Information Systems 365 Exam Answers, Discussion and Class Project

UW-Madison Information Systems 365 Information Security Exam - Answer Key Presentation

Jan 16, 2015



Nicholas Davis

Page 1: UW-Madison Information Systems 365 Information Security Exam - Answer Key Presentation

Information Systems 365 Exam Answers, Discussion and Class Project

Page 4

Flat Cow Reads the Complex Instructions

Page 5

Flat Cow’s Bovine Voice is “herd”… Check him out on Facebook

Page 6

Exam

• In general, they were pretty good

• The average, after curving, was a 91!!

• If you did not do as well as you had hoped, PLEASE come talk to me about EXTRA CREDIT

Page 7

What are the Five Pillars of Information Security?

• Protection, Automation, Detection, Reaction, Prevention

• Detection, Integration, Globalization, Deletion, Operation

• Implementation, Protection, Dissemination, Interaction, Prevention

• Prevention, Protection, Communication, Obfuscation, Reaction

• Documentation, Protection, Reaction, Detection, Prevention

• Interaction, Prevention, Alteration, Reaction, Obliteration

• Documentation, Prevention, Reaction, Interpolation, Detection

Page 8

In the course reading “How to Sell Security”, the author describes the idea of Prospect Theory. According to the article and lecture slides, which of the following responses best summarizes Prospect Theory?

• When presented with the potential opportunity for gain, people generally prefer to take risks. When presented with the potential for loss, people are less likely to embrace risk.

• When presented with the potential opportunity for gain, people generally behave randomly. When presented with the potential for loss, people are more likely to embrace risk.

• When presented with the potential opportunity for gain, people generally prefer not to take risks. When presented with the potential for loss, people are more likely to embrace risk.

• When presented with the potential opportunity for gain, people generally prefer not to take risks. When presented with the potential for loss, people are more likely to behave randomly.

• When presented with the potential opportunity for loss or gain, people generally behave randomly in both situations.

• When presented with the potential opportunity for loss or gain, people generally drive to the closest casino and bet all their money at the Roulette Wheel.

• None of the above

Page 9

Technical Controls are:

• Strong and consistent, treating everyone equally

• Usually outdated and unreliable

• Can be audited with a high level of assurance

• Usually cheaper to implement in the short term, when compared to equivalent Administrative Controls

• A and B

• B and C

• A and C

Page 10

Technical Controls:

• Are usually more costly than equivalent Administrative Controls

• Can break, either failing open or failing closed, neither of which may be desirable in a given situation.

• Are what corporations implement when they want to engage in blame shifting.

• Are generally more complex than equivalent Administrative Controls

• All of the above

• None of the above

• A, B and D

Page 11

Administrative Controls are usually:

• Less expensive than Technical Controls

• Sufficient to meet HIPAA and SOX compliance

• Easy to implement

• Very flexible

• Used in large enterprise environments, but rarely in small businesses

• A, B, C, D

• A, C and D

Page 12

Data Classification is the conscious decision to assign a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted. The classification of the data should then determine the extent to which the data needs to be secured. The generic data classification grading scale outlined in the class handout and lecture slides included all of the following data designations:

• Highly Confidential, Proprietary, Top Secret, Open Records, Physically Secured

• Internal Use Only, Semi-Secret, Highly Confidential, Proprietary, Top Secret

• Public Documents, Highly Confidential, Proprietary, Transport Limited, Semi-Secured

• Internal Use Only, Public Documents, Top Secret, Highly Confidential, Proprietary

• Top Secret, Highly Confidential, Open Records, Public Records, Management View Only

• Proprietary, Open Records, Top Secret, Destroy After Viewing, For Hannah Montana Only

• None of the above

Page 13

Authentication is defined as the act of:

• Verifying a claim of identity

• Determining which informational resources a person or entity may be authorized to access

• Determining which actions a person or entity will be allowed to perform (read, write, delete, etc.)

• A and B

• A and C

• A, B and C

• None of the above

Page 14

Asymmetrically Encrypted data has which of the following properties?

• It transforms usable information into a form that renders it unusable by anyone other than an authorized user.

• Can be transformed back into its original usable form only by the original person who encrypted the data.

