Chapter 1 To 15test - Computer Security4e


Computer Security: Principles and Practice, 4th Edition Chapter 1

Chapter 1 – Computer Systems Overview

TRUE/FALSE QUESTIONS:
T F 1. Threats are attacks carried out.
T F 2. Computer security is protection of the integrity, availability, and
confidentiality of information system resources.

T F 3. Data integrity assures that information and programs are changed only
in a specified and authorized manner.

T F 4. Availability assures that systems work promptly and service is not denied to authorized users.

T F 5. The “A” in the CIA triad stands for “authenticity”.

T F 6. The more critical a component or service, the higher the level of availability required.

T F 7. Computer security is essentially a battle of wits between a perpetrator who tries to find holes and the administrator who tries to close them.

T F 8. Security mechanisms typically do not involve more than one particular algorithm or protocol.

T F 9. Many security administrators view strong security as an impediment to efficient and user-friendly operation of an information system.

T F 10. In the context of security our concern is with the vulnerabilities of system resources.

T F 11. Hardware is the most vulnerable to attack and the least susceptible to
automated controls.

T F 12. Contingency planning is a functional area that primarily requires computer security technical measures.

T F 13. X.800 architecture was developed as an international standard and focuses on security in the context of networks and communications.

T F 14. The first step in devising security services and mechanisms is to develop a security policy.

T F 15. Assurance is the process of examining a computer product or system with respect to certain criteria.

MULTIPLE CHOICE QUESTIONS:


1. __________ assures that individuals control or influence what information related
to them may be collected and stored and by whom and to whom that information
may be disclosed.
A. Availability B. System Integrity
C. Privacy D. Data Integrity
2. ________ assures that a system performs its intended function in an unimpaired
manner, free from deliberate or inadvertent unauthorized manipulation of the
system.
A. System Integrity B. Data Integrity
C. Availability D. Confidentiality
3. A loss of _________ is the unauthorized disclosure of information.
A. confidentiality B. integrity
C. authenticity D. availability
4. A ________ level breach of security could be expected to have a severe or
catastrophic adverse effect on organizational operations, organizational assets, or
individuals.
A. low B. normal
C. moderate D. high
5. A flaw or weakness in a system’s design, implementation, or operation and
management that could be exploited to violate the system’s security policy is
a(n) __________.
A. countermeasure B. vulnerability
C. adversary D. risk
6. An assault on system security that derives from an intelligent act that is a
deliberate attempt to evade security services and violate the security policy of a
system is a(n) __________.
A. risk B. asset
C. attack D. vulnerability

7. A(n) __________ is an action, device, procedure, or technique that reduces a
threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing
the harm it can cause, or by discovering and reporting it so that correct action can
be taken.
A. attack B. countermeasure
C. adversary D. protocol
8. A(n) _________ is an attempt to learn or make use of information from the system
that does not affect system resources.
A. passive attack B. inside attack
C. outside attack D. active attack
9. Masquerade, falsification, and repudiation are threat actions that cause
__________ threat consequences.
A. unauthorized disclosure B. deception
C. disruption D. usurpation
10. A threat action in which sensitive data are directly released to an unauthorized
entity is __________.
A. corruption B. disruption
C. intrusion D. exposure
11. An example of __________ is an attempt by an unauthorized user to gain access
to a system by posing as an authorized user.
A. masquerade B. interception
C. repudiation D. inference
12. The _________ prevents or inhibits the normal use or management of
communications facilities.
A. passive attack B. traffic encryption
C. denial of service D. masquerade
13. A __________ is any action that compromises the security of information owned
by an organization.
A. security mechanism B. security attack
C. security policy D. security service

14. The assurance that data received are exactly as sent by an authorized
entity is __________.
A. authentication B. data confidentiality
C. access control D. data integrity
15. __________ is the insertion of bits into gaps in a data stream to frustrate traffic
analysis attempts.
A. Traffic padding B. Traffic routing
C. Traffic control D. Traffic integrity

SHORT ANSWER QUESTIONS


1. Computer Security is the protection afforded to an automated information system in
order to attain the applicable objectives of preserving the integrity, availability, and
confidentiality of information system resources.
2. Confidentiality, Integrity, and Availability form what is often referred to as the CIA
triad.
3. A loss of availability is the disruption of access to or use of information or an
information system.
4. In the United States, student grade information is an asset whose confidentiality is
regulated by the FERPA (Family Educational Rights and Privacy Act).

5. A(n) attack is a threat that is carried out and, if successful, leads to an undesirable
violation of security, or threat consequence.
6. A(n) countermeasure is any means taken to deal with a security attack.
7. Misappropriation and misuse are attacks that result in usurpation threat consequences.
8. The assets of a computer system can be categorized as hardware, software,
communication lines and networks, and data.
9. Release of message contents and traffic analysis are two types of passive attacks.
10. Replay, masquerade, modification of messages, and denial of service are examples of
active attacks.

11. Establishing, maintaining, and implementing plans for emergency response, backup
operations, and post disaster recovery for organizational information systems to ensure
the availability of critical information resources and continuity of operations in
emergency situations is a contingency plan.
12. A(n) risk assessment is periodically assessing the risk to organizational operations,
organizational assets, and individuals, resulting from the operation of organizational
information systems and the associated processing, storage, or transmission of
organizational information.
13. The OSI security architecture focuses on security attacks, mechanisms, and services.
14. A digital signature is data appended to, or a cryptographic transformation of, a data
unit that allows a recipient of the data unit to prove the source and integrity of the data
unit and protect against forgery.
15. Security implementation involves four complementary courses of action: prevention,
detection, response, and recovery.

Chapter 2 – Cryptographic Tools

TRUE/FALSE QUESTIONS:

T F 1. Symmetric encryption is used primarily to provide confidentiality.


T F 2. Two of the most important applications of public-key encryption are
digital signatures and key management.

T F 3. Cryptanalytic attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.

T F 4. The secret key is input to the encryption algorithm.

T F 5. Triple DES takes a plaintext block of 64 bits and a key of 56 bits to produce a ciphertext block of 64 bits.

T F 6. Modes of operation are the alternative techniques that have been developed to increase the security of symmetric block encryption for large sequences of data.

T F 7. The advantage of a stream cipher is that you can reuse keys.

T F 8. A message authentication code is a small block of data generated by a secret key and appended to a message.

T F 9. Like the MAC, a hash function also takes a secret key as input.

T F 10. The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm.

T F 11. Public-key cryptography is asymmetric.

T F 12. Public-key algorithms are based on simple operations on bit patterns.

T F 13. The purpose of the DSS algorithm is to enable two users to securely
reach agreement about a shared secret that can be used as a secret key
for subsequent symmetric encryption of messages.

T F 14. An important element in many computer security services and applications is the use of cryptographic algorithms.

T F 15. Some form of protocol is needed for public-key distribution.



MULTIPLE CHOICE QUESTIONS:

1. The original message or data that is fed into the algorithm is __________.
A. encryption algorithm B. secret key
C. decryption algorithm D. plaintext

2. The __________ is the encryption algorithm run in reverse.
A. decryption algorithm B. plaintext
C. ciphertext D. encryption algorithm

3. __________ is the scrambled message produced as output.
A. Plaintext B. Ciphertext
C. Secret key D. Cryptanalysis

4. On average, __________ of all possible keys must be tried in order to achieve
success with a brute-force attack.
A. one-fourth B. half
C. two-thirds D. three-fourths

5. The most important symmetric algorithms, all of which are block ciphers, are the
DES, triple DES, and the __________.
A. SHA B. RSA
C. AES D. DSS

6. If the only form of attack that could be made on an encryption algorithm is brute-
force, then the way to counter such attacks would be to __________ .
A. use longer keys B. use shorter keys
C. use more keys D. use less keys

7. __________ is a procedure that allows communicating parties to verify that received
or stored messages are authentic.
A. Cryptanalysis B. Decryption
C. Message authentication D. Collision resistance

8. The purpose of a __________ is to produce a “fingerprint” of a file, message, or
other block of data.
A. secret key B. digital signature
C. keystream D. hash function

9. __________ is a block cipher in which the plaintext and ciphertext are integers
between 0 and n-1 for some n.
A. DSS B. RSA
C. SHA D. AES

10. A __________ is created by using a secure hash function to generate a hash value
for a message and then encrypting the hash code with a private key.
A. digital signature B. keystream
C. one way hash function D. secret key

11. Transmitted data stored locally are referred to as __________ .
A. ciphertext B. DES
C. data at rest D. ECC

12. Digital signatures and key management are the two most important applications of
__________ encryption.
A. private-key B. public-key
C. preimage resistant D. advanced

13. A __________ is to try every possible key on a piece of ciphertext until an
intelligible translation into plaintext is obtained.
A. mode of operation B. hash function
C. cryptanalysis D. brute-force attack

14. Combined one byte at a time with the plaintext stream using the XOR operation, a
__________ is the output of the pseudorandom bit generator.
A. keystream B. digital signature
C. secure hash D. message authentication code

15. A _________ protects against an attack in which one party generates a message for
another party to sign.
A. data authenticator B. strong hash function
C. weak hash function D. digital signature

SHORT ANSWER QUESTIONS:


1. Also referred to as single-key encryption, the universal technique for providing
confidentiality for transmitted or stored data is symmetric encryption.

2. There are two general approaches to attacking a symmetric encryption scheme:
cryptanalytic attacks and brute-force attacks.

3. The decryption algorithm takes the ciphertext and the secret key and produces
the original plaintext.

4. A cryptanalytic attack exploits the characteristics of the algorithm to attempt to
deduce a specific plaintext or to deduce the key being used.

5. A block cipher processes the plaintext input in fixed-size blocks and produces a
block of ciphertext of equal size for each plaintext block.

6. A stream cipher processes the input elements continuously, producing output one
element at a time.

7. Public-key encryption was first publicly proposed by Diffie and Hellman in 1976.

8. The two criteria used to validate that a sequence of numbers is random are
independence and uniform distribution.

9. A back-end appliance is a hardware device that sits between servers and storage
systems and encrypts all data going from the server to the storage system and
decrypts data going in the opposite direction.

10. In July 1998 the Electronic Frontier Foundation (EFF) announced that it had
broken a DES encryption using a special purpose “DES cracker” machine.

