Domain 8 Exam.
A minimum of 70% is required to pass.
#1. Lisa learned that most databases implement concurrency control. What is concurrency? And why do we need to control it?
〇：A process that is running concurrently. If not properly controlled, the integrity of the database can be adversely affected.
Databases are used simultaneously by many different applications and many users interact with them at once. Concurrency means that different processes (applications and users) are accessing the database at the same time. If this is not properly controlled, processes can overwrite each other’s data or cause deadlock situations. The worst consequence of concurrency problems is poor integrity of the data held in the database. Database integrity is provided by concurrency protection mechanisms; one concurrency control is locking, which prevents users from accessing or modifying data being used by other users.
×：Processes running at different levels. If not properly controlled, they can adversely affect the integrity of the database.
Concurrency is incorrect because it refers to processes running at the same time, not at different levels. Concurrency problems occur when the database can be accessed simultaneously by different users or applications. If controls are not in place, two users can access and modify the same data at the same time, which can be detrimental to a dynamic environment.
×：The process of inferring new information from a review of accessible data. Inference attacks may occur.
The ability to infer new information from reviewing accessible data occurs when subjects at lower security levels indirectly infer data at higher levels. This can lead to an inference attack, but is not related to concurrency.
×：Storing data in multiple locations in the database. If not properly controlled, it can negatively impact database integrity.
Storing data in multiple locations is incorrect because there is no concurrency issue. Concurrency becomes an issue when two subjects or applications are trying to modify the same data at the same time.
#2. What type of database property ensures that a tuple is uniquely identified by its primary key value?
Entity integrity ensures that a tuple is uniquely identified by its primary key value. A tuple is a row in a two-dimensional database. The primary key is the corresponding column value that makes each row unique. For entity integrity, every tuple must contain one primary key. If a tuple does not have a primary key, the tuple will not be referenced by the database.
Concurrent integrity is not a formal term in database software and is therefore incorrect. There are three main types of integrity services: semantic, reference, and entity. Concurrency is software that is accessed by multiple users or applications simultaneously. Without controls in place, two users can access and modify the same data at the same time.
Referential integrity is incorrect because it references all foreign keys that refer to an existing primary key. There must be a mechanism to ensure that foreign keys do not contain references to non-existent records or null-valued primary keys. This type of integrity control allows relationships between different tables to work properly and communicate properly with each other.
The semantic integrity mechanism is incorrect because it ensures that the structural and semantic rules of the database are in place. These rules concern data types, boolean values, uniqueness constraints, and operations that may adversely affect the structure of the database.
#3. Robert is asked to increase the overall efficiency of the sales database by implementing procedures to structure the data to minimize duplication and inconsistencies. What procedure is that?
Normalization is the process of efficiently organizing data by eliminating redundancy, reducing the potential for anomalies during data manipulation, and improving data consistency within a database. It is a systematic method of ensuring that database structures are correctly designed so that undesirable characteristics (insert, update, and delete anomalies) do not occur and data integrity is lost.
Polymorphism is incorrect because different objects are given the same input and react differently.
×：Database View Implementation
A database view is a logical access control, implemented so that one group or specific user can see certain information and another group is restricted from seeing it completely, which is incorrect. For example, a database view could be implemented so that middle management can see the profits and expenses of a department without seeing the profits of the entire enterprise. Database views do not minimize duplicate data. Rather, it manipulates how the data is displayed by a particular user/group.
Schemas in database systems are incorrect because they are structures described in a formal language. In a relational database, a schema defines tables, fields, relationships, views, indexes, procedures, queues, database links, directories, etc. A schema describes the database and its structure, but not the data that exists in the database itself.
#4. There are many types of viruses that hackers can use to damage your system. Which of the following is NOT a correct description of a polymorphic type virus?
〇：Intercept anti-malware calls to the operating system for file system information.
This is a “no” question. Polymorphic viruses attempt to fool anti-malware scanners. In particular, they use methods to generate operational copies. Even if the anti-malware software detects and disables one or two copies, the other copies remain active in the system.
This problem must be solved by process of elimination. What definitions are polymorphic viruses? If you remember the word list “what is a polymorphic virus,” you may not understand what makes a polymorphic virus unique. The most striking feature of polymorphic viruses is that they repeatedly change entities.
×：Using noise, mutation engines, or random number generators to change the sequence of instructions.