• It is used to protect information from unauthorized or accidental disclosure while the information is in transit (either electronically or physically) and while information is in storage.

• Can be transformed back into its original usable form by anyone who possesses the appropriate decryption key.

• Can’t be used as part of a Defense in Depth strategy for data protection

• A, C, D

• A, C, D and E

Page 15

If your organization engages in information systems outsourcing, which of the following outsourcing security principles should be applied?

• A. Practice defense in depth

• B. Follow the principle of least privilege

• C. Follow the principle of random privilege

• D. Compartmentalize

• E. Promote privacy and accountability

• F. Be reluctant to trust

• G. A, B, D, E, F

• H. All of the above

• I. None of the above

Page 16

In the reading “The Truth About Chinese Hackers”, which of the following viewpoints were expressed by the author?

• Cyber Attacks originating in China don't seem to be coordinated by the Chinese military.

• The hackers in China perform hacking for two reasons: fame and glory, and as an attempt to make a living.

• The Chinese government knows the leaders of the hacker movement and chooses to look the other way.

• If anything, the fact that these groups aren't being run by the Chinese government makes the problem worse.

• All of the above

• None of the above

• A, C and D

Page 17

In the reading “Cyberwar: Myth or Reality”, which of the following viewpoints were expressed by the author?

• The best thing to do if you are a Cyberwar hacker is to infiltrate enemy computers and networks, spy on them, and surreptitiously disrupt select pieces of their communications when appropriate.

• Within two days of the start of a war between the U.S. and Russia, the Internet will be totally unreliable.

• The idea of Cyberwar is a clever scare tactic that hardware and software vendors perpetuate in order to sell more security related technologies and make more profit.

• A and B

• A and C

• All of the above

• None of the above

Page 18

In the reading “Make Vendors Liable For Software Bugs”, which of the following viewpoints were expressed by the author?

• Software vendors are in the best position to improve software security, as they have the capability.

• There is a general rule in security to align interest with capability.

• Interest must be aligned with capability, but you need to be careful how you generate interest.

• Software vendors sometimes purposely and intentionally create software code with bugs, just so they can look like they care when they distribute software patches to fix the security holes

• A, B, and C

• A and D

• All of the above

Page 19

Which of the following statements does an accurate job of describing Dual Factor Authentication?

• Providing proof of something you know and providing proof of something you have

• Providing proof of something you know and providing proof of something you are (fingerprint, retina scan, etc.)

• Providing written proof of your age and providing written proof of your name

• Providing proof of something you have and providing proof of something you are (fingerprint, retina scan, etc.)

• Providing multiple passwords in order to gain access to a sensitive software application

• A, B and D

• A, B, D and E

• All of the above

• None of the above

Page 20

Which of the following guidelines should be included when establishing a strong password policy?

• Passwords should be as long as possible (never shorter than 6 characters)

• Passwords should introduce the use of multiple blank spaces in every password issued, if possible

• Passwords should include mixed-case letters, if possible

• Passwords should include digits and punctuation marks, if possible

• Obligate all users to change their password on their birthday and all non-religious holidays

• Passwords should expire on a regular basis and may not be re-used

• Users should be encouraged to create passwords which rhyme so that they are easy to remember

• Passwords may not contain any portion of your name, birthday, address or other publicly available information

• All of the above should be included when establishing a strong password policy

• B and E only should be included when establishing a strong password policy

• A, C, D, F and H should be included when establishing a strong password policy

• A, B, C, D, F and H should be included when establishing a strong password policy

Page 21

In lecture, we discussed several specific technologies for strong authentication. Which of the following authentication products can be beaten simply by using a photocopier to copy the user’s credential?

• RSA SecurID One Time Password (OTP) device

• Initech brand facial recognition Intruder Gate

• Verisign brand personal digital certificates

• Any Biometric retina scanner

• DigiVault brand Zoster Fingerprint Assurance

• Entrust brand Identity Guard

• A, E and F

• B and E

• None of the above can be beaten simply by using a photocopier to copy the credential

Page 22

Which of the following is a true statement about digital certificates?

