# Information Security

## Midterm 2 Study Guide

Notice a tyop typo? Please submit an issue or open a PR.


## Chapter 7: Denial-of-Service Attacks

Multiple Choice

A SYN spoofing attack targets ___.

• A. Email service
• B. TCP connections table
• C. DNS service
• D. None of the above

B

Source

Stallings, 4th Edition, Section 7.1, page 227

Multiple Choice

What is a poison packet?

• A. A packet that triggers a bug in the network software and makes it crash.
• B. A packet that contains the signature of a virus.
• C. A packet that infects other packets in the network buffer.
• D. A packet that redirects other packets to a malicious target.

A

Source

Text pg 226

Multiple Choice

What is a cyber slam?

• A. Cyber slam is a made-up term.
• B. Another name for a DDoS attack.
• C. A firewall packet strategy that helps to thwart a DoS or DDoS attack.
• D. A large number of queries that severely load a server.

D

Source

Text pg 226

Multiple Choice

If an attacker directs a large number of forged requests to a server, what type of attack is being made?

• A. Slowloris
• C. SYN spoofing
• D. Reflector
• E. Amplifier

C

Source

Text pg 230

True or False?

ICMP flood attacks remain common because some ICMP packets are critical to normal network behavior and cannot be filtered.

True

Source

Text pg 233

Multiple Choice

What is the difference between a TCP SYN flood attack and a SYN spoofing attack?

• A. There is no difference, they are synonymous.
• B. The difference is in the volume of packets.
• C. SYN spoofing works with UDP only.
• D. TCP SYN flood attacks don't use spoofed source addresses.

B

TCP SYN flood attacks may or may not use spoofed addresses; the difference is the volume of packets sent, which is meant to overwhelm the server. A SYN spoofing attack is meant to overwhelm the server's TCP connections table by making it send SYN-ACK messages to spoofed addresses (preferably valid but unresponsive, rather than invalid).

Source

Text pg 231 and 234

Multiple Choice

What type of attack is based on sending a large number of INVITE requests with spoofed IP addresses to a server?

• A. Reflection attack
• B. Smurf attack
• C. Slashdot attack
• D. SIP flood attack

D

Source

Text pg 236, pg 241

True or False?

The best defense against a reflection attack is to not allow directed broadcasts to be routed into a network.

False

The description is the best defense against an amplification attack. To defend against a reflection attack, use filtering to block packets with spoofed source addresses.

Source

Text pg 241, 242

True or False?

A characteristic of reflection attacks is the lack of backscatter traffic.

True

Source

Text pg 241

Multiple Choice

What are some ways to prevent SYN spoofing attacks?

• B. Modify the size of the TCP connections table or timeout period
• C. Impose rate limits on network links
• D. Use selective or random dropping of TCP table entries
• E. All of the above
• F. None of the above

E

Source

Text pg 246

True or False?

Slowloris uses a ping flood via ICMP echo request packets.

False

That is the smurf attack. Slowloris exploits servers that use multiple threads by sending multiple incomplete requests (omitting the terminating newline sequence) that leave connections to the server open.

Source

Text pg 238, 242

True or False?

In a TCP spoofing attack, the attacker ideally wishes to use addresses that will not respond to the SYN-ACK with a RST.

True

Source

Text pg 231

Multiple Choice

A recursive HTTP flood attack is also known as what?

• A. a Fraggle attack
• B. a Delayed Binding attack
• C. a Spidering attack
• D. a SIP flood

C

Bots start from a given HTTP link and then follow all links on the provided website recursively. This is also called spidering.

Source

Text pg 237

## Chapter 9: Firewalls and Intrusion Prevention Systems

Multiple Choice

When it comes to defense against attacks, one of the most important principles is what?

• A. Authorization
• B. Authentication
• C. Defense-in-depth
• D. Time

C

Source

Defense in Depth in lecture

Multiple Choice

Firewalls are what type of mechanisms?

• A. Prevention
• B. Botnet
• C. Attack
• D. None of the above

A

Source

Defense in depth lecture

True or False?

The firewall will enforce different security restrictions on traffic.

True

Source

What is a Firewall

Multiple Choice

A _ is a device that provides secure connectivity between networks.

• A. Enterprise intranet
• B. Trusted Users
• C. Firewall
• D. DMZ

C

Source

What is a Firewall

Multiple Choice

Firewalls as a prevention mechanism should be designed to enforce what?

• A. User safety
• B. Security Policy
• C. Organizational Policy
• D. Public Key Infrastructure

B

Source

Firewall

True or False?

All traffic from the internal network to the internet and vice versa (external traffic into and out of the network) must pass through the firewall.

True

Source

Firewall

Multiple Choice

The critical component of planning and implementation of a firewall is specifying a suitable ____ policy?

• A. Security
• B. Access
• C. Network
• D. Directory

B

Source

Firewall Access Policy

Multiple Choice

At a high level, the access policy specifies the types of traffic allowed through in terms of what?

• A. Address ranges (Machines, protocols, the applications and the contents)
• B. IPSec & TLS
• C. Intranet
• D. Defense in depth

A

Source

Firewall Access Policy

True or False

A policy should not be developed based on the security and risk assessment and the organization's needs, but on how the CEO thinks it should be.

False

It should be based on the security and risk assessment and the needs of the organization as a whole.

Source

Firewall Access Policy

True or False?

Firewalls always provide protection 100% of the time.

False

The firewall isn't 100% secure.

Source

(Firewall limitations)

True or False?

Firewalls can log all traffic and can provide Network Address Translation.

True

Source

Multiple Choice

What is firewall filtering?

• A. Firewall filtering is when policies are defined for the firewall
• B. Firewalls authenticate users into the system
• C. Firewall filtering means the firewall decides whether to let the traffic through or not
• D. Firewall filtering means whether it will allow for a defense in depth strategy to protect the organization's digital assets.

C

Source

Firewalls and Filtering

True or False?

Packet filtering at a very high level is essentially a policy that has a set of access control lists based on packet types.

True

Source

Filtering types

Multiple Choice

Session filtering is based on the context within a session. In order to do this a firewall maintains a session or connection and performs a __.

• A. Traffic Block
• B. Stateful inspection
• C. DMZ re route
• D. Virtual Switch

B

Source

Filtering types

True or False?

In a packet filtering firewall, decisions are made on a per-packet basis, without regard to other packets.

True

Source

Packet filtering

True or False?

A packet filtering firewall applies a list of rules to the IP or TCP header fields of each packet and, based on which rule matches, decides whether to forward or discard the packet.

True

Source

Packet Filtering Firewall

IP or TCP header information that a firewall can use to filter a packet:

• Source IP address (where the packet is coming from)
• Destination IP address (the IP address of the destination)
• Source and destination transport-level address (the port numbers, which identify applications such as SMTP or HTTP)
• IP protocol field (this identifies TCP, UDP or ICMP)
• Interface (for a firewall with three or more ports, which interface the packet came from or is destined for)

Multiple Choice

Which default policies are used by packet filtering firewalls?

• B. Default forward policy
• C. Default Isolation Policy
• D. Default write down policy
• E. C & B
• F. A & B

F

Source

Packet Filtering Firewall

When no rule matches a packet, it is discarded. This is the safer procedure, but it is also a hindrance to users who find that some traffic isn't allowed.

