
UNIVERSITI SAINS MALAYSIA

Academic Session 2015/2016


March, 2016

CYY503 Internet Security


QUIZ 1
(120 minutes)

Instruction:

Answer all questions!

Name:     _______________________________

Matric #: _______________________________

IC #:     _______________________________

Location: _______________________________

Date:     _______________________________

Time:     _______________________________

INTRODUCTION AND SECURITY TRENDS

1. Which threats are characterized by possibly long periods of preparation (years is not uncommon), tremendous financial backing, a large and organized group of attackers, and attempts to subvert insiders or to plant individuals inside a potential target in advance of a planned attack?
   A.) Unstructured threats
   B.) Structured threats
   C.) Highly structured threats
   D.) Nation-state information warfare threats

2. Which of the following is an attempt to find and attack a site that has hardware or software that is vulnerable to a specific exploit?
   A.) Target of opportunity attack
   B.) Targeted attack
   C.) Vulnerability scan attack
   D.) Information warfare attack

3. Which of the following threats has not grown over the last decade as a result of increasing numbers of Internet users?
   A.) Viruses
   B.) Hackers
   C.) Denial-of-Service attacks
   D.) All of these have seen an increase over the last decade.

4. The rise of which of the following has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit?
   A.) Virus writers
   B.) Script kiddies
   C.) Hackers
   D.) Elite hackers

5. Which of the following is generally viewed as the first Internet worm to have caused significant damage and to have brought the Internet down?
   A.) Melissa
   B.) The Love Bug
   C.) The Morris Worm
   D.) Code Red

6. Which of the following individuals convicted of various computer crimes was known for his ability to conduct successful social engineering attacks?
   A.) Kevin Mitnick
   B.) Vladimir Levin
   C.) Timothy Lloyd
   D.) David Smith

7. According to the CSI/FBI survey, which of the following is the only statistic to have shown a decrease in 2003?
   A.) The number of organizations reporting the Internet as a point of attack.
   B.) The number of organizations that have reported unauthorized use of their systems.
   C.) The average loss as a result of theft of proprietary information.
   D.) Both B and C

8. Which virus/worm was credited with reaching global proportions in less than ten minutes?
   A.) Code Red
   B.) The Morris Worm
   C.) Melissa
   D.) Slammer

9. The act of deliberately accessing computer systems and networks without authorization is generally known as:
   A.) Computer intrusions
   B.) Hacking
   C.) Cracking
   D.) Probing

10. What is the most common problem/threat an organization faces?
   A.) Viruses/worms
   B.) Script kiddies
   C.) Hackers
   D.) Hacktivists

11. Warfare conducted against the information and information processing equipment used by an adversary is known as:
   A.) Hacking
   B.) Cyber terrorism
   C.) Information warfare
   D.) Network warfare

12. An attacker who feels using animals to make fur coats is unethical and thus defaces the Web site of a company that sells fur coats is an example of:
   A.) Information warfare
   B.) Hacktivism
   C.) Cyber crusading
   D.) Elite hacking

13. Which of the following is not described as a critical infrastructure?
   A.) Electricity (power)
   B.) Banking and finance
   C.) Telecommunications
   D.) Retail stores

14. Criminal organizations would normally be classified as what type of threat?
   A.) Unstructured
   B.) Unstructured but hostile
   C.) Structured
   D.) Highly structured

15. Elite hackers don't account for more than what percentage of individuals conducting intrusive activity on the Internet?
   A.) 1-2 percent
   B.) 3-5 percent
   C.) 7-10 percent
   D.) 15-20 percent

GENERAL SECURITY CONCEPTS


16. What is the most common form of authentication used?
   A.) Smart card
   B.) Tokens
   C.) Username/password
   D.) Retinal scan

17. The CIA of security includes
   A.) Confidentiality, integrity, authentication
   B.) Confidentiality, integrity, availability
   C.) Certificates, integrity, availability
   D.) Confidentiality, inspection, authentication

18. The security principle used in the Bell-LaPadula security model that states that no subject can read from an object with a higher security classification is the
   A.) Simple Security Rule
   B.) Ring policy
   C.) Mandatory access control
   D.) *-property

19. CHAP is the
   A.) Certificate Handling Application Program
   B.) Controlling Hierarchical Access Protocol
   C.) Confidentiality Handling Application Protocol
   D.) Challenge Handshake Authentication Protocol

20. Which of the following is true about multifactor authentication?
   A.) It incorporates both access-control and authentication mechanisms into a single device.
   B.) It employs more than one method to verify authenticity.
   C.) It allows for multiple users to utilize the same account but with different user IDs.
   D.) It bases access decisions on the role of the user, as opposed to using the more common user ID/password combination.

