IS3445 CHAP 6 MITIGATING WEB SITE RISKS, THREATS, AND VULNERABILITIES

Question 1

___ is a protocol primarily responsible for the authentication and integrity verification of data packets.

Answer 1

(AH) Authentication Header

Question 2

___ is the result when an attacker compromises authentication credentials, gaining access to all resources associated with those credentials.

Answer 2

Broken authentication

Question 3

___ exploits the trust a Web site has for a user’s browser. This can occur because once a visitor is authenticated and logged onto a particular Web site, that site trusts all requests that come from the browser.

Answer 3

(CSRF) Cross-site request forgery attack

Question 4

___ is a protocol that provides encryption services to network data. It can also be used for authentication and integrity services. This differs from AH authentication in the this protocol includes only the header, trailer, and payload portions of a data packet.

Answer 4

(ESP) Encapsulating Security Payload

Question 5

___ occurs when an attacker browses unprotected areas and data on a Web server. This attack is enabled by Web applications that fail to restrict vulnerabilities.

Answer 5

Failure to restrict URL access attack

Question 6

___ is the exploitation by an attacker of information found or gathered which was intended only for authorized users.

Answer 6

Information leakage

Question 7

___ enables an attacker to bypass an application’s access controls and create, change, delete, or read any data the application can access.

Answer 7

Injection flaw attack

Question 8

___ is the verification of all data that is received. This helps prevent malicious data from entering an application. This is a form of filtering in which unexpected or unwanted input is automatically rejected and the underlying database remains inaccessible.

Answer 8

Input validation

Question 9

___ is a threat that occurs when an administrator fails to secure directories and folders in a Web server. It enables an attacker to traverse through a Web server’s directories, leading to the access of sensitive resources and information leakage.

Answer 9

Insecure direct object reference vulnerability

Question 10

___ is an organization that researches and publishes known security threats to Web applications and Web services.

Answer 10

(OSWAP) Open Web Application Security Project

Question 11

___ uses social engineering to initiate an XSS attack. This uses a malicious script that is embedded in a URL link to target a single victim.

Answer 11

Reflected XSS attack

Question 12

___ is the standard security technology for establishing an encrypted link between a Web server and a Web browser. This link ensures that all data passed between the Web server and browsers remains private and intact.

Answer 12

(SSL) Secure Sockets Layer

Question 13

___ is a security agreement between two systems on a network that enables the secure exchange of data.

Answer 13

(SA) Security association

Question 14

___ is the tracking of requests and communications between a Web server and a user. Because HTML is “stateless” by design, Web applications and Web sites must create a session to pass information and authentication from page to page.

Answer 14

Session

Question 15

___ is a type of attack designed to break through database security and access the information.

Answer 15

SQL injection attack

Question 16

___ is an attack that embeds malicious script into a Web page that permits and stores user-sullied content, such as a social networking site or an online forums, where it will be accessible to multiple potential victims. The victim retrieves the malicious script from the Web server when it requests the stored information.

Answer 16

Stored XSS attack

Question 17

___ is a type of attack in which the attacker changes the appearance of a Web site. The attacker might replace a company’s home page, for example, with a Web page that displays messages from the attacker.

Answer 17

Web site defacement

Question 18

___ is an attack in which malicious scripts are saved to a Web server but run in a client browser. If the script code is executed, the attacker gains access to personal data on the Web server or the victim’s personal computer.

Answer 18

XSS attack

Question 19

1. Reflected and stored are types of XSS attacks.

TRUE OR FALSE

Answer 19

TRUE

Question 20

2. An attack has occurred on your network. An attacker was able to traverse several files and folders, looking for sensitive data. What type of attack has occurred?
3. Insecure direct object reference
4. XSS
5. CRFS
6. Injection flaw

Answer 20

Insecure direct object reference

Question 21

3. AH is the protocol within IPSec used for encryption services.
   TRUE OR FALSE

Answer 21

FALSE

Question 22

4. As network administrator, you are concerned with the plain text transmission of sensitive data on the network. Which of the following protocols are used to help secure communications? (Select three)
5. IPSec
6. HTTP
7. SSL
8. IKE

Answer 22

IPSec

SSL

IKE

Question 23

5. To increase network security, you have decided to use HTTPS on your shopping cart site. Which of the following ports does HTTPS use?
6. 80
7. 53
8. 443
9. 51

Answer 23

443

Question 24

6. ___ and AH are used to secure IPSec transmissions.

Answer 24

Encapsulating Security Payload or ESP

Question 25

7. CSRF attacks exploit the trust a Web site has for a user’s Web browser.
   TRUE OR FALSE

Answer 25

TRUE

Question 26

8. Kerberos is a(n) ___ protocol.

Answer 26

Authentication

Question 27

9. To increase overall communication security, you decide to implement 3DES encryption. Which of the following statements is true of 3DES?
10. Its key length is 168 bits
11. It cannot be used in a Windows-based environment
12. It uses 128 bit encryption
13. It has to be used with Kerberos

Answer 27

Its key length is 168 bits

Question 28

10. You are concerned about a cross-site forgery attack, Which of the following can you do to help prevent such an attack?
11. Ensure antivirus protection is up to date
12. Log out of Web sites when finished
13. Use stronger passwords
14. Encrypt stored passwords

Answer 28

Log out of Web sites when finished

Question 29

11. To establish IPSec encryption, two hosts must create a shared key with each other before SA negotiations can take place.
    TRUE OR FALSE

Answer 29

FALSE