Web Security Exam 1 study Guide
Which of the following can be used in a social engineering attack? (Select three.) A. Dumpster diving B. Shoulder surfing C. Trojan horse D. Persuasion
A. Dumpster diving B. Shoulder surfing D. Persuasion
Which of the following is a photoblogging Web site? A. Flickr B. Delicious C. Wordpress D. Wikipedia
A. Flickr
Rafael used a computer at a local Internet café to access his favorite social networking sites, and then left without logging out of the computer. Which OWASP top 10 threat to online privacy is he most likely at risk for? A. Missing or insufficient session expiration B. Operator-sided data leakage C. Outdated personal information D. Web application vulnerabilities
A. Missing or insufficient session expiration
Which of the following provides operating systems or platform applications over the Internet? A. SaaS B. PaaS C. IaaS D. IoT
B. PaaS
John recently received an e-mail that included a link to reset his PayPal password. This is likely a form of which of the following? A. Malware B. Phishing C. Cookies D. Insecure networks
B. Phishing
You have to connect three remote employees to the corporate network. Which of the following technologies would you use? A. SSL B. VPN C. One-way communication D. Remote acquisition
B. VPN
Greg has recently discovered that all of the files and folders on his laptop are encrypted. He is a victim of a ransomware attack. Which is the best way for Greg to get access to his files? A. Pay for the decryption key. B. Hire tech support to create a decryption key. C. Format, reinstall, and use backups. D. Buy a new laptop.
C. Format, reinstall, and use backups.
Which of the following delivers an infrastructure, including servers, storage, and networking components, over the Internet? A. SaaS B. PaaS C. IaaS D. IoT
C. IaaS
Which of the following has not been a factor in the development of the Internet of Things? A. Enhancements to networking infrastructure B. The relatively low cost of storage and computing power C. Stringent federal legislation requiring use of encryption on all "smart" devices D. Networking protocol advancement (IPv6)
C. Stringent federal legislation requiring use of encryption on all "smart" devices
What is NOT an example of cloud computing? A. Google Docs B. Online e-mail services C. Online data storage services D. A static Web page
D. A static Web page
Many security features are available for building a secure system. Which of the following is NOT is categories of security features? A. Authentication B. Auditing C. Authorization D. Integrity
D. Integrity
Packet-switched networks use independent routing, which allows which of the following? A. Networks to operate independently from each other B. Packets to seek the lowest bandwidth route C. Networks to better balance their bandwidth D. Packets to take an alternate route if a route is unavailable
D. Packets to take an alternate route if a route is unavailable
_____ is the protection of individual rights to nondisclosure. A. Integrity B. Nonrepudiation C. Authentication D. Privacy
D. Privacy
Describe Problems and possible solutions associated with Web site hosting?
Few reasons why an e-commerce site may fail even though it is available all the time. No visitor tracking —Web analytic tools help track and trace visitors, allowing e-business to watch for trends and patterns that help focus their site. For Example : Google Analytics provide a detailed look at the traffic flow at e-business website. Poor site design —An e-business site design may be unappealing and difficult to work with. Make sure your website is visually appealing and Easy to understand Confusing checkout procedures —If analytic software shows that visitors are leaving when they get to the checkout, you have a problem with checkout procedures. Make sure your checkout procedures are defined and not over-complicated
IoT looks like a feature technology that already entered. In that context what are the security concern emerges with that.
IoT privacy—With billions of interconnected devices each relaying a portion of data, privacy concerns become a significant issue. For example: medical information, daily habits and other personal data may be compromised, allowing snoops and hackers to develop patterns and profiles of person`s life. End-to-end encryption— Many of the devices that may be connected with the IoT framework, may not by default use end-to-end transport encryption. System administrators will need to determine the importance of particular data sets and ensure that critical data cannot be read during transport. For example, seemingly harmless data sent from a valve in a manufacturing environment or a heart monitor on an outpatient, to doctor. Authorization and authentication— When securing IoT devices, it will be necessary to maintain "Authorization" -- refers to access control permissions determining who is allowed to do what with data or a device. "Authentication" -- refers to passwords or other methods of identity verification. Software updates/patching—One other standard security consideration is the management of updates and patches. Developers may not be thinking security as they first bring their IoT devices to market. Patches will be needed later to plug any security holes. The system administrator managing IoT will need to ensure that all devices are patched securely. Security concern is Blind Patching.
