Exam Questions Flashcards

1
Q

Encryption is one way to protect confidentiality.

A

True

2
Q

The main security properties (CIA) are confidentiality, integrity, and authenticity.

A

False

3
Q

Eavesdropping is an attack on integrity.

A

False

4
Q

Authentication has two parts, identification (who is the subject, e.g., user id) and verification
(making sure they really are who they claim to be).

A

True

5
Q

Authentication always requires proving that you know a secret, e.g., a password.

A

False

6
Q

The reason for individual salts for hashing passwords is to compensate for different lengths of passwords, which would otherwise make them easier to guess.

A

False

7
Q

With symmetric encryption, the sender and receiver use the exact same secret key.

A

True

8
Q

For digital envelopes to work, the sender and receiver first need to agree on a shared key.

A

False

9
Q

If Alice sends a message to Bob using public-key cryptography, Bob needs to have both his own private key and Alice’s public key to decrypt the message and be sure that it is from Alice.

A

True

10
Q

Strong collision resistance means that a secure hash function withstands brute force attacks
to find a collision with a given hash value even from attackers with high computational power.

A

False

11
Q

If the interpreter or JIT is correct, the use of memory-safe languages (like Java) prevents buffer overflows.

A

True

12
Q

Functions check stack canaries (to be unmodified) just before they return.

A

True

13
Q

Stack canaries can be used to detect all possible buffer overflows.

A

False

14
Q

The main propagation strategy of a worm consists of exploiting vulnerabilities of remote
programs.

A

True

15
Q

The main propagation strategy of a virus consists of exploiting vulnerabilities of remote programs.

A

False

16
Q

An antivirus using generic decryption emulates the CPU, executes the virus in the interpreter, and waits for the virus to decrypt itself in order to identify the malicious payload.

A

True

17
Q

Flooding (non-distributed) attacks like ICMP flood require that the attacker has more bandwidth than the victim.

A

True

18
Q

A successful DoS is a loss of confidentiality.

A

False

19
Q

In a TCP/IP SYN spoof attack the attacker attempts to fill the TCP connection table of the
victim.

A

True

20
Q

Guard pages are regions of virtual memory whose execution is forbidden, but writable accesses are permitted.

A

False

21
Q

Address space randomization counters buffer overflows because it prevents an attacker from knowing the size of the buffers.

A

False

22
Q

In the case of executable address space protection, the heap is configured as writable and non-executable.

A

True

23
Q

In multi-level security, users (subjects) have clearance levels and resources (objects) have classification levels. What a user with a specific clearance can do to a resource with a specific classification depends on the security model.

A

True

24
Q

Discretionary access control means that it’s up to the owner of a resource (e.g., a file) to decide whether an access request is checked.

A

False

25
Q

Role-based access control assigns rights to roles and maps users to roles. Roles can be hierarchical.

A

True

26
Q

Whitelisting will let less bad traffic through than blacklisting.

A

True

27
Q

The two main approaches to intrusion detection are signature based (meaning only install programs that are authentic, e.g., by checking the message digest or digital signature) and anomaly based (meaning using a list of malicious programs that do not behave like normal programs and detecting if a program is on the list).

A

False

28
Q

DMZ (demilitarized zone) means that there is no firewall or intrusion detection system set up around it.

A

True

29
Q

A side-channel attack usually relies on a buffer overflow.

A

False

30
Q

Constant-time programming is a programming technique guaranteeing that no branch condition and no array index depends on secret information.

A

True

31
Q

Cache partitioning prevents an attacker from extracting secret information by analyzing the execution time of the victim (time-driven attacks).

A

False

32
Q

A side-channel attack is based on information gained from the execution of a system, for instance by measuring its execution time.

A

True

33
Q

The GDPR (general data protection regulation) has one set of rules for all EU countries and it even applies to companies outside the EU if they offer services in the EU.

