quiz.json
{
"questions": [
{
"question": "2021 - Consider that Alice and Bob had an exchange of messages using an instant chat messenger. Those messages were quite damaging for Alice, so she filed a court case. However, Bob gave a statement that he did not send any of those messages. Imagine you are a case investigator who has to provide an opinion solely based on the security mechanism used by the messenger. Which one of the following security mechanisms can guarantee that Bob sent those messages?",
"options": [
"Symmetric encryption",
"HMAC",
"Digital signature",
"MAC",
"Hash"
],
"answer": "Digital signature"
},
{
"question": "2021 - Q2 - When a secure channel is used for achieving confidentiality, an eavesdropper CANNOT easily learn ___?",
"options": [
"Destination address",
"Communication time",
"Length of a message",
"Frequency of messages",
"Message contents"
],
"answer": "Message contents"
},
{
"question": "2021 - Q3 - Which statement is FALSE about GDPR consent?",
"options": [
"Consent is understandable",
"Consent is in plain language",
"Consent is an easily accessible form",
"Consent cannot be withdrawn",
"Consent is clear"
],
"answer": "Consent cannot be withdrawn"
},
{
"question": "2021 - Q4 - What is FALSE about GDPR\u2019s data breach notification?",
"options": [
"Companies holding the data of EU citizens are responsible for data breach notifications",
"A data processor is required to notify customers about data breaches",
"All of the given options",
"A data controller is required to notify customers about data breaches",
"Companies must notify customers within 72 hours regardless of whether or not a data breach has been identified"
],
"answer": "Companies must notify customers within 72 hours regardless of whether or not a data breach has been identified"
},
{
"question": "2021 - Q5 - Recall that a mode of operation is used for encrypting large messages. Which of the following modes of operation can enable parallelism in both encrypting and decrypting data?",
"options": [
"Both CBC and CTR",
"None of ECB, CBC, and CTR",
"Both ECB and CTR",
"Both ECB and CBC",
"All of ECB, CBC, and CTR"
],
"answer": "Both ECB and CTR"
},
{
"question": "2019 - Q6 - Which one of the following statements about the General Data Protection Regulation (GDPR) is TRUE?",
"options": [
"GDPR requires that the inclusion of data protection should be from the early stages of the system design, rather than an addition.",
"GDPR applies to data controllers, but not to data processors.",
"Data controllers and data processors can only collect and process anonymous and de-identified data.",
"A data controller can collect, store, and process any data, i.e., GDPR follows the data maximisation principle."
],
"answer": "GDPR requires that the inclusion of data protection should be from the early stages of the system design, rather than an addition."
},
{
"question": "2019 - Q7 - Recall the predecessor attack in Tor. Consider that there are N relays in total and M of them are controlled by an attacker. The likelihood that the attacker controls both the first and the last relay of a Tor circuit will be:",
"options": [
"0",
"(M*M)/(N*N)",
"1/(N*M)",
"1/M",
"N/M"
],
"answer": "(M*M)/(N*N)"
},
{
"question": "2019 - Q9 - Which one of the following is NOT protected by code obfuscation?",
"options": [
"Password matching",
"Program constants",
"Licence check",
"Business logic",
"Output of a program"
],
"answer": "Output of a program"
},
{
"question": "2019 - Q10 - Which one of the following statements about program analysis is FALSE?",
"options": [
"Dynamic analysis can capture actual behaviour, but there might be too many values to consider.",
"Concolic execution combines static analysis followed by dynamic analysis.",
"Static analysis tools test programs on input values.",
"Complex programs can be analysed effectively using concolic execution.",
"Static analysis returns path conditions, but there is no information about actual behaviour."
],
"answer": "Static analysis tools test programs on input values."
