Domain 8 Exam.
A minimum of 70% is required to pass.
#1. Lisa learned that most databases implement concurrency control. What is concurrency? And why do we need to control it?
〇:A process that is running concurrently. If not properly controlled, the integrity of the database can be adversely affected.
Databases are used simultaneously by many different applications and many users interact with them at once. Concurrency means that different processes (applications and users) are accessing the database at the same time. If this is not properly controlled, processes can overwrite each other’s data or cause deadlock situations. The worst consequence of concurrency problems is poor integrity of the data held in the database. Database integrity is provided by concurrency protection mechanisms; one concurrency control is locking, which prevents users from accessing or modifying data being used by other users.
×:Processes running at different levels. If not properly controlled, they can adversely affect the integrity of the database.
Concurrency is incorrect because it refers to processes running at the same time, not at different levels. Concurrency problems occur when the database can be accessed simultaneously by different users or applications. If controls are not in place, two users can access and modify the same data at the same time, which can be detrimental to a dynamic environment.
×:The process of inferring new information from a review of accessible data. Inference attacks may occur.
The ability to infer new information from reviewing accessible data occurs when subjects at lower security levels indirectly infer data at higher levels. This can lead to an inference attack, but is not related to concurrency.
×:Storing data in multiple locations in the database. If not properly controlled, it can negatively impact database integrity.
Storing data in multiple locations is incorrect because there is no concurrency issue. Concurrency becomes an issue when two subjects or applications are trying to modify the same data at the same time.
#2. Database software must meet a requirement called the ACID test. In OLTP, why does the database software perform one of the requirements of the ACID test, transaction atomicity?
〇:To allow the database to execute transactions as a single unit without interruption.
Online transaction processing (OLTP) is used when databases are clustered to provide high fault tolerance and performance. It provides a mechanism to monitor and address problems as they occur. For example, if a process stops functioning, the monitoring function within OLTP will detect and attempt to restart the process. If the process cannot be restarted, the transaction that occurred is rolled back to ensure that no data has been corrupted or that only a portion of the transaction occurred; OLTP records when the transaction occurred (in real time). Usually multiple databases in a distributed environment are updated.
This classification by the extent to which transaction processing is appropriate is very complex. Therefore, database software must implement ACID characteristics. Among them is atomicity, which means that the transaction is either executed entirely or not executed at all. It is the property that a transaction must either be executed completely or not at all.
When a question like this is answered incorrectly, judging that you could not solve it because you did not know OLTP will hinder your future study methods. Although the question text is worded in a complicated way, it is more important to understand what atomicity is in ACID than to memorize the definition of OLTP to solve the actual question.
×:To be able to establish database consistency rules.
It enforces the consistency rules as stated in the database security policy, but does not imply transaction atomicity.
×:To prevent rollbacks from occurring.
Transaction atomicity does not refer to suppressing rollbacks.
×:To prevent concurrent processes from interacting with each other.
This falls under independence, isolation, and segregation. Independence, isolation, and quarantine (isolation) means that the processes are hidden from other operations during processing. It is the property that even if multiple transactions are executed simultaneously, they must not produce the same processing results as if they were executed alone.
#3. Which is the appropriate period of time to use maintenance hooks?
〇:Only during code development.
Maintenance hoc refers to functions and tools that are temporarily used by the developer for testing purposes. In fact, in system development, tools are provided to assist in confirming that individual functions are working properly. However, if maintenance hocks are left in the production environment, they may be used by attackers and must be removed.
×:Maintenance hooks should not be used.
The use of maintenance hooks can make the work more efficient.
×:When you want to make the software available to administrators in a simplified manner.
In some cases, attackers can exploit tools that were supposed to be available only to administrators.
×:When you want users to be able to use the software in a simplified manner.
After the actual release of the software, maintenance hooks are not made available to users.
#4. A new software development company was set up to develop mobile device applications for a variety of clients. The company employs talented software programmers, but has failed to implement a standardized development process that can be improved over time. Which of the following is the best approach this company would take to improve its software development process?
〇:Capability Maturity Model Integration
Capability Maturity Model Integration (CMMI) is a comprehensive set of integration guidelines for developing products and software. It addresses the various phases of the software development life cycle, including concept definition, requirements analysis, design, development, integration, installation, operation, maintenance, and what should happen at each stage. The model describes the procedures, principles, and practices underlying the maturation of the software development process. It was developed to help software vendors improve their development processes. It will improve software quality, shorten the development life cycle, create and meet milestones in a timely manner, and adopt a proactive approach rather than a reactive approach that is less effective.
