10 - Software Development Security Flashcards
1
Q
- When security is increased, what is typically decreased?a. Administrative responsibilitiesb. User functionalityc. Complexity of the systemd. Cost of sustaining the IT environment
A
B: When security is increased, user functionality is usually decreased.
2
Q
- Which of the following occurrences does not demonstrate foresight and planning on the part of a programmer when a software product encounters a security error?a. Blue screenb. Switching into a non-privileged state upon failurec. Locking out all high-level privilegesd. Rebooting into any available state
A
D: Rebooting into any available state could result in booting into a privileged state which is not the proper outcome when software encounters a security error.
3
Q
- Database access is usually indirect access that provides for all but which of the following?a. Confidentiality b. Integrityc. Availabilityd. Controlled interface
A
C: Availability is not ensured with indirect access.
4
Q
- Which of the following is required in every row of a table in order to maintain uniqueness?a. Cellb. Filec. Primary keyd. Schema
A
C: A primary key is required in every row of a table in order to maintain uniqueness.
5
Q
- An attribute in one table that also serves as the primary key in another table is known as?a. A cross-referenceb. A viewc. Tupled. A foreign key
A
D: A foreign key is an attribute in one table that also serves as the primary key in another table.
6
Q
- What is the data that defines or describes the database?a. Schemab. Primary keyc. Data dictionaryd. Base relation
A
A: A schema holds the data that defines or describes the database.
7
Q
- Why does most software have security disabled by default?a. Ease of installation b. Every environment has different security needsc. Most environments don’t require securityd. Security is dependant upon a security policy
A
A: Most software has security disabled by default for ease of installation.
8
Q
- What is a collection of related items of the same type?a. Fileb. Record c. Databased. Base relation
A
A: A file is a collection of related items or records of the same type.
9
Q
- A tuple is what?a. A table stored in a databaseb. A row stored in a databasec. A column stored in a databased. A column that makes each row of a table unique
A
B: A tuple is a row stored in a database.
10
Q
- What is an attribute?a. A table stored in a databaseb. A column that has a unique value in each rowc. A column in a databased. The data that describes the database
A
C: An attribute is a column in a database.
11
Q
- What database model provides for many-to-many relationships?a. Sequential data modelb. Hierarchical data modelc. Ordinal data modeld. Distributed data model
A
D: A distributed data model offers many-to-many relationships.
12
Q
- An indication that integrity of the database has been violated is when which following includes a null value?a. primary keyb. cellc. tupled. relation
A
A: If the primary key contains a null value then integrity has been violated.
13
Q
- In a relational database, the number of rows is referred to as?a. Degreeb. Cardinalityc. Prime factord. Tuple
A
B: The number of rows in a relational database is known as the cardinality.
14
Q
- Which of the following in the design and programming phases of software development can not result in buffer overflows?a. data input block sizeb. ASCII vs. binary inputc. Alpha vs. numeric inputd. English vs. Spanish
A
D: Whether the input is in Spanish or English will not have a direct bearing on a buffer overflow.
15
Q
- When a program or operating system experiences a failure state, what should it do?a. save a memory dumpb. revert to a secure statec. restart in privilege moded. automatically reboot
A
B: After a failure state, the program or system should revert to a secure state.
16
Q
- Which of the following is not true about out of the box security?a. security and functionality are directly proportionalb. security is usually disabled for installationc. security must be configured for the environmentd. security is often a tradeoff for ease of use
A
A: Security and functionality are usually inversely proportional, the greater the security the less functionality a system offers.
17
Q
- What element of new robust software is considered a security failure or downfall?a. platform dependenceb. a wide range of features or functionalityc. interpreted vs. compiled languaged. implementation within a distributed computing environment
A
B: A wide range of features or functionality is considered a security failure or downfall. The more capabilities a system has, the greater the range of its vulnerabilities and risks.
18
Q
- What is the primary reason why so much software is unable to handle failures or errors in a secure fashion?a. use of interpreted languagesb. designed to be used in a distributed computing environmentc. circumstances of use are difficult to predict and plan ford. lack of software change management
A
C: The primary reason software is unable to handle failures is a secure fashion is that circumstances of use are difficult to predict and plan for.