Polymorphic-type viruses may change the sequence of instructions by including noise or false instructions along with other useful instructions. They can also use mutation engines and random number generators to alter the sequence of instructions in the hope that they will not be detected. The original functionality remains intact, but the code is altered, making it nearly impossible to identify all versions of the virus using a fixed signature.
×：Different encryption schemes that require different decryption routines can be used.
Polymorphic-type viruses can use different encryption schemes that require different decryption routines. This requires an anti-malware scan to identify all copies of this type of virus, one for each possible decryption method. Polymorphic virus creators hide the encrypted virus payload and add decryption methods to the code. Once encrypted, the code becomes meaningless, but that does not necessarily mean that the encrypted virus is a polymorphic virus and thus escapes detection.
×：Create multiple and various copies.
Polymorphic viruses generate multiple, varied copies in order to avoid detection by anti-malware software.
#5. (A) provides a readable description of a particular operation provided by a particular web service (B) provides a method for registration by the service provider and placement by the consumer of the service.
〇：(A) Web Service Description Language – (B) Universal Description, Discovery and Integration
Services in service-oriented architectures (SOA) are typically provided via Web services, which enable Web-based communication to occur seamlessly using Web-based standards such as Simple Object Access Protocol (SOAP), HTTP, Web Service Description Language (WSDL), Universal Description, Discovery, and Integration （WSDL provides a machine-readable description of the specific operations provided by a service; UDDI is an XML-based registry that lists available services UDDI provides a way for services to be registered by service providers and deployed by service consumers.
×：(A) generic description, discovery and integration – (B) web service description language
Incorrect because the terms are not in the correct order and do not map to the definitions provided within the question.
×：(A) Web Service Description Language – (B) Simple Object Access Protocol
SOAP (Simple Object Access Protocol) is incorrect because it is an XML-based protocol that encodes messages in a Web services environment. SOAP defines an XML schema for how communication is actually going to take place. SOAP XML schema defines how objects communicate directly.
×：(A) Simple Object Access Protocol (B) Universal Description, Discovery and Integration
SOAP (Simple Object Access Protocol) is incorrect because it is an XML-based protocol that encodes messages in a Web services environment. SOAP defines the XML schema of how communication is actually going to take place. SOAP XML Schema defines how objects communicate directly.
#6. Drive mirroring is the ability to write data to two drives simultaneously for redundancy. What type of technology is used for this?
Information that is required to be available at all times must be mirrored or duplexed. In both mirroring (also called RAID 1) and duplexing, all data write operations are performed simultaneously or nearly simultaneously at multiple physical locations.
×：Direct Access Storage
Direct access storage is incorrect because it is a general term for magnetic disk storage devices traditionally used in mainframe and minicomputer (midrange computer) environments. RAID is a type of direct access storage device (DASD).
Incorrect because the technique of striping is used when data is written to all drives. This activity splits the data and writes it to multiple drives. Write performance is not affected, but read performance is greatly improved because multiple heads are getting data at the same time. Parity information is used to reconstruct lost or corrupted data. Striping simply means data; parity information may be written to multiple disks.
Parallel processing is incorrect because a computer has multiple processing units built into it to execute multiple streams of instructions simultaneously. While mirroring may be used to implement this type of processing, it is not a requirement.
#7. Which level in the software functional maturity model provides a “repeatable process that yields constant results”?
Level 2 of the software functional maturity model is reproducible. It is a maturity level where some processes are reproducible and produce constant results. The process discipline is not rigorous, but it helps to maintain existing processes. Therefore, the correct answer is Level 2.
At Level 1, the process is usually undocumented and dynamic. It tends to be driven by users and events in an ad hoc, uncontrolled, reactive manner. As a result, the process is chaotic and unstable.
At Level 2, at maturity, some processes are repeatable and will produce consistent results. Process discipline will not be rigid, but where it exists it will help ensure that existing processes are maintained.
At Level 3, a documented set of standard processes has been established and has improved somewhat over time.
At Level 4, the process is being evaluated to ensure that it is achieving its goals. Process users experience the process under multiple and varied conditions to demonstrate competence.
Level 5 focuses on continuous improvement of process performance through incremental and innovative technical changes/improvements.
#8. Which project management methodology is based on each phase leading to the next phase and not returning to the previous phase?
Waterfall is very unidirectional and each phase leads directly to the next phase. In a pure waterfall model, there is no way to return to the previous phase.