The forward policy is easier to use and manage but less secure: it forwards any packet that no rule explicitly rejects.

Multiple Choice

What are the weaknesses to packet filtering?

• A. Limited logging functionality
• B. Vulnerable to attacks that take advantage of TCP/IP
• C. Can't Prevent attacks that employ application specific vulnerabilities or functions
• D. Packet filter firewalls are susceptible to security breaches if improperly configured.
• E. All of the above

E

Source

Packet Filtering

Multiple Choice

Packet Filtering Firewall Countermeasures are all of the following except?

• A. IP Address Spoofing
• B. Source Routing Attacks
• C. Tiny Fragment Attack
• D. Stateful inspection Attack

D

Source

Packet filtering firewall countermeasures are A, B and C.

IP Address Spoofing countermeasure: Discard packets with an inside source address if the packet arrives on an external interface.

Source Routing Attacks countermeasure: Discard all packets in which the source specifies the route.

Tiny Fragment Attack countermeasure: Enforce a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header.

In the textbook:

IP address spoofing: The intruder transmits packets from the outside with a source IP address field containing an address of an internal host. The attacker hopes that the use of a spoofed address will allow penetration of systems that employ simple source address security, in which packets from specific trusted internal hosts are accepted. The countermeasure is to discard packets with an inside source address if the packet arrives on an external interface. In fact, this countermeasure is often implemented at the router external to the firewall.

Source routing attacks: The source station specifies the route that a packet should take as it crosses the Internet, in the hopes that this will bypass security measures that do not analyze the source routing information. A countermeasure is to discard all packets that use this option.

Tiny fragment attacks: The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. This attack is designed to circumvent filtering rules that depend on TCP header information. Typically, a packet filter will make a filtering decision on the first fragment of a packet. All subsequent fragments of that packet are filtered out solely on the basis that they are part of the packet whose first fragment was rejected. The attacker hopes the filtering firewall examines only the first fragment and the remaining fragments are passed through. A tiny fragment attack can be defeated by enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header. If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments.

True or False?

Firewalls can only be one single computer system.

False

Source

Firewalls can be a set of two or more systems (Page 290)

Multiple Choice

The goals of a firewall are all the following except which?

• A. All traffic from inside to outside and vice versa must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall.
• B. Only authorized traffic as defined by the local security policy will be allowed to pass.
• C. Only unauthorized users are defined by the local security policy and will be allowed to pass.
• D. The firewall is immune to penetration

C

Source

Page 290. It should also be noted that the firewall itself is meant to be immune to penetration, which implies the use of a hardened system with a secured operating system.

True or False?

A major component in the planning and implementation of a firewall is specifying an access policy.

True

Source

Page 290: This lists the types of traffic authorized to pass through the firewall, including address ranges, protocols, applications, and content types. This policy should be developed from the organization's information security risk assessment and policy.

Multiple Choice

A firewall access policy would use which of the following to filter traffic?

• A. IP Address and Protocol values
• B. Application Protocol
• C. User Identity
• D. Network Activity
• E. All of the Above

E

Source

Page 290-291:

• IP Address and Protocol Values: This controls access based on the source and destination IP address and port numbers, and the direction of flow (either inbound or outbound). This type of filtering is used with packet filter and stateful inspection firewall designs, and is used to limit access to a specific service.
• Application Protocol: This controls access on the basis of authorized application protocol data. This type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols (for example SMTP and HTTP, i.e. email and web requests, for authorized users).
• User Identity: Controls access based on user identity, typically for inside users who identify themselves using secure authentication such as IPSec.
• Network Activity: Controls access based on the time of the request (such as only during business hours), the rate of requests, etc.

Multiple Choice

The following are all in the scope of a firewall except which?

• A. Firewalls are a single choke point that attempts to keep unauthorized users out of the network, prohibit potentially vulnerable services from entering or leaving the network, and provide protection from various kinds of IP spoofing or routing attacks.
• B. Firewalls provide a location for monitoring security-related events.
• C. Firewalls fully protect against internal threats, which include disgruntled employees.
• D. Firewalls allow several internet functions that are not security related to take place as well, such as Network Address Translation and network management functions.
• E. A firewall can serve as a platform for IPSec. Firewalls can be used to implement VPNs as well.

C

Source

This is a limitation of the firewall (Page 291). A firewall defines a single choke point that attempts to keep unauthorized users out of the protected network, prohibit potentially vulnerable services from entering or leaving the network, and provide protection from various kinds of IP spoofing and routing attacks. The use of a single choke point simplifies security management because security capabilities are consolidated on a single system or set of systems.

A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.

A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet usage.

A firewall can serve as the platform for IPSec. Using the tunnel mode capability described in Chapter 22, the firewall can be used to implement virtual private networks.

Firewalls have their limitations, including the following:

• The firewall cannot protect against attacks that bypass the firewall. Internal systems may have wired or mobile broadband capability to connect to an ISP. An internal LAN may have direct connections to peer organizations that bypass the firewall.
• The firewall may not protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
• An improperly secured wireless LAN may be accessed from outside the organization. An internal firewall that separates portions of an enterprise network cannot guard against wireless communications between local systems on different sides of the internal firewall.
• A laptop, PDA, or portable storage device may be used and infected outside the corporate network, then attached and used internally.

True or False?

A web proxy is a form of application-level gateway.

True

Source

Lecture, Application Level Gateway

## Chapter 8: Intrusion Detection

Multiple Choice

What is an intrusion?

• A. Any attack that aims to compromise the security goals of an Organization
• B. Any attack that is hidden from a user
• C. A form of detection which users are able to see everyone on the network
• D. A form of encryption which allows end to end security.

A

Source

Intrusion Examples

True or False?

Intrusion detection systems are part of the defense in depth strategy.

True

Source

Intrusion Detection Systems (IDS)

Multiple Choice

Defense in depth strategies should include the following except what?

• A. Encrypting sensitive information
• B. Intrusion detection systems
• C. Detailed audit trails
• D. Strong authentication and authorization controls
• E. Zero day exploits
• F. Active management of operating systems
• G. Application security

E

Source

Intrusion Detection systems

Multiple Choice

What is the correct order of an attacker's behavior during an intrusion?

• A. Maintaining Access: this is important because an attack may not be a one-time action; the attacker may install backdoors or other malicious software on a target system so they can continue to access it.
• B. Information Gathering or System Exploit: this is when an attacker has already gained sufficient privilege on a system and can find out more about the network and the organization, or even move to another target system on the network to exploit it further.
• C. Covering Tracks: this is when the attacker makes sure there is no evidence of them on the system; this can be done by disabling or even editing the system audit logs to remove evidence of attack activities. Alternatively, the attacker can install a rootkit to hide the installed malware.
• D. Privilege Escalation: this takes place after initial access; the attacker will try to use a local exploit to escalate privilege from normal user to root on the target system.
• E. Initial Access: this is accomplished by exploiting a remote network vulnerability.
• F. Target Acquisition and Information Gathering: this is when the attacker identifies the target system using publicly available information, both technical and non-technical, and uses network tools to analyze target resources.

The correct order is: F, E, D, B, A, C

Source

Intruder Behavior

True or False?

The key design element of an intrusion detection system is examining network and group activities.

False

The key design element of an intrusion detection system is examining network and user activities.

Source

Elements of Intrusion Detection

True or False?