19
Q
- Since all circumstances of use are difficult to predict and plan for, programmers should?a. not produce softwareb. use only fifth generation programming languagesc. avoid CGI scriptsd. design a general method for handling unexpected failures
A
D: Since all circumstances of use are difficult to predict and plan for, programmers should design into their software a general method for handling unexpected failures.
20
Q
- A reliable and controlled software development, design, and coding process is necessary to ensure?a. marketabilityb. securityc. interoperabilityd. compatibility
A
B: A reliable and controlled software development, design, and coding process is necessary to ensure security.
21
Q
- Buffer overflows are caused by a programmer failing to compensate for all but which of the following?a. input data block sizeb. ASCII vs. Binary inputc. English vs. Spanishd. alpha vs. numeric
A
C: Buffer overflows are not caused by differences in languages.
22
Q
- Failing to compensate for invalid or extensive values of data types, formats, or lengths in input to programs can cause?a. time of check/time of use attackb. aggregationc. unauthorized alterations of a configuration itemd. buffer overflows
A
D: Failing to compensate for invalid or extensive values of data types, formats, or lengths in input to programs can cause a buffer overflow.
23
Q
- Environmental controls and hardware devices cannot prevent problems created by?a. bad program codingb. unrestricted physical accessc. lack of boundary controlsd. poor air quality
A
A: Environmental controls and hardware devices cannot prevent problems created by bad program coding.
24
Q
- Which of the following is not one of the standard phases in a the system life cycle?a. penetration testingb. project initiationc. system design specificationsd. maintenance
A
A: Penetration testing is not one of the phases in the system life cycle.
25
25. Which of the following is not one of the standard phases in a the system life cycle? a. functional design analysis and planning b. risk assessment c. software development d. installation
B: Risk assessment is not one of the phases in the system life cycle.
26
26. Due care is not related to? a. Good faith b. Prudent man c. Profit d. Best interest
C: This is a term not related to Due Care, it’s going to give us the opposite.
27
27. If a system encounters a failure and it is prevented from rebooting, this will help avoid what? a. denial of service b. initial program load vulnerabilities c. time of check/time of use attacks d. inference
B: If a system encounters a failure and it is prevented from rebooting, this will help avoid IPL vulnerabilities.
28
28. _____________ is most effective if it is planned and managed throughout the lifecycle of a system or application. a. capability b. functionality c. security d. marketability
C: Security is most effective if it is planned and managed throughout the lifecycle of a system or application.
29
29. _________________ keeps the development project on target and moving toward the goal of a completed product. a. business continuity planning b. change control management c. facility design and construction d. project management
D: Project management keeps the development project on target and moving toward the goal of a completed product.
30
30. If a system should fail for any reason, it should always perform a ______________. a. fail safe operation b. self diagnostic c. fail over maneuver d. privileged restart function
A: If a system should fail for any reason, it should always perform a fail safe operation.
31
31. When testing a newly developed software, system, or solution, all but which of the following should be true? a. all aspects of the system should be testable b. testing should examine how incorrect values are handled c. testing should probe boundary conditions d. testing should use real or live data
D: Testing should never use real or live data. Testing using real data can result in disclosure or alteration of sensitive information.
32
32. Which of the following is not one of the elements of the software maintenance phase and change control process? a. risk control b. request control c. change control d. release control
A: Risk control is not one of the elements of the software maintenance phase and change control process.
33
33. In what level of the software capability maturity model are project management practices institutionalized? a. initiating b. repeatable c. defined d. managed
B: Security requirements are institutionalized in the repeatable level of the software capability maturity model.
34
34. The waterfall models allows for what? a. improved management b. greater control over project progress toward objective completion c. creation of multiple prototypes d. modification only to the immediately previous stage of the life cycle process
D: The waterfall model of the life cycle development process allows for modifications only to the immediately previous stage of the life cycle process.
