Part 1: True or False Questions (2 points each).
1. The advantage of a stream cipher is that you can reuse keys.
2. A message authentication code is a small block of data generated by a public key and appended to a message.
3. The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm.
4. Public-key algorithms are based on simple operations on bit patterns.
5. User authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic.
6. Depending on the application, user authentication on a biometric system involves either verification or identification.
7. In a biometric scheme some physical characteristic of the individual is mapped into a digital representation.
8. Any program that is owned by the "superuser" potentially grants unrestricted access to the system to any user executing that program.
9. Security labels indicate which system entities are eligible to access certain resources.
10. Reliable input is an access control requirement.
Part 2: Multiple Choice Questions
1. A(n) _________ is an attempt to learn or make use of information from the system that does not affect system resources.
A. passive attack
B. outside attack
C. inside attack
D. active attack
2. The _________ prevents the normal use or management of communications facilities.
A. passive attack
B. denial of service
C. traffic encryption
D. masquerade
3. Maintaining and improving the information security risk management process in response to incidents is part of the _________ step.
A. check
C. act
B. do
D. plan
4. The intent of the ________ is to provide a clear overview of how an organization's IT infrastructure supports its overall business objectives.
A. risk register
C. vulnerability source
B. corporate security policy
D. threat assessment
5. The _________ approach involves conducting a risk analysis for the organization's IT systems that exploits the knowledge and expertise of the individuals performing the analysis.
A. baseline
C. detailed
B. combined
D. informal
6. _______ controls are pervasive, generic, underlying technical IT security capabilities that are interrelated with many other controls.
A. Preventative
C. Operational
B. Supportive
D. Detection and recovery
7. Management should conduct a ________ to identify those controls that are most appropriate and provide the greatest benefit to the organization given the available resources.
A. cost analysis
C. benefit analysis
B. business analysis
D. none of the above
8. Maintenance of security controls, security compliance checking, change and configuration management, and incident handling are all included in the followup stage of the _________ process.
A. management
C. maintenance
B. security awareness and training
D. all of the above
9. The ________ access mode allows the subject only write access to the object.
A. read
B. append
C. write
D. execute
10. "An individual (or role) may grant to another individual (or role) access to a document based on the owner's discretion, constrained by the MAC rules" describes the _________.
A. ss-property
C. *-property
B. ds-property
D. cc-property
11. Inserting a new row at a lower level without modifying the existing row at the higher level is known as ________.
A. polyinstantiation
C. trust
B. ds-property
D. MAC
12. The __________ is the encryption algorithm run in reverse.
A. cryptanalysis
C. ciphertext
B. plaintext
D. none of the above
13. __________ is a block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n.
A. DSS
C. SHA
B. RSA
D. AES
14. A _________ protects against an attack in which one party generates a message for another party to sign.
A. data authenticator
C. secure hash
B. strong hash function
D. digital signature
15. Presenting or generating authentication information that corroborates the binding between the entity and the identifier is the ___________.
A. identification step
B. authentication step
C. verification step
D. corroboration step
16. A __________ strategy is one in which the system periodically runs its own password cracker to find guessable passwords.
A. reactive password checking
B. computer-generated password
C. proactive password checking
D. user education
17. A __________ attack is directed at the user file at the host where passwords are stored.
A. eavesdropping
B. client
C. denial-of-service
D. host
18. __________ is the traditional method of implementing access control.
A. MAC
C. DAC
B. RBAC
D. MBAC
19. A __________ is a named job function within the organization that controls this computer system.
A. user
C. permission
B. role
D. session
20. An approval to perform an operation on one or more RBAC protected objects is _________.
A. support
C. exclusive role
B. prerequisite
D. none of the above
Part 3: Short Answers
1. Also referred to as single-key encryption, the universal technique for providing confidentiality for transmitted or stored data is __________.
2. A __________ exploits the characteristics of the algorithm to attempt to deduce the key being used.
3. A __________ processes the input elements continuously, producing output one element at a time.
4. A __________ is one that is unpredictable without knowledge of the input key and which has an apparently random character.
5. With the __________ strategy a user is allowed to select their own password, but the system checks to see if the password is allowable.
6. Objects that a user possesses for the purpose of user authentication are called __________.
7. A __________ attempts to authenticate an individual based on his or her unique physical characteristics.
8. Basic access control systems typically define three classes of subject: ________ .
9. The __________ is exempt from the usual file access control constraints and has system wide access.
10. __________ enables the definition of a set of mutually exclusive roles, such that if a user is assigned to one role in the set, the user may not be assigned to any other role in the set.