Network Security Essentials Applications and Standards 4e ALL Tests SOLUTIONS AT THE END OF FILE
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false.
1) With the introduction of the computer the need for automated tools for protecting files and other information stored on the computer became evident.
2) There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs.
3) There are clear boundaries between network security and internet security.
4) The CIA triad embodies the fundamental security objectives for both data and for information and computing services.
5) In developing a particular security mechanism or algorithm one must always consider potential attacks on those security features.
6) A loss of confidentiality is the unauthorized modification or destruction of information.
7) Patient allergy information is an example of an asset with a moderate requirement for integrity.
8) The more critical a component or service, the higher the level of availability required.
9) Data origin authentication provides protection against the duplication or modification of data units.
10) The emphasis in dealing with passive attacks is on prevention rather than detection.
11) Data integrity is the protection of data from unauthorized disclosure.
12) Information access threats exploit service flaws in computers to inhibit use by legitimate users.
13) Viruses and worms are two examples of software attacks.
14) A connection-oriented integrity service deals with individual messages without regard to any larger context and generally provides protection against message modification only.
15) Pervasive security mechanisms are not specific to any particular OSI security service or protocol layer.
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.
16) _________ security consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information. A) Internet B) Computer C) Network D) Intranet
17) Verifying that users are who they say they are and that each input arriving at the system came from a trusted source is _________ . A) accountability B) authenticity C) integrity D) confidentiality
18) __________ assures that systems work promptly and service is not denied to authorized users. A) Availability B) Integrity C) System integrity D) Data confidentiality
19) __________ assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. A) System integrity B) Availability C) Data confidentiality D) Privacy
20) The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity is _________ . A) authenticity B) privacy C) accountability D) integrity
21) __________ attacks attempt to alter system resources or affect their operation. A) Active B) Release of message content C) Traffic analysis D) Passive
22) A __________ takes place when one entity pretends to be a different entity. A) masquerade B) passive attack C) replay D) modification of message
23) X.800 defines _________ as a service that is provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers. A) integrity B) security service C) replay D) authenticity
24) _________ is a professional membership society with worldwide organizational and individual membership that provides leadership in addressing issues that confront the future of the Internet and is the organization home for the groups responsible for Internet infrastructure standards, including the IETF and the IAB. A) ITU-T B) ISOC C) ISO D) FIPS
25) The protection of data from unauthorized disclosure is _________ . A) nonrepudiation B) data confidentiality C) access control D) authentication
26) __________ is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private sector innovation. A) NIST B) ISO C) ITU-T D) ISOC
27) The prevention of unauthorized use of a resource is __________ . A) data confidentiality B) authentication C) access control D) nonrepudiation
28) The __________ service addresses the security concerns raised by denial-of-service attacks. A) routing control B) availability C) event detection D) integrity
29) _________ is the insertion of bits into gaps in a data stream to frustrate traffic analysis attempts. A) Routing control B) Traffic padding C) Authentication exchange D) Notarization
30) _________ is a variety of mechanisms used to assure the integrity of a data unit or stream of data units. A) Data integrity B) Authentication exchange C) Event detection D) Trusted functionality
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question.
31) _________ is defined as "the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources".
32) Three key objectives that are at the heart of computer security are: confidentiality, availability, and _________ .
33) An intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system is an __________ .
34) A loss of _________ is the disruption of access to or use of information or an information system.
35) __________ is the use of mathematical algorithms to transform data into a form that is not readily intelligible, in which the transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys.
36) Student grade information is an asset whose confidentiality is considered to be highly important by students and, in the United States, the release of such information is regulated by the __________.
37) A possible danger that might exploit a vulnerability, a _________ is a potential for violation of security which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
38) A __________ attack attempts to learn or make use of information from the system but does not affect system resources.
39) The common technique for masking contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message is _________ .
40) Active attacks can be subdivided into four categories: replay, modification of messages, denial of service, and __________ .
41) X.800 divides security services into five categories: authentication, access control, nonrepudiation, data integrity and __________ .
42) In the context of network security, _________ is the ability to limit and control the access to host systems and applications via communications links.
43) The __________ is a worldwide federation of national standards bodies that promote the development of standardization and related activities with a view to facilitating the international exchange of goods and services and to developing cooperation in the spheres of intellectual, scientific, technological, and economic activity.
44) __________ prevents either sender or receiver from denying a transmitted message; when a message is sent the receiver can prove that the alleged sender in fact sent the message and when a message is received the sender can prove that the alleged receiver in fact received the message.
45) A __________ is data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false.
46) Public-key encryption is also referred to as conventional encryption, secret-key, or single-key encryption.
47) The advantage of a block cipher is that you can reuse keys.
48) Ciphertext is the scrambled message produced as output.
49) The security of symmetric encryption depends on the secrecy of the algorithm, not the secrecy of the key.
50) The ciphertext-only attack is the easiest to defend against because the opponent has the least amount of information to work with.
51) The Feistel structure is a particular example of the more general structure used by all symmetric block ciphers.
52) Smaller block sizes mean greater security but reduced encryption/decryption speed.
53) The essence of a symmetric block cipher is that a single round offers inadequate security but that multiple rounds offer increasing security.
54) Triple DES was first standardized for use in financial applications in ANSI standard X9.17 in 1985.
55) The most commonly used symmetric encryption algorithms are stream ciphers.
56) The principal drawback of 3DES is that the algorithm is relatively sluggish in software.
57) AES uses a Feistel structure.
58) Random numbers play an important role in the use of encryption for various network security applications.
59) The primary advantage of a stream cipher is that stream ciphers are almost always faster and use far less code than do block ciphers.
60) One desirable property of a stream cipher is that the ciphertext be longer in length than the plaintext.
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.
61) A symmetric encryption scheme has _________ ingredients. A) four B) five C) three D) six
62) _________ is the original message or data that is fed into the algorithm as input. A) DES B) Ciphertext C) Encryption key D) Plaintext
63) _________ mode requires only the implementation of the encryption algorithm and not the decryption algorithm. A) CTR B) CBC C) DKS D) ECB
64) A __________ processes the input elements continuously, producing output one element at a time, as it goes along. A) keystream B) stream cipher C) cryptanalysis D) block cipher
65) If both sender and receiver use the same key the system is referred to as _________ encryption. A) symmetric B) public-key C) asymmetric D) two-key
66) If the sender and receiver each use a different key the system is referred to as __________ encryption. A) secret-key B) asymmetric C) conventional D) single-key
67) A _________ approach involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained. A) brute-force B) triple DES C) block cipher D) computational
68) With the ________ mode if there is an error in a block of the transmitted ciphertext only the corresponding plaintext block is affected. A) ECB B) CTS C) CBC D) TSR
69) The most common key length in modern algorithms is ________ . A) 128 bits B) 32 bits C) 256 bits D) 64 bits
70) A ________ takes as input a source that is effectively random and is often referred to as an entropy source. A) PSRN B) PRNG C) TRNG D) PRF
71) A symmetric block cipher processes _________ of data at a time. A) four blocks B) one block C) two blocks D) three blocks
72) In _________ mode a counter equal to the plaintext block size is used. A) CBC B) ECB C) CFB D) CTR
73) The _________ algorithm performs various substitutions and transformations on the plaintext. A) codebook B) cipher C) keystream D) encryption
74) If the analyst is able to get the source system to insert into the system a message chosen by the analyst, a _________ attack is possible. A) known plaintext B) ciphertext only C) chosen ciphertext D) chosen plaintext
75) The _________ key size is used with the Data Encryption Standard algorithm. A) 128 bit B) 56 bit C) 32 bit D) 168 bit
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question.
76) The _________ algorithm takes the ciphertext and the same secret key and produces the original plaintext.
77) A _________ cipher processes the plaintext input in fixed sized blocks and produces a block of ciphertext of equal size for each plaintext block.
78) With the use of symmetric encryption, the principal security problem is maintaining the secrecy of the _________ .
79) Three broad categories of cryptographic algorithms are commonly used to create PRNGs: Asymmetric ciphers, Hash functions and message authentication codes, and ___________ .
80) The process of attempting to discover the plaintext or key is known as _________ .
81) An encryption scheme is __________ if the cost of breaking the cipher exceeds the value of the encrypted information and/or the time required to break the cipher exceeds the useful lifetime of the information.
82) The three most important symmetric block ciphers are: triple DES (3DES), the Advanced Encryption Standard (AES), and the ___________ .
83) The ________ source is drawn from the physical environment of the computer and could include things such as keystroke timing patterns, disk electrical activity, mouse movements, and instantaneous values of the system clock.
84) A PRNG takes as input a fixed value called the ________ and produces a sequence of output bits using a deterministic algorithm.
85) __________ is a stream cipher used in the Secure Sockets Layer/Transport Layer Security standards that have been defined for communication between Web browsers and servers and is also used in WEP and WPA protocols.
86) In the _________ mode the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for each block.
87) Also referred to as conventional encryption, secret-key, or single-key encryption, _________ encryption was the only type of encryption in use prior to the development of public-key encryption in the late 1970s.
88) Two requirements for secure use of symmetric encryption are: sender and receiver must have obtained copies of the secret key in a secure fashion and a strong __________ is needed.
89) All encryption algorithms are based on two general principles: _________, in which each element in the plaintext is mapped into another element, and transposition, in which elements in the plaintext are rearranged.
90) Many symmetric block encryption algorithms including DES have a structure first described by _________ of IBM in 1973.
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false.
91) Public key algorithms are useful in the exchange of conventional encryption keys.
92) Private key encryption is used to produce digital signatures which provide an enhanced form of message authentication.
93) The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm.
94) The two important aspects of encryption are to verify that the contents of the message have not been altered and that the source is authentic.
95) In the ECB mode of encryption if an attacker reorders the blocks of ciphertext then each block will still decrypt successfully, however, the reordering may alter the meaning of the overall data sequence.
96) Message encryption alone provides a secure form of authentication.
97) Because of the mathematical properties of the message authentication code function it is less vulnerable to being broken than encryption.
98) In addition to providing authentication, a message digest also provides data integrity and performs the same function as a frame check sequence.
99) Cryptographic hash functions generally execute slower in software than conventional encryption algorithms such as DES.
100) The main advantage of HMAC over other proposed hash based schemes is that HMAC can be proven secure, provided that the embedded hash function has some reasonable cryptographic strengths.
101) Public key algorithms are based on mathematical functions rather than on simple operations on bit patterns.
102) The private key is known only to its owner.
103) The security of the Diffie-Hellman key exchange lies in the fact that, while it is relatively easy to calculate exponentials modulo a prime, it is very easy to calculate discrete logarithms.
104) The key exchange protocol is vulnerable to a man-in-the-middle attack because it does not authenticate the participants.
105) Even in the case of complete encryption there is no protection of confidentiality because any observer can decrypt the message by using the sender's public key.
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.
106) ________ protects against passive attack (eavesdropping). A) SCR B) Message authentication C) Encryption D) Obfuscation
107) The most important hash function is ________ . A) MAC B) ECB C) SHA
108) __________ is a procedure that allows communicating parties to verify that received messages are authentic. A) Encryption B) Message authentication C) Passive attack D) ECB
109) If the message includes a _________ the receiver is assured that the message has not been delayed beyond that normally expected for network transit. A) shared key B) timestamp C) error detection code D) sequence number
110) The purpose of a ___________ is to produce a "fingerprint" of a file, message, or other block of data. A) public key B) message authentication C) cipher encryption D) hash function
111) It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). A hash function with this property is referred to as __________ . A) collision resistant B) preimage resistant C) one-way D) weak collision resistant
112) "It is easy to generate a code given a message, but virtually impossible to generate a message given a code" describes the __________ hash function property. A) collision resistant B) strong collision resistant C) preimage resistant D) second preimage resistant
113) The __________ property protects against a sophisticated class of attack known as the birthday attack. A) collision resistant B) one-way C) preimage resistant D) second preimage resistant
114) Secure Hash Algorithms with hash value lengths of 256, 384, and 512 bits are collectively known as _________ . A) SHA-3 B) SHA-1 C) SHA-0 D) SHA-2
115) Public key cryptography is __________ . A) asymmetric B) one key C) symmetric D) bit patterned
116) The readable message or data that is fed into the algorithm as input is the __________ . A) encryption algorithm B) plaintext C) private key D) ciphertext
117) The key used in conventional encryption is typically referred to as a _________ key. A) cipher B) secret C) primary D) secondary
118) The most widely accepted and implemented approach to public-key encryption, _________ is a block cipher in which the plaintext and ciphertext are integers between 0 and n - 1 for some n. A) SHA B) CTR C) RSA D) MD5
119) The purpose of the _________ algorithm is to enable two users to exchange a secret key securely that then can be used for subsequent encryption of messages and depends on the difficulty of computing discrete logarithms for its effectiveness. A) DSS B) Diffie-Hellman C) Rivest-Adleman D) RSA
120) Based on the use of a mathematical construct known as the elliptic curve and offering equal security for a far smaller bit size, __________ has begun to challenge RSA. A) RIPE-160 B) DSS C) ECC D) TCB
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question.
121) Protection against active attack (falsification of data and transactions) is known as ___________ .
122) The __________ property is the "one-way" property and is important if the authentication technique involves the use of a secret value.
123) The __________ approach has two advantages: it provides a digital signature as well as message authentication and it does not require the distribution of keys to communicating parties.
124) Like the MAC, a __________ accepts a variable size message M as input and produces a fixed size message digest H(M) as output. Unlike the MAC, it does not take a secret key as input.
125) The __________ property guarantees that it is impossible to find an alternative message with the same hash value as a given message thus preventing forgery when an encrypted hash code is used.
126) As with symmetric encryption there are two approaches to attacking a secure hash function: brute-force attack and ___________ .
127) The two most widely used public key algorithms are RSA and _________ .
128) The _________ was developed by NIST and published as a federal information processing standard in 1993.
129) __________ is a term used to describe encryption systems that simultaneously protect confidentiality and authenticity (integrity) of communications.
130) The key algorithmic ingredients of __________ are the AES encryption algorithm, the CTR mode of operation, and the CMAC authentication algorithm.
131) The __________ algorithm accepts the ciphertext and the matching key and produces the original plaintext.
132) A __________ is when the sender "signs" a message with its private key, which is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message.
133) A _________ is when two sides cooperate to exchange a session key.
134) Using an algorithm that is designed to provide only the digital signature function, the _________ makes use of the SHA-1 and cannot be used for encryption or key exchange.
135) Bob uses his own private key to encrypt the message. When Alice receives the ciphertext she finds that she can decrypt it with Bob's public key, thus proving that the message must have been encrypted by Bob. No one else has Bob's private key and therefore no one else could have created a ciphertext that could be decrypted with Bob's public key. Therefore the entire encrypted message serves as a _________ .
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false.
136) For symmetric encryption to work the two parties to an exchange must share the same key, and that key must be protected from access by others.
137) It is not necessary for a certification authority to maintain a list of certificates issued by that CA that were not expired but were revoked.
138) A session key is destroyed at the end of a session.
139) Kerberos relies exclusively on asymmetric encryption and makes use of public key encryption.
140) The automated key distribution approach provides the flexibility and dynamic characteristics needed to allow a number of users to access a number of servers and for the servers to exchange data with each other.
141) If an opponent captures an unexpired service granting ticket and tries to use it they will be denied access to the corresponding service.
142) The ticket-granting ticket is encrypted with a secret key known only to the authentication server and the ticket granting server.
143) If the lifetime stamped on a ticket is very short (e.g., minutes) an opponent has a greater opportunity for replay.
144) Kerberos version 4 did not fully address the need to be of general purpose.
145) One of the major roles of public-key encryption is to address the problem of key distribution.
146) It is not required for two parties to share a secret key in order to communicate securely with conventional encryption.
147) X.509 is based on the use of public-key cryptography and digital signatures.
148) User certificates generated by a CA need special efforts made by the directory to protect them from being forged.
149) The principal underlying standard for federated identity is the Security Assertion Markup Language (SAML) which defines the exchange of security information between online business partners.
150) Federated identity management is a concept dealing with the use of a common identity management scheme across multiple enterprises and numerous applications and supporting many thousands, even millions, of users.
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.
151) A _________ is a key used between entities for the purpose of distributing session keys. A) session relay key B) permanent key C) key distribution center D) symmetric key
152) The __________ knows the passwords of all users and stores these in a centralized database and also shares a unique secret key with each server. A) authentication server B) ticket server C) management server D) key distribution server
153) Once the authentication server accepts the user as authentic it creates an encrypted _________ which is sent back to the client. A) ticket B) access code C) key D) password
154) In order to solve the problem of minimizing the number of times that a user has to enter a password and the problem of a plaintext transmission of the password a __________ server is used. A) authentication B) access code C) ticket granting D) password ciphering
155) In order to prevent an opponent from capturing the login ticket and reusing it to spoof the TGS, the ticket includes a __________ indicating the date and time at which the ticket was issued. A) validation B) timestamp C) realm D) certificate
156) A ___________ is a service or user that is known to the Kerberos system and is identified by its principal name. A) Kerberos realm B) Kerberos key C) Kerberos ticket D) Kerberos principal
157) Kerberos version 4 requires the use of ____________ . A) MAC address B) Ethernet link address C) IP address D) ISO network address
158) Encryption in version 4 makes use of a nonstandard mode of DES known as ___________ . A) PCBC B) CBC C) KDC D) PKI
159) A random value to be repeated to assure that the response is fresh and has not been replayed by an opponent is the __________ . A) rtime B) option C) nonce D) realm
160) Used in most network security applications the __________ standard has become universally accepted for formatting public-key certificates. A) IETF B) X.509 C) X.905 D) PKIX
161) Containing the hash code of the other fields encrypted with the CA's private key, the __________ covers all of the other fields of the certificate and includes the signature algorithm identifier. A) extension B) subject unique identifier C) issuer unique identifier D) signature
162) The _________ extension lists policies that the certificate is recognized as supporting, together with optional qualifier information. A) directory attribute B) authority key identifier C) policy mappings D) certificate policies
163) _________ are entities that obtain and employ data maintained and provided by identity and attribute providers, which are often used to support authorization decisions and to collect audit information. A) CAs B) Principals C) Federations D) Data Consumers
164) An __________ manages the creation and maintenance of attributes such as passwords and biometric information. A) identity provider B) authorizing agent C) authenticator D) attribute service
165) __________ is a centralized, automated approach to provide enterprise wide access to resources by employees and other authorized individuals, with a focus of defining an identity for each user, associating attributes with the identity, and enforcing a means by which a user can verify identity. A) PKIX management B) Registration authority C) Federated managing authority D) Identity management
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question.
166) The strength of any cryptographic system rests with the _________ technique, a term that refers to the means of delivering a key to two parties that wish to exchange data without allowing others to see the key.
167) A __________ indicates the length of time for which a ticket is valid (e.g., eight hours).
168) When two end systems wish to communicate they establish a logical connection and, for the duration of that logical connection, all user data are encrypted with a one-time __________ which is destroyed at the end of the session.
169) After determining which systems are allowed to communicate with each other and granting permission for the two systems to establish a connection, the _________ provides a one-time session key for that connection.
170) Rather than building elaborate authentication protocols at each server, _________ provides a centralized authentication server whose function is to authenticate users to servers and servers to users.
171) A __________ server issues tickets to users who have been authenticated to the authentication server.
172) A __________ is a set of managed nodes that share the same Kerberos database which resides on the Kerberos master computer system that is located in a physically secure room.
173) Kerberos version 5 defines all message structures by using __________ and Basic Encoding Rules (BER), which provide an unambiguous byte ordering.
174) The technical deficiencies of Kerberos version 4 are: double encryption, PCBC encryption, session keys and __________ .
175) A _________ is the client's choice for an encryption key to be used to protect this specific application session.
176) A _________ consists of a public key plus a user ID of the key owner, with the whole block signed by a trusted third party which is typically a CA that is trusted by the user community.
177) __________ defines a framework for the provision of authentication services by the X.500 directory to its users and defines alternative authentication protocols based on the use of public-key certificates.
178) The _________ extension is used only in certificates for CAs issued by other CAs and allows an issuing CA to indicate that one or more of that issuer's policies can be considered equivalent to another policy used in the subject CA's domain.
179) With a principal objective of enabling secure, convenient and efficient acquisition of public keys, __________ is the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.
180) __________ is a process where authentication and permission will be passed on from one system to another, usually across multiple enterprises, thereby reducing the number of authentications needed by the user.
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false.
181) SSL/TLS includes protocol mechanisms to enable two TCP users to determine the security mechanisms and services they will use.
182) Unlike traditional publishing environments, the Internet is three-way and vulnerable to attacks on the Web servers.
183) Sessions are used to avoid the expensive negotiation of new security parameters for each connection that shares security parameters.
184) Microsoft Explorer originated SSL.
185) The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets.
186) One way to classify Web security threats is in terms of the location of the threat: Web server, Web browser, and network traffic between browser and server.
187) The encryption of the compressed message plus the MAC must increase the content length by more than 1024 bytes.
188) The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record Protocol.
189) The SSL Record Protocol is used before any application data is transmitted.
190) The first element of the CipherSuite parameter is the key exchange method.
191) The certificate message is required for any agreed on key exchange method except fixed Diffie-Hellman.
192) Phase 3 completes the setting up of a secure connection of the Handshake Protocol.
193) The shared master secret is a one-time 48-byte value generated for a session by means of secure key exchange.
194) The TLS Record Format is the same as that of the SSL Record Format.
195) Server authentication occurs at the transport layer, based on the server possessing a public/private key pair.
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.
196) The SSL Internet standard version is called _________ . A) TLS B) SLP C) SSH D) HTTP
197) The most complex part of SSL is the __________ . A) Change Cipher Spec Protocol B) Handshake Protocol C) Alert Protocol D) SSL Record Protocol
198) _________ attacks include impersonating another user, altering messages in transit between client and server and altering information on a Web site. A) Active B) Shell C) Passive D) Pseudo
199) The symmetric encryption key for data encrypted by the client and decrypted by the server is a _________ . A) client write key B) server write key C) sequence key D) master key
200) _________ provides secure, remote logon and other secure client/server facilities. A) TLS B) SLP C) HTTPS D) SSH
201) An SSL session is an association between a client and a server and is created by the ___________ . A) administrator B) user C) Spec Protocol D) Handshake Protocol
202) An arbitrary byte sequence chosen by the server to identify an active or resumable session state is a _________ . A) session identifier B) compression C) cipher spec D) peer certificate
203) The _________ is used to convey SSL-related alerts to the peer entity. A) Handshake Protocol B) Alert Protocol C) SSL Record Protocol D) Change Cipher Spec Protocol
204) With each element of the list defining both a key exchange algorithm and a CipherSpec, the list that contains the combination of cryptographic algorithms supported by the client in decreasing order of preference is the __________ . A) Random B) CipherSuite C) Session ID D) Version
205) Phase _________ of the Handshake Protocol establishes security capabilities. A) 4 B) 2 C) 3 D) 1
206) The __________ approach is vulnerable to man-in-the-middle attacks. A) Fortezza B) Anonymous Diffie-Hellman C) Ephemeral Diffie-Hellman D) Fixed Diffie-Hellman
207) The final message in phase 2, and one that is always required, is the ___________ message, which is sent by the server to indicate the end of the server hello and associated messages. A) goodbye B) server_done C) no_certificate D) finished
208) Defined as a Proposed Internet Standard in RFC 2246, _________ is an IETF standardization initiative whose goal is to produce an Internet standard version of SSL. A) CCSP B) SHA-1 C) SSH D) TLS
209) A Pseudorandom Function takes as input: A) a seed value B) a secret value C) an identifying label D) all of the above
210) _________ is organized as three protocols that typically run on top of TCP for secure network communications and are designed to be relatively simple and inexpensive to implement. A) SSL B) SSI C) SSH D) TLS
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question. 211) __________ provides security services between Transport Layer Protocol and applications that use TCP.
212) The _________ Protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm along with cryptographic keys to be used to protect data sent in an SSL Record.
213) _________ attacks include eavesdropping on network traffic between browser and server and gaining access to information on a Web site that is supposed to be restricted.
214) __________ provides confidentiality using symmetric encryption and message integrity using a message authentication code.
215) The _________ takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment.
216) __________ refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server.
217) Two important SSL concepts are the SSL session and the SSL _________ .
218) Three standardized schemes that are becoming increasingly important as part of Web commerce and that focus on security at the transport layer are: SSL/TLS, HTTPS, and _________.
219) Three higher-layer protocols defined as part of SSL and used in the management of SSL exchanges are: The Handshake Protocol, The Change Cipher Spec Protocol, and the __________ .
220) _________ would appear to be the most secure of the three Diffie-Hellman options because it results in a temporary, authenticated key.
221) A signature is created by taking the hash of a message and encrypting it with the sender's _________ .
222) The handshake is complete and the client and server may begin to exchange application layer data after the server sends its finished message in phase _________ of the Handshake Protocol.
223) _________ require a client write MAC secret, a server write MAC secret, a client write key, a server write key, a client write IV, and a server write IV, which are generated from the master secret in that order.
224) TLS makes use of a pseudorandom function referred to as __________ to expand secrets into blocks of data for purposes of key generation or validation.
225) __________ allows the client to set up a "hijacker" process that will intercept selected application-level traffic and redirect it from an unsecured TCP connection to a secure SSH tunnel.
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false. 226) IEEE 802.11 is a standard for wireless LANs.
227) A basic service set may be isolated or it may connect to a backbone distribution system through an access point, which functions as a bridge and a relay point.
228) WAP was not designed to work with all wireless network technologies.
229) The integration service enables transfer of data between a station on an IEEE 802.11 LAN and a station on an integrated IEEE 802.x LAN.
230) One notable approach to WAP assumes that the mobile device implements TLS over TCP/IP and the wireless network supports transfer of IP packets.
231) The DS can be a switch, a wired network, or a wireless network.
232) The pairwise master key is derived from the group key.
233) IEEE 802.11 defines seven services that need to be provided by the wireless LAN to achieve functionality equivalent to that which is inherent to wired LANs.
234) Ports are logical entities defined within the authenticator and refer to physical network connections.
235) The actual method of key generation depends on the details of the authentication protocol used.
236) The WAP architecture is designed to cope with the two principal limitations of wireless Web access: the limitations of the mobile node and the high data rates of wireless digital networks.
237) WML presents mainly text-based information that attempts to capture the essence of the Web page.
238) WTLS provides security services between the mobile device and the WAP gateway.
239) The WTLS Record Protocol takes user data from the next higher layer and encapsulates these data in a PDU.
240) The most complex part of Wireless Transport Layer Security is the Change Cipher Spec Protocol.
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question. 241) The term used for certified 802.11b products is ___________ . A) WEP B) Wi-Fi C) WPA D) WAP
242) The layer of the IEEE 802 reference model that includes such functions as encoding/decoding of signals and bit transmission/reception is the _________ . A) control layer B) logical link layer C) media access layer D) physical layer
243) A WML _________ is similar to an HTML page in that it is identified by a URL and is the unit of content transmission. A) card B) unit C) page D) deck
244) WAP security is primarily provided by the __________ which provides security services between the mobile device and the WAP gateway to the Internet. A) WTLS B) MSDU C) CCMP D) TKIP
245) The function of the __________ is to assemble data into a frame on transmission, to disassemble the frame and perform address recognition and error detection on reception, and to govern access to the LAN transmission medium. A) media access control layer B) physical layer C) transmission layer D) logical layer
246) The master session key is also known as the __________ key. A) STA B) GTK C) MIC D) AAA
247) The __________ is the information that is delivered as a unit between MAC users. A) DS B) BSS C) MPDU D) MSDU
248) The __________ layer keeps track of which frames have been successfully received and retransmits unsuccessful frames. A) transmission B) media access control C) physical layer D) logical link control
249) The purpose of the discovery phase in the ___________ is for a STA and an AP to recognize each other, agree on a set of security capabilities, and establish an association for future communication using those security capabilities. A) WPA B) WAE C) TKIP D) RSN
250) The specification of a protocol along with the chosen key length is known as a __________ . A) cipher suite B) extended service C) distribution system D) RSN
251) The _________ is used to ensure the confidentiality of the GTK and other key material in the 4-Way Handshake. A) TK B) EAPOL-KEK C) MIC key D) EAPOL-KCK
252) The PMK is used to generate the _________ which consists of three keys to be used for communication between a STA and AP after they have been mutually authenticated. A) PTK B) PSK C) AAA Key D) GTK
253) _________ is a standard to provide mobile users of wireless phones and other wireless terminals access to telephony and information services including the Internet and the Web. A) WEP B) WML C) WPA D) WAP
254) _________ was designed to describe content and format for presenting data on devices with limited bandwidth, limited screen size, and limited user input capability and to work with telephone keypads, styluses, and other input devices common to mobile, wireless communication. A) WPA B) WAE C) WAP D) WML
255) The __________ is used to convey WTLS-related alerts to the peer entity. A) Counter Mode MAC Protocol B) Cipher Spec Protocol C) Alert Protocol D) WAP Protocol
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question. 256) __________ specifies security standards for IEEE 802.11 LANs including authentication, data integrity, data confidentiality, and key management.
257) The _________ is a universal open standard developed to provide mobile users of wireless phones and other wireless terminals such as pagers and personal digital assistants access to telephony and information services including the Internet and the Web.
258) __________ is the primary service used by stations to exchange MPDUs when the MPDUs must traverse the DS to get from a station in one BSS to a station in another BSS.
259) To certify interoperability for 802.11b products an industry consortium named the __________ was formed.
260) The __________ function is the logical function that determines when a station operating within a BSS is permitted to transmit and may be able to receive PDUs.
261) Derived from the GMK, the _________ is used to provide confidentiality and integrity protection for multicast/broadcast user traffic.
262) An __________ is a set of one or more interconnected BSSs and integrated LANs that appear as a single BSS to the LLC layer at any station associated with one of these BSSs.
263) The __________ layer is responsible for detecting errors and discarding any frames that contain errors.
264) The smallest building block of a wireless LAN is a __________ which consists of wireless stations executing the same MAC protocol and competing for access to the same shared wireless medium.
265) In order to accelerate the introduction of strong security into WLANs, the Wi-Fi Alliance promulgated __________ as a set of security mechanisms for the Wi-Fi standard.
266) The MPDU authentication phase consists of three phases. They are: connect to AS, EAP exchange and _________ .
267) Forming a hierarchy beginning with a master key from which other keys are derived dynamically and used for a limited period of time, __________ are used for communication between a pair of devices typically between a STA and an AP.
268) The MPDU exchange for distributing pairwise keys is known as the _________ which the STA and AP use to confirm the existence of the PMK, to verify the selection of the cipher suite, and to derive a fresh PTK for data sessions.
269) Consisting of tools and formats that are intended to ease the task of developing applications and devices supported by WAP, the ________ specifies an application framework for wireless devices such as mobile telephones, pagers, and PDAs.
270) The WAP Programming Model is based on three elements: the client, the original server, and the _________ .
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false. 271) PGP incorporates tools for developing public-key certificate management and a public-key trust model.
272) PGP provides confidentiality through the use of asymmetric block encryption.
273) E-mail is the most common distributed application that is widely used across all architectures and vendor platforms.
274) As a default, PGP compresses the message after applying the signature but before encryption.
275) Each PGP entity must maintain a file of its own public/private key pairs as well as a file of private keys of correspondents.
276) A means of generating predictable PGP session keys is needed.
277) To enhance security an encrypted message is not accompanied by an encrypted form of the session key that was used for message encryption.
278) A message component includes the actual data to be stored or transmitted as well as a filename and a timestamp that specifies the time of creation.
279) PGP has a very rigid public-key management scheme.
280) The key legitimacy field is derived from the collection of signature trust fields in the entry.
281) Only single user IDs may be associated with a single public key on the public-key ring.
282) The MIME-Version field must have the parameter value 1.0 in order for the message to conform to RFCs 2045 and 2046.
283) For the text type of body no special software is required to get the full meaning of the text aside from support of the indicated character set.
284) The objective of MIME Transfer Encodings is to provide reliable delivery across the largest range of environments.
285) Native form is a format, appropriate to the content type, that is standardized for use between systems.
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question. 286) __________ is an Internet standard approach to e-mail security that incorporates the same functionality as PGP. A) MIME B) HTTPS C) DKIM D) S/MIME
287) PGP provides authentication through the use of _________ . A) symmetric block encryption B) radix-64 C) asymmetric block encryption D) digital signatures
288) PGP provides e-mail compatibility using the __________ encoding scheme. A) radix-64 B) MIME C) digital signature D) symmetric block
289) The __________ enables the recipient to determine if the correct public key was used to decrypt the message digest for authentication. A) key ID of the sender's public key B) leading two octets of message digest C) filename D) timestamp
290) Key IDs are critical to the operation of PGP and __________ key IDs are included in any PGP message that provides both confidentiality and authentication. A) two B) six C) four D) three
291) MIME is an extension to the ________ framework that is intended to address some of the problems and limitations of the use of SMTP. A) RFC 821 B) RFC 3852 C) RFC 4871 D) RFC 5322
292) The ________ MIME field is a text description of the object with the body which is useful when the object is not readable as in the case of audio data. A) Content-Description B) Content-Type C) Content-ID D) Content-Transfer-Encoding
293) The __________ field is used to identify MIME entities uniquely in multiple contexts. A) Content-Description B) Content-ID C) Content-Transfer-Encoding D) Content-Type
294) Video content will be identified as _________ type. A) JPEG B) MPEG C) GIF
295) The __________ subtype is used when the different parts are independent but are to be transmitted together. They should be presented to the receiver in the order that they appear in the mail message. A) multipart/alternative B) multipart/digest C) multipart/parallel D) multipart/mixed
296) For the __________ subtype the order of the parts is not significant. A) multipart/mixed B) multipart/digest C) multipart/alternative D) multipart/parallel
297) S/MIME cryptographic algorithms use __________ to specify requirement level. A) SHOULD and MIGHT B) SHOULD and MUST C) CAN and MUST D) SHOULD and CAN
298) E-banking, personal banking, e-commerce server, software validation and membership-based online services all fall into the VeriSign Digital ID _________ . A) Class 2 B) Class 4 C) Class 3 D) Class 1
299) The _________ accepts the message submitted by a Message User Agent and enforces the policies of the hosting domain and the requirements of Internet standards. A) Message Transfer Agent B) Mail Submission Agent C) Mail Delivery Agent D) Message Store
300) Typically housed in the user's computer, a _________ is referred to as a client e-mail program or a local network e-mail server. A) Message Store B) Message User Agent C) Mail Submission Agent D) Message Transfer Agent
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question. 301) ___________ is an open-source, freely available software package for e-mail security.
302) The key legitimacy field, the signature trust field and the owner trust field are each contained in a structure referred to as a ___________ .
303) PGP provides compression using the __________ algorithm.
304) To provide transparency for e-mail applications, an encrypted message may be converted to an ASCII string using _________ conversion.
305) PGP makes use of four types of keys: public keys, private keys, one-time session keys, and ___________ symmetric keys.
306) Computed by PGP, a _________ field indicates the extent to which PGP will trust that this is a valid public key for this user; the higher the level of trust, the stronger the binding of this user ID to this key.
307) __________ is a security enhancement to the MIME Internet e-mail format standard based on technology from RSA Data Security.
308) The __________ MIME field describes the data contained in the body with sufficient detail that the receiving user agent can pick an appropriate agent or mechanism to represent the data to the user or otherwise deal with the data in an appropriate manner.
309) The _________ type refers to other kinds of data, typically either uninterpreted binary data or information to be processed by a mail-based application.
310) The _________ transfer encoding is useful when the data consists largely of octets that correspond to printable ASCII characters.
311) The _________ transfer encoding, also known as radix-64 encoding, is a common one for encoding arbitrary binary data in such a way as to be invulnerable to the processing by mail-transport programs.
312) A _________ is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer, which is then encoded using base64 encoding.
313) S/MIME provides the following functions: enveloped data, signed data, clear signed data, and ________ .
314) A specification for cryptographically signing e-mail messages permitting a signing domain to claim responsibility for a message in the mail stream, _________ allows message recipients to verify the signature by querying the signer's domain directly to retrieve the appropriate public key and thereby confirming that the message was attested to by a party in possession of the private key for the signing domain.
315) The _________ is a directory lookup service that provides a mapping between the name of a host on the Internet and its numerical address.
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false. 316) IP security is a capability that can be added to either current version of the Internet Protocol by means of additional headers.
317) The principal feature of IPsec is that it can encrypt and/or authenticate all traffic at the IP level.
318) Transport mode provides protection to the entire IP packet.
319) Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual length of the payload.
320) Authentication must be applied to the entire original IP packet.
321) An end user whose system is equipped with IP security protocols can make a local call to an ISP and gain secure access to a company network.
322) Both tunnel and transport modes can be accommodated by the encapsulating security payload encryption format.
323) An individual SA can implement both the AH and the ESP protocol.
324) By implementing security at the IP level an organization can ensure secure networking not only for applications that have security mechanisms but also for the many security ignorant applications.
325) IPsec can guarantee that all traffic designated by the network administrator is authenticated but cannot guarantee that it is encrypted.
326) Any traffic from the local host to a remote host for purposes of an IKE exchange bypasses the IPsec processing.
327) IPsec is executed on a packet-by-packet basis.
328) The Payload Data Field is designed to deter replay attacks.
329) The Security Parameters Index identifies a security association.
330) The default automated key management protocol for IPsec is referred to as ISAKMP/Oakley.
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question. 331) Authentication applied to the entire original IP packet is _________ . A) transport mode B) security mode C) cipher mode D) tunnel mode
332) _________ defines a number of techniques for key management. A) KMP B) IKE C) SKE
333) Authentication applied to all of the packet except for the IP header is _________ . A) tunnel mode B) transport mode C) association mode D) security mode
334) The __________ mechanism assures that a received packet was in fact transmitted by the party identified as the source in the packet header and assures that the packet has not been altered in transit. A) confidentiality B) key management C) authentication D) security
335) __________ provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. A) IKE B) ISA C) IPsec D) IAB
336) The _________ facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties. A) authentication B) confidentiality C) security D) key management
337) The key management mechanism that is used to distribute keys is coupled to the authentication and privacy mechanisms only by way of the _________ . A) ESP B) SPD C) IAB D) SPI
338) A _________ is a one way relationship between a sender and a receiver that affords security services to the traffic carried on it. A) SAD B) SPI C) SA D) SPD
339) The means by which IP traffic is related to specific SAs is the _________ . A) TRS B) SAD C) SPD D) SPI
340) _________ consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication. The current specification is RFC 4303. A) ISA B) SPI C) IPsec D) ESP
341) _________ identifies the type of data contained in the payload data field by identifying the first header in that payload. A) Sequence Header B) Security Parameters Index C) Payload Data D) Next Header
342) A value chosen by the responder to identify a unique IKE SA is a _________ . A) Responder Cookie B) Message ID C) Flag D) Initiator SPI
343) IKE key determination employs __________ to ensure against replay attacks. A) nonces B) groups C) cookies D) flags
344) The __________ payload contains either error or status information associated with this SA or this SA negotiation. A) Notify B) Nonce C) Encrypted D) Configuration
345) The _________ payload allows peers to identify packet flows for processing by IPsec services. A) Traffic Selector B) Vendor ID C) Configuration D) Extensible Authentication Protocol
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question. 346) IPsec encompasses three functional areas: authentication, key management, and __________ .
347) _________ mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPsec.
348) IPsec policy is determined primarily by the interaction of two databases: The security policy database and the __________ .
349) Confidentiality is provided by an encryption format known as __________ .
350) A __________ attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it to the intended destination.
351) Authentication makes use of the _________ message authentication code.
352) A security association is uniquely identified by three parameters: Security Protocol Identifier, IP Destination Address, and ________ .
353) The __________ facility is concerned with the secure exchange of keys.
354) _________ can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and traffic flow confidentiality.
355) IPsec provides security services at the ________ layer by enabling a system to select required security protocols, determine the algorithms to use for the services and put in place any cryptographic keys required to provide the requested services.
356) The selectors that determine a Security Policy Database are: Name, Local and Remote Ports, Next Layer Protocol, Remote IP Address, and _________ .
357) The term _________ refers to a sequence of SAs through which traffic must be processed to provide a desired set of IPsec services.
358) Generic in that it does not dictate specific formats, the _________ is a key exchange protocol based on the Diffie-Hellman algorithm with added security.
359) Three different authentication methods can be used with IKE key determination: Public key encryption, symmetric key encryption, and _________ .
360) At any point in an IKE exchange the sender may include a _________ payload to request the certificate of the other communicating entity.
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false. 361) Unauthorized intrusion into a computer system or network is one of the most serious threats to computer security.
362) Trojan horses and viruses are confined to network based attacks.
363) Intrusion detection involves detecting unusual patterns of activity or patterns of activity that are known to correlate with intrusions.
364) Statistical approaches attempt to define proper behavior and rule-based approaches attempt to define normal or expected behavior.
365) The main advantage of the use of statistical profiles is that a prior knowledge of security flaws is not required.
366) One important element of intrusion prevention is password management.
367) The ID determines the privileges accorded to the user.
368) Insider attacks are among the easiest to detect and prevent.
369) The hacking community is a strong meritocracy in which status is determined by level of competency.
370) Penetration identification is an approach developed to detect deviation from previous usage patterns.
371) A weakness of the IDES approach is its lack of flexibility.
372) To be of practical use an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
373) System administrators can stop all attacks and hackers from penetrating their systems by installing software patches periodically.
374) Password crackers rely on the fact that some people choose easily guessable passwords.
375) Traditional hackers usually have specific targets, or at least classes of targets in mind.
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question. 376) Software trespass can take the form of a _________ . A) virus B) all of the above C) Trojan horse
377) A _________ is an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account. A) Misfeasor B) Sniffer C) Clandestine User D) Masquerader
378) _________ involves counting the number of occurrences of a specific event type over an interval of time. A) Threshold detection B) Rule-based detection C) Resource usage D) Profile-based system
379) A ________ is a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges. A) Misfeasor B) Masquerader C) Clandestine User D) Emissary
380) The simplest statistical test is to measure the _________ of a parameter over some historical period which would give a reflection of the average behavior and its variability. A) Markov process B) time series C) multivariate D) mean and standard deviation
381) _________ detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations. A) Profile-based anomaly B) Action condition C) Statistical anomaly D) Threshold
382) A ________ is an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection. A) Misfeasor B) Mole C) Clandestine User D) Masquerader
383) The _________ model is used to establish transition probabilities among various states, such as looking at transitions between certain commands. A) Markov process B) Multivariate C) Operational D) Profile-based
384) The _________ is based on a judgment of what is considered abnormal rather than an automated analysis of past audit records. A) Operational model B) Markov process C) Time series D) Mean and standard deviation
385) The ________ is an audit collection module operating as a background process on a monitored system whose purpose is to collect data on security related events on the host and transmit these to the central manager. A) intruder alert module B) LAN monitor agent module C) central manager module D) host agent module
386) The _________ prevents duplicate passwords from being visible in the password file. Even if two users choose the same password, those passwords will be assigned at different times. A) rule based intrusion detection B) salt C) honeypot D) audit record
387) An operation such as login, read, perform, I/O or execute that is performed by the subject on or with an object is the _________ audit record field. A) Object B) Resource-usage C) Subject D) Action
388) A ________ is used to measure the current value of some entity. Examples include the number of logical connections assigned to a user application and the number of outgoing messages queued for a user process. A) Counter B) Interval timer C) Gauge D) Resource utilization
389) A ________ model is based on correlations between two or more variables. A) Operational B) Multivariate C) Markov process D) Mean and Standard Deviation
390) The most promising approach to improved password security is __________ . A) a reactive password checking strategy B) a proactive password checker C) user education D) computer generated passwords
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question. 391) __________ systems have been developed to provide early warning of an intrusion so that defensive action can be taken to prevent or minimize damage.
392) _________ detection involves the collection of data relating to the behavior of legitimate users over a period of time. Statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.
393) The three classes of intruders identified by Anderson are: Masquerader, Misfeasor, and _________ .
394) Password files can be protected in one of two ways: One-way function or __________ .
395) Metrics that are useful for profile-based intrusion detection are: counter, gauge, resource utilization, and _________ .
396) _________ is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.
397) Two types of audit records used are Detection-specific audit records and _________ audit records.
398) _________ techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious.
399) Designed to lure a potential attacker away from critical systems ____________ are decoy systems that divert an attacker from accessing critical systems, collect information about the hacker's activity, and encourage the attacker to stay on the system long enough for administrators to respond.
400) The focus of the __________ is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to management that may need to interact with them.
401) A _________ strategy is one in which the system periodically runs its own password cracker to find guessable passwords.
402) A fundamental tool for intrusion detection is the _________ record.
403) An example of a metric used for profile-based intrusion detection is _________ which is a non-negative integer that may be incremented but not decremented until it is reset by management action. Examples include the number of logins by a single user during an hour, the number of times a given command is executed during a single user session, and the number of password failures during a minute.
404) _________ identification takes a very different approach to intrusion detection. The key feature of such systems is the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses. Typically the rules used in these systems are specific to the machine and operating system.
405) One of the most important results from probability theory is known as ________ which is used to calculate the probability that something really is the case, given evidence in favor of it.
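Items 386, 390, 394 and 401 cover one mechanism from four angles: a one-way function protects the stored password, a salt keeps duplicate passwords from being visible in the file, a proactive checker rejects weak choices at selection time, and a reactive strategy runs the system's own cracker against the file. The Python below is an added example, not code from the test bank or from Stallings; it uses PBKDF2-HMAC-SHA256 from the standard library as the one-way function, and the password file, the user passwords and the cracker's word list are constructed.

```python
"""Salted one-way password storage with proactive and reactive checking.

Added example for items 386, 390, 394 and 401; not code from the test bank
or from Stallings. The password file, the passwords and the word list are
constructed; PBKDF2-HMAC-SHA256 stands in for the system's one-way function.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000   # kept low so the demo runs quickly; production uses far more
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome1"]   # constructed


def one_way(password, salt, iterations=ITERATIONS):
    """One-way function: cheap to compute forward, impractical to invert."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def make_entry(password):
    """Password-file entry: a fresh random salt is hashed together with the
    password, so identical passwords produce different stored values."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "digest": one_way(password, salt)}


def verify(entry, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    computed = one_way(candidate, entry["salt"], entry["iterations"])
    return hmac.compare_digest(entry["digest"], computed)


def proactive_check(password, min_length=8, wordlist=WORDLIST):
    """Proactive checker: reject weak choices when the password is chosen.
    Returns the reasons a password fails; an empty list means acceptable."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if password.lower() in wordlist:
        reasons.append("in dictionary")
    classes = sum(any(f(c) for c in password)
                  for f in (str.islower, str.isupper, str.isdigit,
                            lambda c: not c.isalnum()))
    if classes < 3:
        reasons.append("too few character classes")
    return reasons


def reactive_crack(password_file, wordlist=WORDLIST):
    """Reactive strategy: the system periodically runs its own cracker over
    the password file. Because of the salt every guess must be re-hashed for
    every user, so the attacker's work grows with the number of accounts."""
    found = {}
    for user, entry in password_file.items():
        for guess in wordlist:
            if verify(entry, guess):
                found[user] = guess
                break
    return found


def salt_hides_duplicates():
    """Two users with the same password get different digests, yet both verify."""
    a, b = make_entry("letmein"), make_entry("letmein")
    return a["digest"] != b["digest"] and verify(a, "letmein") and verify(b, "letmein")


def build_sample_file():
    """Constructed password file: one strong choice and two dictionary words."""
    return {"alice": make_entry("Tr0ub4dor&3xyz"),
            "bob": make_entry("letmein"),
            "carol": make_entry("letmein")}


if __name__ == "__main__":
    print("salt hides duplicates:", salt_hides_duplicates())
    print("proactive check of 'letmein':", proactive_check("letmein"))
    print("reactive cracker found:", reactive_crack(build_sample_file()))
```

The reactive run finds bob and carol, whose identical dictionary password still appears as two unrelated digests in the file; the proactive checker would have refused that password before it was ever stored, which is why item 390 calls the proactive checker the more promising approach.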
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false. 406) In addition to propagation a worm usually performs some unwanted function.
407) Viruses, logic bombs, and backdoors are examples of independent malicious software.
408) Malware is another name for Malicious Software.
409) Bot programs are activated by a trigger.
410) An encrypted virus is a virus that mutates with every infection, making detection by the signature of the virus impossible.
411) Backdoors become threats when unscrupulous programmers use them to gain unauthorized access.
412) Macro viruses infect documents, not executable portions of code.
413) A multipartite virus uses multiple methods of infection or transmission to maximize the speed of contagion and the severity of the attack.
414) Spyware is software that collects information from a computer and transmits it to another system.
415) The success of the digital immune system depends on the ability of the virus analysis machine to detect new and innovative virus strains.
416) Like heuristics or fingerprint based scanners, behavior blocking software integrates with the operating system of a ghost computer and monitors program behavior in real time for malicious actions.
417) Stealth is not a term that applies to a virus as such but, rather, refers to a technique used by a virus to evade detection.
418) The generic decryption system is a comprehensive approach to virus protection developed by IBM and refined by Symantec.
419) A behavior blocker can block suspicious software in real time thus giving it an advantage over such established antivirus detection techniques as fingerprinting or heuristics.
420) The challenge in coping with DDoS attacks is the sheer number of ways in which they can operate.
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question. 421) Malicious software that needs a host program is referred to as _________ . A) flooders B) blended C) logic bomb D) parasitic
422) The sheer number of ways in which they can operate makes coping with _________ attacks challenging because the countermeasures must evolve with the threat. A) DDoS B) Slammer C) logic bomb D) peer
423) A _________ is a secret entry point into a program that allows someone who is aware of it to gain access without going through the usual security access procedures. A) multipartite B) Trojan horse C) hatch D) backdoor
424) A _________ is used when the programmer is developing an application that has an authentication procedure or a long setup requiring the user to enter many different values to run the application. A) direct trap B) mobile entrance C) maintenance hook D) boot door
425) _________ are used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service attack. A) Keyloggers B) Exploits C) Bots D) Flooders
426) ________ attacks make computer systems inaccessible by flooding servers, networks, or even end user systems with useless traffic so that legitimate users can no longer gain access to those resources. A) DDoS B) Flooder C) Backdoor D) PWC
427) A _________ virus is a form of virus explicitly designed to hide itself from detection by antivirus software. A) stealth B) encrypted C) polymorphic D) metamorphic
428) _________ is a mass mailing e-mail worm that installs a backdoor in infected computers thereby enabling hackers to gain remote access to data such as passwords and credit card numbers. A) Sobig.f B) Code Red C) Mydoom D) Slammer
429) The IDEAL solution to the threat of viruses is __________ . A) prevention B) identification C) removal
430) _________ antivirus programs are memory resident programs that identify a virus by its actions rather than its structure in an infected program. A) Second generation B) First generation C) Fourth generation D) Third generation
431) Unlike heuristics or fingerprint based scanners, the _________ integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions. A) generic decryption B) behavior blocking software C) mobile code D) digital immune system
432) The _________ worm exploits a security hole in the Microsoft Internet Information Server to penetrate and spread to other hosts. It also disables the system file checker in Windows. A) Warezov B) Code Red C) Slammer D) Mydoom
433) In a __________ attack the slave zombies construct packets requiring a response that contains the target's IP address as the source IP address in the packet's IP header. These packets are sent to uninfected machines that respond with packets directed at the target machine. A) blended B) direct DDoS C) internal resource D) reflector DDoS
434) Mobile phone worms communicate through Bluetooth wireless connections or via the _________ . A) PWC B) SQL C) TRW D) MMS
435) Worm propagation proceeds through __________ phases. A) 4 B) 5 C) 2 D) 3
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question. 436) __________ is software that is intentionally included or inserted in a system for a harmful purpose.
437) Worms and bot programs are examples of __________ malicious software programs.
438) A __________ attack is an attempt to prevent legitimate users of a service from using that service.
439) __________ software is essentially fragments of programs that cannot exist independently of some actual application program, utility, or system program.
440) The _________ is code embedded in some legitimate program that is set to "explode" when certain conditions are met. Examples of such conditions that can be used as triggers are the presence or absence of certain files, a particular day of the week or date, or a particular user running the application.
441) Advertising that is integrated into software that can result in pop-up ads or redirection of a browser to a commercial site is called _________ .
442) The Nimda attack, erroneously referred to as a worm, uses four distribution methods: Windows shares, Web servers, Web clients, and __________ .
443) A computer virus has three parts: infection mechanism, trigger, and __________ .
444) _________ technology enables the antivirus program to easily detect even the most complex polymorphic viruses while maintaining fast scanning speeds.
445) Two major trends in Internet technology that have had an increasing impact on the rate of virus propagation in recent years are: integrated mail systems and _________ systems.
446) _________ software runs on server and desktop computers and is instructed through policies set by the network administrator to let benign actions take place but to intercede when unauthorized or suspicious actions occur.
447) A network worm exhibits the same characteristics as a computer virus: a dormant phase, a propagation phase, a __________ phase, and an execution phase.
448) In a ________ attack an attacker is able to recruit a number of hosts throughout the Internet to simultaneously or in a coordinated fashion launch an attack upon the target.
449) There are three lines of defense against DDoS attacks: Attack prevention and preemption (before the attack), Attack source traceback and identification (during and after the attack), and __________ (during the attack).
450) _________ exploits randomness in picking destinations to connect to as a way of detecting if a scanner is in operation. It is suitable for deployment in high-speed, low cost network devices and is effective against the common behavior seen in worm scans.
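Item 450 names threshold random walk (TRW) scan detection without showing how the walk works. The Python below is an added example, not from the test bank or from Stallings; it implements the sequential hypothesis test of Jung et al. (2004) that TRW is based on: a scanner picking random destinations mostly fails to connect, so each first-contact attempt multiplies a per-source likelihood ratio by a failure or success factor until it crosses the scanner or benign threshold. The connection log, the success probabilities and the error targets are constructed.

```python
"""Threshold random walk (TRW) scan detection over a connection log.

Added example for item 450; not code from the test bank or from Stallings.
Follows the sequential hypothesis test of Jung et al. (2004). The log, the
success probabilities and the error targets are constructed values.
"""
from collections import defaultdict

# Constructed log, one first-contact attempt per line: "src dst dport outcome".
# 10.0.0.5 sweeps port 445 across hosts and never gets a reply; 10.0.0.9
# behaves like a normal client that mostly reaches live services.
CONNECTION_LOG = """\
10.0.0.5 10.0.1.1 445 fail
10.0.0.5 10.0.1.2 445 fail
10.0.0.5 10.0.1.3 445 fail
10.0.0.5 10.0.1.4 445 fail
10.0.0.5 10.0.1.5 445 fail
10.0.0.9 10.0.1.20 80 ok
10.0.0.9 10.0.1.21 443 ok
10.0.0.9 10.0.1.20 80 ok
10.0.0.9 10.0.1.22 22 fail
10.0.0.9 10.0.1.23 53 ok
10.0.0.9 10.0.1.24 80 ok
10.0.0.9 10.0.1.25 443 ok
"""


class TRWDetector:
    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        # theta0: P(connection succeeds | benign host)
        # theta1: P(connection succeeds | scanner); random destinations mostly fail
        # alpha: acceptable false-positive probability; beta: target detection probability
        self.success_factor = theta1 / theta0                 # 0.25 per success
        self.failure_factor = (1 - theta1) / (1 - theta0)     # 4.0 per failure
        self.eta1 = beta / alpha                              # ratio >= eta1 -> scanner
        self.eta0 = (1 - beta) / (1 - alpha)                  # ratio <= eta0 -> benign
        self.ratio = defaultdict(lambda: 1.0)                 # likelihood ratio per source
        self.contacted = defaultdict(set)                     # first-contact bookkeeping
        self.verdict = {}

    def observe(self, src, dst, succeeded):
        """Update the walk for one connection attempt; return the current verdict."""
        if src in self.verdict:            # already decided, stop updating
            return self.verdict[src]
        if dst in self.contacted[src]:     # only first contacts carry information
            return "undecided"
        self.contacted[src].add(dst)
        self.ratio[src] *= self.success_factor if succeeded else self.failure_factor
        if self.ratio[src] >= self.eta1:
            self.verdict[src] = "scanner"
        elif self.ratio[src] <= self.eta0:
            self.verdict[src] = "benign"
        return self.verdict.get(src, "undecided")


def run_detector(log=CONNECTION_LOG):
    """Replay a connection log and return the final verdict for each source."""
    detector = TRWDetector()
    for line in log.splitlines():
        src, dst, _port, outcome = line.split()
        detector.observe(src, dst, outcome == "ok")
    return {src: detector.verdict.get(src, "undecided") for src in detector.contacted}


if __name__ == "__main__":
    for src, verdict in run_detector().items():
        print(f"{src}: {verdict}")
```

With theta0 = 0.8, theta1 = 0.2 and targets alpha = 0.01, beta = 0.99, four consecutive failed first contacts are enough to flag a source, while a normal client that occasionally misses a host is cleared after a few successes. Repeat connections to a destination already contacted are ignored, and each source needs only one ratio and a set of contacted hosts, which is what keeps the test cheap enough for a low-cost inline device.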
TRUE/FALSE. Write 'T' if the statement is true and 'F' if the statement is false. 451) A firewall may be designed to operate as a filter at the level of IP packets or may operate at a higher protocol layer.
452) The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
453) The direction control determines the types of Internet services that can be accessed, inbound or outbound.
454) The firewall cannot fully protect against internal threats.
455) A firewall may not act as a packet filter.
456) A stateful packet inspection firewall reviews the same packet information as a packet filtering firewall but also records information about TCP connections.
457) One advantage of a packet filtering firewall is its simplicity.
458) Packet filter firewalls examine upper layer data therefore they can prevent attacks that employ application specific vulnerabilities or functions.
459) Due to the small number of variables used in access control decisions packet filter firewalls are susceptible to security breaches caused by improper configurations.
460) Packet filters tend to be more secure than application level gateways.
461) A circuit level proxy can be a stand alone system or it can be a specialized function performed by an application level gateway for certain applications.
462) An example of application level gateway implementation is the SOCKS package.
463) Firewall functionality can also be implemented as a software module in a router or LAN switch.
464) The primary role of the personal firewall is to deny unauthorized remote access to the computer.
465) The external firewall adds more stringent filtering capability in order to protect enterprise servers and workstations from external attack.
MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question. 466) _________ can be an effective means of protecting a local system or network of systems from network based security threats while at the same time affording access to the outside world via wide area networks and the Internet. A) SOCKS B) Firewalls C) Proxies D) VPNs
467) The _________ is the address of the system that originated the IP packet. A) IP protocol field B) Interface C) Source IP address D) Source and destination transport level address
468) The technique that controls how particular services are used is the _________ control. The firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server. A) direction B) service C) behavior D) user
469) The _________ is the transport level port number which defines applications such as SNMP or TELNET. A) Interface B) IP protocol field C) Source IP address D) Source and destination transport level address
470) A _________ firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet. A) stateful inspection B) distributed C) packet filtering D) host-based
471) The __________ defines the transport protocol. A) source IP address B) IP protocol field C) destination IP address D) interface
472) The _________ attack is designed to circumvent filtering rules that depend on TCP header information. A) network layer address spoofing B) tiny fragment C) source routing D) IP address spoofing
473) A typical use of a _________ is a situation in which the system administrator trusts the internal users. A) stateful inspection firewall. B) packet filtering firewall C) application level gateway D) circuit level gateway
474) SOCKS is defined in _________ as "a framework for client server applications in both the TCP and UDP domains to conveniently and securely use the services of a network firewall". A) RFC 1024 B) RFC 1935 C) RFC 1928 D) RFC 1046
475) Available in many operating systems or provided as an add on package, a ________ is a software module used to secure an individual host and also filters and restricts the flow of packets. A) host based firewall B) DMZ C) circuit level gateway D) application level gateway
476) An important aspect of a distributed firewall configuration is _________ . A) change control B) security monitoring C) configuration alerting D) network frame locking
477) A ________ is a single router between internal and external networks with stateless or full packet filtering. This arrangement is typical for SOHO applications. A) host resident firewall B) DMZ C) screening router D) single bastion T
478) Common for large businesses and government organizations, the ________ configuration is required for Australian government use. A) Double bastion inline B) Double bastion T C) Single bastion T D) Single bastion inline
479) ________ has a third network interface on bastion to a DMZ where externally visible servers are placed. This is a common appliance configuration for medium to large organizations. A) single bastion inline B) double bastion T C) double bastion inline D) single bastion T
480) The iTunes Music Sharing inbound service is port number ________ . A) 3031 B) 5298 C) 3869 D) 5297
SHORT ANSWER. Write the word or phrase that best completes each statement or answers the question. 481) A _________ forms a barrier through which the traffic going in each direction must pass and dictates which traffic is authorized to pass.
482) The four general techniques that firewalls use to control access and enforce the site's security policy are: service control, direction control, user control, and __________ control.
483) Common for large businesses and government organizations, the _________ configuration sandwiches the DMZ between bastion firewalls.
484) The default _________ policy increases ease of use for end users but provides reduced security because the security administrator must, in essence, react to each new security threat as it becomes known.
485) A __________ attack is where the source station specifies the route that a packet should take as it crosses the Internet in the hopes that this will bypass security measures that do not analyze the source routing information.
486) A _________ firewall configuration involves stand alone firewall devices plus host based firewalls working together under a central administrative control.
487) Four types of firewalls are: Packet filtering, stateful inspection, circuit level proxy and _________ .
488) A _________ packet firewall tightens up the rules for TCP traffic by creating a directory of outbound TCP connections. There is an entry for each currently established connection and the packet filter will now allow incoming traffic to high numbered ports only for those packets that fit the profile of one of the entries in this directory.
489) A _________ sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established TCP segments from one connection are relayed to the other without examining the contents.
490) Typically serving as a platform for an application level or circuit level gateway, a ________ is a system identified by the firewall administrator as a critical strong point in the network's security.
491) A ________ firewall controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side.
492) Between an internal firewall and an external firewall are one or more networked devices in a region referred to as a _________ . Systems that are externally accessible but need some protection are usually located in this area.
493) A _________ consists of a set of computers that interconnect by means of a relatively unsecure network and that make use of encryption and special protocols to provide security.
494) _________ firewalls include personal firewall software and firewall software on servers. Such firewalls can be used alone or as part of an in-depth firewall deployment.
495) A ________ is a single firewall device between an internal and external router. The firewall may implement stateful filters and/or application proxies. This is the typical firewall appliance configuration for small to medium sized organizations.
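Items 470, 472, 484 and 488 describe packet filtering rules, the tiny fragment attack, the default policy and the stateful inspection directory of outbound TCP connections. The Python below is an added example, not code from the test bank or from Stallings, that puts them together: a first-match rule list with a configurable default, an RFC 1858 check that drops TCP fragments too small to carry the header or sitting at offset 1, and a stateful mode that admits inbound traffic to high-numbered ports only when it matches a recorded outbound connection. The inside network, the rules and the packets are constructed.

```python
"""Packet-filtering versus stateful-inspection firewall decisions.

Added example for items 470, 472, 484 and 488; not code from the test bank
or from Stallings. The inside network, rule set and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")       # constructed protected network


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False         # TCP SYN flag
    ack: bool = False         # TCP ACK flag
    frag_offset: int = 0      # IP fragment offset, in 8-byte units
    more_frags: bool = False  # IP MF flag
    tlen: int = 40            # bytes of transport-layer data carried


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    direction: str            # "in", "out" or "any", relative to INSIDE
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: tuple = (0, 65535)  # inclusive destination port range

    def matches(self, pkt, direction):
        return (self.direction in ("any", direction)
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport[0] <= pkt.dport <= self.dport[1])


# First match wins. Rule 3 is the blanket "replies to high ports" rule a
# stateless filter needs; the stateful filter replaces it with its directory.
RULES = [
    Rule("deny",   "in",  src="10.0.0.0/8"),                                   # 0 blocked network
    Rule("permit", "in",  "tcp", dst="192.168.1.10/32", dport=(25, 25)),       # 1 SMTP to mail host
    Rule("permit", "out", "tcp", src="192.168.1.0/24"),                         # 2 inside originates TCP
    Rule("permit", "in",  "tcp", dst="192.168.1.0/24", dport=(1024, 65535)),   # 3 inbound to high ports
]


class Firewall:
    def __init__(self, rules, default="deny", stateful=False):
        self.rules, self.default, self.stateful = rules, default, stateful
        self.connections = set()   # directory of established outbound TCP connections

    def decide(self, pkt):
        direction = "out" if ip_address(pkt.src) in INSIDE else "in"
        # Tiny fragment countermeasure (RFC 1858): the first fragment must carry the
        # whole TCP header and offset-1 fragments, which could overwrite it, are dropped.
        if pkt.proto == "tcp" and (pkt.more_frags or pkt.frag_offset > 0):
            if pkt.frag_offset == 1:
                return "deny", "fragment offset 1 would overlap the TCP header"
            if pkt.frag_offset == 0 and pkt.tlen < 20:
                return "deny", "first fragment too small to hold the TCP header"
            if pkt.frag_offset >= 2:
                return "permit", "non-first fragment; ports were checked on fragment 0"
        # Stateful inspection: inbound traffic to high ports is admitted only when it
        # fits an entry in the outbound-connection directory (replaces rule 3).
        if self.stateful and direction == "in" and pkt.proto == "tcp" and pkt.dport > 1023:
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
                return "permit", "matches an established outbound connection"
            return "deny", "no outbound connection for this inbound high port"
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt, direction):
                if (self.stateful and rule.action == "permit" and direction == "out"
                        and pkt.proto == "tcp" and pkt.syn and not pkt.ack):
                    self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action, f"rule {index}"
        return self.default, "default policy"


def evaluate(default="deny", stateful=False, rules=RULES):
    """Run a constructed packet sequence through one firewall; return its actions."""
    fw = Firewall(rules, default, stateful)
    sequence = [
        ("outbound_syn",  Packet("tcp", "192.168.1.5", 51000, "203.0.113.7", 80, syn=True)),
        ("reply",         Packet("tcp", "203.0.113.7", 80, "192.168.1.5", 51000, ack=True)),
        ("forged_reply",  Packet("tcp", "203.0.113.9", 80, "192.168.1.5", 51000, ack=True)),
        ("smtp",          Packet("tcp", "198.51.100.4", 4444, "192.168.1.10", 25, syn=True)),
        ("blocked_net",   Packet("tcp", "10.1.2.3", 4444, "192.168.1.10", 25, syn=True)),
        ("tiny_fragment", Packet("tcp", "198.51.100.4", 4444, "192.168.1.10", 25,
                                 more_frags=True, tlen=8)),
        ("stray_udp",     Packet("udp", "203.0.113.7", 53, "192.168.1.5", 5353)),
    ]
    return {name: fw.decide(pkt)[0] for name, pkt in sequence}


if __name__ == "__main__":
    print("stateless, default deny:  ", evaluate())
    print("stateful, default deny:   ", evaluate(stateful=True))
    print("stateful, default permit: ", evaluate(default="permit", stateful=True))
```

Comparing the runs makes item 488 concrete: the stateless rule set has to permit any inbound packet to a high port, so a forged reply from an unrelated host is accepted, while the stateful filter denies it and still admits the genuine reply. The stray UDP packet shows the default policy of item 484: denied under default-discard, passed under default-forward, where the administrator would have to add a rule only after learning that the traffic is a problem.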
Answer Key Testname: UNTITLED1
1) TRUE 2) TRUE 3) FALSE 4) TRUE 5) TRUE 6) FALSE 7) FALSE 8) TRUE 9) FALSE 10) TRUE 11) FALSE 12) FALSE 13) TRUE 14) FALSE 15) TRUE 16) A 17) B 18) A 19) A 20) C 21) A 22) A 23) B 24) B 25) B 26) A 27) C 28) B 29) B 30) A 31) Computer Security 32) integrity 33) attack 34) availability 35) Encipherment 36) Family Educational Rights and Privacy Act (FERPA) 37) threat 38) passive 39) encryption 40) masquerade 41) data confidentiality 42) access control 43) International Organization for Standardization (ISO) 44) Nonrepudiation 45) digital signature 46) FALSE 47) TRUE 48) TRUE 49) FALSE 50) TRUE
51) TRUE 52) FALSE 53) TRUE 54) TRUE 55) FALSE 56) TRUE 57) FALSE 58) TRUE 59) TRUE 60) FALSE 61) B 62) D 63) A 64) B 65) A 66) B 67) A 68) A 69) A 70) C 71) B 72) D 73) D 74) D 75) B 76) decryption 77) block 78) key 79) Symmetric block ciphers 80) cryptanalysis 81) computationally secure 82) Data Encryption Standard (DES) 83) entropy 84) seed 85) RC4 86) cipher block chaining (CBC) 87) symmetric 88) encryption algorithm 89) substitution 90) Horst Feistel 91) TRUE 92) FALSE 93) TRUE 94) FALSE 95) TRUE 96) FALSE 97) TRUE 98) TRUE 99) FALSE 100) TRUE
101) TRUE 102) TRUE 103) FALSE 104) TRUE 105) TRUE 106) C 107) C 108) B 109) B 110) D 111) A 112) C 113) A 114) D 115) A 116) B 117) B 118) C 119) B 120) C 121) message authentication 122) preimage resistant 123) public-key 124) hash function 125) second preimage resistant 126) cryptanalysis 127) Diffie-Hellman 128) Secure Hash Algorithm (SHA) 129) Authenticated encryption 130) CCM 131) decryption 132) digital signature 133) key exchange 134) Digital Signature Standard (DSS) 135) digital signature 136) TRUE 137) FALSE 138) TRUE 139) FALSE 140) TRUE 141) FALSE 142) TRUE 143) FALSE 144) TRUE 145) TRUE 146) FALSE 147) TRUE 148) FALSE 149) TRUE 150) TRUE
151) B 152) A 153) A 154) C 155) B 156) D 157) C 158) A 159) C 160) B 161) D 162) D 163) D 164) D 165) D 166) key distribution 167) lifetime 168) session key 169) key distribution center (KDC) 170) Kerberos 171) ticket-granting 172) Kerberos realm 173) Abstract Syntax Notation One (ASN.1) 174) password attacks 175) subkey 176) (public-key) certificate 177) X.509 178) policy mappings 179) public-key infrastructure (PKI) 180) Federation 181) TRUE 182) FALSE 183) TRUE 184) FALSE 185) TRUE 186) TRUE 187) FALSE 188) TRUE 189) FALSE 190) TRUE 191) FALSE 192) FALSE 193) TRUE 194) TRUE 195) TRUE 196) A 197) B 198) A 199) A 200) D
201) D 202) A 203) B 204) B 205) D 206) B 207) B 208) D 209) D 210) C 211) Secure Socket Layer (SSL) 212) Handshake 213) Passive 214) SSL/TLS 215) SSL Record Protocol 216) HTTPS 217) connection 218) SSH 219) Alert Protocol 220) Ephemeral Diffie-Hellman 221) private key 222) 4 223) CipherSpecs 224) Pseudorandom Function (PRF) 225) Local forwarding 226) TRUE 227) TRUE 228) FALSE 229) FALSE 230) TRUE 231) TRUE 232) FALSE 233) FALSE 234) TRUE 235) TRUE 236) FALSE 237) TRUE 238) TRUE 239) TRUE 240) FALSE 241) B 242) D 243) D 244) A 245) A 246) D 247) D 248) D 249) D 250) A
251) B 252) A 253) D 254) D 255) C 256) IEEE 802.11i 257) Wireless Application Protocol (WAP) 258) Distribution 259) Wireless Ethernet Compatibility Alliance (WECA) 260) coordination 261) Group Temporal Key (GTK) 262) extended service set (ESS) 263) media access control (MAC) 264) basic service set (BSS) 265) Wi-Fi Protected Access (WPA) 266) secure key delivery 267) pairwise keys 268) 4-way handshake 269) Wireless Application Environment (WAE) 270) gateway 271) TRUE 272) FALSE 273) TRUE 274) TRUE 275) FALSE 276) FALSE 277) FALSE 278) TRUE 279) FALSE 280) TRUE 281) FALSE 282) TRUE 283) FALSE 284) TRUE 285) FALSE 286) D 287) D 288) A 289) B 290) A 291) D 292) A 293) B 294) B 295) D 296) D 297) B 298) C 299) B 300) B
301) Pretty Good Privacy (PGP) 302) trust flag byte 303) ZIP 304) radix-64 305) passphrase-based 306) key legitimacy 307) Secure/Multipurpose Internet Mail Extension (S/MIME) 308) Content-Type 309) application 310) quoted-printable 311) base64 312) digital signature 313) signed and enveloped data 314) DomainKeys Identified Mail (DKIM) 315) Domain Name System (DNS) 316) TRUE 317) TRUE 318) FALSE 319) TRUE 320) FALSE 321) TRUE 322) TRUE 323) FALSE 324) TRUE 325) FALSE 326) TRUE 327) TRUE 328) FALSE 329) TRUE 330) TRUE 331) D 332) B 333) B 334) C 335) C 336) B 337) D 338) C 339) C 340) D 341) D 342) A 343) A 344) A 345) A 346) confidentiality 347) Tunnel 348) security association database (SAD) 349) encapsulating security payload 350) replay
351) HMAC 352) Security Parameters Index (SPI) 353) key management 354) Encapsulating Security Payload 355) IP 356) Local IP Address 357) security association bundle 358) Oakley Key Determination Protocol 359) digital signatures 360) Certificate Request 361) TRUE 362) FALSE 363) TRUE 364) FALSE 365) TRUE 366) TRUE 367) TRUE 368) FALSE 369) TRUE 370) FALSE 371) TRUE 372) TRUE 373) FALSE 374) TRUE 375) FALSE 376) B 377) D 378) A 379) A 380) D 381) A 382) C 383) A 384) A 385) D 386) B 387) D 388) C 389) B 390) B 391) Intrusion detection 392) Statistical anomaly 393) Clandestine user 394) Access control 395) interval timer 396) Intrusion detection 397) Native 398) Rule-based 399) honeypots 400) IETF Intrusion Detection Working Group
401) reactive password checking 402) audit 403) Counter 404) Rule-based penetration 405) Bayes' theorem 406) TRUE 407) FALSE 408) TRUE 409) TRUE 410) FALSE 411) TRUE 412) TRUE 413) FALSE 414) TRUE 415) TRUE 416) FALSE 417) TRUE 418) FALSE 419) TRUE 420) TRUE 421) D 422) A 423) D 424) C 425) D 426) A 427) A 428) C 429) A 430) D 431) B 432) B 433) D 434) D 435) D 436) Malicious software 437) independent 438) denial of service (DoS) 439) Parasitic 440) logic bomb 441) adware 442) E-mail 443) payload 444) Generic decryption (GD) 445) mobile program 446) Behavior blocking 447) triggering 448) DDoS 449) Attack detection and filtering 450) Threshold random walk scan detection (TRW)
451) TRUE 452) TRUE 453) FALSE 454) TRUE 455) FALSE 456) TRUE 457) TRUE 458) FALSE 459) TRUE 460) FALSE 461) TRUE 462) FALSE 463) TRUE 464) TRUE 465) FALSE 466) B 467) C 468) C 469) D 470) C 471) B 472) B 473) D 474) C 475) A 476) B 477) C 478) B 479) D 480) C 481) firewall 482) behavior 483) double bastion inline 484) forward 485) source routing 486) distributed 487) application proxy 488) stateful inspection 489) circuit level gateway 490) bastion host 491) personal 492) DMZ (demilitarized zone) 493) virtual private network (VPN) 494) Host resident 495) single bastion inline