MIS 4850 Systems Security - EIU



MIS 4850 Systems Security

Final Exam Review Questions

Access Control and Site Security

1. Which of the following operating systems does not provide RAM buffer protection?

a) Windows Vista

b) Windows XP Professional

c) Windows NT

d) Windows 2000

e) None of the above

Explanation: Win 95, Win 98, Win Me, Win XP Home do not provide RAM buffer protection

2. With which of the following operating systems can the login password be bypassed by hitting the escape key?

a) Windows Vista

b) Windows XP Professional

c) Windows NT

d) Windows 2000

e) None of the above

Explanation: With Win 95, Win 98, and Win Me, the login password can be bypassed.

3. Which of the following is true about Access cards that are designed for two-factor authentication?

a) their PINs are usually short like 4 characters for instance

b) a 4-character PIN is too risky for access cards

c) if an access card is lost, the best security measure is to cancel or disable it

d) None of the above

4. You need to implement a wireless network with 3 Access Points and 13 wireless laptops.

How many SSIDs need to be used in order to have all devices be part of the same WLAN?

a) Three different SSIDs

b) One same SSID

c) 16 different SSIDs

d) None of the above.

5. In a wireless network that uses WEP (Wired Equivalent Privacy) to provide wireless security, which of the following may authenticate to an access point?

a) Only the administrator.

b) Only users with the correct WEP key.

c) Only users within the company.

d) Anyone can authenticate.

6. Users must type PINs when they use their access cards. This is an example of …

a) piggybacking

b) one-factor authentication

c) weak authentication

d) three-factor authentication

e) None of the above

7. A user walks up to a door, has his or her face scanned, and is admitted through the door. Assume nothing else. This is an example of...

a) verification

b) certification

c) None of the above

Explanation: Verification (or authentication) is when a user provides his/her credentials (username, password) to the system for authentication purposes. The situation described is identification, usually used in biometric-based systems where the user doesn't provide credentials. Instead, the system identifies the user's physical features (face shape, etc.) and makes the access decision.

8. How could we prevent someone from installing a sniffer where wires connect to a switch?

a. Use newer switches

b. install sniffer detection systems

c. use switches with non-standard ports

d. use optical fiber instead of UTP

e. lock telecommunications closets

9. It may be possible to find media containing sensitive corporate data through...

a. Data digging

b. two-factor recognition

c. sensitivity analysis

d. Shredding

e. None of the above

Explanation: This is dumpster diving.

10. The network administrator created a group account. He added all employees with last name beginning with letter A, B, or C to the group. He then created another group account and added all the other employees to it. He finally assigned access rights to the groups. What access control strategy did he use?

a) Role Based Access Control

b) Discretionary Access Control

c) Logic Based Access Control

d) None of the above

Explanation: This is List-Based Access Control because the access rights are based on lists of users without regard to their role/function.

TCP/IP Internetworking

11. Which of the following is true in TCP/IP-based encapsulation?

a. Requests are encapsulated in TCP segments

b. Frames are encapsulated in packets

c. Neither a. nor b.

d. Both a and b.

12. During encapsulation, if Layer N creates a message, which layer encapsulates the message?

a. N+1

b. N

c. N-1

d. Any of the above

Explanation: With TCP/IP, if the Application (layer 5) creates an HTTP request, it is the Transport layer (layer 4) that encapsulates the HTTP request in a TCP segment.

13. Which of the following is connectionless?

a. IP

c. TCP

d. None of the above.

Explanation: IP is a connectionless protocol. UDP is another connectionless protocol. They do not require a connection to be established and maintained between the two parties for the duration of the communication.

14. How many messages are sent in a TCP opening?

a. One

b. Two (the message and its acknowledgement)

c. Four

d. None of the above

Explanation: Three messages are sent altogether in a TCP opening

15. How many messages are sent in an abrupt TCP close, i.e. in a Reset?

a. Two (the message and its acknowledgement)

b. Three

c. Four

d. None of the above

Explanation: One. A single message is sent to abruptly close a connection.

16. What do we call messages at the Transport layer?

a. Frames

b. Packets

c. Both of the above.

d. Neither a. nor b.

Explanation: They are called segments (i.e. TCP segments) or datagrams (i.e. UDP datagrams)

17. A host sends a TCP segment with source port number 25. Which of the following is true?

a) The source host is an email server

b) The destination host is a client computer

c) The destination host is a server computer

d) The source host is a web server

Explanation: TCP port 25 is the well-known port number for email servers.

Attacks

18. In preparing his attack, the attacker used the ping command to determine whether or not a specific target computer is connected and responsive. Which of the following did the attacker do?

a) Network scanning

b) Port scanning

c) Fingerprinting

d) Host scanning

e) None of the above

Explanation: This is host scanning because ping sends a message through the network in an attempt to determine whether a specific host computer is connected (or "live").

19. In preparing his attack, the attacker used an IP scanning program called fPing to determine whether or not computers with IP addresses in the range 220.35.36.1 to 220.35.36.20 are connected and responsive. Which of the following did the attacker do?

a) Network scanning

b) Port scanning

c) Fingerprinting

d) Host scanning

e) None of the above

Explanation: Host scanning can be done for a single host or for multiple hosts using a range of IP addresses. In this case the fPing program is used instead of the ping command.

20. In preparing his attack, the attacker sent normal HTTP requests to a web server. Then, he spent some time analyzing the protocol-related information in the response received from the web server in order to determine the kind of software installed on the web server. Which of the following did the attacker do?

a) Active fingerprinting

b) Protocol fingerprinting

c) Passive fingerprinting

d) None of the above

21. An attacker is trying to guess a 4-character long password that consists only of digits. What is the total number of combinations to guess?

a) 4000

b) 10000

c) 8000

d) None of the above

Explanation: 10^4 = 10000. The base is 10 because there are 10 digits in the decimal system (0 to 9).

22. Collecting information using the Government EDGAR system and by visiting a potential target organization’s web site is considered…

a) Passive fingerprinting

b) Random information gathering

c) Unobtrusive information gathering

d) None of the above

23. An attacker sends an attack message to a target computer using IP fragmentation. The attack message is about 80000 bytes. What kind of attack did the attacker attempt?

a) Teardrop attacks

b) Ping of Death attack

c) Land attack

d) None of the above

Explanation: Ping of Death occurs when an oversized packet (more than the 65000-byte maximum allowed) is sent to a target in an attempt to create a DoS. This is typically done through IP fragmentation.

24. Which of the following do Denial of Service attacks primarily attempt to jeopardize?

a) confidentiality

b) integrity

c) availability

25. SYN flooding is effective because…

a) of an asymmetry in the work that the sender and receiver must do.

b) the basic protocol is flawed

c) SYN messages are encapsulated and so cannot be traced back to the attacker

d) it is based on DDoS

26. Which of the following determines which operating system is installed on a system by analyzing its response to certain network traffic?

a) OS scanning.

b) Reverse engineering.

c) Fingerprinting

d) Host hijacking.

27. Which of the following is a DoS (Denial of Service) attack that exploits TCP's three-way handshake for new connections?

a. SYN flooding

b. Ping of death attack.

c. LAND attack.

d. Buffer overflow attack.

Firewalls

28. What does a firewall use to ensure that each packet is part of an established TCP (Transmission Control Protocol) session?

a) a packet filter.

b) a static filtering.

c) a stateful filtering.

d) a circuit level gateway.

29. Ingress filtering is used to filter packets...

a. coming into the network from an external network

b. going out of the network to an external network

c. Both a. and b.

30. Static packet filter firewalls examine...

a. IP headers

b. application messages

c. connections

d. All of the above.

Exhibit 1

Figure 1: Access Control List (ACL) for Ingress Filtering at a border firewall

Rule 1: If Source IP Address = 10.*.*.*, DENY [Private IP Address Range]

Rule 2: If Source IP Address = 172.16.*.* to 172.31.*.*, DENY [Private IP Address Range]

Rule 3: If Source IP Address = 192.168.*.*, DENY [Private IP Address Range]

Rule 4: If Source IP Address = 60.47.*.*, DENY [Internal address range]

Rule 5: If TCP SYN = 1 AND FIN = 1, DENY [Crafted attack packet]

Rule 6: If Destination IP Address = 60.47.3.9 AND TCP Destination Port = 80 or 443, PASS

Rule 7: If TCP SYN = 1 AND ACK = 0, DENY [Attempt to open connection from the outside]

Rule 8: If TCP Destination Port = 20, DENY

Rule 9: If TCP Destination Port = 135 through 139, DENY

Rule 10: If TCP Destination Port = 513, DENY [UNIX rlogin without password]

Rule 11: If UDP Destination Port = 69, DENY [Trivial FTP; no login necessary]

Rule 12: DENY ALL

31. Given the Exhibit shown above, which of the following is true?

a) Rule 1 can be deleted without jeopardizing security because, anyway, the Deny All will stop any incoming message with a source IP address in the 10.*.*.* range.

b) Deleting Rule 1 would allow a packet with a source IP address in the 10.*.*.* range to pass in certain cases.

c) None of the above.

32. Given the Exhibit, what specific service could someone using the source IP address 192.168.3.7 get access to in case Rule 3 is removed from the ACL? (Circle all correct answers).

a) email service

b) HTTP webservice

c) ftp service

d) secure HTTP webservice

e) All of the above

33. What is the purpose of Rule 4 in the ACL shown in the Exhibit?

a) to prevent messages with source IP address in the internal address range from passing

b) to deny access to any incoming packet destined to any internal server computer

c) to prevent outsiders from using internal IP addresses in spoofing attacks

d) None of the above.

34. As the network administrator in charge of configuring the company's firewall, you have to change the ACL in the Exhibit to add a rule that allows packets destined to an internal secure web server (HTTPS) that has the IP address 60.47.3.7 to pass. (Note: the Appendix lists TCP/UDP ports for common services). Write down the rule: ______________________________________________________________________________

35. Where should the rule you wrote down be inserted in the ACL?

a) Anywhere before Rule 7

b) between Rule 5 and Rule 6

c) between Rule 4 and Rule 5
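The ACL in Exhibit 1 is evaluated top-down and the first matching rule decides, which is why the position of a rule matters as much as its content. The following Python is an added example, not part of the review sheet: it models the twelve rules and evaluates constructed packets against the full ACL and against the ACL with one rule removed. The outside address 203.0.113.5 and the host 192.168.3.7 used in the checks are constructed.

```python
import ipaddress
from typing import Callable, List, NamedTuple, Tuple


class Packet(NamedTuple):
    """Only the header fields the exhibit's rules look at (constructed packets)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    syn: int = 0
    ack: int = 0
    fin: int = 0


def in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


# (rule number, predicate, action, note) in the order of Exhibit 1.
# 172.16.*.* to 172.31.*.* is the block 172.16.0.0/12.
ACL: List[Tuple[int, Callable[[Packet], bool], str, str]] = [
    (1, lambda p: in_net(p.src, "10.0.0.0/8"), "DENY", "private source range"),
    (2, lambda p: in_net(p.src, "172.16.0.0/12"), "DENY", "private source range"),
    (3, lambda p: in_net(p.src, "192.168.0.0/16"), "DENY", "private source range"),
    (4, lambda p: in_net(p.src, "60.47.0.0/16"), "DENY", "internal range (spoofed source)"),
    (5, lambda p: p.proto == "tcp" and bool(p.syn and p.fin), "DENY", "crafted packet"),
    (6, lambda p: p.dst == "60.47.3.9" and p.proto == "tcp" and p.dport in (80, 443),
     "PASS", "public web server"),
    (7, lambda p: p.proto == "tcp" and bool(p.syn and not p.ack), "DENY",
     "connection opened from outside"),
    (8, lambda p: p.proto == "tcp" and p.dport == 20, "DENY", "FTP data"),
    (9, lambda p: p.proto == "tcp" and 135 <= p.dport <= 139, "DENY", "NetBIOS"),
    (10, lambda p: p.proto == "tcp" and p.dport == 513, "DENY", "rlogin"),
    (11, lambda p: p.proto == "udp" and p.dport == 69, "DENY", "TFTP"),
    (12, lambda p: True, "DENY", "deny all"),
]


def evaluate(acl, pkt: Packet) -> Tuple[int, str]:
    """First-match evaluation: return (rule number, action) of the deciding rule."""
    for num, pred, action, _ in acl:
        if pred(pkt):
            return num, action
    raise RuntimeError("ACL has no catch-all rule")


def without(acl, rule_no: int):
    """The same ACL with one rule deleted, order otherwise unchanged."""
    return [r for r in acl if r[0] != rule_no]


if __name__ == "__main__":
    # A SYN from a 10.*.*.* source aimed at the web server: Rule 1 stops it,
    # but with Rule 1 deleted it reaches Rule 6 and is PASSED, so Deny All
    # never gets a chance to act (the point of Question 31).
    spoofed = Packet("10.1.2.3", "60.47.3.9", "tcp", 80, syn=1)
    print("full ACL:     ", evaluate(ACL, spoofed))
    print("without Rule 1:", evaluate(without(ACL, 1), spoofed))
    # A legitimate outside client reaching the web server is passed by Rule 6.
    print("outside client:", evaluate(ACL, Packet("203.0.113.5", "60.47.3.9", "tcp", 443, syn=1)))
```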

Host Hardening

These are the same questions as the ones in the Exam 3 Review posted to the Review section under Host Hardening.

36. To know how to install an operating system with secure configuration options, you would use a...

a. security baseline

b. standard

c. security template

d. wizard

37. A systems administrator’s main role is to…

a. manage a network

b. implement security baseline on servers

c. None of the above

38. In a Windows network, which of the following could be used to implement security measures on multiple computers through a domain?

a. Policy Maker

b. Group policies

c. Domain Access Control Lists

39. UNIX command-line interfaces are called _____.

a. versions

b. distributions

c. GUIs

d. shells

e. windows

40. Traditionally, default installations of operating systems _____.

a. turn off most infrequently used services to reduce RAM and processing requirements

b. turn on many infrequently used services to ease management labor

41. In _____, the ps command is used to learn what services are running.

a. Microsoft Windows

b. UNIX/Linux

c. Novell NetWare

d. None of the above

42. In UNIX, to know what port each connection is using, you would use _____.

a. ps

b. Inetd

c. Rc script

d. netstat

43. In UNIX, infrequently used services are started when users send service requests. Which of the following programs starts the services?

a. ps

b. inetd

c. rc scripts

d. TCP wrappers

e. netstat

44. In Windows, when files are encrypted using the Encrypting File System (EFS), an attacker who breaks in can still get a copy of the files.

a. True

b. False

45. Tripwire is a(n) _____

a. IDS

b. host firewall

c. event logger

d. file integrity checker

e. All of the above.

46. Microsoft’s vulnerability checker is _____.

a. Tripwire

b. MBSA

c. tar

d. the Audit MMC

e. Bloodhound

47. Which of the following is true about installing and configuring software programs?

a) Use different security baselines for different OS and OS versions

b) Use different security baselines for different types of server applications (web service, email service, etc.)

c) Use different security baselines for different types of client applications

d) All of the above

48. You want to know whether a Windows system is properly configured or has some vulnerable configuration settings. What tool can you use?

Answer: __MBSA____

49. As a systems administrator, you realized that a couple of services that are not needed at this point by your organization are running on one of the server computers. The services include telnet and Network Dynamic Data Exchange. What should you do?

a) Remove the services in question from the server computer

b) Turn off the services in question from the server computer

c) None of the above

50. As a systems administrator, you realized that a couple of user accounts belonging to employees who have been suspended are active on the system. What should you do?

Answer: ____disable the accounts____________________

51. Which of the following is not true about having services that are not needed running on a server computer?

a) It gives attackers fewer attack opportunities

b) More services can increase host load

c) More services can decrease the performance of the host computer

d) Reducing services reduces logs and makes detection of intrusion easier

e) None of the above

52. File integrity checkers like Tripwire and AFICK are meant to be used in order to determine what files have been compromised after attacks. But they can lead to false positives. How so? Explain.

Hackers are not the only reason why files are altered. Files' content and size change for various reasons, including legitimate users editing and saving files. Therefore, comparing the Tripwire or AFICK hashes of files taken before and after an attack could lead to false positives, meaning that a difference between the BEFORE and AFTER hashes could be misinterpreted as an alteration by hackers when it is actually the result of legitimate users' activities.

Elements of Cryptography

These are the same questions as the ones in the Exam 3 Review posted to the Review section under Elements of Cryptography.

53. Jason sends a message to Kristin using public key encryption for confidentiality. What key will Jason use to encrypt the message?

a. Jason’s private key

b. Jason’s public key

c. Kristin’s Public key

d. None of the above

54. Which of the following is needed in order to encrypt the following message that you want to send to a business partner? The total amount to be paid for order #C1222 is $23,000.00 (Circle all that apply)

b. a ciphertext

c. a key

d. an authenticator

e. an encryption method or algorithm

55. Encryption is used for _____.

a. confidentiality

b. authentication

c. Both of the above.

56. In symmetric encryption in a two-way dialog, how many keys are used in total for confidentiality?

a. one

b. two

c. four

57. Which of the following do cryptographic systems protect?

a) Data stored on local storage media (like hard drives) from access by unauthorized users

b) Data being transmitted from point A to point B in a network

c) Both a and b

58. Based on how encryption systems work, which of the following is the worst thing that could happen?

a) An attacker gets a copy of the encryption and decryption algorithms

b) An attacker gets the decryption key

c) a and b are equally damaging

59. Which of the following is true about the difference between hashing and encryption?

(Choose all that apply)

a) In encryption, the output is similar in length to the input

b) In hashing, the output is similar in length to the input

c) In encryption, the output is of a fixed short length, regardless of input

d) In hashing, the output is of a fixed short length, regardless of the input

60. Which of the following could be done to make it harder for attackers to crack encryption keys?

a) Use 8-bits keys

b) Change encryption keys very often

c) Use complex encryption algorithms

d) All of the above

61. Based on the way DES and 3DES work, which of the following is true?

a) 3DES requires more processing time than DES

b) Compared to 3DES, DES requires more RAM

c) Both a and b

62. Which of the following security issues is NOT addressed by cryptographic systems?

a) Confidentiality; i.e. protection against eavesdropping

b) Authentication; i.e. assurance that sending parties are who they claim to be

c) Message integrity; i.e. assurance that messages are not altered en route

d) Availability; i.e. making sure that communication systems are not shut down by intruders.

e) All of the above

63. You want to use symmetric encryption to send the following message to one of your business partners: The account balance is three thousand dollars

Which of the following is needed in order to encrypt the message? (Choose all that apply)

a) a plaintext

b) a ciphertext

c) a key

d) an encryption algorithm

e) None of the above

64. Assume that a substitution algorithm is used to encrypt the following message: The account balance is three thousand dollars

a) What would be the size of the ciphertext in terms of number of characters?

Answer: ______

Explain: _______________________________________________________________________

________________________________________________________________________

________________________________________________________________________

b) What would be the size of the ciphertext in terms of number of bits?

Answer: ______

Explain: _______________________________________________________________________

________________________________________________________________________

________________________________________________________________________

67. Imagine that a 512-byte text file is used as input with the MD5 hash function. Which of the following could be the size of the checksum?

a) 512 bits

b) 256 bytes

c) 128 bits

d) None of the above

68. Imagine that a 512-byte text file is used as input with the SHA1 hash function. Which of the following could be the size of the checksum?

a) 512 bits

b) 256 bytes

c) 128 bits

d) None of the above

69. Assume that a 10-bit key is used for encryption/decryption. What is the maximum number of keys an attacker who captures enough ciphertext will have to try in order to decipher the captured ciphertext using the appropriate algorithm? Answer: ______________________________

70. Assume that it takes 10 days to try all possible combinations of a 16-bit key. How much time would it take to try all the key combinations when the key length is increased to 18 bits?

Answer: ________________________________________

For their private communications, Bill and Joe use an 8-bit key for symmetric encryption. A cryptanalyst has captured a large amount of ciphertext being sent to Joe. Answer Q.71-72.

71. What is the maximum number of keys that the cryptanalyst using the correct algorithm will have to try in order to decrypt the ciphertext and crack the key?

Answer: ___________________

72. What is the likelihood (in percentage) that the cryptanalyst cracks the key in 128 tries?

Answer: ____________________

73. Which of the following refers to the output of hashing?

a) hash

b) message digest

c) checksum

d) All of the above

74. You can generate an MD5 hash using a character string as the input. T F

75. You cannot generate a SHA1 hash using a character string as the input. T F

76. You cannot generate a SHA1 hash using a .rtf file as the input. T F

77. You cannot generate a SHA1 hash using an executable file as the input. T F

Applications Security

These are the same questions as the ones in the Exam 3 Review posted to the Review section under Applications Security.

78. Which of the following used to be an effective technique for IIS directory traversal attacks?

a) Adding “traverse” to the beginning of the URL

b) Typing in URLs that include “../”

c) Typing in the home directory in the URL instead of the name registered in DNS

d) None of the above

79. You discovered that ABC Inc. is using Microsoft’s IIS 5.0 web server software to provide Internet printing service to its employees so they can send their print jobs to the company’s printers over the Internet using a web browser.

a. What tool may attackers use to launch a buffer overflow attack against the server?

Answer: __________________________________

b. Explain how the tool you mentioned when answering Question 3.a works and what may be the consequences of the attacker succeeding.

80. Imagine a company located in Charleston, IL has developed an extranet that allows its registered customers all over the world to log in and perform transactions online. For security reasons, the extranet is configured to be available from Monday 12:00 AM EST until Friday 11:59 PM EST. You have properly configured the user accounts. You also have configured the time tracking feature as follows:

1. Can any registered customer be able to log in and perform transactions on a Saturday at 1:00 AM EST? Explain.

2. What (if anything) can be done to prevent customers from logging in from Saturday 12:00 AM EST until Sunday 11:59 PM EST?

81. Most applications are written to get inputs from users, process them, and generate outputs. The number one rule for writing application programs in a secure way is “Never Trust User Input”.

a. Explain why user input may cause a security breach and what kind of security breach may result from trusting user input?

b. What can/should be done to comply with the “Never Trust User Input” rule when writing application programs?

82. You opened your web browser and typed . You get the page shown in Exhibit 1. You deleted Case1 from the URL and get the page shown in Exhibit 2

What misconfiguration problem allows you to see the content? Explain.

83. Typically, using low-level programming languages like C and Assembly helps prevent buffer overflow occurrences because they provide automatic bounds checking for memory buffers. T F

84. Using source code scanning tools like PurifyPlus can help detect and fix statements that reference buffers with no bounds checking in C and C++ source code. T F

85. When the Hide Extension For Known File Types is set in Windows, malicious.jpg.exe will appear to be a …

a) text (txt) file

b) executable (exe) file

c) image (jpg) file

d) None of the above

86. Which of the following is used to track users at a website to see what pages they view?

a) cookies.

b) web bugs.

c) Both a. and b.

d) Neither a. nor b.

[Figure for Exhibit 1: network diagram showing the firewall (60.47.3.1) between the untrusted network and the trusted network, with internal hosts 60.47.3.5, 60.47.3.9 and 60.47.3.2]

[Figure for Question 80: time tracking showing Monday 2:00 AM in Beijing, China and Sunday 1:00 PM in Charleston, IL]

[Exhibit 1 and Exhibit 2 for Question 82: images not available]
