IPSec and TLS, Wireless and Mobile Security, Web Security

Question 1

In IPSec, packets can be protected using ESP or AH but not both at the same time.

Answer 1

False

Question 2

In IPSec, if A uses DES for traffic from A to B, then B must also use DES for traffic from B to A.

Answer 2

False

Question 3

In IPSec, the sequence number is used for preventing replay attacks.

Answer 3

True

Question 4

Most browsers come equipped with SSL and most Web servers have implemented the protocol.

Answer 4

True

Question 5

Even web searches have (often) been in HTTPS.

Answer 5

True

Question 6

In a wireless network, traffic is broadcasted into the air, and so it is much easier to sniff wireless traffic compared with wired traffic.

Answer 6

True

Question 7

Compared with WEP, WPA2 has more flexible authentication and stronger encryption schemes.

Answer 7

True

Question 8

iOS has no vulnerability.

Answer 8

False

Question 9

In iOS, each file is encrypted using a unique, per-file key.

Answer 9

True

Question 10

In iOS, an app can run its own dynamic, run-time generated code.

Answer 10

False

Question 11

The App Store review process can guarantee that no malicious iOS app is allowed into the store for download

Answer 11

False

Question 12

In iOS, each app runs in its own sandbox

Answer 12

True

Question 13

In Android, all apps have to be reviewed and signed by Google.

Answer 13

False

Question 14

In Android, an app will never be able to get more permission than what the user has approved.

Answer 14

False

Question 15

Since Android is open-source, each handset vendor can customize it, and this is good for security (hint: consider security updates).

Answer 15

False

Question 16

The most complex and important part of TLS is the ________.

Answer 16

handshake protocol

Question 17

_______ is a list that contains the combinations of cryptographic algorithms supported by the client.

Answer 17

CipherSuite

Question 18

ESP supports two modes of use: transport and ________.

Answer 18

tunnel

Question 19

benefits of IPsec are________.

Answer 19

A. that it is below the transport layer and transparent to applications

B. there is no need to revoke keying material when users leave the organization

C. it can provide security for individual users if needed

Question 20

The ______ field in the outer IP header indicates whether the association is an AH or ESP security association.

Answer 20

protocol identifier

Question 21

A cookie can be used to authenticate a user to a web site so that the user does not have to type in his password for each connection to the site.

Answer 21

True

Question 22

Malicious JavaScripts is a major threat to browser security.

Answer 22

True

Question 23

XSS is possible when a web site does not check user input properly and use the input in an outgoing html page.

Answer 23

True

Question 24

XSS can perform many types of malicious actions because a malicious script is executed at user?s browser.

Answer 24

True

Question 25

XSRF is possible when a user has a connection to a malicious site while a connection to a legitimate site is still alive.

Answer 25

True

Question 26

In XSRF, the malicious site can send malicious script to execute in the user?s browser by embedding the script in a hidden iframe.

Answer 26

True

Question 27

It is easy for the legitimate site to know if a request is really from the (human) user.

Answer 27

False

Question 28

Using an input filter to block certain characters is an effective way to prevent SQL injection attacks.

Answer 28

False

Question 29

SQL injection is yet another example that illustrates the importance of input validation.

Answer 29

True

Question 30

Organizational security objectives identify what IT security outcomes should be achieved.

Answer 30

True

Question 31

Since the responsibility for IT security is shared across the
organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control.

Answer 31

True

Question 32

Legal and regulatory constraints may require specific approaches to risk assessment.

Answer 32

True

Question 33

One asset may have multiple threats and a single threat may target multiple assets.

Answer 33

True

Question 34

It is likely that an organization will not have the resources to implement all the recommended controls.

Answer 34

True

Question 35

The IT security management process ends with the implementation of controls and the training of personnel.

Answer 35

False

Question 36

The relative lack of success in bringing cybercriminals to justice has led to an increase in their numbers, boldness, and the global scale of their operations.

Answer 36

True

Question 37

The purpose of the privacy functions is to provide a user protection against discovery and misuse of identity by other users.

Answer 37

True

Question 38

An IT security plan should include details of ________.

Answer 38

A. risks

B. recommended controls

C. responsible personnel

Question 39

______ is a function that removes specific identifying information from query results, such as last name and telephone number, but creates some sort of unique identifier so that analysts can detect connections between queries.

Answer 39

Anonymization