35
35. Which of the following life cycle phase models allows for all phases of the life cycle process to be repeated? a. spiral model b. waterfall model c. modified waterfall model d. Information security and life cycle model
A: The spiral model allows the phases of the life cycle process to be repeated as necessary.
36
36. Which life cycle model provides mechanisms for back verification and validation against defined baselines? a. Spiral model b. Modified waterfall model c. Clark Wilson model d. Information security and life cycle model
B: The modified waterfall model provides mechanisms for back verification and validation against defined baselines.
37
37. According to the Information security and life cycle model, security implemented early in the life cycle process results in all but which of the following? a. greater chance for success b. lower costs c. greater granularity d. reduced work
C: The Information security life cycle model does not indicate whether introducing security early in the life cycle process results in greater granularity.
38
38. The ability for one object to be removed from a system and replaced with another object is known as? a. polymorphism b. data diddling c. substitution property d. normalization
C: The ability for one object to be removed from a system and replaced with another object is known as the substitution property.
39
39. The communications sent to an object in order to instruct it to perform some operation is known as? a. method b. behavior c. delegation d. message
D: The communications sent to an object in order to instruct it to perform some operation is known as a message.
40
40. The code that defines the actions that an object performs in response to an instruction is known as? a. method b. behavior c. delegation d. message
A: The code that defines the actions that an object performs in response to an instruction is known as a method.
41
41. The forwarding of an instruction from one object to another is known as? a. method b. behavior c. delegation d. message
C: The forwarding of an instruction from one object to another is known as delegation.
42
42. Objects in an object oriented programming environment that are created on the fly by software as it executes are known as? a. dynamic lifetime objects b. transient elements c. volatile agents d. distributed computing applets
A: Objects in an object oriented programming environment that are created on the fly by software as it executes are known as dynamic lifetime objects.
43
43. The characteristic of objects in an object oriented programming environment of encapsulation means what? a. objects can produce multiple outputs from the same input b. objects are self-contained c. objects are more secure that compiled programs d. objects are transient
B: Encapsulation means that objects are self-contained.
44
44. What programming language can be used directly by computers? a. assembly language b. artificial intelligence languages c. machine language d. interpreted languages
C: A computer can only use machine language directly.
45
45. Which of the following is most susceptible to insertion of malicious code? a. assembly language b. compiled language c. commercial software d. CGI scripts
D: CGI scripts, being interpreted, are most susceptible to insertion of malicious code.
46
46. Which of the following is true regarding ActiveX? 1. Platform independent 2. Platform dependent 3. Language independent 4. Language dependent a. 1 and 3 b. 2 and 4 c. 2 and 3 d. 1 and 4
C: ActiveX is platform dependent (Windows only) and language independent.
47
47. Which of the following is true regarding Java? 1. Platform independent 2. Platform dependent 3. Language independent 4. Language dependent a. 1 and 3 b. 2 and 4 c. 2 and 3 d. 1 and 4
D: Java is platform independent and language dependent.
48
48. The primary security flaw of ActiveX is? a. It stores controls to the hard drive b. It uses a sandbox c. It is specific to Windows OSes d. It is not language dependant
A: The primary security flaw of ActiveX is that it stores controls to the hard drive.
49
49. Which of the following is not true about Java applets? a. It uses a sandbox b. It is stored on the hard drive c. It is multithreaded d. It is temporarily stored in memory
B: Java applets are not stored to the hard drive, ActiveX is stored to the hard drive.
50
50. What type of computer system exhibits the same reasoning capabilities as that of a human? a. expert system b. neural network c. object oriented system d. commodore 64
A: An expert system is a computer system that exhibits the same reasoning capabilities as that of a human.
51
51. What type of computer system mimics the functioning of biological neurons? a. expert system b. neural network c. object oriented system d. artifical intelligence system
B: A neural network is a computer system that mimics the functioning of biological neurons.
52
52. Expert systems function using all but which of the following? a. If-then statement rule databases b. Fuzzy logic c. Delta rule d. Inference engine
C: Expert systems do not use the delta rule. Neural networks use the delta rule, the learning rule.