×:Software Development Life Cycle
Incorrect because the Software Development Life Cycle (SDLC) describes how a system should be developed and maintained throughout its life cycle and does not involve process improvement.
×:ISO/IEC 27002
Incorrect because ISO/IEC 27002 is an international standard that outlines how the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) create and maintain an organizational information security management system (ISMS). ISO/IEC 27002 has a section dealing with the acquisition, development, and maintenance of information systems, but does not provide a process improvement model for software development.
×:Certification and Accreditation Process
This is incorrect because the certification and accreditation (C&A) process handles testing and evaluation of systems against predefined criteria. This has nothing to do with improving the software development process.
#5. Which of the following are ways to defend against cross-site tracing?
Cross-site tracing is an attack to obtain authentication information by embedding TRACE method HTTP communication in a web page. Suppose the TRACE method is embedded in the login screen by XSS. After the password to log in is sent, it is returned by TRACE and comes back. The password that has just been sent is returned to the browser, leading to a compromise.
#6. I am looking to mitigate injection attacks on my web server. What advice should I give?
Injection attacks are cracking attacks in which special strings are embedded in user forms and submitted to malfunction the receiving user’s information processing. Sufficiently strong input validation and data type restrictions on input fields, input length limits, and modifications are to do it. Only allow users to enter appropriate data into fields. Limit the number of characters a user can use, and possibly restrict by character type, allowing only letters in names, numbers in phone numbers, and displaying country and state drop-downs.
#7. Which of the following incorrectly describes a directory service?
〇:Conforms to the X.509 standard and assigns a namespace to each object accessed in the database by LDAP.
Most companies have directories that contain information about company network resources and users. Most directories use a hierarchical database format based on the X.500 standard (not X.509) and a type of protocol such as LDAP (Lightweight Directory Access Protocol) that allows subjects and applications to interact with the directory The application can then use LDAP to access the directory. Applications can request information about a particular user by making an LDAP request to the directory, and users can request information about a particular resource using a similar request. The directory service assigns an Distinguished Name (DN) to each object in the database based on the X.500 standard to be accessed. Each distinguished name represents a set of attributes about a particular object and is stored as an entry in the directory.
×:Namespaces are used to manage objects in the directory.
This is incorrect because objects in a hierarchical database are managed by a directory service. Directory services allow administrators to configure and manage identification, authentication, permissions, and access control for the network. Objects in the directory are labeled and identified by namespace, which is how the directory service keeps objects organized.
×:Enforce security policies by performing access control and identity management functions.
This is incorrect because directory services enforce the security policy set by performing access control and identity management functions. For example, when a user logs into a domain controller in a Windows environment, the directory service (Active Directory) determines which network resources are accessible and which are not.
×:Administrators can configure and manage how identification takes place within the network.
Directory service is incorrect because it allows the administrator to configure and manage identification within the network. It also allows for the configuration and management of authentication, authorization, and access control.
#8. Which of the following markup languages is used to allow sharing of application security policies and ensure that all applications follow the same security rules?
〇:XACML
XACML allows two or more companies to have a trust model set up to share identity, authentication, and authorization methods. This means that when you authenticate against your own software, you can pass the authentication parameters to your partner. This allows them to interact with their partner’s software without having to authenticate more than once. This is done via XACML (Extensible Access Control Markup Language), which allows multiple organizations to share application security policies based on a trust model XACML is a markup language and processing model implemented in XML XACML is a markup language and processing model implemented in XML. It declares access control policies and describes how to interpret access control policies.
×:XML (Extensible Markup Language)
XML (Extensible Markup Language) is incorrect because it is a way to electronically code documents and represent data structures such as web services. XML is not used to share security information. XML is an open standard that is more robust than traditional HTML. In addition to serving as a markup language, XML also serves as the foundation for other industry-specific XML standards. With XML, companies can communicate with each other while using a markup language that meets their specific needs.
×:SPML
Service Provisioning Markup Language (SPML) is incorrect because it is used by companies to exchange user, resource, and service provisioning information rather than application security information. SPML is an XML-based framework developed by OASIS that allows enterprise platforms, such as web portals and application servers, to provision requests to multiple companies for the purpose of securely and quickly setting up web services and applications. It is intended to enable the generation of.
×:GML
Incorrect because GML (Generalized Markup Language) is a method created by IBM for document formatting. It describes a document in terms of parts (chapters, paragraphs, lists, etc.) and their relationships (heading levels). GML was the predecessor of SGML (Standard Generalized Markup Language) and HTML (Hypertext Markup Language).