• Digital certificates are ALWAYS used as the core technology in SSL connections to secure websites

• A digital certificate can be thought of as a digital passport, which is either contained on a secure device, or on a hard disk

• A digital certificate can be secured with a password, which makes it a dual factor authentication solution

• A digital certificate can be used to authenticate machines as well as humans

• Digital certificates have a low variable cost to produce individually, but a high fixed cost to setup the supporting system infrastructure

• Can contain authorization data, such as birthday as well as authentication data, but this is rare

• B, D, F and G

• All of the above are true statements

• None of the above are true statements

Page 23

Which of the following is a true statement about Knowledge Based Authentication?

• Knowledge Based Authentication authenticates the user via verification of life events, usually financial in nature

• Most of this Knowledge Based Authentication information is publicly available and can be easily stolen by an outsider

• The credit reports on which Knowledge Based Authentication is based often contain factual errors

• A and C are true statements about Knowledge Based Authentication

• B and C are true statements about Knowledge Based Authentication

• All of the above are true statements about Knowledge Based Authentication

• None of the above are true statements about Knowledge Based Authentication

Page 24

In the reading entitled “Crypto AG, the NSA’s Trojan Whore”, in which country was Hans Buehler (a top Crypto AG salesman) arrested in 1992, under suspicion of leaking encryption codes to Western intelligence?

• Iraq

• Iran

• Russia

• Syria

• North Korea

• Libya

• Canada

• None of the above

Page 25

Which of the following is the correct definition for Symmetric Encryption?

• A. A single shared key is used for both encryption and decryption.

• B. A pair of related but different keys is used, one for Encryption and the other for Decryption.

• C. Both A and B are correct definitions for Symmetric Encryption

• D. None of the above are correct definitions for Symmetric Encryption

Page 26

Which of the following is the correct definition for Asymmetric Encryption?

• A. A single shared key is used for both encryption and decryption.

• B. A pair of related but different keys is used, one for Encryption and the other for Decryption.

• C. Both A and B are correct definitions for Asymmetric Encryption

• D. None of the above are correct definitions for Asymmetric Encryption

Page 27

Which of the following best describes Steganography?

• A. The process of protecting sensitive information in non-production databases from inappropriate visibility. After sanitization, the database remains perfectly usable. The look-and-feel is preserved, but the information content is secure.

• B. The study of the principles and techniques by which information is overtly converted into a version that is difficult (ideally, impossible) for any unauthorized person to convert to the original information, while still allowing the intended reader to do so.

• C. The art and science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a covert (hidden) message

• D. A and C

• E. A and B

• F. None of the above definitions describe Steganography

• G. All of the above definitions describe Steganography

Page 28

The three primary uses for personal digital certificates are:

• A. Authentication, Password Control, Shoulder Surfing

• B. Digital Signing, Authentication, Data Retention

• C. Encryption, Software Forensics, ISO Compliance

• D. Encryption, Outsourcing, Digital Signing

• E. Authentication, Digital Signing, Encryption

• F. All of the above

• G. None of the above

• H. A, B and C, except in cases in which the end user is a cow

Page 29

Using the alphabet letter shifting method, decrypt the message below, using the following formula, in which "e" represents the encrypted letter and "d" represents the decrypted letter: "d" = "e" + 3. Assume a 26-letter, circular alphabet in which the letter A=1, B=2, C=3, D=4, E=5, F=6, G=7, etc.

• The secret message is: ZLTP XOB PILT

• A. "COWS ARE COOL"

• B. "COWS ARE FAST"

• C. "COWS ARE SLOW"

• D. "APES CAN WALK"

• E. "COWS EAT APES"

• F. None of the above

Page 30

A Public Key Infrastructure (PKI) can perform which of the following functions?

• A. Revoke digital certificates

• B. Issue digital certificates

• C. Distribute digital certificates

• D. Make copies of digital certificates issued by other organizations

• E. A, B and C

• F. B, C and D

• G. All of the above

• H. None of the above

Page 31

The relationship between Public Keys and Private Keys in a PKI is:

• A. The Public Key is used to both encrypt and decrypt data and the Private Key is used for creating a digital signature only.

• B. The Public Key is used for creating a digital signature only and the Private Key is used for both encrypting and decrypting data.

• C. The Public Key is used for encrypting data and the Private Key is used for creating a digital signature and for decrypting data.

