100 Points - 25 Questions - 4 Points each
For each statement, select the most appropriate answer.
- Which scenario is an example of a _privacy violation_ but not a confidentiality breach?
(a) A social media company collecting user location data without consent.
(b) A hacker gaining access to classified government files.
(c) An employee leaking customer financial data to a competitor.
(d) A hospital's database being accessed by an unauthorized doctor.

- The CIA Triad is a set of principles for information security. The letters stand for Confidentiality, Integrity, and:
(a) Authorization.
(b) Authentication.
(c) Availability.
(d) Accountability.

- Which of the following describes an integrity attack?
(a) An employee sends sensitive company data to a competitor.
(b) A hacker alters log files to erase evidence of a breach.
(c) A power outage disrupts access to an online banking system.
(d) A virus spreads across a corporate network, causing system slowdowns.

- Which of the following best describes an attack vector?
(a) A security control designed to protect against attacks.
(b) A strategy for recovering from a cyberattack.
(c) A report listing all vulnerabilities in an organization's network.
(d) The method or pathway an attacker uses to exploit a vulnerability.

- Which of the following is an example of an attack surface?
(a) All publicly accessible web applications of an organization.
(b) An email with a malicious attachment sent to an employee.
(c) An exploit used against an unpatched system.
(d) A security patch that fixes a software flaw.

- Which of the following violates Kerckhoffs's Principle?
(a) Using AES with a 128-bit key instead of a 256-bit key.
(b) Using a proprietary encryption algorithm.
(c) Relying on keeping the keys secret rather than keeping the algorithm secret.
(d) Publishing encryption protocols for peer review and security analysis.

- A cryptanalyst observes that the frequency distribution of letters in the ciphertext closely matches the typical frequency distribution of those letters in French text. Which type of cipher was most likely used for encryption?
(a) Monoalphabetic substitution cipher.
(b) Polyalphabetic substitution cipher.
(c) One-time pad cipher.
(d) Transposition cipher.

- Which of the following ciphers most closely attempts to simulate the functionality of a one-time pad?
(a) ChaCha20, a stream cipher.
(b) DES, a Feistel cipher.
(c) AES, a substitution-permutation network cipher.
(d) Caesar, a shift cipher.

- Which of the following ciphers does NOT require padding?
(a) Camellia, a Japanese cipher with a Feistel network structure.
(b) ARIA, a South Korean standard cipher that uses a substitution-permutation network.
(c) Playfair, a classical digraph substitution cipher.
(d) RC4, a stream cipher that was previously used in Wi-Fi protocols.

- Why is the one-time pad (OTP) not commonly used in practical cryptographic applications?
(a) Its key size makes key distribution impractical.
(b) It can be broken using frequency analysis.
(c) It is vulnerable to quantum computing attacks.
(d) Ciphers such as AES provide better security.

- If an attacker can break a 64-bit key in 292 years using brute force, approximately how much longer would it take to brute-force a 128-bit key, assuming the same computational power?
(a) Approximately 600 years.
(b) 2^64 times longer, or roughly 5.4x10^28 years.
(c) 64 times longer, or about 18,688 years.
(d) It would take the same amount of time with quantum computers.

- What is the primary purpose of an Initialization Vector (IV) in encryption?
(a) Maximize confusion and diffusion in the ciphertext.
(b) Ensure that the same plaintext encrypted with the same key produces different ciphertexts.
(c) Extend the plaintext so it aligns with the block size of the cipher.
(d) Build a table of substitutions for the substitution-permutation network of a cipher.

- What is the primary purpose of the Diffie-Hellman algorithm?
(a) To encrypt and decrypt messages using asymmetric keys.
(b) To allow two parties to securely establish a shared secret key over an insecure channel.
(c) To hash messages to ensure integrity.
(d) To provide digital signatures for authentication.

