Exam Questions (Tentafrågor) Flashcards

(62 cards)

1
Q

Encryption is one way to protect confidentiality.

A

True

2
Q

The main security properties (CIA) are confidentiality, integrity, and authenticity.

A

False

3
Q

Eavesdropping is an attack on integrity.

A

False

4
Q

Authentication has two parts, identification (who is the subject, e.g., user id) and verification
(making sure they really are who they claim to be).

A

True

5
Q

Authentication always requires proving that you know a secret, e.g., a password.

A

False

6
Q

The reason for individual salts for hashing passwords is to compensate for different lengths of passwords, which would otherwise make them easier to guess.

A

False

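A worked example for card 6, added here and not part of the original deck: the salt has nothing to do with password length. Each user gets a random salt, so two users with the same password store different digests, and a table of digests an attacker precomputed for unsalted passwords no longer matches anything. The parameters (16-byte salt, PBKDF2-HMAC-SHA256, 100 000 iterations) are assumptions chosen for illustration, and the "table" is a plain dictionary standing in for a real precomputed table.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Added example, not from the flashcard deck. Parameters are assumptions for
# illustration: a 16-byte random salt and PBKDF2-HMAC-SHA256 with 100_000
# iterations (tune the KDF and its cost for the real deployment).
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn on every call unless
    one is supplied (verification re-uses the salt stored next to the digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare without an early exit."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def precompute_table(wordlist: Iterable[str], salt: bytes) -> Dict[bytes, str]:
    """An attacker's lookup table digest -> password for a wordlist.
    With salt=b"" this models a table built before any per-user salt is known."""
    return {hash_password(pw, salt)[1]: pw for pw in wordlist}


def lookup(table: Dict[bytes, str], digest: bytes) -> Optional[str]:
    """Try to 'crack' a stored digest by a single table lookup."""
    return table.get(digest)


if __name__ == "__main__":
    # Two users who happened to choose the same (constructed) password.
    salt_a, digest_a = hash_password("correct horse")
    salt_b, digest_b = hash_password("correct horse")
    print("same password, different digests:", digest_a != digest_b)
    table = precompute_table(["123456", "password", "correct horse"], salt=b"")
    print("unsalted digest cracked:", lookup(table, hash_password("correct horse", b"")[1]))
    print("salted digest cracked:", lookup(table, digest_a))
```

The per-user salt forces the attacker to redo the whole wordlist for every stored digest instead of once for the whole database, and it hides which users share a password.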
7
Q

With symmetric encryption, the sender and receiver use the exact same secret key.

A

True

8
Q

For digital envelopes to work, the sender and receiver first need to agree on a shared key.

A

False

9
Q

If Alice sends a message to Bob using public-key cryptography, Bob needs to have both his own private key and Alice’s public key to decrypt the message and be sure that it is from Alice.

A

True

10
Q

Strong collision resistance means that a secure hash function withstands brute force attacks
to find a collision with a given hash value even from attackers with high computational power.

A

False

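A worked illustration for card 10, added here and not taken from the deck: finding a message with a given hash value is a (second) preimage search that costs about 2^n tries for an n-bit digest, whereas strong collision resistance is about finding any two colliding messages, which the birthday paradox brings down to roughly 2^(n/2). The code truncates SHA-256 to 16 bits, an assumption so that both searches finish in well under a second, and counts the tries each one needs.

```python
import hashlib
from typing import Optional, Tuple

# Added example, not from the deck. Truncating SHA-256 to a few bits is an
# assumption that keeps both searches fast; the effort ratio is the point.


def short_hash(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to its leading `bits` bits (a toy n-bit hash)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int) -> Tuple[bytes, bytes, int]:
    """Strong-collision search: any two distinct messages with the same short
    hash. Expected cost is about 2**(bits/2) tries (birthday bound)."""
    seen = {}
    tries = 0
    while True:
        msg = b"msg-%d" % tries
        tries += 1
        h = short_hash(msg, bits)
        if h in seen:
            return seen[h], msg, tries
        seen[h] = msg


def find_preimage(target: int, bits: int, limit: int) -> Tuple[Optional[bytes], int]:
    """Search for a message whose short hash equals a *given* value.
    Expected cost is about 2**bits tries; gives up after `limit`."""
    for tries in range(1, limit + 1):
        msg = b"pre-%d" % tries
        if short_hash(msg, bits) == target:
            return msg, tries
    return None, limit


def compare_costs(bits: int = 16) -> dict:
    """Run both searches on the same toy hash and report the try counts."""
    m1, m2, collision_tries = find_collision(bits)
    target = short_hash(b"document the attacker wants to match", bits)  # constructed target
    m, preimage_tries = find_preimage(target, bits, limit=1 << (bits + 4))
    return {"collision": (m1, m2, collision_tries), "preimage": (m, preimage_tries)}


if __name__ == "__main__":
    result = compare_costs(16)
    print("collision found after", result["collision"][2], "tries")
    print("preimage found after", result["preimage"][1], "tries")
```

For a 16-bit toy hash the collision typically appears after a few hundred tries and the preimage after tens of thousands; scaled to a real 256-bit digest the same gap is 2^128 versus 2^256, which is why a hash only needs to be strong against the cheaper birthday search to be usable for signatures.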
11
Q

If the interpreter or JIT is correct, the usage of memory safe languages (like Java) prevents buffer overflows.

A

True

12
Q

Functions check stack canaries (to be unmodified) just before they return.

A

True

13
Q

Stack canaries can be used to detect all possible buffer overflows.

A

False

14
Q

The main propagation strategy of a worm consists of exploiting vulnerabilities of remote
programs.

A

True

15
Q

The main propagation strategy of a virus consists of exploiting vulnerabilities of remote programs.

A

False

16
Q

An antivirus using generic decryption (GD) emulates the CPU, executes the virus in the interpreter, and waits for the virus to decrypt itself in order to identify the malicious payload.

A

True

17
Q

Flooding (non-distributed) attacks like ICMP flood require that the attacker has more bandwidth than the victim.

A

True

18
Q

A successful DOS is a loss of confidentiality.

A

False

19
Q

In a TCP/IP SYN spoof attack the attacker attempts to fill the TCP connection table of the
victim.

A

True

20
Q

Guard pages are regions of virtual memory whose execution is forbidden, but writable accesses are permitted.

A

False

21
Q

Address space randomization counters buffer overflows because it prevents an attacker from knowing the size of the buffers.

A

False

22
Q

In case of executable address space protection, the heap is configured as writable and non-executable.

A

True

23
Q

In multi-level security, users (subjects) have clearance levels and resources (objects) have classification levels. What a user with a specific clearance can do to a resource with a specific classification depends on the security model.

A

True

24
Q

Discretionary access control means that it’s up to the owner of a resource (e.g., a file) to decide whether an access request is checked.

A

False

25
Role-based access control assigns rights to roles and maps users to roles. Roles can be hierarchical.
True
26
Whitelisting lets less bad traffic through than blacklisting.
True
27
The two main approaches to intrusion detection are signature based (meaning only install programs that are authentic, e.g., checked the message digest or digital signature) and anomaly based (meaning using a list of malicious programs that do not behave like normal programs and detecting if a program is on the list).
False
28
DMZ (demilitarized zone) means that there is no firewall or intrusion detection system set up around it.
False (a DMZ is a separate network segment between an external and an internal firewall; it is still filtered and monitored, just under a less restrictive policy than the internal network)
29
A side-channel attack usually relies on a buffer overflow.
False
30
Constant time programming is a programming technique guaranteeing that no condition of branches and no index of array depend on secret information.
True
31
Cache partitioning prevents an attacker from extracting secret information by analyzing the execution time of the victim (time-driven attacks).
False
32
A side-channel attack is based on information gained from the execution of a system, for instance by measuring its execution time.
True
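
For cards 30 to 32, an added example that is not from the deck: the byte-by-byte timing leak that constant-time programming is meant to remove. Python gives no timing guarantees, so the code counts how many bytes each comparison examines as a stand-in for measured execution time. The oracle-driven recovery shows why an early-exit comparison is exploitable and why the version whose branches and loop bound do not depend on the data is not. The secret is a constructed sample; in real code use hmac.compare_digest.

```python
import hmac
from typing import Callable, Tuple

# Added example, not from the deck. SECRET is a constructed sample; the
# "bytes examined" counter stands in for the run time an attacker would measure.
SECRET = b"s3cret!"


def leaky_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison: returns at the first differing byte, so the work
    done (and hence the time) reveals how long the matching prefix is."""
    examined = 0
    if len(secret) != len(guess):
        return False, examined
    for x, y in zip(secret, guess):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Accumulate differences with XOR/OR and decide at the end: no branch and
    no loop bound depends on the data, so every byte is examined every time.
    (The length check is acceptable when the length is public, e.g. a MAC.)"""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(secret, guess):
        diff |= x ^ y
        examined += 1
    return diff == 0, examined


def recover_via_oracle(oracle: Callable[[bytes], Tuple[bool, int]], length: int) -> bytes:
    """Byte-at-a-time recovery using only the side channel: a guess whose next
    byte is right makes the leaky comparison examine one byte more."""
    known = b""
    for pos in range(length):
        found = None
        for c in range(256):
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            equal, examined = oracle(guess)
            if equal or examined > pos + 1:
                found = c
                break
        if found is None:
            return known          # no progress: the channel gives nothing away
        known += bytes([found])
    return known


def stdlib_compare(secret: bytes, guess: bytes) -> bool:
    """What production code should call instead of either function above."""
    return hmac.compare_digest(secret, guess)


if __name__ == "__main__":
    print("leaky:", recover_via_oracle(lambda g: leaky_compare(SECRET, g), len(SECRET)))
    print("constant-time:", recover_via_oracle(lambda g: constant_time_compare(SECRET, g), len(SECRET)))
```

Against the leaky oracle the loop recovers the whole secret in at most 256 guesses per byte; against the constant-time oracle every guess costs the same and the recovered bytes are garbage.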
33
The GDPR (general data protection regulation) has one set of rules for all EU countries and it even applies to companies outside the EU if they offer services in the EU.
True
34
Purpose binding means that once a user (data subject) has consented to their data being analyzed and used by an organization or company (data controller, data processor) for a given purpose, they have no right to get their data deleted.
False
35
Privacy concerns not only the data itself (e.g., contents of files or messages) but also metadata, meaning data about the data.
True
36
One way to prevent SQL injection is to use parameterized queries.
True
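
An added example for card 36, not the deck's own code, using Python's sqlite3 module with an in-memory database and constructed rows: the string-built query accepts the classic `' OR '1'='1` and `alice'--` payloads, while the parameterized query receives the same input purely as data. Storing plaintext passwords is only to keep the example short.

```python
import sqlite3
from typing import List

# Added example, not from the deck. The table and rows are constructed; real
# systems store salted password hashes, not plaintext.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-pw"), ("bob", "bob-pw")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Builds the query by string formatting: quotes in the input become SQL."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Query text is fixed; the driver binds the values, so input is never
    parsed as SQL no matter what characters it contains."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", login_vulnerable(db, "alice", "' OR '1'='1"))
    print("vulnerable, comment   :", login_vulnerable(db, "alice'--", "anything"))
    print("parameterized, same   :", login_parameterized(db, "alice", "' OR '1'='1"))
```

The tautology payload turns the WHERE clause into `name = 'alice' AND password = '' OR '1'='1'`, which is true for every row; the comment payload drops the password check entirely. The bound parameters make both attempts fail because the quote and the `--` are just characters inside a value.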
37
Cross-site scripting takes advantage of a user being authenticated for a session with a server and makes it look like a transaction was initiated by the authenticated user.
False
38
One of the OWASP Top 10 most critical web application security risks is broken access control. There are many ways to bypass access control, such as by manipulating things like the URL, request parameters or cookies.
True
39
Social engineering often exploits positive human traits, not a lack of intelligence.
True
40
The security policy is best developed by one or two security experts, as users or managers usually do not know enough about security and tend to increase the complexity of the document which in turn increases the probability of errors.
False
41
An organizational security policy is a formal statement of rules by which people given access to the organization’s technology and information assets must abide.
True
42
Blockchains rely on consensus (a majority must agree on something) and on proof of work (proving that one has dedicated processing power, although there are alternative proposals for proofs).
True
43
DevOps security defines the set of options developers need to integrate into programs so that users can configure the program settings in a secure way.
False
44
Mobile network security in 4G/5G is about securing the access to the radio network, all other functions, such as identity management, privacy, or confidentiality and integrity on the wired network (core network or Internet) are done by the application (banking, social networks, etc.).
False
45
When some unauthorized entity reads my secret file, it is a violation of integrity.
False
46
Availability is only threatened when a server is under a DoS attack. Preventing an individual person from accessing their account by, e.g., changing the password, does not qualify.
False
47
The principle of least privilege means only those permissions that are needed to carry out the task should be granted, for example, do not grant write access to files that need only be read.
True
48
The principle of complete mediation means that every single request for access is checked.
True
49
Confidentiality means only authorized entities can read a resource.
True
50
The principle of psychological acceptability means that if access to a resource, e.g., a file, is refused, the requesting user needs to be notified in a polite way or they could threaten the system.
False
51
The GDPR is a recommendation for EU member countries for how to change their privacy laws from May 25, 2018.
False (the GDPR is a regulation, directly applicable in every member state, not a recommendation)
52
The GDPR extends to all foreign companies processing data of EU residents.
True
53
Important principles of the EU data protection directive 95/46/EC were data minimization, anonymity, unlinkability, purpose specification, and purpose binding.
False (anonymity and unlinkability are not among the directive's principles)
54
Privacy by Design is a set of principles that prioritizes privacy over security once a minimum level of security is reached.
False (Privacy by Design is positive-sum, not zero-sum: it aims for full privacy and full security together rather than trading one for the other)
55
For privacy, data confidentiality is not enough; much information can be inferred from metadata.
True
56
Transparency-enhancing technologies include both tools that show what would happen before an action is taken and those that show how data was handled after the fact.
True
57
In discretionary access control, anyone who has access rights to a resource (e.g., a file) can change the permissions to give access rights to others.
False
58
Role based access rights follow the hierarchy of the organization, for example, if an employee has access to file X, her manager also has access to file X, all the way up to the CEO.
False
59
Mandatory access control means every access request is checked, whereas in discretionary access control it is up to the administrator to decide which requests are checked.
False
60
In mandatory access control, whether access is granted depends on the requested access (read, write, or execute), security levels of the subject (requester) and the object (requested resource), and the policy that says which level needs to be greater than or equal to the other.
True
61
In discretionary access control, the owner of a resource (e.g., a file) can give access rights to others.
True
62
In role-based access control, the user’s identity is not as important as what role they have at the moment. Users can have several roles and switch between them.
True
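
An added example for cards 23 to 25 and 57 to 62, not from the deck: one decision function per model, with all names, levels and roles constructed. MAC follows the Bell-LaPadula rules (read requires clearance >= classification, write requires clearance <= classification; execute is treated like read, an assumption). The DAC file lets only its owner change the ACL, so a user who was merely granted read cannot pass it on. The RBAC model has a role hierarchy and a per-user active role that can be switched; the manager role deliberately does not inherit from employee, which is the point of card 58.

```python
from typing import Dict, Iterable, Optional, Set

# Added example, not from the deck. Levels, users, roles and permissions are
# constructed for illustration.

# --- Mandatory access control: Bell-LaPadula confidentiality rules (cards 23, 60)
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allowed(clearance: str, classification: str, op: str) -> bool:
    s, o = LEVELS[clearance], LEVELS[classification]
    if op in ("read", "execute"):     # assumption: execute reveals the object like read
        return s >= o                 # simple security property: no read up
    if op == "write":
        return s <= o                 # *-property: no write down
    raise ValueError(f"unknown operation {op!r}")


# --- Discretionary access control: owner-managed ACL (cards 24, 57, 61)
class DacFile:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, by: str, to: str, op: str) -> bool:
        """Only the owner may change the ACL; holding a right is not enough."""
        if by != self.owner:
            return False
        self.acl.setdefault(to, set()).add(op)
        return True

    def allowed(self, user: str, op: str) -> bool:
        """Every request is checked against the ACL (complete mediation)."""
        return op in self.acl.get(user, set())


# --- Role-based access control with a role hierarchy (cards 25, 58, 62)
class Rbac:
    def __init__(self):
        self.role_perms: Dict[str, Set[str]] = {}   # role -> its own permissions
        self.inherits: Dict[str, Set[str]] = {}     # role -> junior roles it includes
        self.user_roles: Dict[str, Set[str]] = {}   # user -> roles the user may activate
        self.active: Dict[str, str] = {}            # user -> currently active role

    def add_role(self, role: str, perms: Iterable[str], inherits: Iterable[str] = ()) -> None:
        self.role_perms[role] = set(perms)
        self.inherits[role] = set(inherits)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def activate(self, user: str, role: str) -> bool:
        """Switch the user's active role; only assigned roles can be activated."""
        if role not in self.user_roles.get(user, set()):
            return False
        self.active[user] = role
        return True

    def effective_perms(self, role: str) -> Set[str]:
        perms = set(self.role_perms[role])
        for junior in self.inherits[role]:
            perms |= self.effective_perms(junior)
        return perms

    def allowed(self, user: str, perm: str) -> bool:
        """The decision depends on the active role, not on who the user is."""
        role: Optional[str] = self.active.get(user)
        return role is not None and perm in self.effective_perms(role)


if __name__ == "__main__":
    print("secret reads confidential:", mac_allowed("secret", "confidential", "read"))
    print("secret writes confidential:", mac_allowed("secret", "confidential", "write"))
    f = DacFile("alice")
    f.grant("alice", "bob", "read")
    print("bob re-grants to carol:", f.grant("bob", "carol", "read"))
    r = Rbac()
    r.add_role("employee", {"read:X"})
    r.add_role("manager", {"approve:expense"})       # no inheritance from employee
    r.assign("mike", "manager")
    r.activate("mike", "manager")
    print("manager reads X:", r.allowed("mike", "read:X"))
```

In the MAC function the policy is the pair of inequalities and nothing the owner says can override it; in the DAC class the owner's ACL is the policy; in RBAC the only things that matter at decision time are the active role and the permissions it inherits.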