When & Where

The third exam will be held in our regular classroom on Monday, December 1, 2025.

It will take up about half the lecture, starting approximately during the second half of the class period. Please arrive on time and do not plan on coming in just to take the exam. If you arrive after the exam has started, you will not be allowed to take it.

Exam rules

Be sure to arrive on time. If you arrive after the exam starts, you will not be allowed to take it.

This will be a closed book, closed notes exam. Calculators, phones, augmented reality glasses, laptops, and tablets are neither needed nor permitted. If you have these devices, you must turn them off, put them out of sight, and not access them for the duration of the exam.

No other electronic devices are permitted except for hearing aids, pacemakers, electronic nerve stimulators, other implanted medical devices, or electronic watches that function only as timekeeping devices or chronographs.

Bring a couple of pens or pencils with you. Plan to use a pen only if you are supremely confident in not changing your mind about your answers. . Check here for information about pencils, sharpeners, and the craft of pencil sharpening.

Past exams

You can use my past exams as a guide to what this exam may look like, but realize there are differences in topics and in the sequencing of the topics. Expect around 25 multiple-choice questions. I do not refer to old exams when I come up with a new one, so it is likely that many of the topics that I considered important in past exams will show up on future exams. Some material may have changed, however, so do not worry about questions that appear to relate to topics we have not covered.

Get past 419 exams here.

Study guide

You are responsible for the material from the first four lectures and recitations.

I've prepared a study guide that attempts to cover most of the material you should know. It is not a substitute for the lectures, lecture material, and other reading matter. All the material may not be in the guide. My goal is to put most of the information you need to know a concise with fewer elaborations. You can also prepare your own guide, which would be a great way to prepare for the exam.

→ Get the study guide

Topics

Topics that you should know and may be on the exam include:

Malware

• General ideas behind how malware operates, spreads, hides, and communicates.

• Understand how to classify malware, how it gains access, how it persists, and how defenders detect or block it.

• Do not try to memorize long technical lists; focus on concepts and why they work.

• Malware types and functions

  • Virus vs. worm

  • Ransomware, spyware, keyloggers, wipers, information stealers, backdoors, RATs

  • Bots and botnets; what they are used for

  • Rootkits at a high level (user mode, kernel mode, and why hypervisor-level rootkits are powerful)

• Exploits and entry vectors

  • Zero-day, N-day, and zero-click exploits

  • Drive-by downloads, malicious attachments, macro malware

  • Social engineering, phishing variants, domain deception (typosquatting, combosquatting, homograph attacks), malicious QR codes

  • Credential stuffing and stolen credentials

  • Supply chain attacks

  • USB attacks: dropped drives, malicious firmware, keystroke-injection devices

  • High-level idea of compiler subversion (Reflections on Trusting Trust)

• Where malware hides and how it persists

  • Startup mechanisms (registry keys, Launch Agents/Daemons, cron/systemd)

  • Bootkits and boot-sector infections

  • Backdoors and remote-access tools

  • Rootkits and basic evasion goals

• Information gathering and covert leakage

  • Keyloggers and information-stealing tools

  • Basic side-channel ideas (such as LED-based exfiltration)

  • Covert communication over DNS at a conceptual level

• Command and control

  • Direct C2 over HTTPS

  • Use of cloud services or social platforms for C2

  • DNS tunneling for low-bandwidth communication

  • Peer-to-peer C2 and why it is resilient

  • Periodic beaconing to blend with normal update traffic

  • Evasion techniques (domain fronting, fast flux, VPN/proxy routing)

• Evasion and anti-analysis techniques

  • Crypters, packers, and the goal of obfuscation

  • Polymorphic vs. metamorphic mutation at a high level

  • Sandbox, VM, and debugger detection

  • Delayed execution and trigger-based activation

• Defenses

  • Signature-based, heuristic, and behavioral detection

  • Sandboxing as a containment and analysis tool

  • Least privilege and removing admin rights

  • Containerization and isolation techniques

  • Honeypots as early-warning and observation systems

  • The general purpose of SPF, DKIM, and DMARC (no need to memorize details)

• You do not need to memorize:

  • Acronyms like DGA or LoTL

  • Fileless malware internals or OS-specific paths

  • AutoRun specifics, JavaScript-based attacks, and repository-level compromises

  • Virtualization tricks such as Blue Pill/Red Pill

  • Historical case studies like Stuxnet

  • Vendor-specific tools or configuration details

Network Security

• Understand why many network protocols were built on trust, how attackers exploit those assumptions, and the general idea behind common defenses.

