Unit 5 MCQ

UNIT 5: Securing Applications and Data

Topic 5.1: Application and Data Vulnerabilities and Attacks

An adversary enters the following text into a search field on a poorly designed e-commerce website: `'; DROP TABLE products; --`. The website then deletes its entire product database. This is an example of what type of attack?

ASQL injection

BBuffer overflow

CDirectory traversal

DCross-site scripting (XSS)

A user visits a popular forum and reads a comment left by another user. Unbeknownst to them, the comment contains malicious JavaScript code. When the user's browser renders the comment, the script executes and steals the user's session cookie. This is a classic example of a:

ASQL injection attack

BReflected XSS attack

CDenial of service attack

DStored XSS attack

An adversary crafts a URL for a web application like `http://example.com/viewfile.php?file=../../../../etc/passwd`. They are attempting to access a sensitive system file located outside of the web server's root directory. This attack is known as:

ADirectory traversal

BBuffer overflow

CSQL injection

DCross-site scripting (XSS)

A program expects a user to enter their 10-digit phone number. The memory buffer allocated for this input is 11 bytes long. An adversary intentionally provides 100 bytes of data, which overwrites adjacent memory locations and causes the program to crash. This is a(n):

ABuffer overflow attack

BInjection attack

CDirectory traversal attack

DSocial engineering attack

What is the fundamental vulnerability that allows injection attacks like SQL injection and cross-site scripting to succeed?

AThe lack of a firewall on the network.

BThe use of an outdated operating system.

CThe use of weak encryption on the server.

DThe failure to sanitize user input.

An organization stores its employee salary data in an unencrypted spreadsheet on a shared network drive that all employees can access. This primarily represents a risk to which security principle?

AIntegrity

BAvailability

CConfidentiality

DPlausibility

In a reflected (Type I) XSS attack, where is the malicious script typically embedded?

AIn a database that the website queries.

BIn the website's source code by a developer.

CIn a crafted link sent to the victim.

DIn a file stored on the web server's drive.

Why is giving regular users administrative privileges on their computers a security risk?

AIt requires more frequent password resets.

BIt allows malware to run with elevated rights.

CIt prevents users from installing software.

DIt makes the computers run more slowly.

Topic 5.2: Protecting Applications and Data: Managerial Controls and Access Controls

Data that is currently stored on a hard drive or a backup tape is referred to as:

AData in transit

BData at rest

CData in use

DData in flux

The Bell-LaPadula model is a Mandatory Access Control (MAC) model that enforces the rule 'write up, read down.' What is the primary goal of this model?

ATo ensure data accuracy and integrity.

BTo ensure data is always available.

CTo enforce data confidentiality.

DTo track user actions for auditing.

An organization's policy dictates that employees should only be granted the minimum level of access to data and systems necessary to perform their job duties. This policy is an implementation of:

AA cryptography policy

BRole-based access control (RBAC)

CThe principle of least privilege

DA defense-in-depth strategy

Under a Role-Based Access Control (RBAC) model, how is a user's permission to access a file determined?

ABy rules based on environmental factors.

BBy the data owner's direct permission grants.

CBy permissions associated with a user's job function.

DBy security labels assigned to data and users.

A user runs the command `chmod 750 myfile.txt` on a Linux system. What permissions are set for the 'group' that owns the file?

ARead and execute

BRead and write

CRead, write, and execute

DNo permissions

Using the symbolic method in Linux, which command would remove write permission for 'others' (users not the owner and not in the group) on a file named `report.docx`?

A`chmod u-w report.docx`

B`chmod a-w report.docx`

C`chmod o-w report.docx`

D`chmod g-w report.docx`

A hospital must protect patient medical records. This type of data is classified as Protected Health Information (PHI) and is regulated by:

APCI-DSS

BHIPAA

CCOPPA

DFERPA

The concept of 'secure by default' means that:

AUsers must manually enable security features.

BSecurity is the sole responsibility of the user.

