WGU C725 Exam Practice Questions and Answers | Latest Update (Graded 100%)
WGU C725 Exam Study Guide 8th Edition Questions and Answers | Latest A+

1. Application Attacks - What type of application vulnerability most directly allows an attacker to modify the contents of a system's memory?
   A. TOC/TOU
   B. Back door
   C. Rootkit
   D. Buffer overflow
   Answer: D. Buffer overflow
   Explanation: Buffer overflow attacks allow an attacker to modify the contents of a system's memory by writing beyond the space allocated for a variable.
   Domain 3: Security Architecture and Engineering, 3.6 Assess and mitigate vulnerabilities in web-based systems

2. Web App Security - What condition is necessary on a web page for it to be used in a cross-site scripting attack?
   A. .NET technology
   B. Database-driven content
   C. Reflected input
   D. CGI scripts
   Answer: C. Reflected input
   Explanation: Cross-site scripting attacks are successful only against web applications that include reflected input.
   Domain 8: Software Development Security, 8.5 Define and apply secure coding guidelines and standards

3. Malicious Code - What worm was the first to cause major physical damage to a facility?
   A. Melissa
   B. RTM
   C. Stuxnet
   D. Code Red
   Answer: C. Stuxnet
   Explanation: Stuxnet was a highly sophisticated worm designed to destroy nuclear enrichment centrifuges attached to Siemens controllers.
   Domain 3: Security Architecture and Engineering, 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

4. Web App Security - You are the security administrator for an e-commerce company and are placing a new web server into production. What network zone should you use?
   A. Intranet
   B. Sandbox
   C. Internet
   D. DMZ
   Answer: D. DMZ
   Explanation: The DMZ (demilitarized zone) is designed to house systems like web servers that must be accessible from both the internal and external networks.
   Domain 8: Software Development Security, 8.2 Identify and apply security controls in development environments

5. Password Attacks - Which one of the following passwords is least likely to be compromised during a dictionary attack?
   A. elppa
   B. dayorange
   C. fsas3alG
   D. mike
   Answer: C. fsas3alG
   Explanation: Except for option C, the choices are forms of common words that might be found during a dictionary attack. "mike" is a name and would be easily detected; "elppa" is simply "apple" spelled backward; and "dayorange" combines two dictionary words. Crack and other utilities can easily see through these "sneaky" techniques. Option C is simply a random string of characters that a dictionary attack would not uncover.
   Domain 3: Security Architecture and Engineering, 3.6 Assess and mitigate vulnerabilities in web-based systems

6. Password Attacks - What technique may be used to limit the effectiveness of rainbow table attacks?
   A. Salting
   B. Hashing
   C. Transport encryption
   D. Digital signatures
   Answer: A. Salting
   Explanation: Salting passwords adds a random value to the password prior to hashing, making it impractical to construct a rainbow table of all possible values.
   Domain 3: Security Architecture and Engineering, 3.6 Assess and mitigate vulnerabilities in web-based systems

7. Reconnaissance Attacks - What type of reconnaissance attack provides attackers with useful information about the services running on a system?
   A. Dumpster diving
   B. Port scan
   C. Session hijacking
   D. IP sweep
   Answer: B. Port scan
   Explanation: Port scans reveal the ports associated with services running on a machine and available to the public.
   Domain 3: Security Architecture and Engineering, 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

8. Password Attacks - Which one of the following tools provides a solution to the problem of users forgetting complex passwords?
   A. Tripwire
   B. Shadow password files
   C. Crack
   D. LastPass
   Answer: D. LastPass
   Explanation: LastPass is a tool that allows users to create unique, strong passwords for each service they use without the burden of memorizing them all.
   Domain 3: Security Architecture and Engineering, 3.6 Assess and mitigate vulnerabilities in web-based systems