#9. There are several attacks that programmers should be aware of. When an attacker attempts to execute arbitrary code, what type of attack is indicated?
〇:Buffer overflow
A buffer is an area reserved by an application to store something in it, like some user input. After the application receives input, the instruction pointer is put into the buffer. A buffer overflow occurs when the application accidentally allows the input to overwrite the instruction pointer in the code and write it to the buffer area. Once the instruction pointer is overwritten, it can be executed under the application’s security context.
×:Traffic Analysis
Traffic Analysis is incorrect because it is a method of revealing information by looking at traffic patterns on the network.
×:Race Condition
Incorrect because it does not indicate a race condition attack; if two different processes need to perform their tasks on a resource, they need to follow the correct order.
×:Covert Storage
Incorrect because in a covert storage channel, processes are capable of communicating through some type of storage space on the system.
#10. Which option best describes the role of the Java Virtual Machine in the execution of Java applets?
〇:Converts bytecode to machine-level code.
Java is an object-oriented, platform-independent programming language. It is used as a full-fledged programming language to write programs called applets that run in the user’s browser. java is platform independent because it creates intermediate code that is not processor-specific bytecode. java virtual machine (JVM) converts bytecode into machine-level code that can be understood by processors on a particular system.
×:Converts source code to bytecode and blocks the sandbox.
Incorrect because the Java Virtual Machine converts bytecode to machine-level code. The Java compiler does not convert source code to bytecode. The JVM also creates a virtual machine in an environment called the sandbox. This virtual machine is the enclosed environment in which the applet executes its activities. The applet is typically sent via HTTP within the requested web page and is executed as soon as the applet arrives. If the applet developer fails to function properly, it may intentionally or accidentally perform a malicious act. Therefore, the sandbox strictly limits the applet’s access to system resources. The JVM mediates access to system resources to ensure that applet code runs and works within its own sandbox.
×:It runs only on specific processors within a specific operating system.
This is incorrect because Java is an object-oriented, platform-independent programming language. Other languages are compiled into object code for specific operating systems and processors. Thus, a particular application can run on Windows, but not on the Mac OS. Intel processors do not necessarily understand machine code compiled for Alpha processors. Java is platform independent because it creates intermediate code bytecode. It is not processor-specific code bytecode.
×:Develop an applet that runs in the user’s browser.
This is incorrect because the Java Virtual Machine does not create applets. Java is adopted as a full-fledged programming language and is used to write complete and short programs called applets that run in the user’s browser. Programmers create Java applets and run them through a compiler. The Java compiler converts the source code into byte code. The user then downloads the Java applet. The bytecode is converted to machine-level code by the JVM. Finally, the applet is executed when invoked.
#11. In computer programming, coupling and condensing degrees are used. Which of the following is the preferred combination of coupling and condensing degree?
It is a good thing for a module to have low coupling and high condensibility. The higher the degree of condensation, the easier it is to update and modify, and it does not affect other modules with which it interacts. This also means that modules are easier to reuse and maintain. Coupling degree is a measure of the amount of interaction a single module requires to perform its task. If a module’s coupling is low, it means that the module does not need to communicate with many other modules to perform its job. It is easier to understand and reuse than a module that depends on many other modules to perform its tasks. It will also be easier to modify modules without affecting the many modules around them. Therefore, the correct answer is “low-coupling, high-cohesion”.
#12. Which option incorrectly describes SOAP and remote procedure calls?
〇:SOAP allows Remote Procedure Calls to be used to exchange information between applications over the Internet.
To allow applications to exchange information over the Internet, the Simple Object Access Protocol (SOAP) was created to be used instead of Remote Procedure Call (RPC). SOAP is an XML-based protocol that encodes messages in a Web service setting. It allows programs running on different operating systems to communicate using Web-based communication methods.
×:SOAP is designed to overcome compatibility and security issues associated with remote procedure calls.
Attempting to allow communication between objects of different applications over the Internet is incorrect because SOAP was created to overcome the compatibility and security issues introduced by RPC. SOAP is designed to work with multiple operating system platforms, browsers, and servers.
×:SOAP and remote procedure calls were created to enable application layer communication.
This is incorrect because both SOAP and RPC were created to enable application layer communication. SOAP is an XML-based protocol that encodes messages in a Web service setting. Therefore, if a Windows client needs to access a Windows server that provides a particular web service, programs on both systems can communicate using SOAP without running into interoperability problems.
×:HTTP is not designed to work with remote procedure calls, but SOAP is designed to work with HTTP.
