CS419 Exam 3

Fall 2024

Paul Krzyzanowski

December 2, 2024

100 Points - 25 Questions - 4 Points each

For each statement, select the most appropriate answer.

  1. What is the primary purpose of using packers in malware?
    (a) To infect executable files.
    (b) To encrypt files in a system in a ransomware attack.
    (c) To evade detection by anti-virus software.
    (d) To exfiltrate the victim's data to a remote server.
  2. Which of the following best describes polymorphic malware?
    (a) Malware that exploits vulnerabilities across multiple network layers.
    (b) Malware that infects multiple file types.
    (c) Malware that works across different operating systems.
    (d) Malware that changes its code to evade detection.
  3. A rootkit is:
    (a) Software designed to hide certain processes or programs from detection.
    (b) Software that installs itself in a bootloader to run before the operating system boots.
    (c) A framework for building viruses and worms.
    (d) Malicious software that allows the attacker to gain admin (root) privileges.
  4. What distinguishes a Trojan from other types of malware?
    (a) It self-replicates across networks.
    (b) It encrypts user files and demands a ransom.
    (c) It disguises itself as legitimate software while performing malicious actions.
    (d) It exploits vulnerabilities in network protocols to provide remote access to attackers.
  5. How does spear phishing differ from regular phishing?
    (a) It targets multiple victims simultaneously.
    (b) It relies on exploiting vulnerabilities rather than social engineering.
    (c) It uses tailored messages for specific individuals.
    (d) It cannot exfiltrate data.
  6. Which of the following is a limitation of signature-based malware detection?
    (a) High false positive rate.
    (b) Dependence on network firewalls.
    (c) Inability to detect unknown malware.
    (d) Overhead in sandboxing applications.
  7. How did the example in Ken Thompson's Reflections on Trusting Trust paper demonstrate the persistence of a malicious backdoor?
    (a) By modifying the source code of an operating system.
    (b) By introducing vulnerabilities through linked libraries.
    (c) By exploiting runtime execution flaws in compiled programs.
    (d) By embedding a self-propagating backdoor into the compiler itself.
  8. What is the primary goal of a CAM overflow attack?
    (a) To force a switch to broadcast traffic to all ports.
    (b) To generate high network traffic so legitimate packets will be dropped.
    (c) To disable all VLAN configurations on a switch.
    (d) To redirect traffic to an attacker's MAC address.
  9. What is the purpose of SYN cookies in defending against SYN flooding?
    (a) To encrypt SYN packets.
    (b) To verify the client's IP address.
    (c) To block unauthorized connections from untrusted IP ranges.
    (d) To validate incoming SYN-ACK packets without storing state information.
  10. How can attackers use DNS to covertly communicate with a command-and-control (C&C) server?
    (a) By redirecting all DNS traffic to a public DNS server.
    (b) By embedding encrypted commands in DNS queries and responses.
    (c) By using DNSSEC to bypass firewalls.
    (d) By poisoning DNS cache entries on the target system.
  11. How does a DNS rebinding attack bypass the same-origin policy?
    (a) By using short TTL values to later change the IP address of a domain name.
    (b) By embedding malicious JavaScript into a trusted webpage.
    (c) By exploiting DNSSEC vulnerabilities.
    (d) By modifying the client's hosts file.
  12. Which of the following is an effective defense against DNS rebinding attacks?
    (a) Implementing a firewall to block external DNS requests to private IP addresses.
    (b) Using DNSSEC to authenticate DNS records.
    (c) Decreasing the TTL of DNS responses.
    (d) Using randomized query IDs for DNS requests.
  13. What does a BGP hijacking attack do?
    (a) Floods the network with spoofed BGP packets.
    (b) Redirects traffic to malicious servers.
    (c) Exploits a vulnerability in a router to modify its routing table.
    (d) Creates new IP prefixes in routing tables.
  14. What is the main difference between the transport and tunnel modes in IPsec?
    (a) Transport mode encrypts only the payload, while tunnel mode encrypts the entire packet.
    (b) Transport mode encrypts only the IP header, while tunnel mode encrypts the entire packet.
    (c) Transport mode requires pre-shared keys, while tunnel mode requires digital certificates.
    (d) Transport mode is used for multicast traffic, while tunnel mode is used for unicast traffic.
  15. What is the primary purpose of TLS (Transport Layer Security)?
    (a) To provide encryption, authentication, and integrity for application-layer communication.
    (b) To establish a secure connection for all traffic between networks.
    (c) To create a private network tunnel over a public network.
    (d) To secure routing tables for internet traffic.
  16. How does TLS differ from VPNs in terms of functionality?
    (a) TLS operates at the network layer, while VPNs operate at the application layer.
    (b) TLS encrypts IP headers, while VPNs encrypt only the payload.
    (c) VPNs rely on public key cryptography, while TLS relies on symmetric encryption only.
    (d) VPNs secure all network traffic between endpoints, while TLS secures specific application communications.
  17. What is the primary reason organizations adopt a zero trust model?
    (a) To simplify network configurations.
    (b) To assume that internal networks are not automatically secure.
    (c) To eliminate the need for endpoint security tools.
    (d) To replace encryption with other security mechanisms.
  18. Which of the following is a limitation of stateless packet filtering firewalls?
    (a) They do not track connections, making them vulnerable to spoofing.
    (b) They cannot block packets based on IP addresses.
    (c) They cannot filter packets based on the transport layer protocol.
    (d) They require deep packet inspection for effectiveness.
  19. How does a reflection amplification attack increase the effectiveness of a DDoS attack?
    (a) By sending large volumes of ICMP packets to the target.
    (b) By targeting the target's routers with malformed packets.
    (c) By directly accessing the target's resources with repeated HTTP requests.
    (d) By leveraging remote UDP-based services to generate responses to spoofed requests.
  20. Which of the following is considered the same origin according to the same-origin policy? Assume www.example.com and example.com share the same IP address.
    (a) http://example.com and https://example.com
    (b) http://example.com and http://www.example.com
    (c) http://example.com:8080 and http://example.com
    (d) http://example.com/page1 and http://example.com/page2
  21. What does the Secure flag on a cookie do?
    (a) Encrypts the cookie before transmission.
    (b) Restricts access to the cookie by client-side scripts.
    (c) Prevents the cookie from being shared across domains.
    (d) Ensures the cookie is only sent over HTTPS.
  22. What makes CSRF attacks possible?
    (a) Users reusing passwords across multiple sites.
    (b) Browsers automatically sending cookies with requests.
    (c) Exploiting software vulnerabilities in the operating system.
    (d) Using outdated DNS records.
  23. What is the main purpose of CORS (Cross-Origin Resource Sharing)?
    (a) To prevent XSS attacks.
    (b) To ensure cookies are only sent over secure channels.
    (c) To allow controlled access to resources across domains.
    (d) To enforce the same-origin policy.
  24. Why might a combosquatting attack be more effective than typosquatting?
    (a) It uses misspellings that may be hard to notice.
    (b) Parts of the domain name refer to a legitimate site.
    (c) It combines typographic attacks with cross-site scripting.
    (d) It injects malicious JavaScript into pages from legitimate websites.
  25. Which of the following violates the same-origin policy?
    (a) An embedded CSS file from a third-party domain.
    (b) A JavaScript script reading a resource from another domain.
    (c) An image loaded from a different domain.
    (d) A cookie set by the server with the HttpOnly flag.
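Worked example for question 9 (added here for study; it is not part of the exam and not the instructor's code). SYN cookies let a server answer a SYN without allocating a half-open connection: the server's initial sequence number is a keyed function of the connection 4-tuple, the client's sequence number, a coarse timestamp and an encoded MSS. When the final ACK arrives, the server recomputes that function from the packet alone and accepts the connection only if it matches. The names `make_syn_cookie` and `check_syn_cookie`, the 5/3/24-bit layout and the 32-second counter are assumptions chosen to mirror the classic design, not a real stack's code; the addresses are constructed test values.

```python
import hashlib
import hmac
import os
import time

# Per-process secret; a real stack rotates it. Constructed for this example.
SECRET = os.urandom(32)

# The cookie has no room for the client's full MSS, so a few common values
# are encoded by index (the same trick the Linux implementation uses).
MSS_TABLE = [536, 1220, 1440, 1460]

# Cookie layout (32 bits): 5-bit time counter | 3-bit MSS index | 24-bit MAC


def _counter(now):
    """Time counter that advances every 32 seconds."""
    return int(now) >> 5


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, mss_index, counter):
    """24-bit keyed MAC over everything the server would otherwise store."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{mss_index}|{counter}"
    digest = hmac.new(SECRET, msg.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now=None):
    """Server ISN for the SYN-ACK, sent instead of allocating a half-open
    connection. client_isn is the sequence number carried in the SYN."""
    now = time.time() if now is None else now
    t = _counter(now)
    fits = [i for i, v in enumerate(MSS_TABLE) if v <= mss]
    m = fits[-1] if fits else 0
    mac = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, m, t)
    return ((t & 0x1F) << 27) | (m << 24) | mac


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now=None):
    """Validate the handshake's final ACK with no stored state.

    client_isn is recovered from the ACK packet (its seq field minus 1).
    Returns the MSS to use if the ACK number is a cookie we issued within the
    current or previous counter period, otherwise None."""
    now = time.time() if now is None else now
    cookie = (ack - 1) & 0xFFFFFFFF      # the ACK acknowledges our ISN + 1
    t_cookie = cookie >> 27
    m = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    t_now = _counter(now)
    for t in (t_now, t_now - 1):         # current or previous period (< 64 s)
        if (t & 0x1F) != t_cookie:
            continue
        expected = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, m, t)
        if hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
            return MSS_TABLE[m] if m < len(MSS_TABLE) else None
    return None


if __name__ == "__main__":
    # Constructed handshake: SYN from 198.51.100.7:40000 to 203.0.113.1:443
    isn = make_syn_cookie("198.51.100.7", 40000, "203.0.113.1", 443, 0x11223344, 1460)
    print(hex(isn), check_syn_cookie("198.51.100.7", 40000, "203.0.113.1", 443,
                                     0x11223344, (isn + 1) & 0xFFFFFFFF))
```

Note the trade-off the exam's correct option glosses over: because the server keeps no state, any TCP option that does not fit in the cookie (window scaling, SACK) is lost unless it can be recovered from the timestamp option, which is why stacks enable SYN cookies only once the SYN queue fills up rather than permanently.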
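Worked example for questions 11 and 12 (added for study; not part of the exam and not the instructor's code). A rebinding attack answers the first lookup of attacker-controlled name with a public address and a tiny TTL, then answers the re-lookup with a private address so that the page's JavaScript, still inside the same origin, reaches the victim's internal network. The defense is applied at the resolver or forwarder: drop answers that map a public name onto a private, loopback or link-local address. The function name `filter_answers`, the `(name, address, ttl)` tuple shape and all sample records below are assumptions constructed for this example.

```python
import ipaddress

# Ranges a public name should never resolve to. Constructed for this example;
# a deployable filter would make the list configurable.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr_text):
    """True if the address is private, loopback or link-local.
    IPv4-mapped IPv6 answers (::ffff:a.b.c.d) are judged by the embedded v4,
    a common trick for slipping past filters that only check v4 literals."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def filter_answers(answers, allowed_suffixes=()):
    """answers: iterable of (name, address, ttl) from an upstream resolver.

    Returns (kept, dropped). Names under allowed_suffixes (an internal zone
    that legitimately resolves to RFC 1918 space) are always kept; any other
    record pointing at an internal address is dropped, which removes exactly
    the second, rebound answer of the attack."""
    suffixes = [s.lower().rstrip(".") for s in allowed_suffixes]
    kept, dropped = [], []
    for name, addr, ttl in answers:
        lname = name.lower().rstrip(".")
        trusted = any(lname == s or lname.endswith("." + s) for s in suffixes)
        if not trusted and is_internal(addr):
            dropped.append((name, addr, ttl))
        else:
            kept.append((name, addr, ttl))
    return kept, dropped


# Constructed sample: the first two records are the attack's two phases.
SAMPLE_ANSWERS = [
    ("attacker.example", "203.0.113.5", 1),       # phase 1: public address, TTL 1 s
    ("attacker.example", "192.168.1.1", 1),       # phase 2: rebound to the victim's router
    ("attacker.example", "::ffff:10.0.0.2", 1),   # same trick via an IPv4-mapped v6 address
    ("cdn.example", "198.51.100.9", 300),         # ordinary public record
    ("intranet.corp.example", "10.1.2.3", 60),    # legitimately internal
]

if __name__ == "__main__":
    kept, dropped = filter_answers(SAMPLE_ANSWERS, allowed_suffixes=("corp.example",))
    for rec in dropped:
        print("dropped", rec)
```

Lowering the TTL (option (c) in question 12) does nothing: the attacker already uses the shortest TTL possible, and browsers pin resolved addresses for a while regardless. DNSSEC does not help either, since the attacker legitimately owns the zone and can sign both answers.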
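Worked example for questions 20, 23 and 25 (added for study; not part of the exam and not the instructor's code). The same-origin policy compares exactly three things, scheme, host and port, and nothing else: the path is ignored, and an omitted port means the scheme's default. CORS is the server-side relaxation of that rule, expressed through the `Access-Control-Allow-Origin` response header. The helper names `origin_of`, `same_origin` and `cors_headers` and the allowlist below are assumptions for this example; the origin comparison itself follows the browser's rule and goes beyond the four pairs in question 20.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple the same-origin policy compares.

    Path, query and fragment are irrelevant. An omitted port means the scheme
    default, so http://a.example and http://a.example:80 are one origin, while
    http://a.example:8080 is a different one."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a, b):
    return origin_of(a) == origin_of(b)


def serialize(origin):
    """Canonical text form of an origin, as sent in the Origin header."""
    scheme, host, port = origin
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def cors_headers(request_origin, allowlist, with_credentials=False):
    """Decide what a server should emit for a cross-origin request.

    request_origin is the browser's Origin header (None for same-origin or
    non-browser requests). Only exact origin matches are reflected; the
    allowlist entries are compared as origins, not as strings, so a stray
    port or capitalisation does not defeat the match. '*' is never emitted
    with credentials because browsers reject that combination."""
    if request_origin is None:
        return {}
    req = origin_of(request_origin)
    if not any(req == origin_of(o) for o in allowlist):
        return {}
    headers = {"Access-Control-Allow-Origin": serialize(req), "Vary": "Origin"}
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # The four pairs from question 20, plus the default-port case.
    for a, b in [("http://example.com", "https://example.com"),
                 ("http://example.com", "http://www.example.com"),
                 ("http://example.com:8080", "http://example.com"),
                 ("http://example.com/page1", "http://example.com/page2"),
                 ("http://example.com:80/x", "HTTP://EXAMPLE.COM/y")]:
        print(same_origin(a, b), a, b)
```

The `Vary: Origin` header matters in practice: without it a shared cache may serve the reflected `Access-Control-Allow-Origin` for one origin to a request from another. Note also why question 25's image and CSS options do not violate the policy: the browser may load (embed) a cross-origin resource; what it forbids is script reading its contents.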
Last modified April 19, 2025.