• D. The Public Key is used for encrypting data and creating a digital signature and the Private Key is used for decrypting data and also for creating a digital signature

• E. The Public Key is used for encrypting data, the Private Key is used for decrypting data, and an Intermediary Key is used for creating a digital signature.

• F. A and E

• G. All of the above are true.

Page 33

The term “Key Escrow” refers to:

• The location where public and private keys are grown before they are distributed to users.

• The ISO-9000 compliant method by which encryption, decryption and digital signing take place.

• An arrangement in which the keys needed to decrypt encrypted data are copied and securely held in storage so that, under certain circumstances, an authorized third party may gain access to those keys.

• A place where digital certificates go to retire when they get old.

• C and D

• A and B

• All of the above

• None of the above

Page 34

Digital certificates all have expiration dates. Select the statement which best describes the benefits and drawbacks of short and long certificate lifetimes.

• Certificates with short lifetimes provide a greater assurance of validity, but create greater operational difficulties in terms of renewal due to their need to be renewed on a more frequent basis. Certificates with long lifetimes provide less assurance of validity, but from an operational standpoint are easier to manage because they require less frequent renewal.

• Certificates with long lifetimes provide a greater assurance of validity, but create greater operational difficulties in terms of renewal due to their need to be renewed on a less frequent basis. Certificates with short lifetimes provide less assurance of validity, but from an operational standpoint are easier to manage because they require more frequent renewal.

• The length of a certificate lifetime, whether it is short or long has no impact on the operational support required to manage a PKI, because digital certificates renew automatically by using a Certificate Revocation List (CRL).

• Certificates with short lifetimes are easier to renew than certificates with long lifetimes because certificates with short lifetimes are fresher and not as entrenched in the end user’s computer.

• None of the above is true.

• All of the above are true.

Page 35

Which of the following is true in relation to Trusted Root Authorities?

• A Trusted Root Authority is a digital certificate issuer recognized by all computers around the globe.

• Root Certificates from Trusted Root Authorities are stored in each computer’s central certificate store.

• To become a Trusted Root Authority in an Operating System or Internet Browser, your organization must undergo a stringent audit and pay a substantial sum of money, in most cases.

• Users should remove Trusted Root Authorities from their computer at least once per year because Trusted Root Authorities digitally degrade over time and lose reliability after 14 months, in most cases.

• Verisign is a well known Trusted Root Authority.

• Your UW-Madison digital certificate is chained to a Root Authority which is not trusted outside of the University of Wisconsin System.

• A, B, C, and D

• A, B, C, and E

• A, B, C, E and F

• All of the above are true.

• None of the above is true.

Page 36

A digital signature on an email provides proof of which of the following:

• That the email did indeed come from the purported (claimed) author, invalidating plausible denial.

• That the email was sent at the time and date indicated within the email.

• That the contents of the email have not been altered from the original form.

• A and B

• B and C

• A and C

• All of the above

• None of the above

Page 37

The following statements about Social Engineering is/are true:

• Social Engineering involves the use of psychological tricks in order to get useful information about a system.

• Social Engineering involves using psychological tricks to build inappropriate trust relationships with insiders

• Kevin Mitnick is one of the world’s best known Social Engineers, and he has been quoted as saying “The weakest link in the security chain is the human element”

• Social Engineering is successful because people are generally helpful, especially to those who are nice, knowledgeable and/or insistent.

• The primary methods of Social Engineering are: flattery, authority impersonation and threatening behavior.

• A well known Social Engineering technique involves using financial bribery to get the information desired by the Social Engineer.

• A, B and C

• A, B, D and E

• A, B, C, D and E

• All of the above

• None of the above

Page 38

Which of the following defense techniques should Administrators use to keep Social Engineering from working?

• Train employees to recognize situations in which they are being Socially Engineered.

• Teach employees to use Pretexting as a counter measure against suspected Social Engineers.

• Train employees to punch suspected Social Engineers in the face

• Perform Social Engineering role playing drills with employees

• Train employees on how to follow policies so that they will not become victims of Social Engineering.

• A, D and E

• A, B, D and E

• All of the above

• None of the above

Page 39

Which of the following is/are true statement(s) about Road Apples?

• A Road Apple uses physical media and relies on the curiosity or greed of the victim.

