Foundations of Information Security and Assurance Assignment

Part 1: True and False Questions.

1. A one-time pad is a safe house used only once by an undercover agent.  

2. AES uses the Indirect-Rijndael algorithm.

3. A hash algorithm uses a one-way cryptographic function, whereas both secret-key and public-key systems use two-way (i.e., reversible) cryptographic functions.         

4. In terms of privacy laws, companies have no advantage over the government in terms of the types of data that a company can collect. Public companies and governments are subject to the same laws and statues (i.e. HIPPA and GLBA) regarding data collection.

5. Consider data that is stored over time in a mandatory access control based system. The contents of files containing highly classified ("top secret") information are not necessarily more trustworthy than material stored in files marked unclassified.

6. 3DES (Triple DES) requires the use of three independent keys.

7. Deleting the browsing history and cookies in a computer system can completely delete the recently visited sites.  

8. A Denial-of-Service attack does not require the attacker to penetrate the target's security defenses.  

9. The biggest advantage of public-key cryptography over secret-key cryptography is in the area of key management/key distribution.

10. Packet filters protect networks by blocking packets based on the packets' contents.  

Part 2:  Multiple Choice Questions. 

1. Methods to avoid SQL injection include which of the following:

a. Providing functions to escape special characters.

b. Built-in functions that strip input of dangerous characters.

c. Techniques for the automatic detection of database language in legacy code.

d. Techniques for the automatic detection of SQL language in legacy code.

e. All of the above.

2. Protection of a software program that uses a unique, novel algorithm could be legally protected by:

a. A patent

b. A copyright

c. A notary

d. Ethical standards

e. All of the above.

3. If person A uses AES to transmit an encrypted message to person B, which key or keys will A have to use:

a. A's private key

b. A's public key

c. B's private key

d. B's public key

e. None of the keys listed above.

4. Choose the right statement(s):

a. On change-controlled system, you should run automatic updates to prevent security patches from introducing instability.

b. A malicious driver can potentially bypass many security controls to install malware.

c. It is critical that the operating system be kept as up to date as possible, with all critical security related patched installed.

d. The operating system planning process should consider the categories of users on the system, and the privileges they have.

e. All of the above.

5. Broad categories of payloads that malware may carry include which of the following:

a. Corruption of system or data files;

b. Theft of service in order to make the system a zombie agent of attack as part of a botnet;

c. Theft of information from the system, especially of logins, passwords or other personal details by key logging or spyware programs;

d. Stealthing where the malware hides it presence on the system from attempts to detect and block it;

e. All of the above.

6. SELinux implements different types of MAC: ________________________.

a. Role Based Access Controls and Type Enforcement

b. Multi Level Security

c. Multi Task Level Security                         

d. User Based Access Controls and Format Enforcement

e. None of the above.

7. Security threats include which of the following:

a. Hurricanes

b. Disgruntled employees

c. Unlocked doors

d. Un-patched software programs

e. All of the above.

8. The basic step(s) should be used to secure an operating system:

a. Install and register the operating system.

b. Harden and configure the operating system to adequately address the identified security needs of the system.

c. Installing and configure additional security controls, such as anti-virus, host-based firewalls, and intrusion detection systems (IDS), if needed.

d. Test the security of the basic operating system to ensure that the steps taken adequately address its security needs.

e. All of the above.

9. Denial of service attacks include:

a. DNSspoofing

b. Smurf attack

c. Ping of death

d. SYN flood

e. All of the above.

10. Countermeasures against subdomain DNS cache poisoning include which of the following:

a. Firewalls

b. SPR

c. DNSSEC uses RRSIG and DNSKEY records

d. DNSSEC employing a chain of trust

e. All of the above.