9. Malicious Code - Which one of the following techniques is most closely associated with APT (Advanced Persistent Threat) attacks?
   A. Social engineering
   B. Zero-day exploit
   C. SQL injection
   D. Trojan horse
   Answer: B. Zero-day exploit
   Explanation: While an advanced persistent threat (APT) may leverage any of these attacks, APTs are most closely associated with zero-day attacks.
   Domain 3: Security Architecture and Engineering, 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

10. Malicious Code - What HTML tag is often used as part of a cross-site scripting (XSS) attack?
   A. H1
   B. SCRIPT
   C. XSS
   D. HEAD
   Answer: B. SCRIPT
   Explanation: The <SCRIPT> tag is used to indicate the beginning of an executable client-side script and is used in reflected input to create a cross-site scripting attack.
   Domain 3: Security Architecture and Engineering, 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

11. Web App Security - What character should always be treated carefully when encountered as user input on a web form?
   A. '
   B. !
   C. &
   D. *
   Answer: A. ' (single quote)
   Explanation: The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.
   Domain 8: Software Development Security, 8.2 Identify and apply security controls in development environments

12. Malicious Code - What advanced virus technique modifies the malicious code of a virus on each system it infects?
   A. Encryption
   B. Stealth
   C. Polymorphism
   D. Multipartitism
   Answer: C. Polymorphism
   Explanation: In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system.
   Domain 3: Security Architecture and Engineering, 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

13. Application Attacks - Which one of the following types of attacks relies on the difference between the timing of two events?
   A. Land
   B. Fraggle
   C. Smurf
   D. TOCTOU
   Answer: D. TOCTOU
   Explanation: The time-of-check to time-of-use (TOCTOU) attack relies on the timing of the execution of two events.
   Domain 3: Security Architecture and Engineering, 3.6 Assess and mitigate vulnerabilities in web-based systems

14. Malicious Code - What type of virus utilizes more than one propagation technique to maximize the number of penetrated systems?
   A. Multipartite virus
   B. Stealth virus
   C. Companion virus
   D. Polymorphic virus
   Answer: A. Multipartite virus
   Explanation: Multipartite viruses use two or more propagation techniques (for example, file infection and boot sector infection) to maximize their reach.
   Domain 3: Security Architecture and Engineering, 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

15. Web App Security - What database technology, if implemented for web forms, can limit the potential for SQL injection attacks?
   A. Triggers
   B. Concurrency control
   C. Column encryption
   D. Stored procedures
   Answer: D. Stored procedures
   Explanation: Developers of web applications should leverage database stored procedures to limit the application's ability to execute arbitrary code. With stored procedures, the SQL statement resides on the database server and may only be modified by database administrators.
   Domain 8: Software Development Security, 8.5 Define and apply secure coding guidelines and standards

16. Malicious Code - What technology does the Java language use to minimize the threat posed by applets?
   A. Confidentiality
   B. Sandbox
   C. Stealth
   D. Encryption
   Answer: B. Sandbox
   Explanation: The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system.
   Domain 3: Security Architecture and Engineering, 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

17. Masquerading Attacks - When designing firewall rules to prevent IP spoofing, which of the following principles should you follow?
   A. Packets with external source IP addresses don't enter the network from the outside.
   B. Packets with public IP addresses don't pass through the router in either direction.
   C. Packets with internal source IP addresses don't exit the network from the inside.
   D. Packets with internal source IP addresses don't enter the network from the outside.
   Answer: D
   Explanation: Packets with internal source IP addresses should not be allowed to enter the network from the outside because they are likely spoofed.
   Domain 3: Security Architecture and Engineering, 3.6 Assess and mitigate vulnerabilities in web-based systems

18. Web App Security - What is the most effective defense against cross-site scripting attacks?
   A. User authentication
   B. Input validation
   C. Limiting account privileges
   D. Encryption
   Answer: B. Input validation
   Explanation: Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML <SCRIPT> tag in the input.
   Domain 8: Software Development Security, 8.2 Identify and apply security controls in development environments