53
53. Which of the following is not one of the steps used by expert systems when performing fuzzy logic operations? a. Fuzzification b. Inference c. Composition d. Normalization
D: Normalization is not one of the steps used in fuzzy logic operations. Normalization is the removal of errors from a database.
54
54. The most common example of a distributed computing environment (DCE) is which of the following? a. client/server b. terminal/host c. stand alone desktop system d. portable computers
A: A client/server system is the most common example of a DCE.
55
55. Which of the following is not an example of a mobile code language used in a distributed computing environment? a. ActiveX b. Fortran c. Java d. Macromedia Flash
B: Fortran is a 3rd generation programming language, but it is not a mobile code language used in DCE.
56
56. The results of communications sent to an object in order to instruct it to perform some operation is known as? a. method b. behavior c. delegation d. message
B: The result exhibited by an object upon receipt of an instruction is known as a behavior.
57
57. The ability for an object to produce different behaviors from the same message is known as? a. method b. data diddling c. electronic vaulting d. polymorphism
D: The ability for an object to produce different behaviors from the same message is known as polymorphism.
58
58. The number of rows in a relational database is known as? a. schema b. data dictionary c. cardinality d. degree
C: The cardinality is the number of rows in a relational database.
59
59. The number of columns in a relational database is known as? a. schema b. data dictionary c. cardinality d. degree
D: The degree is the number of columns in a relational database.
60
60. The data that defines the structure of the database is known as? a. schema b. data dictionary c. cardinality d. degree
A: The schema is the data that defines the structure of the database.
61
61. A relational database provides for what types of relationships? a. one-to-one b. one-to-many c. many-to-many d. many-to-one
C: A relational database provides for many to many relationships.
62
62. A hierarchical database provides for what types of relationships? a. one-to-one b. one-to-many c. many-to-many d. many-to-one
B: A hierarchical database provides for one-to-many relationships.
63
63. An intersection of a row and a column in a relational database is known as? a. file b. tuple c. cell d. attribute
C: A cell is the intersection of a row and a column.
64
64. Which of the following is not a means to aid in mitigating the threat of malicious code in a distributed computing environment? a. screen applets at firewalls b. configure browsers to accept code from trusted servers only c. avoid using FTP d. train users regarding mobile code
C: Avoiding the use of FTP is the least effective means to mitigate the threat of malicious code in a DCE.
65
65. Which of the following is not one of the three primary models of databases? a. hierarchical b. distributed c. relational d. dyanmic
D: There is no such database model as the dynamic model.
66
66. A row in a relational database table is known as? a. file b. tuple c. cell d. attribute
B: A tuple is a row of a relational database table.
67
67. The attribute that makes each tuple unique in relational database? a. domain b. candidate key c. primary key d. foreign key
C: The primary key is the attribute that makes each tuple unique in relational database.
68
68. A unique attribute from another relational database table is known as? a. domain b. candidate key c. primary key d. foreign key
D: A foreign key is a unique attribute from another relational database table.
69
69. The range of allowable or valid values for attributes is known as? a. domain b. candidate key c. primary key d. foreign key
A: The domain is the range of allowable or valid values for attributes.
70
70. Attributes in a relational database that provide a unique identifier for tuples is known as? a. domain b. candidate key c. primary key d. foreign key
B: A candidate key is any attribute in a relational database that provides a unique identifier for tuples.
71
71. A column in a relational database table is known as? a. file b. tuple c. cell d. attribute
D: An attribute is a column in a relational database table.
72
72. A collection of records of the same type is known as? a. file b. tuple c. cell d. attribute
A: A file is a collection of records of the same type.
73
73. Hiding specific cells in a database to prevent against inference attacks is known as? a. polyinstantiation b. database partitioning c. cell suppression d. perturbation
C: Cell suppression is the technique of hiding specific cells in a database to prevent against inference attacks.
74
74. A centralized repository of normalized information from various databases that is made available to users to perform queries against is known as? a. data mining b. data mart c. data dictionary d. data warehouse
D: A data warehouse is a centralized repository of normalized information from various databases that is made available to users to perform queries against.