},
{
"question": "2019 - Q14 - Suppose you are sending an email to your bank. Which of the following statements is FALSE?\n\nX. If an unauthorised person reads your message, this is a Data Confidentiality issue.\n\nY. If an unauthorised person modifies the content of your message, this is a Data Integrity issue.\n\nZ. If an unauthorised person ensures that your message is not delivered, this is a Denial of Service issue.",
"options": [
"X and Y only",
"X and Z only",
"Y and Z only",
"All of X, Y, and Z",
"None, or only one of X, Y, and Z"
],
"answer": "None, or only one of X, Y, and Z"
},
{
"question": "2019 - Q15 - Which of the following statements is TRUE?\n\nX. Wi-Fi security is an application layer vulnerability.\n\nY. IP address spoofing is a network layer vulnerability.\n\nZ. Theft of a network router is a physical layer vulnerability.",
"options": [
"X only",
"Y only",
"Z only",
"None of X, Y, and Z",
"All, or two of X, Y, and Z"
],
"answer": "All, or two of X, Y, and Z"
},
{
"question": "2019 - Q47 - Suppose a system uses a buffer of 1100 bytes to store TCP connections. Assume that each incomplete TCP connection request needs five bytes of buffer. Also, an incomplete connection request is timed out after 10 seconds. If the rate of sending TCP connection requests is constant, what is the minimum number of incomplete TCP connection requests per second that must be sent to the system to fill the system's buffer?",
"options": [
"24",
"25",
"28",
"23",
"27"
],
"answer": "23"
},
{
"question": "2019 - Q48 - Which of the following security services is affected by a Denial of Service (DoS) attack?",
"options": [
"Integrity.",
"Non-repudiation.",
"Availability.",
"Authentication.",
"Confidentiality."
],
"answer": "Confidentiality."
},
{
"question": "2019 - Q49 - Which of the following is TRUE?\n\nX. A Public Blockchain is a permissionless blockchain, and a Private Blockchain is a permissioned blockchain.\n\nY. Bitcoin is based on blockchain.\n\nZ. Blockchain is based on a peer-to-peer network.",
"options": [
"X and Y only",
"X and Z only",
"Y and Z only",
"All of X, Y, and Z",
"None, or only one of X, Y, and Z"
],
"answer": "All of X, Y, and Z"
},
{
"question": "Which of the following is TRUE?\n\nX. In an intrusion detection system, an Analyser is responsible for providing proof of intrusion.\n\nY. In a heuristic-based intrusion detection system, the behaviour of an intruder is defined from a set of known attack rules.\n\nZ. In an intrusion detection system, a Proof Reader is responsible for providing proof of the intrusion.",
"options": [
"X and Y only",
"X and Z only",
"Y and Z only",
"All of X, Y, and Z",
"None, or only one of X, Y, and Z"
],
"answer": "X and Y only"
},
{
"question": "Slides - What is the purpose of a risk mitigation plan?",
"options": [
"to bolster a risk assessment",
"to implement approved countermeasures",
"to reduce threats",
"to ensure compliance",
"none of the given options"
],
"answer": "to implement approved countermeasures"
},
{
"question": "Slides - The CIA triad of information security includes:",
"options": [
"Correctness, Information, and Assurance",
"Confidentiality, Integrity, and Authentication",
"Confidentiality, Integrity, and Authorisation",
"Confidentiality, Integrity, and Availability",
"Correctness, Information, and Authorisation"
],
"answer": "Confidentiality, Integrity, and Availability"
},
{
"question": "Slides - GDPR applies to:",
"options": [
"Data controllers only",
"Data processors only",
"Data controllers and data processors",
"None of the above",
"Service only"
],
"answer": "Data controllers and data processors"
},
{
"question": "Slides - Which one of the following is the best choice for protecting passwords?",
"options": [
"Educate users",
"Do not allow simple password policy",
"Use multi-factor authentication",
"Prevent common password breach attacks",
"All of the above"
],
"answer": "All of the above"
},
{
"question": "Slides - Which one of the following statements is TRUE?",
"options": [
"Access Control Lists (ACLs) cannot be derived from an access control matrix",
"Capability list cannot be derived from an access control matrix",
"Both ACLs and capability lists can be derived from an access control matrix",
"ACLs are the same as capability lists just different names",
"None of the above"
],
"answer": "Both ACLs and capability lists can be derived from an access control matrix"
},
{
"question": "Slides - Which one is TRUE about zero-day?",
"options": [
"A flaw that is discovered and has a patch",
"A flaw that is discovered but does not have a patch",
"A flaw that is undiscovered but has a patch",
"A flaw that is undiscovered and does not have a patch",
"None of the above"
],
"answer": "A flaw that is discovered but does not have a patch"
},
{
"question": "Slides - How can we make secure systems more usable?",
"options": [
"Make it \"just work\" (an invisible security approach)",