• Using a Road Apple to infiltrate a company’s systems is also known as “Baiting”.

• An example of a Road Apple is a USB drive or CD found in the parking lot, labeled with information which makes the potential victim curious about what is contained on the media.

• A Road Apple which does not function as intended, is commonly referred to as a “Rotten Road Apple”

• One way to partially combat Road Apples is to disable the “Autorun on inserted media” function on all corporate computers, although this method may not be 100% effective.

• “Apple Seeding” is a term commonly used for viruses that spread across organizational boundaries, caused by Road Apples.

• A, B, and C

• A, B, C, D and F

• A, B, C, and E

• All of the above

• None of the above

Page 40

Which of the following statements are false, in relation to Digital Forensics?

• A. Digital Forensics can pertain to legal evidence found in computers, digital storage devices and media.

• B. The goal of Digital Forensics is to explain the current state of a “digital artifact.”

• C. In the realm of Digital Forensics, a digital artifact is a computer system, storage media (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network.

• D. Digital Forensics tools can be used to recover data in the event of a hardware or software failure.

• E. Digital Forensics can be used to analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.

• F. Digital Forensics can be used to gather evidence against an employee that an organization wishes to terminate.

• G. Digital Forensics can be used to gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

• I. All of the above are false.

• J. None of the above are false.

Page 41

What does the term "Chain of Custody" mean?

• A. The organizational management and reporting structure of an information systems organization

• B. The statistical method used to determine who is to blame for a security breach in an organization

• C. The ability to demonstrate who has had access to the digital information being used as evidence

• D. The ISO-9000 endorsed method for tracking down how a virus was introduced into a secured network.

• E. The method used to covertly install malicious software within a network, by using a Trojan or Worm.

• F. The method used by Superhacker Kevin Mitnick, to hack mainframe computers in Malaysia.

• G. C and D

• H. None of the above

Page 42

What are the five generic steps used in the Digital Forensics process?

• A. Preparation of the investigator, Staging of the crime scene, Examination, Analysis, Reporting

• B. Preparation of the investigator, Collection of data, Examination, Fortification of data, Analysis

• C. Preparation of the investigator, Creation of data, Manipulation of data, Examination, Reporting

• D. Preparation of the investigator, Creation of data, Examination, Analysis, Reporting

• E. Preparation of the investigator, Collection of data, Examination, Analysis, Reporting

• F. Preparation of the investigator, Collection of data, Alteration of data, Analysis, Examination

• G. Preparation of the investigator, Collection of data, Examination, Analysis, Reporting

• H. None of the above

Page 43

Which of the following are important data handling processes?

• A. Establish and maintain the chain of custody.

• B. Handle the original evidence as little as possible to avoid changing the data.

• C. If important data is missing, do your best to re-create it using an educated guess, based on everything you know about the situation and your experience in similar situations.

• D. Document everything that has been done.

• E. Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.

• F. Wash your hands thoroughly before handling any internal hard disks.

• G. Your first priority should be to immediately make two backup copies of the data, regardless of the situation.

• H. Turn off the computer containing the important data as soon as you arrive on the scene, to avoid any potential further loss of data.

• I. All of the above are important data handling processes.

• J. None of the above are important data handling processes.

• J. A, B, C, D, and E

• K. A, B, D, and E

• L. A, B, D, E, and H

Page 44

What makes Knoppix a good tool for use in Digital Forensics collection situations?

• A. Knoppix can be loaded directly from a CD.

• B. Knoppix can be loaded from a USB flash drive.

• C. Knoppix already comes pre-loaded on most machines, and can be loaded directly from where it resides in the boot sector of the hard disk.

• D. Knoppix will not alter data on the hard disk

• E. A, B and D

• F. All of the above are things which make Knoppix a good tool for use in Digital Forensics collection situations.

• G. None of the above are things which make Knoppix a good tool for use in Digital Forensics collection situations because Knoppix is fake vaporware, which does not even exist!!!

Page 45

Which piece of Digital Forensics evidence was critical in the capture of the BTK Killer?

• A. Fingerprints left on a floppy disk, which was sent to the police by the suspect.

• B. A digital photograph taken with a hidden camera setup in the suspect's home.

• C. Data gathered from the suspect's MySpace webpage.