75
75. What type of virus requires just a host program to replicate and distribute itself? a. common virus b. boot virus c. multi-part virus d. macro virus
A: A common virus, also known as a file virus, needs only a host program to replicate and distribute itself.
76
76. The mechanism that ensures that every tuple has a primary key and that primary key is related to an existing record is known as? a. referential integrity mechanism b. concurrency c. semantic integrity rules d. transaction management
A: The mechanism that ensures that every tuple has a primary key and that that primary key is related to an existing record is the referential integrity mechanism.
77
77. Which of the following are not elements of transaction management for databases? a. Rollback statement b. Normalization c. Commit statement d. Checkpoints
B: Normalization is a process used on databases to ensure that the attributes of a table depend upon the primary key. However, normalization is not part of transaction management.
78
78. At what layer of the OSI model does SQL, as a service protocol, operate? a. Layer 3 b. Layer 4 c. Layer 5 d. Layer 6
C: SQL operates at layer 5 the Session layer.
79
79. The central repository for the data elements and their relationships is known as? a. schema b. data dictionary c. cardinality d. degree
B: The data dictionary is the central repository for the data elements and their relationships.
80
80. Which of the following is not one of the steps or elements in data normalization? a. eliminating repeating groups b. eliminating redundant data c. eliminating the possibility of corrupted data by locking cells while they are being edited d. eliminating attributes that are not dependant on the primary key
C: Locking cells is an aspect of concurrency protection, not normalization.
81
81. Semantic integrity rules ensure that all structural and semantic rules of the database are not violated. Which of the following is not something that these rules would examine? a. data type b. logical value c. uniqueness constraints d. relevance
D: The semantic integrity rules would not address or examine the relevance of the data.
82
82. What is concurrency? a. A mechanism used to ensure the integrity of database information. b. A mechanism to ensure that structural and semantic rules are not violated. c. A mechanism that ensures that no record contains references to a primary key of a non-existent record. d. A mechanism that terminates the current transaction and cancels all changes made to the database.
A: Concurrency is a mechanism used to ensure the integrity of database information.
83
83. The act of deducing information from higher sensitivity levels from data at their own lower sensitivity level is known as? a. Aggregation b. Inference c. Suppression d. Perturbation
B: Inference is the act of deducing information from higher sensitivity levels from data at their own lower sensitivity level
84
84. Which of the following is not considered a valid safeguard against viruses? a. file hash values b. biometric authentication c. strong DACL access controls d. scanning for e-mail born viruses on e-mail gateway systems
B: Biometric authentication has no bearing on virus protection.
85
85. What model of database is useful for mapping or creating many to many relationships? a. Flux model b. Hierarchical model c. Distributed Data model d. Reflective model
C: A distributed data model uses many to many relationships.
86
86. Which of the following conditions indicate that the integrity of an entity has been violated? a. A random value in a cell b. A reoccurring value in a tuple c. A duplicate value in the foreign key d. A null value in the primary key
D: This indicates that the integrity of an entity has been violated.
87
87. SQL server is not vulnerable to which of the following types of attacks? a. aggregation b. inference c. salami technique d. dead lock
D: SQL is not vulnerable to dead locks since it supports concurrent transaction through transaction management.
88
88. When a database system supports transaction management, which of the following is it still vulnerable to, because users have access to data cells? a. inference b. deadlock c. denial of service d. data integrity loss
A: Databases may be still vulnerable to inferencing even with transaction management.
89
89. The user interface for a database enforces indirect access. This type of restricted interface or controlled view provides all but which of the following? a. support for confidentiality b. providing availability c. protection from unauthorized disclosure d. maintaining integrity
B: Database views and client interfaces do not provide availability.
90
90. What level of the Carnegie Mellon University Software Engineering Institute (SEI)'s Software Capability Maturity Model (CMM) represents the project management processes and ensures that practices are institutionalized? a. Level 5 - Optimized b. Level 4 - Managed c. Level 3 - Defined d. Level 2 - Repeatable
D: Level 2 - Repeatable is focused on the project management processes and ensures that practices are institutionalized.