11. The simplest approach to multiple block encryption is known as electronic
codebook (ECB) mode, in which plaintext is handled b bits at a time and each
block of plaintext is encrypted using the same key.

12. A pseudorandom stream is one that is unpredictable without knowledge of the
input key and which has an apparently random character.

13. The public and private key is a pair of keys that have been selected so that if one
is used for encryption, the other is used for decryption.

14. Library-based tape encryption is provided by means of a co-processor board
embedded in the tape drive and tape library hardware.

15. The purpose of the Diffie-Hellman Key Agreement algorithm is to enable two
users to securely reach agreement about a shared secret that can be used as a
secret key for subsequent symmetric encryption of messages.

Chapter 3 – User Authentication

TRUE/FALSE QUESTIONS:

T F 1. User authentication is the fundamental building block and the primary line of defense.

T F 2. Identification is the means of establishing the validity of a claimed identity provided by a user.

T F 3. Depending on the details of the overall authentication system, the registration authority issues some sort of electronic credential to the subscriber.

T F 4. Many users choose a password that is too short or too easy to guess.

T F 5. User authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic.

T F 6. A good technique for choosing a password is to use the first letter of each word of a phrase.

T F 7. User authentication is the basis for most types of access control and for
user accountability.

T F 8. Memory cards store and process data.

T F 9. Depending on the application, user authentication on a biometric system involves either verification or identification.

T F 10. Enrollment creates an association between a user and the user’s biometric characteristics.

T F 11. An individual’s signature is not unique enough to use in biometric applications.

T F 12. Identifiers should be assigned carefully because authenticated identities are the basis for other security services.

T F 13. A smart card contains an entire microprocessor.



T F 14. Keylogging is a form of host attack.

T F 15. In a biometric scheme some physical characteristic of the individual is mapped into a digital representation.

MULTIPLE CHOICE QUESTIONS:

1. __________ defines user authentication as “the process of verifying an identity
claimed by or for a system entity”.
A. RFC 4949 B. RFC 2298
C. RFC 2493 D. RFC 2328

2. Presenting or generating authentication information that corroborates the binding
between the entity and the identifier is the ___________.
A. identification step B. verification step
C. authentication step D. corroboration step

3. Recognition by fingerprint, retina, and face are examples of __________.
A. face recognition B. dynamic biometrics
C. static biometrics D. token authentication

4. A __________ is a password guessing program.
A. password hash B. password cracker
C. password biometric D. password salt

5. The __________ strategy is when users are told the importance of using hard to
guess passwords and provided with guidelines for selecting strong passwords.
A. reactive password checking B. proactive password checking
C. computer-generated password D. user education

6. A __________ strategy is one in which the system periodically runs its own
password cracker to find guessable passwords.
A. user education B. proactive password checking
C. reactive password checking D. computer-generated password

7. The most common means of human-to-human identification are __________.
A. facial characteristics B. signatures
C. retinal patterns D. fingerprints

8. __________ systems identify features of the hand, including shape, and lengths
and widths of fingers.
A. Signature B. Hand geometry
C. Fingerprint D. Palm print

9. Each individual who is to be included in the database of authorized users must first
be __________ in the system.
A. verified B. authenticated
C. identified D. enrolled

10. To counter threats to remote user authentication, systems generally rely on some
form of ___________ protocol.
A. eavesdropping B. Trojan horse
C. challenge-response D. denial-of-service

11. A __________ is when an adversary attempts to achieve user authentication
without access to the remote host or to the intervening communications path.
A. client attack B. eavesdropping attack
C. host attack D. Trojan horse attack

12. A __________ is directed at the user file at the host where passwords, token
passcodes, or biometric templates are stored.
A. eavesdropping attack B. denial-of-service attack
C. client attack D. host attack

13. A __________ attack involves an adversary repeating a previously captured user
response.
A. client B. replay
C. Trojan horse D. eavesdropping

14. An institution that issues debit cards to cardholders and is responsible for the
cardholder’s account and authorizing transactions is the _________.
A. cardholder B. auditor
C. issuer D. processor

15. __________ allows an issuer to access regional and national networks that
connect point of sale devices and bank teller machines worldwide.
A. EFT B. POS
C. BTM D. ATF

SHORT ANSWER QUESTIONS:

1. An authentication process consists of the identification step and the verification step.
2. Voice pattern, handwriting characteristics, and typing rhythm are examples of
dynamic biometrics.
3. A shadow password file is a separate file from the user IDs where hashed passwords
are kept.
4. With the complex password policy a user is allowed to select their own password, but
the system checks to see if the password is allowable.

5. The technique for developing an effective and efficient proactive password checker
based on rejecting words on a list is based on the use of a Bloom filter.
6. Objects that a user possesses for the purpose of user authentication are called tokens.
7. Authentication protocols used with smart tokens can be classified into three
categories: static, dynamic password generator, and challenge-response protocol.
8. A biometric authentication system attempts to authenticate an individual based on his
or her unique physical characteristics.
9. The retinal pattern is the pattern formed by veins beneath the retinal surface.
10. A host-generated random number is often called a nonce.
11. Eavesdropping, in the context of passwords, refers to an adversary’s attempt to learn
the password by observing the user, finding a written copy of the password, or some
similar attack that involves the physical proximity of user and adversary.
12. In a Trojan horse attack, an application or physical device masquerades as an
authentic application or device for the purpose of capturing a user password,
passcode, or biometric.
13. A denial of service attack attempts to disable a user authentication service by
flooding the service with numerous authentication attempts.
14. A cardholder is an individual to whom a debit card is issued.
15. The verification step is presenting or generating authentication information that
corroborates the binding between the entity and the identifier.

Chapter 4 – Access Control

TRUE/FALSE QUESTIONS:
T F 1. Access control is the central element of computer security.
T F 2. The authentication function determines who is trusted for a given
purpose.

T F 3. An auditing function monitors and keeps a record of user accesses to system resources.

T F 4. External devices such as firewalls cannot provide access control services.

T F 5. The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner.

T F 6. Security labels indicate which system entities are eligible to access certain resources.

T F 7. Reliable input is an access control requirement.

T F 8. A user may belong to multiple groups.

T F 9. An access right describes the way in which a subject may access an object.

T F 10. The default set of rights should always follow the rule of least privilege or read-only access.

T F 11. A user program executes in a kernel mode in which certain areas of memory are protected from the user’s use and certain instructions may not be executed.

T F 12. Any program that is owned by, and SetUID to, the “superuser” potentially grants unrestricted access to the system to any user executing that program.

T F 13. Traditional RBAC systems define the access rights of individual users and groups of users.

T F 14. A constraint is a defined relationship among roles or a condition related to roles.

T F 15. An ABAC model can define authorizations that express conditions on properties of both the resource and the subject.

MULTIPLE CHOICE QUESTIONS:

1. __________ implements a security policy that specifies who or what may have
access to each specific system resource and the type of access that is permitted in
each instance.
A. Audit control B. Resource control
C. System control D. Access control
2. __________ is verification that the credentials of a user or other system entity are
valid.
A. Adequacy B. Authentication
C. Authorization D. Audit
3. _________ is the granting of a right or permission to a system entity to access a
system resource.
A. Authorization B. Authentication
C. Control D. Monitoring
4. __________ is the traditional method of implementing access control.
A. MAC B. RBAC
C. DAC D. MBAC
5. __________ controls access based on comparing security labels with security
clearances.
A. MAC B. DAC
C. RBAC D. MBAC

6. A concept that evolved out of requirements for military information security is
______ .
A. reliable input B. mandatory access control
C. open and closed policies D. discretionary input
7. A __________ is an entity capable of accessing objects.
A. group B. object
C. subject D. owner

8. A(n) __________ is a resource to which access is controlled.
A. object B. owner
C. world D. subject
9. The final permission bit is the _________ bit.
A. superuser B. kernel
C. set user D. sticky
10. __________ is based on the roles the users assume in a system rather than the
user’s identity.
A. DAC B. RBAC
C. MAC D. URAC
11. A __________ is a named job function within the organization that controls this
computer system.
A. user B. role
C. permission D. session
12. __________ provide a means of adapting RBAC to the specifics of
administrative and security policies in an organization.
A. Constraints B. Mutually Exclusive Roles
C. Cardinality D. Prerequisites
13. __________ refers to setting a maximum number with respect to roles.
A. Cardinality B. Prerequisite
C. Exclusive D. Hierarchy
14. Subject attributes, object attributes and environment attributes are the three types
of attributes in the __________ model.
A. DSD B. RBAC
C. ABAC D. SSD
15. The __________ component deals with the management and control of the
ways entities are granted access to resources.
A. resource management B. access management
C. privilege management D. policy management

SHORT ANSWER QUESTIONS:

1. X.800 defines control access as the prevention of unauthorized use of a resource,
including the prevention of use of a resource in an unauthorized manner.

2. An independent review and examination of system records and activities in order
to test for adequacy of system controls, to ensure compliance with established policy
and operational procedures, to detect breaches in security, and to recommend any
indicated changes in control, policy and procedures is a(n) audit.

3. Role-based access control controls access based on the roles that users have
within the system and on rules stating what accesses are allowed to users in given
roles.

4. Discretionary access control controls access based on the identity of the requestor
and on access rules stating what requestors are or are not allowed to do.

5. The basic elements of access control are: subject, object and access right.

6. Basic access control systems typically define three classes of subject: owner,
group and world.
7. A discretionary access control scheme is one in which an entity may be granted
access rights that permit the entity, by its own volition, to enable another entity to
access some resource.
8. The super-user user ID is exempt from the usual file access control constraints
and has system wide access.
9. A session is a mapping between a user and an activated subset of the set of roles
to which the user is assigned.
10. Role hierarchies make use of the concept of inheritance to enable one role to
implicitly include access rights associated with a subordinate role.

11. A prerequisite role dictates that a user can only be assigned to a particular role if
it is already assigned to some other specified role and can be used to structure the
implementation of the least privilege concept.
12. There are three key elements to an ABAC model: attributes which are defined
for entities in a configuration; a policy model, which defines the ABAC policies; and
the architecture model, which applies to policies that enforce access control.
13. The three types of attributes in the ABAC model are subject attributes, object
attributes, and environment attributes.
14. A credential is an object or data structure that authoritatively binds an identity to
a token possessed and controlled by a subscriber.
15. In digital identity systems, a trust framework functions as a certification program.

