Exam Info

When & Where

The third exam will be held in our regular classroom on Monday, April 28, 2025.

It will take up about half the lecture, starting approximately during the second half of the class period. Please arrive on time and do not plan on coming in just to take the exam. If you arrive after the exam has started, you will not be allowed to take it.

Exam rules

Be sure to arrive on time. If you arrive after the exam starts, you will not be allowed to take it.

This will be a closed book, closed notes exam. Calculators, phones, augmented reality glasses, laptops, and tablets are neither needed nor permitted. If you have these devices, you must turn them off, put them out of sight, and not access them for the duration of the exam.

No other electronic devices are permitted except for hearing aids, pacemakers, electronic nerve stimulators, other implanted medical devices, or electronic watches that function only as timekeeping devices or chronographs.

Bring a couple of pens or pencils with you. Plan to use a pen only if you are supremely confident in not changing your mind about your answers. . Check here for information about pencils, sharpeners, and the craft of pencil sharpening.

Past exams

You can use my past exams as a guide to what this exam may look like, but realize there are differences in topics and in the sequencing of the topics. Expect around 25 multiple-choice questions. I do not refer to old exams when I come up with a new one, so it is likely that many of the topics that I considered important in past exams will show up on future exams. Some material may have changed, however, so do not worry about questions that appear to relate to topics we have not covered.

Get past 419 exams here.

Study guide

You are responsible for the material from the first four lectures and recitations.

I’ve prepared a study guide that attempts to cover most of the material you should know. It is not a substitute for the lectures, lecture material, and other reading matter. All the material may not be in the guide. My goal is to put most of the information you need to know a concise with fewer elaborations. You can also prepare your own guide, which would be a great way to prepare for the exam.

Get the study guide

Topics

Topics that you should know and may be on the exam include:

Malware

  • Worm vs. virus

  • Malware components

    • Delivery (initial access)
    • Installation (persistence)
    • Command and control
    • Execution (payload)
    • Trigger

  • Zero-Day vulnerabilities & exploits

  • N-Day exploits

  • Zero-Click exploits

  • Be familiar with the terms: adware, exfiltration, spyware, ransomware, wiper, keylogger

  • Infiltration mechanisms

    • File infector virus
    • Infected flash drives: AutoRun, hacked firmware, and data leakage
    • Code vulnerabilities, modified compilers (Ken Thompson’s paper), modified USB firmware, …
    • Social engineering
    • Credential stuffing, stolen credentials
    • Supply chain attacks
    • Macro viruses

  • Where malware lives

    • Bootloader (or boot sector) virus, bootkits
    • Backdoors
    • Remote Access Trojans (RAT)
    • I will not ask about JavaScript, source repositories
    • Rootkits: user & kernel mode rootkits
    • Hypervisor rootkit: what makes it more dangerous than other rootkits?
    • File-less malware
    • I will not ask you about the Blue Pill or Red Pill (SIDT instruction)
    • I will not ask about Stuxnet

  • Social Engineering

    • Trojan
    • Phishing, spear phishing
    • Smishing
    • Deceptive pop-ups, deceptive websites
    • Typosquatting and combosquatting
    • Malicious QR codes

  • Gathering information via malware

    • Keyloggers
    • Side-channel attacks

  • Bots, botnets, command & control servers

  • Defenses

    • file protection (including mandatory access control)
    • warning users (e.g., before opening macros)
    • I will not ask you about SPF, DKIM, DMARC for email authentication
    • Anti-malware software
      • Signature scanning
      • Static heuristic analysis
      • Behavioral analysis
      • Sandboxing
    • Other defenses
      • Removing admin rights from users
      • Containers
      • Running in a sandboxed environment

  • Malware detection countermeasures:

    • Encryption (crypters)
    • Packing (packers)
    • Polymorphic malware
    • Triggers
    • Understand the lessons of Reflections on Trusting Trust
    • Covert communication using DNS (see assignment)

  • Honeypot

Network security

Acronyms you should know: DNS, TTL, TCP, UDP, UP, ARP, DHCP, BGP, CAM, VLAN.

  • Basic concepts: local area network (LAN), IP, transport layer, TCP, UDP
  • Internet: end-to-end principle
  • Link layer
    • CAM overflow
      • What does a CAM overflow attack do?
      • Switch (MAC address) table, self-learning property
      • Content addressable memory (CAM)
      • Port security
    • VLAN hopping
      • What does a switch spoofing attack (VLAN hopping) do?
      • What is VLAN trunking?
    • ARP cache poisoning?
      • What is ARP cache poisoning?
      • What is the purpose of ARP? Know the purpose of an ARP response and a gratuitous ARP.
      • MAC address vs. IP address
      • ARP table
      • ARP broadcast
      • How can a system try to defend against ARP cache poisoning?
  • Network layer
    • What is DHCP server spoofing?
    • How does DHCP snooping work?
    • Understand the lack of authentication in IP datagrams, source address spoofing
    • Router attacks
  • Transport layer
    • Simplicity of forging UDP packets
    • Understand the need for random TCP starting sequence numbers
    • What is a SYN flooding attack and how can you guard against it?
    • SYN cookies
  • Routing
    • You don’t need to know External BGP vs. Internal BGP or OSPF (that’s background 352 info)
    • What is the purpose of BGP?
    • What is the security problem with BGP?
    • What is a prefix?
    • Path forgery, prefix forgery
    • Purpose of RPKI
    • Purpose of BGPsec
  • DNS
    • Security problem with DNS
    • You don’t need to know about the domain registry, registar, root servers (that’s background 352 info)
    • How does DNS (spoofing) cache poisoning differ from pharming?
    • Use of Query ID
    • Possible defenses against DNS spoofing
    • What is a DNS rebinding attack?
    • DNS pinning
    • Purpose of DNSSEC
    • Use of DNS for malware (homework)

DDoS Attacks

Acronyms you should know: DoS, DDoS, C2, C&C.