Write on E-mail scam protection
Policies Documented acceptable use practices Prevents misuse of e-mail by employees Educates users to prevent e-mail scams Procedures Used to secure e-mail communications Firewalls, security protocols, and physical security measures Different types of e-mail scams. 1) to steal information, 2) are hoaxes, 3) some carry malware or 4) simply annoying. Corporate environments use e-mail filtering software, like, Spam Titan - https://www.titanhq.com/email-protection/ Solar Winds MSP Symantec ZeroSpam ScanMail Suite Despite these efforts, e-mail scammers have a way to getting through. Some are as follows: Charity contribution Sudden emergency False virus solutions Petitions and protests Chain letters
What are the main types of Cloud Computing? Briefly describe each one.
SaaS—A software delivery method in which the cloud servers distribute specific applications or services to the client, typically through the client's Web browser. PaaS—A method of distributing operating systems or platform applications over the Internet. These platforms are often used to run the SaaS. IaaS—A method of delivering an infrastructure, which includes servers, storage, and networking components, over the Internet. BaaS — (not new category but new service?) Backend-as-a-Service (BaaS) - Backend as a service (BaaS), or mobile backend as a service (mBaaS) is a model of cloud computing in which the vendor provides web and mobile application developers with tools and services to create a cloud backend for their applications. BaaS vendors typically use custom SDKs and APIs to give developers the ability to connect their applications to backend cloud storage and features such as user management, push notifications, and social network integration.
What are the main types of Virtulization ? Briefly describe each one.
Server Virtualization: Server virtualization enables multiple operating systems to run on a single physical server as highly efficient virtual machines. Network Virtualization: By completely reproducing a physical network, network virtualization allows applications to run on a virtual network as if they were running on a physical network — but with greater operational benefits and all the hardware independencies of virtualization. Thus it presents logical networking devices and services — logical ports, switches, routers, firewalls, load balancers, VPNs and more — to connected workloads. Desktop Virtualization: Deploying desktops as a managed service enables IT organizations to respond faster to changing workplace needs and emerging opportunities. Virtualized desktops and applications can also be quickly and easily delivered to branch offices, outsourced and offshore employees, and mobile workers using iPad and Android tablets.
Which of the following is a bookmarking Web site? A. Facebook B. Delicious C. Wordpress D. Wikipedia
B. Delicious
Mimic sites (or pharming) are examples of which of the following? A. Phishing attacks B. E-commerce scams C. Malware D. Cookies
B. E-commerce scams
_______ occurs when a cybercriminal acquires and then uses your personal information to effectively become you for conducting transactions. A. Eavesdropping B. Identity theft C. Social engineering D. Malware
B. Identity theft
Sarah has recently logged on a shopping site to purchase a new bicycle and bike shorts. She is concerned that the communication link is not secure. Which of the following could she check to verify a secure link? A. Contact the vendor via e-mail for a purchase policy B. Verify that HTTPS is being used in the URL C. Verify that HTTP is being used in the URL D. Uncheck the auto-fill option in the browser
B. Verify that HTTPS is being used in the URL
Describe briefly preventions against identity theft
Be very clear on what personal data can be used. Social Security or social insurance number, very rarely you need to put online. Monitor your credit report. Make it a habit to check your credit activity free of charge from the different credit bureaus. Create strong passwords. Use credit card numbers only on reputable sites. Verify secure transfers before entering credit card information. Clear the browser's cache if you are using a public computer. Do not use auto-fill forms on public computers. Use privacy controls on social networking sites. Ensure your home wireless access point is using strong encryption.
Describe briefly preventions against E-commerce scams
Be wary of unsolicited e-mail messages from charitable organization, auction sites, banks or others asking for money or personal information. Ensure that your antivirus software scans attachments for possible malware. Do not click links from unsolicited e-mail, as they may link to a mimic site. If you receive an e-mail request from a charity you'd like to support, Instead of clicking a link in the message, manually type the charity's Web address into your browser's address. Keep alert on sites pressuring you into providing sensitive information. Phishers like to use scare tactics to create a sense of urgency.
Which of the following is true of virtualization? A. You can build physical software versions of systems that behave like their virtual equivalents. B. A virtual machine is a physical implementation. C. A virtual machine can simulate a complete system or just one particular process. D. A host can run only a single virtual machine at one time.
