Deck 19: Security Threats and Solutions in Cryptography and Access Control

A) changes the order of the letters in the message
B) changes a message such that every occurrence of a particular letter is replaced by a different letter
C) uses a secret key to encrypt the bits of a message.
D) none of the above

A) protects system components from malicious users
B) encodes and decodes messages so that it can be interpreted only by the intended recipients
C) restricts the capabilities of untrusted users of a system
D) protects a network from intruders

A) It requires a large amount of processing time and complexity to implement.
B) Two parties must find a secure way to exchange the key.
C) A sender needs a different key for each receiver.
D) If the key is intercepted, a third party could pose as either host in the communication.

A) the component that actually performs the encryption and decryption
B) a central authority that shares a different key with each user
C) an organization that develops and supports security algorithms
D) a system that transfers keys between hosts

A) it decrypts messages using the same key it uses to encrypt
B) both the sender and the receiver use the same key
C) it employs two inversely related keys
D) either host can create a key and both hosts can use it

A) It is a public-key encryption system that encrypts e-mail and files.
B) It can provide digital signatures.
C) It is based on a "web of trust."
D) It authenticates all users of PGP to all other users.

A) user knowledge, such as passwords, PINs and lock combinations
B) ownership of an item, such as badges, keys and smart cards
C) a unique characteristic such as a fingerprint
D) all of the above

A) scripting
B) dictionary attacking
C) brute-force cracking
D) trial and error

A) Encouraging users not to write down their passwords.
B) Using password salting.
C) Limiting the number of failed attempts to access a user's account.
D) Encouraging users to change their passwords often.

A) unique personal characteristic
B) a program that validates a user's identification.
C) an encrypted password.
D) a card containing a microprocessor used to perform authenticiation.

A) It often is designed to resemble a credit card.
B) It requires physical contact between the user and the card.
C) It can store private keys or digital certificates.
D) It can store credit card numbers or contact information.

A) With a key distribution center (KDC).
B) With a two-factor authentication service.
C) With an authentication server and a ticket granting service (TGS).
D) all of the above

A) 0%
B) 25%
C) 50%
D) 75%

A) a single login allows a user access to multiple applications
B) user passwords are encrypted to hide them from other users
C) passwords are maintained in only one (typically secure) location
D) none of the above

A) A workstation login script
B) An authentication server script
C) Token-based authentication
D) none of the above

A) subjects, objects
B) processes, resources
C) users, software
D) all of the above

A) Remove
B) Read
C) Write
D) Execute

A) privileges
B) resource types
C) subjects
D) both a and c

A) it allows users to belong to multiple roles
B) it assigns relationships between subjects and objects that are not limited to classes such as owners and groups
C) administrators only need to define specifics roles and assign users to those roles rather than defining specific privileges for each user
D) none of the above

A) whether a resource can be accessed by any user
B) the actions that a subject can perform on an object
C) whether a user belongs to a particular group
D) whether a group has access to a resource

A) A capability can be created or discarded at will by the holder of the capability.
B) It is often implemented as a unique object identifier.
C) It is a pointer or token that grants privileges to the subject that possesses it.
D) Systems that employ capabilities can suffer from the lost object problem.

A) It uses brute force to decrypt a message.
B) It uses a public key to determine information about the private key.
C) It exploits weak statistical trends between the key and the ciphertext to gain knowledge about the key.
D) It overloads the receiver so that legitimate messages cannot be received.

A) they hide within the system until a certain time or condition is met
B) they allow a malicious user access to the system
C) they do not require any user action to be activated
D) they appear to be legitimate programs

A) infects a system and spreads over a network to other systems.
B) infects the boot sector of a computer's hard disk.
C) enters a system hidden within a legitimate application.
D) that operates until the computer is powered down.

A) an attack in which requests are sent from multiple sources to overload a system.
B) an attack on a distributed system that overloads its network communications.
C) a means to counteract the security provided by a firewall.
D) none of the above

A) buffer overflow attack
B) denial-of-service attack
C) cryptanalytic attack
D) brute-force attack

A) Every system penetration is potentially dangerous.
B) It is a successful breach of a system's security.
C) It leads to denial of service.
D) Many attacks rely on a successful system penetration.

A) They do not protect against brute-force attacks.
B) They consider only the source of data packets, not the attached data.
C) It does not police inbound traffic, only outbound traffic.
D) They are not scalable to large businesses.

A) brute-force attacks
B) cryptanalytic attacks
C) denial-of-service attacks
D) Trojan horse attacks

A) building a model of an application's expected behavior
B) monitoring an application's system calls
C) identifying vulnerabilities in an application
D) developing a security plan

A) variants and polymorphic viruses can slip through undetected
B) it can introduce false positives and false negatives
C) virus lists can become prohibitively large as viruses proliferate
D) all of the above

A) It is susceptible to false reporting.
B) It can detect viruses that have not yet been identified.
C) It searches for common virus behavior.
D) all of the above

A) Developing and releasing patches for flaws.
B) Discovering previously undetected flaws.
C) Communicating with users.
D) all of the above

A) Authorization
B) Authentication
C) Digital signatures
D) Privacy

A) How do you ensure that the information you transmit has not been compromised?
B) How do you ensure that the information you transmit has not been captured?
C) How do you prove that a message was sent or received?
D) How do the sender and receiver verify their identities?

A) Secret key
B) Digital envelope
C) Session key
D) Triple DES

A) privacy
B) authorization
C) authentication
D) nonrepudiation

A) repository for digital certificates.
B) digital document that identifies a user.
C) organization that sets policies for obtaining digital certificates.
D) trusted third party that issues a digital certificate.

A) So that if the certificate is compromised it can be cancelled.
B) To force users to refresh their certificate regularly.
C) So that if a certificate is issued incorrectly, it will eventually expire.
D) none of the above

A) require client authentication
B) secure communication between two computers on the Internet
C) determine whether packets have been maliciously altered during transmission.
D) implement public-key cryptography using the RSA algorithm

A) A denial-of-service attack that uses a single IP address.
B) Simulating the IP address of an authorized user to gain access to a system.
C) A means of filtering packets by testing their source IP address.
D) A secure means of transmitting data over the Internet.

A) Unstable connections can cause a secure connection to fail, requiring it to be reinitiated.
B) Low bandwidth and processing power limit the ability to implement complex security mechanisms.
C) Accessing transmitted data does not require physically tapping into a wire.
D) all of the above

A) Developers are sometimes unwilling to disclose security flaws.
B) They are not always interoperable with other security programs.
C) They use security by obscurity.
D) They cannot be, in general, as secure as open-source software security implementations.

A) imitation password file used by the system to trick malicious users
B) false password file that is placed on a system by a malicious user
C) password file that is accessible only by users with root privileges
D) deleted password file that is still stored in memory