" />
Home
36.
Impersonation attacks such as Man-in-the-Middle (MITM) attacks in an Internet application can be BEST mitigated using proper
  • A. Configuration Management.
  • B. Session Management.
  • C. Patch Management.
  • D. Exception Management.
Answer : [B]
Explanation :
In an Internet application, managing identities the way it would be possible in an Intranet application is not easy and in some cases infeasible. Internet applications also use stateless protocols such as HTTP or HTTPS, and this requires the management of user sessions.
37.
Implementing Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) protection is a means of defending against
  • A. SQL Injection
  • B. Cross-Site Scripting (XSS)
  • C. Cross-Site Request Forgery (CSRF)
  • D. Insecure cryptographic storage
Answer : [C]
Explanation :
In addition to assuring that the requestor is a human, CAPTCHAs are useful in mitigating CSRF attacks. Since CSRF depends on a pre-authenticated token being in place, using a CAPTCHA as the anti-CSRF token is an effective way of dealing with the inherent XSS problems regarding anti-CSRF tokens, as long as the CAPTCHA image itself is not guessable, predictable or reserved to the attacker.
38.
The findings of a code review indicate that cryptographic operations in code use the Rijndael cipher, which is the original publication of which of the following algorithms?
  • A. Skipjack
  • B. Data Encryption Standard (DES)
  • C. Triple Data Encryption Standard (3DES)
  • D. Advanced Encryption Standard (AES)
Answer : [D]
Explanation :
The Advanced Encryption Standard (FIPS 197) was published as the Rijndael cipher. Software should be designed so that one cryptographic algorithm can be replaced with a stronger one when needed, without much rework and recoding. This is referred to as cryptographic agility.
39.
Which of the following transport layer technologies can BEST mitigate session hijacking and replay attacks in a local area network (LAN)?
  • A. Data Loss Prevention (DLP)
  • B. Internet Protocol Security (IPSec)
  • C. Secure Sockets Layer (SSL)
  • D. Digital Rights Management (DRM)
Answer : [C]
Explanation :
SSL provides disclosure protection, and protection against session hijacking and replay, at the transport layer (layer 4), while IPSec provides confidentiality and integrity assurance operating in the network layer (layer 3). DRM provides some degree of disclosure protection (primarily for intellectual property) and operates in the presentation layer (layer 6), and data loss prevention (DLP) technologies prevent the inadvertent disclosure of data to unauthorized individuals, predominantly those who are external to the organization.
40.
Verbose error messages and unhandled exceptions can result in which of the following software security threats?
  • A. Spoofing
  • B. Tampering
  • C. Repudiation
  • D. Information disclosure
Answer : [D]
Explanation :
Information disclosure is primarily a design issue and is therefore a language-independent problem, although with accidental leakage, many newer high-level languages can worsen the problem by providing verbose error messages that might be helpful to attackers in their information gathering (reconnaissance) efforts. It must be recognized that there is a tricky balance between providing the user with helpful information about errors and preventing attackers from learning about the internal details and architecture of the software. From a security standpoint, it is advisable not to disclose verbose error messages while still providing users with a helpline to get additional support.