Quiz Questions from Lessons

Question 1

Subnet Spoofing

Answer 1

Generate random addresses within

a given address space.

Question 2

Random Spoofing

Answer 2

Generate 32-bit numbers and stamp

packets with them.

Question 3

Fixed Spoofing

Answer 3

The spoofed address is the address

of the target.

Question 4

Server Application DOS attack

Answer 4

The attack is targeted to a specific

application on a server

Question 5

Network Access DOS attack

Answer 5

The attack is used to overload or
crash the communication mechanism of a
network.

Question 6

Infrastructure DOS attack

Answer 6

The motivation of this attack is a
crucial service of a global internet
operation, for example core router

Question 7

Random Scanning

Answer 7

Each compromised computer probes

random addresses

Question 8

Permutation Scanning

Answer 8

All compromised computers share a
common pseudo-random permutation of the
IP address space.

Question 9

Signpost Scanning

Answer 9

Uses the communication patterns of the

compromised computer to find new target.

Question 10

Hitlist Scanning

Answer 10

A portion of a list of targets is supplied to

a compromised computer.

Question 11

Which of these are reasons why the UDP-based NTP

protocol is particularly vulnerable to amplification attacks?

Answer 11

A small command can generate a large response.
Vulnerable to source IP spoofing.
It is difficult to ensure computers communicate only with legitimate NTP severs.

Question 12

The server must reject all TCP options because the server discards the SYN queue entry. T or F?

Answer 12

True

Question 13

With regards to a UDP flood attack, which of the

following statements are true:

Answer 13

Attackers can spoof the IP address of their UDP packets
Firewalls cannot stop a flood because the firewall is
susceptible to flooding.

Question 14

Client puzzles should be stateless

Answer 14

True

Question 15

Puzzle complexity should increase as the strength of the

attack increases.

Answer 15

True

Question 16

Which of the following are assumptions that can be

made about Traceback?

Answer 16

Attackers may work alone or in groups

Question 17

Select all the statements that are true for edge

sampling:

Answer 17

Multiple attackers can be identified since edge identifies splits in reverse path
Requires space in the IP packet header

Question 18

Self defense against reflector attacks should

incorporate:

Answer 18

Server redundancy - servers should be located in multiple networks and locations.
Traffic limiting - traffic from a name server should be limited
to reasonable thresholds.

Question 19

Deep web

Answer 19

It is not indexed by standard search

engines

Question 20

Dark web

Answer 20

Web content that exists on darknets

Question 21

Surface web

Answer 21

Readily available to the public, and

searchable with standard search engines

Question 22

Doorway pages

Answer 22

A webpage that lists many keywords, in
hopes of increasing search engine
ranking. Scripts on the page redirect to
the attackers page.

Question 23

Crypters

Answer 23

A program that hides malicious code

from anti-virus software

Question 24

Blackhat Search Engine Optimizer

Answer 24

It increases traffic to the attacker’s site

by manipulating search engines.

Question 25

Trojan Download Manager

Answer 25

Software that allows an attacker to
update or install malware on a victim’s
computer.

Question 26

What are the two defining characteristics of internet spam?

Answer 26

Inappropriate or irrelevant

Large number of recipients

Question 27

Name the top three countries where spam directed visitors

added items to their shopping cart:

Answer 27

United States
Canada
Philippines

Question 28

Which events should trigger a penetration test?

Answer 28

Applications are added or modified
End user policies are changed
Security patches are installed
Infrastructure is added or modified

Question 29

List the steps attackers used to access RSA’s Adobe Flash software:

Answer 29

Identify employees that are
vulnerable
Craft an email subject line that
entices an employee to open it
Hide an executable file in the
email that will install onto the
victim's computer when the
email is opened

Question 30

Flash or CD Autoplay Attack

Answer 30

A flash is created that has a program that

creates a connection to the exploit server

Question 31

Reverse Shell Applet Attack

Answer 31

A signed Java applet is sent to the user, if they
accept it, a shell is sent back to the exploit
server.

