A security analyst has been asked to perform a review of an organization’s software development lifecycle. The analyst reports that the lifecycle does not contain a phase in which team members evaluate and provide critical feedback of another developer’s code. Which of the following assessment techniques is BEST described in the analyst’s report?
A. Architecture evaluation B. Baseline reporting C. Whitebox testing D. Peer review
A programmer must write a piece of code to encrypt passwords and credit card information used by an online shopping cart. The passwords must be stored using one-way encryption, while credit card information must be stored using reversible encryption. Which of the following should be used to accomplish this task? (Select TWO)
A. SHA for passwords B. 3DES for passwords C. RC4 for passwords D. AES for credit cards E. MD5 for credit cards F. HMAC for credit cards
A rogue programmer included a piece of code in an application to cause the program to halt at 2:00 PM on Monday afternoon when the application is most utilized. This is Which of the following types of malware?
A. Trojan B. Virus C. Logic Bomb D. Botnets
The software developer is responsible for writing the code and promoting from the development network to the quality network. The network administrator is responsible for promoting code to the application servers. Which of the following practices are they following to ensure application integrity?
A. Job rotation B. Implicit deny C. Least privilege D. Separation of duties
A server administrator notes that a fully patched application often stops running due to a memory error. When reviewing the debugging logs they notice code being run calling an internal process to exploit the machine. Which of the following attacks does this describes?
A. Malicious add-on B. SQL injection C. Cross site scripting D. Zero-day
Which of the following would be a reason for developers to utilize an AES cipher in CCM mode (Counter with Chain Block Message Authentication Code)?
A. It enables the ability to reverse the encryption with a separate key B. It allows for one time pad inclusions with the passphrase C. Counter mode alternates between synchronous and asynchronous encryption D. It allows a block cipher to function as a steam cipher
One month after a software developer was terminated the helpdesk started receiving calls that several employees’ computers were being infected with malware. Upon further research, it was determined that these employees had downloaded a shopping toolbar. It was this toolbar that downloaded and installed the errant code. Which of the following attacks has taken place?
A. Logic bomb B. Cross-site scripting C. SQL injection D. Malicious add-on
A user ID and password together provide which of the following?
A. Authorization B. Auditing C. Authentication D. Identification
Correct Answer: C Section: Access Control and Identity Management
Authentication generally requires one or more of the following:
Something you know: a password, code, PIN, combination, or secret phrase.
Something you have: a smart card, token device, or key.
Something you are: a fingerprint, a retina scan, or voice recognition; often referred to as biometrics, discussed later in this chapter.
Somewhere you are: a physical or logical location.
Something you do: typing rhythm, a secret handshake, or a private knock.
A: Authorization occurs after authentication, and ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity.
Authorization indicates who is trusted to perform specific operations.
B: Auditing is generally used for compliance testing.
D: Identification is the claiming of an identity, only has to take place once per authentication or access process.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 118, 276, 280, 285
Which of the following can be implemented in hardware or software to protect a web server from cross-site scripting attacks?
A. Intrusion Detection System B. Flood Guard Protection C. Web Application Firewall D. URL Content Filter
Correct Answer: C Section: Application, Data and Host Security
Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be mitigated
by implementing patch management on the web server, using firewalls, and auditing for suspicious activity.
A: An Intrusion Detection System (IDS) is used to detect attempts to access a system. It cannot be used to detect cross-site scripting attacks where a malicious user is injecting
malicious content into content being downloaded by a user.
B: Flood Guard Protection is used to prevent a network being flooded by data such as DoS, SYN floods, ping floods etc. The flood of data saturates the network and prevents the
successful transmission of valid data across the network. Flood Guard Protection is not used to prevent cross-site scripting attacks.
D. A URL Content Filter is used to permit access to allowed URLs (Websites) only or to block access to URLs that are not allowed according to company policy. For example, a
company might use a URL Content Filter to block access to social networking sites. A URL Content Filter is not used to prevent cross-site scripting attacks.