E-Commerce Final Exam


In a path traversal attack, the attacker commonly uses ______ to navigate the directory tree to access files in other directories. A. Windows Explorer B. ../ C. Boolean Characters D. Filters

../

What is Common Gateway Interface (CGI)? A. A programming language B. Another name for JavaScript C. A type of Web-based attack D. A standard

A Standard

Which of the following statements best describes PCI DSS? A. A set of widely accepted requirements set by major credit card companies to enhance data security for online payments B. A federal law to enhance data security for online payments C. A standard set of requirements by credit card companies to enforce an encryption algorithm during online payments D. A federal law to enforce an encryption algorithm during online payments

A set of widely accepted requirements set by major credit card companies to enhance data security for online payments

What does a Web server require to create Secure Sockets Layer (SSL) connections? A) A certificate B) Internet Protocol Security (IPSec) C) Error-tracing functionality D) A stored cross-site scripting (XSS) script

A) A certificate

Which of the following is one method for mitigating error message handling errors? A) Apply adequate permissions to application logs on the server. B) Monitor the site navigational structure. C) Use input validation. D) Use Web site analytics.

A) Apply adequate permissions to application logs on the server.

_________ enables attackers to inject client-side scripts into Web pages. A) Cross-site scripting (XSS) B) Malicious file execution C) Unsecure direct object reference D) Cross-site request forgery (CSRF)

A) Cross-Site Scripting (XSS)

Your company's CEO suspects that an employee is e-mailing details of a new product development project to the competition. Which technique can you use to determine who is sharing the details via e-mail and prevent the information from leaving company servers? A) E-mail blocking B) Message priority C) Message archiving D) Keyword filtering

A) E-mail blocking

One of the advantages of doing business online is that business can be conducted 24 hours a day, 7 days a week. Which part of the architecture design allows this to happen? A) High availability B) Backups C) Accelerated routers D) Online data recovery

A) High Availability

Which of the following is NOT a common stage of customer life cycle management (CLM)? A) Inception B) Acquisition C) Conversion D) Retention

A) Inception

Which of the following describes a patch? A) Is a single software fix designed to fix a specific issue. B) Is a major upgrade to an application C) May provide enhanced features for an operating system D) Requires an administrator to take a performance baseline before applying

A) Is a single software fix designed to fix a specific issue.

Which of the following is NOT true of customer life cycle management (CLM)? A) Refers to the relationship established with online visitors from the time they add an item to a shopping cart until they checkout B) Is an essential part of an online marketing campaign C) Involves getting qualified traffic to a Web site D) Forms the foundation from which all marketing strategies are designed and applied

A) Refers to the relationship established with online visitors from the time they add an item to a shopping cart until they checkout

Which domain of an IT infrastructure primarily includes employees, consultants, contractors, and other third parties? A) User B) LAN-to-WAN C) WAN D) Remote Access

A) User

Which of the following protocols is NOT a Web communication protocol that authenticates users or computers? A) VOIP B) PPTP C) IPSec D) L2TP

A) VoIP

What does cross-site scripting (XSS) exploit in a Web application? A. Weak accountability B. Misconfigured servers C. Buffer overflows D. Access controls

Access Controls

Consider a person who logs into a Web site with a username and password. Which process tracks mechanisms used to keep a record of events on the system? A. Authorization B. Accountability C. Authentication D. Auditing

Accountability

Which of the following merchant levels must scan the networks at least quarterly to be in compliance with PCI DSS? A. Level 1 (more than 6 million transactions a year) B. Level 2 (1 million to 6 million transactions a year) C. Level 3 (20,000 to 1 million transactions a year) D. Level 4 (less than 20,000 transactions a year) E. All merchants, no matter the size, must scan at least quarterly

All merchants, no matter the size, must scan at least quarterly

What is NOT a secure coding practice? A. Pay attention to compiler warnings. B. Plan and design for security policies. C. Allow access by default. D. Sanitize data sent to other systems.

Allow access by default

To ensure confidentiality of customer data, e-commerce sites implement several protection measures. Which of the following is NOT one of those measures? A) Network security protocols B) Customer-service communications C) Data encryption services D) Network authentication services

B) Customer-service communications

Data Processing converts _________. A) Information into data B) Data into information C) Facts into conclusions D) Conclusions into facts

B) Data into information

What is the best method of mitigating unvalidated redirects and forwards in a Web application? A) Use a blacklist. B) Don't use redirects. C) Ensure the Web server is patched and up to date. D) Use permissions to lock down objects on the server.