Agile is the idea that system development should be done flexibly. It is a trial-and-error development method that emphasizes adaptive planning, evolutionary development, early delivery, and continuous improvement. Agile differs from the traditional approach of modeling a process, where principles and claims are shared by the entire team and an attempt is made to adapt to every situation.
The SASHIMI model is a model of the system development process that allows the end and beginning points of each phase to run concurrently. In many cases, a waterfall model is used, where the next phase is moved to the next phase with the submission and review of deliverables. This is also great, but in practice, there are times when the delivery is made but modified due to changing requirements.
The spiral model is a method of development that iterates from design to testing for each function. It is a method in which a series of processes consisting of planning, analysis, design, implementation, testing, and evaluation are repeated many times within a single project to gradually increase the degree of completion. In a software project, these phases are repeated.
#9. Fred is told that he needs to test components of a new content management application under development to validate data structures, logic, and boundary conditions. What tests should he perform?
Unit testing involves testing individual components in a controlled environment to verify data structures, logic, and boundary conditions. After the programmer develops a component, it is tested with several different input values and in a variety of situations. Unit testing can begin early in the development process and usually continues throughout the development phase. One of the benefits of unit testing is that it identifies problems early in the development cycle. It is easier and less expensive to make changes to individual units.
This is incorrect because acceptance testing is done to verify that the code meets the customer’s requirements. This test is applied to some or all of the application, but usually not individual components.
Regression testing is incorrect because it implies retesting a system after changes have been made to ensure its functionality, performance, and protection. Essentially, regression testing is done to identify bugs where functionality no longer works as intended as a result of a program change. It is not uncommon for developers to fix one problem, accidentally create a new problem, or fix a new problem and solve an old one. Regression testing involves checking for previously fixed bugs to ensure that they have not reappeared and re-running previous tests.
Integration testing is incorrect because it verifies that components work together as outlined in the design specification. After unit testing, individual components or units are tested in combination to verify that they meet functional, performance, and reliability requirements.
#10. Which of the following incorrectly describes a directory service?
〇：Conforms to the X.509 standard and assigns a namespace to each object accessed in the database by LDAP.
Most companies have directories that contain information about company network resources and users. Most directories use a hierarchical database format based on the X.500 standard (not X.509) and a type of protocol such as LDAP (Lightweight Directory Access Protocol) that allows subjects and applications to interact with the directory The application can then use LDAP to access the directory. Applications can request information about a particular user by making an LDAP request to the directory, and users can request information about a particular resource using a similar request. The directory service assigns an Distinguished Name (DN) to each object in the database based on the X.500 standard to be accessed. Each distinguished name represents a set of attributes about a particular object and is stored as an entry in the directory.
×：Namespaces are used to manage objects in the directory.
This is incorrect because objects in a hierarchical database are managed by a directory service. Directory services allow administrators to configure and manage identification, authentication, permissions, and access control for the network. Objects in the directory are labeled and identified by namespace, which is how the directory service keeps objects organized.
×：Enforce security policies by performing access control and identity management functions.
This is incorrect because directory services enforce the security policy set by performing access control and identity management functions. For example, when a user logs into a domain controller in a Windows environment, the directory service (Active Directory) determines which network resources are accessible and which are not.
×：Administrators can configure and manage how identification takes place within the network.
Directory service is incorrect because it allows the administrator to configure and manage identification within the network. It also allows for the configuration and management of authentication, authorization, and access control.
Secondary, or persistent XSS vulnerabilities are incorrect because they target websites that populate databases or data stored elsewhere, such as forums or message boards.
Persistent XSS vulnerability is incorrect because it is simply another name for a secondary vulnerability.
A non-persistent XSS vulnerability, called a reflection vulnerability, is incorrect because it uses a malicious script to open a programmed URL in order to steal sensitive information from someone who holds cookies, etc. The principle behind this attack lies in the lack of proper input or output validation on dynamic websites.
#12. Database software must meet a requirement called the ACID test. In OLTP, why does the database software perform one of the requirements of the ACID test, transaction atomicity?
〇：To allow the database to execute transactions as a single unit without interruption.
Online transaction processing (OLTP) is used when databases are clustered to provide high fault tolerance and performance. It provides a mechanism to monitor and address problems as they occur. For example, if a process stops functioning, the monitoring function within OLTP will detect and attempt to restart the process. If the process cannot be restarted, the transaction that occurred is rolled back to ensure that no data has been corrupted or that only a portion of the transaction occurred; OLTP records when the transaction occurred (in real time). Usually multiple databases in a distributed environment are updated.
