com final
| Question | Answer |
|---|---|
| A stack buffer overflow is also referred to as (BLANK) | stack smashing |
| The function of (BLANK) was to transfer control to a user command-line interpreter, which gave access to any program available on the system with the privileges of the attacked program | shellcode |
| (BLANK) aim to prevent or detect buffer overflows by instrumenting programs when they are compiled | Compile-time defenses |
| (BLANK) can prevent buffer overflow attacks, typically of global data, which attempt to overwrite adjacent regions in the process's address space, such as the global offset table | guard pages |
| The (BLANK) used a buffer overflow exploit in “fingerd” as one of its attack mechanisms | The Morris Internet Worm |
| (BLANK) is a tool used to automatically identify potentially vulnerable programs | fuzzing |
| Traditionally the function of (BLANK) was to transfer control to a user command-line interpreter, which gave access to any program available on the system with the privileges of the attacked program | shellcode |
| (BLANK) attacks are one of the most common attacks seen | buffer overflow attacks |
| Buffer overflow exploits are (BLANK) a major source of concern to security practitioners | still |
| A buffer overflow error is (BLANK) likely to lead to eventual program termination | very |
| To (BLANK) any type of buffer overflow the attacker needs to identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker's control | identify |
| At the basic (BLANK), all of the data manipulated by machine instructions executed by the computer processor are stored in either the processor’s registers or in memory | machine level |
| Java (BLANK) suffer from buffer overflows because it permits more data to be saved into a buffer than it has space for | don’t |
| Stack buffer overflow attacks were first seen in the (BLANK) | Morris Internet Worm (1988) |
| A stack overflow can result in some form of a (BLANK) attack on a system | denial-of-service |
| An attacker is more interested in (BLANK) to a location and code of the attacker’s choosing rather than immediately crashing the program | control |
| The potential for a buffer overflow exists anywhere that data is copied or merged into a (BLANK), where at least some of the data are read from outside the program | buffer |
| Shellcode (BLANK) specific to a particular processor architecture | is |
| There are several (BLANK) restrictions on the content of shellcode | generic |
| An attacker (BLANK) generally determine in advance exactly where the targeted buffer will be located in the stack frame of the function in which it is defined | cannot |
| Shellcode (BLANK) be able to run no matter where in memory it is located | must |
| Buffer overflows (BLANK) be found in a wide variety of programs, processing a range of different input, and with a variety of possible responses | can |
| “Incorrect Calculation of Buffer Size” is in the (BLANK) software error category | Risky Resource Management |
| “Improper Access Control (Authorization)” is in the (BLANK) software error category | Porous Defenses |
| Defensive programming is sometimes referred to as (BLANK) | Secure Programming |
| Incorrect handling of program (BLANK) is one of the most common failings in software security | input |
| (BLANK) is a program flaw that occurs when program input data can accidentally or deliberately influence the flow of execution of the program | injection attack |
| A (BLANK) attack occurs when the input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server | command injection |
| A (BLANK) attack is where the input includes code that is then executed by the attacked system | code injection |
| Blocking assignment of form field values to global variables is one of the defenses available to prevent a (BLANK) attack | code injection |
| (BLANK) attacks are vulnerabilities involving the inclusion of script code in the HTML content of a Web page displayed by a user’s browser | cross-site scripting (XSS) attacks |
| A (BLANK) is a pattern composed of a sequence of characters that describe allowable input variants | regular expression |
| The intent of (BLANK) is to determine whether the program or function correctly handles all abnormal inputs or whether it crashes or otherwise fails to respond appropriately | fuzzing |
| A steady reduction in memory available on the heap to the point where it is completely exhausted is known as a (BLANK) | memory leak |
| The most common technique for using an appropriate synchronization mechanism to serialize the accesses to prevent errors is to acquire a (BLANK) on the shared file, ensuring that each process has appropriate access in turn | lock |
| (BLANK) are a collection of string values inherited by each process from its parent that can affect the way a running process behaves | Environment variables |
| The most common variant of injecting malicious script content into pages returned to users by the targeted sites is the (BLANK) vulnerability | XSS reflection |
| Many computer security vulnerabilities result from (BLANK) | poor programming practices |
| Security flaws occur as a consequence of (BLANK) checking and validation of data and error codes in programs | insufficient |
| Software (BLANK) is closely related to software quality and reliability | Software security |
| A difference between defensive programming and normal practices is that (BLANK) is assumed | nothing |
| Programmers often make (BLANK) about the type of inputs a program will receive | assumptions |
| Defensive programming requires a changed mindset to (BLANK) | traditional programming practice |
| To counter (BLANK) attacks a defensive programmer needs to explicitly identify any assumptions as to the form of input and to verify that any input data conform to those assumptions before any use of the data | command injection |
| (BLANK) can occur whenever one program invokes the services of another program, service, or function and passes to it externally sourced, potentially untrusted information without sufficient inspection and validation of it | New injection attacks variants |
| (BLANK) attacks attempt to bypass the browser’s security checks to gain elevated access privileges to sensitive data belonging to another site | Cross-site scripting |
| To prevent (BLANK) attacks any user supplied input should be examined and any dangerous code removed or escaped to block its execution | XSS attacks |
| A(n) (BLANK) character can be encoded as a 1 to 4 byte sequence using the UTF-8 encoding | Unicode |
| Without suitable (BLANK) it is possible that values may be corrupted, or changes lost, due to overlapping access, use, and replacement of shared values | synchronization of accesses |
