Network Security Essentials: Applications and Standards, 5th Edition, by William Stallings – Test Bank

Sample Questions

Chapter 1: Introduction

TRUE OR FALSE


T          F          1.  With the introduction of the computer the need for automated tools for protecting files and other information stored on the computer became evident.

T          F          2.  There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs.

T          F          3.  There are clear boundaries between network security and internet

T          F          4.  The CIA triad embodies the fundamental security objectives for both data and for information and computing services.

T          F          5.  In developing a particular security mechanism or algorithm one must always consider potential attacks on those security features.

T          F          6.  A loss of confidentiality is the unauthorized modification or destruction of information.

T          F          7.  Patient allergy information is an example of an asset with a moderate requirement for integrity.

T          F          8.  The more critical a component or service, the higher the level of availability required.

T          F          9.  Data origin authentication provides protection against the duplication or modification of data units.

T          F          10. The emphasis in dealing with passive attacks is on prevention rather than detection.

T          F          11. Data integrity is the protection of data from unauthorized

T          F          12. Information access threats exploit service flaws in computers to inhibit use by legitimate users.

T          F          13. Viruses and worms are two examples of software attacks.

T          F          14. A connection-oriented integrity service deals with individual messages without regard to any larger context and generally provides protection against message modification only.

T          F          15. Pervasive security mechanisms are not specific to any particular OSI security service or protocol layer.






1. _________ security consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information.

   A. Computer                    B. Internet
   C. Intranet                    D. Network

2. Verifying that users are who they say they are and that each input arriving at the system came from a trusted source is __________ .

   A. authenticity                B. accountability
   C. integrity                   D. confidentiality

3. __________ assures that systems work promptly and service is not denied to authorized users.

   A. Integrity                   B. Availability
   C. System integrity            D. Data confidentiality

4. __________ assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

   A. Data confidentiality        B. Availability
   C. System integrity            D. Privacy

5. The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity is _________ .

   A. accountability              B. authenticity
   C. privacy                     D. integrity

6. __________ attacks attempt to alter system resources or affect their operation.

   A. Active                      B. Release of message content
   C. Passive                     D. Traffic analysis

7. A __________ takes place when one entity pretends to be a different entity.

   A. passive attack              B. masquerade
   C. modification of message     D. replay

8. X.800 defines _________ as a service that is provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers.

   A. replay                      B. integrity
   C. authenticity                D. security service

9. _________ is a professional membership society with worldwide organizational and individual membership that provides leadership in addressing issues that confront the future of the Internet and is the organization home for the groups responsible for Internet infrastructure standards, including the IETF and the IAB.

   A. ITU-T                       B. ISO
   C. FIPS                        D. ISOC

10. The protection of data from unauthorized disclosure is _________ .

   A. access control              B. authentication
   C. data confidentiality        D. nonrepudiation

11. __________ is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private sector innovation.

   A. ISO
   C. ITU-T

12. The prevention of unauthorized use of a resource is __________ .

   A. access control              B. authentication
   C. data confidentiality        D. nonrepudiation

13. The __________ service addresses the security concerns raised by denial-of-service attacks.

   A. event detection             B. integrity
   C. availability                D. routing control

14. _________ is the insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.

   A. Notarization                B. Authentication exchange
   C. Routing control             D. Traffic padding

15. _________ is a variety of mechanisms used to assure the integrity of a data unit or stream of data units.

   A. Data integrity              B. Authentication exchange
   C. Trusted functionality       D. Event detection






1. _________ is defined as “the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources”.

2. Three key objectives that are at the heart of computer security are: confidentiality, availability, and _________ .

3. An intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system is an __________ .

4. A loss of _________ is the disruption of access to or use of information or an information system.

5. __________ is the use of mathematical algorithms to transform data into a form that is not readily intelligible, in which the transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys.

6. Student grade information is an asset whose confidentiality is considered to be highly important by students and, in the United States, the release of such information is regulated by the __________.

7. A possible danger that might exploit a vulnerability, a _________ is a potential for violation of security which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.

8. A __________ attack attempts to learn or make use of information from the system but does not affect system resources.

9. The common technique for masking contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message is _________ .

10. Active attacks can be subdivided into four categories: replay, modification of messages, denial of service, and __________ .

11. X.800 divides security services into five categories: authentication, access control, nonrepudiation, data integrity and __________ .

12. In the context of network security, _________ is the ability to limit and control the access to host systems and applications via communications links.

13. The __________ is a worldwide federation of national standards bodies that promote the development of standardization and related activities with a view to facilitating the international exchange of goods and services and to developing cooperation in the spheres of intellectual, scientific, technological, and economic activity.

14. __________ prevents either sender or receiver from denying a transmitted message; when a message is sent the receiver can prove that the alleged sender in fact sent the message and when a message is received the sender can prove that the alleged receiver in fact received the message.

15. A __________ is data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.



Chapter 3: Public-Key Cryptography and Message Authentication

T          F          1.  Public key algorithms are useful in the exchange of conventional encryption keys.

T          F          2.  Private key encryption is used to produce digital signatures which provide an enhanced form of message authentication.

T          F          3.  The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the

T          F          4.  The two important aspects of encryption are to verify that the contents of the message have not been altered and that the source is authentic.

T          F          5.  In the ECB mode of encryption if an attacker reorders the blocks of ciphertext then each block will still decrypt successfully, however, the reordering may alter the meaning of the overall data sequence.

T          F          6.  Message encryption alone provides a secure form of authentication.

T          F          7.  Because of the mathematical properties of the message authentication code function it is less vulnerable to being broken than encryption.

T          F          8.  In addition to providing authentication, a message digest also provides data integrity and performs the same function as a frame check sequence.

T          F          9.  Cryptographic hash functions generally execute slower in software than conventional encryption algorithms such as DES.

T          F          10. The main advantage of HMAC over other proposed hash based schemes is that HMAC can be proven secure, provided that the embedded hash function has some reasonable cryptographic

T          F          11. Public key algorithms are based on mathematical functions rather than on simple operations on bit patterns.

T          F          12. The private key is known only to its owner.

T          F          13. The security of the Diffie-Hellman key exchange lies in the fact that, while it is relatively easy to calculate exponentials modulo a prime, it is very easy to calculate discrete logarithms.

T          F          14. The key exchange protocol is vulnerable to a man-in-the-middle attack because it does not authenticate the participants.

T          F          15. Even in the case of complete encryption there is no protection of confidentiality because any observer can decrypt the message by using the sender’s public key.







1. ________ protects against passive attacks (eavesdropping).

   A. Obfuscation                 B. Encryption
   C. SCR                         D. Message authentication

2. The most important hash function is ________ .

   A. MAC                         B. SHA
   C. OWH                         D. ECB

3. __________ is a procedure that allows communicating parties to verify that received messages are authentic.

   A. ECB                         B. Message authentication
   C. Passive attack              D. Encryption

4. If the message includes a _________ the receiver is assured that the message has not been delayed beyond that normally expected for network transit.

   A. sequence number             B. shared key
   C. error detection code        D. timestamp

5. The purpose of a ___________ is to produce a “fingerprint” of a file, message, or other block of data.

   A. hash function               B. public key
   C. message authentication      D. cipher encryption

6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). A hash function with this property is referred to as __________ .

   A. collision resistant         B. preimage resistant
   C. one-way                     D. weak collision resistant

7. “It is easy to generate a code given a message, but virtually impossible to generate a message given a code” describes the __________ hash function property.

   A. second preimage resistant   B. preimage resistant
   C. strong collision resistant  D. collision resistant

8. The __________ property protects against a sophisticated class of attack known as the birthday attack.

   A. preimage resistant          B. one-way
   C. collision resistant         D. second preimage resistant

9. Secure Hash Algorithms with hash value lengths of 256, 384, and 512 bits are collectively known as _________ .

   A. SHA-0                       B. SHA-3
   C. SHA-2                       D. SHA-1

10. Public key cryptography is __________ .

   A. bit patterned               B. one key
   C. symmetric                   D. asymmetric

11. The readable message or data that is fed into the algorithm as input is the __________ .

   A. ciphertext                  B. plaintext
   C. encryption algorithm        D. private key

12. The key used in conventional encryption is typically referred to as a _________ key.

   A. secondary                   B. primary
   C. cipher                      D. secret

13. The most widely accepted and implemented approach to public-key encryption, _________ is a block cipher in which the plaintext and ciphertext are integers between 0 and n – 1 for some n.

   A. MD5                         B. RSA
   C. SHA                         D. CTR

14. The purpose of the _________ algorithm is to enable two users to exchange a secret key securely that then can be used for subsequent encryption of messages and depends on the difficulty of computing discrete logarithms for its effectiveness.

   A. Diffie-Hellman              B. RSA
   C. DSS                         D. Rivest-Adleman

15. Based on the use of a mathematical construct known as the elliptic curve and offering equal security for a far smaller bit size, __________ has begun to challenge RSA.

   A. DSS                         B. TCB
   C. RIPE-160                    D. ECC







1. Protection against active attacks (falsification of data and transactions) is known as ___________ .

2. The __________ property is the “one-way” property and is important if the authentication technique involves the use of a secret value.

3. The __________ approach has two advantages: it provides a digital signature as well as message authentication and it does not require the distribution of keys to communicating parties.

4. Like the MAC, a __________ accepts a variable size message M as input and produces a fixed size message digest H(M) as output. Unlike the MAC, it does not take a secret key as input.

5. The __________ property guarantees that it is impossible to find an alternative message with the same hash value as a given message, thus preventing forgery when an encrypted hash code is used.

6. As with symmetric encryption, there are two approaches to attacking a secure hash function: brute-force attack and ___________ .

7. The two most widely used public key algorithms are RSA and _________ .

8. The _________ was developed by NIST and published as a federal information processing standard in 1993.

9. __________ is a term used to describe encryption systems that simultaneously protect confidentiality and authenticity (integrity) of communications.

10. The key algorithmic ingredients of __________ are the AES encryption algorithm, the CTR mode of operation, and the CMAC authentication algorithm.

11. The __________ algorithm accepts the ciphertext and the matching key and produces the original plaintext.

12. A __________ is when the sender “signs” a message with its private key, which is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message.

13. A _________ is when two sides cooperate to exchange a session key.

14. Using an algorithm that is designed to provide only the digital signature function, the _________ makes use of the SHA-1 and cannot be used for encryption or key exchange.

15. Bob uses his own private key to encrypt the message. When Alice receives the ciphertext she finds that she can decrypt it with Bob’s public key, thus proving that the message must have been encrypted by Bob. No one else has Bob’s private key and therefore no one else could have created a ciphertext that could be decrypted with Bob’s public key. Therefore the entire encrypted message serves as a _________ .


Chapter 5: Network Access Control and Cloud Security

TRUE OR FALSE

T          F          1.  Network access control authenticates users logging into the network and determines what data they can access and actions they can perform.

T          F          2.  Access requestors are also referred to as clients.

T          F          3.  A network access server does not include its own authentication

T          F          4.  VLANs are common NAC enforcement methods.

T          F          5.  The Extensible Authentication Protocol supports multiple authentication methods.

T          F          6.  EAPOL operates at the network layers and makes use of an IEEE 802 LAN, such as Ethernet or Wi-Fi, at the link level.

T          F          7.  There is a decreasing trend in organizations to move information technology operations to a cloud computing infrastructure.

T          F          8.  Cloud computing gives you the ability to expand and reduce resources according to your specific service requirement.

T          F          9.  The cloud provider in a private cloud infrastructure is responsible for both the infrastructure and the control.

T          F          10. The NIST cloud computing reference architecture focuses on the requirements of “what” cloud services provide, not a “how to” design solution and implementation.

T          F          11. A cloud broker is useful when cloud services are too complex for a cloud consumer to easily manage.

T          F          12. For many clients, the most devastating impact from a security breach is the loss or leakage of data.

T          F          13. In using cloud infrastructures, the client necessarily cedes control to the CP on a number of issues that may affect security.

T          F          14. The threat of data compromise decreases in the cloud.

T          F          15. Data must be secured while at rest, in transit, and in use, and access to the data must be controlled.





1. ___________ is an umbrella term for managing access to a network.

   A. NAS                         B. ARC
   C. NAC                         D. RAS

2. The _________ is the node that is attempting to access the network and may be any device that is managed by the network access control system.

   A. AR                          B. RAS
   C. IP                          D. PS

3. The __________ determines what access should be granted.

   A. authentication server       B. policy server
   C. supplicant                  D. access requestor

4. The __________ is an Internet protocol that enables dynamic allocation of IP addresses to hosts.

   A. VLAN                        B. IEEE 802.1X
   C. EAPS                        D. DHCP

5. _________ is a client computer that is attempting to access a network.

   A. EAP peer                    B. PSK
   C. NAC                         D. RAS

6. Broad network access, measured service, resource pooling, and rapid elasticity are essential characteristics of ___________.

   A. PaaS                        B. network access control
   C. cloud computing             D. EAP-TLS

7. _________ saves the complexity of software installation, maintenance, upgrades, and patches.

   A. IaaS                        B. SaaS
   C. EAP                         D. DHCP

8. In effect, ________ is an operating system in the cloud.

   A. IEEE 802.1X                 B. PaaS
   C. IaaS                        D. DHCP

9. _________ enables customers to combine basic computing services, such as number crunching and data storage, to build highly adaptable computer systems.

   A. IaaS                        B. EAP peer
   C. CP                          D. SaaS

10. With a _________ infrastructure, the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

   A. hybrid cloud                B. private cloud
   C. public cloud                D. community cloud

11. With a _________ infrastructure, the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns.

   A. community cloud             B. public cloud
   C. private cloud               D. hybrid cloud

12. A _________ is a person or organization that maintains a business relationship with, and uses service from, cloud providers.

   A. cloud auditor               B. cloud broker
   C. cloud carrier               D. cloud consumer

13. A ________ is a person, organization, or entity responsible for making a service available to interested parties.

   A. cloud broker                B. cloud auditor
   C. cloud provider              D. cloud carrier

14. A ________ is a party that can conduct independent assessment of cloud service, information system operations, performance, and security of the cloud implementation.

   A. cloud auditor               B. cloud carrier
   C. cloud broker                D. all of the above

15. _________ is the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems.

   A. IaaS                        B. PaaS
   C. SaaS                        D. SecaaS







1. The ___________ functions as an access control point for users in remote locations connecting to an enterprise’s internal network.

2. __________ methods are the actions that are applied to ARs to regulate access to the enterprise network.

3. A __________ provides a form of NAC by allowing or denying network traffic between an enterprise host and an external user.

4. An __________ is a server computer that negotiates the use of a specific EAP method with an EAP peer, validates the EAP peer’s credentials, and authorizes access to the network.

5. A _________ is an entity at one end of a point-to-point LAN segment that seeks to be authenticated by an authenticator attached to the other end of that link.

6. _________ is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

7. NIST defines three service models, which can be viewed as nested service alternatives: software as a service, platform as a service, and _________ as a service.

8. With a ________ infrastructure, the cloud infrastructure is a composition of two or more clouds that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.

9. A _________ is an intermediary that provides connectivity and transport of cloud services from CPs to cloud consumers.

10. ___________ includes people, processes, and systems that are used to manage access to enterprise resources by assuring that the identity of an entity is verified, and then granting the correct level of access based on this assured identity.

11. __________ are third party audits of cloud services.

12. _________ defines how the TLS protocol can be encapsulated in EAP messages.

13. ____________ is an EAP method for mutual authentication and session key derivation using a Pre-Shared Key.

14. An _________ is an access point or NAS that requires EAP authentication prior to granting access to a network.

15. The Cloud Security Alliance defines _______ as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems.





Chapter 7: Wireless Network Security

TRUE OR FALSE

T          F          1.  IEEE 802.11 is a standard for wireless LANs.

T          F          2.  Wireless networks, and the wireless devices that use them, introduce a host of security problems over and above those found in wired networks.

T          F          3.  Sensors and robots are not vulnerable to physical attacks.

T          F          4.  The integration service enables transfer of data between a station on an IEEE 802.11 LAN and a station on an integrated IEEE 802.x

T          F          5.  MAC spoofing occurs when an attacker is able to eavesdrop on network traffic and identify the MAC address of a computer with network privileges.

T          F          6.  The DS can be a switch, a wired network, or a wireless network.

T          F          7.  The pairwise master key is derived from the group key.

T          F          8.  IEEE 802.11 defines seven services that need to be provided by the wireless LAN to achieve functionality equivalent to that which is inherent to wired LANs.

T          F          9.  Handheld PDAs pose a security risk in terms of both eavesdropping and spoofing.

T          F          10. The actual method of key generation depends on the details of the authentication protocol used.

T          F          11. The use of 802.1X cannot prevent rogue access points and other unauthorized devices from becoming insecure backdoors.

T          F          12. The principal threats to wireless transmission are eavesdropping, altering or inserting messages, and disruption.

T          F          13. The use of encryption and authentication protocols is the standard method of countering attempts to alter or insert

T          F          14. You should allow only specific computers to access your wireless

T          F          15. Security policies for mobile devices should assume that any mobile device will not be stolen or accessed by a malicious party.






1. The term used for certified 802.11b products is ___________ .

   A. WAP                         B. Wi-Fi
   C. WEP                         D. WPA

2. The layer of the IEEE 802 reference model that includes such functions as encoding/decoding of signals and bit transmission/reception is the _________ .

   A. physical layer              B. control layer
   C. logical link layer          D. media access layer

3. In a(n) __________ situation, a wireless device is configured to appear to be a legitimate access point, enabling the operator to steal passwords from legitimate users and then penetrate a wired network through a legitimate wireless access point.

   A. malicious association       B. identity theft
   C. network injection           D. ad hoc network

4. ___________ and links, such as personal network Bluetooth devices, barcode readers, and handheld PDAs, pose a security risk in terms of both eavesdropping and spoofing.

   A. DoS                         B. Accidental association
   C. Nontraditional networks     D. Ad hoc networks

5. The function of the __________ is to, on transmission, assemble data into a frame; on reception, disassemble the frame and perform address recognition and error detection; and govern access to the LAN transmission medium.

   A. transmission layer          B. logical layer
   C. media access control layer  D. physical layer

6. The master session key is also known as the __________ key.

   A. AAA                         B. GTK
   C. MIC                         D. STA

7. The __________ is the information that is delivered as a unit between MAC users.

   A. MSDU                        B. DS
   C. MPDU                        D. BSS

8. The __________ layer keeps track of which frames have been successfully received and retransmits unsuccessful frames.

   A. transmission                B. media access control
   C. logical link control        D. physical layer

9. The purpose of the discovery phase in the ___________ is for a STA and an AP to recognize each other, agree on a set of security capabilities, and establish an association for future communication using those security capabilities.

   A. WPA                         B. RSN
   C. TKIP                        D. WAE

10. The specification of a protocol along with the chosen key length is known as a __________ .

   A. extended service            B. distribution system
   C. cipher suite                D. RSN

11. The _________ is used to ensure the confidentiality of the GTK and other key material in the 4-Way Handshake.

   A. MIC key                     B. EAPOL-KEK

12. The PMK is used to generate the _________ which consists of three keys to be used for communication between a STA and AP after they have been mutually authenticated.

   A. AAA Key                     B. GTK
   C. PTK                         D. PSK

13. A __________ is any device that contains an IEEE 802.11 conformant MAC and physical layer.

   A. station                     B. MPU
   C. service data unit           D. MSDU

14. The first 802.11 standard to gain broad industry acceptance was _________.

   A. 802.11i                     B. 802.11a
   C. 802.11g                     D. 802.11b

15. ____________ can occur when a company’s wireless LAN or wireless access points to wired LANs are in close proximity and may create overlapping transmission ranges. A user intending to connect to one LAN may unintentionally lock on to a wireless access point from a neighboring network.

   A. Network injection           B. Denial of service attacks
   C. Man-in-the-middle attacks   D. Accidental association






1. In simple terms, the wireless environment consists of three components that provide points of attack: the endpoint, the ______________, and the access point.

2. A __________ attack occurs when an attacker continually bombards a wireless access point or some other accessible wireless port with various protocol messages designed to consume system resources.

3. __________ is the primary service used by stations to exchange MPDUs when the MPDUs must traverse the DS to get from a station in one BSS to a station in another BSS.

4. To certify interoperability for 802.11b products an industry consortium named the __________ was formed.

5. The __________ function is the logical function that determines when a station operating within a BSS is permitted to transmit and may be able to receive PDUs.

6. Derived from the GMK, the _________ is used to provide confidentiality and integrity protection for multicast/broadcast user traffic.

7. An __________ is a set of one or more interconnected BSSs and integrated LANs that appear as a single BSS to the LLC layer at any station associated with one of these BSSs.

8. The __________ layer is responsible for detecting errors and discarding any frames that contain errors.

9. The smallest building block of a wireless LAN is a __________ which consists of wireless stations executing the same MAC protocol and competing for access to the same shared wireless medium.

10. In order to accelerate the introduction of strong security into WLANs, the Wi-Fi Alliance promulgated __________ as a set of security mechanisms for the Wi-Fi standard.

11. The MPDU authentication phase consists of three phases. They are: connect to AS, EAP exchange and _________ .

12. Forming a hierarchy beginning with a master key from which other keys are derived dynamically and used for a limited period of time, __________ are used for communication between a pair of devices, typically between a STA and an AP.

13. The MPDU exchange for distributing pairwise keys is known as the _________ which the STA and AP use to confirm the existence of the PMK, to verify the selection of the cipher suite, and to derive a fresh PTK for data sessions.

14. The main threat involving wireless access points is unauthorized access to the network. The principal approach for preventing success is the __________ standard for port-based network access control.

15. The IEEE 802.11 protocol stack consists of the logical link control layer, the medium access control layer, and the _________ layer.

Chapter 9: IP Security





T          F          1.  IP security is a capability that can be added to either current version of the Internet Protocol by means of additional headers.

T          F          2.  The principal feature of IPsec is that it can encrypt and/or authenticate all traffic at the IP level.

T          F          3.  Transport mode provides protection to the entire IP packet.

T          F          4.  Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual length of the payload.

T          F          5.  Authentication must be applied to the entire original IP packet.

T          F          6.  An end user whose system is equipped with IP security protocols can make a local call to an ISP and gain secure access to a company

T          F          7.  Both tunnel and transport modes can be accommodated by the encapsulating security payload encryption format.

T          F          8.  An individual SA can implement both the AH and the ESP protocol.

T          F          9.  By implementing security at the IP level an organization can ensure secure networking not only for applications that have security mechanisms but also for the many security ignorant applications.

T          F          10. IPSec can guarantee that all traffic designated by the network administrator is authenticated but cannot guarantee that it is

T          F          11. Any traffic from the local host to a remote host for purposes of an IKE exchange bypasses the IPsec processing.

T          F          12. IPsec is executed on a packet-by-packet basis.

T          F          13. The Payload Data Field is designed to deter replay attacks.

T          F          14. The Security Parameters Index identifies a security association.

T          F          15. The default automated key management protocol for IPsec is referred to as ISAKMP/Oakley.






1. Authentication applied to the entire original IP packet is _________ .

   A) security mode            B) cipher mode
   C) tunnel mode              D) transport mode


2. _________ defines a number of techniques for key management.

   A) KEP                      B) KMP
   C) SKE                      D) IKE


3. Authentication applied to all of the packet except for the IP header is _________ .

   A) tunnel mode              B) transport mode
   C) association mode         D) security mode


4. The __________ mechanism assures that a received packet was in fact transmitted by the party identified as the source in the packet header and assures that the packet has not been altered in transit.

   A) confidentiality          B) authentication
   C) security                 D) key management


5. __________ provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet.

   A) IKE                      B) ISA
   C) IAB                      D) IPsec


6. The _________ facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties.

   A) security                 B) key management
   C) authentication           D) confidentiality


7. The key management mechanism that is used to distribute keys is coupled to the authentication and privacy mechanisms only by way of the _________ .

   A) IAB                      B) SPI
   C) ESP                      D) SPD


8. A _________ is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it.

   A) SAD                      B) SPD
   C) SA                       D) SPI


9. The means by which IP traffic is related to specific SAs is the _________ .

   A) TRS                      B) SPD
   C) SAD                      D) SPI


10. _________ consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication. The current specification is RFC 4303.

   A) SPI                      B) ESP
   C) ISA                      D) IPsec


11. _________ identifies the type of data contained in the payload data field by identifying the first header in that payload.

   A) Security Parameters Index    B) Next Header
   C) Sequence Header              D) Payload Data


12. A value chosen by the responder to identify a unique IKE SA is a _________ .

   A) Initiator SPI            B) Responder Cookie
   C) Flag                     D) Message ID


13. IKE key determination employs __________ to ensure against replay attacks.

   A) cookies                  B) groups
   C) flags                    D) nonces


14. The __________ payload contains either error or status information associated with this SA or this SA negotiation.

   A) Encrypted                B) Notify
   C) Configuration            D) Nonce


15. The _________ payload allows peers to identify packet flows for processing by IPsec services.

   A) Configuration            B) Vendor ID
   C) Traffic Selector         D) Extensible Authentication Protocol







1. IPsec encompasses three functional areas: authentication, key management, and __________ .


2. _________ mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPsec.


3. IPsec policy is determined primarily by the interaction of two databases: the security policy database and the __________ .


4. Confidentiality is provided by an encryption format known as __________ .


5. A __________ attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it to the intended destination.


6. Authentication makes use of the _________ message authentication code.


7. A security association is uniquely identified by three parameters: Security Protocol Identifier, IP Destination Address, and ________ .


8. The __________ facility is concerned with the secure exchange of keys.


9. _________ can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and traffic flow confidentiality.


10. IPsec provides security services at the ________ layer by enabling a system to select required security protocols, determine the algorithms to use for the services and put in place any cryptographic keys required to provide the requested services.


11. The selectors that determine a Security Policy Database entry are: Name, Local and Remote Ports, Next Layer Protocol, Remote IP Address, and _________ .


12. The term _________ refers to a sequence of SAs through which traffic must be processed to provide a desired set of IPsec services.


13. Generic in that it does not dictate specific formats, the _________ is a key exchange protocol based on the Diffie-Hellman algorithm with added security.


14. Three different authentication methods can be used with IKE key determination: public key encryption, symmetric key encryption, and _________ .


15. At any point in an IKE exchange the sender may include a _________ payload to request the certificate of the other communicating entity.
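Worked example, added here and not part of the test bank, of the inbound ESP processing that the Chapter 9 questions above turn on: the SA is located by (Security Protocol, destination address, SPI); the ESP header carries the SPI and Sequence Number while the trailer carries Pad Length and Next Header (RFC 4303); and replay is detected with a sliding window over the Sequence Number, not the Payload Data. The SPI, destination address, payload bytes and window size are constructed for the demo, and ICV verification and decryption are omitted, so the payload is plaintext.

```python
"""Added example, not from the test bank: inbound ESP processing skeleton.

Constructed demo: SPI, destination address, payload bytes and window size are
made up. Decryption and ICV verification are omitted, so the payload is plaintext.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP_PROTOCOL = 50      # IP protocol number carried in the outer header for ESP
WINDOW_SIZE = 64       # RFC 4303: 32 is the minimum, 64 the default; larger is allowed


@dataclass
class SecurityAssociation:
    """One-way SA. The three identifying parameters are spi, dst and protocol."""
    spi: int
    dst: str
    protocol: int = ESP_PROTOCOL
    mode: str = "tunnel"        # "tunnel" (security gateway) or "transport" (host-to-host)
    highest_seq: int = 0        # right edge of the anti-replay window
    window: int = 0             # bit i set => sequence number highest_seq - i was seen

    def check_and_update_replay(self, seq: int) -> bool:
        """Sliding-window anti-replay check on the ESP Sequence Number.

        Returns True (and records seq) when seq is new, False when it is a
        duplicate or older than the window. In a real stack the window is only
        updated after the ICV verifies, so forged packets cannot advance it."""
        if seq == 0:
            return False                       # counter starts at 1; 0 is never valid
        if seq > self.highest_seq:             # new right edge: slide the window
            shift = seq - self.highest_seq
            if shift >= WINDOW_SIZE:
                self.window = 1                # everything previously seen fell off
            else:
                self.window = ((self.window << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW_SIZE:
            return False                       # too old: left of the window
        if self.window & (1 << offset):
            return False                       # already received: replay
        self.window |= 1 << offset
        return True


class SAD:
    """Security Association Database keyed by (protocol, destination, SPI)."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[int, str, int], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._entries[(sa.protocol, sa.dst, sa.spi)] = sa

    def lookup(self, protocol: int, dst: str, spi: int) -> Optional[SecurityAssociation]:
        return self._entries.get((protocol, dst, spi))


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, align: int = 4) -> bytes:
    """ESP packet without ICV: header (SPI, Sequence Number), Payload Data,
    Padding, Pad Length, Next Header. Padding uses RFC 4303's default 1,2,3,... bytes."""
    pad_len = (-(len(payload) + 2)) % align
    padding = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])


def parse_esp(pkt: bytes) -> Tuple[int, int, bytes, int]:
    """Return (spi, seq, payload, next_header). Next Header names the first header
    inside the payload: 4 = IPv4 (tunnel mode), 6 = TCP (transport mode)."""
    spi, seq = struct.unpack("!II", pkt[:8])
    pad_len, next_header = pkt[-2], pkt[-1]
    payload = pkt[8:len(pkt) - 2 - pad_len]
    return spi, seq, payload, next_header


def process_inbound(sad: SAD, dst: str, pkt: bytes):
    """Inbound ESP: find the SA, run the replay check, hand the payload up."""
    spi, seq, payload, nh = parse_esp(pkt)
    sa = sad.lookup(ESP_PROTOCOL, dst, spi)
    if sa is None:
        return ("DROP_NO_SA", spi)
    if not sa.check_and_update_replay(seq):
        return ("DROP_REPLAY", seq)
    # ICV verification and decryption would sit here, before the trailer is trusted.
    kind = {4: "IPv4", 41: "IPv6", 6: "TCP", 17: "UDP"}.get(nh, str(nh))
    return ("OK", seq, kind, payload)


def demo():
    """Constructed traffic: seq 1,2,3, a replay of 2, a jump to 70, a stale 3,
    a still-in-window 10, and finally a packet on an SPI with no SA."""
    sad = SAD()
    sad.add(SecurityAssociation(spi=0x1000, dst="192.0.2.1", mode="tunnel"))
    inner = b"\x45" + bytes(19)                # stand-in for an inner IPv4 packet (tunnel mode)
    results = [process_inbound(sad, "192.0.2.1", build_esp(0x1000, s, inner, 4))[0]
               for s in (1, 2, 3, 2, 70, 3, 10)]
    results.append(process_inbound(sad, "192.0.2.1", build_esp(0x2000, 1, inner, 4))[0])
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Running `demo()` shows the fourth packet (a repeat of sequence number 2) and the sixth (sequence number 3 arriving after the window's right edge has moved to 70) dropped as replays, and the last packet dropped because no SA matches its SPI. A production implementation must verify the ICV before updating the window; otherwise an attacker who can forge sequence numbers can push the window forward and cause legitimate packets to be discarded.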


Chapter 11:  INTRUDERS






T          F          1.  Unauthorized intrusion into a computer system or network is one of the most serious threats to computer security.


T          F          2.  Trojan horses and viruses are confined to network-based attacks.


T          F          3.  Intrusion detection involves detecting unusual patterns of activity or patterns of activity that are known to correlate with intrusions.


T          F          4.  Statistical approaches attempt to define proper behavior and rule-based approaches attempt to define normal or expected behavior.


T          F          5.  The main advantage of the use of statistical profiles is that prior knowledge of security flaws is not required.


T          F          6.  One important element of intrusion prevention is password


T          F          7.  The ID determines the privileges accorded to the user.


T          F          8.  Insider attacks are among the easiest to detect and prevent.


T          F          9.  The hacking community is a strong meritocracy in which status is determined by level of competency.


T          F          10. Penetration identification is an approach developed to detect deviation from previous usage patterns.


T          F          11. A weakness of the IDES approach is its lack of flexibility.


T          F          12. To be of practical use an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.


T          F          13. System administrators can stop all attacks and hackers from penetrating their systems by installing software patches.


T          F          14. Password crackers rely on the fact that some people choose easily guessable passwords.


T          F          15. Traditional hackers usually have specific targets, or at least classes of targets in mind.
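Added example, not part of the test bank, showing two of the detection approaches the items above refer to (items 3, 5 and 12): a fixed-threshold count of an event type over a time interval, and a statistical profile (mean and standard deviation) built from a user's history and used to flag a significant deviation, the approach that needs no prior knowledge of specific security flaws. The audit records, user names, history values, alarm threshold and the k = 3 standard deviation cut-off are all constructed or assumed for the demo.

```python
"""Added example, not from the test bank: threshold detection and a
mean/standard-deviation profile over constructed audit records.

All records, user names, history values and cut-offs below are made up.
"""
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class AuditRecord(NamedTuple):
    """Detection-specific audit record: who did what to what, with what result."""
    subject: str         # acting user or process
    action: str          # login, read, execute, ...
    obj: str             # target of the action
    exception: str       # "" on success, else the error raised (e.g. "bad-password")
    resource_usage: int  # e.g. bytes or CPU ticks consumed
    timestamp: int       # minutes since the start of the observation period


def threshold_detection(records: List[AuditRecord], action: str, exception: str,
                        interval_minutes: int, threshold: int) -> List[Tuple[str, int, int]]:
    """Counter metric: occurrences of (action, exception) per subject per interval.
    Returns (subject, interval_index, count) for each interval above the threshold."""
    counts: Counter = Counter()
    for r in records:
        if r.action == action and r.exception == exception:
            counts[(r.subject, r.timestamp // interval_minutes)] += 1
    return sorted((s, i, c) for (s, i), c in counts.items() if c > threshold)


def build_profile(history: Dict[str, List[int]]) -> Dict[str, Tuple[float, float]]:
    """Mean and (population) standard deviation of a per-interval count for each
    subject over the historical period. No knowledge of specific flaws is needed;
    the profile only describes what the user normally does."""
    return {s: (mean(v), pstdev(v)) for s, v in history.items()}


def anomaly_score(profile: Dict[str, Tuple[float, float]], subject: str,
                  observed: int, k: float = 3.0, floor: float = 1.0) -> Tuple[float, bool]:
    """z-score of the observed count against the subject's profile; anomalous if
    more than k standard deviations above the mean. `floor` stops a user with a
    perfectly regular history (sd = 0) from alarming on any change at all."""
    mu, sd = profile[subject]
    z = (observed - mu) / max(sd, floor)
    return z, z > k


def constructed_records() -> List[AuditRecord]:
    """Constructed audit trail: alice logs in five times over a normal day;
    bob produces eight bad-password failures in one minute, then succeeds."""
    recs = [AuditRecord("alice", "login", "host1", "", 1, t) for t in (60, 180, 300, 480, 600)]
    recs += [AuditRecord("bob", "login", "host1", "bad-password", 1, 721) for _ in range(8)]
    recs.append(AuditRecord("bob", "login", "host1", "", 1, 722))
    return recs


def demo():
    records = constructed_records()
    # threshold detection: more than 5 bad-password failures within one minute
    alarms = threshold_detection(records, "login", "bad-password", interval_minutes=1, threshold=5)
    # profile-based detection: login attempts today versus 10 days of (constructed) history
    history = {"alice": [4, 5, 6, 5, 4, 5, 6, 5, 5, 4], "bob": [1, 2, 1, 1, 2, 1, 2, 1, 1, 2]}
    profile = build_profile(history)
    today = Counter(r.subject for r in records if r.action == "login")
    scored = {s: anomaly_score(profile, s, today[s]) for s in profile}
    return alarms, scored


if __name__ == "__main__":
    alarms, scored = demo()
    print("threshold alarms:", alarms)
    for user, (z, flagged) in scored.items():
        print(f"{user}: z={z:.1f} anomalous={flagged}")
```

With these constructed inputs the threshold rule fires once, for bob at minute 721 (eight failures against a threshold of five), and the profile flags bob's nine login attempts (z of about 7.6 against a history averaging 1.4) while alice's five (z of about 0.1) pass. The `k` and `floor` parameters are the levers item 12 is about: lowering them catches more intrusions and raises the false alarm rate, and the right setting depends on how rare real intrusions are in the audit stream.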







1. Software trespass can take the form of a _________ .

   A)
   C) Trojan horse             D) all of the above


2. A _________ is an individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.

   A)
   C) clandestine user


3. _________ involves counting the number of occurrences of a specific event type over an interval of time.

   A) Rule-based detection     B) Resource usage
   C) Threshold detection      D) Profile-based system


4. A ________ is a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.

   A) clandestine user
   C)


5. The simplest statistical test is to measure the _________ of a parameter over some historical period, which would give a reflection of the average behavior and its variability.

   A) multivariate             B) mean and standard deviation
   C) time series              D) Markov process


6. _________ detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations.

   A) Action condition         B) Threshold
   C) Profile-based anomaly    D) Statistical anomaly


7. A ________ is an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

   A) clandestine user         B) misfeasor
   C) masquerader              D) mole


8. The _________ model is used to establish transition probabilities among various states, such as looking at transitions between certain commands.

   A) multivariate             B) profile-based
   C) Markov process           D) operational


9. The _________ is based on a judgment of what is considered abnormal rather than an automated analysis of past audit records.

   A) Markov process           B) mean and standard deviation
   C) time series              D) operational model


10. The ________ is an audit collection module operating as a background process on a monitored system whose purpose is to collect data on security related events on the host and transmit these to the central manager.

   A) central manager module   B) host agent module
   C) intruder alert module    D) LAN monitor agent module


11. The _________ prevents duplicate passwords from being visible in the password file. Even if two users choose the same password, those passwords will be assigned at different times.

   A) honeypot                 B) salt
   C) audit record             D) rule based intrusion detection


12. An operation such as login, read, perform, I/O or execute that is performed by the subject on or with an object is the _________ audit record field.

   A) resource-usage           B) subject
   C) object                   D) action


13. A ________ is used to measure the current value of some entity. Examples include the number of logical connections assigned to a user application and the number of outgoing messages queued for a user process.

   A) gauge                    B) interval timer
   C) resource utilization     D) counter


14. A ________ model is based on correlations between two or more variables.

   A) mean and standard deviation    B) multivariate
   C) Markov process                 D) operational


15. The most promising approach to improved password security is __________ .

   A) user education                  B) a proactive password checker
   C) computer generated passwords    D) a reactive password checking strategy
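Added example, not the test bank's code, putting together three of the items above: the salt that keeps two identical passwords from producing identical entries in the password file, a proactive password checker that rejects a weak choice at selection time, and a reactive strategy in which the system periodically runs its own cracker against the stored file. The user names, passwords, wordlist, length rule and PBKDF2 iteration count are constructed or assumed for the demo.

```python
"""Added example, not from the test bank: salted one-way password storage with a
proactive checker and a reactive (cracker-based) checker.

User names, passwords, the wordlist and the policy thresholds are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# PBKDF2 work factor. Kept small so the demo runs in a moment; OWASP's 2023
# guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
ITERATIONS = 50_000
MIN_LENGTH = 12                      # assumed site policy

# Constructed stand-in for a cracker's dictionary.
WORDLIST = ["password", "letmein", "qwerty", "123456", "Summer2024"]

PasswordRecord = Tuple[bytes, bytes]  # (salt, digest) as stored in the password file


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """One-way function with a per-record random salt. Because the salt differs,
    two users with the same password get different stored digests, so duplicates
    are not visible in the file and a precomputed dictionary cannot be reused."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def proactive_check(password: str, username: str) -> Tuple[bool, str]:
    """Run when the password is chosen, before it is ever stored."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if username.lower() in password.lower():
        return False, "contains the user name"
    if password.lower() in {w.lower() for w in WORDLIST}:
        return False, "appears in the cracker dictionary"
    return True, "ok"


def reactive_check(password_file: Dict[str, PasswordRecord]) -> Dict[str, str]:
    """Periodic run of the system's own cracker against the stored file.
    Returns {user: guessed password} for every record the wordlist recovers.
    The salt does not prevent this; it only forces one PBKDF2 computation per
    (guess, record) pair instead of one per guess for the whole file."""
    cracked = {}
    for user, (salt, digest) in password_file.items():
        for guess in WORDLIST:
            if verify_password(guess, salt, digest):
                cracked[user] = guess
                break
    return cracked


def demo() -> dict:
    """alice and bob choose the same weak password; carol chooses a strong one."""
    strong = "wS9!vq-Lm2#pRt"
    password_file = {user: hash_password(pw)
                     for user, pw in (("alice", "letmein"), ("bob", "letmein"), ("carol", strong))}
    return {
        # same password, different salts: the two stored records do not match
        "duplicate_visible": password_file["alice"][1] == password_file["bob"][1],
        # the proactive checker would have refused "letmein" before it was stored
        "proactive_letmein": proactive_check("letmein", "alice")[0],
        "proactive_strong": proactive_check(strong, "carol")[0],
        # the reactive checker recovers both weak passwords; the strong one survives
        "reactive_cracked": reactive_check(password_file),
        "verify_carol": verify_password(strong, *password_file["carol"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the salt question is making shows up in `duplicate_visible`: alice and bob hold the same password but their file entries differ, so an attacker reading the file cannot spot the shared password or reuse one cracked digest for both accounts. The reactive run still recovers "letmein" for both, which is why the proactive check (which would have rejected it at selection time) is the stronger control.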






1. __________ systems have been developed to provide early warning of an intrusion so that defensive action can be taken to prevent or minimize damage.


2. _________ detection involves the collection of data relating to the behavior of legitimate users over a period of time.  Statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.


3. The three classes of intruders identified by Anderson are: Masquerader, Misfeasor, and _________ .


4. Password files can be protected in one of two ways: one-way function or __________ .


5. Metrics that are useful for profile-based intrusion detection are: counter, gauge, resource utilization, and _________ .


6. _________ is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.


7. Two types of audit records used are detection-specific audit records and _________ audit records.


8. _________ techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious.


9. Designed to lure a potential attacker away from critical systems, ____________ are decoy systems that divert an attacker from accessing critical systems, collect information about the hacker’s activity, and encourage the attacker to stay on the system long enough for administrators to respond.


10. The focus of the __________ is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to management that may need to interact with them.


11. A _________ strategy is one in which the system periodically runs its own password cracker to find guessable passwords.


12. A fundamental tool for intrusion detection is the _________ record.


13. An example of a metric used for profile-based intrusion detection is the _________, which is a non-negative integer that may be incremented but not decremented until it is reset by management action. Examples include the number of logins by a single user during an hour, the number of times a given command is executed during a single user session, and the number of password failures during a minute.


14. _________ identification takes a very different approach to intrusion detection.  The key feature of such systems is the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses.  Typically the rules used in these systems are specific to the machine and operating system.


15. One of the most important results from probability theory is known as ________, which is used to calculate the probability that something really is the case, given evidence in favor of it.
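Worked example, added here and not part of the test bank, of the theorem the last item names, applied to an intrusion detector. Assume, for illustration only, that one audit record in 10,000 belongs to an intrusion, that the detector alarms on 90% of intrusion records, and that it raises a false alarm on 1% of legitimate records. Writing $I$ for "the record is an intrusion" and $A$ for "the detector alarms":

$$
P(I \mid A) = \frac{P(A \mid I)\,P(I)}{P(A \mid I)\,P(I) + P(A \mid \neg I)\,P(\neg I)}
= \frac{0.9 \times 0.0001}{0.9 \times 0.0001 + 0.01 \times 0.9999}
= \frac{0.00009}{0.010089} \approx 0.0089
$$

Fewer than one alarm in a hundred is a real intrusion, even with 90% detection, because the 1% false alarm rate is applied to the far larger legitimate population. This is the base rate fallacy, and it is why the false alarm rate referred to in T/F item 12 has to be driven very low when intrusions are rare relative to normal activity.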