Question 1. Which of the following is NOT one of Shannon's Characteristics of Good Ciphers?
- The amount of secrecy needed should determine the amount of labor appropriate for the encryption and decryption
- The size of the enciphered text should be much larger than the text of the original message to provide the greatest amount of confusion
- The set of keys and the enciphering algorithm should be free from complexity
- The implementation of the process should be as simple as possible
- Errors in ciphering should not propagate and cause corruption of further information in the message
Question 2. Name the three principal kinds of PROGRAMMING controls used to protect security of data and explain what each of them does:
Question 3. The eGovernment Act of 2002 requires private companies and corporations to post privacy policy notices on their web sites
Question 4. Your computer is going to transmit the letter "N" using ASCII encoding. The seven bit ASCII code for the letter N is 1001110. Your computer will add an eighth bit, and it is using even parity. Will it add a "1" or a "0"?
Question 5. Access control lists are seldom used on routers because of their potential to degrade router performance.
Question 6. Which of the following statements is correct (select all that apply)?
- Packet Filtering Firewalls block packets from addresses known to be suspect or dangerous and may block certain protocols, such as FTP.
- Stateful Inspection Firewalls keep track of information across multiple packets and shut down multi-packet penetration attempts
- Application Proxies simulate the effect of packets addressed to various applications before actually passing the packets to the application layer
Question 7. What is the definition of privacy, as we discussed it in class?
Question 8. A properly implemented firewall can keep all attacks out of a network
Question 9. The purpose of an Intrusion Detection System (IDS) is to cope with attacks that are already in progress
Question 10. According to the textbook, 87% of the population of the USA can likely be identified by linking which three attributes (select the correct 3 attributes)
- Gender
- Color of Eyes
- Date of Birth
- 5-digit Zip code
- Color of hair
- Race
Question 11. What is the data inference problem? Name two kinds of controls you would implement to protect against data inference, and under what circumstances would you use each one?
Question 12. Name the seven different network security controls discussed in class and explain what each of them protects or enforces
Question 13. Name and explain the two different types of Intrusion Detection Systems:
Question 14. Which of the following is NOT a function of an Intrusion Detection System?
- Monitors users and system activity
- Protects the perimeter of a network
- Recognizes known attack patterns
- Installs and operates traps to record information about intruders
Question 15. Commercially available Intrusion Detection Systems are fairly good at detecting attacks
Question 16. One advantage of commercial Intrusion Detection Systems is that they run well with no human intervention
Question 17. The ISOC standard for secure e-mail enables the sending of security-enhanced messages through the existing Internet as ordinary messages.
Question 18. Who should decide whether private information is sensitive?
- Subject
- Holder
- Both subject and holder
Question 19. Explain the difference between the secure email requirements of sender authentication and non-repudiation
Question 20. The government agency that may sue if a company posts false statements about privacy protection is the _____________ ___________ ____________
Question 21. Many users (select one best answer):
- Do not realize they must assume a significant amount of responsibility for security
- Realize that personal computers have a great deal of power
- Are aware of security risks, but choose to ignore them
- All of the above
Question 22. The Security Requirements section is the heart of a security plan. It states what is to be accomplished, and how it is to be done
Question 23. Updates to a security plan should be triggered by:
- Time (e.g. annually, every two years, ...)
- An event (e.g. a new kind of attack)
- Either time or an event
Question 24. List and explain three ways to maintain privacy, as defined in class.
Question 25. Explain the difference between a Business Continuity Plan and an Incident Response Plan
Question 26. Effective security planning requires risk analysis
Question 27. Name the three issues addressed by the Security Policy section of the Security Plan:
Question 28. Good physical security should be concerned with (select all that apply):
- Malicious acts such as sabotage
- Natural disasters such as floods, fire, and earthquakes
- Power loss and major power fluctuations
Question 29. Under patent law, an algorithm can be legitimately classed as an invention
Question 30. Match the time period of protection with the legal method in the following:
Potential Matches:
1 : Indefinite
2 : 70 years or 95 years
3 : 20 years
Question 31. Computer crime has been difficult to prosecute because of
- Legal rules regarding tangible property
- Rules of evidence
- Chain of custody rules
- All of the above
Question 32. Match the statute with the correct description or effect:
Potential Matches:
1 : Prohibits unauthorized access to national defense data, banking/financial information, accessing a protected computer without permission, and more.
2 : Protects privacy of personal data collected by US Government
3 : Strengthens 1984 Fraud & Abuse Act
4 : Outlaws espionage by computer
5 : Prohibits electronic wiretapping
Question 33. A user or company may become subject to the laws of another country, even if his/her/its data only passes through an intermediate Internet node, on its way to the receiver of the data
Question 34. US laws forbid companies to collect data on individuals that the US Government is prohibited from collecting
Question 35. Existing US privacy laws provide stronger data protection than European Union Directive 95/46/EC
Question 36. If two ethical principles conflict, the priority is determined by a (an):
- Court
- Philosopher
- Body of peers
- Individual
Question 37. Describe two kinds of content integrity controls for network security
Question 38. Penetration testing can be used to guarantee that a trusted system is fault-free
Question 39. Name three different things that can be authenticated. Which is the most difficult to authenticate?
Question 40. In analyzing your company's risk to a set of vulnerabilities, you determine that your risk exposure could be reduced from $35 million to $19 million. The cost of applying appropriate controls to achieve this reduction in risk exposure would be $4 million. What is the associated Risk Leverage?
Question 41. Match the statement with the correct kind of Intrusion Detection System (IDS)
Potential Matches:
1 : Signature Based IDS
2 : Heuristic IDS
3 : Signature Based IDS
4 : Heuristic IDS
Question 42. Explain the two phases of the two-phase update process for maintaining data base integrity
Question 43. After reading that second-hand smoke causes lung cancer in other people, Raj has decided that he will never smoke. Please circle which ethical theory he is following. In the following essay question, explain why you think he is following the ethical theory you have chosen
- Universal Deontology
- Rule Deontology
- Teleology - Egoism
- Teleology - Utilitarianism
Question 44. Explain your choice in the previous question.
Question 45. Estimate how long you need to make a password to make it secure from a brute force attack for one year using only upper case letters plus the numbers 0 through 9 plus the following nine special characters: !#$%^&*)(. Assume an attacker has a system that operates at 4 billion instructions per second, and that it takes 12 instructions to test each password. To simplify your calculation, assume the attacker only has to test the exact length password you estimate, but not all smaller lengths as well. You must show your calculations.
Question 46. The following ciphertext has been derived from a simple substitution cipher of the form Ci = Pi + N. Find the value of N that decrypts the ciphertext, decrypt it, and write the plaintext below. The numbers and letters below the ciphertext are there to make your task easier. You do not need to write down the value of N in your answer. Enter your answer using only upper case letters.
UNC CQN KJUUXXWB UXXBN BXXW
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 20 1 2 3 4 5 6
Question 47. Encrypt the phrase, "TELEOLOGICAL THEORY FOCUSES ON CONSEQUENCES", using a simple transposition cipher with eight rows and five columns. Type the resulting ciphertext in upper case letters only. Your result should contain 7 groups of five letters each and a final group of four letters and there should be a space between each group of letters in the ciphertext. Ignore the quote marks and ignore all spaces in the plaintext phrase.