B) Don't use redirects

Which of the following is a technological barrier designed to prevent unauthorized access to a computer network? A) Honeypot B) Firewall C) Router D) Proxy Server

B) Firewall

Which security tenet emphasizes the need for the information to be delivered unaltered to the recipient? A) Confidentiality B) Integrity C) Availability D) Authorization

B) Integrity

Which of the following is NOT a level of e-business customer-service communication? A) One-way communication B) Limited one-way communication C) Limited two-way communication D) Full two-way communication

B) Limited one-way communication

Which of the following provides operating systems or platform applications over the Internet? A) SaaS B) PaaS C) IaaS D) IoT

B) PaaS [Platform as a Service]

A(n) _______ targets a vulnerability. A) Risk B) Threat C) Hoax D) Protocol

B) Threat

_________ involves sensitive data that is stored without appropriate encryption. A) Broken authentication and session management B) Unsecure cryptographic storage C) Unsecure communications D) Failure to restrict URL access

B) Unsecure Cryptographic Storage

______ is a data associated with Web site domain owners. A) TCP/IP B) Whois C) ICANN D) HTTP

B) Whois

Which type of online perpetrator finds personal information about a person online, then threatens to release that information if demands are not met? A) Scammer B) Cyberstalker C) Blackmailer D) Online bully

Blackmailer

Password policies, such as account lockout duration and maximum password age, are helpful in protecting against what type of attack? A. Content spoofing B. Denial of service C. Brute force D. Fingerprinting

Brute Force

You are designing your first Web site and want to be sure your design is useful and appealing to the appropriate audience. Which tool is the best choice? A) Web site analytics B) A Contact Us form C) A customer profile D) An online survey

C) A customer profile

______ is used for naming computers, services, and other objects on a computer network. A) TCP/IP B) Whois C) DNS D) HTTP

C) DNS

Establishing a virtual private network (VPN) connection includes the following EXCEPT: A) Client B) Server C) File Transfer Protocol (FTP) D) Transmission media

C) File Transfer Protocol (FTP)

_________ is associated with information leakage and improper error handling. A) Broken authentication and session management B) Unsecure cryptographic storage C) ID or password login failure D) Failure to restrict URL access

C) ID or password login failure

Which of the following delivers an infrastructure, including servers, storage, and networking components, over the internet? A) SaaS B) PaaS C) IaaS D) IoT

C) IaaS

Which of the following is NOT a method of mitigating the impact of broken authentication and session management on a Web application? A) Strong passwords B) Password rotation C) Input validation D) Session ID protection

C) Input Validation

What uses Authentication Header (AH) and Encapsulating Security Payload (ESP) to create secure data transmissions? A) Domain Name System (DNS) B) Secure Sockets Layer (SSL) C) Internet Protocol Security (IPSec) D) Cross-site scripting (XSS)

C) Internet Protocol Security (IPSec)

Which of the following helps to ensure the confidentiality and integrity of data communications? A) Domain Name System (DNS) B) Simple Network Management Protocol (SNMP) C) Internet Protocol Security (IPSec) D) Transmission Control Protocol/Internet Protocol (TCP/IP)

C) Internet Protocol Security (IPSec)

Although manually operated, what was one of the first complex data processing devices? A) The difference engine B) The Analytical Engine C) The abacus D) The punch card tabulating system

C) The Abacus

Which of the following is NOT true of Internet directory portals? A) They are not search engines B) They organize groups of links into a structure usually in categories and subcategories C) They began to appear during the Web 2.0 era D) Their structure emerged out of user tagging

C) They began to appear during the Web 2.0 era

A _______ is a weakness that allows an attacker to reduce the information assurance of a system. A) risk B) threat C) vulnerability D) protocol

C) Vulnerability

Which of the following is NOT an advantage of software configuration management (SCM)? A. Ensures greater control B. Prevents unauthorized changes C. Allows easier management of the software D. Can be used in the place of traditional backups

Can be used in the place of traditional backups

You are designing a Web site that showcases and sells fine jewelry. Which of the following will be the most useful to your visitors? A. A benefits statement B. Clear images C. A link to the About Us tab D. A call to action