C. A virtual machine can simulate a complete system or just one particular process.
Which e-commerce concern is the ability to verify a person or system's identity? A. Integrity B. Nonrepudiation C. Authentication D. Privacy
C. Authentication
You have been asked to reduce the number of applications you host on your internal network. You decide to use an online version of the company's accounting software. This may be an example of which of the following? A. Virtualization and SaaS B. Cloud computing and IaaS C. Cloud computing and SaaS D. Virtualization and IaaS
C. Cloud computing and SaaS
Small files containing information you enter on some Web pages, including username and password combinations, are called which of the following? A. Malware B. Phishing C. Cookies D. Viruses
C. Cookies
"Contact us" forms are an example of which of the following? A. One-way communication B. Full two-way communication C. Limited two-way communication D. Full one-way communication
C. Limited two-way communication
Which of the following are two of the most common online banking threats? A. Spoofing and ransomware B. Phishing and persuasion C. Spoofing and phishing D. Persuasion and shoulder surfing
C. Spoofing and phishing
Which OWASP top 10 threat to online privacy is most likely to be used by advertisers to develop a demographic profile and target ads to Web users? A. Insufficient deletion of personal data B. Web application vulnerabilities C. Outdated personal information D. Collection of data not required for the primary purpose
D. Collection of data not required for the primary purpose
Which of the following is NOT a common method used by identity thieves to gain a victim's personal information? A. Launching e-mail phishing attacks B. Exploiting unsecured social networking sites C. Scanning old computers D. Contacting law enforcement
D. Contacting law enforcement
Which of the following is NOT a key security concern regarding the Internet of Things? A. Privacy B. Authorization C. Encryption D. Efficiency
D. Efficiency
The following is NOT an effective method of mitigating e-mail scams? A. Creating acceptable use policies for e-mail usage B. Monitoring inbound and outbound messages C. Using e-mail filtering software D. Posting privacy policies on the company Web site
D. Posting privacy policies on the company Web site
Many people refer to the Semantic Web as ________. A. social networking B. social media C. Web 2.0 D. Web 3.0
D. Web 3.0
What are the Online Banking Threats/Risks and How to Mitigate Online Banking Risks?
Spoofing Fake Websites capture user info Also referred to as pharming Typosquatting or URL hijacking Demo :bankfoamerica.com Phishing attacks E-mails used to trick users into performing certain actions. Ex: Clicking on a link, that take you hackers website that delivers malware. Few best practices are follow, can make possible to increase your online banking security. Authentication security—Password management. Use strong passwords that are very difficult for password cracker applications to figure out. Develop a password rotation policy so that you change passwords periodically. Site encryption—When conducting an online transaction such as banking, make sure you see the "https" in the URL A dedicated computer—It is often a good idea to use a dedicated computer for online transactions. It is probably not a good idea to use a shared computer that your kids use to play online games, or watch downloaded movies or computers - systems are at hotel lobby.
Describe Risks / Threats of Business web sites, when connect to internet.
Threats for business websites: Web sites are prone to: Attacks from crackers, hackers, terminated employees, competitors, and others. Threats includes: Denial-of-service (DoS) attacks, stop access to authorized users of a Web site, so that the site is forced to offer a reduced level of service or, in some cases, stop completely. Data theft, which involves criminals gaining access to sensitive data such as price lists, catalogues, and valuable intellectual property, and altering, destroying or copying it. Alterations to your Web site by criminals who would damage your image or direct your customers to another site. Unauthorized access to financial information about your business or your customers, with a view to perpetrating fraud. Viruses that may be used to corrupt your business data.
Describe Vulnerabilities of web applications.
To mitigate these risks, you must consider several areas. Firmware: Need to check periodically if new firmware has been released; then update. Operating systems and applications: It is a best practice of security professional, to periodically check a software vendor's website for updates, service packs, and patches. Coding and PL/SQL vulnerabilities: Application may contain coding flaws. SQL injections allow an attacker to retrieve crucial information from a Web server's database by carefully crafted statements that an attacker can enter into the username or password fields.
Write on Virtualization v/s Cloud Computing with at least 2-2 examples of each.
Virtualization vs. Cloud Computing : Although equally buzz-worthy technologies, virtualization and cloud computing are not interchangeable. Virtualization is software that makes computing environments independent of physical infrastructure, while cloud computing is a service that delivers shared computing resources on demand via the Internet. A virtualized server can be ran alongside other virtualized servers while a cloud server is simply a server that can be accessed remotely without the need for the individual to have said infrastructure Virtual networks allow entire "Physical Networks" to be simulated in a single box while with cloud computing, the physical network aspect would still be required to be physical to an extent
Describe transition from web 2.0 to web 3.0 including idea of semantic web.