21. The Bell-LaPadula security model is an example of a security model that is based on:
   A.) The integrity of the data
   B.) The availability of the data
   C.) The confidentiality of the data
   D.) The authenticity of the data

22. What was described in the chapter as being essential in order to implement mandatory access controls?
   A.) Smart cards
   B.) Certificates
   C.) Security classifications and labels
   D.) Mutual authentication mechanisms

23. In which access control mechanism does the operating system determine the access control permissions for subjects?
   A.) Mandatory
   B.) Role-based
   C.) Discretionary
   D.) Token-based

24. The problem with the Low-Water-Mark policy is that it
   A.) Is aimed at ensuring confidentiality and not integrity
   B.) Could ultimately result in all subjects having the integrity level of the least trusted object on the system
   C.) Could result in the unauthorized modification of data
   D.) Does not adequately prevent users from viewing files they are not entitled to

25. What was the basis for authentication used in Kerberos?
   A.) Ticket
   B.) Token
   C.) Certificate
   D.) Biometrics

26. The alternative proposed by some to replace the term hacker (a reference to individuals who attempt to gain unauthorized access to computer systems or networks) is
   A.) Lamer
   B.) Phreaker
   C.) Script kiddie
   D.) Cracker

27. The ability of a subject to interact with an object describes
   A.) Availability
   B.) Access
   C.) Integrity
   D.) Role-based authentication

28. Information security places the focus of security efforts on:
   A.) The operating system and hardware it runs on
   B.) The application programs interacting with the user
   C.) The system (or security) administrators
   D.) The data the systems store and process

29. In role-based access control:
   A.) The user is responsible for providing both a password and a digital certificate in order to access the system or network.
   B.) A set of roles that the user may perform will be assigned to each user, thus controlling what the user can do and what information they may access.
   C.) The focus is on the confidentiality of the data the system protects and not its integrity.
   D.) Authentication and nonrepudiation are the central focus.

30. The security principle whose goal it is to ensure that information is only modified by those who have authority to change it is called
   A.) Authenticity
   B.) Availability
   C.) Integrity
   D.) Confidentiality

THE ROLE OF PEOPLE IN SECURITY


31. Which of the following are considered good practices for password security?
   A.) Using a combination of upper- and lower-case characters, a number, and a special character in the password itself
   B.) Not writing the password down
   C.) Changing the password on a regular basis
   D.) All of the above

32. The password dilemma refers to the fact that:
   A.) Passwords that are easy for users to remember are also easy for attackers to guess.
   B.) The more difficult we make it for attackers to guess our passwords, and the more frequently we force password changes, the more difficult the passwords are for authorized users to remember and the more likely they are to write them down.
   C.) Users will invariably attempt to select passwords that are words they can remember. This means they may select things closely associated with them, such as their spouse's or child's name, a beloved sports team, or a favorite model of car.
   D.) Passwords assigned by administrators are usually better and more secure, but are often harder for users to remember.

33. The simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building is called:
   A.) Shoulder surfing
   B.) Tagging-along
   C.) Piggybacking
   D.) Access drafting

34. The process of going through a target's trash in hopes of finding valuable information that might be used in a penetration attempt is known as:
   A.) Dumpster diving
   B.) Trash trolling
   C.) Garbage gathering
   D.) Refuse rolling

35. A mechanism that is used to circumvent a target's security mechanisms in order to gain unauthorized access to the network is known as a:
   A.) Master-key code
   B.) Secret door
   C.) Backdoor
   D.) Covert channel

36. Reverse social engineering involves
   A.) Contacting the target, eliciting some sensitive information, and convincing them that nothing out of the ordinary has occurred.
   B.) Contacting the target in an attempt to obtain information that can be used in a second attempt with a different individual.
   C.) An individual lower in the chain of command convincing somebody at a higher level to divulge information that the attacker was not authorized to have.
   D.) An attacker attempting to somehow convince the target to initiate contact in order to avoid questions about authenticity.

37. The reason for not allowing users to install new hardware or software without the knowledge of security administrators is
   A.) They may not complete the installation correctly and the administrator will have to do more work, taking them away from more important security tasks.
   B.) They may inadvertently install more than just the hardware or software; they may accidentally install a backdoor into the network.
   C.) They may not have paid for it and thus may be opening the organization up to civil penalties.
   D.) Unauthorized hardware and software are usually for leisure purposes and will distract employees from the job they were hired to perform.

38. Once an organization's security policies have been established, the single most effective method of countering potential social engineering attacks is
   A.) An active security awareness program
   B.) A separate physical access control mechanism for each department in the organization
   C.) Frequent testing of both the organization's physical security procedures and employee telephone practices
   D.) Implementing access control cards and the wearing of security identification badges

39. Security administrators should be concerned about security guards and custodial crews because:
   A.) These individuals may not have had a thorough background investigation.
   B.) These individuals have access to facilities at times when nobody else is around to view their activities.
   C.) These individuals are frequently paid minimal salaries.
   D.) These individuals are frequently contracted and are not actually employees of the company.

40. In what ways are PINs similar to passwords? (Choose all that apply.)
   A.) Users will normally pick ones that are easy to remember, such as dates or specific patterns.
   B.) Attackers know common PINs and will try to use them or will attempt to learn more about the user in order to make an educated guess as to what the PIN might be.
   C.) Users may write them down to remember them.
   D.) All of the above


- oooOooo -