• Focus on conceptual mechanisms rather than packet layouts or configuration details.

• Concentrate on the vulnerability and why the defense works.

• Link-layer attacks

  • CAM overflow: limited table size causes fallback to flooding

  • ARP cache poisoning (ARP spoofing): no authentication, unsolicited replies accepted

  • VLAN hopping: trunk negotiation abuse or double-tagging

  • DHCP starvation and rogue servers: clients trust the first response

  • How managed switches enforce policies like port security, DHCP snooping, and Dynamic ARP Inspection

• Network-layer issues

  • IP spoofing and how it enables concealment and reflection

  • Router attacks: denial of service, route table poisoning, malware installation

  • BGP hijacking: Autonomous Systems, prefix (route) advertisements, more-specific-prefix preference

• Transport-layer attacks

  • TCP session hijacking with predictable sequence numbers

  • SYN flooding and backlog exhaustion

  • TCP reset attacks via forged RST packets

  • UDP spoofing and its use in reflection and impersonation

• DNS security issues

  • DNS pharming via altered DNS settings or compromised infrastructure

  • DNS cache poisoning by racing resolvers with forged replies

  • That DNSSEC provides authentication of DNS data (not encryption)

  • DNS rebinding and how browsers can be tricked into reaching internal systems

  • Risks from abandoned or misconfigured DNS delegations

• Distributed denial of service (DDoS)

  • Volumetric attacks, packet-per-second floods, and application-layer request floods

  • Reflection and amplification: attackers spoof the victim and trigger larger responses

  • Common amplification sources to be aware of: open DNS resolvers, NTP, and memcached

  • Botnets and why IoT devices expand attack capacity

• Key themes

  • Many protocols lack authentication by design

  • Spoofing and resource asymmetry drive many attacks

  • DNS and BGP weaknesses spread across the Internet

  • Effective defense requires layered protections

• You do not need to memorize:

  • Details of RPKI, ROAs, or BGPsec

  • Packet formats or header fields

  • Vendor-specific switch or router configuration

  • DNSSEC record types

  • Historical case studies

VPNs

• Understand why the Internet’s core protocols lack strong security and how VPNs provide confidentiality, integrity, and authenticated endpoints over untrusted networks.

• Focus on what VPNs do and how they are used, not low-level cryptographic or negotiation details.

• Do not memorize protocol internals, algorithm names, or implementation-specific mechanisms.

• Why VPNs exist

• TLS vs. VPNs

• What is a VPN?

• VPN deployment models

  • Site-to-site VPNs connecting private networks

  • Remote-access VPNs for off-site users

  • Consumer “privacy VPNs” routing all user traffic through a provider

• Tunneling concepts

  • Packet encapsulation

  • Use of virtual interfaces such as TUN for IP-layer tunneling

• IPsec (conceptual overview only)

  • High-level idea: protects IP traffic with encryption, integrity, and authentication

  • Difference between transport mode and tunnel mode

  • What the Authentication Header (AH) provides integrity vs. what the Encapsulating Security Payload (ESP) provides

• OpenVPN

  • Runs in user space and uses TUN interfaces

  • Uses TLS for authentication and key negotiation

  • Encrypts all traffic flowing through the tunnel

  • Flexible in protocol choice (TCP or UDP) and port usage

• WireGuard

  • Designed with a small, auditable codebase

  • Uses a fixed modern cryptographic suite (details not required for the exam)

  • No cipher negotiation; intentionally minimal design

  • Efficient key handling and very low protocol overhead

• VPN security limitations

  • VPNs secure traffic only between the tunnel endpoints

  • Malware on endpoints can still inspect traffic

  • Privacy VPNs require trusting the provider with exit traffic

  • VPNs do not provide anonymity if identification occurs at higher layers

• VPN performance factors

  • CPU overhead from encryption and decryption

  • Tunnel encapsulation overhead and context switching

  • Latency introduced by routing through VPN endpoints

  • WireGuard generally performs better due to its streamlined design

• You do not need to memorize:

  • AEAD mode names such as AES-GCM or ChaCha20-Poly1305

  • Details of IKE or how it negotiates keys

  • NAT-Traversal (NAT-T) mechanisms

  • Specific algorithms used by WireGuard

  • Internal packet formats of AH, ESP, TLS, or OpenVPN

  • Vendor-specific commands or configuration syntax

  • IKE (Internet Key Exchange, used by IPsec, which uses Diffie-Hellman); MOBIKE (mentioned in the lecture notes)

Firewalls

• General purpose of firewalls and why networks need them

• How NAT interacts with firewalls and why NAT blocks unsolicited inbound traffic

• Packet filtering

  • What packet filters examine (IP addresses, ports, protocol, flags)

  • Why rule order matters

  • Ingress and egress filtering

• Stateful firewalls

  • What connection state means

  • What stateful inspection adds beyond stateless filtering

• Security zones and DMZs

  • Purpose of a DMZ as an isolated zone for Internet-facing systems

  • Typical systems placed in a DMZ (public web servers, mail gateways, reverse proxies)

• Network segmentation and why it limits lateral movement

• Deep Packet Inspection (DPI)

  • Ability to look above Layer 4

  • Limits when traffic is encrypted

• Deep Content Inspection

• IDS vs IPS

  • Signature-based, protocol-based, and anomaly-based detection

  • Strengths and weaknesses at a high level

• Next-Generation Firewalls (NGFWs)

  • Application awareness (sort of)

  • Identity-based and policy-based filtering

• Application proxies

  • Why terminating connections allows more powerful inspection

• Host-based firewalls and their role alongside network firewalls

• Zero Trust

  • What's meant by zero trust?

  • Application to firewalling

  • Microsegmentation as fine-grained internal isolation

• Defense in depth: firewalls as one layer among many

• You do not need to memorize:

  • Vendor feature sets or rule syntax

  • Proprietary detection engines or configuration steps

Web Security

• Focus on the major threats we covered in class: XSS, CSRF, CORS, session handling issues, cookie flags, clickjacking, input sanitization, and common deception techniques.

• You are not expected to memorize niche attacks, low-level browser behaviors, or security headers we did not emphasize.

• Understand the high-level browser security model rather than implementation details.

• Core browser concepts

  • Same-Origin Policy, SOP (what it restricts, why it exists)

  • What HTTPS protects and what it does not protect

• Cookies and session management

  • Purpose of cookies

  • HttpOnly and Secure flags

  • Session hijacking and fixation at a conceptual level

• CORS

  • What is it and why it exists

  • Why browsers block cross-origin responses without CORS

  • High-level idea of preflight checks

• Input sanitization

  • Why server-side validation is essential

  • Why client-side validation is insufficient

• Cross-Site Scripting (XSS)

  • Reflected and stored (persistent) XSS

  • Why input sanitization and output encoding are necessary defenses

• Cross-Site Request Forgery (CSRF)

  • Why SOP does not prevent CSRF

  • Why sites relying solely on cookies are vulnerable

  • Anti-CSRF tokens and SameSite cookies as conceptual defenses

• Clickjacking

  • High-level idea of UI redressing

  • You don't need to know X-Frame-Options / frame-ancestors

• Tracking and deception

  • Tracking pixels and how they reveal user or email activity

  • Typosquatting and combosquatting (covered earlier in malware)

• You do not need to memorize:

  • MIME sniffing attacks

  • Screen-sharing or tab-switch spoofing attacks

  • WebAssembly details

  • CSP directive syntax or detailed configuration

  • Full CORS header list or preflight structure

  • Full set of cookie attributes beyond HttpOnly, Secure, and SameSite

  • Internal browser mechanisms (event loops, parser quirks, preload scanners)

  • TLS handshake behavior

  • Specific iframe sandbox attributes

  • DOM-based XSS

  • SSRF details (covered minimally; not required for exam)

  • Fingerprinting techniques beyond the idea that they exist

  • Any niche or historical browser quirks not covered explicitly

Last update: Wed Nov 26 14:28:32 2025