A

True

34
Q

Purpose binding means that once a user (data subject) has consented to their data being analyzed and used by an organization or company (data controller, data processor) for a given purpose, they have no right to get their data deleted.

A

False

35
Q

Privacy concerns not only the data itself (e.g., contents of files or messages) but also metadata, meaning data about the data.

A

True

36
Q

One way to prevent SQL injection is to use parameterized queries.

A

True

37
Q

Cross-site scripting takes advantage of a user being authenticated for a session with a server
and makes it look like a transaction was initiated by the authenticated user.

A

False

38
Q

One of the OWASP Top 10 most critical web application security risks is broken access control. There are many ways to bypass access control, such as by manipulating things like the URL, request parameters or cookies.

A

True

39
Q

Social engineering often exploits positive human traits, not lack of intelligence.

A

True

40
Q

The security policy is best developed by one or two security experts, as users or managers usually do not know enough about security and tend to increase the complexity of the document, which in turn increases the probability of errors.

A

False

41
Q

An organizational security policy is a formal statement of rules by which people given access to the organization’s technology and information assets must abide.

A

True

42
Q

Blockchains rely on consensus (a majority must agree on something) and on proof of work (proving that one has dedicated processing power, although there are alternative proposals for proofs).

A

True

43
Q

DevOps security defines the set of options developers need to integrate into programs so that users can configure the program settings in a secure way.

A

False

44
Q

Mobile network security in 4G/5G is about securing access to the radio network; all other functions, such as identity management, privacy, or confidentiality and integrity on the wired network (core network or Internet), are done by the application (banking, social networks, etc.).

A

False

45
Q

When some unauthorized entity reads my secret file, it is a violation of integrity.

A

False

46
Q

Availability is only threatened when a server is under a DoS attack. Preventing an individual person from accessing their account by, e.g., changing the password, does not qualify.

A

False

47
Q

The principle of least privilege means only those permissions that are needed to carry out the task should be granted, for example, do not grant write access to files that need only be read.

A

True

48
Q

The principle of complete mediation means that every single request for access is checked.

A

True

49
Q

Confidentiality means only authorized entities can read a resource.

A

True

50
Q

The principle of psychological acceptability means that if access to a resource, e.g., a file, is refused, the requesting user needs to be notified in a polite way or they could threaten the system.

A

False

51
Q

The GDPR is a recommendation for EU member countries for how to change their privacy laws from May 25, 2018.

A

False, not just recommendation

52
Q

The GDPR extends to all foreign companies processing data of EU residents.

A

True

53
Q

Important principles of the EU data protection directive 95/46/EC were data minimization, anonymity, unlinkability, purpose specification, and purpose binding.

A

False, (anonymity, unlinkability)

54
Q

Privacy by Design is a set of principles that prioritizes privacy over security once a minimum
level of security is reached.

A

False (zero-sum)

55
Q

For privacy, data confidentiality is not enough; much information can be inferred from
metadata.

A

True

56
Q

Transparency-enhancing technologies include both tools that show what would happen
before an action is taken and those that show how data was handled after the fact.

A

True

57
Q

In discretionary access control, anyone who has access rights to a resource (e.g., a file) can
change the permissions to give access rights to others.

A

False

58
Q

Role based access rights follow the hierarchy of the organization, for example, if an employee
has access to file X, her manager also has access to file X, all the way up to the CEO.

A

False

59
Q

Mandatory access control means every access request is checked, whereas in discretionary
access control it is up to the administrator to decide which requests are checked.

A

False

60
Q

In mandatory access control, whether access is granted depends on the requested access (read, write, or execute), security levels of the subject (requester) and the object (requested resource), and the policy that says which level needs to be greater than or equal to the other.

A

True

61
Q

In discretionary access control, the owner of a resource (e.g., a file) can give access rights to others.

A

True

62
Q

In role-based access control, the user’s identity is not as important as what role they have at the moment. Users can have several roles and switch between them.

A

True