Web 2.0 has changed the online experience. The new high-speed technologies have helped facilitate Web 2.0. Web 2.0, sites started providing user-generated content with tools for content creation, collaboration, and communication. While Web 3.0 is new vision of Tim Berners-Lee, who originally created the World Wide Web, in 1991. (or 1989 ?) Web 3.0 will be the transformation of the Web into one giant, online database. The Web could then be searched and categorized like any other database. This would allow greater control of searching and manipulation of information. Web 3.0 or the Semantic Web is all about information access, retention, organization, and categorization.
Describe any 4 from The OWASP Top 10 Privacyrisks
Web Application Vulnerabilities - Security flaws are often discovered in applications, and unless these programs are patched and updated, cybercriminals can take advantage of these flaws. Web application vulnerabilities are data leaks resulting from out-of-date or unpatched applications. Operator-Sided Data Leakage- Operator-sided data leakage refers to the accidental or neglectful release of personal information. Often operators (individual users) do this by unknowingly sharing personal information with malicious users. Insufficient Data Breach Response - When you fail to responsible reaction, once you know or suspect, the data breach happen to your system. Then it is referred as Insufficient data breach response. It is a risk you run - carry with it. Your data and that of other users might be compromised. Insufficient Deletion of Personal Data- Insufficient deletion of personal data refers to failure to remove sensitive data after its intended purpose has ended. Like from an old hard disk, on a backup tape, in an online Web form, social network site, cached online. It is important to know where sensitive data is in order to properly delete and remove it from potential threat. Non-transparent Policies, Terms, and Conditions- The terms and policies on websites (Social networking, online dating, online banking, investment, and online shopping) make clear (?), that your information may be shared with a third party. By signing up, you agree to this policy. This is the risk known as non-transparent policies, terms and conditions Collection of Data Not Required for the Primary Purpose- You may be giving out personal data for one purpose, suppose you list your graduation date on a social networking site, or the ages of your children or their gender. The site, though, is using it for another reason, like creating demographic tables for marketing. This is the risk known as collection of data not required for the primary purpose. Sharing of Data With Third Party- Some sites will share, your provided personal information, with another company for money, the data you assume will be kept private. This is common issue known as sharing of data with a third party. Mostly, this information is used primarily for advertising. Outdated Personal Data- Outdated personal information could be harmful to one`s reputation and breach of privacy. Missing or Insufficient Session Expiration- Privacy issues arise when users are not properly closed sessions or discontinued sessions, after use of financial, social networking sites. This is the risk known as missing or insufficient session expiration. Insecure Data Transfer- Private and personal data transmitted over networks and much of the data is sent over secure networks using encryption protocols. However, data continues to be sent over unsecured public wireless networks, as well. This is risk known as Insecure data transfer
Which of the following is NOT a mitigation best practice for online banking risks? A. A shared computer B. Authentication security C. Site encryption D. Virus scanning
A. A shared computer
Which of the following are included in CLM (Customer Life cycle) ? A. Acquisition B. Retention C. Suspension D. Conversion
A. Acquisition B. Retention D. Conversion
You run a service-oriented Web site aimed at consumers. You gather contact information from Web site visitors who order your service or who request to be put on your e-mail list. You have a privacy policy posted on your Web site, and you do not disclose the contact information to another business or party. Which security tenet are you upholding? A. Confidentiality B. Integrity C. Availability D. Authorization
A. Confidentiality
You are designing a customer-service strategy for a large company. The client has asked that you incorporate full two-way communication between service staff and the customer. Which of the following methods would you suggest? A. E-mail support B. FAQ C. Customer feedback forms D. VoIP
A. E-mail support D. VoIP
Blake is using a public computer in an Internet café to update personal information. Which of the following are steps he can take to ensure his privacy? (Select two.) A. Ensure no one is shoulder surfing B. Bookmark the site for faster retrieval C. Erase the browser history when finished D. Make sure auto-fill is enabled
A. Ensure no one is shoulder surfing C. Erase the browser history when finished
One of the advantages of doing business online is that business can be conducted 24 hours a day, 7 days a week. Which part of the architecture design allows this to happen? A. High availability B. Backups C. Accelerated routers D. Online data recovery
