Quiz Questions Flashcards

1
Q
Denial-of-Service attacks can only happen at the network layer.
A

False

2
Q

For DDoS traceback (Savage et al. ’00), a path can be reconstructed even if just one packet through the path is obtained.

A

False

3
Q
Denial-of-Service attacks always involve sending a very large amount of traffic.
A

False

4
Q
For DoS mitigation, a SYN cookie ensures that a client is honest because it must ACK the SYN-ACK cookie from the server, and cannot reuse an old one.
A

True
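
Added example (not part of the original flashcards): a toy SYN cookie in Python showing what this card's answer rests on. The server keeps no state for a half-open connection; the initial sequence number it puts in the SYN-ACK is a MAC over the connection 4-tuple plus a coarse time counter, so a client's ACK (cookie + 1) proves it received that SYN-ACK, and a cookie older than a couple of counter ticks is rejected. The secret, counter period, bit layout and MSS table below are assumptions for illustration, not the Linux implementation.

```python
import hashlib
import hmac

# Assumed server-side secret and layout for illustration (Linux rotates secrets and uses a 5-bit counter).
SECRET = b"constructed-syn-cookie-secret-do-not-reuse"
MSS_TABLE = [536, 1300, 1440, 1460]   # encodable MSS values (assumed table)
COUNTER_PERIOD = 64                   # seconds per counter tick
COUNTER_BITS, MSS_BITS, HASH_BITS = 5, 3, 24   # 5 + 3 + 24 = 32-bit ISN
MASK32 = 0xFFFFFFFF


def _counter(now):
    return int(now // COUNTER_PERIOD) & ((1 << COUNTER_BITS) - 1)


def _mac(src_ip, dst_ip, src_port, dst_port, count):
    # Bind the cookie to the 4-tuple and the counter value; truncate the HMAC to 24 bits.
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, mss, now):
    """ISN the server sends in its SYN-ACK instead of queueing a half-open connection."""
    count = _counter(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (count << (MSS_BITS + HASH_BITS)) | (mss_idx << HASH_BITS) | _mac(src_ip, dst_ip, src_port, dst_port, count)


def check_syn_cookie(src_ip, dst_ip, src_port, dst_port, ack, now, max_age_ticks=1):
    """Validate the client's ACK, which must carry cookie + 1.
    Returns the MSS to use, or None if the cookie was forged, belongs to a different
    4-tuple, or is older than max_age_ticks counter periods (replay of an old SYN-ACK)."""
    cookie = (ack - 1) & MASK32
    count = cookie >> (MSS_BITS + HASH_BITS)
    mss_idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    if (_counter(now) - count) & ((1 << COUNTER_BITS) - 1) > max_age_ticks:
        return None   # stale: an old cookie cannot be reused after the window closes
    if (cookie & ((1 << HASH_BITS) - 1)) != _mac(src_ip, dst_ip, src_port, dst_port, count):
        return None   # wrong MAC: the ACK was not derived from our SYN-ACK for this 4-tuple
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    c = make_syn_cookie("10.0.0.5", "192.0.2.1", 40000, 443, 1460, now=1000)
    print(check_syn_cookie("10.0.0.5", "192.0.2.1", 40000, 443, (c + 1) & MASK32, now=1010))
    print(check_syn_cookie("10.0.0.5", "192.0.2.1", 40000, 443, (c + 1) & MASK32, now=1000 + 3 * COUNTER_PERIOD))
```

Caveat the card glosses over: within the validity window a cookie replayed from the same source address is still accepted, and only what fits in 32 bits survives (here the MSS index), so other TCP options are lost. What the cookie really proves is that whoever completes the handshake can receive packets at the claimed source address, which is exactly what a spoofed SYN flood cannot do.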

5
Q
DoS attacks always use spoofed IP addresses.
A

False

6
Q
Everyone who frequents underground forums is a cybercriminal or intends to be one.
A

False

7
Q
A lot of cybercrime content on the web remains invisible even to a very powerful search engine like Google.
A

True

8
Q
If a botnet uses randomly generated domains each day for command-and-control (C&C), then there is no way to detect and block the C&C domains.
A

False

9
Q
Cyber frauds and scams such as online “pharmacies” can only fool their victims once; that is, no user will become a repeat “customer”.
A

False

10
Q
If I click on a phishing link and end up on a site, but I don’t provide valuable information such as my credit card number to the site, nothing bad can happen.
A

False

11
Q

Penetration testing is limited to only the technological security controls.

A

False

12
Q

A benefit of thorough penetration testing is the accurate accounting of network infrastructures and applications.

A

True

13
Q

A penetration test is always launched from outside the enterprise network being tested.

A

False

14
Q

Fake news can be considered as a social engineering attack.

A

True

15
Q

A penetration test can combine physical as well as cyber/network access to the organization being tested.

A

True

16
Q

The ads on a web page can be used to carry out malicious functions.

A

True

17
Q

Browser extensions and plugins available in an official store (e.g., the Chrome Web Store) can always be trusted not to contain malicious logic.

A

False

18
Q

The Same Origin Policy (SOP) for DOM and the SOP for cookies have different definitions of “origin”.

A

True

19
Q

A content security policy (CSP) specifies the allowable sources of web page contents. This is essentially a whitelist approach.

A

True

20
Q

HTTPS cookies are always secure and can be trusted.

A

False
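
Added example (not part of the original flashcards) for cards 18 and 20: the two definitions of “origin” side by side in Python. The DOM same-origin policy compares (scheme, host, port); the cookie jar compares only the Domain and Path attributes, and looks at the scheme only when the Secure flag is set. The helper functions, hostnames and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def dom_origin(url):
    """Origin as the DOM same-origin policy defines it: (scheme, host, port)."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme])


def same_dom_origin(url_a, url_b):
    return dom_origin(url_a) == dom_origin(url_b)


def make_cookie(name, domain, path="/", secure=False, host_only=True):
    """A stored cookie as the browser keeps it: the RFC 6265 attributes that decide its scope."""
    return {"name": name, "domain": domain.lower(), "path": path, "secure": secure, "host_only": host_only}


def cookie_is_sent(cookie, url):
    """Cookie scope: Domain (host-only or domain-match), Path prefix, Secure flag.
    Compared with dom_origin(), the port is absent and the scheme only matters when Secure is set."""
    u = urlsplit(url)
    host, path = u.hostname, u.path or "/"
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False
    elif not (host == cookie["domain"] or host.endswith("." + cookie["domain"])):
        return False   # RFC 6265 domain-match: any subdomain of the Domain attribute qualifies
    cpath = cookie["path"]
    path_ok = path == cpath or (path.startswith(cpath) and (cpath.endswith("/") or path[len(cpath)] == "/"))
    if not path_ok:
        return False
    if cookie["secure"] and u.scheme != "https":
        return False   # the only scheme check the cookie jar ever makes
    return True


if __name__ == "__main__":
    sid = make_cookie("sid", "app.example.com")            # set over HTTPS but without Secure
    print(same_dom_origin("https://app.example.com/", "http://app.example.com/"))   # False
    print(cookie_is_sent(sid, "http://app.example.com/"))                           # True: leaks over plain HTTP
    print(same_dom_origin("https://app.example.com/", "https://app.example.com:8443/"))  # False
    print(cookie_is_sent(sid, "https://app.example.com:8443/"))                     # True: ports are ignored
```

The mismatches are the point of both cards: a session cookie set by an HTTPS page without the Secure flag goes out over http://app.example.com, where a network attacker can read it (card 20); a cookie with Domain=example.com reaches every sibling host; and a service on port 8443 shares the cookie jar with port 443 even though the DOM treats them as different origins (card 18).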

21
Q

When you connect to Gmail, the SSL/TLS handshake takes place after you have successfully logged in.

A

False

22
Q

To securely log out a user, it is sufficient to delete the SessionToken in the client browser.

A

False
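
Added example (not part of the original flashcards): a minimal server-side session store in Python that contrasts a client-side-only logout with server-side revocation. The class, the user names and the leaked-token scenario are constructed for illustration.

```python
import hashlib
import os


class SessionStore:
    """Server-side session table. The browser only holds a bearer token; the record here is the session."""

    def __init__(self, ttl=3600):
        self.ttl = ttl
        self._sessions = {}   # sha256(token) -> {"user": ..., "expires": ...}

    @staticmethod
    def _key(token):
        # Store a digest so a leaked session table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now):
        token = os.urandom(32).hex()   # 256-bit random bearer token, never derived from user data
        self._sessions[self._key(token)] = {"user": user, "expires": now + self.ttl}
        return token

    def resolve(self, token, now):
        """User for a presented token, or None if unknown, expired or revoked."""
        rec = self._sessions.get(self._key(token))
        if rec is None or rec["expires"] <= now:
            return None
        return rec["user"]

    def logout(self, token):
        """Revoke on the server: after this, any captured copy of the token is worthless."""
        return self._sessions.pop(self._key(token), None) is not None

    def logout_everywhere(self, user):
        """Revoke every session of a user (password change, 'sign out of all devices')."""
        doomed = [k for k, rec in self._sessions.items() if rec["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def compare_logout_strategies(now=1000):
    """Returns what the server answers for a captured token after each kind of logout."""
    store = SessionStore()
    token = store.login("alice", now)
    captured = token                 # constructed scenario: the token leaked earlier (XSS, logs, ...)
    browser_jar = {"sid": token}
    browser_jar.pop("sid")           # client-side-only "logout": cookie gone, server unchanged
    after_client_only = store.resolve(captured, now + 60)    # still "alice"
    store.logout(token)              # real logout: server-side revocation
    after_server_revoke = store.resolve(captured, now + 60)  # None
    return after_client_only, after_server_revoke


if __name__ == "__main__":
    print(compare_logout_strategies())
```

Deleting the cookie only changes what this browser will send; the session record on the server, and any copy of the token an attacker already holds, stay valid until the server drops the record or the TTL runs out. Short TTLs bound the damage; revocation ends it.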

23
Q

If Georgia Tech owns both the www.gatech.edu and www.gatech.edu.uk domains, it must use two different certificates.

A

False

24
Q

Browsers typically accept certificates from only a handful of CAs.

A

False

25
Q

The random sequence number in the SYN/ACK packet can prevent an attacker from establishing a TCP session but cannot prevent him from launching a DoS.

A

True

26
Q

Using ARP spoofing an attacker can cause traffic to a gateway to instead be sent to his machine (on the same LAN).

A

True

27
Q

Incorrect BGP advertisements by a node can be detected by other nodes and therefore the incorrect advertisements will not be propagated.

A

False

28
Q

In Kaminsky’s Poisoning attack, the attacker floods the local resolver with responses that point the name server of a domain (e.g., www.gatech.edu) to his machine.

A

True

29
Q

DNSSEC relies on a public-key infrastructure (PKI).

A

True

30
Q

If a program is packed (i.e., encrypted and compressed), it must be malware.

A

False

31
Q

It is impossible to achieve absolute, complete transparency in malware analysis because, e.g., malware can use network timing to detect the analyzer (because traffic goes through the analyzer, which can cause additional delay).

A

True

32
Q

If emulator-based obfuscation is in use, the system calls produced by running the “malware” are from the emulator program and cannot be easily analyzed to reveal the original malware logic.

A

True

33
Q

If you download apps from only the official app store, your phone will be free of mobile malware.

A

False

34
Q

In malware analysis, dynamic fuzzing is useful when symbolic execution fails to yield results quickly.

A

True

35
Q

All data privacy issues in cloud computing can be solved by just encrypting data in transmission (over the Internet) and at rest (storage in the Cloud).

A

False

36
Q

A main challenge in virtual machine monitoring is the need to understand the memory layouts of data structures of the operating system and applications in the guest virtual machine.

A

True

37
Q

A drawback of virtual machine monitoring is the high time overhead.

A

True

38
Q

The use of property-preserving encryption can lead to privacy leakage (e.g., revealing a user’s gender and even identity).

A

True

39
Q

If we don’t trust the cloud provider, e.g., we believe it will observe our data access patterns to find out what we are doing, then there is nothing we can do other than not using the cloud provider.

A

False

40
Q

If a computer sends a heartbeat message to an Internet site and receives some command and data from the site every day, it must be a (malicious) bot (of a botnet).

A

False

41
Q

If a computer sends out scanning traffic, it must be a (malicious) bot (of a botnet).

A

False

42
Q

If a domain name is random looking (e.g., we can’t find any part of it in a dictionary), it must be the domain name of a botnet C&C server.

A

False
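
Added example (not part of the original flashcards) serving cards 8 and 42: a Python detector over a constructed resolver log that flags a client only when it produces a burst of NXDOMAIN answers for high-entropy names, the idea behind NXDOMAIN-clustering DGA detection, rather than flagging any random-looking name. The log lines, the thresholds, and the use of the leftmost label (no public-suffix list) are assumptions for illustration.

```python
import math
from collections import defaultdict


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _dga_label(i):
    # Deterministic stand-in for DGA output: 16 distinct letters, so entropy is exactly 4 bits.
    return "".join(chr(ord("a") + (i * 7 + k * 11) % 26) for k in range(16))


# Constructed resolver log, "<unix_ts> <client_ip> <qname> <rcode>" (not from any real dataset).
SAMPLE_LOG = (
    # 10.0.0.7: a bot walking its daily DGA list, 15 NXDOMAINs in under 30 seconds
    [f"{1000 + 2 * i} 10.0.0.7 {_dga_label(i)}.com NXDOMAIN" for i in range(15)]
    # 10.0.0.8: a random-looking CDN hostname that resolves fine, plus one stray NXDOMAIN
    + ["1003 10.0.0.8 d7f3k2m9q1z4.cdn.example.net NOERROR",
       "1004 10.0.0.8 d7f3k2m9q1z4.cdn.example.net NOERROR",
       "1009 10.0.0.8 xq9wvk2tpl.example.org NXDOMAIN"]
    # 10.0.0.9: a human mistyping a couple of names
    + ["1020 10.0.0.9 gogle.com NXDOMAIN",
       "1025 10.0.0.9 faecbook.com NXDOMAIN",
       "1031 10.0.0.9 www.gatech.edu NOERROR"]
)


def parse(lines):
    for line in lines:
        ts, client, qname, rcode = line.split()
        yield int(ts), client, qname.lower(), rcode


def find_dga_clients(lines, window=60, min_nx=10, min_entropy=3.0):
    """Clients with at least min_nx NXDOMAIN answers for high-entropy names inside any window of
    `window` seconds. Returns {client_ip: max count seen in one window}."""
    nx_times = defaultdict(list)
    for ts, client, qname, rcode in parse(lines):
        label = qname.split(".")[0]          # simplification: leftmost label, no public-suffix handling
        if rcode == "NXDOMAIN" and entropy(label) >= min_entropy:
            nx_times[client].append(ts)
    flagged = {}
    for client, times in nx_times.items():
        times.sort()
        j, best = 0, 0
        for i, t in enumerate(times):        # sliding window over sorted timestamps
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_nx:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    print(find_dga_clients(SAMPLE_LOG))   # only 10.0.0.7
```

The resolving CDN hostname and the single stray NXDOMAIN are not flagged, which is card 42: randomness alone proves nothing. The burst of failed lookups is what gives the bot away, which is card 8; and once the generation algorithm and seed are recovered from the malware, tomorrow's names can be computed in advance and sinkholed or blocked.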

43
Q

An important benefit of directing botnet C&C traffic to a DNS sinkhole is the capturing of bot IP addresses.

A

True

44
Q

BotMiner can detect botnets that use centralized C&C servers as well as botnets that use P2P for C&C.

A

True

45
Q

When scanning the IPv4 space using a tool such as Zmap, every scan (with the same parameters) should return the same results.

A

False

46
Q

Zmap uses widely (and randomly) dispersed scanning targets to achieve high speed.

A

True

47
Q

The goal of a domain reputation system such as Notos is to identify newly created or previously unclassified malicious domains.

A

True

48
Q

If an IP address (i.e., an Internet host) is known to have hosted malicious domains, then the reputation of any domain that is resolved to (i.e., hosted by) this IP address is also tainted (i.e., more likely than others to be malicious).

A

True

49
Q

Before we attempt a botnet takedown, we need to first investigate its infrastructure, and so all we need to do is to run the bot malware in a sandbox environment for a few minutes and observe the domain(s) that it uses.

A

False

50
Q

The use of machine learning (ML) in security is a very recent development (i.e., only started in the last few years).

A

False

51
Q

A bot sends spam only during the day because the attacker has learned that sending spam at night is flagged as an anomaly by an ML-based detection system. This is called an evasion attack on machine learning.

A

True

52
Q

To make a causative (or, poisoning) attack on machine learning successful, an attacker just needs to inject random noise into the training data.

A

False

53
Q

One of the reasons why PAYL can be evaded is that it is very simple: the features are very simple and the anomaly detection model is also very simple.

A

True
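
Added example (not part of the original flashcards) serving cards 51 and 53: a 1-gram PAYL-style byte-frequency model in Python, trained on a few constructed HTTP requests, and a polymorphic-blending evasion that pads an attack payload until its byte distribution matches the model's mean. The traffic samples, the stand-in attack payload, the smoothing constant and the single-model simplification (real PAYL keeps one model per destination port and payload length) are assumptions for illustration.

```python
import math
from collections import Counter

ALPHA = 0.01   # smoothing: a byte never seen in training still costs |f| / ALPHA when it appears


def byte_freq(payload):
    """Relative frequency of each of the 256 byte values."""
    n = len(payload)
    counts = Counter(payload)
    return [counts.get(b, 0) / n for b in range(256)]


class Payl:
    """Per-byte mean and standard deviation of relative frequency over normal payloads,
    scored with a smoothed Mahalanobis-style distance. Simple features, simple model."""

    def __init__(self):
        self.mean = [0.0] * 256
        self.std = [0.0] * 256
        self.threshold = 0.0

    def train(self, payloads):
        freqs = [byte_freq(p) for p in payloads]
        m = len(freqs)
        self.mean = [sum(f[b] for f in freqs) / m for b in range(256)]
        self.std = [math.sqrt(sum((f[b] - self.mean[b]) ** 2 for f in freqs) / m) for b in range(256)]
        # Calibrate on the training data: nothing normal scored higher than this.
        self.threshold = max(self.score(p) for p in payloads)

    def score(self, payload):
        f = byte_freq(payload)
        return sum(abs(f[b] - self.mean[b]) / (self.std[b] + ALPHA) for b in range(256))

    def is_anomalous(self, payload):
        return self.score(payload) > self.threshold


def blend(attack, model, factor=1000):
    """Evasion: append padding so the 1-gram distribution of the whole payload approximates the
    model's mean. Assumes the target ignores the padding (e.g. it lies past what the vulnerable
    parser consumes); the attack bytes themselves are left untouched."""
    target_len = len(attack) * factor
    have = Counter(attack)
    padding = bytearray()
    for b in range(256):
        want = round(model.mean[b] * target_len)
        padding.extend([b] * max(0, want - have.get(b, 0)))
    return bytes(attack) + bytes(padding)


# Constructed "normal" traffic: a handful of plain HTTP requests (not captured from any real host).
NORMAL_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.88\r\nAccept: */*\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"GET /search?q=syn+cookies&page=2 HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"GET /about HTTP/1.1\r\nHost: www.example.com\r\nCookie: sid=abc123\r\nAccept: text/html\r\n\r\n",
    b"GET /news/2020/01 HTTP/1.1\r\nHost: www.example.com\r\nAccept-Language: en-US\r\n\r\n",
]
# Constructed stand-in for a binary exploit payload: every high byte twice, nothing that looks like HTTP.
ATTACK_PAYLOAD = bytes(range(0x80, 0x100)) * 2


def demo():
    """(raw attack flagged?, blended attack flagged?)"""
    model = Payl()
    model.train(NORMAL_PAYLOADS)
    return model.is_anomalous(ATTACK_PAYLOAD), model.is_anomalous(blend(ATTACK_PAYLOAD, model))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The raw payload scores far above the threshold because of 128 byte values the model never saw; after blending, the same bytes are a negligible fraction of a payload whose overall distribution is the training mean, and the detector passes it. Nothing about the training data changed, so this is evasion (card 51), not poisoning (card 52); the model can be fooled because 1-gram frequencies carry no information about byte order (card 53).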

54
Q

It is very hard to prevent poisoning attack when we don’t have complete control of the process of generating or collecting training data (and hence can’t ascertain the authenticity and integrity of training data).

A

True

55
Q

If we replicate our valuable data and store the copies in multiple servers, we can improve (or, at the least, not weaken) its availability, integrity, and confidentiality.

A

False

56
Q

In secret sharing, one can create as many shares as one desires (i.e., n can be arbitrarily large), but having too many shares increases the chance of an attacker acquiring enough (i.e., at least k) shares to obtain the original secret.

A

True
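
Added example (not part of the original flashcards) serving cards 55 and 56: Shamir's (k, n) threshold scheme in Python over a prime field, plus the binomial tail that makes the second half of card 56 precise. The field modulus and the per-share compromise probability are assumptions for illustration.

```python
import math
import secrets

PRIME = 2**127 - 1   # field modulus (assumed; any prime larger than the secret and n works)


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n):
    """n shares of which any k recover the secret; n may be as large as one likes (below PRIME)."""
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    # Random degree-(k-1) polynomial with the secret as constant term.
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME). With fewer than k shares the result is
    a uniformly random field element, i.e. no information about the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def p_attacker_reaches_threshold(n, k, p):
    """Probability that an attacker who compromises each share holder independently with
    probability p ends up with at least k of the n shares (binomial tail). For fixed k this
    grows with n: every extra share is another place the secret can be collected from."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


if __name__ == "__main__":
    shares = split_secret(0xDEADBEEF, 3, 5)
    print(hex(recover_secret(shares[:3])), hex(recover_secret(shares[:2])))
    print(p_attacker_reaches_threshold(5, 3, 0.1), p_attacker_reaches_threshold(20, 3, 0.1))
```

Contrast with card 55: replicating the data itself to n servers multiplies the places where a single compromise reveals everything (confidentiality gets worse as n grows), whereas with shares the attacker needs k of them, and the tail probability above is what "too many shares" costs.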

57
Q

In the Byzantine Fault-Tolerance model discussed in the lecture, it is assumed that a replica can be faulty (e.g., gives a wrong answer) or simply not responding (e.g., has crashed).

A

True

58
Q

To improve the tolerance against cyberattacks, we can use several replicated systems (with the same hardware and software) instead of just one.

A

False