Security MCQ
1. What is access?
A. Functions of an object
B. Information flow from objects to subjects
C. Unrestricted admittance of subjects on a system
D. Administration of ACLs
The Correct Answer is B.
8. Which of the following is not a reason why using passwords alone is a poor security mechanism?
A. When possible, users choose easy-to-remember passwords, which are therefore easy to guess or
crack.
B. Randomly generated passwords are hard to remember, thus many users write them down.
C. Short passwords can be discovered quickly in brute force attacks only when used against a stolen
password database file.
D. Passwords can be stolen through many means, including observation, recording and playback, and
security database theft.
The Correct Answer is C.
9. Which of the following is not a valid means to improve the security offered by password
authentication?
A. Enabling account lockout controls
B. Enforcing a reasonable password policy
C. Using password verification tools and password cracking tools against your own password database
file
D. Allowing users to reuse the same password
The Correct Answer is D.
11. What does the Crossover Error Rate (CER) for a biometric device indicate?
A. The sensitivity is tuned too high.
B. The sensitivity is tuned too low.
C. The False Rejection Rate and False Acceptance Rate are equal.
D. The biometric device is not properly configured.
The Correct Answer is C.
15. Which of the following forms of authentication provides the strongest security?
A. Password and a PIN
B. One-time password
C. Pass phrase and a smart card
D. Fingerprint
The Correct Answer is C.
Explanation: A pass phrase and a smart card provide the strongest authentication security because
it is the only selection offering two-factor authentication.
16. Which of the following is the least acceptable form of biometric device?
A. Iris scan
B. Retina scan
C. Fingerprint
D. Facial geometry
The Correct Answer is B.
18. In general, how many key elements constitute the entire security structure?
a) 1
b) 2
c) 3
d) 4
Answer: d
Explanation: The 4 key elements that constitute security are: confidentiality, integrity, authenticity & availability.
Authenticity is not considered one of the key elements in some other security models; the popular CIA Triad omits it because authenticity at times comes under confidentiality & availability.
19. When you use the word _____ it means you are protecting your data from getting disclosed.
a) Confidentiality
b) Integrity
c) Authentication
d) Availability
Answer: a
20. ______ means the protection of data from modification by unknown users.
a) Confidentiality
b) Integrity
c) Authentication
d) Non-repudiation
Answer: b
21. _______ of information means that only authorised users are capable of accessing the information.
a) Confidentiality
b) Integrity
c) Non-repudiation
d) Availability
Answer: d
22. Why are these 4 elements (confidentiality, integrity, authenticity & availability) considered fundamental?
a) They help in understanding hacking better
b) They are key elements to a security breach
c) They help in understanding security and its components better
d) They help in understanding cyber-crime better
Answer: c
23. This helps in identifying the origin of information and the authentic user. This is referred to here as __________
a) Confidentiality
b) Integrity
c) Authenticity
d) Availability
Answer: c
26. Data integrity gets compromised when _____ and _____ are taken control of.
a) Access control, file deletion
b) Network, file permission
c) Access control, file permission
d) Network, system
Answer: c
30. In role-based access control, each user is assigned one or more roles, and the roles determine which parts of the system the user is allowed to access.
a. True
b. False
answer: true
31. Authorization aims to determine who the user is, and authentication aims to restrict what operations/data the user can access.
a. True
b. False
answer: false
34. Security features that control who can access resources in the OS.
a) Authentication
b) Identification
c) Validation
d) Access control
Answer: d
36. In Rule-Based Access Control (RuBAC), access is determined by rules. Such rules would fit within what category of access control?
A. Discretionary Access Control (DAC)
B. Mandatory Access control (MAC)
C. Non-Discretionary Access Control (NDAC)
D. Lattice-based Access control
Answer : C
37. Which access control type has a central authority that determines which objects the subjects have access to, based on role or on the organizational security policy?
A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access control
Answer : C
38. What is the name of the type of access control where pairs of elements have a least upper bound of values and a greatest lower bound of values?
A. Mandatory model
B. Discretionary model
C. Lattice model
D. Rule model
Answer : C
39. What is the name for the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources?
A. Micrometrics
B. Macrometrics
C. Biometrics
D. MicroBiometrics
Answer : C
40. An access control model in which a central authority determines what subjects can have access to certain objects, based on the organizational security policy, is called:
A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access control
Answer : C
41. What is the act of a user professing an identity to a system, usually in the form of a logon ID, called?
A. Authentication
B. Identification
C. Authorization
D. Confidentiality
Answer : B
43. The three classic ways of authenticating yourself to computer security software are by something you know, by something you have, and by something:
A. you need.
B. non-trivial
C. you are.
D. you can get.
Answer : C
44. A confidential number used as an authentication factor to verify a user's identity is called a:
A. PIN
B. User ID
C. Password
D. Challenge
Answer : A
45. Which of the following is not a logical control when implementing logical access security?
A. access profiles.
B. userids.
C. employee badges.
D. passwords.
Answer : C
46. Controls to keep password sniffing attacks from compromising computer systems include which of the following?
A. static and recurring passwords.
B. encryption and recurring passwords.
C. one-time passwords and encryption.
D. static and one-time passwords.
Answer : C
48. In discretionary access environments, which of the following entities is authorized to grant information access to other people?