- How are public and private keys used where Alice wants to send a message securely to Bob that only he can read?
(a) Alice encrypts a message using Bob's public key, and Bob decrypts it with his private key.
(b) Alice encrypts the message with her private key and Bob decrypts it with his public key.
(c) Alice and Bob agree on a key to use and then use that chosen key for encryption and decryption.
(d) Alice encrypts the message with her private key and Bob decrypts it with Alice's public key.

- What is the primary characteristic of a hybrid cryptosystem?
(a) It encrypts data with multiple keys to guard against the theft of a subset of those keys.
(b) It enhances security by adding message authentication codes (MACs) to encrypted data.
(c) It uses public key cryptography for key exchange and symmetric cryptography for data encryption.
(d) It uses multiple layers of encryption for greater security in case one algorithm is found to be weak.

- How is quantum computing expected to impact modern cryptographic algorithms?
(a) It will render symmetric encryption algorithms like AES and 3DES completely insecure.
(b) It will make RSA and ECC public key algorithms ineffective.
(c) It will make both symmetric and public-key encryption equally vulnerable.
(d) It will have no significant impact on cryptographic security.

- What is the main benefit of forward secrecy in cryptographic communications?
(a) It ensures that past encrypted sessions remain secure even if the long-term private key is compromised.
(b) It allows previously encrypted messages to be decrypted if the private key is later recovered.
(c) It prevents attackers from performing a brute-force attack on a symmetric encryption key.
(d) It guarantees protection against future quantum computing attacks.

- Why is collision resistance an important property of cryptographic hash functions?
(a) It makes it impossible to find the original input given a hash value.
(b) It prevents an attacker from modifying an encrypted message without knowing the encryption key.
(c) It makes finding two inputs with the same hash infeasible, ensuring data integrity.
(d) It ensures that hash functions are always faster than using symmetric encryption algorithms.

- Which of the following is a key difference between Message Authentication Codes (MACs) and digital signatures?
(a) MACs use asymmetric cryptography, while digital signatures use symmetric cryptography.
(b) MACs generate a fixed-length hash of a message, while digital signatures encrypt the message.
(c) MACs use a shared secret key, while digital signatures provide non-repudiation by using public-key cryptography.
(d) MACs require a trusted third party (Certificate Authority), while digital signatures do not.

- In the Needham-Schroeder protocol, what role does the trusted third party play?
(a) It acts as a trusted central storage place for the public keys of all users.
(b) It encrypts all messages between Alice and Bob.
(c) It generates a session key and securely distributes it to both parties.
(d) It provides non-repudiation for the established session.

- Why does Kerberos use timestamps instead of nonces in its authentication process?
(a) To increase the randomness of session keys, making brute-force attacks harder.
(b) To prevent replay attacks by ensuring authentication messages are valid only for a short time.
(c) To prevent users from having to remember their session keys after authentication.
(d) To ensure that messages are delivered in the correct sequence during the authentication protocol.

- Which of the following is an example of multi-factor authentication (MFA)?
(a) A password and a security question.
(b) A fingerprint scan and facial recognition.
(c) A PIN and a username.
(d) A password and a one-time passcode sent via SMS.

- What is the primary reason for salting passwords before hashing them?
(a) To increase the randomness of the password itself.
(b) To allow users to reset their passwords securely.
(c) To prevent attackers from using precomputed hash lookup tables to crack passwords.
(d) To reduce the storage space required for hashed passwords.

- What is the main reason credential stuffing attacks succeed?
(a) Many websites do not require passwords for authentication.
(b) Hackers can break even relatively strong passwords easily using brute force.
(c) Some modern password hashing algorithms are weak.
(d) Many users reuse the same password across multiple sites.

- Why is TOTP (time-based one-time passwords) generally considered more secure than HOTP?
(a) TOTP passwords are encrypted, while HOTP passwords are not.
(b) HOTP passwords can be used multiple times, while TOTP passwords are for one-time use only.
(c) TOTP-generated passwords expire after a short time, reducing opportunities for a replay attack.
(d) TOTP does not rely on the security of a cryptographic hash function.