Clear images

Testing an application to verify how well it functions with other software is commonly referred to as ___________. A. regression testing B. unit testing C. compatibility testing D. software stress testing

Compatibility Testing

Which of the following is NOT a common method used by identity thieves to gain a victim's personal information? A) Launching e-mail phishing attacks B) Exploiting unsecured social networking sites C) Scanning old computers D) Contacting law enforcement

Contacting Law Enforcement

What is NOT an example of cloud computing? A) Google Docs B) Online e-mail services C) Online Data Storage Services D) A Static Web Page

D) A Static Web Page

Software that executes on two or more computers in a network is a __________ application. A) Single-Point-Of-Failure B) Mainframe C) Client/Server D) Distributed

D) Distributed

Which of the following is NOT a key security concern regarding the Internet of Things? A) Privacy B) Authorization C) Encryption D) Efficiency

D) Efficiency

Which of the following is employed to monitor and detect possible attacks to a network? A) Demilitarized Zone (DMZ) B) Proxy Server C) Router D) Intrusion Detection System (IDS)

D) Intrusion Detection System

Which of the following detects suspicious network traffic and alerts the administrator but does NOT deter attacks? A) Domain Name System (DNS) B) Proxy Server C) Intrusion Prevention System (IPS) D) Intrusion Detection System (IDS)

D) Intrusion Detection System (IDS)

Which domain of an IT infrastructure primarily includes the equipment and data an organization uses to support its IT infrastructure? A) User B) Workstation C) LAN D) System/Application

D) System/Application

Many refer to the Semantic Web as A) Social Networking B) Social Media C) Web 2.0 D) Web 3.0

D) Web 3.0

Which type of endpoint communication is NOT susceptible to malware (virus) infection? A. E-Mail B. Instant Messaging/chat C. Internet Browsing D. SMS Messaging

D. SMS Messaging

Marta, a programmer, is aware of an authorization weakness in the company's human resources system. She uses that knowledge to access the system and change her pay grade to a higher salary level. Which of the following best describes this situation? A. Elevation of privilege B. Disclosure of confidential data C. Data tampering D. Luring attack

Data Tampering

What type of network protection does PCI DSS recommend for servers that need to be accessed by both internal and external sources? A. Switches B. Hubs C. Demilitarized zone (DMZ) D. Virtual local area network (VLAN)

Demilitarized Zone (DMZ)

Which of the following attacks does NOT use impersonation Techniques? A. Credential/Session Prediction B. Cross-Site Scripting C. Session Fixation D. Denial of Service

Denial of Service

During which stage of the software development life cycle do developers clearly establish an application's features and operational functions? A. Maintenance B. Designing C. Implementation D. Testing

Designing

Which of the following is a common feature of limited two-way customer-service communication for a Web site? A) Customer survey B) Feedback form C) E-mail support links D) Downloadable product documentation

Downloadable product documentation

You are a disgruntled software coder. You are designing an authentication process for a Linux-driven Web application that will allow commands to run the application as the account with the highest privileges—the root user in Linux. After you leave the company, you plan to sabotage the company's data. What is this type of access called? A. Elevation of privilege B. Data tampering C. Run as administrator D. Session privilege

Elevation of privilege

Which of the following is true of ransomware? A) Encrypts files and folders on a computer system B) Affects consumers but not businesses C) Victim has no choice but to pay the ransom D) Reformatting an infected hard drive can re-encrypt the data

Encrypts files and folders on a computer system

Which type of attack primarily gathers information about a target system, such as the operating system version and network architecture? A. Cross-site scripting B. Content spoofing C. Denial of service D. Fingerprinting

Fingerprinting

What is the secure version of Hypertext Transfer Protocol? A. SFTP B. SNMP C. SSH D. HTTPS

HTTPS

What protocol should be used when transferring confidential data between a client and a Web server? A. HTTP B. SMTP C. HTTPS D. FTP

HTTPS

Secure Sockets Layer (SSL) uses what type of process to authenticate a service to a client? A. Handshake B. High Five C. Accounting D. Labeling

Handshake

A bank that offers online banking should use which of the following to secure communications between the bank's server and customer Web browsers? A) Hypertext Transfer Protocol (HTTP) B) File Transfer Protocol (FTP) C) Hypertext Transfer Protocol Secure (HTTPS) D) Telnet

Hypertext Transfer Protocol Secure (HTTPS)

_______ occurs when a cybercriminal acquires and then uses your personal information to effectively become you for conducting transactions. A) Eavesdropping B) Identity theft C) Social engineering D) Malware

Identity Theft

Which of the following is a best practice for coding in HTML? A. Do not encrypt the HTML code. B. Keep the code clean and simple. C. Constantly check all source code for unexpected changes. D. For efficiency, validate forms or URLs, but not both.