Chapter 5 – Database and Cloud Security

TRUE/FALSE QUESTIONS:

T F 1. A query language provides a uniform interface to the database.


T F 2. A single countermeasure is sufficient for SQLi attacks.

T F 3. To create a relationship between two tables, the attributes that define the primary key in one table must appear as attributes in another table, where they are referred to as a foreign key.

T F 4. The value of a primary key must be unique for each tuple of its table.

T F 5. A foreign key value can appear multiple times in a table.

T F 6. A view cannot provide restricted access to a relational database so it cannot be used for security purposes.

T F 7. The database management system makes use of the database description tables to manage the physical database.

T F 8. Two disadvantages to database encryption are key management and inflexibility.

T F 9. Fixed server roles operate at the level of an individual database.

T F 10. SQL Server allows users to create roles that can then be assigned access rights to portions of the database.

T F 11. A data center generally includes backup power supplies.

T F 12. Site security of the data center itself includes barriers to entry, coupled with authentication techniques for gaining physical access.

T F 13. Network security is extremely important in a facility in which such a large collection of assets is concentrated in a single place and accessible by external network connections.

T F 14. Security specifically tailored to databases is an increasingly important component of an overall organizational security strategy.

T F 15. Encryption becomes the last line of defense in database security.

MULTIPLE CHOICE QUESTIONS:

1. A(n) __________ is a structured collection of data stored for use by one or more
applications.
A. attribute B. database
C. tuple D. inference
2. The basic building block of a __________ is a table of data, consisting of rows
and columns, similar to a spreadsheet.
A. relational database B. query set
C. DBMS D. perturbation
3. In relational database parlance, the basic building block is a __________, which is
a flat table.
A. attribute B. tuple
C. primary key D. relation
4. In a relational database rows are referred to as _________.
A. relations B. attributes
C. views D. tuples
5. A _________ is defined to be a portion of a row used to uniquely identify a row in
a table.
A. foreign key B. query
C. primary key D. data perturbation
6. A _________ is a virtual table.
A. tuple B. query
C. view D. DBMS
7. A(n) __________ is a user who has administrative responsibility for part or all of
the database.
A. administrator B. database relations manager
C. application owner D. end user other than application owner

8. An end user who operates on database objects via a particular application but does
not own any of the database objects is the __________.
A. application owner B. end user other than application owner
C. foreign key D. administrator
9. __________ is the process of performing authorized queries and deducing
unauthorized information from the legitimate responses received.
A. Perturbation B. Inference
C. Compromise D. Partitioning
10. A ___________ is the portion of the data center that houses data processing
equipment.
A. computer room B. main distribution area
C. entrance room D. horizontal distribution area
11. __________ houses cross-connects and active equipment for distributing cable
to the equipment distribution area.
A. Main distribution area B. Equipment distribution area
C. Horizontal distribution area D. Zone distribution area
12. __________ encompasses intrusion detection, prevention and response.
A. Intrusion management B. Security assessments
C. Database access control D. Data loss prevention
13. _________ is an organization that produces data to be made available for
controlled release, either within the organization or to external users.
A. Client B. Data owner
C. User D. Server
14. __________ is an organization that receives the encrypted data from a data
owner and makes them available for distribution to clients.
A. User B. Client
C. Data owner D. Server


15. __________ specifies the minimum requirements for telecommunications
infrastructure of data centers.
A. TIA-492 B. RFC-4949
C. NIST-7883 D. RSA-298

SHORT ANSWER QUESTIONS:

16. A database management system (DBMS) is a suite of programs for constructing
and maintaining the database and for offering ad hoc query facilities to multiple users
and applications.
17. In a relational database columns are referred to as attributes.
18. A view is the result of a query that returns selected rows and columns from one or
more tables.
19. Structured query language (SQL) is a standardized language that can be used to
define schema, manipulate, and query data in a relational database.
20. With ownership-based administration the owner (creator) of a table may grant
and revoke access rights to the table.
21. In a centralized administration a small number of privileged users may grant and
revoke access rights.
22. In addition to granting and revoking access rights to a table, in a decentralized
administration the owner of the table may grant and revoke authorization rights to
other users, allowing them to grant and revoke access rights to the table.
23. In a discretionary access control environment database users are classified into
three broad categories: administrator, end user other than application owner, and
application owner.
24. The information transfer path by which unauthorized data is obtained is referred
to as an inference channel.
25. The SQLi attack typically works by prematurely terminating a text string and
appending a new command.
26. The tautology form of attack injects code in one or more conditional statements
so they always evaluate to true.
27. A query language provides a uniform interface to the database for users and
applications.
28. Inband, out-of-band, and inferential are the three main categories of SQLi attack
types.
29. A data center is an enterprise facility that houses a large number of servers,
storage devices, and network switches and equipment.
30. The Telecommunications Industry Association standard TIA-492 specifies the
minimum requirements for telecommunications infrastructure of data centers.

Chapter 6 – Malicious Software

TRUE/FALSE QUESTIONS:

T F 1. Malicious software aims to trick users into revealing sensitive personal
data.
T F 2. Keyware captures keystrokes on a compromised system.
T F 3. Metamorphic code is software that can be shipped unchanged to a
heterogeneous collection of platforms and execute with identical
semantics.

T F 4. A virus that attaches to an executable program can do anything that the
program is permitted to do.

T F 5. It is not possible to spread a virus via a USB stick.

T F 6. A logic bomb is the event or condition that determines when the
payload is activated or delivered.

T F 7. Many forms of infection can be blocked by denying normal users the
right to modify programs on the system.

T F 8. A macro virus infects executable portions of code.

T F 9. E-mail is a common method for spreading macro viruses.

T F 10. In addition to propagating, a worm usually carries some form of
payload.

T F 11. A Trojan horse is an apparently useful program containing hidden
code that, when invoked, performs some harmful function.

T F 12. Packet sniffers are mostly used to retrieve sensitive information like
usernames and passwords.

T F 13. A bot propagates itself and activates itself, whereas a worm is initially
controlled from some central facility.

T F 14. Every bot has a distinct IP address.

T F 15. Programmers use backdoors to debug and test programs.

MULTIPLE CHOICE QUESTIONS:

1. A program that is covertly inserted into a system with the intent of compromising
the integrity or confidentiality of the victim’s data is __________.
A. Adobe B. Animoto
C. malware D. Prezi
2. __________ are used to send large volumes of unwanted e-mail.
A. Rootkits B. Spammer programs
C. Downloaders D. Auto-rooters
3. A __________ is code inserted into malware that lies dormant until a predefined
condition, which triggers an unauthorized act, is met.
A. logic bomb B. trapdoor
C. worm D. Trojan horse
4. The term “computer virus” is attributed to __________.
A. Herman Hollerith B. Fred Cohen
C. Charles Babbage D. Albert Einstein
5. Computer viruses first appeared in the early __________.
A. 1960s B. 1970s
C. 1980s D. 1990s
6. The __________ is what the virus “does”.
A. infection mechanism B. trigger
C. logic bomb D. payload
7. The __________ is when the virus function is performed.
A. dormant phase B. propagation phase
C. triggering phase D. execution phase
8. During the __________ the virus is idle.
A. dormant phase B. propagation phase
C. triggering phase D. execution phase
9. A __________ uses macro or scripting code, typically embedded in a document
and triggered when the document is viewed or edited, to run and replicate itself
into other such documents.
A. boot sector infector B. file infector
C. macro virus D. multipartite virus
10. __________ is the first function in the propagation phase for a network worm.
A. Propagating B. Fingerprinting
C. Keylogging D. Spear phishing
11. Unsolicited bulk e-mail is referred to as __________.
A. spam B. propagating
C. phishing D. crimeware
12. __________ is malware that encrypts the user’s data and demands payment in
order to access the key needed to recover the information.
A. Trojan horse B. Ransomware
C. Crimeware D. Polymorphic
13. A __________ attack is a bot attack on a computer system or network that causes
a loss of service to users.
A. spam B. phishing
C. DDoS D. sniff
14. The ideal solution to the threat of malware is __________.
A. identification B. removal
C. detection D. prevention
15. __________ will integrate with the operating system of a host computer and
monitor program behavior in real time for malicious actions.
A. Fingerprint-based scanners B. Behavior-blocking software
C. Generic decryption technology D. Heuristic scanners

SHORT ANSWER QUESTIONS:

31. A rootkit is a set of programs installed on a system to maintain covert access to
that system with administrator (root) privileges while hiding evidence of its presence.
32. A blended attack uses multiple methods of infection or propagation to maximize
the speed of contagion and the severity of the attack.
33. A computer virus is a piece of software that can “infect” other programs or any
type of executable content and tries to replicate itself.
34. Sometimes referred to as the “infection vector”, the infection mechanism is the
means by which a virus spreads or propagates.
35. Sometimes known as a “logic bomb”, the trigger is the event or condition that
determines when the payload is activated or delivered.
36. The four phases of a typical virus are: dormant phase, triggering phase, execution
phase and propagation phase.
37. During the triggering phase the virus is activated to perform the function for
which it was intended.
38. A stealth virus is explicitly designed to hide itself from detection by anti-virus
software.
39. Mobile code refers to programs that can be shipped unchanged to a heterogeneous
collection of platforms and execute with identical semantics.
40. A drive-by-download is when a user views a Web page controlled by the
attacker that contains a code that exploits the browser bug and downloads and installs
malware on the system without the user’s knowledge or consent.
41. A botnet is a collection of bots capable of acting in a coordinated manner.
42. A bot can use a keylogger to capture keystrokes on the infected machine to
retrieve sensitive information.
43. Countermeasures for malware are generally known as anti-virus mechanisms
because they were first developed to specifically target virus infections.
44. Because dynamic analysis software can block suspicious software in real time, it
has an advantage over such established anti-virus detection techniques as
fingerprinting or heuristics.
45. Two types of perimeter monitoring software are ingress monitoring and egress
monitoring.

Chapter 7 – Denial-of-Service Attacks

TRUE/FALSE QUESTIONS:

T F 1. A denial-of-service attack is an attempt to compromise availability by
hindering or blocking completely the provision of some service.

T F 2. DoS attacks cause damage or destruction of IT infrastructures.


