
Internet of Things Security - IoT Security Multiple Choice Questions (MCQs) with Correct Answers

1. _________ is an attack which forces an end user to execute unwanted actions on a web
application in which he/she is currently authenticated.
o a. Cross-site scoring scripting
o b. Cross-site request forgery
o c. Two-factor authentication
o d. Cross-site scripting

2. A Web site that allows users to enter text, such as a comment or a name, and then stores
it and later displays it to other users, is potentially vulnerable to a kind of attack called a
___________________ attack.
o a. Cross-site scripting
o b. Cross-site scoring scripting
o c. Cross-site request forgery
o d. Two-factor authentication

3. AES uses a 128 bit block size and a key size of __________ bits.
o a. 128 or 192
o b. 128 or 256
o c. 128, 192, or 256
o d. 128, 192, or 256

4. All of the following are biometric techniques except
o a. Badge
o b. Retina
o c. Face
o d. Palm print

5. An encryption scheme is unconditionally secure if the ciphertext generated does not
contain enough information to determine uniquely the corresponding plaintext, no matter
how much cipher text is available.
o a. True
o b. False


6. Even with two-factor authentication, users may still be vulnerable to _____________ attacks.
o a. Scripting
o b. Cross attack
o c. Man-in-the-middle
o d. Radiant

7. An example of a good password is
o a. name of a partner or spouse
o b. word related to a job or hobby
o c. words containing multiple random digits
o d. name of a child or pet

8. The DES algorithm has a key length of
o a. 64 Bits
o b. 128 Bits
o c. 16 Bits
o d. 32 Bits

9. If the sender and receiver use different keys, the system is referred to as a conventional
cipher system.
o a. True
o b. False

10. In asymmetric key cryptography, the private key is kept by
o a. Receiver
o b. sender and receiver
o c. Sender
o d. all the connected devices to the network

11. In cryptography, what is a cipher?
o a. none of the mentioned
o b. encrypted message
o c. both algorithm for performing encryption and decryption and encrypted
message
o d. algorithm for performing encryption and decryption

12. When dealing with risk, which response is carried out by buying insurance?
o a. Risk acceptance
o b. Risk mitigation
o c. Risk transfer
o d. Risk avoidance

13. In the DREAD methodology of risk analysis in threat analysis, how is the risk score for each
threat calculated?
o a. Risk score = (Reproducibility + Exploitability + Discoverability) *
(Damage potential + Affected users)
o b. Risk score = (Reproducibility * Exploitability * Discoverability) / (Damage
potential * Affected users)
o c. Risk score = (Reproducibility + Exploitability + Discoverability) / (Damage
potential + Affected users)
o d. Risk score = (Reproducibility * Exploitability - Discoverability) ^ (Damage
potential + Affected users)

14. In threat modeling, what methodology is used to perform risk analysis?
o a. DREAD
o b. OWASP
o c. STRIDE
o d. DAR

15. Many applications use _________________, where two independent factors are used to
identify a user.
o a. Cross-site request forgery
o b. Cross-site scoring scripting
o c. Two-factor authentication
o d. Cross-site scripting

16. The most devastating loss to a company is
o a. Loss of printouts
o b. Loss of data
o c. Loss of Hardware
o d. Loss of software

17. Out of the following, which is not an element of threat modelling?
o a. Asset
o b. Vulnerability
o c. Threat
o d. Time

18. Process of identifying any individual
o a. Auditing
o b. Authorisation
o c. Authentication
o d. Accounting

19. Process of keeping track of users' activity
o a. Authentication
o b. Authoring
o c. Authorisation
o d. Accounting

20. Process that prevents someone from denying that she accessed a resource
o a. Accounting
o b. Non-repudiation
o c. Sniffing
o d. Authorisation

21. Secret words or numbers used for protection of devices are called
o a. Biometrics data
o b. Private words
o c. Backup
o d. Passwords

22. Security protection for personal computers includes
o a. Internal components
o b. Software
o c. All of these
o d. Locks and cables

23. The most common form of authentication
o a. Password
o b. Smart cards
o c. PIN
o d. Digital certificates

24. The process of converting data into a format that cannot be read by another user
o a. Registering
o b. Locking
o c. Encryption
o d. Keying

25. The process of identifying assets and threats in an organisation is known as
o a. Threat Modeling
o b. Security Auditing
o c. Security Planning
o d. Firewalling

26. The process of identifying a person before giving access?
o a. Authentication
o b. Encryption
o c. Auditing
o d. Access control

27. True or false: It's important that the data stored on IoT drives is encrypted
o a. False
o b. True

28. What concept determines what resources users can access after they log on?
o a. Auditing
o b. Defense in depth
o c. Authentication
o d. Access control

29. What do you call the scope that a hacker can use to break into a system?
o a. Attack surface
o b. Defense in depth
o c. Principle of least privilege
o d. Risk mitigation