| The correct implementation in the case of an atomic operation is to (BLANK) for the presence of the lockfile and to not always attempt to create it | not to test separately |
| The first step in deploying new systems is (BLANK) | planning |
| The first critical step in securing a system is to secure the (BLANK) | base operating system |
| (BLANK) applications is a control that limits the programs that can execute on the system to just those in an explicit list | white-list applications |
| Cryptographic file systems are another use of (BLANK) | encryption |
| Once the system is appropriately built, secured, and deployed, the process of maintaining security is (BLANK) | continuous |
| The range of logging data acquired should be determined (BLANK) | during the system planning stage |
| The (BLANK) process makes copies of data at regular intervals for recovery of lost or corrupted data over short time periods | Backup |
| The (BLANK) process retains copies of data over extended periods of time in order to meet legal and operational requirements | Archive |
| The needs and policy relating to backup and archive should be determined (BLANK) | during the system planning stage |
| (BLANK) systems should not run automatic updates because they may possibly introduce instability | Change controlled |
| Most large software systems (BLANK) have security weaknesses | will |
| Each layer of code needs appropriate (BLANK) measures in place to provide appropriate security services | hardening |
| Lower layer security (BLANK) impact upper layers | does |
| It is (BLANK) for a system to be compromised during the installation process | quite possible |
| A plan needs to identify appropriate (BLANK) to install and manage the system, noting any training needed | personnel |
| The purpose of the system (BLANK) need to be taken into consideration during the system security planning process | does |
| The default configuration for many operating systems usually maximizes (BLANK) | ease of use and functionality, rather than security |
| Ideally new systems should be constructed on a(n) (BLANK) network in order to prevent installation restrictions | protected network |
| A (BLANK) can potentially bypass many security controls to install malware | malicious driver |
| Passwords installed by default (BLANK) secure and need to be changed | are not |
| A very common configuration fault seen with Web and file transfer servers is for all the files supplied by the service to be owned by the same (BLANK) account that the server executes as | “user” |
| Manual analysis of logs (BLANK) a reliable means of detecting adverse events | is tedious and is not |
| Performing regular (BLANK) of data on a system is a critical control that assists with maintaining the integrity of the system and user data | backups |
| Backup and archive processes are (BLANK) linked and managed together | often |
| Measured service and rapid elasticity are essential characteristics of (BLANK) | cloud computing |
| A (BLANK) cloud provides service to customers in the form of a platform on which the customer’s applications can run | PaaS |
| The use of (BLANK) avoids the complexity of software installation, maintenance, upgrades, and patches | SaaS |
| A (BLANK) infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services | public cloud |
| Examples of services delivered through the (BLANK) include database on demand, e-mail on demand, and storage on demand | private cloud |
| The (BLANK) cloud deployment model is the most secure option | Private |
| A (BLANK) is an entity that manages the use, performance and delivery of cloud services, and negotiates relationships between CSPs and cloud consumers | Cloud broker |
| A (BLANK) is a person or organization that maintains a business relationship with, and uses service from, cloud providers | Cloud service consumer (CSC) |
| (BLANK) is the monitoring, protecting, and verifying the security of data at rest, in motion, and in use | Data loss prevention (DLP) |
| The core of (BLANK) is the implementation of intrusion detection systems and intrusion prevention systems at entry points to the cloud and on servers in the cloud | Intrusion management |
| (BLANK) comprise measures and mechanisms to ensure operational resiliency in the event of any service interruptions | Business continuity and disaster recovery |
| (BLANK) is the management software module that controls VMs within the IaaS cloud computing platform | Nova |
| A (BLANK) interconnects the IoT-enabled devices with the higher-level communication networks | gateway |
| The most vulnerable part of an IoT is the (BLANK) | Smart objects/embedded systems |
| (BLANK) has two operating modes, one tailored for single-source communication, and another tailored for multi-source broadcast communication | MiniSec |
| (BLANK) gives you the ability to expand and reduce resources according to your specific service requirement | Cloud computing |
| (BLANK) provides service to customers in the form of software, specifically application software, running on and accessible in the cloud | SaaS |
| There is an increasingly prominent trend in many organizations to move a substantial portion or even all IT operations to enterprise (BLANK) | cloud computing |
| In a (BLANK) the provider is responsible both for the cloud infrastructure and for the control of data and operations within the cloud | cloud provider |
| The major advantage of the public cloud is (BLANK) | cost |
| The three areas of support that a cloud broker can offer are (BLANK) | Service intermediation, Service aggregation, Service arbitrage |
| (BLANK) recommends selecting cloud providers that support strong encryption, have appropriate redundancy mechanisms in place, employ authentication mechanisms, and offer subscribers sufficient visibility about mechanisms [...] | NIST |
| Data must be secured while (BLANK) | at rest, in transit, and in use |
| The term (BLANK) has generally meant a package of security services offered by a service provider that offloads much of the security responsibility from an enterprise to the security service provider | security as a service (SaaS) |
| (BLANK) are third-party audits of cloud services | Security assessments |
| An (BLANK) is a set of automated tools designed to detect unauthorized access to a host system | IDS |
| The security module for OpenStack is (BLANK) | Keystone |
| The “smart” in a smart device is provided by a deeply embedded (BLANK) | Microcontroller |
| A key element in providing security in an IoT deployment is the (BLANK) | gateway |
| The buffer overflow type of attack has been known since it was first widely used by the (BLANK) in 1988. | Morris Internet Worm |