From an algorithmic perspective, models capture intrusion evidence, while features piece the evidence together.

False

From the point of view of a detection algorithm, we need to decide how to represent the data: features capture intrusion evidence, and models piece the evidence together.

Source

Elements of Intrusion Detection

Multiple Choice

Which of the components is not part of an Intrusion detection system?

• A. Data preprocessor
• B. Detection Models
• C. Detection Engines
• D. Decision Table
• E. Reporting and Analytics
• F. Decision Engine

E

Source

Components of an IDS lecture

True or False?

Anomaly detection tries to learn what is normal, often using machine learning, while signature detection uses a database to identify virus patterns.

True

Source

Lectures

True or False?

Another name for an intruder is a hacker or a cracker.

True

Source

Lectures & PG 252

Multiple Choice

An IDS comprises three logical components. Which of the following is not one of them?

• A. Analyzers
• B. User interface
• C. Deep Learning
• D. Sensors

C

Deep learning is not one of the IDS logical components. The IDS is composed of the following:

Sensors: Sensors are responsible for collecting data. The input for a sensor may be any part of a system that could contain evidence of an intrusion. Types of input to a sensor include network packets, log files, and system call traces. Sensors collect and forward this information to the analyzer.

Analyzers: Analyzers receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion occurred. The analyzer may provide guidance about what actions to take as a result of the intrusion. The sensor inputs may also be stored for future analysis and review in a storage or database component.

User interface: The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a manager, director, or console component.

Source

Page 256

Multiple Choice

In an IDS, what do the sensors do?

• A. Determine if an intrusion has occurred
• B. Allow users to view the output of the system
• C. Provide guidance about what actions to take when the intrusion occurs.
• D. Collect and forward information to the analyzer

D

Source

PG 256

True or False?

Analyzers are responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. However, the output never includes evidence supporting the conclusion that an intrusion has occurred.

False

The analyzer output may include evidence supporting the conclusion that an intrusion occurred. The analyzer may provide guidance about what actions to take as a result of the intrusion.

Source

Page 256

True or False?

Intrusion Detection Systems are only allowed to use a single sensor.

False

An IDS can use multiple sensors across a range of host and network devices, sending information to a centralized analyzer and user interface in a distributed architecture.

Source

Page 256

True or False?

One of many intruder behaviors is Maintaining Access. This is done by adding a machine code backdoor that is hard to detect. Detection is difficult because the backdoor modifies machine level code.

True

Source

Lecture notes, Object Code Backdoors: This backdoor is hard to detect because it modifies machine code.

Multiple Choice

Match each Intrusion Detection classification to its correct description.

• I. Monitors characteristics of a single host and the events occurring within the host
• II. Monitors network traffic for particular network segments or devices
• III. Combines information from multiple sensors, often both host and network based, and sends the information to a central analyzer
• A. Distributed or Hybrid IDS is III, Network-based IDS is I and Host based IDS is II
• B. Network-based IDS is II, Host-Based IDS is I and Distributed IDS is III
• C. Host-Based IDS is III, Network based IDS is I and Host based IDS is I
• D. There are no other IDS architectures just one Host-Based IDS

B

Host-based IDS (HIDS): Monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity.

Network-based IDS (NIDS): Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.

Distributed or hybrid IDS: Combines information from a number of sensors, often both host and network-based, in a central analyzer that is able to better identify and respond to intrusion activity.

Source

Page 257

True or False?

In the context of IDS systems, a false negative is when an authorized user is identified as an intruder, and a false positive is when intruders are not identified as intruders.

False

Source

Thus, a loose interpretation of intruder behavior, which will catch more intruders, will also lead to a number of false positives, or false alarms, where authorized users are identified as intruders. On the other hand, an attempt to limit false positives by a tight interpretation of intruder behavior will lead to an increase in false negatives, or intruders not identified as intruders. Thus, there is an element of compromise and art in the practice of intrusion detection.

Page 257

True or False?

The base-rate fallacy of IDS states that if the number of intrusions is low compared to the number of legitimate uses of a system, then the false alarm rate will be high unless the test is extremely discriminating.

True

Source

Page 258

Multiple Choice

Anomaly detection involves the collection of data relating to a behavior over a period of time. Once collected, the data is analyzed to determine whether or not the behavior is legitimate. An issue with anomaly detection can be what?

• A. High false positive rate
• B. High False negative rate
• C. Both High false positive and negative rates
• D. Low false positive rate

A

Source

Lecture Notes & Pg 259

True or False?

Signature or Heuristic detection uses a set of pre-defined malicious data patterns or attack rules that are compared with current behavior to decide if it is that of an intruder.

True

The statement above is correct, and this approach can only identify known attacks for which it has patterns or rules.

Source

Pg 259

Multiple Choice

The disadvantages of locating a honeypot in an internal network are:

• a) It has little or no ability to trap internal attackers and it cannot detect a misconfigured firewall.
• b) If it is compromised, it can attack other internal systems and its location requires the outer firewall to permit traffic through its filters.
• c) It puts more load on the external firewall and on the resources of the internal system.
• d) It leads to honey files, which are malicious byproducts of the prolonged use of the honeypot.
• e) It leads to a honey do list, which can ruin a Saturday.

B

Source

Text pg 279

Multiple Choice

Which of the following is not listed as a desired quality of an IDS?

• A. Be able to scale to monitor a large number of hosts.
• B. Be able to monitor itself and detect if it has been modified by an attacker.
• C. Be able to be configured to the policies of the system it is monitoring.
• D. Impose a minimal overhead on the system.
• E. Be able to recover from crashes and reinitializations.
• F. Require static configuration, so changes in configuration require a system restart.
• G. Be able to adapt to changes in system and user behavior over time.
• H. Provide graceful degradation of service in the event that some components of the IDS stop working.

F

The IDS should allow dynamic reconfiguration -- the ability to reconfigure the IDS without restarting it.

Source

Text pg 258

True or False?

The SNORT system is a signature-based NIDS.

False

The SNORT system is a rule-based NIDS. A large collection of rules exist for it to detect a wide variety of network attacks.

Source

Text pg 261

True or False?

A key limitation of the anomaly detection approaches used by many IDSs is that they are generally only trained with legitimate data.

True

Source

Text pg 261

Multiple Choice

The advantages of __ anomaly detection include relative simplicity, low computation cost, and a lack of assumptions about expected behavior. Disadvantages include difficulty in selecting suitable metrics, and that not all behaviors can be modeled using this approach.

• A. Statistical
• B. Knowledge based
• C. Machine-learning
• D. Heuristic
• E. Signature

A

Source

Text pg 259

Multiple Choice

A key disadvantage of ___ anomaly detection is the significant time and computational resources needed.

• A. Statistical
• B. Knowledge based
• C. Machine-learning
• D. Heuristic
• E. Signature

C

Source

Text pg 259

Multiple Choice

The advantages of __ approaches include their robustness and flexibility. A disadvantage is the difficulty and time required and the need for expert assistance.

• A. Statistical
• B. Knowledge based
• C. Machine-learning
• D. Heuristic
• E. Signature

B

Source

pg 259

True or False?

Signature detection would be suitable to detect buffer overflows, password guessing, or malware transmission attacks.

True

Source

Text pg 271

True or False?

Anomaly detection would be suitable to detect policy violation attacks.

False

Signature detection is better suited.

Source

Text pg 271

True or False?

