CSS 211 - Introduction to Network Security

Review for First Test

The following questions are provided to help you study for the first test. Do not expect to see these exact questions on the test.

  1. What does the text mean when it says that there are simple tools for staging attacks on computers and networks?

  2. I mentioned in the notes that Microsoft generally issues patches on the second Tuesday of every month. What is your opinion about the frequency of this schedule?

  3. The more secure a system is, the harder it may be to use. Relate this to the patch schedule in the question above. Should there be options?

  4. What is the classic security word for information only being accessed by those who are meant to access it?

  5. What is the classic security word for information only being changed by those who are allowed to change it?

  6. What is the classic security word for a system being up and ready to use when users expect it to be so?

  7. How are authentication and authorization different?

  8. Is there a good definition of the word "hacker"?

  9. What is a script kiddie?

  10. Why are employees possible security threats? Explain three ways they could be.

  11. What is the difference between a cybercriminal and a cyberterrorist?

  12. What is the difference between layering security measures and showing diversity in them?

  13. Give an example of using obscurity as a security measure.

  14. Viruses and worms both infect systems. What is an operational difference between them?

  15. What part of a system does a boot virus infect?

  16. What is a virus signature?

  17. What is the scope of each of these acts with regard to information security?
    • HIPAA
    • GLBA
    • Sarbox
    • Patriot Act
    • COPPA

  18. Which of the social engineering scenarios is an attacker using if he/she makes a request while pretending to be the person the request is for?

  19. Which of the social engineering scenarios is an attacker using if he/she pretends to be an employee of the company who needs help to complete a task?

  20. Which of the social engineering scenarios is an attacker using if he/she threatens to report the victim to an authority for discipline?

  21. What is the difference between spear phishing and whaling?

  22. Think of a secure location you might like to enter, and tell me how to use tailgating to do so.

  23. What is a rootkit? Why might a user not notice a rootkit infection as opposed to an adware infection?

  24. Which category of malware harvests information without the user's notice, consent, or control?

  25. What is ransomware?

  26. What characteristic of network security devices causes attackers to consider using HTTP traffic as a vector?

  27. Why is JavaScript Injection an appropriate name for the exploit that is usually called Cross-Site Scripting?

  28. How could an SQL injection attack be used to create a back door for an attacker? (If you are not familiar with SQL, do a web search on the INSERT INTO command.)

  29. Is the usual cookie that is set by a web site a session cookie or a persistent cookie? What is its probable size?

  30. What is the difference between a first-party cookie and a third-party cookie?

  31. What kind of cookie is a Locally Shared Object? On what platforms would you expect to see and not see this kind of object?

  32. Why might a session hijack attack begin as a man-in-the-middle attack?

  33. Which is meant to have a broader scope of use, a browser plug-in or a browser add-on?

  34. Users are often warned not to open email attachments unless they recognize who the email is from. Why is this an obsolete recommendation?

  35. Assume you are using a standard signed integer in a running application. What might be the result of an attacker overflowing that integer by 100? How might that action apply to an attack during a credit card payment transaction?

  36. How does a SYN flood attack work as a variant of a DDoS attack?

  37. What happens in the man-in-the-middle variant called a replay attack?

  38. What is an attacker's goal in an ARP Poisoning attack?

  39. What is an attacker's goal in a DNS Poisoning attack?

  40. What is the difference between an administrative security control and a technical security control?

  41. Security controls can be devices or procedures, according to the text. What is the third thing they could be?

  42. Why are deterrent controls probably the least expensive type? Have you seen deterrent controls that may not have been associated with other types of controls?

  43. With respect to an attack, when is each of the control subtypes applied: deterrent, preventive, detective, compensating, corrective?

  44. What is special about compensating controls, with regard to your normal procedures?

  45. The text discusses several types of barrier controls. Which of the controls mentioned are not meant to stop an attacker?

  46. Why are guards considered active controls instead of passive controls?

  47. What determines whether a remote monitor falls under preventive or detective controls?

  48. Which of the motion detection devices mentioned in the text typically detects a change in the site instead of detecting an intruder?

  49. Why is a passage lock not really a lock?

  50. Why can we say that a privacy lock would not prevent a determined intruder?

  51. How is a door that is operated by swiping a magnetic-strip card different from one operated by activating a proximity reader?

  52. What kinds of updates typically address security issues? What kinds typically do not?

  53. What are some of the options a user is typically offered regarding downloading and installing updates for Microsoft products?

  54. The text listed four principles that apply to hardened operating systems. What is meant by the principle of Least Privilege?

  55. What has been done if the system has been hardened by Kernel Pruning?

  56. What is a popup blocker?

  57. What are static systems? What can you do to defend them from attacks?

  58. The text discusses validating user input and data in several places. What could go wrong if we do not validate?