30. What do you call the security discipline that requires that a user is given no more
privileges than necessary to perform his or her job?
o a. Defense in Depth
o b. Risk transfer
o c. Principle of least privilege
o d. Reduction of attack surface

31. What is data at rest?
o a. Data that is not actively traversing a network
o b. Data stored on a device
o c. Both a and b
o d. Data that is taking a nap

32. What is Data Encryption Standard (DES)?
o a. none of the mentioned
o b. bit cipher
o c. block cipher
o d. stream cipher

33. What is Defense in Depth?
o a. An approach
o b. A security solution
o c. A battle tactic
o d. All of the Above

34. What is needed to highly secure a system?
o a. Lot of time
o b. More money
o c. System update
o d. Disabled administrator account

35. What is the best way to protect against social engineering?
o a. Employee awareness
o b. Risk mitigation
o c. Stronger authentication
o d. Strong encryption

36. What is the first line of defence when setting up a network?
o a. Physically secure a network
o b. Configure an authentication
o c. Configure encryption
o d. Configure an ACL

37. What is used to provide protection when one line of defense is breached?
o a. Defense in depth
o b. Attack surface
o c. Principle of least privilege
o d. Risk mitigation

38. What kind of electronic document contains a public key?
o a. PIN
o b. Digital certificate
o c. PAN
o d. Biometrics

39. What method used by hackers relies on the trusting nature of the person being attacked?
o a. Social engineering
o b. Principle of least privilege
o c. Attack surface
o d. Risk avoidance

40. What security threats do employee-owned devices pose by storing corporate data and
accessing corporate networks?
o a. Making infrastructure vulnerable to malware
o b. All of the above
o c. Potential for noncompliance
o d. Data loss

41. What technology is not used to implement confidentiality?
o a. Encryption
o b. Auditing
o c. Access control
o d. Authentication

42. What type of attack tries to guess a password by trying common words?
o a. Dictionary attack
o b. Brute force attack
o c. Man in the middle attack
o d. Smurf attack

43. What type of authentication method identifies and recognises people based on physical
traits such as fingerprints?
o a. WEP
o b. Digital certificates
o c. Biometrics
o d. RADIUS

44. Which of the following are not assets in a typical IoT system?
o a. IoT Device
o b. Gateway
o c. None of them
o d. Application
o e. Sensor Data

45. Which of the following is not a correct way to secure the communication layer?
o a. Cloud initiated communication
o b. TLS/SSL
o c. IPS(Intrusion Prevention System)
o d. Firewalls

46. Which of the following is not a response when dealing with a risk?
o a. Mitigation
o b. Avoidance
o c. Transfer
o d. Patching

47. Which of the following is not a type of cloud deployment?
o a. Private
o b. Public
o c. Hybrid
o d. Social

48. Which of the following is not a type or source of threat?
o a. Operational threat
o b. Cultural threat
o c. Technical threat
o d. Social threat

49. Which of the following is not a component of an IoT endpoint?
o a. Sensor
o b. Gateway
o c. Communication Module
o d. MCU

50. Which of the following is not part of the basic services offered by the cloud?
o a. PaaS
o b. SaaS
o c. IaaS
o d. LaaS

51. Which of the following is not part of the IoT ecosystem?
o a. Edge Device
o b. Public cloud
o c. None of them
o d. Mobile App
o e. Router

52. Which of the following is a threat to an IoT device?
o a. Virus
o b. All of the above
o c. People
o d. Natural Disaster
o e. Spoofing

53. Which of the following makes sure that data is not changed when it is not supposed to be?
o a. Integrity
o b. Availability
o c. Confidentiality
o d. Accounting

54. Which of the following terms indicates that information is to be read only by those
people for whom it is intended?
o a. Availability
o b. Accounting
o c. Integrity
o d. Confidentiality

55. Which one is not part of the CIA Triad?
o a. Authorisation
o b. Authenticity
o c. Integrity
o d. Confidentiality

56. Which one is not a component of IoT Security Architecture?
o a. None of them
o b. Secure Device
o c. Secure Lifecycle Management
o d. Secure Communication
o e. Secure Cloud

57. Which one of these is not a threat modelling methodology?
o a. NANO
o b. STRIDE
o c. OCTAVE
o d. PASTA

58. Which tool can be used for Threat Modeling?
o a. Netbeans
o b. Spyder
o c. TMT 2016
o d. Eclipse

59. Why is threat modelling not performed?
o a. Secure Application building
o b. Performing data analytics
o c. Achieving Defense in Depth
o d. To save time, revenue and reputation of a company

60. You are asked to develop an application from scratch. When will you start performing threat
modeling of the application?
o a. During requirements collection phase
o b. At the design stage
o c. At the beginning of the testing phase

--------------------------------------------------------------------------------
Internet of Things (IoT) — Security, Risks and Vulnerabilities

IoT has been a sensational topic for quite some time now, and in recent years it has gained
even more relevance. All the major technology giants are amazed by what IoT has achieved in the
past and what more it holds for mankind in the future. Most of us are not familiar with the
term IoT, so let us first understand what IoT actually is.