Question 32

Click Logger Attack

Answer 32

Used to determine which users click on links in

emails

Question 33

Download Connection Attack

Answer 33

An email contains an attachment. When the
attachment is downloaded an connection is made
to the exploit server.

Question 34

On this pie chart, what are the top three industries that were targets
of cyber attacks in 2016?

Answer 34

Defense contractor
Restaurant
Software

Question 35

Tier One

Answer 35

A network can reach every other network

through peering.

Question 36

Tier Two

Answer 36

A network that peers some of its network

access and purchases some of it.

Question 37

Tier Three

Answer 37

A network that purchases all transit from

other networks

Question 38

IP provides only best effort delivery, it is not

guaranteed.

Answer 38

True

Question 39

Due the connectionless nature of IP, data
corruption, packet loss, duplication, and
out-of-order delivery can occur.

Answer 39

True

Question 40

Network layer controls can protect the data within the

packets as well as the IP information for each packet.

Answer 40

True

Question 41

IP information cannot be protected by transport layer controls.

Answer 41

True

Question 42

Address Resolution Protocol (ARP)

Answer 42

protocol designed to map IP network
addresses to the hardware addresses
used by a data link protocol

Question 43

Open Shortest Path First (OSPF)

Answer 43

protocol uses a link state routing
algorithm and falls into the group of
interior routing protocols

Question 44

Border Gateway Protocol (BGP)

Answer 44

protocol designed to exchange routing
and reachability information among
autonomous systems (AS)

Question 45

Denial of Service

Answer 45

Create a false route or kill a legitimate one.

Question 46

Sniffing

Answer 46

The attacker must control a device along

the victim’s communication path.

Question 47

Routing to Endpoints in Malicious

Networks

Answer 47

The first step is to hijack traffic from a

legitimate host

Question 48

Creating Route Instabilities

Answer 48

Not yet used by hackers because damage
cannot be contained. It can blowback to the
attacker.

Question 49

Revelation of Network Topologies

Answer 49

Unmasking the AS relationships by hacking

the routing table

Question 50

Domain name

Answer 50

A name in the DNS format

Question 51

DNS zone

Answer 51

A set of names under the same

authority (ie “.com”)

Question 52

Delegation

Answer 52

Transfer of authority for/to a subdomain

Question 53

Changing a domain name into an IP address involves a large
number of steps. To save time, the records are <>
on a local server for reuse later

Answer 53

cached

Question 54

Each record has a <> that states how long a record

can be kept for future use.

Answer 54

TTL

Question 55

All domain names and IP addresses are stored at the

Central Registry.

Answer 55

True

Question 56

It can take several days for information to propagate

to all DNS servers.

Answer 56

True

Question 57

The attacker’s server responds with a short TTL
record. The attacker needs to register a domain and
delegate it to a server under his control. The attacker exploits the same origin policy

Answer 57

True

Question 58

Using Components with Known Vulnerabilities

Answer 58

Uses unpatched third party components.

Question 59

Missing Function Level Access Control

Answer 59

Privilege functionality is hidden rather than

enforced through access controls

Question 60

Sensitive Data Exposure

Answer 60

Abuses lack of data encryption

Question 61

Security Misconfiguration

Answer 61

Exploits misconfigured servers.

Question 62

Insecure Direct Object References

Answer 62

Attackers modify file names

Question 63

Cross Site Scripting

Answer 63

Inserts Javascript into trusted sites.

Question 64

Broken Authentication and Session

Answer 64

Program flaws allow bypass of authentication

methods.

Question 65

Injection

Answer 65

Modifies back-end statement through user input

Question 66

Given the list of attributes, which 2 should not be combined?
Put a check next to the 2 attributes that should not be combined in sandbox

Answer 66

allow-same-origin

allow-scripts

Question 67

CSP will allow third party widgets (e.g. Google

+1 button) to be embedded on your site.