19. Establishing Database and Data Warehousing - What database technique can be used to prevent unauthorized users from determining classified information by noticing the absence of information normally available to them?
   A. Manipulation
   B. Inference
   C. Aggregation
   D. Polyinstantiation
   Answer: D. Polyinstantiation
   Explanation: Polyinstantiation allows the insertion of multiple records that appear to have the same primary key values into a database at different classification levels.
   Domain 8: Software Development Security, 8.2 Identify and apply security controls in development environments

20. Establishing Database and Data Warehousing - Which of the following acts as a proxy between an application and a database to support interaction and simplify the work of programmers?
   A. ODBC
   B. DSS
   C. Abstraction
   D. SDLC
   Answer: A. ODBC
   Explanation: ODBC acts as a proxy between applications and the backend DBMS.
   Domain 8: Software Development Security, 8.2 Identify and apply security controls in development environments

21. Establishing Database and Data Warehousing - What transaction management principle ensures that two transactions do not interfere with each other as they operate on the same data?
   A. Isolation
   B. Durability
   C. Atomicity
   D. Consistency
   Answer: A. Isolation
   Explanation: The isolation principle states that two transactions operating on the same data must be temporarily separated from each other such that one does not interfere with the other.
   Domain 8: Software Development Security, 8.2 Identify and apply security controls in development environments

22. Introducing Systems Development Controls - Which one of the following is not part of the change management process?
   A. Change control
   B. Configuration audit
   C. Release control
   D. Request control
   Answer: B. Configuration audit
   Explanation: Configuration audit is part of the configuration management process rather than the change control process.
   Domain 8: Software Development Security, 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)

23. Establishing Database and Data Warehousing - Richard believes that a database user is misusing his privileges to gain information about the company's overall business trends by issuing queries that combine data from a large number of records. What process is the database user taking advantage of?
   A. Aggregation
   B. Polyinstantiation
   C. Contamination
   D. Inference
   Answer: A. Aggregation
   Explanation: In this case, the process the database user is taking advantage of is aggregation. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive than the information in individual records would reveal.
   Domain 8: Software Development Security, 8.2 Identify and apply security controls in development environments

24. Introducing Systems Development Controls - What type of chart provides a graphical illustration of a schedule that helps to plan, coordinate, and track project tasks?
   A. PERT
   B. Gantt
   C. Venn
   D. Bar
   Answer: B. Gantt
   Explanation: A Gantt chart is a type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan, coordinate, and track specific tasks in a project.
   Domain 8: Software Development Security, 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)

25. Introducing Systems Development Controls - In what type of software testing does the tester have access to the underlying source code?
   A. Black-box testing
   B. Cross-site scripting testing
   C. Dynamic testing
   D. Static testing
   Answer: D. Static testing
   Explanation: In order to conduct a static test, the tester must have access to the underlying source code.
   Domain 8: Software Development Security, 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)

26. Introducing Systems Development Controls - Which one of the following is not a principle of Agile development?
   A. Pay continuous attention to technical excellence.
   B. Business people and developers work together.
   C. Satisfy the customer through early and continuous delivery.
   D. Prioritize security over other requirements.
   Answer: D. Prioritize security over other requirements.
   Explanation: In Agile, the highest priority is to satisfy the customer through early and continuous delivery of valuable software.
   Domain 8: Software Development Security, 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)

27. Establishing Databases and Data Warehousing - Tom built a database table consisting of the names, telephone numbers, and customer IDs for his business. The table contains information on 30 customers. What is the degree of this table?
   A. Thirty
   B. Undefined
   Answer: Three
   Explanation: The cardinality of a table refers to the number of rows in the table, while the degree of a table is the number of columns.
   Domain 8: Software Development Security, 8.2 Identify and apply security controls in development environments
Written for: Western Governors University, course WGU C725 (WGUC725)
Document information: uploaded on September 15, 2023; 26 pages; written in 2023/2024; type: Exam (elaborations); contains questions & answers