Study

Question 1

Give an example where increased security reduces usability, and suggest a balanced solution.

Answer 1

2FA with very complex password requirements. A solution is to have 2FA with normal requirements.

Question 2

What does the CIA triad stand for?

Answer 2

Confidentiality, integrity and Availability

Question 3

These tables store precomputed hash values and are used to speed up the process of reversing a hash to reveal a password?

Answer 3

Rainbow Tables

Question 4

What are the three RBAC extensions beyond RBAC0 (RBAC1, RBAC2, RBAC3), and how do they enhance access control?

Answer 4

RBAC1 - Hierarchy

RBAC2 - Constraints

RBAC3- Combined

Question 5

What is a Bloom filter, and how is it used in password security?

Answer 5

A Bloom filter is a data structure used to test whether an element is a member of a set. It is used in password security to efficiently check if a password is weak. However, it can produce false positives.

Question 6

What is the ciphertext of:

01000001 01001001 (Plaintext)

XOR

01000100 01000001 (Key)

Answer 6

00000101 00001000

Question 7

In Unix control what are the three types of user categories ?

Answer 7

Owner, group, world

Question 8

What is the Weakness of ECB mode in block cipher encryption ?

Answer 8

ECB (Electronic Codebook) mode is insecure because identical plaintext blocks are encrypted to the same ciphertext, revealing patterns that can be exploited. Large inputs are potentially more vulnerable.

Question 9

What is the difference between a threat and an attack?

Answer 9

A threat is a potential cause of harm, while an attack is an actual attempt to exploit a vulnerability.

Question 10

What is the formula for risk analysis?

Answer 10

Likelihood * Impact

Question 11

What does “psychological acceptability “ refer to in security design?

Answer 11

Psychological acceptability means designing security measures that do not unduly interfere with the user’s work.

Question 12

What is an attack tree, and what are the different parts of it.

Answer 12

An attack tree is a diagram used to model the different ways an attack can occur. It has a root (objective), leaf nodes (comprise the attack), sub nodes (attack events)

Question 13

What is the main difference between symmetric and asymmetric encryption?

Answer 13

Symmetric encryption uses the same key for both encryption and decryption, while asymmetric encryption uses a pair of keys (public and private)

Question 14

What is a hash function in cryptography and what is it’s main purpose?

Answer 14

A hash function takes an input and returns a fixed-size string of characters, typically used for integrity verification

Question 15

This code is used to verify the integrity and authenticity of a message.

Answer 15

What is a message authentication code (MAC)

Question 16

What is the purpose of access control in security?

Answer 16

Access control determines who can access what resources and ensures that only authorized individuals can perform certain actions.

Question 17

What are problems with passwords?

Answer 17

Passwords can be hard to remember, and can be cracked easier than other means.

Question 18

What are biometric authentication methods, how do they enhance security, and what is a problem with it.

Answer 18

Biometric authentication uses unique physiological characteristics (e.g., fingerprints, facial recognition) to verify identity, providing a higher level of security and convenience. Problems could be if someone lacks the biometric, and it is hard to change if compromised.

Question 19

In UNIX-based systems, this user has unrestricted access to all resources and can perform any administrative task.

Answer 19

Who is the superuser

Question 20

What is the purpose of an access control list (ACL)?

Answer 20

It defines permissions for users or groups on specific resources, determining who can read, write, or execute files.

Question 21

Explain the difference between identification, authentication, authorization, and auditing.

Answer 21

Identification is claiming an identity, authentication is verifying it, authorization determines what the authenticated user can do, and auditing tracks actions to ensure compliance.

Question 22

What are the key differences between DAC, MAC, and RBAC?

Answer 22

DAC (Discretionary Access Control) allows owners to set permissions, MAC (Mandatory Access Control) is based on predefined policies(often security clearances), and RBAC (Role-Based Access Control) grants access based on user roles.

Question 23

What is the difference between an insider and an outsider threat?

Answer 23

An insider threat comes from someone within the organization, while an outsider threat originates from someone external.

Question 24

What is the ciphertext of hello, caesar cipher with a shift of 7.

Answer 24

Olssv

Question 25

What is a digital envelope in the context of encryption, and what is its benefit.

Answer 25

A digital envelope is a cryptographic concept that combines the benefits of both symmetric and asymmetric encryption to securely transmit data. Usually the secret key is encrypted using asymmetric encryption, and the message is encrypted with the secret key.

Question 26

Give an example of a passive attack and an active attack.

Answer 26

A passive attack is eavesdropping on network traffic; an active attack is modifying or injecting data(DDOS).

Question 27

What is the difference between fail-safe and fail-secure mechanisms?

Answer 27

Fail-safe defaults to allowing access during failures, while fail-secure defaults to denying access.

Question 28

What is salting in password hashing, and why is it important?