Answer 67

True

Question 68

If you have third party forum software that has

inline script, CSP cannot be used

Answer 68

false

Question 69

CORS allows cross-domain communication from the browser

CORS requires coordination between the server and client

Answer 69

true

Question 70

CORS is not widely supported by browsers
The CORS header can be used to secure resources on a
website

Answer 70

false

Question 71

The token must be stored somewhere
Tokens expire, but there should still be mechanisms to
revoke them if necessary

Answer 71

true

Question 72

Active session hijacking involves disconnecting the
user from the server once that user is logged on.
Social engineering is required to perform this
type of hijacking.

Answer 72

true

Question 73

Select all of the items that can be encrypted by HTTPS

Answer 73

Request URL
Query parameters
Headers
Cookies

Question 74

Which of the following are real disadvantages

to using HTTPS

Answer 74

You need to buy an SSL certificate
Mixed modes issue- loading insecure content on a
secure site
Proxy caching problems- public caching cannot occur

Question 75

According to Wikipedia, which of these devices is a mobile device?

Answer 75

Smart phone held by person
Self Driving car
Robot

Question 76

List the four areas of the C based toolchain where hardening

can occur

Answer 76

Configuration
Preprocessor
Compiler
Linker

Question 77

A Botnet is a of bots controlled by a
.
It is a key platform for and other
exploits.
network
Bot Master
fraud for-profit
More precisely, a coordinated group of malware
instances that are controlled via command and
control (C&C) channels. C&C architectures:
centralized (e.g., IRC, HTTP), distributed (e.g., P2P)
attacker

Answer 77

true

Question 78

Which of these behaviors are indicative of botnets?

Answer 78

Linking to an established C&C server
Generating Internet Relay Chat (IRC) traffic using a
specific range of ports
Generating SMTP emails/traffic
Reducing
Generating SIMULTANEOUS
IDENTICAL DNS requests is suspicious

Question 79

hat can botnets do to evade C-plane clustering?

Answer 79

Manipulate communication patterns.
Introduce noise (in the form of random packets) to reduce similarity
between C&C flows

Question 80

What can botnets do to evade A-plane monitoring?

Answer 80

Perform slow spamming
Use undetectable activities (spam sent with Gmail, download exe
from HTTPS server)

Question 81

Which of the information should be considered in order to identify the
source (perpetrator) of an APT attack?

Answer 81

Source IP address of TCP-based attack packets
Coding style of malware
Inclusion of special libraries with known authors
Motives of the attack
Language encoding

Question 82

Footprinting (FP)

Answer 82

The attacker gathers information about a target.
The kind of information gathered is: DNS, email
servers, and the IP address range.

Question 83

Scanning (S)

Answer 83

The attacker uses the internet to obtain information
on specific IP addresses. The kind of information
gathered is: O.S., services, and architecture of the
target system

Question 84

Enumeration (E)

Answer 84

The attacker gathers information on network user
and group names, routing tables, and simple
network management protocol.

Question 85

Which protocol is used to break data into packets?

Which protocol reassembles the data packets?

Answer 85

TCP

Question 86

Which protocol is used to move packets from router to

router?

Answer 86

IP

Question 87

Why does ZMap find more hosts than Nmap?

Answer 87

Statelessness leads to both
higher performance and
increased coverage

Question 88

With regards to computing, what is entropy?
Randomness for use in cryptography or other applications that
require random data.
What are the two sources of entropy?
Hardware sources and randomness generators
A lack of entropy will have a negative impact on performance
and security.

Answer 88

True

Question 89

NoBL DNSBL level

Answer 89

This IP address does not send spam, and should not

be blacklisted. But it is not fully trustworthy.

Question 90

Grey DNSBL level

Answer 90

This IP address is not directly involved in spamming

but is associated with spam-like behaviors

Question 91

Yellow DNSBL level

Answer 91

This IP address is known to produce spam and nonspam

email

Question 92

C Botnets(B),
A Spyware(S),
B Adware(A)

Answer 92

A. Anonymously registered domains
B. Disposable domains
C. Short lived domains

Question 93

List the types of characters a malicious domain name detection
program should look for in a domain name.

