| Category | Assignment | Subject | Computer Science |
|---|---|---|---|
| University | Victoria University of Wellington | Module Title | CYBR 171 Cybersecurity Fundamentals |
Students who pass this course will be able to:
Question 1. What is the MOST secure default firewall policy? [27 marks]
A. All computers on the local area network can access any service on the Internet.
B. No computers on the local area network can access the Internet.
C. Some computers on the local area network can access any service on the Internet.
D. Some computers on the local area network can access specific services on the Internet.
Question 2. Your Intrusion Detection System (IDS) reports an attack but on investigation you discover that this was an error. What type of error is this?
A. False negative.
B. False positive.
C. True negative.
D. True positive.
Question 3. What is a vulnerability in a web application that allows a hacker to force another user to execute malicious code?
A. Cross-site scripting (XSS).
B. Path traversal.
C. SQL injection.
D. XML injection.
Question 4. Which of the following is a WEAKNESS of misuse detection as opposed to anomaly detection?
A. Does not require regular updates.
B. Less likely to raise false alarms.
C. Misses new types of attack.
D. Performance increases as more rules are added.
Question 5. Which of the following techniques can be used to stop a cross-site request forgery (CSRF) attack on a web application?
A. Re-authenticate every request.
B. Sanitize user controlled data.
C. Set secure flag on cookie.
D. Use access controls.
Question 6. Which of the following is TRUE for the "steal the cookie" attack?
A. Allows an attacker to impersonate the user.
B. Can ONLY be prevented by setting the secure flag on a cookie.
C. Exposes the user's password to the attacker.
D. Prevention only requires the login page to be protected by HTTPS.
Question 7. Consider HTML forms: ______ sends the values as query string parameters as part of the URL, whereas ______ sends them as hidden within the HTTP request body.
Choose the pair below that would best complete the sentence above.
A. GET, GET.
B. GET, POST.
C. POST, GET.
D. POST, POST.
Question 8.
A ______ XSS attack requires the web site to have some way to return a script provided by one user to another at a later point in time.
A ______ XSS attack may return a script immediately to a user via an error message.
Which of the following pairs correctly completes the two sentences above?
A. Reflected, Reflected.
B. Reflected, Stored.
C. Stored, Reflected.
D. Stored, Stored.
Question 9. Which of these statements is TRUE about the following firewall rule, considering 192.168.0.50 is the IP address of a machine on the internal network?
A. All communications from a specific machine on the internal network to any external machine are allowed.
B. All inbound traffic to all machines on the internal network is allowed.
C. Inbound traffic to a specific machine on the internal network is allowed.
D. Only inbound HTTP traffic to a specific machine on the internal network is allowed.
Question 10. Phishing relies primarily on the following:
A. Benefit in exchange for information.
B. Brute forcing a password.
C. False sense of urgency.
D. Tailgating.
Question 11. Which of the following descriptions most closely describes a VPN?
A. Guaranteed anonymity for users.
B. High speed connection.
C. Reliable connection to a corporate network.
D. Private connection across an untrusted network.
Question 12. Which of the following social engineering attacks is considered to be a form of a 419 scam?
A. Baiting.
B. Email compromise and fake invoice scam.
C. Spanish prisoner.
D. Tailgating.
Question 13. Which of the following psychological experiments investigated people's willingness to obey others even if asked to do immoral things?
A. Asch's experiment.
B. Jones & Harris' experiment.
C. Milgram's experiment.
D. Zimbardo's prisoner experiment.
Question 14. Which of the following psychological experiments investigated whether people would rather conform and deny the evidence of their senses?
A. Asch's experiment.
B. Jones & Harris' experiment.
C. Milgram's experiment.
D. Zimbardo's prisoner experiment.
Question 15. What is considered to be the weakest link in any security system?
A. Cryptography.
B. Legal powers.
C. Passwords.
D. People.
Question 16. What human emotion does Pre-texting exploit?
A. Anxiety.
B. Fear.
C. Sadness.
D. Trust.
Question 17. Which of the following types of security are concerned with attacks such as the theft of a USB containing sensitive information?