Answer 28

Salting is the process of adding a random value (called a salt) to a password before hashing it. This ensures that even if two users have the same password, their hashed values will be different.

Question 29

You are designing a secure system for storing passwords. You have the option of using either a fast cryptographic hash function or a slower function. Which should you choose and why?

Answer 29

A slower hash function will produce a safer hash function for passwords.

Question 30

Given n = 45, e = 3, d= 11, m = 4 What is the ciphertext and what is the formula?

Answer 30

c= m^e mod n c = 19

Question 31

What is Confidentiality?

Answer 31

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Question 32

What is Integrity?

Answer 32

Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.

Question 33

What is Availability?

Answer 33

Ensuring timely and reliable access to and use of information. Assures that systems work promptly and service is not denied to authorized users.

Question 34

What is Authenticity?

Answer 34

The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.

Question 35

What is Accountability?

Answer 35

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Question 36

What is an Adversary?

Answer 36

Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.

Question 37

What is a Countermeasure?

Answer 37

A device or techniques that has as its objective the impairment of the operational effectiveness of undesirable or adversarial activity, or the prevention of espionage, sabotage, theft, or unauthorized access to or use of sensitive information or information systems.

Question 37

What is a Vulnerability?

Answer 37

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Question 38

Why should encryption algorithms be open to the public?

Answer 38

Open algorithms allow security experts worldwide to analyze and find vulnerabilities, leading to stronger, more resilient systems.

Question 39

What is Separation of Privilege?

Answer 39

When multiple privilege attributes are required to achieve access to a restricted resource.

Question 40

What is an example of Separation of Privilege?

Answer 40

Multifactor User Authentication.

Question 41

What is the Rule of Least Privilege?

Answer 41

Every user of the system should operate using the least set of privileges necessary to perform the task.

Question 42

What is the Rule of Layering?

Answer 42

Using multiple overlapping protection approaches to protect information.

Question 43

What is the Rule of Least Astonishment?

Answer 43

A program or user interface should always respond in the way that is least likely to astonish the user.

Question 44

What is an example of an Attack Surface?

Answer 44

Unpatched Software Open Ports & Exposed Services Stolen or Unsecured Devices Phishing Attacks

Question 45

For a ATM machine, what is the degree of importance of each CIA requirement?

Answer 45

1. Confidentiality 2. Integrity 3. Availability.

Question 46

What is Symmetric Encryption?

Answer 46

The universal technique for providing confidentiality for transmitted or stored data.

Question 47

What are the approaches to attacking a symmetric encryption?

Answer 47

Cryptanalysis and Brute-force attack.

Question 48

What is Cryptanalysis?

Answer 48

Analyzing only the encrypted text to find patterns or weaknesses.

Question 49

What is a Brute-force Attack?

Answer 49

Trying all possible keys until the correct one is found.

Question 50

On average, how many possible keys must be tried to achieve success?

Answer 50

Half of all possible keys.

Question 51

What are examples of Symmetric Block Encryption Algorithms?

Answer 51

* Data Encryption Standard (DES) * Advanced Encryption Standard (AES) * Triple DES

Question 52

How is a One-Way Hash Function used for message authentication?

Answer 52

Well the receiver can compare the message's hash to the original hash that was given with the message, and if they match, then we know that the message is authentic.

Question 53

Why are Hash Functions secure?

Answer 53

Because they cannot be decrypted or reversed.

Question 54

What are some examples of Secure Hash Algorithms?

Answer 54

SHA-1 SHA-2, SHA-256 SHA-3

Question 55

What are some other applications of Hash Functions?

Answer 55

- Storing hashed versions of passwords. - Intrusion Detection

Question 56

What is Public Key Encryption?

Answer 56

Public Key (🔓) – Used for encryption; can be shared with anyone. Private Key (🔑) – Used for decryption; must be kept secret.

Question 57

What are some examples of Public-Key Algorithm?

Answer 57

RSA, Diffie-Hellman, DSS, Elliptic Curve.

Question 58

What is the RSA decryption algorithm?

Answer 58

M=C^d mod n

Question 59

What are the 4 general means of authenticating a user's identity?

Answer 59

Something the individual knows, possesses, is (static biometrics) and does (dynamic biometrics)

Question 60

What are the levels of impact for risk analysis?

Answer 60

Low (limited adverse effects), Moderate (serious adverse affects) and High risk (severe/catastrophic effects)

Question 61

What is an offline dictionary attack?

Answer 61

Comparing password hashes from an obtained password file against hashes of commonly used passwords that are part of a dictionary

Question 62

What are the three types of memory that smart cards may contain?

Answer 62

Read-only memory (ROM), Electrically erasable programmable ROM (EEPROM) and Random Access Memory (RAM)

Question 63

What are the four countermeasures to remote user authentication threats?

Answer 63

Password Protocol, Token Protocol, Static Biometric Protocol, and Dynamic Biometric Protocol