T F 3. A DoS attack targeting application resources typically aims to overload
or crash its network handling software.

T F 4. The SYN spoofing attack targets the table of TCP connections on the
server.

T F 5. A cyberslam is an application attack that consumes significant
resources, limiting the server’s ability to respond to valid requests from
other users.

T F 6. The source of the attack is explicitly identified in the classic ping flood
attack.

T F 7. Given sufficiently privileged access to the network handling code on a
computer system, it is difficult to create packets with a forged source
address.

T F 8. SYN-ACK and ACK packets are transported using IP, which is an
unreliable network protocol.

T F 9. The attacker needs access to a high-volume network connection for a
SYN spoof attack.

T F 10. Flooding attacks take a variety of forms based on which network
protocol is being used to implement the attack.

T F 11. The best defense against being an unwitting participant in a DDoS
attack is to prevent your systems from being compromised.

T F 12. A SIP flood attack exploits the fact that a single INVITE request
triggers considerable resource consumption.

T F 13. Slowloris is a form of ICMP flooding.

T F 14. Reflector and amplifier attacks use compromised systems running the
attacker’s programs.

T F 15. There is very little that can be done to prevent a flash crowd.

MULTIPLE CHOICE QUESTIONS:

1. ______ relates to the capacity of the network links connecting a server to the
wider Internet.
A. Application resource B. Network bandwidth
C. System payload D. Directed broadcast

2. A ______ triggers a bug in the system’s network handling software causing it to
crash and the system can no longer communicate over the network until this
software is reloaded.
A. echo B. reflection
C. poison packet D. flash flood

3. Using forged source addresses is known as _________.
A. source address spoofing B. a three-way address
C. random dropping D. directed broadcast

4. The ______ attacks the ability of a network server to respond to TCP connection
requests by overflowing the tables used to manage such connections.
A. DNS amplification attack B. SYN spoofing attack
C. basic flooding attack D. poison packet attack

5. TCP uses the _______ to establish a connection.
A. zombie B. SYN cookie
C. directed broadcast D. three-way handshake
6. _______ bandwidth attacks attempt to take advantage of the disproportionally large
resource consumption at a server.
A. Application-based B. System-based
C. Random D. Amplification
7. _______ is a text-based protocol with a syntax similar to that of HTTP.
A. RIP B. DIP
C. SIP D. HIP
8. Bots starting from a given HTTP link and then following all links on the provided
Web site in a recursive way is called _______.
A. trailing B. spidering
C. spoofing D. crowding
9. ______ attempts to monopolize all of the available request handling threads on the
Web server by sending HTTP requests that never complete.
A. HTTP B. Reflection attacks
C. SYN flooding D. Slowloris
10. A characteristic of reflection attacks is the lack of _______ traffic.
A. backscatter B. network
C. three-way D. botnet
11. In both direct flooding attacks and ______ the use of spoofed source addresses
results in response packets being scattered across the Internet and thus detectable.
A. SYN spoofing attacks B. indirect flooding attacks
C. ICMP attacks D. system address spoofing
12. In a _______ attack the attacker creates a series of DNS requests containing the
spoofed source address for the target system.
A. SYN flood B. DNS amplification
C. poison packet D. UDP flood

13. It is possible to specifically defend against the ______ by using a modified version of
the TCP connection handling code.
A. three-way handshake B. UDP flood
C. SYN spoofing attack D. flash crowd
14. Modifying the system’s TCP/IP network code to selectively drop an entry for an
incomplete connection from the TCP connections table when it overflows, allowing a
new connection attempt to proceed is _______.
A. poison packet B. slashdot
C. backscatter traffic D. random drop
15. When a DoS attack is detected, the first step is to _______.
A. identify the attack B. analyze the response
C. design blocking filters D. shut down the network

SHORT ANSWER QUESTIONS:


1. The ICMP echo response packets generated in response to a ping flood using
randomly spoofed source addresses are known as backscatter traffic.

2. Flooding attacks flood the network link to the server with a torrent of malicious
packets competing with valid traffic flowing to the server.

3. The standard protocol used for call setup in VoIP is the Session Initiation
Protocol.

4. Requests and responses are the two different types of SIP messages.

5. An HTTP flood refers to an attack that bombards Web servers with HTTP
requests.

6. During a reflection attack, the attacker sends packets to a known service on the
intermediary with a spoofed source address of the actual target system and when
the intermediary responds, the response is sent to the target.

7. In reflection attacks, the spoofed source address directs all the packets at the
desired target and any responses to the intermediary.

8. Amplification attacks are a variant of reflector attacks and also involve sending a
packet with a spoofed source address for the target system to intermediaries.

9. The best defense against broadcast amplification attacks is to block the use of IP-
directed broadcasts.

10. The four lines of defense against DDoS attacks are: attack prevention and
preemption, attack detection and filtering, attack source traceback and
identification, and attack reaction.

11. Since filtering needs to be done as close to the source as possible by routers or
gateways knowing the valid address ranges of incoming packets, an ISP is best
placed to ensure that valid source addresses are used in all packets from its
customers.

12. A captcha is a graphical puzzle used to attempt to identify legitimate human
initiated interactions.

13. To respond successfully to a DoS attack a good incident response plan is needed
that includes details of how to contact technical personnel for your ISP(s).

14. If an organization is dependent on network services it should consider mirroring
and replicating these servers over multiple sites with multiple network
connections.

15. A denial-of-service (DoS) is an action that prevents or impairs the authorized use
of networks, systems, or applications by exhausting resources such as central
processing units, memory, bandwidth, and disk space.

Chapter 8 – Intrusion Detection

TRUE/FALSE QUESTIONS:
T F 1. An intruder can also be referred to as a hacker or cracker.
T F 2. Activists are either individuals or members of an organized crime
group with a goal of financial reward.

T F 3. Running a packet sniffer on a workstation to capture usernames and
passwords is an example of intrusion.
T F 4. Those who hack into computers do so for the thrill of it or for status.
T F 5. Intruders typically use steps from a common attack methodology.

T F 6. The IDS component responsible for collecting data is the user interface.

T F 7. Intrusion detection is based on the assumption that the behavior of the
intruder differs from that of a legitimate user in ways that can be
quantified.

T F 8. The primary purpose of an IDS is to detect intrusions, log suspicious
events, and send alerts.

T F 9. Signature-based approaches attempt to define normal, or expected,
behavior, whereas anomaly approaches attempt to define proper
behavior.

T F 10. Anomaly detection is effective against misfeasors.

T F 11. To be of practical use an IDS should detect a substantial percentage of
intrusions while keeping the false alarm rate at an acceptable level.

T F 12. An inline sensor monitors a copy of network traffic; the actual traffic
does not pass through the device.

T F 13. A common location for a NIDS sensor is just inside the external
firewall.

T F 14. Network-based intrusion detection makes use of signature detection
and anomaly detection.

T F 15. Snort can perform intrusion prevention but not intrusion detection.

MULTIPLE CHOICE QUESTIONS:

1. _________ are either individuals or members of a larger group of outsider attackers
who are motivated by social or political causes.
A. State-sponsored organizations B. Activists
C. Cyber criminals D. Others
2. A _________ is a security event that constitutes a security incident in which an
intruder gains access to a system without having authorization to do so.
A. intrusion detection B. IDS
C. criminal enterprise D. security intrusion
3. A _________ monitors the characteristics of a single host and the events occurring
within that host for suspicious activity.
A. host-based IDS B. security intrusion
C. network-based IDS D. intrusion detection
4. A ________ monitors network traffic for particular network segments or devices and
analyzes network, transport, and application protocols to identify suspicious activity.
A. host-based IDS B. security intrusion
C. network-based IDS D. intrusion detection
5. The ________ is responsible for determining if an intrusion has occurred.
A. analyzer B. host
C. user interface D. sensor
6. __________ involves an attempt to define a set of rules or attack patterns that can be
used to decide if a given behavior is that of an intruder.
A. Profile based detection B. Signature detection
C. Threshold detection D. Anomaly detection
7. _________ involves the collection of data relating to the behavior of legitimate users
over a period of time.
A. Profile based detection B. Signature detection
C. Threshold detection D. Anomaly detection

8. A(n) __________ is a hacker with minimal technical skill who primarily uses existing
attack toolkits.
A. Master B. Apprentice
C. Journeyman D. Activist
9. The _________ module analyzes LAN traffic and reports the results to the central
manager.
A. LAN monitor agent B. host agent
C. central manager agent D. architecture agent
10. The purpose of the ________ module is to collect data on security related events on
the host and transmit these to the central manager.
A. central manager agent B. LAN monitor agent
C. host agent D. architecture agent
11. A(n) ________ is inserted into a network segment so that the traffic that it is
monitoring must pass through the sensor.
A. passive sensor B. analysis sensor
C. LAN sensor D. inline sensor
12. A(n) ________ event is an alert that is generated when the gossip traffic enables a
platform to conclude that an attack is under way.
A. PEP B. DDI
C. IDEP D. IDME
13. _________ is a document that describes the application level protocol for exchanging
data between intrusion detection entities.
A. RFC 4767 B. RFC 4766
C. RFC 4765 D. RFC 4764
14. The rule _______ tells Snort what to do when it finds a packet that matches the rule
criteria.
A. protocol B. direction
C. action D. destination port

15. The _______ is the ID component that analyzes the data collected by the sensor for
signs of unauthorized or undesired activity or for events that might be of interest to
the security administrator.
A. data source B. sensor
C. operator D. analyzer

SHORT ANSWER QUESTIONS:


1. The broad classes of intruders are: cyber criminals, state-sponsored
organizations, activists, and others.

2. A journeyman is a hacker with sufficient technical skills to modify and extend
attack toolkits to use newly discovered vulnerabilities.
3. The user interface to an IDS enables a user to view output from the system or
control the behavior of the system.
4. Intrusion Detection is a security service that monitors and analyzes system
events for the purpose of finding, and providing real-time warning of attempts to
access system resources in an unauthorized manner.

