CSE 365: Final UPDATED ACTUAL Exam
Questions and CORRECT Answers
What does CIA stand for? - CORRECT ANSWER - Confidentiality, Integrity, Availability
A business has an old system that needs to be restarted every night at 3AM. During the six
minutes it takes to restart, there is no password required to log in. Since no one is in the office
and the system is not used remotely, they're not too worried about this. What security principle
does this violate? - CORRECT ANSWER - Open Design
Which of the following are mechanisms for enforcing confidentiality? - CORRECT
ANSWER - Access Control & Encryption
If a virus takes control of the microphone in your smartphone, and listens to conversations you
are having, what computer security goal has been compromised? - CORRECT ANSWER -
Integrity
Which is NOT an element of calculating risk? - CORRECT ANSWER - Cost
What is one way(s) you might decide what risks to address first? - CORRECT ANSWER -
Calculate ROI and Rank them by severity
If integrity is the primary goal of an access control system, which model is most appropriate? -
CORRECT ANSWER - Biba Model
The potential issue with Hibernation files can be mitigated by? - CORRECT ANSWER -
Whole disk encryption
Brute Force Attack (most effective) - CORRECT ANSWER - Large processing but limited
storage
,Dictionary Attack (most effective) - CORRECT ANSWER - Large Storage but limited
processing
Rainbow Tables (most effective) - CORRECT ANSWER - Balanced storage and processing
What was the underlying issue with the shellshock vulnerability? - CORRECT ANSWER -A
bug in the code and the fact that the system was unable to distinguish data from code
If you want a program to run as the owner without any other elevation of privilege, which
permissions would you set? - CORRECT ANSWER - chmod 7xxx
What ways do botnets evade detection? - CORRECT ANSWER - Rootkits, encryption, &
compression
Which place is the safest place to store authorization role information? - CORRECT
ANSWER - Server side database
Which of the following represents a cross site request? - CORRECT ANSWER - Clicking
"like us on facebook" from a band's website
What is the best countermeasure for CSRF? - CORRECT ANSWER - Using a secret token to
validate transactions
Which of the following are input channels that could lead to XSS vulnerabilities? - CORRECT
ANSWER - 1. A login form for a web application that displays the username after login
2. A file that is uploaded to a web application that displays a directory of uploaded files
3. A social media site post form that allows comments using HTML markup to post images and
rich text
,If DNS packets did not have a TTL flag in the DNS response, what problem(s) could be created?
- CORRECT ANSWER - 1. DNS entries could resolve incorrectly for an indefinite time if a
host's IP address changed
2. Spoofed entries could be cached forever, making it difficult to recover from a cache poisoning
attack
What is an attack that directs a DNS name to a malicious IP address that looks similar to site
hosted at the legitimate address called? - CORRECT ANSWER - Pharming
What is the best countermeasure for SQL Injection Attacks? - CORRECT ANSWER - Using
Prepared Statements
Stream Cipher - CORRECT ANSWER - Encrypted video, encrypted cell phone
communication
Block Cipher - CORRECT ANSWER - Secure web page request, encrypted email
If you sign a contract with an electronic signature, what is the most likely security concern you
might have? - CORRECT ANSWER - Hash collisions, which might mean I'm effectively
signing two contracts
Which type of encryption is a mono-alphabetic substitution cipher? What is one way to crack
such a cipher? - CORRECT ANSWER - The substitution/caeser cipher uses symmetric
encryption to encode messages. This cipher would encode the letters of the message you want to
send with the 3rd letter to the right of that plaintext letter.
You can decrypt this cipher by following the rotate-3 decryption method and changing each
letter in the encrypted message to a letter 3 from it.
What is the difference between a stream cipher and a block cipher? What's one example where
you would use each? - CORRECT ANSWER - Stream Cipher is faster, simpler and operates
on unknown sizes and the block cipher operates on fixed size blocks. An example of a stream
cipher would be streaming something and an example of a block cipher would be an email being
sent.
, Describe the four high level steps in establishing a SSH connection - CORRECT ANSWER -
1. Client initiates the connection by contacting server
2. Sends server public key
3. Negotiate parameters and open secure channel
4. User login to server host OS
Describe two real world uses of asymmetric encryption - CORRECT ANSWER - Securely
communicating with another party as well as buying something online. In both of these cases, the
message or your banking information is being encryped when its being sent to the other party
and decrypted when it arrives.
Why are Certificate Authorities necessary? - CORRECT ANSWER - The certificate authority
itself is trustworthy. This is necessary to have to deny any MITM attacks that uses its own
certificate to redirect you to a similar yet vulnerable site.
Describe the "same origin" policy. What is one attack we examined that it helps prevent, and
how? - CORRECT ANSWER - The same origin policy functionality controls interactions
between the sites and whats embedded in the urls, images, and other information on it. This
policy can prevent against CSRF as it will restrict going to a different site then it is currently on.
