Network-based IDS is incorrect because it indicates which server was attacked and on what port number, which indicates which network service was targeted. Network-based firewalls are typically configured to log blocked connection attempts, which include the intended destination IP address and port number. Other perimeter devices that the worm traffic may have passed through, such as routers, virtual private network (VPN) gateways, and remote access servers may record information similar to that logged by network-based firewalls.
60. Media sanitization activity is usually most intense during which of the following phases of the system development life cycle (SDLC)?
a. Development/acquisition
b. Implementation
c. Operation/maintenance
d. Disposal
60. d. Media sanitization ensures that data is deleted, erased, and written over as necessary. Media sanitization and information disposition activity is usually most intense during the disposal phase of the system life cycle. However, throughout the life of an information system, many types of data storage media will be transferred outside positive control, and some will be reused during all phases of the SDLC. This media sanitization activity may be for maintenance reasons, system upgrades, or during a configuration update.
61. The security certification assessor is involved with which of the following activities?
a. System development
b. System controls
c. System implementation
d. System operations
61. b. The security certification assessor is involved in assessing security controls in an information system to provide an unbiased opinion. The assessor’s independence implies that he is not involved in the information system development, implementation, or operation.
62. Which of the following threats rely entirely on social engineering techniques?
1. Trojan horse
2. Mobile code
3. Phishing
4. Virus hoaxes
a. 1 and 2
b. 2 and 3
c. 1 and 3
d. 3 and 4
62. d. Both phishing and virus hoaxes rely entirely on social engineering, which is a general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious. Phishing refers to using deceptive computer-based means to trick individuals into disclosing sensitive personal information. Virus hoaxes are false virus warnings. The majority of virus alerts that are sent via e-mail among users are actually hoaxes.
Trojan horse is incorrect because it is a nonreplicating program that appears to be benign but actually has a hidden malicious purpose.
Mobile code is incorrect because it is software that is transmitted from a remote system to be executed on a local system, typically without the user’s explicit instruction. Trojan horse and mobile code do not rely on social engineering.
63. Defining roles and responsibilities is important in identifying infected hosts with malware incidents before security incidents occur. Which of the following groups can primarily assist in analyzing routers?
a. Security administrators
b. System administrators
c. Network administrators
d. Desktop administrators
63. c. Organizations should identify which individuals or groups can assist in infection identification efforts. Network administrators are well suited to analyzing routers, and also to analyzing network traffic with packet sniffers and spotting network misconfigurations. The administrators named in the other three choices have different roles, reflecting separation of duties, independence, and objectivity.
64. Which of the following is not a part of software and information integrity for commercial off-the-shelf application security?
a. Parity checks
b. Cyclical redundancy checks
c. Failed security tests
d. Cryptographic hashes
64. c. An organization employs automated mechanisms to provide notification of failed security tests, which is a control used in the verification of security functionality. The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions.
The organization employs good software engineering practices for commercial off-the-shelf integrity mechanisms (for example, parity checks, cyclical redundancy checks, and cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.
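The three integrity mechanisms named in the answer differ in what they catch. The following is an added example (not from the question bank) that applies a parity bit, a CRC-32, and a SHA-256 hash to a constructed sample file and reports which mechanism notices each kind of change; the file content and bit positions are made up for the demonstration.

```python
import hashlib
import zlib

# Constructed sample content (not from the page): a small configuration file.
ORIGINAL = b"admin_enabled=false\nmax_sessions=10\n"


def parity_bit(data: bytes) -> int:
    """Even parity over all bits: 1 if the number of set bits is odd."""
    return sum(bin(b).count("1") for b in data) & 1


def crc32(data: bytes) -> int:
    """Cyclic redundancy check; designed to catch accidental corruption."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256(data: bytes) -> str:
    """Cryptographic hash; an attacker cannot find a different file with
    the same digest, so a reference digest kept out of the attacker's
    reach detects deliberate tampering, not only random errors."""
    return hashlib.sha256(data).hexdigest()


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate accidental corruption by flipping the given bit positions."""
    buf = bytearray(data)
    for pos in positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def detects(original: bytes, modified: bytes) -> dict:
    """Report which mechanism sees a difference between the two versions."""
    return {
        "parity": parity_bit(original) != parity_bit(modified),
        "crc32": crc32(original) != crc32(modified),
        "sha256": sha256(original) != sha256(modified),
    }


if __name__ == "__main__":
    cases = {
        "one flipped bit": flip_bits(ORIGINAL, [3]),
        "two flipped bits": flip_bits(ORIGINAL, [3, 40]),   # parity misses this
        "deliberate edit": ORIGINAL.replace(b"false", b"true "),
    }
    for label, modified in cases.items():
        print(f"{label:16s} {detects(ORIGINAL, modified)}")
```

The two-bit and deliberate-edit cases show why a parity check alone is a weak integrity control: any change that flips an even number of bits leaves the parity unchanged.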
65. Attackers can exploit which of the following flaws to access user accounts, view sensitive files, or use unauthorized functions?
a. Broken access control
b. Invalidated input
c. Broken authentication
d. Cross-site scripting flaws
65. a. When restrictions on what authenticated users are allowed to do are not properly enforced, it leads to broken access control vulnerability in Web applications. The other three choices do not deal with accessing user accounts, viewing sensitive files, or using unauthorized functions.
66. Which of the following flaws lets an attacker embed malicious commands in application parameters, resulting in an external system executing those commands on behalf of the Web application?
a. Buffer overflows
b. Injection flaws
c. Denial-of-service
d. Improper error handling
66. b. Web applications pass parameters when they access external systems or the local operating system. Injection flaws occur when an attacker can embed malicious commands in these parameters; the external system may execute those commands on behalf of the Web application. The other three choices do not apply here because they do not embed malicious commands.
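To make the mechanism concrete, here is an added example (not part of the question bank) of a Web application parameter that reaches the local operating system. The vulnerable path concatenates the parameter into a shell command line; the hardened path validates the parameter and passes an argument list with no shell. The hostname pattern and the sample parameter values are constructed for the demonstration.

```python
import re
import shlex
import subprocess

# Hostname: letters, digits, dots, hyphens; a leading '-' is rejected so the
# value can never be interpreted as a command-line option (argument injection).
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")
SHELL_OPERATORS = {";", "|", "||", "&", "&&"}


def vulnerable_command(host: str) -> str:
    """How an injectable app builds the command: the raw parameter is pasted
    into a string that is later handed to a shell (e.g. subprocess with shell=True)."""
    return f"ping -c 1 {host}"


def shell_tokens(cmdline: str) -> list:
    """Approximate the shell's tokenization of the line; with punctuation_chars
    enabled, shlex emits ';', '|', '&&' and friends as separate tokens."""
    return list(shlex.shlex(cmdline, punctuation_chars=True))


def has_extra_commands(cmdline: str) -> bool:
    """True if the shell would see a command separator, i.e. the parameter
    changed the structure of the command instead of just supplying a value."""
    return any(tok in SHELL_OPERATORS for tok in shell_tokens(cmdline))


def is_valid_hostname(host: str) -> bool:
    return HOSTNAME_RE.fullmatch(host) is not None


def safe_argv(host: str) -> list:
    """Hardened form: validate first, then build an argv list. Each element is
    passed to the program unchanged, so no shell metacharacter is interpreted."""
    if not is_valid_hostname(host):
        raise ValueError("parameter is not a valid hostname")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Execute the hardened form (no shell involved); returns the exit status."""
    return subprocess.run(safe_argv(host), capture_output=True, check=False).returncode


if __name__ == "__main__":
    for param in ["example.com", "example.com; echo injected", "-f"]:
        line = vulnerable_command(param)
        print(repr(param), "-> extra commands:", has_extra_commands(line),
              "| accepted by hardened path:", is_valid_hostname(param))
```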
67. Both black-box and white-box testing are performed during which of the following?
a. Unit testing
b. Integration testing
c. System testing
d. Acceptance testing
67. a. A unit test is a test of software elements at the lowest level of development. Black-box testing, also known as functional testing, executes part or all of the system to validate that the user requirement is satisfied. White-box testing, also known as structural testing, examines the logic of the units and may be used to support software requirements for test coverage, i.e., how much of the program has been executed. Because the unit test is the first test conducted, its scope should be comprehensive enough to include both types of testing, that is, black box and white box.