A. Application.
B. Network.
C. Physical.
D. Web application.
Question 18. The correct ordering of the steps involved in a social engineering attack is:
A. Define your goal, build trust, exploit the relationship, seek information and use the information gathered for malicious purposes.
B. Define your goal, build trust, seek information, exploit the relationship and use the information gathered for malicious purposes.
C. Define your goal, build trust, seek information, use the information gathered for malicious purposes and exploit the relationship.
D. Define your goal, seek information, build trust, exploit the relationship and use the information gathered for malicious purposes.
Question 19. Which one of the following categories of protection component would Ruapekapeka's location inland from the coast BEST fit?
A. Deter.
B. Alarm.
C. Detect.
D. Delay.
Question 20. Which one of the following categories of protection component would Ruapekapeka's position on the hill allowing easy visibility of the British encampment BEST fit?
A. Alarm.
B. Delay.
C. Detect.
D. Respond.
Question 21. What is the BEST description of the principle of defence-in-depth?
A. Minimise privilege required by users.
B. Multiple protection components.
C. Strong encryption.
D. Strong protection components.
Question 22. Which of the following terms describe the set of instructions and actions to be performed at every step in the incident response (IR) process?
A. Analysis steps.
B. Playbook.
C. Response plan.
D. Recovery manual.
Question 23. What is the definition of real evidence as discussed in the lectures?
A. Any evidence given by a first party.
B. Any evidence such as an inanimate object.
C. Any hearsay evidence.
D. The best or "first hand" evidence.
Question 24. What does the acronym CSIRT stand for?
A. Computer Security Incident Reaction Team.
B. Computer Security Incident Response Team.
C. Cyber Security Incident Reaction Team.
D. Cyber Security Incident Response Team.
Question 25. Which of the following correctly lists the first four steps of the cyber kill chain?
A. Delivery, Weaponization, Reconnaissance, Exploitation.
B. Exploitation, Reconnaissance, Weaponization, Delivery.
C. Reconnaissance, Weaponization, Delivery, Exploitation.
D. Weaponization, Reconnaissance, Delivery, Exploitation.
Question 26. Which statement regarding tabletop exercises is FALSE?
A. Allows you to test the plan and playbooks.
B. Identifies whom to blame.
C. Identify gaps in the plans or playbooks.
D. Led by a facilitator.
Question 27. Which one of the following is the correct definition of Locard's exchange principle as discussed in the lectures?
A. A trace left by an event will be visible on the objects involved.
B. When an event happens, it leaves a trace.
C. When an event affects an object, it will leave a trace of its occurrence.
Each question in this section is worth TWO marks. [16 marks]
Question 28. What is the main reason for the discussion of physical security in a course on cybersecurity?
A. Attackers might damage your property through vandalism.
B. Attackers might dumpster dive to steal commercial secrets.
C. Attackers might target your physical cash for theft.
D. Attackers might use physical access to defeat any of your security technologies.
Question 29. Which one of the following statements about a protection system is FALSE?
A. Both physical and software components may be included.
B. Ideally has multiple layers of defence.
C. Usually has a goal.
D. Will always protect all assets.
Question 30. A long-anticipated PC game is about to be released. An attacker makes a pre-release copy of the game available through a file sharing service via BitTorrent. The game is actually a trojan that will allow the attacker to steal banking information.
What type of attack would you classify this as?
A. Baiting.
B. Phishing.
C. Pre-texting.
D. Quid Pro Quo.
Question 31. A scammer stops people on the street and invites them to take part in a prize draw for Mother's Day. They can participate as long as they provide their full name, date of birth, email address and mother's maiden name.
Which of the following is the best description of this scam?
A. Baiting.
B. Phishing.
C. Pre-texting.
D. Quid Pro Quo.
Question 32. Tech support scams are quite common in New Zealand. These scammers use familiar brand names such as Microsoft, Spark, Vodafone and Chorus. They may call on the phone and will often attempt to get "remote access" to your device. Remote access is when someone can access a computer or a network from another location.
What type of attack would you classify this as?
A. Baiting.
B. Phishing.
C. Pre-texting.
D. Quid Pro Quo.