  • Botnet, zombie, command-and-control server (C2, C&C)
  • Denial of Service attack
  • Distributed Denial of Service attack
  • Volumetric vs packet-per-second attack
  • Reflection amplification

Secure communication: TLS and VPNs

Acronyms you should know: SSL, TLS, HMAK, HKDF, AH, ESP, IPsec, VPN.

  • Virtual Private Networks

    • What is a tunnel?
    • Tunnel mode vs. transport mode
    • IPsec Authentication Heander (AH) protocol
      • Just understand what it authenticates and encrypts
    • IPsec Encapsulating Security Payload (ESP) protocol
      • Just understand what it authenticates and encrypts
    • You don’t need to know the ciphers used by IPsec but know that it uses symmetric cryptography and HMACs. Know that Diffie-Hellman is most commonly used for key exchange

  • High-level disitnction between IPsec, OpenVPN, WireGuard

    • Kernel-level (IPsec, WireGuard), Communication (IPsec: network layer, OpenVPN & WireGuard: transport layer)

  • Transport Layer Security (TLS)

    • Goal of TLS
    • Mutual vs. uni-directional authentication
    • Remember that SSL (Secure Socket Layer) evolved into TLS (just so you’re not confused between the acronyms)
    • Basic concepts: authentication, key exchange, message integrity, communication.
    • You don’t need to know the ciphers used by TLS but know that authentication is done with public keys and X.509 certificates, key exchange is be done with Diffie-Hellman keys; know that data is encrypted with a symmetric algorithm (usually AES)
      • Know there are handshake and record phases and the purpose of each
    • You don’t need to know how the protocol changed in TLS 1.3
    • What is the purpose of HKDF - HMAC-based Extract-and-Expand Key Derivation Function?
    • What does AEAD (Authenticated Encryption with Associated Data) accomplish?
      • You don’t need to know how TLS 1.3 key derivation (HKDF) or how AEAD works
    • You don’t need to know attacks on TLS
    • Know that client authentication is almost never used. Why?

  • Difference between using VPNs and TLS

Firewalls

Acronyms you should know: DCI, DPI, DMZ, IDS, IPS.

  • Now does Network Address Translation (NAT) help with security?
  • High-level goal of a firewall
  • Approaches: Packet filters (screening routers), application proxies, IDS/IPS
  • Packet filters
    • What does a screening router do?
    • You don’t have to know filter chains but know that packet filters go through a list of conditions (rules) to find one that matche the date in the IP packet header.
    • You don’t have to know the syntax of rules but should recognize allow/reject rules
    • You don’t have to know any of differences between Windows, OpenBSD, and Linux implementations
    • What is the principle of firewalling?
    • Why is a default deny filtering model a good policy?
    • How do you guard against spoofed internal traffic?
    • First-generation vs. second-generation vs. third-generation packet filters
    • What does stateful inspecion add to a packet filter?
    • What is a DMZ (demilitarized zone)?
    • What is microsegmentation?
    • What is deep packet inspection (DPI) and deep content inspection (DCI)?
  • Intrusion Detection/Prevention Systems (IDS/IPS)
    • Understand the three types of systems: protocol-, signature-, and anomaly-based
    • Anomaly vs. misuse detection
    • Problem of false positives
    • Signatures in the context of IDS/IPS
    • Why is anomaly detection difficult?
  • Application proxies
    • What are they?
    • What is a dual-homed host?
    • What is a bastion host?
  • What is deperimiterization and how does the zero-trust model address it?
  • Host-based vs. network firewalls

Web browser security

Acronyms you should now: DOM, HTTP, HTTPS, HTML, CSRF, CORS, XSS.

  • Understand the increase in browser complexity (don’t memorize the list but understand the issues)
    • JavaScript, DOM allows modification of pages, more communication models, multimedia support
    • Components come from multiple sources
  • Role of iFrames
  • Same-origin policy
    • When are frames considered to have the same origin?
    • What unique resources can an origin access? Cookies, JavaScript namespace, DOM storage, DOM tree
    • I won’t ask you about the MIME sniffing attack
    • Cross-Origin Resource Sharing (CORS)
    • What does CORS enable?
  • Cookies
    • When are they sent to the server?
    • Purpose of HttpOnly
    • Purpose of Secure flag
  • Cross-Site Request Forgery (CSRF)
    • How does it work and when is it a problem?
    • How can you defend against it?
  • What is Clickjacking? How can you defend against it?
  • I will not ask you about screen sharing
  • Input sanitization issues
  • What is an SQL injection attack?
  • Cross-Site Scripting (XSS)
    • What is XSS?
    • Whet causes it?
    • Reflected vs. Persistent XSS
    • How do you defend against it?
  • Homograph/homoglyph attacks, typosquatting, combosquatting
  • Using images on the web to track access: tracking (spy) pixels
Last modified April 19, 2025.

© Paul Krzyzanowski. All rights reserved.

For questions or comments about this site, contact Paul Krzyzanowski, gro.kp@ofnibew

recycled pixels

The entire contents of this site are protected by copyright under national and international law. No part of this site may be copied, reproduced, stored in a retrieval system, or transmitted, in any form, or by any means whether electronic, mechanical or otherwise without the prior written consent of the copyright holder. If there is something on this page that you want to use, please let me know. Any opinions expressed on this page do not necessarily reflect the opinions of my employers and may not even reflect my own.

Page design derived from: HTML5 UP.