Which of the following is a security advantage of using NoSQL vs. SQL databases in a three-tier environment?
A. NoSQL databases are not vulnerable to XSRF attacks from the application server.
B. NoSQL databases are not vulnerable to SQL injection attacks.
C. NoSQL databases encrypt sensitive information by default.
D. NoSQL databases perform faster than SQL databases on the same hardware.
Correct Answer: B Section: Application, Data and Host Security
NoSQL is a nonrelational database and does not use SQL. It is therefore not vulnerable to SQL injection attacks but is vulnerable to similar injection-type attacks.
A: XSRF, or cross-site request forgery, applies to web applications and is an attack that exploits the web application’s trust of a user who is known or is supposed to have been authenticated. This is often accomplished without the user’s knowledge.
C: NoSQL databases do not offer default encryption.
D: NoSQL databases do not offer greater performance on the same hardware, but they do offer an advantage for extremely large data structures.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 217, 335
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 230, 232-233
Which of the following types of application attacks would be used to specifically gain unauthorized information from databases that did not have any input validation implemented?
A. SQL injection
B. Session hijacking and XML injection
C. Cookies and attachments
D. Buffer overflow and XSS
Correct Answer: A Section: Threats and Vulnerabilities
To access information in databases, you use SQL. To gain unauthorized information from databases, a SQL Injection attack is used.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
B: When a web user takes advantage of a weakness with SQL by entering values that they should not, it is known as a SQL injection attack. Similarly, when the user enters values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a similar manner to SQL, except that it does not have the same levels of access control, and taking advantage of weaknesses within it can return entire documents. The best way to prevent XML injection attacks is to filter the user’s input and sanitize it to make certain that it does not cause XPath to return more data than it should. XML injection is not used to gain unauthorized information from databases. This answer is therefore incorrect.
C: Cookies are used to store information about web browsing sessions. Cookies and attachments are not used to gain unauthorized information from databases. This answer is therefore incorrect.
D: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information – which has to go somewhere – can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity.
Buffer overflow and XSS are not used to gain unauthorized information from databases. This answer is therefore incorrect.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 337
Which of the following disaster recovery strategies has the highest cost and shortest recovery time?
A. Warm site
B. Hot site
C. Cold site
D. Co-location site
Correct Answer: B Section: Compliance and Operational Security
A hot site is a location that can provide operations within hours of a failure. This type of site would have servers, networks, and telecommunications equipment in place to reestablish service in a short time. Hot sites provide network connectivity, systems, and preconfigured software to meet the needs of an organization. Databases can be kept up-to-date using network connections. These types of facilities are expensive, and they’re primarily suitable for short-term situations.
A: A warm site provides some of the capabilities of a hot site, but it requires the customer to do more work to become operational. Warm sites provide computer systems and compatible media capabilities.
C: A cold site is a facility that isn’t immediately ready to use. The organization using it must bring along its equipment and network. A cold site may provide network capability, but this isn’t usually the case; the site provides a place for operations to resume, but it doesn’t provide the infrastructure to support those operations.
D: A co-location site is a type of site where your web hosting is done, e.g. an ISP or a web hosting company where many different customers host their web presence.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 443-444
An advantage of virtualizing servers, databases, and office applications is:
A. Centralized management.
B. Providing greater resources to users.
C. Stronger access control.
D. Decentralized management.
Correct Answer: A Section: Compliance and Operational Security
Virtualization consists of allowing one set of hardware to host multiple virtual machines, and in the case of software and applications, one host is all that is required. This makes centralized management a better prospect.
B: Virtualization does not necessarily mean providing greater resources to users; rather, it makes it possible for the company to use fewer resources and spread them over more users.
C: Stronger access control is one aspect of the centralized management dilemma, as virtualization may result in privilege escalation.
D: Decentralized management is the exact opposite of what virtualization accomplishes.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 19