HTTP is not designed to work with RPC, but SOAP is designed to work with HTTP. SOAP actually defines the structure of the XML schema or communication mechanism. The SOAP XML schema defines how objects communicate directly with each other. One of the advantages of SOAP is that program calls most likely get through firewalls, since HTTP communication is generally allowed. This ensures that the client/server model is not broken by getting denied by firewalls during the communication entity.
#13. Which project management methodology is based on each phase leading to the next phase and not returning to the previous phase?
〇:Waterfall
Waterfall is very unidirectional and each phase leads directly to the next phase. In a pure waterfall model, there is no way to return to the previous phase.
×:Agile
Agile is the idea that system development should be done flexibly. It is a trial-and-error development method that emphasizes adaptive planning, evolutionary development, early delivery, and continuous improvement. Agile differs from the traditional approach of modeling a process, where principles and claims are shared by the entire team and an attempt is made to adapt to every situation.
×:SASHIMI
The SASHIMI model is a model of the system development process that allows the end and beginning points of each phase to run concurrently. In many cases, a waterfall model is used, where the next phase is moved to the next phase with the submission and review of deliverables. This is also great, but in practice, there are times when the delivery is made but modified due to changing requirements.
×:Spiral
The spiral model is a method of development that iterates from design to testing for each function. It is a method in which a series of processes consisting of planning, analysis, design, implementation, testing, and evaluation are repeated many times within a single project to gradually increase the degree of completion. In a software project, these phases are repeated.
#14. What is the difference between freeware and shareware?
Freeware is free software and can be used for free. Shareware is fully functional proprietary software that is initially free to use. Often a trial to test the software requires a fee to continue using it after 30 days. Thus, the correct answer is, “Freeware is free in perpetuity, while shareware is free for a set period of time.” will be.
#15. There are many types of viruses that hackers can use to damage your system. Which of the following is NOT a correct description of a polymorphic type virus?
〇:Intercept anti-malware calls to the operating system for file system information.
This is a “no” question. Polymorphic viruses attempt to fool anti-malware scanners. In particular, they use methods to generate operational copies. Even if the anti-malware software detects and disables one or two copies, the other copies remain active in the system.
This problem must be solved by process of elimination. What definitions are polymorphic viruses? If you remember the word list “what is a polymorphic virus,” you may not understand what makes a polymorphic virus unique. The most striking feature of polymorphic viruses is that they repeatedly change entities.
×:Using noise, mutation engines, or random number generators to change the sequence of instructions.
Polymorphic-type viruses may change the sequence of instructions by including noise or false instructions along with other useful instructions. They can also use mutation engines and random number generators to alter the sequence of instructions in the hope that they will not be detected. The original functionality remains intact, but the code is altered, making it nearly impossible to identify all versions of the virus using a fixed signature.
×:Different encryption schemes that require different decryption routines can be used.
Polymorphic-type viruses can use different encryption schemes that require different decryption routines. This requires an anti-malware scan to identify all copies of this type of virus, one for each possible decryption method. Polymorphic virus creators hide the encrypted virus payload and add decryption methods to the code. Once encrypted, the code becomes meaningless, but that does not necessarily mean that the encrypted virus is a polymorphic virus and thus escapes detection.
×:Create multiple and various copies.
Polymorphic viruses generate multiple, varied copies in order to avoid detection by anti-malware software.
#16. Which of the following is the most effective method of identifying backup strategies?
〇:Test the restore procedure.
The ability to successfully restore from a backup must be tested periodically. Therefore, the correct answer is: “Test the restore procedure.” will be
×:Ensure that all user data is backed up.
Making copies of user data is important, but copies are useless unless it is ensured that the copies can be restored.
×:Back up the database management system (DBMS) to your own specifications.
While it is a good idea to use measures to meet the proprietary specifications of the DBMS to ensure that transactional copies are usable, those copies will not be trusted unless the restores are tested.
×:Ensure that the backup log files are complete.
Monitoring backup logs for completion is good operational practice, but it is wrong because it is no substitute for regular testing of the backups themselves and their ability to truly recover from data loss.
#17. What type of database property ensures that a tuple is uniquely identified by its primary key value?
〇:Entity integrity
Entity integrity ensures that a tuple is uniquely identified by its primary key value. A tuple is a row in a two-dimensional database. The primary key is the corresponding column value that makes each row unique. For entity integrity, every tuple must contain one primary key. If a tuple does not have a primary key, the tuple will not be referenced by the database.
