Page | 1
C836/D430 WGU Fundamentals of
Information Security Questions with
Detailed Verified Answers
bounds checking Ans: to set a limit on the amount of data we
expect to receive to set aside storage for that data
*required in most programming languages
* prevents buffer overflows
race conditions Ans: A type of software development vulnerability
that occurs when multiple processes or multiple threads within a
process control or share access to a particular resource, and the
correct handling of that resource depends on the proper ordering
or timing of transactions
input validation Ans: a type of attack that can occur when we fail
to validate the input to our applications or take steps to filter out
unexpected or undesirable content
format string attack Ans: a type of input validation attacks in
which certain print functions within a programming language can
be used to manipulate or view the internal memory of an
application
authentication attack Ans: A type of attack that can occur when
we fail to use strong authentication mechanisms for our
applications
, Page | 2
authorization attack Ans: A type of attack that can occur when
we fail to use authorization best practices for our applications
cryptographic attack Ans: A type of attack that can occur when
we fail to properly design our security mechanisms when
implementing cryptographic controls in our applications
client-side attack Ans: A type of attack that takes advantage of
weaknesses in the software loaded on client machines or one that
uses social engineering techniques to trick us into going along with
the attack
XSS (Cross Site Scripting) Ans: an attack carried out by placing
code in the form of a scripting language into a web page or other
media that is interpreted by a client browser
XSRF (cross-site request forgery) Ans: an attack in which the
attacker places a link on a web page in such a way that it will be
automatically executed to initiate a particular activity on another
web page or application where the user is currently
authenticated
SQL Injection Attack Ans: Attacks against a web site that take
advantage of vulnerabilities in poorly coded SQL (a standard and
common database software application) applications in order to
introduce malicious program code into a company's systems and
networks.
clickjacking Ans: An attack that takes advantage of the graphical
display capabilities of our browser to trick us into clicking on
something we might not otherwise
, Page | 3
server-side attack Ans: A type of attack on the web server that
can target vulnerabilities such as lack of input validation, improper
or inadequate permissions, or extraneous files left on the server
from the development process
Protocol issues, unauthenticated access, arbitrary code
execution, and privilege escalation Ans: Name the 4 main
categories of database security issues
web application analysis tool Ans: A type of tool that analyzes
web pages or web-based applications and searches for common
flaws such as XSS or SQL injection flaws, and improperly set
permissions, extraneous files, outdated software versions, and
many more such items
protocol issues Ans: unauthenticated flaws in network protocols,
authenticated flaws in network protocols, flaws in authentication
protocols
arbitrary code execution Ans: An attack that exploits an
applications vulnerability into allowing the attacker to execute
commands on a user's computer.
* arbitrary code execution in intrinsic or securable SQL elements
Privilege Escalation Ans: An attack that exploits a vulnerability in
software to gain access to resources that the user normally would
be restricted from accessing.