91
91. Objects are ___________ of classes that contain their methods. a. Instances b. Behaviors c. Aspects d. Elements
A: Objects are instances of classes that contain their methods.
92
92. The forwarding of a request by an object to another object is known as? a. Inheritance b. Delegation c. Method d. Behavior
B: Delegation is the forwarding of a request by an object to another object.
93
93. Within configuration management, what is a component whose state is recorded and changes are measured against that saved state? a. Building b. Configuration item c. Build list d. Software library
B: Configuration item is a component whose state is recorded and changes are measured against that saved state.
94
94. Which procedure of configuration management is responsible for recording the processing of changes? a. Configuration Identification b. Configuration Control c. Configuration Status Accounting d. Configuration Audit
C: Configuration Status Accounting is the procedure that records the processing of changes.
95
95. In a relational database, mandatory access controls are imposed by using which of the following mechanisms? a. Access based on subject and object classification levels b. Access based on subject role c. Access based on a tuples in an access control matrix d. Access based on biometrics
A: Mandatory access control is based on classification levels.
96
96. What is normalization? a. The process of removing duplicate or redundant data from a database b. Is the standardization of all security baselines within an organization. c. A function of fuzzy logic that converts fuzzy output into quantitative numbers. d. Is the process of resetting all security systems to their installed defaults
A: Normalization is the process of removing duplicate or redundant data from a database.
97
97. Which of the following is not true? a. Applets are a form of mobile code distributed via the Web. b. Browsers may assign different security or trust levels to various applets. c. It is easy to alter or duplicate the signature on an applet. d. A signature on an applet informs you about the source of the applet but not the content or quality of the applet
C: This is not true. It is not possible to alter or duplicate the signature on an applet.
98
98. Inference engines are able to manage uncertainty using all but which of the following means? a. Fuzzy logic b. Direct reasoning c. Probability factors d. Bayesian network theory
B: Direct reasoning is not a feature or capability of inference engines.
99
99. The fineness of access control specification within a database is known as? a. Accuracy b. Granularity c. Cardinality d. Bayesian Theory
B: Granularity is the fineness of access control specification within a database.
100
100. What is polyinstantiation? a. A mechanism that prevents the creation of entities within a database at a lower sensitivity level when that entity already exists at a higher sensitivity level. b. A mechanism that allows a database table to contain two primary keys. c. A mechanism that allows a duplicate primary key to be created at a lower sensitivity level when the same key already exists at a higher sensitivity level. d. A mechanism for entering the same information into multiple databases simultaneously.
C: Polyinstantiation is a mechanism that allows a duplicate primary key to be created at a lower sensitivity level when the same key exists at a higher sensitivity level. This prevents inference.
101
101. Which software life cycle models allows for modifications to the project to travel only to the previous development stage? a. Spiral model b. Referential model c. Series model d. Waterfall model
D: The waterfall model allows for modifications to the project to travel only to the previous development stage.
102
102. Which of the following is not true when performing testing during product development? a. Testing should use real or live data b. Testing should ensure that only valid value ranges are accepted c. Testing should verify that incorrect input types are rejected d. Testing should verify all bounds and conditions of input
A: Testing should never use real or live data.
103
103. What is polymorphism? a. The ability for a block of code to alter itself based on its environment b. The ability of a database to allow the creation of a duplicate entity at a lower sensitivity level when one already exists at a higher sensitivity level in order to prevent inference attacks. c. The ability of an object to respond differently to the same message. d. The ability for a distributed data model database to integrate information from multiple locations into a single view.
C: Polymorphism is the ability of an object to respond differently to the same message.
104
104. Formerly known as OLE, what object oriented system standard defines the exchange of objects between programs executing on the same system? a. COBRA b. ORB c. DCOM d. COM
D: COM or Common Object Model is the standard that defines the exchange of objects between programs executing on the same system.
105
105. What type of system demonstrates reasoning abilities similar to humans? a. Expert system b. Artificial Intelligence systems c. Neural networks d. Clustered networks
A: Expert systems demonstrate reasoning abilities similar to humans.