A. High availability
Which of the following describes the connection of everyday devices and appliances to the Internet? A. Internet of Things (IoT) B. Virtualization C. Protocol computing D. World Wide Web
A. Internet of Things (IoT)
Which of the following describes a patch? A. Is a single software fix designed to fix a specific issue B. Is a major upgrade to an application C. May provide enhanced features for an operating system D. Requires an administrator to take a performance baseline before applying
A. Is a single software fix designed to fix a specific issue
Daniel is an avid user of social networking sites. He continues to post detailed information about upcoming trips, personal photos showing children, and his phone number and contact information. Which of the following OWASP privacy threats refers to his situation? A. Operator-sided data leakage B. Web application vulnerabilities C. Outdated personal information D. Insecure data transfer
A. Operator-sided data leakage
Which protocol is used by HTTPS for encrypting data between the client and the host? A. SSL B. SSH C. RSH D. TFTP
A. SSL
Which of the following provides specific applications or services to a client over the Internet? A. SaaS B. PaaS C. IaaS D. IoT
A. SaaS
Which of the following are required to establish a VPN connection? A. VPN client B. VPN server C. SSL D. Transmission media
A. VPN client B. VPN server D. Transmission media
Which of the following protocols is NOT a Web communication protocol that authenticates users or computers? A. VoIP B. PPTP C. IPSec D. L2TP
A. VoIP
Suppose you are in charge for defining and updating web polices guide for e-commerce web sites. Explain with "example web policies guide" - having detail of how data is secured and managed.
Authentication-Verification of the identity of the user Authorization-Allowing manipulation of resources in a specific way Encryption-Hiding information by making it not readily understandable to unauthorized users Auditing-Keeping records of operations and transactions
Despite the overwhelming trend of companies having an online presence, some companies do not see an adequate return on investment from a Web site; or their Web site generates very little interest. Which of these following characteristics might not be a factor for poor performance by a Web site? A. Poor visitor tracking B. 7/24/365 availability C. Poor site design D. Confusing checkout procedures
B. 7/24/365 availability
Tim Berners-Lee, the original creator of the World Wide Web, envisions the future Web 3.0 more resembling which of the following? A. A dynamic document B. A database C. A fully redundant network D. A user-generated social network
B. A database
What is qualified Web traffic? A. Any visitor who clicks ads on your Web site B. Any visitor who fits your desired demographic C. All Web traffic that is reported on in Google Analytics D. All Web traffic that comes to your site from a social networking site
B. Any visitor who fits your desired demographic
Describe Risk Inherent in Unsecure Systems and How to Manage that Risks.
1. System protocol security Transmission Control Protocol/Internet Protocol (TCP/IP) TCP: Responsible for providing reliable transmissions between systems. IP: Responsible for addressing and route selection of individual packets of data. Some protocols in TCP/IP suite are highly insecure FTP, HTTP, more Use SFTP, HTTPS, etc. instead 2. Securing IP communications: When data is sent over the network, it is assumed that it will reach its intended destination without being accessed and viewed by anyone it is not intended for. But, issue is basic IP transmissions lack security. One of the Solution : Internet Protocol Security (IPSec) Operates at the IP Layer. Encrypts most network communications transparently. Provides a way to protect sensitive data as it travels within a LAN. Guards against eavesdropping, address spoofing, man-in-the-middle attacks, denial of service (DoS) attacks, sniffer attacks. 3. Managing application and coding security A lot of software today is released with security flaws. Browsers, operating systems, and office applications are examples of software that has been released with significant security concerns. Countermeasure is to continuously apply patches and/or service packs. Patch is a single software fix designed to fix a specific issue. For example, a patch may be released to plug a security flaw in a browser. 4. Using Service Packs Service pack is a major upgrade to an application. Check the manufacturer's Web site : Whether it is Microsoft Windows, Linux, or any other software vendor, their respective websites keep listing the latest service pack, instructions for installation, and any known compatibility issues. Verify resources: Does your system have enough hard disk space or memory to accommodate the new service pack? Back up the system Take a performance baseline May require to reconfigure the system, as per need.
Which of the following is true of the Internet and the World Wide Web? A. The Internet is the largest private network. B. The Internet is a mass interconnected collection of computer networks. C. The primary communications protocol suite used on the World Wide Web is Hypertext Transfer Protocol (HTTP). D. The Internet is a secure medium.
B. The Internet is a mass interconnected collection of computer networks.