Describe one countermeasure for cross-site request forgery. - CORRECT ANSWER - One
countermeasure to CSRF is using referrer headers which is a field in the HTTP request header
that tells us if the request is cross site forgery or not
Describe three different "input channels" into a web application that could be leveraged to
execute an XSS attack? - CORRECT ANSWER - URLs (Reflective), JS (Both), Forms
(Persistent)
One way to protect against cross-site request forgery would be not to submit cookies on cross
origin requests. What common functionality in websites would this break? - CORRECT
ANSWER - The same origin policy functionality would break this as its used to controls
interactions between the sites and its embedded images
Questions and CORRECT Answers
What does CIA stand for? - CORRECT ANSWER - Confidentiality, Integrity, Availability
A business has an old system that needs to be restarted every night at 3AM. During the six
minutes it takes to restart, there is no password required to log in. Since no one is in the office
and the system is not used remotely, they're not too worried about this. What security principle
does this violate? - CORRECT ANSWER - Open Design
Which of the following are mechanisms for enforcing confidentiality? - CORRECT
ANSWER - Access Control & Encryption
If a virus takes control of the microphone in your smartphone, and listens to conversations you
are having, what computer security goal has been compromised? - CORRECT ANSWER -
Integrity
Which is NOT an element of calculating risk? - CORRECT ANSWER - Cost
What is one way(s) you might decide what risks to address first? - CORRECT ANSWER -
Calculate ROI and Rank them by severity
If integrity is the primary goal of an access control system, which model is most appropriate? -
CORRECT ANSWER - Biba Model
The potential issue with Hibernation files can be mitigated by? - CORRECT ANSWER -
Whole disk encryption
Brute Force Attack (most effective) - CORRECT ANSWER - Large processing but limited
storage
,Dictionary Attack (most effective) - CORRECT ANSWER - Large Storage but limited
processing
Rainbow Tables (most effective) - CORRECT ANSWER - Balanced storage and processing
What was the underlying issue with the shellshock vulnerability? - CORRECT ANSWER -A
bug in the code and the fact that the system was unable to distinguish data from code
If you want a program to run as the owner without any other elevation of privilege, which
permissions would you set? - CORRECT ANSWER - chmod 7xxx
What ways do botnets evade detection? - CORRECT ANSWER - Rootkits, encryption, &
compression
Which place is the safest place to store authorization role information? - CORRECT
ANSWER - Server side database
Which of the following represents a cross site request? - CORRECT ANSWER - Clicking
"like us on facebook" from a band's website
What is the best countermeasure for CSRF? - CORRECT ANSWER - Using a secret token to
validate transactions
Which of the following are input channels that could lead to XSS vulnerabilities? - CORRECT
ANSWER - 1. A login form for a web application that displays the username after login
2. A file that is uploaded to a web application that displays a directory of uploaded files
3. A social media site post form that allows comments using HTML markup to post images and
rich text
,If DNS packets did not have a TTL flag in the DNS response, what problem(s) could be created?
- CORRECT ANSWER - 1. DNS entries could resolve incorrectly for an indefinite time if a
host's IP address changed
2. Spoofed entries could be cached forever, making it difficult to recover from a cache poisoning
attack
What is an attack that directs a DNS name to a malicious IP address that looks similar to site
hosted at the legitimate address called? - CORRECT ANSWER - Pharming
What is the best countermeasure for SQL Injection Attacks? - CORRECT ANSWER - Using
Prepared Statements
Stream Cipher - CORRECT ANSWER - Encrypted video, encrypted cell phone
communication
Block Cipher - CORRECT ANSWER - Secure web page request, encrypted email
If you sign a contract with an electronic signature, what is the most likely security concern you
might have? - CORRECT ANSWER - Hash collisions, which might mean I'm effectively
signing two contracts
Which type of encryption is a mono-alphabetic substitution cipher? What is one way to crack
such a cipher? - CORRECT ANSWER - The substitution/caeser cipher uses symmetric
encryption to encode messages. This cipher would encode the letters of the message you want to
send with the 3rd letter to the right of that plaintext letter.
You can decrypt this cipher by following the rotate-3 decryption method and changing each
letter in the encrypted message to a letter 3 from it.
What is the difference between a stream cipher and a block cipher? What's one example where
you would use each? - CORRECT ANSWER - Stream Cipher is faster, simpler and operates
on unknown sizes and the block cipher operates on fixed size blocks. An example of a stream
cipher would be streaming something and an example of a block cipher would be an email being
sent.
, Describe the four high level steps in establishing a SSH connection - CORRECT ANSWER -
1. Client initiates the connection by contacting server
2. Sends server public key
3. Negotiate parameters and open secure channel
4. User login to server host OS
Describe two real world uses of asymmetric encryption - CORRECT ANSWER - Securely
communicating with another party as well as buying something online. In both of these cases, the
message or your banking information is being encryped when its being sent to the other party
and decrypted when it arrives.
Why are Certificate Authorities necessary? - CORRECT ANSWER - The certificate authority
itself is trustworthy. This is necessary to have to deny any MITM attacks that uses its own
certificate to redirect you to a similar yet vulnerable site.
Describe the "same origin" policy. What is one attack we examined that it helps prevent, and
how? - CORRECT ANSWER - The same origin policy functionality controls interactions
between the sites and whats embedded in the urls, images, and other information on it. This
policy can prevent against CSRF as it will restrict going to a different site then it is currently on.
Describe one countermeasure for cross-site request forgery. - CORRECT ANSWER - One
countermeasure to CSRF is using referrer headers which is a field in the HTTP request header
that tells us if the request is cross site forgery or not
Describe three different "input channels" into a web application that could be leveraged to
execute an XSS attack? - CORRECT ANSWER - URLs (Reflective), JS (Both), Forms
(Persistent)
One way to protect against cross-site request forgery would be not to submit cookies on cross
origin requests. What common functionality in websites would this break? - CORRECT
ANSWER - The same origin policy functionality would break this as its used to controls
interactions between the sites and its embedded images