A. Manager
B. Group Leader
C. Security Manager
D. Data Owner
Answer : D
49. What is the main concern with single sign-on?
A. Maximum unauthorized access would be possible if a password is disclosed.
B. The security administrator's workload would increase.
C. The users' password would be too hard to remember.
D. User access rights would be increased.
Answer : A
50. What physical characteristic does a retinal scan biometric device measure?
A. The amount of light reaching the retina
B. The amount of light reflected by the retina
C. The pattern of light receptors at the back of the eye
D. The pattern of blood vessels at the back of the eye
Answer : D
51. Which of the following means authorized subjects are granted timely and uninterrupted access to objects?
A. Identification
B. Availability
C. Encryption
D. Layering
The Correct Answer is B.
53. It can be a software program or a hardware device that filters all data packets coming through the internet, a network, etc. It is known as the _______:
a. Antivirus
b. Firewall
c. Cookies
d. Malware
Answer: b
56. A large table includes multiple subjects and objects. It identifies the specific access each subject has to different objects. What is this table called?
A) Access control list
B) Access control matrix
C) Federation
D) Creeping privilege
answer: b
57. Which of the following can help mitigate the success of an online brute-force attack?
A) Rainbow table
B) Account lockout
C) Salting passwords
D) Encryption of password
answer: b
58. What can be used as an authentication factor that is a behavioral or physiological characteristic unique to a subject?
A) Account ID
B) Biometric factor
C) Token
D) PIV
answer: b
60. Users are given a device that generates one-time passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?
A) Synchronous token
B) Asynchronous token
C) Smart card
D) Common access card
answer: a
61. A biometric system has falsely rejected a valid user, indicating that the user is not recognized. What type of error is this?
A) Type 1 error
B) Type 2 error
C) Crossover error rate
D) Equal error rate
answer: a
66. During which phase of the access control process does the system answer the question, "What can the requestor access?"
a. Identification
b. Authorization
c. Accountability
d. Authentication
answer: b
67. Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?
a. Crossover error rate (CER)
b. Reaction time
c. False rejection rate (FRR)
d. False acceptance rate (FAR)
answer: a
69. Which one of the following is NOT a commonly accepted best practice for password security?
a. Use at least six alphanumeric characters
b. Do not include usernames in passwords.
c. Include a special character in passwords.
d. Include a mixture of uppercase characters, lowercase characters, and numbers in passwords.
answer: a
70. During which phase of the access control process does the system verify the identity of the user who is requesting access to resources?
a. Authorization.
b. Identification.
c. Accountability.
d. Authentication
answer: d
74. _______ requires that a user or process be granted access to only those resources necessary to perform assigned functions.
A. Discretionary access control
B. Separation of duties
C. Least privilege
D. Rotation of duties
answer: c
75. What are types of failures in biometric identification systems? (Choose ALL that apply)
A. False reject
B. False positive
C. False accept
D. False negative
answer: a/c
80. The only time that a user may share their password with another user is:
a. When the other user requires higher access privileges
b. During a disaster
c. Only temporarily until the other user is issued a userid and password
d. It is never appropriate for a user to share their password
answer: d
Chapter 2
1. What is used to keep subjects accountable for their actions while they are authenticated to a system?
A. Access controls
B. Monitoring
C. Account lockout
D. Performance reviews
The Correct Answer is B.
2. Which of the following tools is the most useful in sorting through large log files when searching for intrusion-related events?
A. Text editor
B. Vulnerability scanner
C. Password cracker
D. IDS
The Correct Answer is D.
3. IDSs are capable of detecting which type of abnormal or unauthorized activities? (Choose all that apply.)
A. External connection attempts
B. Execution of malicious code
C. Unauthorized access attempts to controlled objects
D. None of the above
The Correct Answers are A, B and C.
5. Which of the following types of IDS is effective only against known attack methods?
A. Host-based
B. Network-based
C. Knowledge-based
D. Behavior-based
The Correct Answer is C.
6. Which type of IDS can be considered an expert system?
A. Host-based
B. Network-based
C. Knowledge-based
D. Behavior-based
The Correct Answer is D.
7. Which of the following is a fake network designed to tempt intruders with unpatched and unprotected security vulnerabilities and false data?
A. IDS
B. Honey pot
C. Padded cell
D. Vulnerability scanner
The Correct Answer is B.
8. When a padded cell is used by a network for protection from intruders, which of the following is true?
A. The data offered by the padded cell is what originally attracts the attacker.
B. Padded cells are a form of entrapment.
C. The intruder is seamlessly transitioned into the padded cell once they are detected.
D. Padded cells are used to test a system for known vulnerabilities.
The Correct Answer is C.