CProducts ship with secure settings enabled.

DThe default password for all devices is 'password'.

Topics 5.3 & 5.4: Symmetric and Asymmetric Cryptography

A user wants to encrypt a file on their hard drive so that only they can read it. They use a password to generate a single key that is used for both encrypting and decrypting the file. This is an example of:

ASymmetric encryption

BA digital signature

CA cryptographic hash function

DAsymmetric encryption

Alice wants to send a secure message to Bob using asymmetric encryption. Which key does Alice use to encrypt the message?

AAlice's private key

BAlice's public key

CBob's public key

DBob's private key

After receiving the encrypted message from Alice, which key does Bob use to decrypt it?

ABob's private key

BAlice's private key

CAlice's public key

DBob's public key

The security of asymmetric encryption relies on which of the following principles?

AThe public key is kept secret by the owner.

BThe public and private keys are identical.

CBoth keys are shared publicly for transparency.

DThe private key is kept secret by the owner.

A security administrator is choosing an encryption algorithm. They note that AES can use keys of 128, 192, or 256 bits. Why would they choose a 256-bit key over a 128-bit key?

AIt provides a larger keyspace.

BIt is required for asymmetric encryption.

CIt encrypts data much faster.

DIt results in a smaller encrypted file.

Which of the following is a primary disadvantage of symmetric encryption compared to asymmetric encryption?

AIt cannot be used to encrypt data at rest.

BIt requires secure key distribution.

CThe keys are much longer and harder to manage.

DIt is significantly slower.

AES is a block cipher. What does this mean?

AIt encrypts data one bit at a time.

BIt physically blocks unauthorized users.

CIt processes data in fixed-size chunks.

DIt can only encrypt text blocks, not files.

The primary difference between symmetric and asymmetric encryption is:

AThe overall level of security provided.

BThe type of data they can encrypt.

CThe number of keys used for the process.

DThe speed at which they operate.

Topic 5.6: Detecting Attacks on Data and Applications

A security analyst places a file named `All_User_Passwords.xlsx` on a server. The file contains fake, but realistically formatted, data. An automated alert is configured to trigger if any user attempts to access this file. This security control is a(n):

AAccess control list

BHoneypot

CFirewall

DAntivirus scanner

A system administrator calculates the SHA256 hash of a critical configuration file and records it. A week later, they recalculate the hash and find that it is different. What can they conclude?

AThe file was accessed by an authorized user.

BThe file has been modified or corrupted.

CThe server was rebooted during the week.

DThe hashing algorithm has been updated.

A company wants to ensure that a critical financial report has not been altered since it was created. Which cryptographic tool should they use to verify the report's integrity?

AA Virtual Private Network (VPN)

BA cryptographic hash function

CAsymmetric encryption

DSymmetric encryption

What is a primary limitation of using cryptographic hashes to detect attacks on data?

AAn adversary can easily reverse a hash.

BA hash only verifies data integrity, not confidentiality.

CCalculating hashes is too slow to be practical.

DHashes can only be used for small text files.

An organization's incident response plan includes a step to 'contain' a security breach. What is the primary goal of this step?

ATo prevent the threat from causing further damage.

BTo analyze the root cause of the incident.

CTo completely remove the threat from all systems.

DTo notify law enforcement and customers.

A security analyst is reviewing logs and sees a series of HTTP GET requests for URLs containing sequences of `../`. This is a strong indicator of an attempted:

ASQL injection attack

BSmurf attack

CCross-site scripting attack

DDirectory traversal attack

A user's input to a web application is a very long string of 2,000 characters being submitted to a field that should only contain a 5-digit zip code. This could be an indicator of an attempted:

AData exfiltration event

BPhishing attack

CHoneypot access

DBuffer overflow attack

The primary purpose of a honeypot is to:

AFilter out spam and phishing emails.

BAct as a decoy to attract and detect adversaries.

CAuthenticate users before they access resources.

DEncrypt all sensitive data on a network.