This classification by the extent to which transaction processing is appropriate is very complex. Therefore, database software must implement ACID characteristics. Among them is atomicity, which means that the transaction is either executed entirely or not executed at all. It is the property that a transaction must either be executed completely or not at all.
When a question like this is answered incorrectly, judging that you could not solve it because you did not know OLTP will hinder your future study methods. Although the question text is worded in a complicated way, it is more important to understand what atomicity is in ACID than to memorize the definition of OLTP to solve the actual question.
×：To be able to establish database consistency rules.
It enforces the consistency rules as stated in the database security policy, but does not imply transaction atomicity.
×：To prevent rollbacks from occurring.
Transaction atomicity does not refer to suppressing rollbacks.
×：To prevent concurrent processes from interacting with each other.
This falls under independence, isolation, and segregation. Independence, isolation, and quarantine (isolation) means that the processes are hidden from other operations during processing. It is the property that even if multiple transactions are executed simultaneously, they must not produce the same processing results as if they were executed alone.
#13. There are several attacks that programmers should be aware of. When an attacker attempts to execute arbitrary code, what type of attack is indicated?
A buffer is an area reserved by an application to store something in it, like some user input. After the application receives input, the instruction pointer is put into the buffer. A buffer overflow occurs when the application accidentally allows the input to overwrite the instruction pointer in the code and write it to the buffer area. Once the instruction pointer is overwritten, it can be executed under the application’s security context.
Traffic Analysis is incorrect because it is a method of revealing information by looking at traffic patterns on the network.
Incorrect because it does not indicate a race condition attack; if two different processes need to perform their tasks on a resource, they need to follow the correct order.
Incorrect because in a covert storage channel, processes are capable of communicating through some type of storage space on the system.
#14. Which option incorrectly describes SOAP and remote procedure calls?
〇：SOAP allows Remote Procedure Calls to be used to exchange information between applications over the Internet.
To allow applications to exchange information over the Internet, the Simple Object Access Protocol (SOAP) was created to be used instead of Remote Procedure Call (RPC). SOAP is an XML-based protocol that encodes messages in a Web service setting. It allows programs running on different operating systems to communicate using Web-based communication methods.
×：SOAP is designed to overcome compatibility and security issues associated with remote procedure calls.
Attempting to allow communication between objects of different applications over the Internet is incorrect because SOAP was created to overcome the compatibility and security issues introduced by RPC. SOAP is designed to work with multiple operating system platforms, browsers, and servers.
×：SOAP and remote procedure calls were created to enable application layer communication.
This is incorrect because both SOAP and RPC were created to enable application layer communication. SOAP is an XML-based protocol that encodes messages in a Web service setting. Therefore, if a Windows client needs to access a Windows server that provides a particular web service, programs on both systems can communicate using SOAP without running into interoperability problems.
×：HTTP is not designed to work with remote procedure calls, but SOAP is designed to work with HTTP.
HTTP is not designed to work with RPC, but SOAP is designed to work with HTTP. SOAP actually defines the structure of the XML schema or communication mechanism. The SOAP XML schema defines how objects communicate directly with each other. One of the advantages of SOAP is that program calls most likely get through firewalls, since HTTP communication is generally allowed. This ensures that the client/server model is not broken by getting denied by firewalls during the communication entity.
#15. Which of the following is the most effective method of identifying backup strategies?
〇：Test the restore procedure.
The ability to successfully restore from a backup must be tested periodically. Therefore, the correct answer is: “Test the restore procedure.” will be
×：Ensure that all user data is backed up.
Making copies of user data is important, but copies are useless unless it is ensured that the copies can be restored.
×：Back up the database management system (DBMS) to your own specifications.
While it is a good idea to use measures to meet the proprietary specifications of the DBMS to ensure that transactional copies are usable, those copies will not be trusted unless the restores are tested.
×：Ensure that the backup log files are complete.
Monitoring backup logs for completion is good operational practice, but it is wrong because it is no substitute for regular testing of the backups themselves and their ability to truly recover from data loss.
#16. In computer programming, coupling and condensing degrees are used. Which of the following is the preferred combination of coupling and condensing degree?
