Download D430 QUESTIONS WITH ACCURATE ANSWERS and more Exams Computer Science in PDF only on Docsity!
D430 QUESTIONS WITH ACCURATE
ANSWERS
2 ciphers of symmetric cryptography correct answer Block and stream 2 common uses of the confused deputy problem: ________ side attacks: ________ (...) _______ correct answer Client side attacks: CSRF (cross-site request forgery) Clickjacking 5 Access control models correct answer Discretionary Mandatory Rule-Based Role-Based Attribute-Based 5 factors of authentication correct answer Knowledge: something you know (usrname/psswrd/Pin) Ownership: something you have (ID badge/swipe card/OTP) Characteristics: something U R (fingerprint/iris-retina scan)
Action: something you do (handwriting/typing/walking) Location: somewhere you are (geolocation) A Block Cipher does what correct answer takes a block of plaintext and encrypts it A block is a correct answer A block is a predetermined number of bits (usually 64, but depends on the algorithm) A firewall will allow/block ________ based on the __, ____, and ________ being used correct answer packets IP, port, and protocol Acceptability correct answer A measure of how acceptable the particular characteristic is to the user of the system Access Control: 4 tasks correct answer Allowing: allows access to resource Denying: deny access Limiting: allow some access (sandbox) Revoking: takes access away (ex: termination or role transfer of user) Accountability is largely accomplished through the use of correct answer Auditing Accountability means you can ________ activities back to ______. It helps an org. maintain what correct answer Traces activities back to their source. This helps an organization maintain compliance with laws
AES correct answer uses three different ciphers w block of 128 bits 1)128, 192-bit key, and 256-bit key +replaced DES {+each bit increases by 64} After a user is 1) then 2) the next step is 3) correct answer 1) identified
- authenticated
- authorization Assess risks correct answer Once we have identified the threats and vulnerabilities for a given asset, we can assess the overall risk. Assess vulnerabilities correct answer When we look at assess vulnerabilities, we need to do so in the context of potential threats. Any given asset may have thousands or millions of threats that could impact it, but only a small fraction of these will actually be relevant. Assessments are an active way of ________ correct answer An active way of auditing Assets are protected by their value to the org. in what order? correct answer People Data HW/SW
Assymetric Key Algorithms correct answer RSA - (names after its creators/found in SSL protocol (prtcl in web/email traffics/most common) ECC - (elliptic curve cryptography/names after math equation crypts are based on) PGP - (pretty good privacy) TLS - (transport layer security) Asymmetric Cryptography uses a correct answer Public and Private key Attribute-based access control (ABAC) correct answer Based on context -attributes of user/resource/environment Auditing is when we check ________ is ________ correct answer Checking records are right (Making sure the who did what and when are accurate) Auditing makes sure actions are in ________w/_________ correct answer -in compliance with laws Authentication is correct answer The act of providing who are what we claim to be EX: password (authenticates user and allows access) authenticity (parkerian hexad) correct answer Allows you to say whether you've attributed the data in question to the proper owner or creator
Buffer overflows correct answer Our data is not properly stored due to its size and causes a vulnerability, application crash, and than an attack. capability-based security -alternate solution to? -the use of a _______ controls access correct answer Alternate solution/structure to ACL The use of a token controls access Certificates link what to what correct answer link a public key to a particular individual
- used as a form of electronic identification for that particular person Childrens' Online Privacy Protection Act (COPPA) - correct answer sets rules on data collection for children under 13 to protect their online privacy. CIA correct answer Confidentiality, Integrity, Availability Cipher text is correct answer Message data after it has been encrypted. Circumvention correct answer Describes the ease with which a system can be tricked by a falsified biometric identifier Clickjacking AKA U________ I________ R__d______
The attacker ________ a portion of the ________ and places an ________ ________ over something the client would normally clock on. This executes a command correct answer AKA user interface redressing -the attacker controls a portion of the website and places an invisible layer over something the client would normally click on, executing a command. Collectibility correct answer Measures how easy it is to acquire a characteristic with which we can later authenticate a user Compliance correct answer conforming to a rule, such as specification, policy, standard or law Compliance correct answer The requirements set by laws and industry regulations EX: HIPPA, FISMA Confidentiality correct answer Allowing only authorized users access to data confused deputy problem -what is the problem with the SW
- A type of attack in systems that use ________ rather than ________. correct answer - A type of attack in systems that use ACLs rather than capabilities. -SW has greater access to the resource than the user. The user tricks the SW into misusing its greater level of authority, to carry out an attack
Cryptology is the study of ___ ____ correct answer Cryptographic algorithms CSRF (Cross Site Request Forgery) Hacker ________ ________ on website user is already ________ on to ________ the user -misuses the authority of the ________ on users computer -hacker knows user is authenticated on it (ex:amazon) correct answer Hacker embeds link on website user is authenticated on to redirect the user -misuses the authority of the browser on the user's computer. DDOS is a type of _______ _______. During this what happens correct answer distributed denial-of-service (DDoS) a type of cyber attack where an attacker floods a website or network with so much traffic that it becomes unavailable to legitimate users. Deep packet inspection, analyzes [...]of the traffic flowing through it correct answer analyzing the actual content of the traffic that is flowing through them. Defense in depth correct answer Layering controls -an ancient concept applied to modern info systems. EX: using the 3 control types in multiple overlapping protections. Locks on hardware server/cabinets, multi layers of authentication and policies that control visitors in the building.