Signature detection would be suitable to detect worm attacks.

False

Anomaly detection is better suited.

Source

Text pg 271

## Chapter 2: Cryptographic Tools

True or False?

Symmetric encryption relies on a public and private key, while asymmetric encryption relies on a key shared between two parties.

False

Source

Lectures

Multiple Choice

There are two general approaches to attacking a symmetric encryption scheme. What are they?

• A. Cryptanalysis & Brute-Force attacks
• B. Cryptanalysis & DDoS
• C. Brute-force attack and CipherText
• D. Cryptanalysis & Caesar

A

There are two general approaches to attacking a symmetric encryption scheme. The first attack is known as cryptanalysis. Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext, or even some sample plaintext-ciphertext pairs. This type of attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used. If the attack succeeds in deducing the key, the effect is catastrophic: All future and past messages encrypted with that key are compromised.

The second method, known as the brute-force attack, is to try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.

Source

Page 32

True or False?

The most commonly used asymmetric encryption algorithms are block ciphers: DES, Triple DES and AES.

False

These are symmetric encryption algorithms.

Source

Page 33

Multiple Choice

Concerns about DES fall into two categories. What are they?

• A. 128 bit encryption and the algorithm itself (i.e. its cryptanalysis)
• B. The Key length of 56 bits and 256 bit encryption
• C. The key length of 56 bits and the cryptanalysis of the algorithm
• D. All of the above

C

Source

Page 33

True or False?

The main reason most companies go with 3DES is that the algorithm is relatively faster in software compared to normal DES and AES.

False

The principal drawback of 3DES is that the algorithm is relatively sluggish in software.

Source

Pg 35

Multiple Choice

If Alice wants to send verification of her identity, she can send a message encrypted with her ____ and anyone with her __ can verify that it was from her.

• A. secret key, secret key
• B. public key, private key
• C. hash function, private key
• D. private key, public key

D

Alice can send a message using her private key, and anyone knowing her public key can verify that.

Source

P2_L5 Notes, page 10

True or False?

If you want to achieve the highest level of privacy and reliability, it is often best to use a new or unpublished encryption algorithm.

False

In practice, we should always use widely known and deployed algorithms and standards.

Source

P2_L5 Notes, pg 9

True or False?

A digital envelope is a technique in which a message is encrypted with a one-time key, and that key is encrypted with the receiver's public key and attached to the message.

True

Source

Text pg 55

True or False?

The primary advantage of a block cipher is that block ciphers are almost always faster and use far less code than do stream ciphers.

False

Source

Text pg 35

Multiple Choice

All but one of the following situations are examples where message authentication with confidentiality would not be preferable. Select the exception.

• A. When a message or notification is broadcast to many different users.
• B. When the receiver is expecting a message from the sender, or when both the user and sender have the same access privileges.
• C. When the system for either the sender or recipient are heavily loaded and cannot afford the time to encrypt.
• D. When authenticating a computer program, allowing it to execute without having to perform a decryption each time.

B

Source

Text pg 37

Multiple Choice

Which of the following is not a characteristic that is sought in random (or pseudo random) numbers used in cryptography?

• A. The overall distribution of numbers is normal or approximately normal.
• B. Values are statistically independent of one another.
• C. The sequence is unpredictable.

A

The values should be uniformly distributed.

Source

Text pg 55

True or False?

It is possible for a computer chip to use software to generate true random numbers.

True

The Intel DRNG, offered on multi-core chips since 2012, uses thermal noise within the silicon to output a random stream of bits.

Source

True or False?

So-called data at rest is often not encrypted, but it should be encrypted.

True

Source

Text pg 57

Multiple Choice

Under which of the following situations would Message Authentication confidentiality NOT be preferable?

• A. Encryption software is slow.
• B. Hash functions are irreversible.
• C. Encryption hardware is not inexpensive.
• D. Encryption hardware is geared toward larger data sizes.
• E. Encryption algorithms may be patent protected.

B

Source

Text pg 41

Multiple Choice

What are some uses of hash functions?

• I. Message encryption
• II. Message authentication
• III. Creating Digital Signatures
• V. Intrusion detection
• A. I, II, and III
• B. All of the choices
• C. I, III, and V
• D. II, IV, and V
• E. All except I.
• F. All except IV.

E

Source

Text pg 44

## Chapter 20: Symmetric Encryption and Message Confidentiality

True or False?

A symmetric cipher is characterized by ciphertext that is the same size as the original plaintext.

False

It can be characterized by the use of a shared secret key.

Source

Text pg 31 (Chapter 2)

True or False?

For applications such as file transfer, email, and database, a stream cipher may be more appropriate.

False

A block cipher may be more appropriate for applications that deal with large blocks of data. Stream ciphers may be more appropriate for data in web browsers or data communications channels.

Source

Text pg 620

True or False?

A number of attacks against RC4 have been published, but if a large enough key is used, none of those attacks are practical.

True

Source

Text pg 622

True or False?

RC4 is very fast and simple to explain, and it allows for variable key lengths.

True

Source

Text pg 620

Multiple Choice

Which of the following is not among the ways two users can arrange to exchange keys?

• A. If the two parties have recently used a key, they can transmit the old key, using the new key to encrypt.
• B. A third party could physically deliver the key to the second party.
• C. If the two parties have an encrypted connection to a third party, the third party can deliver the key.
• D. None of the above answers are correct.

A

Source

Text pg 628

Multiple Choice

Which of the following defines a Session Key?

• A. A key used between entities for the purpose of distributing keys.
• B. A one-time key used to communicate between two end systems.
• C. The authority that determines which systems are allowed to communicate with each other.
• D. A shared key that is used in Asymmetric encryption standards such as RSA.

B

Source

Text pg 628

Multiple Choice

How can 3DES be used to decrypt DES encrypted ciphertext?

• A. By setting Key1 = Key2 and Key3 = Key_DES
• B. By setting Key1 = Key2 = Key3 = Key_DES
• C. By setting Key3 = Key_DES
• D. By setting Key1 = Key3 and Key2 = Key_DES.

B

Source

Text pg 612, P2_L6 Notes pg 8

Multiple Choice

In a public-key system using RSA, you intercept the ciphertext C=10 sent to a user whose public key is e=5, n=35. What is the plaintext M (as an integer)?

• A. 50
• B. 25
• C. 17
• D. 30
• E. 5

B

n = 35, so p = 7 and q = 5, and phi(n) = 6 x 4 = 24. Then d = e^-1 mod phi(n) = 5, since 5 x 5 = 25 = 1 (mod 24). Finally, M = C^d mod n = 10^5 mod 35 = 5.

Source

Text pg 658, problem 21.8

Multiple Choice

Consider a Diffie-Hellman scheme with a common prime q=11 and a primitive root $\alpha$=2. If user A has public key YA=9, what is A's private key XA?

• A. 6
• B. 4
• C. 10
• D. 5
• E. 2

A

YA = 2^XA mod 11 = 9. By inspection, 2^6 = 64 and 64 mod 11 = 9, so XA = 6 is the private key.

Source

Text pg 653 and pg 658 problem 21.12

True or False?

The structure and functions used in SHA-1 and SHA-2 are substantially different from those used in SHA-3.

True

Source

Text pg 639

Multiple Choice

The CTR cipher block mode does not have which of the following advantages listed, according to the text?

