CSIA 310 Study Guide Flashcards


created 4 years ago by Ash4249
Internet Security: How to Defend Against Attackers on the Web Chapters 9 - 15
updated 4 years ago by Ash4249

1

9-1. Because it's a perimeter defense strategy, a firewall is not a critical element for cardholder data security.

B. False

2

9-2. You are tasked with designing a security policy for cardholder data. Which of the following are recommended security strategies for cardholder data?

A. Verify that data is retained for a limited period of time

B. Verify that data is disposed of properly

C. Verify that passwords are encrypted during transmission

3

9-3. Use WEP to secure communications sent over a wired network.

B. False

4

9-4. Which of the following elements are typically examined during a PCI DSS Security Assessment?

A. Firewalls

B. Network hardware

5

9-5. When credit card transactions are handled in __________, receipts are often collected over a day or week and then sent in as multiple sets of information.

Batch processing

6

9-6. PCI DSS is a set of standards designed to help organizations that process credit card payments prevent fraud by having increased control over data and its exposure.

A. True

7

9-7. When credit card transactions are handled in __________, a consumer's credit card is charged immediately to complete a purchase.

Real-time processing

8

9-8. You are attempting to synchronize your Web server to online timekeeping. Which of the following protocols is responsible for managing system time?

C. NTP

9

9-9. Which of the following firewall considerations are recommended by the PCI Security Standards Council?

B. Block unused ports

C. Use host-based firewall systems on mobile computers

D. Conduct periodic reviews of firewall and router set rules

10

9-10. Merchants should develop a two-factor authentication scheme to protect access to cardholder data.

A. True

11

10-1. The bounce rate identifies the percentage of people who leave your site from the page they initially visited.

A. True

12

10-2. You recently developed an application. In which SDLC stages would the application likely be in just prior to being released to the production environment?

A. RC1

D. Beta

13

10-3. Recovery testing analyzes how an application manages the aftermath of failures and crashes.

A. True

14

10-4. As a software developer, you have recently coded a security patch to a Web application. Which of the following might you do after finishing the patch?

A. Perform a regression test

15

10-5. You have completed an application and now you wonder if it will work with both the Microsoft Internet Explorer and Mozilla Firefox Web browsers. Which of the following tests might you perform?

C. Compatibility test

16

10-6. __________ incorporates features of black and white box testing.

Gray box testing

17

10-7. Regulations are not set by organizations but by applicable laws.

A. True

18

10-8. You are using a testing mechanism that looks at the input and output of an application to determine potential problems. Which mechanisms may be in use?

A. Black box testing

B. White box testing

C. Gray box testing

19

10-9. Which of the following is often developed by first creating a risk analysis?

C. Security policies

20

14-10. Which of the following professions are concerned with managing database security, such as the list of users who have access to all or part of the database?

A. Network architect

21

11-1. The "percentage of vulnerabilities not found" metric is a useful way of reporting assessment data.

B. False

22

11-2. How many tiers are commonly used for Web sites?

C. 3

23

11-3. The act of fixing vulnerabilities or findings resulting from an assessment is known as __________.

Remediation

24

11-4. Which of the following activities are considered parts of a Web server OS assessment?

B. Identifying the patches and updates that have been installed

C. Identify the services and ports that are active

25

11-5. Ping sweeps are part of what process?

B. Discovery

26

11-6. Web site forms and user input fields are often attacked using cross-site scripting.

A. True

27

11-7. Which section of the assessment report is intended to be a high-level briefing of the findings?

D. Executive summary

28

11-8. An in-depth security assessment of a Web server application includes performing which of the following?

C. A source code review

29

11-9. SQL __________ is an attempt to manipulate a database by inserting commands into a field or URL.

Injection

30

11-10. Nmap's primary features include which of the following?

B. OS fingerprinting

C. Port scanning

E. Ping sweeps

31

11-11. What is the purpose of exploiting a vulnerability or flaw in a system to gain access to resources not otherwise available to the attacker or tester?

C. Privilege escalation

32

11-12. OWASP is the organization known for developing secure application development standards and practices.

A. True

33

11-13. Nessus uses thousands of __________ to identify vulnerabilities associated with services, applications, and operating systems.

Plug-ins

34

11-14. Which attack involves exploring the files and folders of a Web server by manipulating URLs?

D. Directory traversal attacks

35

11-15. Unauthenticated scanning requires the scanner logging onto the systems being accessed.

B. False

36

12-1. Which two security risks apply to IM chatting?

B. Possible data compromise

C. Virus and malware

37

12-2. 3G networks use packet-switching to route voice calls.

B. False

38

12-3. __________ is a form of messaging used to share pictures, text pages, and ringtones.

MMS

39

12-4. 4G network speeds are comparable to DSL and cable modem Internet services.

A. True

40

12-5. Which of the following risks does not apply to Internet browsing?

B. Physical theft

41

12-6. __________ is the threat related to voice communications and involves an unauthorized party listening in to conversations.