• D. Emails from the suspect which were collected by AT&T's NARUS device, based on keyword filtering, which were then turned over to the FBI for analysis.

• E. Metadata which was unknowingly included in a Microsoft Word document, which was sent on a floppy disk to the police, by the suspect.

• F. A and E

• G. All of the above

• H. None of the above

Page 46

Which of the following could an Intrusion Detection System (IDS) detect?

• A. Employees photocopying information at Kinko's, against company policy.

• B. Which files have been backed up onsite and which files have been backed up offsite.

• C. When sensitive information leaves the building on CD-ROM or USB drive.

• D. Host Based Attacks (privilege escalation)

• E. Malware, Viruses, Trojan Horses and Worm related activities on the network

• F. Attacks against a specific service, such as File Transfer Protocol (FTP)

• G. Data driven attacks at the application layer. For example, an SQL injection error is a data driven attack.

• H. A, B, and C

• I. D, E, F, and G

• J. All of the above can be detected by an Intrusion Detection system.

• K. None of the above can be detected by an Intrusion Detection system.

Page 47: Uw madison information systems 365 information security exam - answer key presentation

Which of the following correctly defines each of the three components of an Intrusion Detection System (Sensors, Console and Engine)?

• A. Sensors = Monitors events, alerts and controls sensors

• Console = Generate security events such as log files

• Engine = Analyzes the data using artificial Intelligence to generate alerts from the events received

• B. Sensors = Analyzes the data using artificial intelligence to generate alerts from the events received

• Console = Monitors events, alerts and controls sensors

• Engine = Generate security events such as log files

• C. Sensors = Generate security events such as log files

• Console = Monitors events, alerts and controls sensors

• Engine = Analyzes the data using artificial intelligence to generate alerts from the events received

• None

Page 48

Which of the following is/are type(s) of Intrusion Detection Systems described in the lecture slides on Intrusion Detection Systems?

• A. Network Based Intrusion Detection System (NDS)

• B. Protocol Based Intrusion Detection System (PIDS)

• C. Language Based Intrusion Detection System (LIDS)

• D. Stationary Based Intrusion Detection System (SIDS)

• E. Platform Based Intrusion Detection System (PIDS)

• F. Laptop Based Intrusion Detection System (LIDS)

• G. Centralized Output Workflow System (COWS)

• H. Stand Alone Storage Intrusion Detection System (SASIDS)

• I. Application Protocol Based Intrusion Detection System (APIDS)

• J. Host Based Intrusion Detection System (HIDS)

• K. Hybrid System

• L. A, B, I, J, K

• M. A, B, C, D, E, F, I, J

• N. A, B, D, F, G, H

• O. A, B, D, E, F, G, I, J

• P. All of the above is/are type(s) of Intrusion Detection Systems described in the lecture slides on Intrusion Detection Systems.

• Q. None of the above is/are type(s) of Intrusion Detection Systems described in the lecture slides on Intrusion Detection Systems.

Page 49

How is a Firewall different from an Intrusion Detection System (IDS)?

• A. Firewalls look outwardly and protect from external attacks

• B. An IDS evaluates a suspected intrusion after it has taken place and signals an alarm.

• C. An IDS also watches for attacks that originate from within a system.

• D. A Firewall is hot to the touch (that is why it is called a Firewall), and IDS systems are always cold to the touch.

• E. A and B

• F. A, B, and C

• G. All of the above

• H. None of the above

Page 50

A Unified Threat Management (UTM) appliance can perform which of the following functions?

• A. Firewall

• B. Spell checking

• C. Provide emergency power to servers, from its internal backup batteries

• D. Detect software logic bugs

• E. Virus Scanning

• F. Content Filtering

• G. VPN

• H. Anti-Spam

• I. Intrusion Detection and Prevention

• J. A, C, E, F, G, H and I

• K. A, D, E, F, G, H and I

• L. A, E, F, G, H, and I

• M. All of the above

• N. None of the above

Page 51

HIPAA, SOX and GLB all require similar mechanisms for protection of data. These data protection mechanisms are:

• A. Authentication of sender and receiver of data

• B. Recreation of missing data

• C. Auditing of data

• D. Protection of data, usually involving the use of encryption

• E. Deletion of any data which contains personal information about customers.