• A. Simplicity
• B. Preprocessing capability
• C. Software efficiency
• D. Hardware efficiency
• E. Scalability
• F. Random Access capability
• G. Provable Security

E

Source

Text pg 627

True or False?

It is possible to convert any block cipher into a stream cipher.

True

Using the Cipher Feedback Mode

Source

Text pg 625

## Chapter 21: Public Key Cryptography and Message Authentication

True or False?

AES is a Feistel cipher.

False

Source

True or False?

The primary advantage of a block cipher is that block ciphers are almost always faster than stream ciphers.

False

Source

Text pg 35

Multiple Choice

What is the main reason 3DES uses an encrypt-decrypt-encrypt sequence?

• A. It makes it more difficult for eavesdroppers to cryptanalyze.
• B. It is faster than encrypt-encrypt-encrypt would be.
• C. It can decrypt DES encrypted messages.
• D. It is easier to use with cipher block chaining.

C

Source

Text pg 611

Multiple Choice

Which of the following is not a mode of operation used with block ciphers?

• A. Random Bit Optimization
• B. Electronic Code Book
• C. Cipher Feedback
• D. Output Feedback
• E. Counter

A

Source

Text pg 622

Multiple Choice

Which of the following is the weakest form of attack?

• A. Chosen Plaintext
• B. Chosen Ciphertext
• C. Known Plaintext
• D. Ciphertext Only
• E. Chosen Text

D

Source

https://notes.shichao.io/cnspp/ch2/

Multiple Choice

What is RC4?

• A. A stream cipher.
• B. A symmetric block cipher
• C. An asymmetric block cipher.
• D. A set of standards used in Internet encryption.

A

Source

Text pg 619

True or False?

CTR mode is used for timing, for example, to ensure that encrypted streams remain in sync with one another.

False

Source

Text pg 627

Multiple Choice

What operation does the Diffie-Hellman algorithm use as a one way function?

• A. Discrete exponentiation
• B. Elliptical Key Cryptography.
• C. Discrete logarithms
• D. Hashing functions.

C

Source

Text pg 653

Multiple Choice (True or False?)

OCB offers Authenticated Encryption (T/F?). It uses 3DES to encrypt messages. (T/F?) Its structure is similar to ECB mode, which makes it vulnerable to repeated messages. (T/F?) It uses the same key for authentication and encryption. (T/F?)

• A. True, True, True, True
• B. True, False, True, False
• C. False, False, False, False
• D. True, False, False, True
• E. False, False, False, True
• F. True, True, False, False
• G. None of these choices are correct.

G

T, F (it uses AES), F (while its structure is similar to ECB, it uses an offset XORed with the plaintext in each block), T

Source

Text pg 646

True or False?

The MD5 hash function, despite being susceptible to the birthday attack, is suitable for HMAC.

True

Source

Text pg 643

True or False?

RSA can be used for both encryption and key exchange, but DSS cannot.

True

Source

Text pg 656

True or False?

If someone finds an efficient way to factor large integers, then AES will be obsolete.

False

Source

P2_L6 Notes, pg 20

True or False?

The Certification Authority is responsible for generating the public keys.

False

Source

Multiple Choice

HMAC treats the SHA function as a black box. What benefits does this have?

• I. The hash algorithm used in HMAC is hidden from hackers.
• II. It is easy to replace the given hash function.
• III. HMAC code can be prepackaged and ready to use without modification.
• A. I and II
• B. I and III
• C. II and III
• D. I, II, and III

C

Source

Text pg 641

True or False?

Using the Pigeonhole Principle, given that a hash can take an input of any size and output a value of fixed size, then it should have collisions.

True

Source

Notes: P2_L8 - Hashes, pg 5

True or False?

The Pigeonhole Principle can be used as a counterexample to the Collision Resistance property of hashes.

False

While the Pigeonhole Principle says there exist collisions, the collision resistance property says that it is computationally infeasible to find them. So even though collisions exist, they are hard to find, thus keeping the collision resistance property of hashes intact.

Source

Notes P2_L8 - Hashes pg 5

Multiple Choice

From the birthday "paradox", if the length of the hash is x bits, then a hacker would have to search 2^(x/2) messages in order to find a collision. In doing so, what is the probability, approximately, that the hacker will find a collision?

• A. nearly 100%
• F. less than 25%

D

Searching approximately 2^(x/2) = sqrt(2^x) messages gives a probability of about 50% that the hacker will find at least one match.

So it's misleading to say that the hacker would have to search 2^(x/2) messages to "find a match". This would only give the hacker a better-than-50% chance of finding one without some more strategic choices.

Source

Notes P2_L8 - Hashes pg 4

True or False?

SHA-1 allows message sizes as large as 2 terabytes.

True

That's quite an understatement, though. SHA-1 accepts messages up to 2^64 bits, which is (2^21) x (2^43) bits, so with 2^43 bits to a terabyte the limit is more like 2 million terabytes. And SHA-384 and SHA-512 accept messages of that size squared (2^128 bits)!

Source

Notes P2_L8 - Hashes pg 7

True or False?

A truly ideal hash function should be nondeterministic.

False

You want to be able to always get the same hash for a given input, hence, it must be deterministic.

Source

https://en.wikipedia.org/wiki/Cryptographic_hash_function

Multiple Choice

What is the main advantage of ECC compared to RSA?

• A. Its technique is not as difficult to explain.
• B. Hackers have not shown interest in it.
• C. Its theory has been around for a long time.
• D. It offers equal security with smaller key size.

D

(A and B are the opposite of true, and C is a true statement, but it is not relevant here.)

Source

Text pg 656

True or False?

Diffie-Hellman Key Exchange is, on its own, completely vulnerable to a man in the middle attack.

True

It is vulnerable because it does not authenticate the participants.

Source

Text pg 656

True or False?

In attacks on RSA, it has been demonstrated that if the public key e is less than n and the private key d is less than the fourth root of n, then d can be "easily determined".

True

Source

Text pg 650

True or False?

According to the text, the largest product of primes that has been factored to date was over 200 decimal digits long.

True

In fact, it was 232 digits long, and that was done in late 2009.

Source

Text pg 650

Multiple Choice

Name all simple countermeasures for a timing attack:

• I. Ensure all exponentiations take the same amount of time before returning results
• II. Ensure true random numbers, and not pseudo random numbers, are used.
• III. Add a random delay to the exponentiation algorithm.
• IV. Ensure that all operations are optimized.
• V. Multiply the ciphertext by a random number before performing exponentiation.
• A. All choices: I, II, III, IV, and V.
• B. I, III, and V.
• C. II and IV.
• D. I, II, III, and IV.
• E. II, III, IV, and V.

B

Source

Text pg 652

True or False?

Blinding, or multiplying ciphertext by a random number before performing exponentiation during RSA encryption, incurs a 2 to 10% performance penalty.

True

Source

Text pg 652

Multiple Choice

All hash functions operate using these two principles: (select two)

• I. The size of the input is greater than the size of the output
• II. The input is viewed as a sequence of n-bit blocks.
• III. The input value is "randomized" to overcome regularities.
• IV. Ciphertext does not change when blocks are permuted.
• V. Input is processed one block at a time in an iterative fashion.
• A. I and II
• B. I and III
• C. II and III
• D. II and V
• E. III and IV
• F. III and V

D

Source

Text pg 635

True or False?

