
24/2/2020 IoT Security 1.1 Chapter 5 Quiz: ELECTRO-S5-G18-IoT_SeC-P55-JD

IoT Security 1.1 Chapter 5 Quiz


Due No due date Points 30 Questions 15
Time limit None Allowed attempts Unlimited

Instructions
This quiz covers the content presented in Chapter 5 of IoT Security. This quiz is designed for
practice. You will be allowed multiple attempts and the grade will not appear in the gradebook.

There are several types of tasks that may be available in this quiz. In some types of tasks,
partial credit scoring is allowed to foster learning. Please be aware that on tasks with multiple
answers, points can be deducted for selecting incorrect options.

At the completion of the quiz, some items may display feedback. The feedback will reference the
source of the content. Example: "Refer to curriculum topic: 1.2.3" indicates that the source of
the material for this task is located in Chapter 1, section 2, topic 3.

Form: 36405


Attempt History
Attempt Time Score

LATEST Attempt 1 75 minutes 24 out of 30

Score for this attempt: 24 out of 30

Submitted Feb 24 at 11:30am
This attempt took 75 minutes.

Question 1 2 / 2 pts

Which attack involves a compromise of data that occurs between two endpoints?

Correct! man-in-the-middle attack

https://1302556.netacad.com/courses/977984/quizzes/8804235 1/15

denial of service

extraction of security parameters

username enumeration

Refer to curriculum topic: 5.1.1

Threat actors frequently attempt to access devices over the Internet through communication
protocols. Some of the most popular remote exploits are as follows:

Man-in-the-middle attack (MITM) – The threat actor gets between devices in the system and
intercepts all of the data being transmitted. This information could simply be collected or
modified for a specific purpose and delivered to its original destination.

Eavesdropping attack – When devices are being installed, the threat actor can intercept data
such as security keys that are used by constrained devices to establish communications once they
are up and running.

SQL injection (SQLi) – Threat actors use a flaw in the Structured Query Language (SQL)
application that allows them to have access to modify the data or gain administrative privileges.

Routing attack – A threat actor could either place a rogue routing device on the network or
modify routing packets to manipulate routers to send all packets to the chosen destination of the
threat actor. The threat actor could then drop specific packets, known as selective forwarding, or
drop all packets, known as a sinkhole attack.

Question 2 0 / 2 pts

Which password is the most hardened password for use on an IoT device?


ajkyfrjn0999y*

1245rdghy67#

Correct Answer Hnmmmkoty#4

You Answered 12gnkjl9!!!ddfgr

Refer to curriculum topic: 5.2.1


Hardened passwords should consist of at least 12 characters
with a combination of uppercase, lowercase, numbers, and
special characters.

Question 3 2 / 2 pts

A threat actor has injected JavaScript code into the output of a web
application and is manipulating client-side scripts to run as desired in
the browser. Which web front-end vulnerability is the threat actor
exploiting?

security misconfiguration

Correct! cross-site scripting

SQL injections

broken authentication


Refer to curriculum topic: 5.1.2


Web front-end vulnerabilities apply to apps, APIs, and services. Some of the most significant
vulnerabilities are as follows:

Cross-site scripting: In a cross-site scripting (XSS) attack, the threat actor injects code, most
often JavaScript, into the output of a web application. This forces client-side scripts to run the
way that the threat actor wants them to run in the browser.

SQL injections: In an SQLi the threat actor targets the SQL database itself, rather than the web
browser. This allows the threat actor to control the application database.

Broken authentication: Broken authentication includes both session management and protecting the
identity of a user. A threat actor can hijack a session to assume the identity of a user,
especially when session tokens are left unexpired.

Security misconfiguration: Security misconfiguration consists of several types of
vulnerabilities, all of which are centered on the lack of maintenance to the web application
configuration.

Question 4 2 / 2 pts

What is a characteristic of the message queueing telemetry transport (MQTT) publish-subscribe
model?

Correct! It allows for a retained messages option that can be used to provide status updates.

Clients that are connected will prevent other clients from connecting,
thus preserving power.


The last will and testament option allows for immediate session
termination, thus saving power.

Clients are prevented from subscribing to any subtopics in order to keep traffic to a minimum.

Refer to curriculum topic: 5.1.3


MQTT is used for machine to machine (M2M) IoT
communications and has an option to retain messages that can
be used to provide status updates. MQTT allows clients to
receive many messages when subscribed to a topic within
subtopics. It also supports an option called the last will and
testament option that ensures that the client receives the most
current updates of the topics subscribed to. Clients connected
do not prevent other clients from connecting and the traffic
model that is used helps to keep traffic to a minimum, thus
enabling reduction in power.

Question 5 0 / 2 pts

True or False?
On some home routers, to compromise the security on the router, a
Flash applet can be used to change the DNS server settings with an
UPnP request.

You Answered false

Correct Answer true


Refer to curriculum topic: 5.1.3


On some home routers, security can be compromised by running a Flash applet which can change the
DNS server settings when a UPnP request is made. This could be used to redirect legitimate traffic
to malevolent websites.

Question 6 2 / 2 pts

What is a characteristic of the message queueing telemetry transport (MQTT) protocol?

MQTT uses the User Datagram Protocol.

It is designed to connect servers together.

It is mainly used for instant messaging.

Correct! The MQTT protocol requires a message broker.

Refer to curriculum topic: 5.1.3


MQTT requires a message broker that manages communication
between publisher and subscriber clients.

Question 7 0 / 2 pts

A client wants to deploy MQTT on a large enterprise network and is worried about the security of
MQTT. The client wants all messages encrypted, including all messages between the broker and
clients. What could the client do to achieve this goal?

Correct Answer Apply payload encryption.


Use unique client IDs for each client.

Invoke SSL encryption.

You Answered Use client certificates.

Refer to curriculum topic: 5.2.1


Payload encryption works at the application layer and provides end-to-end encryption, protecting
all messages between the client and the broker.

Question 8 2 / 2 pts

What is one of the most widely exposed vulnerabilities listed by the Open Web Applications
Security Project (OWASP)?

adware

botnets

malware

Correct! single-factor authentication


Refer to curriculum topic: 5.1.1


According to the Open Web Applications Security Project (OWASP), the most widely exposed
vulnerabilities are these:

Username enumeration – The threat actor is able to find valid usernames through the
authentication application.

Weak passwords – The threat actor uses default passwords which have not been changed or is able
to set account passwords that the threat actor chooses.

Account lockout – The threat actor finds a way to attempt to authenticate many times after
multiple failed attempts.

Lack of multi-factor authentication – It is easier for a threat actor to gain access when only
one form of authentication is required.

Insecure 3rd party components – As vulnerabilities are discovered, they often become patched.
When components such as Secure Shell (SSH), BusyBox, or web servers are not kept up to date, the
threat actor might expose these vulnerabilities and gain access.

Question 9 2 / 2 pts

What is a characteristic of Extensible Messaging and Presence Protocol (XMPP)?

It uses a client-server model to inform clients of state changes as they occur.

It uses UDP for efficient packet sizes.

Correct! It uses an addressing scheme (name@domain.com) which helps simplify connections.


It uses a publish-subscribe model and supports the last will and testament option.

Refer to curriculum topic: 5.1.3


XMPP uses an addressing scheme (name@domain.com) to
simplify connections and enable communication when data is
sent between distant points.

Question 10 2 / 2 pts

Which popular exploit used by threat actors intercepts a system update and injects an update of
their own?

SQL injections

routing attack

eavesdropping attack

Correct! firmware replacement


Refer to curriculum topic: 5.1.1


Some of the most popular local exploits targeted by threat actors are as follows:

Firmware replacement – Updates and patches to devices are usually done remotely. If the process
is not secure, threat actors could intercept the update and install their own malicious update.
They could have full control over the device and begin attacking other devices in the system.

Cloning – By creating a duplicate device, both in physical form and the software and firmware
running on that device, the threat actor could replace a legitimate device. When the device is up
and running, the threat actor could then steal information or compromise additional devices.

Denial of service (DoS) – The threat actor could launch a DoS attack to fill the communications
channel, causing devices to respond to requests late, or not at all. Depending on the devices,
this could cause a lot of damage.

Extraction of security parameters – When a device is not protected properly, the threat actor
may be able to extract security parameters from it such as authentication information or security
keys.

Question 11 2 / 2 pts

A threat actor has hijacked a session to assume the identity of a valid user. Which web front-end
vulnerability is the threat actor exploiting?

cross-site scripting

Correct! broken authentication

SQL injections

security misconfiguration


Refer to curriculum topic: 5.1.2


Web front-end vulnerabilities apply to apps, APIs, and services. Some of the most significant
vulnerabilities are as follows:

Cross-site scripting: In a cross-site scripting (XSS) attack, the threat actor injects code, most
often JavaScript, into the output of a web application. This forces client-side scripts to run the
way that the threat actor wants them to run in the browser.

SQL injections: In an SQLi the threat actor targets the SQL database itself, rather than the web
browser. This allows the threat actor to control the application database.

Broken authentication: Broken authentication includes both session management and protecting the
identity of a user. A threat actor can hijack a session to assume the identity of a user,
especially when session tokens are left unexpired.

Security misconfiguration: Security misconfiguration consists of several types of
vulnerabilities, all of which are centered on the lack of maintenance to the web application
configuration.

Question 12 2 / 2 pts

What is a characteristic of the constrained application protocol (CoAP)?

It is primarily designed to collect data from many devices and deliver that data to the IT
infrastructure.

It supports the last will and testament option.

Correct! It allows for efficient sensor and node communication without requiring a centralized
control mechanism.

It is mostly used for multiple clients where live data is the only data.


Refer to curriculum topic: 5.1.3


CoAP uses a client-server model that allows for efficient sensor
and node communication. CoAP is a lightweight protocol that
uses UDP (but can use TCP) and is mainly used for M2M
communication.

Question 13 2 / 2 pts

What is a commonly exposed mobile application vulnerability?

Correct! insecure data storage

malware

SQL injections

user enumeration


Refer to curriculum topic: 5.1.1


Threat actors can gain access and control mobile devices through compromised mobile applications,
even though both Android and iOS are relatively secure. Some of the most widely exposed
vulnerabilities are as follows:

Insecure communication – The communication technology and channel must be secured. When there is
weak negotiation, poor handshake practices, and the use of incorrect versions of SSL, the
communication is not secure.

Insecure data storage – Many applications have access to data storage areas of mobile devices,
even though they may not need it. Data storage must be secured and applications must be tested to
ensure there is no data leakage.

Insecure authentication – A session must be managed properly to ensure that it is performed
securely. Users must be identified when necessary, and their identity must be maintained securely.

Improper platform usage – Mobile apps use features built into the platforms such as TouchID,
Keychain, and Android intents. Should these security controls be misused, access to the device and
other apps can be compromised.

Insufficient cryptography – The cryptography used to encrypt sensitive data must be sufficient
and must be applied when necessary.

Question 14 2 / 2 pts

For which type of devices is the use of DDS (data distribution service)
in M2M connections well suited?

for devices that require a collection of data for centralized storage and
filtration


for devices that require subscription of data on a server referred to as a broker

for devices where live data is not the only data and which use a client-
server model

Correct! for devices that measure real-time data in microseconds that need to be filtered and
delivered efficiently

Refer to curriculum topic: 5.1.3


Devices that measure real-time data in microseconds are good
candidates for DDS (data distribution service). DDS will filter the
data and send the required data efficiently to endpoints requiring
it. DDS is the protocol of choice when dealing with applications
that require speed and reliability.

Question 15 2 / 2 pts

What is the safest way to prevent an XXE attack?

Correct! Disable XML external entity and DTD processing in the application.

Use hardened passwords with a minimum of 12 characters.

Use SSL encryption on all traffic between the server and external
clients.

Use Pass phrases instead of a password.


Refer to curriculum topic: 5.2.1

An XXE attack can be prevented by disabling XML external entity and DTD processing in the
application.
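As an added example (not from the quiz or the Cisco curriculum), the Python code below enforces the mitigation the feedback names: it refuses any DOCTYPE/DTD before entities can be declared, so there is nothing for an external entity reference to resolve. The function names and the two sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    """The document carries a DOCTYPE/DTD, which is where XXE entities are declared."""


def parse_without_dtd(xml_text: str) -> dict:
    """Parse a small XML document into {element: text}, refusing any DTD."""
    parser = expat.ParserCreate()
    # Defence in depth: never resolve parameter entities either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, _system_id, _public_id, _has_internal_subset):
        # Fires at the start of any <!DOCTYPE ...>, before any entity is declared.
        raise DtdNotAllowed(f"DOCTYPE '{name}' is not allowed")

    def reject_entity(*_args):
        raise DtdNotAllowed("entity declarations are not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = lambda *_a: False  # never fetch anything

    result, stack = {}, []
    parser.StartElementHandler = lambda name, _attrs: stack.append(name)
    parser.EndElementHandler = lambda _name: stack.pop()

    def chars(data):
        if stack and data.strip():
            result[stack[-1]] = result.get(stack[-1], "") + data

    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)  # an exception raised in a handler propagates here
    return result


def is_accepted(xml_text: str) -> bool:
    """True if the document parses under the no-DTD policy, False if it was rejected."""
    try:
        parse_without_dtd(xml_text)
        return True
    except DtdNotAllowed:
        return False


# Constructed sample documents (not from the quiz): a plain sensor reading, and one
# whose DTD declares an external entity, which is the shape an XXE payload takes.
BENIGN_DOC = '<?xml version="1.0"?><reading><sensor>temp-1</sensor><value>21.5</value></reading>'
DTD_DOC = ('<?xml version="1.0"?><!DOCTYPE reading [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
           '<reading><value>&ext;</value></reading>')
```

The same policy can be applied at an API boundary by calling `is_accepted` on the request body before the real parser ever sees it.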

Quiz Score: 24 out of 30