5. An IDS comprises three logical components: analyzers, user interface and
sensors.
6. Copying a database containing credit card numbers, viewing sensitive data
without authorization, and guessing and cracking passwords are examples of
intrusion.
7. Profile-based anomaly detection focuses on characterizing the past behavior of
individual users or related groups of users and then detecting significant
deviations.
8. Signature detection techniques detect intrusion by observing events in the system
and applying a set of rules that lead to a decision regarding whether a given
pattern of activity is or is not suspicious.
9. Neural networks simulate human brain operation with neurons and synapses
between them that classify observed data.
10. A network-based IDS (NIDS) monitors traffic at selected points on a network or
interconnected set of networks.
11. The Intrusion Detection Message Exchange Requirements (RFC 4766)
document defines requirements for the Intrusion Detection Message Exchange
Format (IDMEF).
12. The functional components of an IDS are: data source, sensor, analyzer,
administration, manager, and operator.
13. The security policy is the predefined formally documented statement that defines
what activities are allowed to take place on an organization’s network or on
particular hosts to support the organization’s requirements.

14. Honeypots are decoy systems that are designed to lure a potential attacker away
from critical systems.
15. The administrator is the human with overall responsibility for setting the
security policy of the organization, and, thus, for decisions about deploying and
configuring the IDS.

Chapter 9 – Firewalls and Intrusion Prevention Systems

TRUE/FALSE QUESTIONS:

T F 1. The firewall may be a single computer system or a set of two or more
systems that cooperate to perform the firewall function.

T F 2. A firewall can serve as the platform for IPSec.

T F 3. The firewall can protect against attacks that bypass the firewall.

T F 4. A packet filtering firewall is typically configured to filter packets going
in both directions.

T F 5. One disadvantage of a packet filtering firewall is its simplicity.

T F 6. The countermeasure to tiny fragment attacks is to discard packets with
an inside source address if the packet arrives on an external interface.

T F 7. A traditional packet filter makes filtering decisions on an individual
packet basis and does not take into consideration any higher layer
context.

T F 8. A prime disadvantage of an application-level gateway is the additional
processing overhead on each connection.

T F 9. The primary role of the personal firewall is to deny unauthorized
remote access to the computer.

T F 10. A DMZ is one of the internal firewalls protecting the bulk of the
enterprise network.

T F 11. A logical means of implementing an IPSec is in a firewall.

T F 12. Distributed firewalls protect against internal attacks and provide
protection tailored to specific machines and applications.

T F 13. An important aspect of a distributed firewall configuration is security
monitoring.

T F 14. Unlike a firewall, an IPS does not block traffic.

T F 15. Snort Inline enables Snort to function as an intrusion prevention
capability.

MULTIPLE CHOICE QUESTIONS:

1. _________ control determines the types of Internet services that can be accessed,
inbound or outbound.
A. Behavior B. Direction
C. Service D. User

2. _________ control controls how particular services are used.
A. Service B. Behavior
C. User D. Direction

3. _________ control determines the direction in which particular service requests may
be initiated and allowed to flow through the firewall.
A. Behavior B. User
C. Direction D. Service

4. ________ control controls access to a service according to which user is attempting to
access it.
A. User B. Direction
C. Service D. Behavior

5. The _________ defines the transport protocol.
A. destination IP address B. source IP address
C. interface D. IP protocol field

6. A __________ gateway sets up two TCP connections, one between itself and a TCP
user on an inner host and one between itself and a TCP user on an outside host.
A. packet filtering B. stateful inspection
C. application-level D. circuit-level

7. An example of a circuit-level gateway implementation is the __________ package.
A. application-level B. SOCKS
C. SMTP D. stateful inspection

8. Typically the systems in the _________ require or foster external connectivity such as
a corporate Web site, an e-mail server, or a DNS server.
A. DMZ B. IP protocol field
C. boundary firewall D. VPN

9. A _________ consists of a set of computers that interconnect by means of a relatively
unsecure network and makes use of encryption and special protocols to provide security.
A. proxy B. UTM
C. VPN D. stateful inspection firewall

10. A _________ configuration involves stand-alone firewall devices plus host-based
firewalls working together under a central administrative control.
A. packet filtering firewall B. distributed firewall
C. personal firewall D. stateful inspection firewall

11. Typical for SOHO applications, a __________ is a single router between internal and
external networks with stateless or full packet filtering.
A. single bastion T B. double bastion inline
C. screening router D. host-resident firewall

12. __________ are attacks that attempt to give ordinary users root access.
A. Privilege-escalation exploits B. Directory transversals
C. File system access D. Modification of system resources

13. __________ scans for attack signatures in the context of a traffic stream rather than
individual packets.
A. Pattern matching B. Protocol anomaly
C. Traffic anomaly D. Stateful matching

14. __________ looks for deviation from standards set forth in RFCs.
A. Statistical anomaly B. Protocol anomaly
C. Pattern matching D. Traffic anomaly

15. The _________ attack is designed to circumvent filtering rules that depend on TCP
header information.
A. tiny fragment B. address spoofing
C. source routing D. bastion host

SHORT ANSWER QUESTIONS:

1. The firewall is inserted between the premises network and the Internet to
establish a controlled link and to erect an outer security wall or perimeter to
protect the premises network from Internet-based attacks.

2. A packet filtering firewall applies a set of rules to each incoming and outgoing
IP packet and then forwards or discards the packet.
3. The source IP address is the IP address of the system that originated the IP
packet.

4. An intruder transmitting packets from the outside with a source IP address field
containing an address of an internal host is known as IP address spoofing.

5. The SOCKS protocol is an example of a circuit-level gateway implementation
that is conceptually a “shim-layer” between the application layer and the transport
layer and does not provide network-layer gateway services.

6. Identified as a critical strong point in the network’s security, the bastion host
serves as a platform for an application-level or circuit-level gateway.

7. A personal firewall controls the traffic between a personal computer or
workstation on one side and the Internet or enterprise network on the other side.

8. A VPN (virtual private network) uses encryption and authentication in the lower
protocol layers to provide a secure connection through an otherwise insecure
network, typically the Internet.

9. IPSec protocols operate in networking devices, such as a router or firewall, and
will encrypt and compress all traffic going into the WAN and decrypt and
uncompress traffic coming from the WAN.

10. A host-based IPS (HIPS) makes use of both signature and anomaly detection
techniques to identify attacks.

11. Pattern matching scans incoming packets for specific byte sequences (the
signature) stored in a database of known attacks.

12. Traffic anomaly watches for unusual traffic activities, such as a flood of UDP
packets or a new service appearing on the network.

13. Snort Inline adds three new rule types: drop, reject, and Sdrop.

14. A single device that integrates a variety of approaches to dealing with network-
based attacks is referred to as a UTM (unified threat management) system.

15. The firewall follows the classic military doctrine of “defense in depth” because it
provides an additional layer of defense.

Chapter 10 – Buffer Overflow

TRUE/FALSE QUESTIONS:

T F 1. Buffer overflow attacks are one of the most common attacks seen.

T F 2. Buffer overflow exploits are no longer a major source of concern to
security practitioners.

T F 3. A buffer overflow error is not likely to lead to eventual program
termination.

T F 4. To exploit any type of buffer overflow the attacker needs to identify a
buffer overflow vulnerability in some program that can be triggered
using externally sourced data under the attacker’s control.

T F 5. At the basic machine level, all of the data manipulated by machine
instructions executed by the computer processor are stored in either the
processor’s registers or in memory.

T F 6. Even though it is a high-level programming language, Java still suffers
from buffer overflows because it permits more data to be saved into a
buffer than it has space for.

T F 7. Stack buffer overflow attacks were first seen in the Aleph One Worm.

T F 8. A stack overflow can result in some form of a denial-of-service attack
on a system.

T F 9. An attacker is more interested in transferring control to a location and
code of the attacker’s choosing rather than immediately crashing the
program.

T F 10. The potential for a buffer overflow exists anywhere that data is copied
or merged into a buffer, where at least some of the data are read from
outside the program.

T F 11. Shellcode is not specific to a particular processor architecture.

T F 12. There are several generic restrictions on the content of shellcode.

T F 13. An attacker can generally determine in advance exactly where the
targeted buffer will be located in the stack frame of the function in
which it is defined.

T F 14. Shellcode must be able to run no matter where in memory it is
located.

T F 15. Buffer overflows can be found in a wide variety of programs,
processing a range of different input, and with a variety of possible
responses.

MULTIPLE CHOICE QUESTIONS:

1. The buffer overflow type of attack has been known since it was first widely used by
the __________ Worm in 1988.
A. Code Red B. Slammer
C. Morris Internet D. Alpha One

2. A buffer _________ is a condition at an interface under which more input can be
placed into a buffer or data holding area than the capacity allocated, overwriting
other information.
A. overflow B. overrun
C. overwrite D. all the above

3. A consequence of a buffer overflow error is __________ .
A. corruption of data used by the program
B. unexpected transfer of control in the program
C. possible memory access violation
D. all the above

4. A stack buffer overflow is also referred to as ___________ .
A. stack framing B. stack smashing
C. stack shocking D. stack running

5. The function of ________ was to transfer control to a user command-line interpreter,
which gave access to any program available on the system with the privileges of the
attacked program.
A. shellcode B. stacking
C. no-execute D. memory management

6. The Packet Storm Web site includes a large collection of packaged shellcode,
including code that can:
A. create a reverse shell that connects back to the hacker
B. flush firewall rules that currently block other attacks
C. set up a listening service to launch a remote shell when connected to
D. all the above

7. __________ aim to prevent or detect buffer overflows by instrumenting programs
when they are compiled.
A. Compile-time defenses B. Shellcodes
C. Run-time defenses D. All the above

8. __________ can prevent buffer overflow attacks, typically of global data, which
attempt to overwrite adjacent regions in the process’s address space, such as the
global offset table.
A. MMUs B. Guard pages
C. Heaps D. All the above

9. _________ is a form of overflow attack.
A. Heap overflows B. Return to system call
C. Replacement stack frame D. All the above

10. The __________ used a buffer overflow exploit in “fingerd” as one of its attack
mechanisms.
A. Code Red Worm B. Sasser Worm
C. Morris Internet Worm D. Slammer Worm

11. In 2003 the _________ exploited a buffer overflow in Microsoft SQL Server 2000.
A. Slammer worm B. Morris Internet Worm
C. Sasser worm D. Code Red worm

12. A buffer overflow in Microsoft Windows 2000/XP Local Security Authority
Subsystem Service was exploited by the _________ .
A. Aleph One B. Sasser worm
C. Slammer worm D. none of the above

13. The buffer is located __________ .
A. in the heap B. on the stack
C. in the data section of the process D. all the above

14. _________ is a tool used to automatically identify potentially vulnerable programs.
A. Slamming B. Sledding
C. Fuzzing D. All the above

15. Traditionally the function of __________ was to transfer control to a user
command-line interpreter, which gave access to any program available on the
system with the privileges of the attacked program.
A. shellcode B. C coding
C. assembly language D. all the above

SHORT ANSWER QUESTIONS:

1. A ___Buffer overflow (can also accept buffer overrun or buffer overwrite as
the answer)_______ can occur as a result of a programming error when a process
attempts to store data beyond the limits of a fixed-size buffer and consequently
overwrites adjacent memory locations.