SHA-512 is more efficient than SHA-256 on many 64-bit systems.

True

Source

Text pg 637

True or False?

SHA-512 makes use of constants derived from the first 64 bits of fractional parts of cube roots of the first 80 (one for each round) prime numbers.

True

Source

Text pg 639

Multiple Choice

A longitudinal redundancy check is reasonably effective for random data as a data integrity check. It uses which bitwise function?

• A. XOR
• B. MOD
• C. NOT
• D. LOG
• E. EXP
• F. OR
• G. AND
• H. Circular Shift

A

Source

Text pg 635

## Chapter 23: Internet Authentication Applications

Multiple Choice

What are the principal elements of a Kerberos system?

• I. AS
• II. TGT
• III. TGS
• A. I, II, and III
• B. I and II only
• C. I and III only
• D. II and III only

C

Source

Text pg 685 (see image)

Multiple Choice

Which of the following are steps Kerberos uses to ensure security and authentication?

• A. It includes a timestamp to prevent replay attacks.
• B. It sets a lifetime on TGTs.
• C. It uses short-lived authenticators encrypted with session keys.
• D. It encrypts the TGT with the server key to prevent alteration.
• E. All of the above
• F. Duh

E

Source

Multiple Choice

What is an authenticator, as used by Kerberos?

• A. A software application that verifies a user's identity.
• B. An encrypted message which contains the ID, the address of the user, and a timestamp.
• C. An application that creates a one-time password that authenticates a user.
• D. A server which contains the IP, user ID, and user password, used for authentication.
• E. None of the above.

B

Source

Text pg 686

True or False?

The Authentication Server holds a copy of symmetric keys for all clients and servers.

True

Source

Text pg 686

True or False?

The TGT includes a key ("ticket") that gives the client access to the requested service.

False

Source

Text pg 686

True or False?

The user cannot read the TGT; she only passes it forward, along with other information, to the TGS.

True

Source

Text pg (you guessed it) 686

Multiple Choice

The set of keys and user IDs/passwords in a Kerberos network (i.e., a full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a number of application servers) is known as __.

• A. a realm.
• B. a session.
• C. a dictionary.
• D. an organization
• E. a Kerberos policy.

A

Source

Text pg 688

True or False?

PKI is defined as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on symmetric cryptography.

False

Change symmetric to asymmetric, and it's true!

Source

Text pg 694

Multiple Choice

Which of the following is not a long-known problem with the X.509 PKI model?

• A. There is not a standardized set of trust stores used by all browsers and operating systems.
• B. The user is sometimes relied upon to make an informed decision regarding certificate trust.
• C. All CAs in the trust store are assumed to be equally trusted, well managed, and applying equal policies.
• D. The trust certificates shared in the trust store are not encrypted.

D

Source

Text pg 694

Multiple Choice

What is a trust store?

• A. A database of IP addresses of known trusted servers.
• B. A list of CAs and their public keys.
• C. A CA that issues authentication certificates.
• D. A single internationally specified hierarchy of government regulated CAs.

B

Source

Text pg 694

True or False?

Kerberos provides both authentication and access control.

True

Source

Notes P2_L9 Security Protocols, pg 15

True or False?

The authenticator is a program that checks the user's TGT versus the value on file.

False

The authenticator checks the user's identifying information and time stamp using the session key.

Source

P2_L9 - Security Protocols, pg 14

Multiple Choice

How does Trudy, the (wo)man in the middle, initiate a mutual authentication reflection attack between two users, Bob and Alice?

• A. She tricks Bob into sharing Alice's public key with her.
• B. She tricks Bob into solving a challenge response from Alice.
• C. She tricks Alice into sending her challenge twice.
• D. She simply re-sends the challenge response that she intercepted from Alice, back to her.

B

Source

Notes P2_L9 - Security Protocols, pg 7

Multiple Choice

What is a major shortcoming of using a pairwise key exchange based on a shared secret (key)?

• A. It does not scale well.
• B. It lacks computational security.
• C. Session keys expire after a set time.
• D. It is vulnerable to the man in the middle attack.

A

As new users are added, each must share a new pair of master keys. The number of keys increases rapidly as users are added.

Source

Notes P2_L9 Security Protocols pg 10

True or False?

In Kerberos, the localhost must store the user's password (or password hash) after retrieving the session key from the key distribution center.

False

Source

P2_L9 Security Protocols, pg 13

Multiple Choice

What are some reasons a user would revoke a certificate before it expires?

• I. A key has been compromised.
• II. Upgrades require a new key.
• III. The key has been duplicated.
• A. I, II, and III
• B. I and II only
• C. II and III only
• D. I and III only
• E I only

B

Source

Text pg 692

True or False?

Conventional X.509 certificates have validity periods of months to years.

True

Source

Text pg 692

## Chapter 22: Internet Security Protocols and Standards

Multiple Choice

Which of the following features does MIME add to the original RFC 822 Internet Mail Format?

• I. New header fields to define information about the body of the message.
• II. Cryptographic message syntax to sign, authenticate, digest, or encrypt message content.
• III. Content formats to standardize representations for support of multimedia email, such as images, audio and video.
• IV. The ability to sign and encrypt email messages.
• A. I, II, III, and IV.
• B. I, II, and IV.
• C. I and III.
• D. II and IV
• E. None of these

C

II and IV are features added by S/MIME.

Source

Text pg 661

Multiple Choice

What is the main difference between signed data and clear signed data?

• A. Signed data allows users without S/MIME capability to view message content, but clear signed data does not.
• B. Clear signed data uses base 64 encoding, signed data does not.
• C. Clear signed data is not authenticated, signed data is.
• D. Clear signed data allows users to use PKI, signed data requires users to apply a private key.
• E. None of the above are correct.

E

If you switch clear signed data and signed data in answer A, it would be correct. ; )

Source

Text pg 664

Multiple Choice

What is radix 64 encoding (aka base 64 encoding)?

• A. Encryption that is optimized for use with 64 bit computers.
• B. Encoding that uses binary logarithmic functions (radix base 2) to map input to output values.
• C. Encoding that maps binary data to ASCII characters.
• D. Encoding that encrypts a message using the receiver's 64 bit private key.
• E. None of the above are correct.

C

Source

Text pg 663

True or False?

The basic tool that permits the wide scale use of S/MIME is a pseudo random key generator.

False

The tool is a public key certificate that conforms to the X.509v3 standard.

Source

Text pg 664

Multiple Choice (Matching)

Match the Internet mail acronym to the function. (Put the letters in order that match the acronym):

Acronyms:

1. MUA
2. MSA
3. MTA
4. MDA
5. MS

Definitions:

• AA. Transfers the message from the message handling agent to the message store.
• BB. Typically referred to as a client email program or a local network email server.
• CC. A long term repository, possibly on a remote server that is accessed by POP or IMAP.
• DD. Relays mail between others of its kind, adding trace information to the message header, until the message reaches the next step.
• EE. Accepts the message and enforces policies of the hosting domain and Internet standards.

Choices:

• A. AA, BB, CC, DD, EE
• B. BB, EE, DD, AA, CC
• C. AA, EE, CC, DD, BB
• D. CC, EE, BB, AA, DD
• E. DD, BB, CC, EE, AA

B

Source

Text pg 665

True or False?

