bounds checking - ANSWER - to set a limit on the amount of data we expect to receive to set aside storage for that data
* required in most programming languages
* prevents buffer overflows

race conditions - ANSWER - A type of software development vulnerability that occurs when multiple processes or multiple threads within a process control or share access to a particular resource, and the correct handling of that resource depends on the proper ordering or timing of transactions

input validation - ANSWER - a type of attack that can occur when we fail to validate the input to our applications or take steps to filter out unexpected or undesirable content

format string attack - ANSWER - a type of input validation attack in which certain print functions within a programming language can be used to manipulate or view the internal memory of an application

authentication attack - ANSWER - A type of attack that can occur when we fail to use strong authentication mechanisms for our applications

authorization attack - ANSWER - A type of attack that can occur when we fail to use authorization best practices for our applications

cryptographic attack - ANSWER - A type of attack that can occur when we fail to properly design our security mechanisms when implementing cryptographic controls in our applications

client-side attack - ANSWER - A type of attack that takes advantage of weaknesses in the software loaded on client machines or one that uses social engineering techniques to trick us into going along with the attack

XSS (Cross Site Scripting) - ANSWER - an attack carried out by placing code in the form of a scripting language into a web page or other media that is interpreted by a client browser

XSRF (cross-site request forgery) - ANSWER - an attack in which the attacker places a link on a web page in such a way that it will be automatically executed to initiate a particular activity on another web page or application where the user is currently authenticated

SQL Injection Attack - ANSWER - Attacks against a web site that take advantage of vulnerabilities in poorly coded SQL (a standard and common database software application) applications in order to introduce malicious program code into a company's systems and networks.

clickjacking - ANSWER - An attack that takes advantage of the graphical display capabilities of our browser to trick us into clicking on something we might not otherwise
C836 WGU Study Review with Complete Solutions
server-side attack - ANSWER - A type of attack on the web server that can target vulnerabilities such as lack of input validation, improper or inadequate permissions, or extraneous files left on the server from the development process

Protocol issues, unauthenticated access, arbitrary code execution, and privilege escalation - ANSWER - Name the 4 main categories of database security issues

web application analysis tool - ANSWER - A type of tool that analyzes web pages or web-based applications and searches for common flaws such as XSS or SQL injection flaws, and improperly set permissions, extraneous files, outdated software versions, and many more such items

protocol issues - ANSWER - unauthenticated flaws in network protocols, authenticated flaws in network protocols, flaws in authentication protocols

arbitrary code execution - ANSWER - An attack that exploits an application's vulnerability into allowing the attacker to execute commands on a user's computer.
* arbitrary code execution in intrinsic or securable SQL elements

Privilege Escalation - ANSWER - An attack that exploits a vulnerability in software to gain access to resources that the user normally would be restricted from accessing.
* via SQL injection or local issues

validating user inputs - ANSWER - a security best practice for all software
* the most effective way of mitigating SQL injection attacks

Nikto (and Wikto) - ANSWER - A web server analysis tool that performs checks for many common server-side vulnerabilities & creates an index of all the files and directories it can see on the target web server (a process known as spidering)

Burp Suite - ANSWER - A well-known GUI web analysis tool that offers a free and professional version; the pro version includes advanced tools for conducting more in-depth attacks

fuzzer - ANSWER - A type of tool that works by bombarding our applications with all manner of data and inputs from a wide variety of sources, in the hope that we can cause the application to fail or to perform in unexpected ways

MiniFuzz File Fuzzer - ANSWER - A tool developed by Microsoft to find flaws in file-handling source code

BinScope Binary Analyzer - ANSWER - A tool developed by Microsoft to examine source code for general good practices
SDL Regex Fuzzer - ANSWER - A tool developed by Microsoft for testing certain pattern-matching expressions for potential vulnerabilities

good sources of secure coding guidelines - ANSWER - CERT, NIST 800, BSI, an organization's internal coding guidelines

OS hardening - ANSWER - the process of reducing the number of available avenues through which our OS might be attacked

attack surface - ANSWER - The total of the areas through which our operating system might be attacked

6 main hardening categories - ANSWER -
1. Removing unnecessary software
2. Removing or turning off unessential services
3. Making alterations to common accounts
4. Applying the principle of least privilege
5. Applying software updates in a timely manner
6. Making use of logging and auditing functions

Principle of Least Privilege - ANSWER - states we should only allow a party the absolute minimum permission needed for it to carry out its function

Stuxnet - ANSWER - A particularly complex and impactful item of malware that targeted the Supervisory Control and Data Acquisition (SCADA) systems that run various industrial processes; this piece of malware raised the bar for malware from largely being a virtual-based attack to actually being physically destructive

anti-malware tool - ANSWER - A type of tool that uses signature matching or anomaly detection (heuristics) to detect malware threats, either in real-time or by performing scans of files and processes

heuristics - ANSWER - the process of anomaly detection used by anti-malware tools to detect malware without signatures

executable space protection - ANSWER - A hardware and software-based technology that prevents certain portions of the memory used by the operating system and applications from being used to execute code

buffer overflow (overrun) - ANSWER - The act of inputting more data than an application is expecting from a particular input, creating the possibility of executing commands by specifically crafting the excess data

ASLR (Address Space Layout Randomization) - ANSWER - a security method that involves shifting the contents of memory around to make tampering difficult