2. Data is simply an array of ____bytes_____ .

3. A ___stack buffer________ overflow occurs when the targeted buffer is located
on the stack, usually as a local variable in a function’s stack frame.

4. “Smashing the Stack for Fun and Profit” was a step by step introduction to
exploiting stack-based buffer overflow vulnerabilities that was published in
Phrack magazine by ____Aleph One_____ .

5. An essential component of many buffer overflow attacks is the transfer of
execution to code supplied by the attacker and often saved in the buffer being
overflowed. This code is known as __shellcode_______ .

6. Shellcode has to be ___position independent_______, which means it cannot
contain any absolute address referring to itself.

7. Compile-time defenses aim to harden programs to resist attacks in new programs.

8. Run-time defenses aim to detect and abort attacks in existing programs.

9. The OpenBSD project produces a free, multiplatform 4.4BSD-based UNIX-like
operating system.

10. Stackguard is one of the best known protection mechanisms that is a GCC
compiler extension that inserts additional function entry and exit code.

11. A canary value is named after the miner’s bird used to detect poisonous air in a
mine and warn miners in time for them to escape.

12. Off-by-one attacks can occur in a binary buffer copy when the programmer has
included code to check the number of bytes being transferred, but due to a coding
error, allows just one more byte to be copied than there is space available.

13. The heap is typically located above the program code and global data and grows
up in memory (while the stack grows down toward it).

14. Gaps, or guard pages, are flagged in the MMU as illegal addresses, and any
attempt to access them results in the process being aborted.

15. In the classic stack buffer overflow, the attacker overwrites a buffer located in the
local variable area of a stack frame and then overwrites the saved frame pointer
and return address.

Chapter 11 – Software Security

TRUE/FALSE QUESTIONS:

T F 1. Many computer security vulnerabilities result from poor programming
practices.

T F 2. Security flaws occur as a consequence of sufficient checking and
validation of data and error codes in programs.

T F 3. Software security is closely related to software quality and reliability.

T F 4. A difference between defensive programming and normal practices is
that everything is assumed.

T F 5. Programmers often make assumptions about the type of inputs a
program will receive.

T F 6. Defensive programming requires a changed mindset to traditional
programming practices.

T F 7. To counter XSS attacks a defensive programmer needs to explicitly
identify any assumptions as to the form of input and to verify that any
input data conform to those assumptions before any use of the data.

T F 8. Injection attack variants can occur whenever one program invokes the
services of another program, service, or function and passes to it
externally sourced, potentially untrusted information without sufficient
inspection and validation of it.

T F 9. Cross-site scripting attacks attempt to bypass the browser’s security
checks to gain elevated access privileges to sensitive data belonging to
another site.

T F 10. To prevent XSS attacks any user supplied input should be examined
and any dangerous code removed or escaped to block its execution.

T F 11. An ASCII character can be encoded as a 1 to 4 byte sequence using
the UTF-8 encoding.

T F 12. There is a problem anticipating and testing for all potential types of
non-standard inputs that might be exploited by an attacker to subvert a
program.

T F 13. Key issues from a software security perspective are whether the
implemented algorithm correctly solves the specified problem,
whether the machine instructions executed correctly represent the
high level algorithm specification, and whether the manipulation of
data values in variables is valid and meaningful.

T F 14. Without suitable synchronization of accesses it is possible that values
may be corrupted, or changes lost, due to overlapping access, use,
and replacement of shared values.

T F 15. The correct implementation in the case of an atomic operation is to
test separately for the presence of the lockfile and to not always
attempt to create it.

MULTIPLE CHOICE QUESTIONS:

13. “Incorrect Calculation of Buffer Size” is in the __________ software error category.
A. Porous Defenses
B. Allocation of Resources
C. Risky Resource Management
D. Insecure Interaction Between Components

14. “Improper Access Control (Authorization)” is in the _________ software error
category.
A. Porous Defenses
B. Allocation of Resources
C. Risky Resource Management
D. Insecure Interaction Between Components

15. Defensive programming is sometimes referred to as _________.
A. variable programming B. secure programming
C. interpretive programming D. chroot programming

16. Incorrect handling of program _______ is one of the most common failings in
software security.
A. lines B. input
C. output D. disciplines

17. _________ is a program flaw that occurs when program input data can accidentally
or deliberately influence the flow of execution of the program.
A. PHP attack B. Format string injection attack
C. XSS attack D. Injection attack

18. A _________ attack occurs when the input is used in the construction of a command
that is subsequently executed by the system with the privileges of the Web server.
A. command injection B. SQL injection
C. code injection D. PHP remote code injection

19. A _______ attack is where the input includes code that is then executed by the
attacked system.
A. SQL injection B. cross-site scripting
C. code injection D. interpreter injection

20. Blocking assignment of form field values to global variables is one of the defenses
available to prevent a __________ attack.
A. PHP remote code injection B. mail injection
C. command injection D. SQL injection

21. __________ attacks are vulnerabilities involving the inclusion of script code in the
HTML content of a Web page displayed by a user’s browser.
A. PHP file inclusion B. Mail injection
C. Code injection D. Cross-site scripting

22. A ________ is a pattern composed of a sequence of characters that describe
allowable input variants.
A. canonicalization B. race condition
C. regular expression D. shell script

23. The intent of ________ is to determine whether the program or function correctly
handles all abnormal inputs or whether it crashes or otherwise fails to respond
appropriately.
A. shell scripting B. fuzzing
C. canonicalization D. deadlocking

24. A steady reduction in memory available on the heap to the point where it is
completely exhausted is known as a ________.
A. fuzzing B. deadlock
C. memory injection D. memory leak

25. The most common technique for using an appropriate synchronization mechanism to
serialize the accesses to prevent errors is to acquire a _______ on the shared file,
ensuring that each process has appropriate access in turn.
A. lock B. code injection
C. chroot jail D. privilege escalation

14. _________ are a collection of string values inherited by each process from its parent
that can affect the way a running process behaves.
A. Deadlocks B. Privileges
C. Environment variables D. Race conditions

15. The most common variant of injecting malicious script content into pages returned to
users by the targeted sites is the _________ vulnerability.
A. XSS reflection B. chroot jail
C. atomic bomb D. PHP file inclusion

SHORT ANSWER QUESTIONS:

16. “Failure to Preserve SQL Query Structure” is in the Insecure Interaction Between
Components CWE/SANS software error category.

17. Defensive programming is a form of design intended to ensure the continuing
function of a piece of software despite unforeseeable usage of the software.

18. Program input refers to any source of data that originates outside the program and
whose value is not explicitly known by the programmer when the code was
written.

19. Two key areas of concern for any input are the _ size _ of the input and the
meaning and interpretation of the input.

20. A number of widely used standard C library routines compound the problem of
buffer overflow by not providing any means of limiting the amount of data
transferred to the space available in the buffer.

21. Program input data may be broadly classified as textual or binary.

22. In the SQL injection attack the user supplied input is used to construct a SQL
request to retrieve information from a database.

23. Cross-site scripting attacks are most commonly seen in scripted Web applications.

24. A variant where the attacker includes malicious script content in data supplied to
a site is the XSS reflection vulnerability.

25. The process of transforming input data that involves replacing alternate,
equivalent encodings by one common value is called canonicalization.

26. The major advantage of fuzzing is its simplicity and its freedom from assumptions
about the expected input to any program, service, or function.

27. A race condition occurs when multiple processes and threads compete to gain
uncontrolled access to some resource.

28. UNIX related systems provide the chroot system function to limit a program’s
view of the file system to just one carefully configured section that is known as a
chroot jail.

29. If privileges are greater than those already available to the attacker the result is a
privilege escalation.

30. The principle of least privilege strongly suggests that programs should execute
with the least amount of privileges needed to complete their function.

Chapter 12 – Operating System Security

TRUE/FALSE QUESTIONS:

T F 1. Most large software systems do not have security weaknesses.

T F 2. Each layer of code needs appropriate hardening measures in place to
provide appropriate security services.

T F 3. Lower layer security does not impact upper layers.

T F 4. It is possible for a system to be compromised during the installation
process.

T F 5. A plan needs to identify appropriate personnel to install and manage
the system, noting any training needed.

T F 6. The purpose of the system does not need to be taken into consideration
during the system security planning process.

T F 7. The default configuration for many operating systems usually
maximizes security.

T F 8. Ideally new systems should be constructed on an unprotected network
in order to prevent installation restrictions.

T F 9. A malicious driver can potentially bypass many security controls to
install malware.

T F 10. You should run automatic updates on change-controlled systems.

T F 11. Passwords installed by default are secure and do not need to be
changed.

T F 12. A very common configuration fault seen with Web and file transfer
servers is for all the files supplied by the service to be owned by the
same “user” account that the server executes as.

T F 13. Manual analysis of logs is a reliable means of detecting adverse
events.

T F 14. Performing regular backups of data on a system is a critical control
that assists with maintaining the integrity of the system and user data.

T F 15. Backup and archive processes are often linked and managed together.