106
106. Which of the following is correlations between data or data about data? a. Data mart b. Metadata c. Data dictionary d. Data warehouse
B: Metadata is correlations between data or data about data.
107
107. What type of virus attaches itself to a program so it is activated whenever the software is executed? a. Boot virus b. Macro virus c. File virus d. Companion virus
C: A file virus attaches itself to a program so it is activated whenever the software is executed.
108
108. Which of the following is true for centralized systems? a. Numerous platforms execute independent copies of software against independent sets of data b. Easily accommodates change to DCOM objects c. Protection is afforded by the OS or the platform d. Combines processing capabilities from various platforms
C: This is a benefit of centralized systems.
109
109. Java and ActiveX are both examples of? a. Code that can be run on any platform b. Interpreted programming language c. Programming languages that operate within a sandbox d. Mobile code
D: ActiveX and Java are examples of mobile code.
110
110. Which of the following is not a countermeasure against malicious code? a. Screening applets at the firewall b. Requiring strong passwords c. Require signed applets from trusted servers d. Train users for safe Internet usage
B: This is not a countermeasure against malicious code.
111
111. Which of the following is a mandatory access control model for object-oriented systems? a. View Mechanism b. Positive/Negative Authorizations c. SORION d. Methods Data Hiding
C: SORION is a mandatory access control model for object-oriented systems.
112
112. An unapproved method of gaining access to a system is known as? a. Least privilege b. Network access c. Physical access d. Backdoor
D: An unapproved method of gaining access to a system is known as a backdoor.
113
113. The biggest issue related to database security is? a. Logic bombs b. Human errors c. Inference attacks d. Validation errors
B: Human errors are the biggest issue related to database security. All other problems can be addressed and countered.
114
114. Which of the following is not an example of a programming or data attack? a. Brute force b. Covert channels c. Logic bombs d. Salami attack
A: Brute force is a password attack, not a programming or data attack.
115
115. What is the most significant disadvantage of using compiled mobile code? a. It can contain hidden malicious code b. It employs run-time binding c. It operates very fast d. It is limited to single thread execution
A: Compiled code can contain hidden malicious code.
116
116. A __________ is a form of malicious code that is triggered to perform an activity once a specific event occurs, such as a time period, accessing a online resource, or launching a program. a. Logic bomb b. Worm c. Macro virus d. Trojan horse
A: A logic bomb is a form of malicious code that is triggered to perform an activity once a specific event occurs, such as a time period, accessing a online resource, or launching a program.
117
117. Accreditation is what? a. A structured examination of a system's security policy b. An institutionalized assessment program for the design specifications of a security product c. A formal acceptance of a security certification d. The degree of confidence that a security measure will work as designed and intended.
C: Accreditation is a formal acceptance of a security certification.
118
118. The primary difference between a virus and a worm is? a. A virus always infects executable programs b. A worm only attempts to replicate itself rather than cause damage c. A virus always destroys data on the infected system d. A worm seeks to spread itself to other systems
D: The primary difference between a virus and a worm is that a worm primarily seeks to spread itself to other systems while a virus seeks to replicate itself within a system.
119
119. Which of the following is not considered a denial of service attack? a. Consuming bandwidth from a victim b. Sending a limited amount of spam to a victim c. Blocking the ability to respond to legitimate traffic d. Consuming all computing resources
B: While spam is unwanted and a large amount can result in a DoS attack, a limited amount of spam is little more than annoying.
120
120. Countermeasures to the Smurf Denial of Service attack include all but which of the following? a. Disable broadcast capabilities on border routers b. Block spoofed internal packets c. Deploy host-based IDS d. Disable ICMP traffic
C: A network-based IDS may have some affect as a countermeasure against Smurf, but a host-based IDS is ineffective against any DoS.
121
121. At what point in a product's development cycle should infosec be introduced? a. Evaluation and testing b. Inception c. Design specification d. Software development
B: InfoSec should be introduced into a product's development cycle from inception.
