some sort of unique identifier so that analysts can detect connections between queries.

Anonymization