* via SQL injection or local issues
validating user inputs Ans: a security best practice for all software
, Page | 4
* the most effective way of mitigating SQL injection attacks
Nikto (and Wikto) Ans: A web server analysis tool that performs
checks for many common server-side vulnerabilities & creates an
index of all the files and directories it can see on the target web
server (a process known as spidering)
burp suite Ans: A well-known GUI web analysis tool that offers a
free and professional version; the pro version includes advanced
tools for conducting more in-depth attacks
fuzzer Ans: A type of tool that works by bombarding our
applications with all manner of data and inputs from a wide
variety of sources, in the hope that we can cause the application
to fail or to perform in unexpected ways
MiniFuzz File Fuzzer Ans: A tool developed by Microsoft to find
flaws in file-handling source code
BinScope Binary Analyzer Ans: A tool developed by Microsoft to
examine source code for general good practices
SDL Regex Fuzzer Ans: A tool developed by Microsoft for testing
certain pattern-matching expressions for potential vulnerabilities
good sources of secure coding guidelines Ans: CERT, NIST 800, BSI,
an organization's internal coding guidelines
OS hardening Ans: the process of reducing the number of
available avenues through which our OS might be attacked
C836/D430 WGU Fundamentals of
Information Security Questions with
Detailed Verified Answers
bounds checking Ans: to set a limit on the amount of data we
expect to receive to set aside storage for that data
*required in most programming languages
* prevents buffer overflows
race conditions Ans: A type of software development vulnerability
that occurs when multiple processes or multiple threads within a
process control or share access to a particular resource, and the
correct handling of that resource depends on the proper ordering
or timing of transactions
input validation Ans: a type of attack that can occur when we fail
to validate the input to our applications or take steps to filter out
unexpected or undesirable content
format string attack Ans: a type of input validation attacks in
which certain print functions within a programming language can
be used to manipulate or view the internal memory of an
application
authentication attack Ans: A type of attack that can occur when
we fail to use strong authentication mechanisms for our
applications
, Page | 2
authorization attack Ans: A type of attack that can occur when
we fail to use authorization best practices for our applications
cryptographic attack Ans: A type of attack that can occur when
we fail to properly design our security mechanisms when
implementing cryptographic controls in our applications
client-side attack Ans: A type of attack that takes advantage of
weaknesses in the software loaded on client machines or one that
uses social engineering techniques to trick us into going along with
the attack
XSS (Cross Site Scripting) Ans: an attack carried out by placing
code in the form of a scripting language into a web page or other
media that is interpreted by a client browser
XSRF (cross-site request forgery) Ans: an attack in which the
attacker places a link on a web page in such a way that it will be
automatically executed to initiate a particular activity on another
web page or application where the user is currently
authenticated
SQL Injection Attack Ans: Attacks against a web site that take
advantage of vulnerabilities in poorly coded SQL (a standard and
common database software application) applications in order to
introduce malicious program code into a company's systems and
networks.
clickjacking Ans: An attack that takes advantage of the graphical
display capabilities of our browser to trick us into clicking on
something we might not otherwise
, Page | 3
server-side attack Ans: A type of attack on the web server that
can target vulnerabilities such as lack of input validation, improper
or inadequate permissions, or extraneous files left on the server
from the development process
Protocol issues, unauthenticated access, arbitrary code
execution, and privilege escalation Ans: Name the 4 main
categories of database security issues
web application analysis tool Ans: A type of tool that analyzes
web pages or web-based applications and searches for common
flaws such as XSS or SQL injection flaws, and improperly set
permissions, extraneous files, outdated software versions, and
many more such items
protocol issues Ans: unauthenticated flaws in network protocols,
authenticated flaws in network protocols, flaws in authentication
protocols
arbitrary code execution Ans: An attack that exploits an
applications vulnerability into allowing the attacker to execute
commands on a user's computer.
* arbitrary code execution in intrinsic or securable SQL elements
Privilege Escalation Ans: An attack that exploits a vulnerability in
software to gain access to resources that the user normally would
be restricted from accessing.
* via SQL injection or local issues
validating user inputs Ans: a security best practice for all software
, Page | 4
* the most effective way of mitigating SQL injection attacks
Nikto (and Wikto) Ans: A web server analysis tool that performs
checks for many common server-side vulnerabilities & creates an
index of all the files and directories it can see on the target web
server (a process known as spidering)
burp suite Ans: A well-known GUI web analysis tool that offers a
free and professional version; the pro version includes advanced
tools for conducting more in-depth attacks
fuzzer Ans: A type of tool that works by bombarding our
applications with all manner of data and inputs from a wide
variety of sources, in the hope that we can cause the application
to fail or to perform in unexpected ways
MiniFuzz File Fuzzer Ans: A tool developed by Microsoft to find
flaws in file-handling source code
BinScope Binary Analyzer Ans: A tool developed by Microsoft to
examine source code for general good practices
SDL Regex Fuzzer Ans: A tool developed by Microsoft for testing
certain pattern-matching expressions for potential vulnerabilities
good sources of secure coding guidelines Ans: CERT, NIST 800, BSI,
an organization's internal coding guidelines
OS hardening Ans: the process of reducing the number of
available avenues through which our OS might be attacked