Answer 93

Number of characters
Number of hyphens
Number of digits

Question 94

C Network-based features(N),
B Zone-based features(Z),
A Evidence-based features (E)

Answer 94

A. The number of distinct malware samples
that connected to any of the IPs.
B. The average length of domain names,
the occurrence frequency of different
characters, etc.
C. Quantities such as the total number of
IPs historically associated with the
diversity of their geographical locations,
the number of distinct autonomous
systems, etc.

Question 95

A dynamic malware-related domain

detection system should

Answer 95

Have global visibility into DNS request and response
messages
Not require data from other networks
Be able to detect malware-related domains even if there is
no reputation data

Question 96

A proven method to stop botnets requires isolating the C&C
domain from the botnet

Answer 96

true

Question 97

Hash functions do not have a key
Hash functions are also called one-way encryption
Hash functions are primarily used for message integrity

Answer 97

True

Question 98

The security of crypto currency ledgers depends on

the honesty of its miners.

Answer 98

True

Question 99

With regards to Bitcoin, which of the following statements

are true?

Answer 99

Proof of work is costly and time consuming to
produce
Changing a block requires regenerating all
successors and redoing the work they contain.

Question 100

With regards to Sybil attacks, check all true statements

Answer 100

The attacker creates a lot of fake identities and
uses them to change voting outcomes or control the
network
A Sybil attack is designed to attack reputation
systems in a peer-to-peer network
Sybil attack can be stopped if users are willing to
give up anonymity.

Question 101

Two Merkle trees can be compared if they have the same
.
If two Merkle trees have the same root hashes, then their
data blocks can be considered to be .
In a bitcoin block, the is stored in the block
header.
hash depth
the same
Merkle root

Answer 101

True

Question 102

A time-stamping service prevents people from

double spending Bitcoins

Answer 102

True

Question 103

the main task is to find patterns, structures, or knowledge in
unlabeled data

Answer 103

Unsupervised

Question 104

the task is to find a function or model that explains the data

Answer 104

Supervised

Question 105

some of the data is labeled during acquisition

Answer 105

Semi-supervised

Question 106

Select the true statements with regards to decision tree based
detection models:

Answer 106

Can supplement honeypot analysis
Can supplement penetration testing
Can detect previously unknown network anomalies

Question 107

A polymorphic attack can change its appearance with
every instance.
A polymorphic attack has no predictable signature for
the attack.

Answer 107

True

Question 108

Each instance of polymorphic code has different, but

normal, appearance.

Answer 108

false

Question 109

Which of the following are true statements with regards to a

polymorphic blending attack?

Answer 109

The process should not result in an abnormally large
attack size
The blending needs to be economical in time and space

Question 110

List the goals of a successful poison attack:

Answer 110

Is undetected
• Continues for a period of time
• Cause damage to data

Question 111

If we can completely control the process of generating or
collecting the training data and ascertain the authenticity
and integrity of the dataset, we don’t have to worry
about data poisoning attacks

Answer 111

true

Question 112

If the training data is obtained in an open environment,
e.g., the Web, there is always the potential of poisoning
attacks (i.e., such attacks can’t be eliminated)

Answer 112

true

Question 113

List some of the characteristics that all four cloud models share:

Answer 113

Massive scale
Homogeneity
Virtualization
Resilient computing
Low cost software
Geographic distribution
Service orientation
Advanced security technologies

Question 114

Broad Network Access 
Rapid Elasticity
Measured Service
On Demand Self-Service
Resource Pooling

Answer 114

True for cloud

Question 115

Most data in transit is encrypted

Answer 115

true

Question 116

Disconnect the VM from the internet when opening

questionable files.

Answer 116

true

Question 117

Select the statements that are true with regards to ORAM

Answer 117

Client must have a private source of randomness
Each access to the remote storage must have a read
and a write

Question 118

What is a major weakness of the Naive Secret Sharing scheme?

Answer 118

The major weakness of naive secret sharing is the more shares
you have of the secret, the less work you have to do to guess the
secret.