24/2/2020 IoT Security 1.1 Chapter 5 Quiz: ELECTRO-S5-G18-IoT_SeC-P55-JD

IoT Security 1.1 Chapter 5 Quiz

Due: No due date   Points: 30   Questions: 15
Time limit: None   Allowed attempts: Unlimited

Instructions
This quiz covers the content presented in Chapter 5 of IoT Security. This quiz is designed for practice. You will be allowed multiple attempts and the grade will not appear in the gradebook.

There are several types of tasks that may be available in this quiz. In some types of tasks, partial-credit grading is allowed to encourage learning. Please note that in tasks with multiple answers, points may be deducted for selecting incorrect options.

At the end of the quiz, some items may display feedback. The feedback will refer to the source of the content. Example: "Refer to curriculum topic: 1.2.3" indicates that the source of the material for this task is found in Chapter 1, Section 2, Topic 3.

Form: 36405

Attempt History
Attempt   Time   Score

KEPT   Attempt 2   13 minutes   28 out of 30

LATEST   Attempt 2   13 minutes   28 out of 30

Attempt 1   75 minutes   24 out of 30

Score for this attempt: 28 out of 30
Submitted Feb 24 at 11:44 a.m.
This attempt took 13 minutes.

Question 1 2 / 2 pts

What is a commonly exposed mobile application vulnerability?
https://1302556.netacad.com/courses/977984/quizzes/8804235 1/15

SQL injections

user enumeration

Correct!
insecure data storage

malware

Refer to curriculum topic: 5.1.1
Threat actors can gain access to and control mobile devices through compromised mobile apps, even though both Android and iOS are relatively secure. Some of the most exposed vulnerabilities are as follows:
Insecure communication – The communication technology and the channel must be secured. When there is weak negotiation, poor handshaking practices, and the use of incorrect SSL versions, communication is not secure.
Insecure data storage – Many apps have access to the data storage areas of mobile devices, although they may not need it. Data storage must be secured and apps must be tested to ensure that there are no data leaks.
Insecure authentication – A session must be managed properly to ensure that it is carried out securely. Users must identify themselves when required and their identity must be maintained securely.
Improper platform usage – Mobile apps use features built into the platforms, such as TouchID, Keychain, and Android. If these security controls are misused, access to the device and to other apps can be compromised.
Insufficient cryptography – The cryptography used to encrypt sensitive data must be sufficient and must be applied when necessary.


Question 2 0 / 2 pts

A threat actor has hijacked a session to assume the identity of a valid user. Which web front-end vulnerability is the threat actor exploiting?

You answered: cross-site scripting

Correct answer: broken authentication

SQL injections

security misconfiguration


Refer to curriculum topic: 5.1.2
Web front-end vulnerabilities apply to apps, APIs, and services. Some of the most significant vulnerabilities are as follows:
Cross-site scripting: In a cross-site scripting (XSS) attack, the threat actor injects code, most often JavaScript, into the output of a web application. This forces client-side scripts to run the way that the threat actor wants them to run in the browser.
SQL injections: In an SQLi, the threat actor targets the SQL database rather than the web browser. This allows the threat actor to control the application database.
Broken authentication: Broken authentication includes both session management and protecting the identity of a user. A threat actor can hijack a session to assume the identity of a user, especially when session tokens have not expired.
Security misconfiguration: Security misconfiguration consists of several types of vulnerabilities, all of which are centered on the lack of maintenance of the web application configuration.

Question 3 2 / 2 pts

Which two of the most widely exposed vulnerabilities are currently listed by the Open Web Application Security Project (OWASP)? (Choose two.)

Correct! account lockout

spam


malware

Correct! username enumeration

phishing

Refer to curriculum topic: 5.1.1
According to the Open Web Application Security Project (OWASP), the most widely exposed vulnerabilities are as follows:
Username enumeration – The threat actor is able to find valid usernames through the authentication application.
Weak passwords – The threat actor uses default passwords that have not been changed or is able to set account passwords that the threat actor chooses.
Account lockout – The threat actor finds a way to attempt to authenticate many times after multiple failed attempts.
Lack of multi-factor authentication – It is easier for a threat actor to gain access when only one form of authentication is required.
Insecure third-party components – As vulnerabilities are discovered, they are often patched. When components such as Secure Shell (SSH), BusyBox, or web servers are not kept up to date, the threat actor might expose these vulnerabilities and gain access.

Question 4 2 / 2 pts

What is the safest way to prevent an XXE attack?


Use SSL encryption on all traffic between the server and external clients.

Use hardened passwords with a minimum of 12 characters.

Use passphrases instead of a password.

Correct!
Disable XML external entity and DTD processing in the application.

Refer to curriculum topic: 5.2.1
An XXE attack can be prevented by disabling XML external entity and DTD processing in the application.
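The mitigation the feedback names, disabling DTD and external entity processing, put into working code. This is an added example, not part of the quiz or the Cisco curriculum; it uses only Python's standard-library expat bindings, and the two sample documents are constructed for the demonstration.

```python
"""Hardened XML parsing: refuse any DOCTYPE/DTD and never fetch external entities."""
from xml.parsers import expat


class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE, since DTD processing is disabled."""


def parse_hardened(data: bytes) -> dict:
    """Parse XML into {leaf_tag: text} with DTD and external-entity processing off."""
    parser = expat.ParserCreate()
    # Never load external parameter entities (the DTD half of XXE).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on "<!DOCTYPE ..." before any entity in the internal subset is declared.
        raise DoctypeRejected(f"DOCTYPE '{name}' is not accepted")

    def refuse_external_entity(context, base, sysid, pubid):
        # Defence in depth: returning 0 aborts the parse instead of fetching sysid.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = refuse_external_entity

    leaves, text_buf = {}, []

    def start_element(tag, attrs):
        text_buf.clear()
    def character_data(text):
        text_buf.append(text)  # expat may deliver one text node in several chunks
    def end_element(tag):
        text = "".join(text_buf).strip()
        if text:
            leaves[tag] = text
        text_buf.clear()

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.EndElementHandler = end_element
    parser.Parse(data, True)
    return leaves


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document outright."""
    try:
        parse_hardened(data)
    except (DoctypeRejected, expat.ExpatError):
        return True
    return False


# Constructed sample inputs for this example (not taken from the quiz).
BENIGN_DOC = b"<device><id>sensor-07</id><fw>1.1.3</fw></device>"
XXE_PROBE = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///dev/null">]>'
             b"<device><id>&ext;</id></device>")
```

The probe is refused at the DOCTYPE declaration, before the entity is ever declared or resolved, so no file or URL is touched.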

Pregunta 5 2 /2 pts

Which attack involves a compromise of data that occurs between two end points?

denial-of-service

Correct! man-in-the-middle attack

username enumeration

extraction of security parameters


Refer to curriculum topic: 5.1.1
Threat actors frequently attempt to access devices over the internet through communication protocols. Some of the most popular remote exploits are as follows:
Man-in-the-middle attack (MITM) – The threat actor gets between devices in the system and intercepts all of the data being transmitted. This information could simply be collected, or modified for a specific purpose and delivered to its original destination.
Eavesdropping attack – When devices are being installed, the threat actor can intercept data such as security keys that are used by constrained devices to establish communications once they are up and running.
SQL injection (SQLi) – Threat actors use a flaw in the Structured Query Language (SQL) application that allows them to access and modify the data or gain administrative privileges.
Routing attack – A threat actor could either place a rogue routing device on the network or modify routing packets to manipulate routers to send all packets to the destination chosen by the threat actor. The threat actor could then drop specific packets, known as selective forwarding, or drop all packets, known as a sinkhole attack.

Question 6 2 / 2 pts

True or False?
On some home routers, to compromise the security on the router, a Flash applet can be used to change the DNS server settings with a UPnP request.

false

Correct!
true


Refer to curriculum topic: 5.1.3
On some home routers, security can be compromised by running a Flash applet which can change the DNS server settings when a UPnP request is made. This could be used to redirect legitimate traffic to malevolent websites.

Question 7 2 / 2 pts

How does UPnP assist a user to easily set up network-enabled devices?

It allows for the detection of all devices without user intervention.

It allows users to deploy enterprise-level networks easily and efficiently.

Correct!
It automatically configures communication between UPnP-enabled
devices.

It forces the devices to use UDP for all connections because of its lower
overhead.

Refer to curriculum topic: 5.1.3
UPnP (universal plug and play) will enable all UPnP devices to communicate with each other easily. It is used mainly in residential setups, as the multicast nature of UPnP consumes too many resources on networks for it to be efficiently deployed in an enterprise network.

Question 8 2 / 2 pts

For which type of devices is the use of DDS (data distribution service)
in M2M connections well suited?

for devices that require a collection of data for centralized storage and
filtration

for devices that require subscription of data on a server referred to as a broker

Correct!
for devices that measure real-time data in microseconds that need to be filtered and delivered efficiently

for devices where live data is not the only data and which use a client-server model

Refer to curriculum topic: 5.1.3
Devices that measure real-time data in microseconds are good candidates for DDS (data distribution service). DDS will filter the data and send the required data efficiently to the endpoints requiring it. DDS is the protocol of choice when dealing with applications that require speed and reliability.

Question 9 2 / 2 pts

A threat actor has injected JavaScript code into the output of a web
application and is manipulating client-side scripts to run as desired in
the browser. Which web front-end vulnerability is the threat actor
exploiting?


broken authentication

security misconfiguration

SQL injections

Correct!
cross-site scripting

Refer to curriculum topic: 5.1.2
Web front-end vulnerabilities apply to apps, APIs, and services. Some of the most significant vulnerabilities are as follows:
Cross-site scripting: In a cross-site scripting (XSS) attack, the threat actor injects code, most often JavaScript, into the output of a web application. This forces client-side scripts to run the way that the threat actor wants them to run in the browser.
SQL injections: In an SQLi the threat actor targets the SQL database itself, rather than the web browser. This allows the threat actor to control the application database.
Broken authentication: Broken authentication includes both session management and protecting the identity of a user. A threat actor can hijack a session to assume the identity of a user, especially when session tokens are left unexpired.
Security misconfiguration: Security misconfiguration consists of several types of vulnerabilities, all of which are centered on the lack of maintenance to the web application configuration.

Question 10 2 / 2 pts

What is a characteristic of the message queueing telemetry transport (MQTT) protocol?

It is mainly used for instant messaging.

It is designed to connect servers together.

MQTT uses the User Datagram Protocol.

Correct!
The MQTT protocol requires a message broker.

Refer to curriculum topic: 5.1.3
MQTT requires a message broker that manages communication between publisher and subscriber clients.

Question 11 2 / 2 pts

Which password is the most hardened password for use on an IoT device?

Correct!
Hnmmmkoty#4

ajkyfrjn0999y*

12gnkjl9!!!ddfgr

1245rdghy67#

Refer to curriculum topic: 5.2.1
Hardened passwords should consist of at least 12 characters with a combination of uppercase, lowercase, numbers, and special characters.

Question 12 2 / 2 pts

A threat actor has placed a rogue device on the network to manipulate the chosen destination of all packets. Which remote exploit was used by the threat actor?


extraction of security parameters

username enumeration

denial-of-service

Correct! routing attack

Refer to curriculum topic: 5.1.1
Threat actors frequently attempt to access devices over the internet through communication protocols. Some of the most popular remote exploits are as follows:
Man-in-the-middle attack (MITM) – The threat actor gets between devices in the system and intercepts all of the data being transmitted. This information could simply be collected, or modified for a specific purpose and delivered to its original destination.
Eavesdropping attack – When devices are being installed, the threat actor can intercept data such as security keys that are used by constrained devices to establish communications once they are up and running.
SQL injection (SQLi) – Threat actors use a flaw in the Structured Query Language (SQL) application that allows them to access and modify the data or gain administrative privileges.
Routing attack – A threat actor could either place a rogue routing device on the network or modify routing packets to manipulate routers to send all packets to the destination chosen by the threat actor. The threat actor could then drop specific packets, known as selective forwarding, or drop all packets, known as a sinkhole attack.

Question 13 2 / 2 pts

What is a characteristic of the constrained application protocol (CoAP)?


It supports the last will and testament option.

Correct!
It allows for efficient sensor and node communication without requiring
a centralized control mechanism.

It is primarily designed to collect data from many devices and deliver that data to the IT infrastructure.

It is mostly used for multiple clients where live data is the only data.

Refer to curriculum topic: 5.1.3
CoAP uses a client-server model that allows for efficient sensor and node communication. CoAP is a lightweight protocol that uses UDP (but can use TCP) and is mainly used for M2M communication.

Question 14 2 / 2 pts

Which popular exploit used by threat actors intercepts a system update and injects an update of their own?

SQL injections

eavesdropping attack

routing attack

Correct! firmware replacement


Refer to curriculum topic: 5.1.1
Some of the most popular local exploits targeted by threat actors are as follows:
Firmware replacement – Updates and patches to devices are usually done remotely. If the process is not secure, threat actors could intercept the update and install their own malicious update. They could then have full control over the device and begin attacking other devices in the system.
Cloning – By creating a duplicate device, both in physical form and in the software and firmware running on that device, the threat actor could replace a legitimate device. When the device is up and running, the threat actor could then steal information or compromise additional devices.
Denial of service (DoS) – The threat actor could launch a DoS attack to fill the communications channel, causing devices to respond to requests late, or not at all. Depending on the devices, this could cause a lot of damage.
Extraction of security parameters – When a device is not protected properly, the threat actor may be able to extract security parameters from it, such as authentication information or security keys.

Question 15 2 / 2 pts

What is one of the most widely exposed vulnerabilities listed by the Open Web Applications Security Project (OWASP)?

malware

botnets

Correct! single-factor authentication

adware


Refer to curriculum topic: 5.1.1
According to the Open Web Applications Security Project (OWASP), the most widely exposed vulnerabilities are these:
Username enumeration – The threat actor is able to find valid usernames through the authentication application.
Weak passwords – The threat actor uses default passwords which have not been changed or is able to set account passwords that the threat actor chooses.
Account lockout – The threat actor finds a way to attempt to authenticate many times after multiple failed attempts.
Lack of multi-factor authentication – It is easier for a threat actor to gain access when only one form of authentication is required.
Insecure 3rd party components – As vulnerabilities are discovered, they often become patched. When components such as Secure Shell (SSH), BusyBox, or web servers are not kept up to date, the threat actor might expose these vulnerabilities and gain access.

Quiz Score: 28 out of 30