"Make security and privacy understandable through visibility, intuitive design, and metaphors",
"Train the user",
"Ensure that only experienced users can use and understand the system",
"All of the above"
],
"answer": "Make security and privacy understandable through visibility, intuitive design, and metaphors"
},
{
"question": "Slides - Which category includes XSS in OWASP Top 10 2021?",
"options": [
"Broken Access Control",
"Insecure Design",
"Software and Data Integrity Failure",
"Injection",
"None of the above"
],
"answer": "Injection"
},
{
"question": "Slides - Which one of the following best describes Concolic Execution?",
"options": [
"It is static analysis",
"It is dynamic analysis",
"Static analysis followed by dynamic analysis",
"Dynamic analysis followed by static analysis",
"None of the above"
],
"answer": "Static analysis followed by dynamic analysis"
},
{
"question": "Slides - What is the privacy paradox?",
"options": [
"Studying privacy preferences requires people to disclose their preferences, and people do not wish to disclose their preferences",
"People only want privacy after a privacy harm has occurred",
"People want to enjoy the benefits of personalization but do not want to give up information for that personalization",
"People only care about privacy when the system is secure",
"None of the above"
],
"answer": "None of the above"
},
{
"question": "Slides - A/An _________ is the likelihood that a loss will occur.",
"options": [
"threat",
"risk",
"vulnerability",
"assessment",
"exploit"
],
"answer": "risk"
},
{
"question": "Slides - Which of the following statements about Cyber Security Risk Management is TRUE?",
"options": [
"Exploited vulnerabilities result in losses.",
"All vulnerabilities result in losses.",
"Vulnerability is a synonym for loss.",
"The method used to take advantage of a vulnerability is known as a threat.",
"None of the given options."
],
"answer": "Exploited vulnerabilities result in losses."
},
{
"question": "Slides - When should you perform a risk assessment?",
"options": [
"when mitigating a threat",
"when eliminating a threat",
"periodically",
"continuously",
"at the end"
],
"answer": "periodically"
},
{
"question": "Slides - Why should the people on the RA team be different from the people responsible for correcting deficiencies?",
"options": [
"to avoid potential losses",
"to increase profitability",
"to avoid conflicts of interest",
"to increase survivability",
"to look at the organisation from a different angle"
],
"answer": "to avoid conflicts of interest"
},
{
"question": "2021 - Q7 - Which of the following statement(s) about Denial of Service (DoS) attacks is/are TRUE?\n\nX: A DoS is an attempt to compromise availability by hindering or completely blocking the provision of some service.\n\nY: DoS attacks cause physical damage and destruction of IT infrastructures.\n\nZ: A DoS attack targeting application resources typically aims to overload or crash its network handling software.",
"options": [
"Y only",
"none of X, Y, and Z",
"All of X, Y and Z",
"X and Y only",
"X only"
],
"answer": "X only"
},
{
"question": "2021 - Q8 - What is the traffic generated in response to DoS attacks using source address spoofing called?",
"options": [
"SYN Flood",
"FIN Flood",
"UDP Flood",
"Backscatter",
"Backpropagation"
],
"answer": "Backscatter"
},
{
"question": "2021 - Q10 - Which of the following statement(s) about Slowloris is/are TRUE?\n\nX: It establishes multiple connections to a Web server.\n\nY: Each connection sends a request devoid of the terminating newline sequence.\n\nZ: The attacker sends additional header lines periodically to keep the connection alive.",
"options": [
"Y only",
"Z only",
"None of X, Y, and Z",
"X only",
"All of X, Y, and Z"
],
"answer": "All of X, Y, and Z"
},
{
"question": "2021 - Q12 - Consider the classic DoS attack using ICMP echo request packets. The size of each of these packets is 500 bytes ignoring framing overhead. The attacker has compromised several residential network computers around the world. Each compromised computer has an average upstream capacity of 128 kilobits per second. The attacker's target is using a 10 megabits per second link. Approximately how many compromised computers does the attacker need to flood the target?",
"options": [
"30",
"20",
"80",
"40",
"10"
],
"answer": "80"
},
{
"question": "2021 - Q13 - One line of defence against DoS attacks is network ingress filtering. Since filtering needs to be done as close to the source as possible by routers or gateways knowing the valid address ranges of incoming packets, which entity is best placed to ensure that valid source addresses are used in all packets from the source hosts?",
"options": [
"Federal Communications Commission",
"Internet Service Provider",
"Internet Engineering Task Force",
"Internet Registry",
"Government"
],
"answer": "Internet Service Provider"
},
{
"question": "2021 - Q14 - What is the typical order of steps used by intruders when attacking a system?",