Keep the code clean and simple

Which of the following merchant levels requires an annual onsite audit and quarterly network scans? A. Level 1 B. Level 2 C. Level 3 D. Level 4

Level 1

A malicious user tries to gain access to a Web application by using an account with few privileges to coerce an entity with more privileges to perform an action on behalf of the malicious user. Which of the following best describes this situation? A. Elevation of privilege B. Disclosure of confidential data C. Data tampering D. Luring attack

Luring Attack

An e-mail spammer exploits Simple Mail Transfer Protocol (SMTP) and Internet Message Access Protocol (IMAP) injection vulnerabilities to obtain e-mail addresses. Which attack is being described? A. SQL injection B. Fingerprinting C. Mail command injection D. HTTP request splitting

Mail command injection

During which stage of the software development life cycle do developers create service packs, review logs, and review error reports? A. Maintenance B. Designing C. Implementation D. Testing

Maintenance

_________ is an all-encompassing term referring to all forms of malicious software. A) Ransomware B) Malware C) Phishing D) Persuasion

Malware

Which access control method assigns sensitivity labels to objects and compares them to the user's assigned level of sensitivity? A. Discretionary access control (DAC) B. Mandatory access control (MAC) C. Rule-based access control D. Role-based access control

Mandatory Access Control (MAC)

Marilyn used a computer at a local Internet café to access her favorite social networking sites, and then left without logging out of the computer. Which OWASP top 10 threat to online privacy is she most likely at risk for? A) Missing or insufficient session expiration B) Operator-sided data leakage C) Outdated personal information D) Web application vulnerabilities

Missing or insufficient session expiration

You are a systems administrator of a Windows Server computer. You want to allow a group of users to create new files and folders, list and view the contents of a folder, and delete files, but not be able to change permissions on the files or folders. Which NTFS permission do you assign? A. Full Control B. Modify C. Read & Execute D. Write

Modify

Which of the following will result in noncompliance with the requirements of PCI DSS? A. Not storing card account number in an unreadable format B. Not maintaining a password change policy C. Not encrypting transmission when a user changes his or her e-mail preferences on the Web site D. Not providing the ability to refund card charges on the Web site

Not storing card account numbers in an unreadable format

You tested an application and found security holes. What is the first step you should take to mitigate the security deficiencies? A. Develop a mitigation plan. B. Outline vulnerabilities. C. Classify vulnerabilities and establish a priority. D. Retest.

Outline vulnerabilities

Which term refers to the way an application controls the data it produces, such as log data, error messages, or raw data passed to another application? A. Input Handling B. Whitelisting C. Output Handling D. Output Stripping

Output Handling

Which of the following could be the end result for a Web application that doesn't have proper Transport Layer protection? A. Personal data sent from the browser could be intercepted and read by others. B. IP addresses could be redirected to a malicious Web site. C. The Web site is vulnerable to cross-site scripting attacks. D. The Web site is vulnerable to SQL injection attacks.

Personal data sent from the browser could be intercepted and read by others.

Which of the following is social engineering? A) Phishing B) Ransomware C) Wi-Fi Eavesdropping D) Use of cookies

Phishing

Which of the following is NOT a form of social engineering? A) Phishing B) Shoulder surfing C) Ransomware D) Dumpster diving

Ransomware

A consumer purchases downloadable music from an e-commerce Web site and the credit card is credited immediately. What is the name of this process? A. Batch processing B. Real-time processing C. Cash processing D. Delayed processing

Real-time processing

Testing modified applications to ensure that no new errors have been introduced in the process of upgrading or patching is commonly referred to as ___________. A. regression testing B. unit testing C. penetration testing D. vulnerability testing

Regression Testing

Which PCI DSS requirement addresses patching, monitoring, and automatic updates? A. Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data B. Requirement 2: Don't Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters C. Requirement 3: Protect Stored Cardholder Data D. Requirement 6: Develop and Maintain Secure Systems and Applications

