Topic: Strategies to prepare for the exam?  (Read 20333 times)


Lasercookie

  • Honorary Moderator
  • ATAR Notes Legend
  • *******
  • Posts: 3167
  • Respect: +326
Re: Strategies to prepare for the exam?
« Reply #30 on: November 10, 2012, 10:17:59 pm »
0
Quote
Hmm, personally, I reckon 'social engineering' is an acceptable answer. Here's my thoughts:

Social Engineering isn't actually testing anything physical.
"the art of manipulating people into performing actions or divulging confidential information."
So it's not actually hacking because nothing is, theoretically, being broken.

For example:
Sending a form to employees asking to fill out all of their credit card details, birth dates, pin numbers and security details. This form is from an 'anonymous' sender with a phony email address like "[email protected]". The sender would be the boss of the company, who will receive the e-mail with all the information. Technically, he hasn't breached any security, he has simply sent a text/html e-mail to the coworkers in an attempt to manipulate them into sending them confidential information.

This would be a form of user testing, I believe.

I'm pretty sure you know this, but going to remind you that you might want to be careful how you use the word physical, in the context of security it'd probably refer to "physical security" - which is a term you wouldn't want to use incorrectly since that's something they might dock marks for. Stuff like cracking a password technically isn't anything physical either :P

Anyway, you could use social engineering as a hacking technique, you could try to procure a password etc. What if it were a hacker sending that email to the employees?

I would say that something has been broken if someone can manipulate the users into leaking confidential information. Say a password, has been leaked, has the network not been breached? Or the information could be a document etc. That's a hole in the network security, is it not?

You would want your users of the network to be aware of phishing attempts and I don't see why that's not something valid to include in an audit. I don't see why you couldn't consider social engineering something to attempt when performing a penetration test.

Going by the assessor report, I don't think what VCAA said for this question would exclude the answer "social engineering".

Quote from: VCAA
Many students discussed a version of ethical hacking to test the security. Students are reminded to use technically correct IT terminology. Many students used terms incorrectly, including white-box, black-box, white/black/grey hat hacker, penetration testing, cracker, etc. Appropriate responses included the techniques of penetration testing or packet sniffing and a technical and accurate description of how the technique works.

Yendall

  • Victorian
  • Forum Leader
  • ****
  • Posts: 808
  • Respect: +38
Re: Strategies to prepare for the exam?
« Reply #31 on: November 10, 2012, 10:33:39 pm »
0
Quote
I'm pretty sure you know this, but going to remind you that you might want to be careful how you use the word physical, in the context of security it'd probably refer to "physical security" - which is a term you wouldn't want to use incorrectly since that's something they might dock marks for. Stuff like cracking a password technically isn't anything physical either

Yeah I meant physical as in like.... virtual physical... hahaha you know what I mean.

Quote
Anyway, you could use social engineering as a hacking technique, you could try to procure a password etc. What if it were a hacker sending that email to the employees?

I agree with you! I wasn't thinking outside the box with this one, I always thought social engineering was only used by internal sources like bosses, employees, managers etc.
When it's outside of a company wouldn't it be classified differently? It doesn't matter though, social engineering seems like a good way to put it in terms of an outsider manipulating staff.
In the example I wrote, a way of preventing this is having a spam filter if it was from an outside source. It's definitely something to consider when undergoing a penetration test.

Quote
I would say that something has been broken if someone can manipulate the users into leaking confidential information. Say a password, has been leaked, has the network not been breached? Or the information could be a document etc. That's a hole in the network security, is it not?

I kind of disagree with you here though. I agree with the document part, that's a breach of security because that document has left/been stolen. However, an employee sharing his password is not a breach of security, that's a personal issue.

If you gave your password to someone else, and they happened to hack the system with it, that's not a problem with security that's a trust issue, is it not?

However yes I do agree with you now.

2013 - 2016: Bachelor of Computer Science @ RMIT
2017 - 2018: Master of Data Science @ RMIT
ΟΟΟΟ
VCE '12: | English | I.T: Applications | I.T: Software Development | Music Performance Solo |  Further Mathematics | Studio Arts |

ldee

  • Guest
Re: Strategies to prepare for the exam?
« Reply #32 on: November 11, 2012, 12:59:17 pm »
0
Okay guys I have been avoiding this thread until I completed the 2011 exam, so having just completed it I thought I would chime in.

Overall, pretty good exam I thought. After marking I believe I would have got between 86-91, just depending on a few poor choices of wording on my behalf and not being sure if examiners would understand. A few things I struggled with:

Multiple choice: Only ones I got wrong were the ones discussed above, 18 and 20. Hopefully the ambiguity is at a limit this year, but we all know that's not going to happen.

Short answer: Question 3, poor explanation in both parts. I basically repeated myself, but now I think I'm good with linking and describing the differences between the code of ethics and decision support framework.

Case study: As discussed above, didn't really know what question 3 was asking us to do. I ended up giving 2/4 for this, because I basically just reworded what I said in the function requirement part as the example.
Question 8, stupid mistake on my behalf. When justifying the use of the queue, I didn't say why you wouldn't use the stack, so I'm guessing that would lose a mark.
Question 13, just poor wording by me. Need to brush up on how to accurately describe UAT. Had the right idea, but just poorly explained.
Question 15, in part b I thought that to measure the suitability, this would be something you do before implementing? Like, interviewing the staff in which training program they would like to participate in, then rendering which one is suitable for their needs. If you measured after, wouldn't this be effectiveness of the program..?

Yendall

  • Victorian
  • Forum Leader
  • ****
  • Posts: 808
  • Respect: +38
Re: Strategies to prepare for the exam?
« Reply #33 on: November 11, 2012, 01:39:46 pm »
0
Question 15: You can measure suitability before implementing, but you must show if the training program is successful or not.

Suitability is defined: "the quality of having the properties that are right for a specific purpose"

A way of testing whether or not the program itself is suitable, and remember we are talking about the training program, is to test whether or not the employees (parking officers) have actually learnt something from this training program. So, in order to successfully juxtapose the effects of the program you could test their knowledge before and after the program has taken place, for example.

I wrote this:

By asking the Parking Officers questions about their understanding of their job or running appropriate tests/questionnaires before and after training sessions, the Council could successfully measure whether or not the training program is effective and has a positive effect on the Parking Officers, thus testing the suitability of the program.

ldee

  • Guest
Re: Strategies to prepare for the exam?
« Reply #34 on: November 11, 2012, 02:53:47 pm »
0
Quote
Question 15: You can measure suitability before implementing, but you must show if the training program is successful or not.

Suitability is defined: "the quality of having the properties that are right for a specific purpose"

A way of testing whether or not the program itself is suitable, and remember we are talking about the training program, is to test whether or not the employees (parking officers) have actually learnt something from this training program. So, in order to successfully juxtapose the effects of the program you could test their knowledge before and after the program has taken place, for example.

I wrote this:

By asking the Parking Officers questions about their understanding of their job or running appropriate tests/questionnaires before and after training sessions, the Council could successfully measure whether or not the training program is effective and has a positive effect on the Parking Officers, thus testing the suitability of the program.

Yeah that's what I thought after reading the assessment report. But I just thought about it logically, in that you wouldn't want to do something and then say "oh let's check if it's suitable", you'd want to do that beforehand. But for the purposes of IT I'll just shut that out haha.

Your answer makes perfect sense. If they had asked for a way to measure the effectiveness of the testing program, that's exactly what I would have written (minus the last part, obviously). But thanks for the response, that's all cleared up now.


Yendall

  • Victorian
  • Forum Leader
  • ****
  • Posts: 808
  • Respect: +38
Re: Strategies to prepare for the exam?
« Reply #35 on: November 11, 2012, 05:22:06 pm »
0
Quote
Yeah that's what I thought after reading the assessment report. But I just thought about it logically, in that you wouldn't want to do something and then say "oh let's check if it's suitable", you'd want to do that beforehand. But for the purposes of IT I'll just shut that out haha.

Your answer makes perfect sense. If they had asked for a way to measure the effectiveness of the testing program, that's exactly what I would have written (minus the last part, obviously). But thanks for the response, that's all cleared up now.

Yeah I know what you mean. But there isn't really any way of seeing whether or not it has worked until you have done it. Obviously you can say before implementing "we wish to implement this to achieve x and y", but in order to test whether x and y were achieved you have to return results. The only way to return credible results is to test whether the program was a success or not, thus using before and after tests, surveys etc.

Yendall

  • Victorian
  • Forum Leader
  • ****
  • Posts: 808
  • Respect: +38
Re: Strategies to prepare for the exam?
« Reply #36 on: November 13, 2012, 01:01:40 pm »
0
Is anyone finding VITTA exams ridiculously difficult? :/

paulsterio

  • ATAR Notes Legend
  • *******
  • Posts: 4803
  • I <3 2SHAN
  • Respect: +430
Re: Strategies to prepare for the exam?
« Reply #37 on: November 13, 2012, 01:02:31 pm »
0
I've always found VITTA quite reasonable.

Yendall

  • Victorian
  • Forum Leader
  • ****
  • Posts: 808
  • Respect: +38
Re: Strategies to prepare for the exam?
« Reply #38 on: November 13, 2012, 01:23:24 pm »
0
Quote
I've always found VITTA quite reasonable.

I just did the Unit 3 Theory test one from 2011, and got 15/20 for multiple-choice :/


Question 2: Name a device that operates only at the physical layer of the OSI model.
A.   Hub
B.   Switch
C.   Router
D.   USB stick

I said USB stick mainly because it cannot have any other function but connect to a port. However, some USB sticks can connect to the internet (i.e. 3G mobile broadband) but how can you determine that a hub only runs at the physical layer of the OSI? Can't you have Ethernet Hubs that transfer actual data? The physical data is only binary and circuit transmission?

Question 9: A program is to be written to store the list of items sold and their characteristics. What would be the most appropriate data structure to use?
A.   An array of records
B.   An array of numbers
C.   A one-dimensional array
D.   A two-dimensional array

Is it always appropriate in a situation like this to choose an array of records?

Question 17: A discount procedure algorithm has the following rules:

Orders over $500 receive a 10% discount and orders over $1000 receive a 10% discount and free postage. Which of the following sets of test data would adequately test the discount procedure?

A.   Order values of $500 & $1000
B.   Order values of $501, $502, $600, $1200
C.   Order values of $500, $501, $1000, $1001 & $1200
D.   Order values of $400, $500, $600, $700, $800, $900, $1000 & $1200

The answer was C, I chose D.

The reason why I chose D is:
  • Must test data <500 to ensure no discounts are included
  • Must test data = 500 to ensure 500 isn't included in the discount (>500)
  • Must test data over 500 to ensure a discount of 10% is given (>500)
  • Must test data under 1000 to ensure it's not included in "free postage" (<1000)
  • Must test data equal to 1000 to ensure it's not included in "free postage" (=1000)
  • Must test data over 1000 to ensure "free postage" is included (>1000)
The test data at C does not wager for <500, so how can it be adequate?


billyjackson768

  • Victorian
  • Trendsetter
  • **
  • Posts: 125
  • Respect: 0
  • School: Echuca College
  • School Grad Year: 2012
Re: Strategies to prepare for the exam?
« Reply #39 on: November 13, 2012, 02:16:19 pm »
+2
Quote
I just did the Unit 3 Theory test one from 2011, and got 15/20 for multiple-choice :/


Question 2: Name a device that operates only at the physical layer of the OSI model.
A.   Hub
B.   Switch
C.   Router
D.   USB stick

I said USB stick mainly because it cannot have any other function but connect to a port. However, some USB sticks can connect to the internet (i.e. 3G mobile broadband) but how can you determine that a hub only runs at the physical layer of the OSI? Can't you have Ethernet Hubs that transfer actual data? The physical data is only binary and circuit transmission?

I see why you could have chosen the USB stick, but as you say, USBs aren't something that's so clear cut. A hub however, due to the nature of how they generally work as opposed to a switch or router, would be a much better answer. As I understand it, what a hub does is just receive a signal in one port. Then without any questioning of its origin or destination it sends it down all the other ports it has connected and leaves the end device to decide if they want that data or not. I think this process may be done with a simple signal splitter and amplifier or repeater, nothing more than circuitry. Whereas a switch is much more intelligent and does a number of other things. Switches keep a table of all connected devices' MAC addresses and only send data labelled with an address down the port to the device with that address (or the device that claims to have that address, address spoofing). Then a router, well, uses TCP/IP to connect to the internet so that's obviously not it.

Quote

Question 9: A program is to be written to store the list of items sold and their characteristics. What would be the most appropriate data structure to use?
A.   An array of records
B.   An array of numbers
C.   A one-dimensional array
D.   A two-dimensional array

Is it always appropriate in a situation like this to choose an array of records?

In a situation like that? I think so. An array of records would have been my answer without even thinking.

Quote
Question 17: A discount procedure algorithm has the following rules:

Orders over $500 receive a 10% discount and orders over $1000 receive a 10% discount and free postage. Which of the following sets of test data would adequately test the discount procedure?

A.   Order values of $500 & $1000
B.   Order values of $501, $502, $600, $1200
C.   Order values of $500, $501, $1000, $1001 & $1200
D.   Order values of $400, $500, $600, $700, $800, $900, $1000 & $1200

The answer was C, I chose D.

The reason why I chose D is:
  • Must test data <500 to ensure no discounts are included
  • Must test data = 500 to ensure 500 isn't included in the discount (>500)
  • Must test data over 500 to ensure a discount of 10% is given (>500)
  • Must test data under 1000 to ensure it's not included in "free postage" (<1000)
  • Must test data equal to 1000 to ensure it's not included in "free postage" (=1000)
  • Must test data over 1000 to ensure "free postage" is included (>1000)
The test data at C does not wager for <500, so how can it be adequate?


Completely agree with you. Testing just on the lower boundary isn't enough. I would think you should also test below. D does have a number of redundant tests though so they obviously intended it to be "more than adequate" but, even without worrying about not going below that lower boundary... C has the $1200 that would be completely unnecessary. Unless by adequate they mean thorough in which case D is definitely a better choice. Who does just one test slightly above the boundary anyways... I test anything I make completely.
« Last Edit: November 13, 2012, 02:18:16 pm by billyjackson768 »

MJRomeo81

  • Part of the furniture
  • *****
  • Posts: 1231
  • Princeps
  • Respect: +167
Re: Strategies to prepare for the exam?
« Reply #40 on: November 13, 2012, 02:28:18 pm »
+1
Quote
Question 2: Name a device that operates only at the physical layer of the OSI model.
A.   Hub
B.   Switch
C.   Router
D.   USB stick
I said USB stick mainly because it cannot have any other function but connect to a port. However, some USB sticks can connect to the internet (i.e. 3G mobile broadband) but how can you determine that a hub only runs at the physical layer of the OSI? Can't you have Ethernet Hubs that transfer actual data? The physical data is only binary and circuit transmission?
Hubs do not read any of the data passing through them and are not aware of their source or destination. Essentially, a hub simply receives incoming packets, possibly amplifies the electrical signal, and broadcasts these packets out to all devices on the network. Switches are typically layer 2 as they are dealing with frames and MAC addresses, routers are layer 3.

Quote
Question 9: A program is to be written to store the list of items sold and their characteristics. What would be the most appropriate data structure to use?
A.   An array of records
B.   An array of numbers
C.   A one-dimensional array
D.   A two-dimensional array
Is it always appropriate in a situation like this to choose an array of records?

It depends on the nature of the item's characteristics. An array can only store one data type, so generally you would want to use a record (e.g. the name of the item (String), number sold (int), etc.). Of course you could define a class of type Object (with different attributes of different types) and store everything in an array as type object, but this is not within the scope of this course. In VCAA exams stick to the array of records for these types of questions.


Quote
Question 17: A discount procedure algorithm has the following rules:

Orders over $500 receive a 10% discount and orders over $1000 receive a 10% discount and free postage. Which of the following sets of test data would adequately test the discount procedure?

A.   Order values of $500 & $1000
B.   Order values of $501, $502, $600, $1200
C.   Order values of $500, $501, $1000, $1001 & $1200
D.   Order values of $400, $500, $600, $700, $800, $900, $1000 & $1200

EDIT. As correctly pointed out below the answer is C.
« Last Edit: November 13, 2012, 03:09:20 pm by MJRomeo81 »
Currently working in the IT Industry as an Oracle DBA (State Government)

Murphy was an optimist

Bachelor of Information Technology @ La Trobe (Melbourne) - Completed 2014
WAM: 91.96
The key, the whole key, and nothing but the key, so help me Codd.

Subjects I tutored during my time at LTU:
CSE2DBF (Database Fundamentals)
CSE1IS (Information Systems)
CSE2DES (System Design Engineering)

Quote
“If I had an hour to solve a problem I'd spend 55 minutes defining the problem and 5 minutes thinking about solutions.”
― Albert Einstein

paulsterio

  • ATAR Notes Legend
  • *******
  • Posts: 4803
  • I <3 2SHAN
  • Respect: +430
Re: Strategies to prepare for the exam?
« Reply #41 on: November 13, 2012, 02:53:26 pm »
+2
Quote
Question 17: A discount procedure algorithm has the following rules:

Orders over $500 receive a 10% discount and orders over $1000 receive a 10% discount and free postage. Which of the following sets of test data would adequately test the discount procedure?

A.   Order values of $500 & $1000
B.   Order values of $501, $502, $600, $1200
C.   Order values of $500, $501, $1000, $1001 & $1200
D.   Order values of $400, $500, $600, $700, $800, $900, $1000 & $1200

It's the rubbish questions like this that make me face palm. I agree in a real world scenario the answer should be D. Sure D may be a little excessive but it does test what happens if you enter something less than 500. To me this is still testing the discount procedure, because I am checking its implementation to ensure that the discount is not incorrectly applied to items less than $500. Whoever wrote this question should take a long hard look at themselves. Disgusting.

I personally disagree, I think the answer should be C, that tests all the ranges of values we have.

1) =< 500
2) 500<x=<1000
3) >1000

Yendall

  • Victorian
  • Forum Leader
  • ****
  • Posts: 808
  • Respect: +38
Re: Strategies to prepare for the exam?
« Reply #42 on: November 13, 2012, 03:02:43 pm »
+1
Quote
Question 17: A discount procedure algorithm has the following rules:

Orders over $500 receive a 10% discount and orders over $1000 receive a 10% discount and free postage. Which of the following sets of test data would adequately test the discount procedure?

A.   Order values of $500 & $1000
B.   Order values of $501, $502, $600, $1200
C.   Order values of $500, $501, $1000, $1001 & $1200
D.   Order values of $400, $500, $600, $700, $800, $900, $1000 & $1200

It's the rubbish questions like this that make me face palm. I agree in a real world scenario the answer should be D. Sure D may be a little excessive but it does test what happens if you enter something less than 500. To me this is still testing the discount procedure, because I am checking its implementation to ensure that the discount is not incorrectly applied to items less than $500. Whoever wrote this question should take a long hard look at themselves. Disgusting.

I personally disagree, I think the answer should be C, that tests all the ranges of values we have.

1) =< 500
2) 500<x=<1000
3) >1000
Actually upon inspection again, I think it might test it properly.
  • "No 10% Discount" (<501) - Tested with 500
  • "10% Discount" (>=501) - Tested with 501
  • "Postage" (<1001)- Tested with 1000
  • "No Postage and 10% Discount" (>=1001) - Tested with 1001 and 1200

What annoys me is "1200" which leads me to believe "400" should be tested as well to ensure complete accuracy, which is why D would be suitable. But I guess this works adequately as well.

MJRomeo81

  • Part of the furniture
  • *****
  • Posts: 1231
  • Princeps
  • Respect: +167
Re: Strategies to prepare for the exam?
« Reply #43 on: November 13, 2012, 03:05:04 pm »
0
Oh I see. I guess they also said "adequately" as well. I think I missed the part where it said over 500. Fair enough.
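
Added example (not written by any poster in this thread): the Question 17 argument can be checked mechanically by running each answer option against the stated rule and against a few faulty versions of it, then listing which faulty versions no test value exposes. It assumes whole-dollar order values and reads option D's "&1000" as $1000; the six faulty rules and all function names are constructed for illustration.

```python
from typing import Callable, Dict, List, Tuple

Outcome = Tuple[int, bool]          # (discount percent, free postage)
Rule = Callable[[int], Outcome]


def reference(order: int) -> Outcome:
    """The rule as quoted in Question 17: over $500 gets 10% off,
    over $1000 gets 10% off and free postage."""
    return (10 if order > 500 else 0, order > 1000)


# Constructed faulty implementations ("mutants"), each a plausible coding slip.
MUTANTS: Dict[str, Rule] = {
    "discount at >= 500": lambda v: (10 if v >= 500 else 0, v > 1000),
    "discount at > 501": lambda v: (10 if v > 501 else 0, v > 1000),
    "postage at >= 1000": lambda v: (10 if v > 500 else 0, v >= 1000),
    "postage at > 1001": lambda v: (10 if v > 500 else 0, v > 1001),
    "discount on every order": lambda v: (10, v > 1000),
    "discount lost above 1000": lambda v: (10 if 500 < v <= 1000 else 0, v > 1000),
}

# Answer options A-D as listed in the thread.
OPTIONS: Dict[str, List[int]] = {
    "A": [500, 1000],
    "B": [501, 502, 600, 1200],
    "C": [500, 501, 1000, 1001, 1200],
    "D": [400, 500, 600, 700, 800, 900, 1000, 1200],
}


def surviving_mutants(values: List[int]) -> List[str]:
    """Faulty rules that give the reference outcome for every test value,
    i.e. the bugs this test set would fail to detect."""
    return [name for name, rule in MUTANTS.items()
            if all(rule(v) == reference(v) for v in values)]


def redundant_values(values: List[int]) -> List[int]:
    """Test values that can be dropped (one at a time) without letting
    any additional faulty rule go undetected."""
    baseline = set(surviving_mutants(values))
    return [v for v in values
            if set(surviving_mutants([w for w in values if w != v])) == baseline]


if __name__ == "__main__":
    for label, values in OPTIONS.items():
        print(f"{label}: {values}")
        print(f"   undetected faults: {surviving_mutants(values) or 'none'}")
        print(f"   redundant values:  {redundant_values(values) or 'none'}")
```

Under these assumptions option C lets no faulty rule through and only its $1200 is redundant; option D detects a discount wrongly applied below $500 through its $500 value, so $400 adds nothing, but it misses the two faults that only $501 and $1001 expose.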

Yendall

  • Victorian
  • Forum Leader
  • ****
  • Posts: 808
  • Respect: +38
Re: Strategies to prepare for the exam?
« Reply #44 on: November 13, 2012, 03:09:24 pm »
0
A little off-topic:

Are we required to have an extensive knowledge of all layers of the OSI Model? Also do we need to memorise the protocol stack in regards to TCP/IP and know the functions of each layer?