Explanation: When an intruder is detected by an IDS, they are transferred to a padded cell. The transfer of the intruder into a padded cell is performed automatically, without informing the intruder that the change has occurred. The padded cell is unknown to the intruder before the attack, so it cannot serve as an enticement or entrapment. Padded cells are used to detain intruders, not to detect vulnerabilities.
9. When using penetration testing to verify the strength of your security policy, which of the following is not recommended?
A. Mimicking attacks previously perpetrated against your system
B. Performing the attacks without management's consent
C. Using manual and automated attack tools
D. Reconfiguring the system to resolve any discovered vulnerabilities
The Correct Answer is B.
10. Which of the following attacks is an attempt to test every possible combination against a security feature in order to bypass it?
A. Brute force attack
B. Spoofing attack
C. Man-in-the-middle attack
D. Denial of service attack
The Correct Answer is A.
11. Which of the following is not a valid measure to take to improve protection against brute force and dictionary attacks?
A. Enforce strong passwords through a security policy.
B. Maintain strict control over physical access.
C. Require all users to log in remotely.
D. Use two-factor authentication.
The Correct Answer is C.
14. Which of the following attacks sends packets with the victim's IP address as both the source and destination?
A. Land
B. Spamming
C. Teardrop
D. Stream
The Correct Answer is A.
15. In what type of attack are packets sent to a victim using invalid resequencing numbers?
A. Stream
B. Spamming
C. Distributed denial of service
D. Teardrop
The Correct Answer is D.
17. Spamming attacks occur when numerous unsolicited messages are sent to a victim. Because enough data is sent to the victim to prevent legitimate activity, it is also known as what?
A. Sniffing
B. Denial of service
C. Brute force attack
D. Buffer overflow attack
The Correct Answer is B.
18. What type of attack occurs when malicious users position themselves between a client and server and then interrupt the session and take it over?
A. Man-in-the-middle
B. Spoofing
C. Hijack
D. Cracking
The Correct Answer is C.
25. An intrusion detection system (IDS) is primarily designed to perform what function?
A. Detect abnormal activity.
B. Detect system failures.
C. Rate system performance.
D. Test a system for vulnerabilities.
Answer: a
28. What type of attack can detect passwords sent across a network in clear text?
A) Spoofing attack
B) Spamming attack
C) Sniffing attack
D) Side-channel attack
answer: c
29. Which of the following principles is violated if a computer is no longer accessible?
a. Access control
b. Confidentiality
c. Availability
d. All of the above
Answer: c
30. How many steps take place in the standard TCP/IP handshaking process?
A. One
B. Two
C. Three
D. Four
The Correct Answer is C.
Explanation: The TCP/IP handshake consists of three phases: SYN, SYN/ACK, and ACK.
36. Instead of using a single computer & its internet bandwidth, a ____________ utilizes various systems & their connections for flooding the targeted website.
a) GoS attack
b) PoS attack
c) DDoS attack
d) DoS attack
Answer: c
Chapter 5
1. Confidentiality is dependent upon which of the following?
A. Accountability
B. Availability
C. Nonrepudiation
D. Integrity
Answer: d
2. If a security mechanism offers availability, then it offers a high level of assurance that the data, objects, and resources are ______________ by authorized subjects.
A. Controlled
B. Audited
C. Accessible
D. Repudiated
Answer: c
3. All but which of the following items require awareness for all individuals affected?
A. Restricting personal email
B. Recording phone conversations
C. Gathering information about surfing habits
D. The backup mechanism used to retain email messages
Answer: d
4. Which of the following is the most important and distinctive concept in relation to layered security?
A. Multiple
B. Series
C. Parallel
D. Filter
Answer: b
8. Which of the following is typically not a characteristic considered when classifying data?
A. Value
B. Size of object
C. Useful lifetime
D. National security implications
Answer: b
10. Which of the following is the lowest military data classification for classified data?
A. Sensitive
B. Secret
C. Sensitive but unclassified
D. Private
Answer: b
11. Which commercial business/private sector data classification is used to control information about individuals within an organization?
A. Confidential
B. Private
C. Sensitive
D. Proprietary
Answer: b
12. Data classifications are used to focus security controls over all but which of the following?
A. Storage
B. Processing
C. Layering
D. Transfer
Answer: c
Chapter 7
1. Which one of the following malicious code objects might be inserted in an application by a disgruntled software developer with the purpose of destroying system data after the developer's account has been deleted (presumably following their termination)?
A. Virus
B. Worm
C. Trojan horse
D. Logic bomb
Answer: d
2. What term is used to describe code objects that act on behalf of a user while operating in an unattended manner?
A. Agent
B. Worm
C. Applet
D. Browser
Answer: a
3. Which of the following characteristics can be used to differentiate worms from viruses?
A. Worms infect a system by overwriting data in the master boot record of a storage device.
B. Worms always spread from system to system without user intervention.
C. Worms always carry a malicious payload that impacts infected systems.
D. All of the above.
Answer: b
4. A media player that is running within a web browser is known as a(n):
a. Agent
b. Mashup
c. Applet
d. Script
answer: c