IPSec and TLS, Wireless and Mobile Security, Web Security Flashcards
In IPSec, packets can be protected using ESP or AH but not both at the same time.
False
In IPSec, if A uses DES for traffic from A to B, then B must also use DES for traffic from B to A.
False
In IPSec, the sequence number is used for preventing replay attacks.
True
Most browsers come equipped with SSL and most Web servers have implemented the protocol.
True
Even web searches have (often) been in HTTPS.
True
In a wireless network, traffic is broadcast into the air, so it is much easier to sniff wireless traffic than wired traffic.
True
Compared with WEP, WPA2 has more flexible authentication and stronger encryption schemes.
True
iOS has no vulnerabilities.
False
In iOS, each file is encrypted using a unique, per-file key.
True
In iOS, an app can run its own dynamic, run-time generated code.
False
The App Store review process can guarantee that no malicious iOS app is allowed into the store for download.
False
In iOS, each app runs in its own sandbox.
True
In Android, all apps have to be reviewed and signed by Google.
False
In Android, an app will never be able to get more permission than what the user has approved.
False
Since Android is open-source, each handset vendor can customize it, and this is good for security (hint: consider security updates).
False
The most complex and important part of TLS is the ________.
handshake protocol
_______ is a list that contains the combinations of cryptographic algorithms supported by the client.
CipherSuite
ESP supports two modes of use: transport and ________.
tunnel
Benefits of IPsec are ________.
A. that it is below the transport layer and transparent to applications
B. there is no need to revoke keying material when users leave the organization
C. it can provide security for individual users if needed
The ______ field in the outer IP header indicates whether the association is an AH or ESP security association.
protocol identifier
A cookie can be used to authenticate a user to a web site so that the user does not have to type in his password for each connection to the site.
True
Malicious JavaScript is a major threat to browser security.
True
XSS is possible when a web site does not check user input properly and uses the input in an outgoing HTML page.
True
XSS can perform many types of malicious actions because a malicious script is executed in the user's browser.
True
XSRF is possible when a user has a connection to a malicious site while a connection to a legitimate site is still alive.
True
In XSRF, the malicious site can send a malicious script to execute in the user's browser by embedding the script in a hidden iframe.
True
It is easy for the legitimate site to know if a request is really from the (human) user.
False
Using an input filter to block certain characters is an effective way to prevent SQL injection attacks.
False
SQL injection is yet another example that illustrates the importance of input validation.
True
Organizational security objectives identify what IT security outcomes should be achieved.
True
Since the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control.
True
Legal and regulatory constraints may require specific approaches to risk assessment.
True
One asset may have multiple threats and a single threat may target multiple assets.
True
It is likely that an organization will not have the resources to implement all the recommended controls.
True
The IT security management process ends with the implementation of controls and the training of personnel.
False
The relative lack of success in bringing cybercriminals to justice has led to an increase in their numbers, boldness, and the global scale of their operations.
True
The purpose of the privacy functions is to provide a user protection against discovery and misuse of identity by other users.
True
An IT security plan should include details of ________.
A. risks
B. recommended controls
C. responsible personnel
______ is a function that removes specific identifying information from query results, such as last name and telephone number, but creates some sort of unique identifier so that analysts can detect connections between queries.
Anonymization