A primary difference between DKIM and S/MIME is that in the former, the message is signed transparently using the private key of the admin domain from the originator, whereas the latter requires the originator's private key.

True

Source

Text pg 665

True or False?

For most modern users of email, most incoming and outgoing mail is encoded using S/MIME.

False

Source

Text pg 665

True or False?

TLS sessions avoid the need for updating security parameters for each connection.

True

Source

Text pg 668

Multiple Choice

Why is a random parameter sent along with client_hello message during phase 1 of a TLS handshake?

• A. It is used as a nonce which is combined with a security key.
• B. It prevents an eavesdropper from replaying the message.
• C. It is used to exchange a key using the Diffie-Hellman protocol.
• D. It is sent to confuse bots to prevent a DDoS attack.
• E. It is part of legacy code, sent to allow back compatibility.

B

Source

Text pg 670

Multiple Choice

What is the basic tool that permits the widespread use of S/MIME?

• A. Public-key certificates
• B. HMAC
• C. MIME
• D. DKIM
• E. SMTP

A

Source

Text pg 664

True or False?

The SSL Record protocol provides both confidentiality and message integrity.

True

Source

Text pg 669

True or False?

The Heartbleed vulnerability was due to a design flaw that was discovered in the TLS specification.

False

It was due to a programming mistake in the commonly used OpenSSL library.

Source

Text pg 673

Multiple Choice

Which of the following statements concerning benefits of IPSec is false?

• A. IPSec is transparent to applications.
• B. No need to train users.
• C. IPSec can ensure that a routing update is forged.
• D. IPSec can ensure that a routing advertisement comes from an authorized router.

C

It can ensure the update is not forged, i.e., that it is authentic.

Source

Text pg 677

Multiple Choice

Who signs the message to authenticate when DKIM is used?

• A. MUA
• B. MSA
• C. MTA
• D. MS
• E. MDA

B

Source

Text pg 667

True or False?

When ESP is used in IPSec transport mode, the packet payload and ESP trailer are encrypted, but the ESP header is not encrypted.

True

The header gives security information such as which algorithm or secret key was used.

Source

P2_L10+IPSEC+and+TLS notes, pg 5

True or False?

The Security Policy Database and the Security Association Database are maintained in separate tables.

True

Source

P2_L10+IPSec+and+TLS.pptx, slide 20 reviewer notes

True or False?

The SA is a two-way relationship between a sender and receiver, defined by IPSec parameters.

False

It is a one-way relationship -- one SA for inbound traffic, and another for outbound traffic.

Source

P2_L10+IPSec+and+TLS notes, pg 8

True or False?

In default mode, if a pre-shared key is compromised during phase 2 of Internet Key Exchange, then all IPSec keys previously computed are compromised.

True

If perfect forward secrecy is required, then for each IPSec SA, the shared key along with new public components from Diffie-Hellman and new nonce values are used, protecting previously generated keys.

Source

P2_L10+IPSec+and+TLS notes pg 14

Multiple Choice

Which IPSec mode offers end-to-end security protection?

• A. ESP Mode
• B. IKE Mode
• C. Tunnel Mode
• D. TLS Mode
• E. Transport Mode

E

Source

Lesson 19 lecture video: Concept 7

Multiple Choice

What is done if the sequence number in the IPSec header of a packet is less than the maximum sequence number minus the sliding window value?

• A. The packet is rejected.
• B. The packet is replayed.
• C. The packet is returned.
• D. The packet is accepted.
• E. The packet is forwarded.

A

The packet is rejected to prevent replay attacks.

Source

Lesson 19 Lecture video: Concept 23

True or False?

Multiple IPSec SAs can be established with one IKE SA.

True

Source

Lesson 19 Lecture Video: Concept 25

Multiple Choice

Which is the main reason a cookie is sent during Phase 1 of IKE?

• A. To authenticate the users
• C. To help prevent DoS attacks.
• D. To store header information, such as time stamp, a nonce, and the user's public key.

C

Source

Lesson 19 Lecture Video: Concept 27

## Chapter 24: Wireless Network Security

Multiple Choice

Adding firewall policies to limit the scope of data and application access for all mobile devices, as well as setting up IDS and IPS configured to have tighter rules for mobile device traffic is:

• A. Device security
• B. Traffic security
• C. Barrier security
• D. None of the above

C

Source

Text pg 707-708

Multiple Choice

Using a Virtual Private Network (VPN) configured so that all traffic between mobile devices and the organization's network passes through it is an example of:

• A. Device security
• B. Traffic security
• C. Barrier security
• D. None of the above

B

Source

Text pg 708

Multiple Choice

What are the main threats to wireless transmission?

• I. Eavesdropping
• II. Disrupted transmissions
• III. Message integrity attacks
• IV. Signal attenuation attacks
• A. I and II
• B. I, III, and V
• C. II, III, and IV
• D. I, II, III, IV, and V
• E. none of the above

E

The correct pairing should be I, II, and III (altering or inserting messages = message integrity attack)

Source

Text pg 703

True or False?

The main threat to wireless access points is disruption.

False

Source

Text pg 703

True or False?

Configuring routers to use MAC authentication will block unauthorized access to the network.

False

MAC addresses can be spoofed, so this is just one element of a defense in depth strategy.

Source

Text pg 703

Multiple Choice

What does the concept of de-perimeterization mean, regarding mobile device security?

• A. Guests, third-party contractors, and business partners should have limited access from non-centralized locations.
• B. Threats to the network mainly exist at the perimeter, where intruders gain unauthorized access.
• C. The network perimeter is no longer static, but must include a variety of devices, locations, roles, virtualizations, and access times.
• D. Administrators must put short time constraints on wireless access credentials so long-time users don't create a virtual perimeter wall and block other users from access.
• E. None of the above.

C

Source

Text pg 704

True or False?

IDS and IPS should be configured to have tighter rules for mobile device traffic.

True

Source

Text pg 707

True or False?

WPA security mechanisms eliminate most of the weaknesses of the WEP algorithm.

True

Source

Text pg 714

Multiple Choice

What services does the 802.11i security specification define?

• I. End to end encryption
• II. Authentication
• III. Key exchange facilitation
• IV. Message integrity
• V. VPN
• A. All of the services listed
• B. I, II, III, and IV
• C. II, III, and IV
• D. None of these choices

C

802.11i only ensures security from the station to the access point. A VPN is a different service that may be run individually.

Source

Text pg 715

Multiple Choice

What does association mean, with respect to the 802.11i phase?

• A. The station and access point agree on a set of security capabilities to be used in future hook ups.
• B. The MAC address of the station and the access point.
• C. The key that is used for communication from a station to an access point or another station.
• D. The four step handshaking procedure that is completed when signing in to a wireless network.

A

Before the distribution service can deliver data to or accept data from a station, that station must be associated.

Source

Text pg 717

Multiple Choice

Which key is used for user traffic on a wireless connection?

• A. EAPOL - KCK
• B. TK
• C. EAPOL - KEK
• D. GTK
• E. PSK

B

The temporal key (TK) is used for protecting user traffic. The EAPOL-KCK (used for origin authenticity and access control) and the EAPOL-KEK (used for confidentiality of other keys and data), along with the TK, are parts of the PTK (Pairwise Transient Key).

Source

Text pg 722

True or False?

The MAC layer is responsible for authorization and validation.

False

It is responsible for detecting errors and discarding frames that contain errors.