• F. Data Integrity Proof, usually involving use of digital signatures

• G. A, C, D

• H. A, C, D and F

• I. A, C, D, E and F

• J. A, C, D and E

• K. All of the above

• L. None of the above

Page 52

Which of the following accurately define the terms vulnerability and exploit?

• A. A security risk with one or more known instances of working and fully-implemented attacks is classified as an exploit.

• B. A security risk is classified as a vulnerability if it is recognized as a possible means of attack.

• C. A security risk with one or more known instances of working and fully-implemented attacks is classified as a vulnerability.

• D. A security risk is classified as an exploit if it is recognized as a possible means of attack.

• E. A and B accurately define and describe vulnerabilities and exploits

• F. C and D accurately define and describe vulnerabilities and exploits

• G. All of the above accurately define and describe vulnerabilities and exploits

• H. None of the above accurately define and describe vulnerabilities and exploits

Page 53

The difference between Limited Disclosure and Responsible Disclosure is:

• A. Limited Disclosure means that full details of a vulnerability and/or exploit should go to a restricted community of developers and vendors, and only information about the general existence of the problem is released to the public, while Responsible Disclosure advocates that full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround.

• B. Responsible Disclosure means that full details of a vulnerability and/or exploit should go to a restricted community of developers and vendors, and only information about the general existence of the problem is released to the public, while Limited Disclosure advocates that full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround.

• C. Neither of the above statements correctly describe the difference between Limited Disclosure and Responsible Disclosure.

Page 54

What happens in a Buffer Overflow exploit?

• A. A process attempts to store data beyond the boundaries of a fixed-length storage area in memory.

• B. User input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

• C. An application is ordered to access a computer file in hard disk storage that is not intended to be accessible.

• D. Web applications unintentionally allow code injection by malicious web users into the web pages viewed by other users

• E. A and B

• F. C and sometimes D

• G. All of the above

• H. None of the above

Page 55

Which of the following are not classified as elements of Physical Security?

• A. Material obstacles such as walls and fences are put in place, to frustrate trivial attackers and delay serious ones.

• B. Alarms, security lighting, and security guard patrols are used and closed-circuit television cameras are viewed by guards, to make it likely that attacks will be noticed.

• C. Network traffic is monitored by an automated Intrusion Detection System, for potential Denial of Service attacks.

• D. Security forces (guards) respond to alarms, to repel, catch or frustrate attackers when an attack is detected.

• E. A and B are not elements of Physical Security.

• F. All of the above are not elements of Physical Security.

Page 56

How are "Honeypots" used as part of a network security strategy?

• A. "Honeypots" are essentially decoy network-accessible resources, purposely designed and deployed with known vulnerabilities, to attract attackers. A Honeypot computer could be deployed in a network as a surveillance and/or early-warning tool to warn that someone is snooping or probing the network for vulnerabilities.

• B. "Honeypot" is a 100% imaginary made-up term that means nothing at all. We never studied "Honeypots" in class.

• C. “Honeypots” are essentially computers which are designed to trap hackers in a data hive and disable the attacking machine through intrusion quarantine so that the hacker can’t attack other machines on the network.

• D. A and C

• E. None of the above

Page 57

The generic Change Control process we studied in class consists of how many discrete steps?

• A. 4

• B. 7

• C. 3

• D. 5

• E. 8

• F. 6

• G. None of the above

Page 58

Class Project

• Pick a publicly traded company or organization with international as well as domestic operations

• Fill out the Security Audit Template (by hand is fine, but please print carefully, so I can read it.)

• Write a five page Executive Summary

• Prepare a 20-25 slide PowerPoint presentation and prepare for 5 minutes of questions

Page 59

Rest of Today and Thursday

• Meet with your team member today.

• Pick a company or organization and send it to Nick via email

• Read through the template today, together

• Thursday, we will cover the entire template in class

• Next Tuesday, Nick will give a presentation of Coca-Cola as an example, along with an Executive Summary.

• Thursday the 13th of November will be a group work day…I’ll be in class to answer questions

• Tuesday the 18th will be current events in IT Security, class day

• Thursday the 20th of November will be a group work day…I’ll be in class to answer questions

• First presentations will be the 25th of November