"options": [
"Target acquisition, initial access, privilege escalation, covering tracks, system exploit, maintain access",
"Target acquisition, initial access, privilege escalation, system exploit, maintain access, covering tracks",
"Target acquisition, covering tracks, initial access, maintain access, privilege escalation, system exploit",
"Target acquisition, initial access, maintain access, privilege escalation, system exploit, covering tracks",
"Target acquisition, initial access, covering tracks, privilege escalation, system exploit, maintain access"
],
"answer": "Target acquisition, initial access, privilege escalation, system exploit, maintain access, covering tracks"
},
{
"question": "2021 - Q15 - Assume that only 1% of the network traffic consists of real attacks. Assume that the detection rate of an IDS is 87%. What is the approximate probability that a connection labelled as an attack is not actually an attack?",
"options": [
"94%",
"87%",
"13%",
"99%",
"Not possible to calculate"
],
"answer": "94%"
},
{
"question": "2021 - Q16 - Which of the following statement(s) about anomaly detection is/are TRUE?\n\nX: Statistical approaches are simple to implement and have low computational cost.\n\nY: Knowledge-based approaches classify the observed behaviour using a set of rules.\n\nZ: Anomaly detection has low rates of false alarms.",
"options": [
"Z only",
"Y only",
"All of X, Y, and Z",
"X only",
"X and Y only"
],
"answer": "X and Y only"
},
{
"question": "2021 - Q17 - Which of the following statements about signature or heuristic detection is FALSE?",
"options": [
"Signature approaches are widely used in anti-virus products.",
"Signature approaches are widely used in network-based IDS.",
"Signature approaches can detect zero-day attacks.",
"Signatures need to be large enough to minimise false alarm rate.",
"Signature approach is relatively low cost in time and resource use."
],
"answer": "Signature approaches can detect zero-day attacks."
},
{
"question": "2021 - Q18 - Which of the following statement(s) about NIDS sensors is/are TRUE?\n\nX: Inline sensors can be achieved by combining the NIDS sensor logic with another network device.\n\nY: A stand-alone inline NIDS sensor can block an attack when one is detected.\n\nZ: An inline sensor is more efficient than the passive sensor from the point of view of traffic flow.",
"options": [
"X only",
"X and Y only",
"All of X, Y, and Z",
"None of X, Y, and Z",
"X and Z only"
],
"answer": "X and Z only"
},
{
"question": "2021 - Q20 - Which of the following statement(s) about honeypots is/are TRUE?\n\nX: A high interaction honeypot is a realistic target that may occupy an attacker for an extended period.\n\nY: A honeypot outside the external firewall has the full ability to trap attacks emerging from within that network.\n\nZ: A honeypot can be instrumented with monitors to collect information about potential attackers.",
"options": [
"Z only",
"Y only",
"All of X, Y, and Z",
"X only",
"X and Z only"
],
"answer": "X and Z only"
},
{
"question": "2021 - Q23 - Nefarious_G mainly uses existing scripting toolkits for launching an attack. Nefarious_G has enough skills to download the toolkits, but may not have the expertise to modify or extend the toolkits. Nefarious_G belongs to which class of intruders?",
"options": [
"Activist",
"Journeyman",
"Master",
"Apprentice",
"Hacktivist"
],
"answer": "Apprentice"
},
{
"question": "2021 - Q26 - Alice is deploying a Network Intrusion Prevention System (NIPS) in an enterprise network. This NIPS scans for attack signatures in the context of a traffic stream. This NIPS does not inspect individual packets. What is this method called?",
"options": [
"Pattern matching",
"Stateful matching",
"Statistical anomaly",
"Protocol anomaly",
"Traffic anomaly"
],
"answer": "Stateful matching"
},
{
"question": "2021 - Q28 - Which of the following statement(s) about Snort is/are TRUE?\n\nX: Snort Inline functions as an intrusion prevention system.\n\nY: Snort Inline adds new rules like drop, reject, and sdrop.\n\nZ: Snort Inline's replace option is useful for honeypot implementation.",
"options": [
"None of X, Y, and Z",
"X only",
"All of X, Y, and Z",
"Y only",
"Z only"
],
"answer": "All of X, Y, and Z"
},
{
"question": "2021 - Q29 - Which type of firewall sets up two TCP connections: one between itself and a TCP host on the internal network, and one between itself and a TCP host outside the network?",
"options": [
"Firewire gateway",
"Packet filtering gateway",
"Application-level gateway",
"Circuit-level gateway",
"Stateful inspection gateway"
],
"answer": "Circuit-level gateway"
},
{
"question": "2021 - Q33 - Let's assume you are a cybersecurity consultant working on a privacy-related project in the government sector. Which one of the following techniques is NOT an appropriate solution for preserving privacy?",
"options": [
"Implement privacy-focused search engine",