MULTIPLE CHOICE QUESTIONS:

1. The first step in deploying new systems is _________.
A. security testing B. installing patches
C. planning D. secure critical content

2. Which of the following need to be taken into consideration during the system
security planning process?
A. how users are authenticated
B. the categories of users of the system
C. what access the system has to information stored on other hosts
D. all of the above

3. The first critical step in securing a system is to secure the __________.
A. base operating system
B. system administrator
C. malware protection mechanisms
D. remote access privileges

4. The following steps should be used to secure an operating system:
A. test the security of the basic operating system
B. remove unnecessary services
C. install and patch the operating system
D. all of the above

5. __________ applications is a control that limits the programs that can execute on
the system to just those in an explicit list.
A. Virtualizing B. White listing
C. Logging D. Patching

6. Cryptographic file systems are another use of _______.
A. encryption B. testing
C. virtualizing D. acceleration

7. Once the system is appropriately built, secured, and deployed, the process of
maintaining security is ________.
A. complete B. no longer a concern
C. continuous D. sporadic

8. The range of logging data acquired should be determined _______.
A. during security testing
B. as a final step
C. after monitoring average data flow volume
D. during the system planning stage

9. The ______ process makes copies of data at regular intervals for recovery of lost or
corrupted data over short time periods.
A. logging B. backup
C. hardening D. archive

10. The ______ process retains copies of data over extended periods of time in order to
meet legal and operational requirements.
A. archive B. virtualization
C. patching D. backup

11. The needs and policy relating to backup and archive should be determined ______.
A. as a final step
B. during the system planning stage
C. during security testing
D. after recording average data flow volume

12. ______ are resources that should be used as part of the system security planning
process.
A. Texts
B. Online resources
C. Specific system hardening guides
D. All of the above

13. ______ systems should not run automatic updates because they may possibly
introduce instability.
A. Configuration controlled B. Policy controlled
C. Change controlled D. Process controlled

14. The most important changes needed to improve system security are to ______.
A. disable remotely accessible services that are not required
B. ensure that applications and services that are needed are appropriately configured
C. disable services and applications that are not required
D. all of the above

15. Security concerns that result from the use of virtualized systems include ______.
A. guest OS isolation
B. guest OS monitoring by the hypervisor
C. virtualized environment security
D. all of the above

SHORT ANSWER QUESTIONS:

1. The three operating system security layers are: physical hardware, operating
system kernel, and user applications and utilities.

2. The aim of the specific system installation planning process is to maximize
security while minimizing costs.

3. System security begins with the installation of the operating system.

4. The final step in the process of initially securing the base operating system is
security testing.

5. Logging is a reactive control that can only inform you about bad things that have
already happened.

6. Backup is the process of making copies of data at regular intervals allowing the
recovery of lost or corrupted data over relatively short time periods of a few hours
to some weeks.

7. Archive is the process of retaining copies of data over extended periods of time,
being months or years, in order to meet legal and operational requirements to
access past data.

8. Change controlled systems should validate all patches on test systems before
deploying them to production systems.

9. Unix and Linux systems grant access permissions for each resource using the
chmod command.

10. Unix and Linux systems use a chroot jail which restricts the server’s view of the
file system to just a specified portion.

11. Configuration information in Windows systems is centralized in the Registry,
which forms a database of keys and values.

12. Virtualization refers to a technology that provides an abstraction of the computing
resources that run in a simulated environment.

13. Guest OSs are managed by a hypervisor, or VMM, that coordinates access
between each of the guests and the actual physical hardware resources.

14. Hosted virtualization systems are more common in clients, where they run
alongside other applications on the host OS, and are used to support applications for
alternate operating system versions or types.

15. Native virtualization systems are typically seen in servers, with the goal of
improving the execution efficiency of the hardware.

Chapter 13 – Cloud and IoT Security

TRUE/FALSE QUESTIONS:

T F 1. Cloud computing gives you the ability to expand and reduce resources
according to your specific service requirement.

T F 2. IaaS provides service to customers in the form of software, specifically
application software, running on and accessible in the cloud.

T F 3. There is an increasingly prominent trend in many organizations to
move a substantial portion or even all IT operations to enterprise cloud
computing.

T F 4. In a public cloud model the provider is responsible both for the cloud
infrastructure and for the control of data and operations within the
cloud.

T F 5. The major advantage of the public cloud is cost.

T F 6. A CSC can provide one or more of the cloud services to meet IT and
business requirements of a CSP.

T F 7. The three areas of support that a cloud broker can offer are service
intermediation, service aggregation and service arbitrage.

T F 8. NIST recommends selecting cloud providers that support strong
encryption, have appropriate redundancy mechanisms in place, employ
authentication mechanisms, and offer subscribers sufficient visibility
about mechanisms used to protect subscribers from other subscribers
and the provider.

T F 9. Data must be secured while in transit, but not while in use or at rest.

T F 10. The term platform as a service has generally meant a package of
security services offered by a service provider that offloads much of
the security responsibility from an enterprise to the security service
provider.

T F 11. Security assessments are third-party audits of cloud services.

T F 12. An IPS is a set of automated tools designed to detect unauthorized
access to a host system.

T F 13. The security module for OpenStack is Keystone.

T F 14. The “smart” in a smart device is provided by a deeply embedded
actuator.

T F 15. A key element in providing security in an IoT deployment is the
gateway.

MULTIPLE CHOICE QUESTIONS:

26. Measured service and rapid elasticity are essential characteristics of _________.
A. resource pooling B. cloud computing
C. broad network access D. resource pooling

27. A __________ cloud provides service to customers in the form of a platform on
which the customer’s applications can run.
A. broad network access B. infrastructure as a service
C. platform as a service D. resource pooling

28. The use of __________ avoids the complexity of software installation, maintenance,
upgrades, and patches.
A. SaaS B. MaaS
C. PaaS D. IaaS

29. A __________ infrastructure is made available to the general public or a large
industry group and is owned by an organization selling cloud services.
A. community cloud B. private cloud
C. hybrid cloud D. public cloud

30. Examples of services delivered through the __________ include database on
demand, e-mail on demand, and storage on demand.
A. hybrid cloud B. public cloud
C. private cloud D. community cloud

31. The _________ cloud deployment model is the most secure option.
A. public B. private
C. community D. hybrid

32. A __________ is an entity that manages the use, performance and delivery of cloud
services, and negotiates relationships between CSPs and cloud consumers.
A. cloud broker B. cloud carrier
C. cloud auditor D. cloud provider

33. A __________ is a person or organization that maintains a business relationship
with, and uses service from, cloud providers.
A. cloud auditor B. cloud service consumer
C. cloud broker D. cloud carrier

34. __________ is the monitoring, protecting, and verifying the security of data at rest,
in motion, and in use.
A. Web security B. Security assessments
C. Intrusion management D. Data loss prevention

35. The core of ___________ is the implementation of intrusion detection systems and
intrusion prevention systems at entry points to the cloud and on servers in the cloud.
A. Intrusion management B. SIEM
C. security assessments D. web security

36. __________ comprise measures and mechanisms to ensure operational resiliency in
the event of any service interruptions.
A. Data loss prevention
B. Security information and event management
C. Network security
D. Business continuity and disaster recovery

37. _________ is the management software module that controls VMs within the IaaS
cloud computing platform.
A. Glance B. Nova
C. Swift D. Object

38. A __________ interconnects the IoT-enabled devices with the higher-level
communication networks.
A. microcontroller B. gateway
C. carrier D. sensor

39. The most vulnerable part of an IoT is the __________ .
A. smart objects/embedded systems B. fog/edge network
C. core network D. data center/cloud

40. __________ has two operating modes, one tailored for single-source
communication, and another tailored for multi-source broadcast communication.
A. Edge B. Keystone
C. OpenSource D. MiniSec

SHORT ANSWER QUESTIONS:

31. Cloud computing is defined as “a model for enabling ubiquitous, convenient, on-
demand network access to a shared pool of configurable computing resources that
can be rapidly provisioned and released with minimal management effort or
service provider interaction”.

32. NIST SP 800-145 defines three service models: software as a service, platform as
a service, and infrastructure as a service.

33. The four most prominent deployment models for cloud computing are public
cloud, community cloud, hybrid cloud and private cloud.

34. The hybrid cloud infrastructure is a composition of two or more clouds that
remain unique entities but are bound together by standardized or proprietary
technology that enables data and application portability.

35. A cloud auditor is a party that can conduct independent assessment of cloud
services, information system operations, performance, and security of the cloud
implementation.

36. A cloud carrier is a networking facility that provides connectivity and transport of
cloud services between cloud consumers and cloud service providers.

37. Identity and access management (IAM) includes people, processes and systems
that are used to manage access to enterprise resources by assuring that the identity
of an entity is verified, then granting the correct level of access based on this
assured identity.

38. Security information and event management (SIEM) aggregates log and event
data from virtual and real networks, applications, and systems. This information
is then correlated and analyzed to provide real-time reporting and alerting on
information/events that may require intervention or other type of response.

39. OpenSource is an open-source software project of the OpenStack Foundation that
aims to produce an open-source cloud operating system.

40. The Internet of things (IoT) is a term that refers to the expanding interconnection
of smart devices, ranging from appliances to tiny sensors.

41. With reference to the end systems supported, the Internet has gone through
roughly four generations of deployment culminating in the IoT: information
technology, operational technology, personal technology and sensor/actuator
technology.

42. The key components of an IoT-enabled device are: sensor, actuator,
microcontroller, transceiver and radio-frequency identification.

43. The core network, also referred to as a backbone network, connects
geographically dispersed fog networks as well as provides access to other
networks that are not part of the enterprise network.

44. MiniSec is an open-source security module that is part of the TinyOS operating
system.

45. MiniSec is designed to meet the following requirements: data authentication,
confidentiality, replay protection, freshness, low energy overhead and resilience to
lost messages.

Chapter 14 – IT Security Management and Risk Assessment

TRUE/FALSE QUESTIONS:

T F 1. IT security management consists of first determining a clear view of an
organization’s IT security objectives and general risk profile.

T F 2. IT security management has evolved considerably over the last few
decades due to the rise in risks to networked systems.

T F 3. Detecting and reacting to incidents is not a function of IT security
management.

T F 4. IT security needs to be a key part of an organization’s overall
management plan.

T F 5. Once the IT management process is in place and working the process
never needs to be repeated.

T F 6. Organizational security objectives identify what IT security outcomes
should be achieved.

T F 7. The assignment of responsibilities relating to the management of IT
security and the organizational infrastructure is not addressed in a
corporate security policy.

T F 8. Organizational security policies identify what needs to be done.

T F 9. It is not critical that an organization’s IT security policy have full
approval or buy-in by senior management.

T F 10. Because the responsibility for IT security is shared across the
organization, there is a risk of inconsistent implementation of security
and a loss of central monitoring and control.