First, What is IoT?

IoT stands for Internet of Things. It is a system of interconnected devices that share real-time
information among themselves over a network. When devices like home appliances, vehicles,
weather forecast systems and navigation systems are interconnected over a network, they together
make up the Internet of Things.

Let us take an example to understand the beauty of IoT:

You have a meeting at 10:00 am. You get an email that the meeting is delayed for some
reason. The smart alarm system, connected to your email system, automatically delays the alarm
by the stipulated time. Your coffee machine is also synced with your alarm system. As
soon as your alarm goes off, your coffee machine automatically brews coffee for you. You are ready
to go and rain starts pouring outside. As a result, there is a huge traffic jam. The IoT system
automatically finds the best possible way of reaching your destination. It books a ticket for you and
you are ready to go. This is just an introduction to what IoT can achieve. IoT is a vast concept
that can totally revolutionise the way things are done…

IoT and artificial intelligence applications will also help in building smart cities by improving
transportation, electricity supply, water distribution etc. They do so by finding all possible
solutions to a problem and choosing the best one. In the future, people will
witness smart cities that are free from pollution and have smarter transport and smarter energy
management.

IoT has a wide scope. In the new era of connectivity, it is going beyond laptops and smartphones.
It is the technology that is going to connect vehicles, smart homes, smart cities and healthcare.
IoT is making systems more intelligent by bridging the gap between the digital and the physical
world.

But with great power comes great responsibility. IoT, if used for good, can change the whole
scenario, but misuse of the technology can be devastating. So it is important that an IoT system
be secure enough to prevent data theft and any potential threat to our systems. Let us
discuss the various security risks and vulnerabilities involved in IoT and how we
can prevent them.

1. Security Risks in IoT Systems

An IoT system has a cloud database that is connected to all your devices. These devices are
connected to the internet and can be accessed by cybercriminals and hackers. As the
number of connected devices increases, the chances for hackers to breach the security system
increase.

Making IoT Systems more Secure

Security must be the main concern before implementing IoT systems. The security of an IoT
system needs to be considered at an early stage of development. Any unauthenticated
access to the IoT network must be detected at an early stage so that the degree of damage can
be mitigated. Meanwhile, many embedded devices are set up externally for security purposes.
To make IoT systems secure, two things must be kept in mind.

1. Data security: Data security and data mining must be at the top of the list of IoT security
features. It is the initial step to prevent any unauthenticated access to the devices in the IoT
network. A layered architecture must be used in the data security system, so that a breach of
the initial security level does not expose all the data. Rather, it must alert the authorities to the
potential threats and the initial-level security breach.

2. Authentication: Devices must be secured with strong passwords for authentication.
Also, third-party security software tools can be used to make devices more secure. These may
include biometrics, facial recognition, speech processing systems etc.


2. Vulnerabilities in IoT Systems

Let us discuss some of the vulnerabilities that IoT systems are facing:

1. Absence of transport layer security: In most IoT systems, data is stored on online
cloud servers, mobile phones or online databases. This data can be hacked easily as it is not
encrypted in the transport layer before storing. This increases the data security risk in an IoT
system.

2. Inadequate security features: With growing competition and huge demand, technology
giants want to launch their IoT software systems as soon as possible. Thus important
parts of the software life cycle, such as testing, quality assurance and security vulnerability
checks, are not done properly.

3. Poor mobile security: Poor mobile security in IoT systems makes them more vulnerable and
risky. Data is stored in a very insecure way on mobile devices. However, iOS devices are more
secure than Android devices. If a user loses his smartphone and the data is not backed up, he will
be in big trouble.

4. Storing data on cloud servers: Storing data on cloud servers is also considered a weak
link in the security of IoT systems. Cloud servers have less security and are open to attackers
from all directions. Developers must make sure that data stored on cloud servers is
always in encrypted format.

5. Network attacks: Another big vulnerability in IoT systems is the wireless connection, which
is exposed to attackers. For example, hackers can jam the functionality of a gateway in an IoT
system. This can bring down the whole IoT system.

Conclusion

In a nutshell, we can say that IoT is one of the most interesting and latest technologies these days.
The term Internet of Things is used to define a network that consists of a number of electronic devices
interconnected with smart technology. Smart cities, smart cars and smart home appliances are going
to be the next big thing that will revolutionise the way we live, work and interact. As we know,
every coin has two sides. Similarly, IoT has some risks and vulnerabilities too. By overcoming
these threats, we can enjoy the services of IoT systems.