"Use privacy by software",
"Use VPN",
"Use Tor",
"Use PbD"
],
"answer": "Implement privacy-focused search engine"
},
{
"question": "2021 - Q34 - Which one of the following statements about Trojans is FALSE?",
"options": [
"Trojans are developed to mislead users of its true intent and ransomware attacks are often carried out using a trojan",
"Trojan is a type of malicious code or software that looks legitimate but can take control of your computer",
"A Trojan is a malicious program that runs hidden on the infected system",
"Trojan works behind the system and steals sensitive data while self-replicating",
"Trojan is designed to damage, disrupt, steal, or in general inflict some other harmful action on your data or network"
],
"answer": "Trojan works behind the system and steals sensitive data while self-replicating"
},
{
"question": "2021 - Q36 - Bob received an email greeting \"Dear account holder\" and it claimed that his personal email account's details have been compromised and he needs to click a link to reset the password. However, he finds the email contains misspelled words. What type of attack is he being presented with?",
"options": [
"Spam",
"All of the given options",
"Both phishing and spear phishing",
"Phishing only",
"Whaling"
],
"answer": "Phishing only"
},
{
"question": "2021 - Q37 - Tom receives notices from his bank that he has unauthorised charges on his credit card account. What type of attack is Tom a victim of?",
"options": [
"Human hacking",
"Phishing",
"Bad luck",
"Social engineering",
"Identity theft"
],
"answer": "Identity theft"
},
{
"question": "2021 - Q38 - Which of the following statements about blind SQL injection attacks is TRUE?",
"options": [
"The database is not SQL compatible",
"The database is relational",
"All of the given options",
"Error messages are not available",
"Must be a relational database, and error messages are not available"
],
"answer": "Must be a relational database, and error messages are not available"
},
{
"question": "2021 - Q40 - Which one of the following statements is TRUE about Mix Networks?",
"options": [
"A mix receives messages from one sender only",
"A mix doesn't require a lot of traffic",
"Messages are randomly shuffled and sent in a different order",
"A mix can not delete real traffic data",
"Messages can not be artificially delayed to resist timing attacks"
],
"answer": "Messages are randomly shuffled and sent in a different order"
},
{
"question": "2021 - Q41 - Which of the following statements is TRUE about blockchain technology?",
"options": [
"A blockchain is a centralised digital ledger consisting of records called blocks",
"A blockchain is a digital database consisting of records called class",
"A blockchain is a decentralised, distributed, digital ledger consisting of records called class blocks",
"None of the given options",
"A blockchain is a decentralised, distributed, digital ledger consisting of records called blocks"
],
"answer": "A blockchain is a decentralised, distributed, digital ledger consisting of records called blocks"
},
{
"question": "2021 - Q42 - Which one of the following statements about the future of the blockchain application is TRUE?",
"options": [
"Cryptocurrency transactions, a transaction between governments, companies and consumers, voting, healthcare and many other applications",
"Only transactions between government and agencies using tokens",
"Blockchains will not depend on nodes for efficiency support and security",
"Only transactions involving cryptocurrencies",
"There is no need to build a blockchain platform to introduce a new cryptocurrency"
],
"answer": "Cryptocurrency transactions, a transaction between governments, companies and consumers, voting, healthcare and many other applications"
},
{
"question": "2021 - Q43 - Let's assume you have been appointed as a cyber security consultant to a major project in the New Zealand government. You have been tasked to lead a team of software developers to securely design a password management system for military use. Which of the following practices for using SCrypt.generate() would you typically advise the team to adhere to?",
"options": [
"Use strong values for method parameters for SCrypt",
"Using salt with SCrypt.generate() method",
"All of the given options",
"Using salt value to mitigate some password vulnerabilities",
"Implement PGP keys for secure transfer of passwords"
],
"answer": "All of the given options"
},
{
"question": "2021 - Q44 - Which of the following statements is TRUE regarding aligning risks?",
"options": [
"Conveying IT risks in terms of business risks and translating business goals into IT goals can be challenging",
"All of the given options",
"Organisations should not attempt to align risks, threats, and vulnerabilities to risk management controls",
"The worlds of business and IT inherently align",
"There is currently no framework available for aligning risks, threats, and vulnerabilities to risk management controls"