Defense in-depth correct answer Multiple security measures that will not break if one of the measures fail DES -block or stream -how many bits -now considered? correct answer -block cipher based on symmetric key cryptography -uses a 56-bit key -Not that secured any more. detection and analysis phase correct answer Where the action begins to happen. We will detect the occurrence of an issue and decide whether or not it is actually an incident so that we can respond appropriately Deterrence correct answer Telling users they're being tracked will deter them from breaking rules Digital Signatures do what 2 things correct answer 1)confirms authorship (authenticity) 2)non repudiation
Family Educational Rights and Priacy Act (FERPA) correct answer protects the privacy of students and their parents, regulating educational records, including educational information, personally identifiable information, and directory information. Federal Information Security Modernization Act (FISMA) correct answer protects the information, operations, and assets in the federal government Firewall correct answer naturally creating network segmentation when installed -the traffic that flows in and out of our networks Firewalls and DMZs correct answer First the Public-key encryption does what (asymmetric encryption) correct answer encrypts data from sender to the receiver and is shared with everyone FISMA - the FI stands for ". ." FERPA - the E stands for "." HIPPA - the HI stands for ". ." HITECH - TECH means "." PCI DSS - the C stands for ". ." COPPA - the CO stands for ". ." SOX - rhymes with ".", so think of. GLBA - this is the only one you would have to memorize correct answer federal information educational
health insurance technology credit card children online stocks... finance FISMA correct answer Federal government security requirements Fuzzers a tool that -tests the ________ of a system by sending it ___________ _____. -The goal is to find _________ in a system by causing it to ______ or behave in unexpected ways. correct answer -security / unexpected input. -vulnerabilities / crash or behave in unexpected ways. Gramm-Leach-Biley Act (GLBA) correct answer protects their customers' personal information Hardware tokens correct answer Something that you... HAVE. THEY::: Generate OTP HW or SW Hashes are very useful when distributing files or sending communications, as the hash can be correct answer sent with the message so that the receiver can verify its integrity
Identify assets correct answer One of the first and most important steps of the risk management process. Identifying and categorizing assets Identify threats correct answer Begin to identify and categorize threats that could harm our now organized assets Identity is correct answer Who or what we claim to be EX: username Identity verification is the Half step between correct answer identity and authentication -like showing 2 forms of ID for a service Impact correct answer Considered the cost of the asset In NW ACLs access is controlled by correct answer IP addresses, MAC (media access control), and ports The identifiers used for NW transactions (either allowing or denying them) Incident response 6 steps correct answer Preparation Detection/Analysis Containment Eradication Recovery
Post Incident Activity Incident Response happens when what fails correct answer Risk management fails causing an inconvenience or disastrous event. 6 steps Integrity correct answer Keeping data unaltered by accidental/malicious intent Interception correct answer Allows unauthorized users to access (intercept) our data/apps/environments. Confidentiality Interception is the ONLY attack that affects on _______________. Interruption, modification, and fabrication affects __________ and ____________ because most of the time they're impacting ______. correct answer confidentiality integrity and availability... data Interruption correct answer Makes assets unusable temporarily/permanently. Denial of service. Availability. Sometimes integrity Intrusion Detection System (IDS) correct answer monitors and alerts (that an attack/undesirable activity is happening) Intrusion Prevention System (IPS) correct answer Takes action (Deny traffic from source if attack)
Keyless cryptography uses what instead of a key (uses no keys) correct answer It uses mathematical algorithms to secure the information (hash functions) Levels of Authentication correct answer Single (1 factor) Dual (2 diff. factors) multi-factor (3+) *2 of the same factor don't count as 2 *Stacking these layers so access is as strong as we need it to be Logging looks at __________ While monitoring is more correct answer Logging : looks at history. Present/reactive Mandatory Access Control (MAC) correct answer Authorized group decides access MOST restrictive Found in military settings Manual Password Synchronization correct answer When a user synced passwords from different systems without a software application Mitigating risks correct answer In order to help us mitigate risk, we can put measures in place to help ensure that a given type of threat is accounted for. These measures are referred to as controls. Modification correct answer Tampers with assets Integrity. Sometimes availability
Multilevel Access Control correct answer combine several access control models Bell-LaPadula Biba Brewer and Nash Mutual Authentication is:____ __ ___ ______ /prevents: ______/ has: ______ ________/ example: correct answer Authentication on both ends. Prevents man in the middle attacks (attackers inserted into traffic flow) Has digital certificates EX: PC and server authenticate each other before data is sent either direction Nessus ______________ _____________ tool Does what ____ ________ on a system correct answer Vulnerability Assessment Tool port scanning (check for open ports on a system) Network intrusion detection system (NIDS) correct answer detects malicious network activities—EX: port scans and DoS attacks Network segmentation correct answer dividing a network into multiple smaller networks (subnet) Nikto/Wikto -checks for ______-____ vulnerabilities
