
Security IT 2910 Midterm Study Guide SP2013 Name:_____________________________

This is the total body of knowledge you will possibly be tested upon for our midterm exam. I will be using this
document to randomly create three tests. Two tests will be used for the midterm and one will be held in reserve
for makeup tests etc. Each version of the test will contain about half the information in this guide and will be
approximately 15 pages of questions. This study guide is the document you cannot use for the open book
midterm exam.
Part of what I am testing is your ability to recall security details in a time-sensitive situation, basically time
management and your ability to work under pressure, keep your wits about you and make good choices
during stressful security events. Not only your recall but your accuracy and ability to pore through a large
amount of technical material and make quick decisions about it is being assessed.
There are 4 kinds of questions: True/False, Multiple choice, Short answer and Long answer.

TRUE/FALSE QUESTIONS:
1. T F Computer security is protection of the integrity, availability, and
confidentiality of information system resources.

2. T F Data integrity assures that information and programs are changed only
in a specified and authorized manner.

3. T F Availability assures that systems work promptly and service is not denied to authorized users.

4. T F The “A” in the CIA triad stands for “authenticity”.

5. T F Many security administrators view strong security as an impediment to efficient and user-friendly operation of an information system.

6. T F In the context of security our concern is with the vulnerabilities of system resources.

7. T F Hardware is the most vulnerable to attack and the least susceptible to automated controls.

8. T F Contingency planning is a functional area that primarily requires computer security technical measures.

9. T F The first step in devising security services and mechanisms is to develop a security policy.

10. T F User authentication is the fundamental building block and the primary
line of defense.

11. T F Identification is the means of establishing the validity of a claimed identity provided by a user.

12. T F Many users choose a password that is too short or too easy to guess.

13. T F User authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic.

14. T F User authentication is the basis for most types of access control and for
user accountability.

15. T F Depending on the application, user authentication on a biometric system involves either verification or identification.

16. T F Enrollment creates an association between a user and the user’s biometric characteristics.

17. T F Identifiers should be assigned carefully because authenticated identities are the basis for other security services.

18. T F Keylogging is a form of host attack.

19. T F In a biometric scheme some physical characteristic of the individual is mapped into a digital representation.

20. T F Access control is the central element of computer security.


21.
22. T F The authentication function determines who is trusted for a given purpose.

23. T F Reliable input is an access control requirement.

24. T F A user may belong to multiple access control groups.

25. T F The default set of rights should always follow the rule of least privilege or read-only access.

26. T F A query language provides a uniform interface to the database.

27. T F A telephone directory is an example of a statistical database.

28. T F To create a relationship between two tables, the attributes that define the
primary key in one table must appear as attributes in another table, where they are
referred to as a foreign key.

29. T F The value of a primary key must be unique for each tuple of its table.

30. T F The database management system operates on the assumption that the
computer system has authenticated each user.


31. T F The two commands that SQL provides for managing access rights are
ALLOW and DENY.

32. T F Fixed server roles operate at the level of an individual database.

33. T F SQL Server allows users to create roles that can then be assigned access
rights to portions of the database.

34. T F Encryption can be applied to the entire database, at the record level, at the
attribute level, or at the level of the individual field.

35. T F Keyware captures keystrokes on a compromised system.

36. T F A virus that attaches to an executable program can do anything that the
program is permitted to do.

37. T F It is not possible to spread a virus via a USB stick.

38. T F A logic bomb is the event or condition that determines when the payload
is activated or delivered.

39. T F Many forms of infection can be blocked by denying normal users the right to
modify programs on the system.

40. T F A macro virus infects executable portions of code.

41. T F E-mail is a common method for spreading macro viruses.

42. T F In addition to propagating, a worm usually carries some form of payload.

43. T F A Trojan horse is an apparently useful program containing hidden code that, when invoked, performs some harmful function.

44. T F A bot propagates itself and activates itself, whereas a worm is initially
controlled from some central facility.

45. T F A denial-of-service attack is an attempt to compromise availability by hindering or blocking completely the provision of some service.

46. T F A DoS attack targeting application resources typically aims to overload
or crash its network handling software.

47. T F The SYN spoofing attack targets the table of TCP connections on the
server.

48. T F Given sufficiently privileged access to the network handling code on a computer system, it is difficult to create packets with a forged source address.

49. T F SYN-ACK and ACK packets are transported using IP, which is an
unreliable network protocol.

50. T F Flooding attacks take a variety of forms based on which network protocol is being used to implement the attack.

51. T F The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system.

52. T F Intrusion detection is based on the assumption that the behavior of the
intruder differs from that of a legitimate user in ways that can be quantified.

53. T F The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.

54. T F Signature-based approaches attempt to define normal, or expected, behavior, whereas anomaly approaches attempt to define proper behavior.

55. T F To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.

56. T F A common location for a NIDS sensor is just inside the external
firewall.

57. T F The countermeasure to tiny fragment attacks is to discard packets with an inside source address if the packet arrives on an external interface.

58. T F A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context.

59. T F A prime disadvantage of an application-level gateway is the additional processing overhead on each connection.

60. T F A DMZ is one of the internal firewalls protecting the bulk of the
enterprise network.

61. T F Distributed firewalls protect against internal attacks and provide protection tailored to specific machines and applications.

62. T F The buffer overflow type of attack is one of the least commonly seen
attacks.

63. T F Buffer overflow attacks result from careless programming in applications.

64. T F The only consequence of a buffer overflow attack is the possible corruption of data used by the program.

65. T F To exploit any type of buffer overflow the attacker needs to understand how that buffer will be stored in the process's memory.

66. T F A stack overflow can result in some form of denial-of-service attack on a system.

67. T F Shellcode is not specific to a particular processor architecture.

68. T F Buffer overflows can be found in a wide variety of programs.

69. T F Many computer security vulnerabilities result from poor programming practices.

70. T F Security flaws occur as a consequence of sufficient checking and validation of data and error codes in programs.

71. T F Software security is closely related to software quality and reliability.

72. T F Programmers often make assumptions about the type of inputs a program will receive.

73. T F Defensive programming requires a changed mindset to traditional programming practices.

74. T F To counter XSS attacks a defensive programmer needs to explicitly identify any assumptions as to the form of input and to verify that any input data conform to those assumptions before any use of the data.

75. T F Injection attacks variants can occur whenever one program invokes the
services of another program, service, or function and passes to it
externally sourced, potentially untrusted information without sufficient
inspection and validation of it.

76. T F Cross-site scripting attacks attempt to bypass the browser’s security checks to gain elevated access privileges to sensitive data belonging to another site.


77. T F To prevent XSS attacks any user supplied input should be examined
and any dangerous code removed or escaped to block its execution.

78. T F Without suitable synchronization of accesses it is possible that values may be corrupted, or changes lost, due to overlapping access, use, and replacement of shared values.

79. T F It is possible for a system to be compromised during the installation process.

80. T F The default configuration for many operating systems usually maximizes security.

81. T F A malicious driver can potentially bypass many security controls to install malware.

82. T F Passwords installed by default are secure and do not need to be changed.

83. T F Manual analysis of logs is a reliable means of detecting adverse events.

84. T F Performing regular backups of data on a system is a critical control that assists with maintaining the integrity of the system and user data.

85. T F To implement a physical security program an organization must conduct a risk assessment to determine the amount of resources to devote to physical security and the allocation of those resources against the various threats.

86. T F Physical security must also prevent any type of physical access or intrusion that can compromise logical security.

87. T F Physical security must prevent misuse of the physical infrastructure that leads to the misuse or damage of the protected information.

88. T F Misuse of the physical infrastructure includes vandalism, theft of equipment, theft by copying, theft of services, and unauthorized entry.

89. T F High humidity does not pose a threat to electrical and electronic
equipment as long as the computer’s temperature stays within the optimal range.

90. T F A person that becomes statically charged can damage electronic equipment by an electric discharge.

91. T F The direct flame is the only threat from fire.


92. T F Low-intensity devices such as cellular telephones do not interfere with electronic equipment.

93. T F Human-caused threats are less predictable than other types of physical
threats.

94. T F Unauthorized physical access can lead to other threats.

95. T F Physical access control should address not just computers and other IS
equipment but also locations of wiring used to connect systems, equipment and
distribution systems, telephone and communications lines, backup media, and documents.

MULTIPLE CHOICE QUESTIONS:

1. __________ assures that individuals control or influence what information related to them may be
collected and stored and by whom and to whom that information may be disclosed.
A. Availability C. System Integrity
B. Privacy D. Data Integrity

2. ________ assures that a system performs its intended function in an unimpaired manner, free from
deliberate or inadvertent unauthorized manipulation of the system.
A. System Integrity C. Data Integrity
B. Availability D. Confidentiality

3. A loss of _________ is the unauthorized disclosure of information.
A. confidentiality C. integrity
B. authenticity D. availability

4. A ________ level breach of security could be expected to have a severe or catastrophic adverse effect on
organizational operations, organizational assets, or individuals.
A. low C. normal
B. moderate D. high

5. A flaw or weakness in a system’s design, implementation, or operation and management that could be
exploited to violate the system’s security policy is a(n) __________.
A. countermeasure C. vulnerability
B. adversary D. risk

6. An assault on system security that derives from an intelligent act that is a deliberate attempt to evade
security services and violate the security policy of a system is a(n) __________.
A. risk C. asset
B. attack D. vulnerability

7. A(n) __________ is an action, device, procedure, or technique that reduces a threat, a vulnerability, or
an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and
reporting it so that correct action can be taken.
A. attack C. countermeasure
B. adversary D. protocol

8. A threat action in which sensitive data are directly released to an unauthorized entity is __________.
A. corruption C. disruption
B. intrusion D. exposure

9. An example of __________ is an attempt by an unauthorized user to gain access to a system by posing as an authorized user.
A. masquerade C. interception
B. repudiation D. inference

10. A __________ is any action that compromises the security of information owned by an organization.
A. security mechanism C. security attack
B. security policy D. security service

11. The assurance that data received are exactly as sent by an authorized entity is __________.
A. authentication C. data confidentiality
B. access control D. data integrity

12. __________ is the insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
A. Traffic padding C. Traffic routing
B. Traffic control D. Traffic integrity

13. Recognition by fingerprint, retina, and face are examples of __________.
A. face recognition C. dynamic biometrics
B. static biometrics D. token authentication

14. A __________ is a password guessing program.
A. password hash C. password cracker
B. password biometric D. password salt

15. A __________ strategy is one in which the system periodically runs its own password cracker to find
guessable passwords.
A. user education C. proactive password checking
B. reactive password checking D. computer-generated password

16. The most common means of human-to-human identification are __________.
A. facial characteristics C. signatures
B. retinal patterns D. fingerprints

17. __________ systems identify features of the hand, including shape, and lengths and widths of fingers.
A. Signature C. Hand geometry
B. Fingerprint D. Palm print

18. To counter threats to remote user authentication, systems generally rely on some form of ___________
protocol.
A. eavesdropping C. Trojan horse
B. challenge-response D. denial-of-service

19. A __________ attack involves an adversary repeating a previously captured user response.
A. client C. replay
B. Trojan horse D. eavesdropping

20. A __________ is a separate file from the user IDs where hashed passwords are kept.
A. Host file C. Shadow file
B. Config file D. Hidden file

21. Objects that a user possesses for the purpose of user authentication are called ______.
A. Keys C. Identifiers
B. Tokens D. Authenticators

22. __________ implements a security policy that specifies who or what may have access to each specific
system resource and the type of access that is permitted in each instance.
A. Audit control B. Resource control
C. System control D. Access control

23. __________ is verification that the credentials of a user or other system entity are valid.
A. Adequacy B. Authentication
C. Authorization D. Audit

24. _________ is the granting of a right or permission to a system entity to access a system resource.
A. Authorization B. Authentication
C. Control D. Monitoring

25. __________ controls access based on comparing security labels with security clearances.
A. MAC B. DAC
C. RBAC D. MBAC

26. A __________ is an entity capable of accessing objects.
A. group B. object
C. subject D. owner

27. A(n) __________ is a resource to which access is controlled.
A. object B. owner
C. world D. subject

28. The final permission bit is the _________ bit.
A. superuser B. kernel
C. set user D. sticky

29. __________ is based on the roles the users assume in a system rather than the user’s identity.
A. DAC B. RBAC
C. MAC D. URAC

30. An approval to perform an operation on one or more RBAC protected objects is _________ .
A. support B. prerequisite
C. permission D. exclusive role

31. A(n) __________ is a structured collection of data stored for use by one or more applications.
A. attribute B. database
C. tuple D. inference

32. The basic building block of a __________ is a table of data, consisting of rows and columns, similar to a
spreadsheet.
A. relational database B. query set
C. DBMS D. perturbation

33. In relational database parlance, the basic building block is a __________, which is a flat table.
A. attribute B. tuple
C. primary key D. relation

34. In a relational database rows are referred to as _________.
A. relations B. attributes
C. views D. tuples

35. A _________ is defined to be a portion of a row used to uniquely identify a row in a table.
A. foreign key B. query
C. primary key D. data perturbation

36. A _________ is a virtual table.
A. tuple B. query
C. view D. DBMS

37. A(n) __________ is a user who has administrative responsibility for part or all of the database.
A. administrator B. database relations manager
C. application owner D. end user other than application owner

38. An end user who operates on database objects via a particular application but does not own any of the
database objects is the __________.
A. application owner B. end user other than application owner
C. foreign key D. administrator

39. __________ is the process of performing authorized queries and deducing unauthorized information
from the legitimate responses received.
A. Perturbation B. Inference
C. Compromise D. Partitioning

40. Statistics are derived from a database by means of a ___________.
A. characteristic formula B. compromise
C. partition D. data perturbation

41. With __________ the records in the database are clustered into a number of mutually exclusive groups
and the user may only query the statistical properties of each group as a whole.
A. compromise B. inference
C. partitioning D. query restriction

42. __________ is when the data in the SDB can be modified so as to produce statistics that cannot be used
to infer values for individual records.
A. Data perturbation B. Inference channeling
C. Database access control D. Output perturbation

43. _________ is an organization that produces data to be made available for controlled release, either
within the organization or to external users.
A. Client B. Data owner
C. User D. Server

44. __________ is an organization that receives the encrypted data from a data owner and makes them
available for distribution to clients.
A. User B. Client
C. Data owner D. Server

45. The __________ cloud infrastructure is a composition of two or more clouds that remain unique entities
but are bound together by standardized or proprietary technology that enables data and application
portability.
A. hybrid B. community
C. private D. public

46. A program that is covertly inserted into a system with the intent of compromising the integrity or
confidentiality of the victim’s data is __________.
A. Adobe B. Animoto
C. malware D. Prezi

47. __________ are used to send large volumes of unwanted e-mail.
A. Rootkits B. Spammer programs
C. Downloaders D. Auto-rooter

48. A __________ is code inserted into malware that lies dormant until a predefined condition, which
triggers an unauthorized act, is met.
A. logic bomb B. trapdoor
C. worm D. Trojan horse

49. The __________ is what the virus “does”.
A. infection mechanism B. trigger
C. logic bomb D. payload

50. The __________ is when the virus function is performed.
A. dormant phase B. propagation phase
C. triggering phase D. execution phase

51. During the __________ the virus is idle.
A. dormant phase B. propagation phase
C. triggering phase D. execution phase

52. A __________ uses macro or scripting code, typically embedded in a document and triggered when the
document is viewed or edited, to run and replicate itself into other such documents.
A. boot sector infector B. file infector
C. macro virus D. multipartite virus

53. Unsolicited bulk e-mail is referred to as __________.
A. spam B. propagating
C. phishing D. crimeware

54. __________ is malware that encrypts the user’s data and demands payment in order to access the key
needed to recover the information.
A. Trojan horse B. Ransomware
C. Crimeware D. Polymorphic

55. A __________ attack is a bot attack on a computer system or network that causes a loss of service to
users.
A. spam B. phishing
C. DDoS D. sniff

56. __________ will integrate with the operating system of a host computer and monitor program behavior
in real time for malicious actions.
A. Fingerprint-based scanners B. Behavior-blocking software
C. Generic decryption technology D. Heuristic scanners

57. ______ relates to the capacity of the network links connecting a server to the wider Internet.
A. Application resource B. Network bandwidth
C. System payload D. Directed broadcast

58. A ______ triggers a bug in the system’s network handling software causing it to crash and the system
can no longer communicate over the network until this software is reloaded.
A. echo B. reflection
C. poison packet D. flash flood

59. Using forged source addresses is known as _________.
A. source address spoofing B. a three-way address
C. random dropping D. directed broadcast

60. The ______ attacks the ability of a network server to respond to TCP connection requests by
overflowing the tables used to manage such connections.
A. DNS amplification attack B. SYN spoofing attack
C. basic flooding attack D. poison packet attack


61. TCP uses the _______ to establish a connection.
A. zombie B. SYN cookie
C. directed broadcast D. three-way handshake

62. When a DoS attack is detected, the first step is to _______.
A. identify the attack B. analyze the response
C. design blocking filters D. shut down the network

63. _________ are among the most difficult to detect and prevent.
A. Organized groups of hackers B. Insider attacks
C. Outsider attacks D. Crackers

64. A _________ is a security event that constitutes a security incident in which an intruder gains access to a
system without having authorization to do so.
A. intrusion detection B. IDS
C. criminal enterprise D. security intrusion

65. A _________ monitors the characteristics of a single host and the events occurring within that host
for suspicious activity.
A. host-based IDS B. security intrusion
C. network-based IDS D. intrusion detection

66. A ________ monitors network traffic for particular network segments or devices and analyzes network,
transport, and application protocols to identify suspicious activity.
A. host-based IDS B. security intrusion
C. network-based IDS D. intrusion detection

67. __________ are attacks that attempt to give ordinary users root access.
A. Privilege-escalation exploits B. Directory transversals
C. File system access D. Modification of system resources

68. The first widely used occurrence of the buffer overflow attack was the _______.
A. Code Red Worm B. Morris Internet Worm
C. Sasser Worm D. Slammer Worm

69. A _______ can occur as a result of a programming error when a process attempts to store data
beyond the limits of a fixed-size buffer.
A. shellcode B. program overflow
C. buffer overflow D. library function

70. A stack buffer overflow attack is also referred to as ______.


A. stack smashing B. stack framing
C. buffer overrunning D. heap overflowing

71. An essential component of many buffer overflow attacks is the transfer of execution to code, known as
_______, supplied by the attacker and often saved in the buffer being overflowed.
A. NOP code B. stack code
C. heap code D. shellcode

72. Incorrect handling of program _______ is one of the most common failings in
software security.
A. lines B. input
C. output D. disciplines

73. A _________ attack occurs when the input is used in the construction of a command that is subsequently
executed by the system with the privileges of the Web server.
A. command injection B. SQL injection
C. code injection D. PHP remote code injection

74. The intent of ________ is to determine whether the program or function correctly handles all abnormal
inputs or whether it crashes or otherwise fails to respond appropriately.
A. shell scripting B. fuzzing
C. canonicalization D. deadlocking

75. The first step in deploying new systems is _________.
A. security testing B. installing patches
C. planning D. secure critical content

76. Which of the following need to be taken into consideration during the system security planning process?
A. how users are authenticated
B. the categories of users of the system
C. what access the system has to information stored on other hosts
D. all of the above

77. The following steps should be used to secure an operating system:
A. test the security of the basic operating system
B. remove unnecessary services
C. install and patch the operating system
D. all of the above

78. __________ applications is a control that limits the programs that can execute on the system to just
those in an explicit list.
A. Virtualizing B. White listing
C. Logging D. Patching

79. Once the system is appropriately built, secured, and deployed, the process of maintaining security is
________.
A. complete B. no longer a concern
C. continuous D. sporadic

80. The ______ process makes copies of data at regular intervals for recovery of lost or corrupted data over
short time periods.
A. logging B. backup
C. hardening D. archive

81. The ______ process retains copies of data over extended periods of time in order to meet legal and
operational requirements.
A. archive B. virtualization
C. patching D. backup

82. The most important changes needed to improve system security are to ______.
A. Assure the principle of least privilege is being applied whenever possible
B. disable remotely accessible services that are not required ensure that applications and
services that are needed are appropriately configured
C. disable services and applications that are not required
D. all of the above

83. Security concerns that result from the use of virtualized systems include ______.
A. guest OS isolation
B. guest OS monitoring by the hypervisor
C. virtualized environment security
D. all of the above

84. A prevalent concern that is often overlooked is ________.
A. overvoltage B. undervoltage
C. dust D. noise

85. Eavesdropping and wiretapping fall into the ________ category.
A. theft B. vandalism
C. misuse D. unauthorized physical access

86. _______ includes destruction of equipment and data.
A. Misuse B. Vandalism
C. Theft D. Unauthorized physical access

87. _______ should be located on the floor of computer rooms as well as under raised floors, and
should cut off power automatically in the event of a flood.
A. Smoke detectors B. UPS
C. Water sensors D. Equipment power off switches

SHORT ANSWER QUESTIONS:


1. A(n) _________ is any means taken to deal with a security attack.

2. The assets of a computer system can be categorized as hardware, software, communication lines and
networks, and _________.

3. Establishing, maintaining, and implementing plans for emergency response, backup operations, and post
disaster recovery for organizational information systems to ensure the availability of critical information
resources and continuity of operations in emergency situations is a __________ plan.

4. A(n) _________ assessment is periodically assessing the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

5. Security implementation involves four complementary courses of action: prevention, detection, response, and _________.

6. A __________ authentication system attempts to authenticate an individual based on his or her unique
physical characteristics.

7. The basic elements of access control are: subject, __________, and access right.

8. Basic access control systems typically define three classes of subject: owner, __________ and world.

9. The __________ user ID is exempt from the usual file access control constraints and has system wide
access.

10. A _________ is a set of programs installed on a system to maintain covert access to that system with
administrator (root) privileges while hiding evidence of its presence.

11. A computer __________ is a piece of software that can “infect” other programs or any type of
executable content and tries to replicate itself.

12. Sometimes known as a “logic bomb”, the __________ is the event or condition that determines when
the payload is activated or delivered.

13. During the __________ phase the virus is activated to perform the function for which it was intended.

14. A __________ is a collection of bots capable of acting in a coordinated manner.

15. A bot can use a __________ to capture keystrokes on the infected machine to retrieve sensitive
information.

16. Countermeasures for malware are generally known as _________ mechanisms because they were first
developed to specifically target virus infections.
17. __________ technology is an anti-virus approach that enables the anti-virus program to easily detect
even the most complex polymorphic viruses and other malware, while maintaining fast scanning speeds.

18. The ICMP echo response packets generated in response to a ping flood using randomly spoofed source
addresses is known as _______ traffic.

19. A _____ is an action that prevents or impairs the authorized use of networks, systems, or applications by
exhausting resources such as central processing units, memory, bandwidth, and disk space.

20. ________ are decoy systems that are designed to lure a potential attacker away from critical systems.

21. In 1996 ________ published “Smashing the Stack for Fun and Profit” in Phrack magazine, giving a
step-by-step introduction to exploiting stack-based buffer overflow vulnerabilities.

22. A _________ can occur as a result of a programming error when a process attempts to store data beyond
the limits of a fixed-sized buffer and consequently overwrites adjacent memory locations.

23. The principle of ________ strongly suggests that programs should execute with the least amount of
privileges needed to complete their function.

24. _______ is the process of making copies of data at regular intervals allowing the recovery of lost or
corrupted data over relatively short time periods of a few hours to some weeks.

25. __________ is a standardized language that can be used to define schema, manipulate, and query data in
a relational database.

26. The information transfer path by which unauthorized data is obtained is referred to as an ___________
channel.

27. ______ is the process of retaining copies of data over extended periods of time, being months or years,
in order to meet legal and operational requirements to access past data.

28. Tornados, tropical cyclones, earthquakes, blizzards, lightning, and floods are all types of ________
disasters.

29. An _______ condition occurs when the IS equipment receives less voltage than is required for normal
operation.

30. Human-caused threats can be grouped into the following categories: unauthorized physical access, theft,
_________ and misuse.

31. Noise along a power supply line, motors, fans, heavy equipment, microwave relay antennas, and other
computers are all sources of _________.

32. To deal with the threat of smoke, the responsible manager should install _______ in every room that
contains computer equipment as well as under raised floors and over suspended ceilings.

33. A(n) ________ is a battery backup unit that can maintain power to processors, monitors, and other
equipment and can also function as a surge protector, power noise filter, and an automatic shutdown
device.

34. The most essential element of recovery from physical security breaches is ____.

LONG ANSWER QUESTIONS:

Define computer security.

The protection afforded to an automated information system in order to attain the
applicable objectives of preserving the integrity, availability and confidentiality of
information system resources (includes hardware, software, firmware,
information/data, and telecommunications).

What is the difference between passive and active security threats?

Passive attacks have to do with eavesdropping on, or monitoring, transmissions.
Electronic mail, file transfers, and client/server exchanges are examples of
transmissions that can be monitored. Active attacks include the modification of
transmitted data and attempts to gain unauthorized access to computer systems.

List and briefly define samples of passive and active network security attacks.

Passive attacks: release of message contents and traffic analysis.

Active attacks: masquerade, replay, modification of messages, and denial of service.

In general terms, what are four means of authenticating a user's identity?



Something the individual knows: Examples include a password, a personal
identification number (PIN), or answers to a prearranged set of questions.

Something the individual possesses: Examples include electronic keycards, smart
cards, and physical keys. This type of authenticator is referred to as a token.

Something the individual is (static biometrics): Examples include recognition by
fingerprint, retina, and face.

Something the individual does (dynamic biometrics): Examples include recognition by
voice pattern, handwriting characteristics, and typing rhythm.

List and briefly describe the principal threats to the secrecy of passwords.

We can identify the following attack strategies and countermeasures:

Offline dictionary attack: Typically, strong access controls are used to protect the
system's password file. However, experience shows that determined hackers can
frequently bypass such controls and gain access to the file. The attacker obtains
the system password file and compares the password hashes against hashes of commonly
used passwords. If a match is found, the attacker can gain access by that
ID/password combination.

Specific account attack: The attacker targets a specific account and submits password
guesses until the correct password is discovered.

Popular password attack: A variation of the preceding attack is to use a popular
password and try it against a wide range of user IDs. A user's tendency is to choose
a password that is easily remembered; this unfortunately makes the password easy to
guess.

Password guessing against single user: The attacker attempts to gain knowledge about
the account holder and system password policies and uses that knowledge to guess the
password.

Workstation hijacking: The attacker waits until a logged-in workstation is
unattended.

Exploiting user mistakes: If the system assigns a password, then the user is more
likely to write it down because it is difficult to remember. This situation creates
the potential for an adversary to read the written password. A user may
intentionally share a password, to enable a colleague to share files, for example.

Also, attackers are frequently successful in obtaining passwords by using social
engineering tactics that trick the user or an account manager into revealing a password. Many
computer systems are shipped with preconfigured passwords for system administrators.
Unless these preconfigured passwords are changed, they are easily guessed.

Exploiting multiple password use: Attacks can also become much more effective or
damaging if different network devices share the same or a similar password for a
given user.

Electronic monitoring: If a password is communicated across a network to log on to a
remote system, it is vulnerable to eavesdropping. Simple encryption will not fix
this problem, because the encrypted password is, in effect, the password and can be
observed and reused by an adversary.

List and briefly describe the principal physical characteristics used for biometric
identification.

Facial characteristics: Facial characteristics are the most common means of human-to-human
identification; thus it is natural to consider them for identification by
computer. The most common approach is to define characteristics based on relative
location and shape of key facial features, such as eyes, eyebrows, nose, lips, and
chin shape. An alternative approach is to use an infrared camera to produce a face
that correlates with the underlying vascular system in the human face.

Fingerprints: Fingerprints have been used as a means of identification for centuries,
and the process has been systematized and automated particularly for law enforcement
purposes. A fingerprint is the pattern of ridges and furrows on the surface of the
fingertip. Fingerprints are believed to be unique across the entire human
population. In practice, automated fingerprint recognition and matching systems
extract a number of features from the fingerprint for storage as a numerical
surrogate for the full fingerprint pattern.

Hand geometry: Hand geometry systems identify features of the hand, including
shape, and lengths and widths of fingers.

Retinal pattern: The pattern formed by veins beneath the retinal surface is unique
and therefore suitable for identification. A retinal biometric system obtains a
digital image of the retinal pattern by projecting a low-intensity beam of visual or
infrared light into the eye.

Iris: Another unique physical characteristic is the detailed structure of the iris.

Signature: Each individual has a unique style of handwriting and this is reflected
especially in the signature, which is typically a frequently written sequence.
However, multiple signature samples from a single individual will not be identical.
This complicates the task of developing a computer representation of the signature
that can be matched to future samples.

Voice: Whereas the signature style of an individual reflects not only the unique
physical attributes of the writer but also the writing habit that has developed,
voice patterns are more closely tied to the physical and anatomical characteristics
of the speaker. Nevertheless, there is still a variation from sample to sample over
time from the same speaker, complicating the biometric recognition task.

Briefly define the difference between DAC and MAC.

Discretionary access control (DAC) controls access based on the identity of the
requestor and on access rules (authorizations) stating what requestors are (or are
not) allowed to do. This policy is termed discretionary because an entity might have
access rights that permit the entity, by its own volition, to enable another entity
to access some resource.

Mandatory access control (MAC) controls access based on comparing security labels
(which indicate how sensitive or critical system resources are) with security
clearances (which indicate which system entities are eligible to access certain
resources). This policy is termed mandatory because an entity that has clearance to
access a resource may not, just by its own volition, enable another entity to access
that resource.

List and define the three classes of subject in an access control system.

Owner: This may be the creator of a resource, such as a file. For system resources,
ownership may belong to a system administrator. For project resources, a project
administrator or leader may be assigned ownership.

Group: In addition to the privileges assigned to an owner, a named group of users
may also be granted access rights, such that membership in the group is sufficient
to exercise these access rights. In most schemes, a user may belong to multiple
groups.

World: The least amount of access is granted to users who are able to access the
system but are not included in the categories owner and group for this resource.

In the context of access control, what is the difference between a subject and an object?

A subject is an entity capable of accessing objects. Generally, the concept of
subject equates with that of process. Any user or application actually gains access
to an object by means of a process that represents that user or application.

An object is anything to which access is controlled. Examples include files,
portions of files, programs, and segments of memory.

List and define the four types of entities in a base model RBAC system.

User: An individual that has access to this computer system. Each individual has an
associated user ID.

Role: A named job function within the organization that controls this computer
system. Typically, associated with each role is a description of the authority and
responsibility conferred on this role, and on any user who assumes this role.

Permission: An approval of a particular mode of access to one or more objects.
Equivalent terms are access right, privilege, and authorization.

Session: A mapping between a user and an activated subset of the set of roles to
which the user is assigned.
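The four base-model entities above, worked through in code. This is an added illustration written for this guide, not code from the textbook or any RBAC product; the user, role and permission names are constructed, and the point it shows is that access is decided by the roles activated in a session, not by every role the user holds.

```python
from itertools import count

class RBAC:
    """Added illustration of the four base-model RBAC entities (constructed)."""

    def __init__(self):
        self.user_roles = {}    # User (by user ID) -> roles assigned to that user
        self.role_perms = {}    # Role -> permissions, each an (operation, object) pair
        self.sessions = {}      # Session ID -> (user ID, roles activated in the session)
        self._ids = count(1)

    def assign_role(self, user, role):
        """User assignment: a user may hold several roles at once."""
        self.user_roles.setdefault(user, set()).add(role)
        self.role_perms.setdefault(role, set())

    def grant_permission(self, role, operation, obj):
        """Permission assignment: approval of one mode of access to one object."""
        self.role_perms.setdefault(role, set()).add((operation, obj))

    def open_session(self, user, roles):
        """Session: a user activates a subset of the roles assigned to them.
        Activating a role the user was never assigned is refused."""
        wanted, held = set(roles), self.user_roles.get(user, set())
        if not wanted <= held:
            raise PermissionError("roles not assigned to %s: %s" % (user, sorted(wanted - held)))
        sid = next(self._ids)
        self.sessions[sid] = (user, wanted)
        return sid

    def check_access(self, sid, operation, obj):
        """Access is decided by the session's activated roles only, not by every
        role the user happens to hold."""
        _, active = self.sessions[sid]
        return any((operation, obj) in self.role_perms[r] for r in active)

def demo():
    """Constructed scenario: alice holds two roles but activates only auditor."""
    rbac = RBAC()
    rbac.grant_permission("developer", "write", "repo")
    rbac.grant_permission("auditor", "read", "audit.log")
    rbac.assign_role("alice", "developer")
    rbac.assign_role("alice", "auditor")
    sid = rbac.open_session("alice", ["auditor"])
    return (rbac.check_access(sid, "read", "audit.log"),   # True: auditor is active
            rbac.check_access(sid, "write", "repo"))       # False: developer not activated
```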

Describe the difference between a host-based IDS and a network-based IDS.

Host-based IDS: Monitors the characteristics of a single host and the events
occurring within that host for suspicious activity.

Network-based IDS: Monitors network traffic for particular network segments
or devices and analyzes network, transport, and application protocols to identify
suspicious activity.

Describe the three logical components of an IDS.

Sensors: Sensors are responsible for collecting data. The input for a sensor may be any part of a
system that could contain evidence of an intrusion. Types of input to a sensor include network
packets, log files, and system call traces. Sensors collect and forward this information to the analyzer.
Analyzers: Analyzers receive input from one or more sensors or from other
analyzers. The analyzer is responsible for determining if an intrusion has occurred. The output of this
component is an indication that an intrusion has occurred. The output may include evidence
supporting the conclusion that an intrusion occurred. The analyzer may provide guidance about what
actions to take as a result of the intrusion.
User interface: The user interface to an IDS enables a user to view output from the system or control
the behavior of the system. In some systems, the user interface may equate to a manager, director,
or console component.

What are the three benefits that can be provided by an IDS?

1. If an intrusion is detected quickly enough, the intruder can be identified and
ejected from the system before any damage is done or any data are compromised. Even if the
detection is not sufficiently timely to preempt the intruder, the sooner that the intrusion is detected, the
less the amount of damage and the more quickly that recovery can be achieved.

2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.

3. Intrusion detection enables the collection of information about intrusion techniques that can be
used to strengthen the intrusion prevention facility.

What is the difference between anomaly detection and signature intrusion detection?

Statistical anomaly detection involves the collection of data relating to the
behavior of legitimate users over a period of time. Then statistical tests are applied to observed
behavior to determine with a high level of confidence whether that behavior is not legitimate user
behavior. Signature intrusion detection involves an attempt to define a set of rules that can be used to
decide that a given behavior is that of an intruder.
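Both approaches side by side as a small analyzer. This is an added example, not from the study guide or any IDS product: the training log lines, the per-user failed-login metric and the two signature rules are all constructed for illustration, and the z-score threshold is an assumed value.

```python
import re
import statistics

# Constructed training log (not real data): hourly failed-login counts for a
# legitimate user. This is the "behavior of legitimate users over a period of time".
TRAINING_LOG = """\
2013-03-01T08 user=alice login_failed=1
2013-03-01T09 user=alice login_failed=2
2013-03-01T10 user=alice login_failed=0
2013-03-01T11 user=alice login_failed=1
2013-03-01T12 user=alice login_failed=2
2013-03-01T13 user=alice login_failed=1
"""
LINE_RE = re.compile(r"user=(\w+) login_failed=(\d+)")

# Signature rules: fixed patterns the analyst has decided are intruder behaviour.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "sensitive-file-read": re.compile(r"/etc/(passwd|shadow)\b"),
}

def build_profile(log_text):
    """Statistical anomaly detection, step 1: profile legitimate behaviour per
    user as (mean, population stdev) of the failed-login count per hour."""
    samples = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            samples.setdefault(m.group(1), []).append(int(m.group(2)))
    return {u: (statistics.mean(v), statistics.pstdev(v)) for u, v in samples.items()}

def is_anomalous(profile, user, observed, z_limit=3.0):
    """Step 2: flag an observation more than z_limit standard deviations above
    the user's mean. A user with no profile is flagged too: the model cannot
    vouch for behaviour it never saw."""
    if user not in profile:
        return True
    mean, sd = profile[user]
    # Floor the stdev so a perfectly flat baseline still leaves a small margin.
    return observed - mean > z_limit * max(sd, 0.5)

def signature_matches(request_line):
    """Signature detection: names of every rule the line triggers (may be empty)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request_line)]
```

The contrast: the signature check knows nothing about this site's users but fires on the first matching line, while the statistical check fires on nothing it has seen as normal and only on a count far outside the profile.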

What are possible locations for NIDS sensors?

(1) just inside the external firewall;
(2) between the external firewall and the Internet or WAN;
(3) at the entrance to major backbone networks;
(4) to support workstation LANs.

What is a honeypot?

Honeypots are decoy systems that are designed to lure a potential attacker away
from critical systems.

What is the difference between a bot and a rootkit?

A bot (robot), also known as a zombie or drone, is a program that secretly takes
over another Internet-attached computer and then uses that computer to launch
attacks that are difficult to trace to the bot's creator.
A rootkit is a set of programs installed on a system to maintain administrator (or root) access to that
system. Root access provides access to all the functions and services of the operating system. The
rootkit alters the host's standard functionality in a malicious and stealthy way.

What are the #1 and #2 web application vulnerabilities?


#1 Cross Site Scripting (XSS) Flaws


XSS flaws occur whenever an application takes user supplied data and sends
it to a web browser without first validating or encoding that content.
XSS allows attackers to execute script in the victim's browser which can
hijack user sessions, deface web sites, possibly introduce worms, etc.

#2 Injection Flaws
Injection flaws, particularly SQL injection, are common in web applications.
Injection occurs when user-supplied data is sent to an interpreter as part of a
command or query. The attacker's hostile data tricks the interpreter into
executing unintended commands or changing data.

List three design goals for a firewall

1. All traffic from inside to outside, and vice versa, must pass through the
firewall.

2. Only authorized traffic, as defined by the local security policy, will be allowed
to pass.

3. The firewall itself is immune to penetration.

What information is used by a typical packet filtering firewall?

Source IP address: The IP address of the system that originated the IP packet.

Destination IP address: The IP address of the system the IP packet is trying to
reach.

Source and destination transport-level address: The transport level (e.g., TCP or
UDP) port number, which defines applications such as SNMP or TELNET.

IP protocol field: Defines the transport protocol.

Interface: For a router with three or more ports, which interface of the router the
packet came from or which interface of the router the packet is destined for.

What is the difference between a packet filtering firewall and a stateful inspection firewall?

A traditional packet filter makes filtering decisions on an individual packet basis and does
not take into consideration any higher layer context. A stateful inspection packet filter
tightens up the rules for TCP traffic by creating a directory of outbound TCP connections.
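The difference between the two filters, worked through on the packet fields listed in the previous answer. This is an added example written for this guide, not code from the textbook or any firewall; the policy (inside hosts may browse to port 80), the addresses (RFC 5737 documentation ranges) and the packet sequence are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """One IP packet reduced to the fields a packet filter examines (constructed)."""
    src_ip: str
    dst_ip: str
    proto: str       # IP protocol field: "tcp" or "udp"
    src_port: int    # transport-level source address
    dst_port: int    # transport-level destination address
    iface: str       # interface the packet arrived on: "inside" or "outside"
    syn: bool = False
    ack: bool = False

def outbound_web(p):
    """Assumed local policy: inside hosts may open TCP connections to port 80."""
    return p.iface == "inside" and p.proto == "tcp" and p.dst_port == 80

class StatelessFilter:
    """Traditional packet filter: every packet is judged on its own."""
    def allow(self, p):
        if outbound_web(p):
            return True
        # To let the server's replies back in, the filter must open every high
        # port to any outside host sending from port 80 with ACK set. That hole
        # is open whether or not an inside host ever started a connection.
        return (p.iface == "outside" and p.proto == "tcp" and p.src_port == 80
                and p.dst_port >= 1024 and p.ack)

class StatefulFilter:
    """Stateful inspection: keeps a directory of outbound TCP connections and
    admits an inbound packet only when it belongs to one of them."""
    def __init__(self):
        self.connections = set()   # (inside ip, inside port, outside ip, outside port)

    def allow(self, p):
        if outbound_web(p):
            if p.syn and not p.ack:   # first packet of a new connection: record it
                self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return True
        if p.iface == "outside" and p.proto == "tcp":
            return (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.connections
        return False

def compare(packets):
    """Run one packet sequence through both filters; returns the two decision lists."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return ([stateless.allow(p) for p in packets], [stateful.allow(p) for p in packets])

# Constructed sequence: an unsolicited inbound packet, then a genuine exchange.
UNSOLICITED = Packet("203.0.113.5", "192.0.2.10", "tcp", 80, 40000, "outside", ack=True)
REQUEST = Packet("192.0.2.10", "203.0.113.5", "tcp", 40000, 80, "inside", syn=True)
REPLY = Packet("203.0.113.5", "192.0.2.10", "tcp", 80, 40000, "outside", syn=True, ack=True)
```

Only the stateful filter rejects the unsolicited packet; both admit the genuine reply, because by then the outbound request has been entered in the connection directory.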

What is a DMZ network and what types of systems would you expect to find in such
networks?

Between internal and external firewalls are one or more networked devices in a
region referred to as a DMZ (demilitarized zone) network. Systems that are
externally accessible but need some protections are usually located on DMZ
networks. Typically, the systems in the DMZ require or foster external
connectivity, such as a corporate Web site, an e-mail server, or a DNS (domain
name system) server.

Define the principle of least privilege.

The principle of least privilege states that programs should execute with the least amount
of privileges needed to complete their function.