],
"answer": "Conveying IT risks in terms of business risks and translating business goals into IT goals can be challenging"
},
{
"question": "2021 - Q45 - A consistent approach for IT risk management, effective management of IT risks, continuous evaluation of current IT risks and threats to the organisation, and a broadened IT risk management approach are all considered __________ of the IT Risk Management Framework.",
"options": [
"Risk drivers",
"Control objectives",
"Value drivers",
"Risk factors",
"Goal drivers"
],
"answer": "Value drivers"
},
{
"question": "2021 - Q46 - Identifying the opportunities or threats that are present, understanding the significance of each of them, recognising what action to take to handle both of them, and monitoring all of the above, are all elements of:",
"options": [
"Risk planning",
"Risk assessment",
"Eliminating all risks",
"Risk management",
"Risk controls"
],
"answer": "Risk management"
},
{
"question": "2021 - Q47 - Which one of the following statements is FALSE about designing security systems that people can use?",
"options": [
"Designing usable security systems involves borrowing methods and models from cognitive science and psychology",
"Examining security and usability together is often critical for designing secure systems that people can use",
"Designing usable security systems is interdisciplinary in nature",
"Designing usable security systems involves borrowing theories and frameworks from non-security disciplines",
"Designing usable security systems does not typically involve behavioural economics"
],
"answer": "Designing usable security systems does not typically involve behavioural economics"
},
{
"question": "2021 - Q48 - Which one of the following statements is TRUE about implementing access control mechanisms?",
"options": [
"Implementing access control policies depends on reliable input",
"Principle of most privileges deals with granting the minimum set of access rights to do a job",
"Capability list cannot be derived from an access control matrix",
"Access control lists provide an access control matrix",
"A special entity like an administrator should not be able to manage access rights"
],
"answer": "Implementing access control policies depends on reliable input"
},
{
"question": "2021 - Q49 - Which one of the following attack techniques is used to exploit websites by altering backend database queries through inputting manipulated queries?",
"options": [
"SQL Injection",
"XSS injection",
"OS Commanding",
"LDAP Injection",
"XML Injection"
],
"answer": "SQL Injection"
},
{
"question": "2021 - Q50 - Let's assume an application takes user-input data and sends it to a web browser without proper validation and escaping. What is this vulnerability called?",
"options": [
"Broken Authentication and Session Management",
"Insecure Direct Object Reference",
"Cross Site Scripting",
"Input Output validation error",
"Security Misconfiguration"
],
"answer": "Input Output validation error"
},
{
"question": "Slides - Alice sends a message to Bob. Bob wants to ensure that the message has come from Alice, and not Eve. Which of the following goals needs to be achieved?",
"options": [
"Confidentiality",
"Integrity",
"Authentication",
"Availability",
"Authorisation"
],
"answer": "Authentication"
},
{
"question": "Slides - Traffic analysis is difficult in Chaum's Mix due to which of the following reasons?",
"options": [
"Fixed-size messages",
"Message reordering in each mix",
"Accumulating threshold number of messages in each mix",
"Using a series of mix nodes",
"All of the above"
],
"answer": "All of the above"
},
{
"question": "Slides - Which of the following is not contained in a block?",
"options": [
"Cryptographic nonce",
"Hash of the previous block's header",
"Hash of the previous block's data",
"Timestamp",
"Digitally signed transactions"
],
"answer": "Hash of the previous block's data"
},
{
"question": "Slides - Which of the following is NOT true about Blockchains?",
"options": [
"Transactions in a blockchain network are digitally signed",
"Transactions in a blockchain network are encrypted with receiver's public key",
"Blockchain is immune to single-point failure",
"Transactions in a blockchain network can be validated by any node",
"Transactions in a blockchain network can only be published by a miner"
],
"answer": "Transactions in a blockchain network are encrypted with receiver's public key"
},
{
"question": "Which of the following is NOT true about IoT devices?",
"options": [
"IoT devices are mostly constrained in memory and computational capabilities",
"All IoT devices have built-in-security",
"IoT devices generate real-time information",
"Attackers seek to use IoT devices as Botnets due to no/less security implementations in these devices",
"IoT devices stand for 'Internet over Touching-grass'"
],
"answer": "All IoT devices have built-in-security"
}
]
}