Eavesdropping

42

12-7. The term endpoint is typically used to describe what type of device?

B. A device with server capabilities

43

12-8. What is the minimum strength recommended for whole-device encryption?

D. There is no minimum

44

12-9. The term __________ describes the merging of various types of devices and technologies into a common single form.

Convergence

45

12-10. Which two controls provide physical security for devices?

B. Locking the device

C. Remote erasure

46

12-11. A hand off, or transfer of communications from one cell to another, was a significant factor regarding the mobility and popularity of cellular phones.

A. True

47

12-12. Which form of communication is compatible across nearly all cellular networks and is widely considered to be the most often used communication method, by quantity, on today's phones?

A. SMS texting

48

12-13. Which of these mobile risks are included among the OWASP Top 10?

A. Weak server-side controls

B. Poor authorization and authentication

D. Client-side injection

49

12-14. The OWASP mobile security risk "Security Decisions Via Untrusted Inputs" refers to what unsecure practice?

B. Making security decisions on potentially untrusted sources

50

12-15. What are two popular ways that Web sites arrange a session?

A. By creating cookies

D. By creating a random string of characters in the URL or Web address

51

13-1. When information is temporarily kept at one or more middle points during transmission, that technique is called __________ communication.

Store-and-forward

52

13-2. Which of the following describes multiple points of presence (MPOP)?

B. Aggregating presence information from multiple applications or devices

53

13-3. Phishing, social engineering, and 419 scams are some of the threats encountered when using __________.

E-mail

54

13-4. Messaging or chatting on social networking sites can be considered very private and secure.

B. False

55

13-5. Why are PBXs an attractive target to attackers?

A. Several services depend on the PBX's operation

B. Numerous protocols are involved

56

13-6. Store-and-forward communication is preferred over real-time communication in which environments?

A. When delivery is unreliable

B. When the destination is not always available

57

13-7. Which areas of concern are associated with SMS vulnerabilities?

B. Integrity

C. Confidentiality

58

13-8. SMS and MMS are primarily the same service apart from the addition of multimedia with MMS.

B. False

59

13-9. Protocols such as SIP, H.323, MGCP, IP, and RTP are encountered when discussing which of the following?

C. VoIP

60

13-10. This chapter discussed which issues brought on by adding VoIP devices to an organization?

A. Performance issues: significantly more network traffic

B. Security issues: new attack vectors and more vulnerabilities to deal with

61

13-11. A networking method of segregating VoIP traffic from data traffic is __________.

VLANs

62

13-12. Select one way SIP does not assist with establishing a multimedia connection.

D. User distance

63

13-13. SIP manages multimedia sessions with features similar to how the telephone system dials, rings, and manages responses from phones.

A. True

64

13-14. The SIP session request and response messages are formed similarly to __________ messages.

C. HTTP

65

14-1. Data typically refers to RAW unorganized facts.

A. True

66

14-2. A SQL server database is an example of a relational database.

B. True

67

14-3. The TOR browser is used to access which of the following?

C. Deep web

68

14-4. Which of the following represents a mindset whereby programming is done with a clear understanding of current threats and how these threats potentially impact overall security?

C. Defensive programming

69

14-5. Which of the following professions are concerned with the back-end development of a Web site and will incorporate appropriate security measures from initial concept to completion?

B. Web developer

70

14-6. A(n) __________ is a set of instructions understood by the computer allowing it to perform predetermined functions.

A. Program

71

14-7. Which of the following are open-source programming languages?

B. Perl

C. PHP

72

14-8. __________ refers to the systems and processes used to ensure technology helps meet an organization's goals.

C. Governance

73

14-9. Certification courseware and training materials are focused and directed, but degree programs often require elective courses that are not always related to the specific area of IT.

A. True

74

14-10. Which of the following professions are concerned with managing database security, such as the list of users who have access to all or part of the database?

A. Network architect

75

15-1. Which organization provides incident response support for the federal government?

C. US-CERT

76

15-2. Which organizations investigate Internet crime?

B. IC3

C. ECTFs

77

15-3. Which of the following standards are governed by NIST?

A. Advanced Encryption Standard (AES)

C. The United States Government Configuration Baseline

78

15-4. Which of the following are (ISC)2 qualifications?

B. CISSP

C. CISSP-ISSEP

E. CSSLP

79

15-5. You must pass an exam to become an (ISC)2 Associate.

A. True

80

15-6. Which certification organization is not approved under DoD Directive 8750?

D. FLETC

81

15-7. What is the purpose of open proxy honeypots in relation to Internet-based Web attacks?

A. Silently record for later analysis

82

15-8. Roughly how many site reviews were used to generate the most recent WASC Web Security Report?

B. 10,000

83

15-9. ISO 17024 is the international standard for which of the following?

D. Certification programs for personal competence

84

15-10. The National Institute of Standards and Technology (NIST) represents the United States in the International Standards Organization.

B. False