Exam Questions
Part 1: True or False Questions (2 points each).
1.T F The advantage of a stream cipher is that you can reuse keys.
Answer: _____
2.T F A message authentication code is a small block of data generated by apublic key and appended to a message. Answer: ____
3.T F The strength of a hash function against brute-force attacks depends solelyon the length of the hash code produced by the algorithm.
Answer: _____
4.T F Public-key algorithms are based on simple operations on bit patterns.
Answer: _____
5.T F User authentication is a procedure that allows communicating parties toverify that the contents of a received message have not been altered and that thesource is authentic. Answer: _____
6.T F Depending on the application, user authentication on a biometric systeminvolves either verification or identification. Answer: _____
7.T F In a biometric scheme some physical characteristic of the individual ismapped into a digital representation. Answer: _____
8.T F Any program that is owned by the “superuser” potentially grantsunrestricted access to the system to any user executing that program.Answer: _____
9.TF
10.T F Security labels indicate which system entities are eligible to access certainresources.
Answer: _____
Reliable input is an access control requirement. Answer: _____
Part 2: Multiple Choice Questions (3 points each).
1. A(n) _________ is an attempt to learn or make use of information from thesystem that does not affect system resources.
A. passive attack
B. outside attack
C. inside attack
D. active attack
Answer: _____
2. The _________ prevents the normal use or management of communicationsfacilities.
A. passive attack
B. denial of service
C. traffic encryption
D. masquerade
Answer: _____
3. Maintaining and improving the information security risk management process inresponse to incidents is part of the _________ step.
A. check
C. act
B. do
D. plan
Answer: _____
4. The intent of the ________ is to provide a clear overview of how an
organization’s IT infrastructure supports its overall business objectives.
A. risk register
C. vulnerability source
B. corporate security policy
D. threat assessment
Answer: _____
5. The _________ approach involves conducting a risk analysis for theorganization’s IT systems that exploits the knowledge and expertise of theindividuals performing the analysis.
A. baseline
C. detailed
B. combined
D. informal
6. _______ controls are pervasive, generic, underlying technical IT securitycapabilities that are interrelated with many other controls.
A. Preventative
C. Operational
B. Supportive
D. Detection and recovery
Answer: _____
7. Management should conduct a ________ to identify those controls that are mostappropriate and provide the greatest benefit to the organization given the availableresources.
A. cost analysis
C. benefit analysis
B. business analysis
D. none of the above
Answer: _____
8. Maintenance of security controls, security compliance checking, change andconfiguration management, and incident handling are all included in the followup stage of the _________ process.
A. management
C. maintenance
B. security awareness and training
D. all of the above
Answer: _____
9. The ________ access mode allows the subject only write access to the object.
A. read
B. append
C. write
D. execute
Answer: _____
10. “An individual (or role) may grant to another individual (or role) access to adocument based on the owner’s discretion, constrained by the MAC rules”describes the _________.
A. ss-property
C. *-property
B. ds-property
D. cc-property
11. Inserting a new row at a lower level without modifying the existing row at thehigher level is known as ________.
A. polyinstantiation
C. trust
B. ds-property
D. MAC
Answer: _____
12. The __________ is the encryption algorithm run in reverse.
A. cryptanalysis
C. ciphertext
B. plaintext
D. none of the above
Answer: _____
13. __________ is a block cipher in which the plaintext and ciphertext are integersbetween 0 and n-1 for some n.
A. DSS
C. SHA
B. RSA
D. AES
Answer: _____
14. A _________ protects against an attack in which one party generates a messagefor another party to sign.
A. data authenticator
C. secure hash
B. strong hash function
D. digital signature
Answer: _____
15. Presenting or generating authentication information that corroborates the bindingbetween the entity and the identifier is the ___________.
A. identification step
B. authentication step
C. verification step
D. corroboration step
16. A __________ strategy is one in which the system periodically runs its ownpassword cracker to find guessable passwords.
A. reactive password checking
B. computer-generated password
C. proactive password checking
D. user education
Answer: _____
17. A __________ attack is directed at the user file at the host where passwords arestored.
A. eavesdropping
B. client
C. denial-of-service
D. host
Answer: _____
18. __________ is the traditional method of implementing access control.
A. MAC
C. DAC
B. RBAC
D. MBAC
Answer: _____
19. A __________ is a named job function within the organization that controls thiscomputer system.
A. user
C. permission
B. role
D. session
Answer: _____
20. An approval to perform an operation on one or more RBAC protected objects is_________.
A. support
C. exclusive role
B. prerequisite
D. none of the above
Part 3: Short Answers (2 points each).
1. Also referred to as single-key encryption, the universal technique for providingconfidentiality for transmitted or stored data is __________.
Answer:
2. A __________ exploits the characteristics of the algorithm to attempt to deduce the key being used.
Answer:
3. A __________ processes the input elements continuously, producing output oneelement at a time.
Answer:
4. A __________ is one that is unpredictable without knowledge of the input keyand which has an apparently random character.
Answer:
5. With the __________ strategy a user is allowed to select their own password, butthe system checks to see if the password is allowable.
Answer:
6. Objects that a user possesses for the purpose of user authentication are called__________.
Answer:
7. A __________ attempts to authenticate an individual based on his or her uniquephysical characteristics.
Answer:
8. Basic access control systems typically define three classes of subject: ________ .
Answer:
9. The __________ is exempt from the usual file access control constraints and hassystem wide access.
Answer:
10. __________ enables the definition of a set of mutually exclusive roles, such thatif a user is assigned to one role in the set, the user may not be assigned to anyother role in the set.