Source

Text pg 710

Multiple Choice

Which term corresponds to what is referred to in literature as a cell?

• A. the Logical Link Layer
• B. the Distribution System
• C. the Access Point
• D. the MAC Service Data Unit
• E. the Basic Service Set

E

Source

Text pg 710

True or False?

The principal elements of a mobile device security strategy are device security, client/server traffic security, and barrier security.

True

Source

Text pg 706

True or False?

Disassociation is a policy under the 802.11 standard which protects a channel from interference from eavesdroppers and third parties.

False

Disassociation: A notification from either a station or an AP that an existing association is terminated.

Source

Text pg 713

True or False?

All Android apps must be signed and reviewed by Google / Android.

False

All apps are self-signed by developers. Third-party apps are not signed by a CA. There is no vetting process.

Source

Notes: Project2_L12 Wireless and Mobile Security notes, page 15

## Chapter 14: IT Security Management and Risk Assessment

True or False?

Security standards recommend that the overall responsibility for an organization's IT security be assigned to a single person.

True

Source

Text pg 464

Multiple Choice

Which of the following is the definition of risk index?

• A. Max Threat - Min Defence
• B. Max Likelihood of Events / Max Likelihood of Occurrence
• C. Max Impact + Max Likelihood of Occurrence + Magnitude of Impact
• D. Max Info Sensitivity - Min User Clearance
• E. Number of Threats / Likelihood of Occurrence

D

Source

Text pg 469

True or False?

An organization's risk appetite is the net value that it invests in risk management.

False

It is the level of risk the organization views as acceptable

Source

Text pg 470

Multiple Choice

What is a threat agent?

• A. An IT specialist who performs risk analysis for an organization.
• B. The perpetrator of a threat, be it a person or act of God.
• C. A manager or CEO of a company, who makes decisions based on risk analyses.
• D. A person who makes a threat, via ransomware, toward an organization.

B

Source

Text pg 472

Multiple Choice

What is the definition of risk, in terms of organizational security?

• A. (Probability that a threat occurs) x (Cost to the organization)
• B. (Sum of costs of all threats) - (Sum of benefits of preventative measures)
• C. (Net loss due to threats) / (Net worth of the organization)
• D. (Estimated cost of repairs to threats) + (Estimated costs to prevent threats)

A

Cost can also be defined as impact to the organization.

Source

Text pg 474

True or False?

A rating of Likely or higher, in a risk analysis, suggests that the threat has occurred previously.

True

Source

Text pg 475

Multiple Choice

What is a risk register?

• A. A table describing risks and their associated levels.
• B. A ledger of estimated costs due to threats, weighting costs by the likelihood of each threat.
• C. A table of risks to assets, detailing threats, controls, likelihood, consequences, and level of risk.
• D. A summary of losses incurred, along with the corresponding costs involved, people, and resources affected.

C

Source

Text pg 477

Multiple Choice

What is the definition of risk exposure?

• A. (Size of an Organization) x (Risk Index)
• B. Sum of the values in the organization's Risk Register.
• C. (Total value of resources) x (Probability of Risks)
• E. (Risk exposure w/o control - risk exposure after control) / (cost of control)

D

Source

Notes P3_L1_Cybersecurity, pg 12

Multiple Choice

What is the definition of Risk Leverage?

• A. The amount of risk an organization can tolerate as a fraction of total perceived risk.
• B. The reduction in risk from imposing controls as a fraction of the cost of the controls.
• C. The expected gain from imposing controls less the expected loss from not imposing them.
• D. The resources available for controls as a fraction of the revenue stream of the organization.

B

Risk leverage = (Risk exposure before control - Risk exposure after control) / (Cost of control)

Source

Notes P3_L1_Cybersecurity pg 12

Multiple Choice

What values of risk leverage imply that the controls are effective?

• A. negative
• B. 0 (or close to 0)
• C. 1 (or close to 1)
• D. greater than 1

D

Values greater than 1 imply that the reduction in risk exposure is greater than the cost of the controls.

Source

Notes P3_L1_Cybersecurity pg 13

## Chapter 15: IT Security Controls, Plans, and Procedures

True or False?

Contingency planning, incident response, maintenance, media protection, personnel security, physical and environmental protection, and system and information integrity are all Operational security controls.

True

Source

Text pg 492, Table 15.1

True or False?

An IT Security plan includes details of risks, controls, priorities, resources, personnel, dates, and maintenance requirements needed to mitigate risks.

True

Source

Text pg 498

True or False?

Security and Awareness training often receives the least attention and in many cases is an afterthought, if at all.

False

The statement is true of monitoring affected systems and checking for security implications, not of security awareness training.

Source

Text pg 500

True or False?

The decision as to whether to install the latest patches immediately, or to test them first to ensure that they don't adversely affect other applications, is part of the Change Management process of monitoring risks.

True

Source

Text pg 500

True or False?

As the number of reported incidents has increased, the budgets invested in cyber security have drastically increased.

False

In fact, the budgets dipped (as of 2014).

Source

Notes P3_L1_Cybersecurity pg 21

Multiple Choice

Which of the following are not cited in the Articles of the Convention on Cybercrime?

• A. Illegal access
• B. Fake news
• C. Illegal interception
• D. Data interference
• E. System interference
• F. Pass interference
• G. Misuse of devices
• H. Computer-related forgery
• I. Computer-related fraud
• J. Offenses related to child pornography
• L. Attempt and aiding or abetting

B and F

Source

Text pg 580

Multiple Choice

Which of the following are copyright owner rights against infringement?

• I. Reproduction right
• II. Fair Use right
• III. Distribution right
• IV. Fair compensation right
• V. Public-performance right
• VI. Public-display right

All except for II and IV. (Also add Modification right)

Source

Text pg 584

True or False?

Both criminal and civil penalties apply to individuals who attempt to circumvent technological measures used to thwart access to or copying of copyrighted material.

True

Source

Text pg 586

True or False?

Algorithms can be patented.

True

Source

Text pg 585

Multiple Choice

Under the Digital Millennium Copyright Act, individuals may be allowed to do which of the following?

• I. Distribute portions of the work for review.
• II. Reverse engineer in order to achieve interoperability.
• III. Attempt to decrypt technology in order to advance the development of the technology.
• IV. Test a vulnerability in a computer or network.
• V. Bypass technological measures in order to protect PII.
• A. I, II, III, IV, V
• B. I, IV, V
• C. I, II, IV, V
• D. III, IV, V

A

Source

Text pg 586

True or False?

Anonymity directly conflicts with authorization and access control functions.

False

It need not conflict, because these are bound to computer-based user IDs, not to personal user information.

Source

Text pg 592

True or False?

PII in anonymized data can sometimes be re-identified.

True

Source

Text pg 594

True or False?

Privacy is the principle that only authorized persons should have access to information. Confidentiality is the control that individuals have over who can access their personal information.

False

Switch privacy and confidentiality, and it's true.

Source

Text pg 594

True or False?

Software applications embedded in toys may be classified as a computing artifact.

True

A computing artifact refers to any artifact that includes an executing computer program. This includes software applications running on a general-purpose computer, programs burned into hardware and embedded in mechanical devices, robots, phones, Web bots, toys, programs distributed across more than one machine, and many other configurations.

Source

Text pg 599

OMSCS Notes is made with ♥ in NYC by Matt Schlenker.