×:Concurrent Maintainability
Concurrent integrity is not a formal term in database software and is therefore incorrect. There are three main types of integrity services: semantic, reference, and entity. Concurrency is software that is accessed by multiple users or applications simultaneously. Without controls in place, two users can access and modify the same data at the same time.
×:Referential Integrity
Referential integrity is incorrect because it references all foreign keys that refer to an existing primary key. There must be a mechanism to ensure that foreign keys do not contain references to non-existent records or null-valued primary keys. This type of integrity control allows relationships between different tables to work properly and communicate properly with each other.
×:Semantic Integrity
The semantic integrity mechanism is incorrect because it ensures that the structural and semantic rules of the database are in place. These rules concern data types, boolean values, uniqueness constraints, and operations that may adversely affect the structure of the database.
#18. Drive mirroring is the ability to write data to two drives simultaneously for redundancy. What type of technology is used for this?
〇:Disk Redundancy
Information that is required to be available at all times must be mirrored or duplexed. In both mirroring (also called RAID 1) and duplexing, all data write operations are performed simultaneously or nearly simultaneously at multiple physical locations.
×:Direct Access Storage
Direct access storage is incorrect because it is a general term for magnetic disk storage devices traditionally used in mainframe and minicomputer (midrange computer) environments. RAID is a type of direct access storage device (DASD).
×:Striping
Incorrect because the technique of striping is used when data is written to all drives. This activity splits the data and writes it to multiple drives. Write performance is not affected, but read performance is greatly improved because multiple heads are getting data at the same time. Parity information is used to reconstruct lost or corrupted data. Striping simply means data; parity information may be written to multiple disks.
×:Parallel Processing
Parallel processing is incorrect because a computer has multiple processing units built into it to execute multiple streams of instructions simultaneously. While mirroring may be used to implement this type of processing, it is not a requirement.
#19. Mary is creating malicious code to steal user cookies by modifying client-side JavaScript. Which type of cross-site scripting vulnerability does she exploit?
〇:DOM-based
Mary exploits a cross-site scripting (XSS) vulnerability called Document Object Model (DOM) Local Cross-Site Scripting.The DOM is a standard structural layout for representing HTML and XML documents in a browser. In such attacks, components of the document such as form fields and cookies can be referenced via JavaScript. The attacker uses the DOM environment to modify the client-side JavaScript. The result is to cause the victim’s browser to execute malicious JavaScript code. The most effective way to prevent these attacks is to disable scripting support in the browser.
×:Secondary
Secondary, or persistent XSS vulnerabilities are incorrect because they target websites that populate databases or data stored elsewhere, such as forums or message boards.
×:Persistent
Persistent XSS vulnerability is incorrect because it is simply another name for a secondary vulnerability.
×:Non-Persistent
A non-persistent XSS vulnerability, called a reflection vulnerability, is incorrect because it uses a malicious script to open a programmed URL in order to steal sensitive information from someone who holds cookies, etc. The principle behind this attack lies in the lack of proper input or output validation on dynamic websites.
#20. Brian has been asked to create a virtual directory for the company’s new identity management system. Which of the following best describes the virtual directory?
〇:Virtual Container for Data from Multiple Sources
Network directories are containers for users and network resources. Because one directory does not contain all the users and resources in an enterprise, a collection of directories must be used. A virtual directory collects the necessary information used from sources scattered throughout the network and stores it in a central virtual directory (virtual container). This provides a unified view of digital identity information for all users across the enterprise. The virtual directory is regularly synchronized with all identity stores (individual network directories) to ensure that up-to-date information is being used by all applications and identity management components in the enterprise.
×:Metadirectory
Virtual directories are similar to metadirectories, but incorrect because metadirectories work with one directory and virtual directories work with multiple data sources. When the Identity Management component calls the virtual directory, it can scan different directories across the enterprise, but the metadirectory only has the ability to scan one directory it is associated with.
×:User attribute information stored in the HR database
Incorrect because it describes an identity store. Much of the information stored in identity management directories is scattered throughout the enterprise. User attribute information (employee status, job description, department, etc.) is typically stored in the HR database. Authentication information can be stored in a Kerberos server, and resource-oriented authentication information can be stored in the domain controller’s Active Directory. These are commonly referred to as identity stores and are located elsewhere on the network. Many identity management products use virtual directories to call up the data in these identity stores.
×:Services that allow administrators to configure and manage the way identities are
This is incorrect because it describes a directory service. Directory services allow administrators to configure and manage how identification, authentication, permissions, and access control are performed within a network. It uses namespaces to manage objects in the directory and enforces security policies configured by performing access control and identity management functions.