T F 11. Legal and regulatory constraints may require specific approaches to
risk assessment.

T F 12. A major advantage of the informal approach is that the individuals
performing the analysis require no additional skills.

T F 13. A major disadvantage of the baseline risk assessment approach is the
significant cost in time, resources, and expertise needed to perform
the analysis.

T F 14. One asset may have multiple threats and a single threat may target
multiple assets.

T F 15. A threat may be either natural or human made and may be accidental
or deliberate.

MULTIPLE CHOICE QUESTIONS:

2. __________ ensures that critical assets are sufficiently protected in a cost-effective


manner.
A. IT control B. IT security management
C. IT discipline D. IT risk implementations

2. The ________ has revised and consolidated a number of national and international
standards into a consensus of best practice.
A. ISO B. CSI
C. VSB D. DBI

3. IT security management functions include:


A. determining organizational IT security objectives, strategies, and policies
B. detecting and reacting to incidents
C. specifying appropriate safeguards
D. all of the above

4. Implementing the risk treatment plan is part of the ______ step.


A. check B. act
C. do D. plan
Computer Security: Principles and Practice, 4th Edition Chapter 1

5. Maintaining and improving the information security risk management process


in response to incidents is part of the _________ step.

A. act B. plan
C. check D. do

6. Establishing security policy, objectives, processes and procedures is part of the


______ step.
A. plan B. check
C. act D. none of the above

7. The intent of the ________ is to provide a clear overview of how an organization’s IT


infrastructure supports its overall business objectives.
A. risk register B. corporate security policy
C. vulnerability source D. threat assessment

8. The advantages of the _________ approach are that it doesn’t require the expenditure
of additional resources in conducting a more formal risk assessment and that the same
measures can be replicated over a range of systems.
A. combined B. informal
C. baseline D. detailed

9. The _________ approach involves conducting a risk analysis for the organization’s IT
systems that exploits the knowledge and expertise of the individuals performing the
analysis.
A. baseline B. combined
C. detailed D. informal

10. A ________ is anything that might hinder or prevent an asset from providing
appropriate levels of the key security services.
A. vulnerability B. threat
C. risk D. control

11. _________ include management, operational, and technical processes and
procedures that act to reduce the exposure of the organization to some risks by reducing
the ability of a threat source to exploit some vulnerabilities.
A. Security controls B. Risk appetite
C. Risk controls D. None of the above

12. The results of the risk analysis should be documented in a _________.
A. journal B. consequence
C. risk register D. none of the above

13. ________ specification indicates the impact on the organization should the particular
threat in question actually eventuate.
A. Risk B. Consequence
C. Threat D. Likelihood

14. The purpose of ________ is to determine the basic parameters within which the risk
assessment will be conducted and then to identify the assets to be examined.
A. establishing the context B. control
C. risk avoidance D. combining

15. _________ is choosing to accept a risk level greater than normal for business
reasons.
A. Risk avoidance B. Reducing likelihood
C. Risk transfer D. Risk acceptance

SHORT ANSWER QUESTIONS:

16. IT security management is a process used to achieve and maintain appropriate
levels of confidentiality, integrity, availability, accountability, authenticity, and
reliability.

17. ISO details a model process for managing information security that comprises the
following steps: plan, do, check and act.

18. The term security policy refers to a document that details not only the overall
security objectives and strategies, but also procedural policies that define
acceptable behavior, expected practices, and responsibilities.

19. The aim of the risk assessment process is to provide management with the
information necessary for them to make reasonable decisions on where available
resources will be deployed.

20. The four approaches to identifying and mitigating risks to an organization’s IT
infrastructure are: baseline approach, detailed risk analysis, combined approach,
and informal approach.

21. The baseline approach to risk assessment aims to implement a basic general level
of security controls on systems using baseline documents, codes of practice, and
industry best practice.

22. The use of the informal approach would generally be recommended for small to
medium-sized organizations where the IT systems are not necessarily essential to
meeting the organization’s business objectives and additional expenditure on risk
analysis cannot be justified.

23. The advantages of the detailed risk assessment approach are that it provides the
most detailed examination of the security risks of an organization’s IT system and
produces strong justification for expenditure on the controls proposed.

24. A(n) vulnerability is a weakness in an asset or group of assets that can be
exploited by one or more threats.

25. A(n) asset is anything that has value to the organization.

26. The level of risk the organization views as acceptable is the organization’s risk
appetite.

27. Risk transfer is sharing responsibility for the risk with a third party.

28. Not proceeding with the activity or system that creates the risk is risk avoidance.

29. The combined approach combines elements of the baseline, informal, and
detailed risk analysis approaches.

30. The detailed security risk analysis approach provides the most accurate evaluation
of an organization’s IT system’s security risks.

Chapter 15 – IT Security Controls, Plans, and Procedures

TRUE/FALSE QUESTIONS:

T F 1. To ensure that a suitable level of security is maintained, management
must follow up the implementation with an evaluation of the
effectiveness of the security controls.

T F 2. Management controls refer to issues that management needs to address.

T F 3. Operational controls range from simple to complex measures that work
together to secure critical and sensitive data, information, and IT
systems functions.

T F 4. Detection and recovery controls provide a means to restore lost
computing resources.

T F 5. Water damage protection is included in security controls.

T F 6. All controls are applicable to all technologies.

T F 7. Physical access or environmental controls are only relevant to areas
housing the relevant equipment.

T F 8. Once in place, controls cannot be adjusted, regardless of the results of
risk assessment of systems in the organization.

T F 9. Controls may vary in size and complexity in relation to the
organization employing them.

T F 10. It is likely that the organization will not have the resources to
implement all the recommended controls.

T F 11. The selection of recommended controls is not guided by legal
requirements.

T F 12. The recommended controls need to be compatible with the
organization’s systems and policies.

T F 13. The implementation phase comprises not only the direct
implementation of the controls, but also the associated training and
general security awareness programs for the organization.

T F 14. Appropriate security awareness training for all personnel in an
organization, along with specific training relating to particular
systems and controls, is an essential component in implementing
controls.

T F 15. The IT security management process ends with the implementation of
controls and the training of personnel.

MULTIPLE CHOICE QUESTIONS:

1. _________ is a formal process to ensure that critical assets are sufficiently
protected in a cost-effective manner.
A. Configuration management control
B. IT security management
C. Detection and recovery control
D. Security compliance

2. An IT security ________ helps to reduce risks.
A. control B. safeguard
C. countermeasure D. all of the above

3. _______ controls focus on security policies, planning, guidelines, and standards that
influence the selection of operational and technical controls to reduce the risk of loss and
to protect the organization’s mission.
A. Management B. Technical
C. Preventative D. Supportive

4. _______ controls are pervasive, generic, underlying technical IT security capabilities
that are interrelated with, and used by, many other controls.
A. Preventative B. Supportive
C. Operational D. Detection and recovery

5. ________ controls focus on the response to a security breach, by warning of violations
or attempted violations of security policies.
A. Technical B. Preventative
C. Detection and recovery D. Management

6. A contingency plan for systems critical to a large organization would be _________
than that for a small business.
A. smaller, less detailed B. larger, less detailed
C. larger, more detailed D. smaller, more detailed

7. Management should conduct a ________ to identify those controls that are most
appropriate and provide the greatest benefit to the organization given the available
resources.
A. cost analysis B. cost-benefit analysis
C. benefit analysis D. none of the above

8. An IT security plan should include details of _________.
A. risks B. recommended controls
C. responsible personnel D. all of the above

9. The implementation process is typically monitored by the organizational ______.
A. security officer B. general counsel
C. technology officer D. human resources

10. The follow-up stage of the management process includes _________.
A. maintenance of security controls
B. security compliance checking
C. incident handling
D. all of the above

11. The objective of the ________ control category is to avoid breaches of any law,
statutory, regulatory, or contractual obligations, and of any security requirements.
A. access B. asset management
C. compliance D. business continuity management

12. The objective of the ________ control category is to counteract interruptions to
business activities and to protect critical business processes from the effects of major
failures of information systems or disasters and to ensure their timely resumption.
A. asset management
B. business continuity management
C. information security incident management
D. physical and environmental security

13. Identification and authentication is part of the _______ class of security controls.
A. technical B. operational
C. management D. none of the above

14. Maintenance of security controls, security compliance checking, change and
configuration management, and incident handling are all included in the follow-up stage
of the _________ process.
A. management B. security awareness and training
C. maintenance D. all of the above

15. Periodically reviewing controls to verify that they still function as intended,
upgrading controls when new requirements are discovered, ensuring that changes to
systems do not adversely affect the controls, and ensuring new threats or vulnerabilities
have not become known are all ________ tasks.
A. security compliance B. maintenance
C. incident handling D. program management

SHORT ANSWER QUESTIONS:

1. A risk assessment on an organization’s IT systems identifies areas needing
treatment.

2. Control is a means of managing risk, including policies, procedures, guidelines,
practices, or organizational structures.

3. The three steps for IT security management controls and implementation are:
prioritize risks, respond to risks, and monitor risks.

4. Technical controls involve the correct use of hardware and software security
capabilities in systems.

5. The IT security plan documents what needs to be done for each selected control,
along with the personnel responsible, and the resources and time frame to be used.

6. When the implementation is successfully completed, management needs to
authorize the system for operational use.

7. Security compliance checking is an audit process to review the organization’s
security processes.

8. Change management is the process used to review proposed changes to systems
for implications on the organization’s systems and use.

9. Configuration management is concerned with specifically keeping track of the
configuration of each system in use and the changes made to each.

10. The detection and recovery controls focus on the response to a security breach,
by warning of violations or attempted violations of security policies or the
identified exploit of a vulnerability and by providing means to restore the
resulting lost computing resources.

11. Contingency planning falls into the operational class of security controls.

12. Preventative controls focus on preventing security breaches from occurring by
inhibiting attempts to violate security policies or exploit a vulnerability.

13. The security compliance audit process should be conducted on new IT systems
and services once they are implemented, and on existing systems periodically, often
as part of a wider, general audit of the organization or whenever changes are
made to the organization’s security policy.

14. Controls can be classified as belonging to one of the following classes:
management controls, operational controls, technical controls, detection and
recovery controls, preventative controls, and supportive controls.

15. Incident response is part of the operational class of security controls.