Requirement 6: Develop and Maintain Secure Systems and Applications

After deploying a Web site application in a production environment, which of the following requires the quickest response time by developers? A. Responding to intermittent error messages about a resource limitation B. Responding to user feedback regarding a usability suggestion C. Responding to a security breach D. Enhancing features

Responding to a security breach

You configured a firewall to reject all addresses in the 192.166.x.x range of Internet Protocol (IP) addresses. Anything using that address that attempts to get through the firewall will be denied. What type of access control method are you using? A. Discretionary access control (DAC) B. Mandatory access control (MAC) C. Rule-based access control D. Role-based access control

Rule-Based Access Control

During a PCI DSS compliance audit, the auditor selects representative elements of all the computer components in a merchant's network and tests them for compliance. What is the name of this process? A. Imaging B. Batching C. Sampling D. Transactional Metering

Sampling

What type of validation is more important from a security perspective for a Web application? A. Server side B. Client side C. Browser side D. Network side

Server Side

Within a Web application, _________ occurs when a hacker uses network monitoring software to steal the authentication tokens (cookies) that are used to represent an authenticated user's session. With the stolen cookies, the malicious user spoofs the Internet browser and gains access to the application. A. session hijacking B. session replay C. a man-in-the-middle attack D. SQL injection

Session Hijacking

Clickjacking is a form of ________. A) Social Network Scam B) Social Engineering C) Wi-Fi Eavesdropping D) Pretexting

Social Network Scam

Testing an application by pushing it to its limits to detect breaking points is commonly referred to as ___________. A. regression testing B. unit testing C. compatibility testing D. software stress testing

Software Stress Testing

Which of the following is generally NOT a result of a buffer overflow attack? A. The attacker crashes an application or process. B. The attacker modifies an application or process. C. The attacker takes temporary ownership of an application or process. D. The attacker upgrades the application.

The attacker upgrades the application

Which of the following best describes the integration testing methodology? A. The person testing assumes no knowledge of the inner code or application processing. B. The person testing examines the code of an application. C. The person testing checks for additional errors that may have been introduced in the process of upgrading or patching to fix other problems. D. The person testing combines individual software modules and tests as a group.

The person testing combines individual software modules and tests as a group

Which best describes the white box testing methodology? A. The tester assumes no knowledge of the inner code or application processing. B. The tester examines the code of an application. C. The tester checks for additional errors that may have been introduced in the process of upgrading or patching to fix other problems. D. The tester combines individual software modules and tests as a group

The tester examines the code of an application

What is the primary purpose of the headline on a Web page? A. To attract visitors' attention and entice them to keep reading B. To improve functionality of the Web site C. To show how your product or service solves an immediate problem D. To tell your visitors what to do on your Web site

To attract visitors' attention and entice them to keep reading

Which of the following is NOT a best practice for maintaining PCI DSS compliance? A. Use firewalls. B. Use complex firewall rules to reduce or eliminate passage of malicious traffic. C. Maintain current documentation for policies and systems. D. Monitor internal PCI DSS processes daily.

Use complex firewall rules to reduce or eliminate passage of malicious traffic

Which of the following is NOT a fundamental aspect of JavaScript secure coding standards? A. The goal is to have obviously no flaws rather than no obvious flaws. B. Avoid duplication. C. Restrict privileges. D. Use dynamic SQL.

Use dynamic SQL

Which of the following is part of both PCI DSS Requirement 3: Protect Stored Cardholder Data and Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks? A. Store only necessary cardholder data. B. Develop a cardholder data retention policy. C. Use encryption. D. Develop disposal policies.

Use encryption

You want to know which geographic areas your Web site visitors come from. Which Web site analytic statistic can provide this information? A. Visitor location B. Browser statistics C. Bounce rate D. Visitor path

Visitor Location

Which of the following techniques would help a Web application properly validate user input? A. Cleansing all data in the database B. Blacklisting unknown IP addresses C. Whitelisting and accepting only known good characters D. Using Secure Sockets Layer (SSL) for all user input

Whitelisting and accepting only known good characters

Which of the following is true of Common Gateway Interface (CGI)? A. It is a programming language. B. It is a type of encrypted communication. C. You can create CGI scripts in C, C++, Perl, Java, and ASP. D. You use CGI mainly to create static Web pages.

You can create CGI scripts in C, C++, Perl, Java, and ASP