It is a good thing for a module to have low coupling and high condensibility. The higher the degree of condensation, the easier it is to update and modify, and it does not affect other modules with which it interacts. This also means that modules are easier to reuse and maintain. Coupling degree is a measure of the amount of interaction a single module requires to perform its task. If a module’s coupling is low, it means that the module does not need to communicate with many other modules to perform its job. It is easier to understand and reuse than a module that depends on many other modules to perform its tasks. It will also be easier to modify modules without affecting the many modules around them. Therefore, the correct answer is “low-coupling, high-cohesion”.
#17. A new software development company was set up to develop mobile device applications for a variety of clients. The company employs talented software programmers, but has failed to implement a standardized development process that can be improved over time. Which of the following is the best approach this company would take to improve its software development process?
〇：Capability Maturity Model Integration
Capability Maturity Model Integration (CMMI) is a comprehensive set of integration guidelines for developing products and software. It addresses the various phases of the software development life cycle, including concept definition, requirements analysis, design, development, integration, installation, operation, maintenance, and what should happen at each stage. The model describes the procedures, principles, and practices underlying the maturation of the software development process. It was developed to help software vendors improve their development processes. It will improve software quality, shorten the development life cycle, create and meet milestones in a timely manner, and adopt a proactive approach rather than a reactive approach that is less effective.
×：Software Development Life Cycle
Incorrect because the Software Development Life Cycle (SDLC) describes how a system should be developed and maintained throughout its life cycle and does not involve process improvement.
Incorrect because ISO/IEC 27002 is an international standard that outlines how the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) create and maintain an organizational information security management system (ISMS). ISO/IEC 27002 has a section dealing with the acquisition, development, and maintenance of information systems, but does not provide a process improvement model for software development.
×：Certification and Accreditation Process
This is incorrect because the certification and accreditation (C&A) process handles testing and evaluation of systems against predefined criteria. This has nothing to do with improving the software development process.
#18. Which is the appropriate period of time to use maintenance hooks?
〇：Only during code development.
Maintenance hoc refers to functions and tools that are temporarily used by the developer for testing purposes. In fact, in system development, tools are provided to assist in confirming that individual functions are working properly. However, if maintenance hocks are left in the production environment, they may be used by attackers and must be removed.
×：Maintenance hooks should not be used.
The use of maintenance hooks can make the work more efficient.
×：When you want to make the software available to administrators in a simplified manner.
In some cases, attackers can exploit tools that were supposed to be available only to administrators.
×：When you want users to be able to use the software in a simplified manner.
After the actual release of the software, maintenance hooks are not made available to users.
#19. At Sally’s company, when software programmers made changes to software components, they did not document those changes and uploaded them to the main software repository. This has caused some teams to use outdated versions of software. Which of the following would be the best solution for this situation?
〇：Software Configuration Management
Products that provide software configuration management (SCM) identify software attributes at various points in time and provide systematic control of change to maintain software integrity and traceability throughout the software development life cycle. It defines the need to track changes and provides the ability to verify that the final delivered software has all of the approved changes that are supposed to be included in the release. During a software development project, it is stored in a system that can be managed as a centralized code repository and perform SCM functions to track revisions made by multiple people to a single master set.
×：Software Change Control Management
This is incorrect as it is not an official term for this type of function. Software Change Control Management is only part of Software Configuration Management. Software configuration management systems provide concurrency management, version control, and synchronization.
A software escrow framework in which a third party holds a copy of the source code that will be released to the customer in the event of certain circumstances, such as bankruptcy of the vendor who developed the code.
×：Software Configuration Management Escrow
Incorrect, as this is not an official term for this type of functionality.
#20. Which of the following is a correct description of the advantages and disadvantages associated with third generation programming languages?
〇：Used in structured languages, it decreases development time but is somewhat resource intensive.
Third generation programming languages are easier to deal with than their predecessors. They reduce program development time and allow for simplified and quick debugging. However, these languages are more resource intensive when compared to second generation programming languages.
×：Intuitive manipulation of programming reduces effort, but the amount of manual coding for specific tasks tends to be greater than in previous generations.
The advantages and disadvantages of 4th generation programming are explained below. It is true that the use of heuristics in fourth generation programming languages has greatly reduced programming effort and errors in the code. However, there is something untrue about the fact that the amount of manual coding is more than required of 3rd generation languages.
×：The use of binaries for coding is very time consuming, but the potential for errors is reduced.
This is incorrect because it is a description of a machine language and implies the advantages and disadvantages of a first generation programming language.
×：It contributes to decreasing programming processing time, but knowledge of machine structures is essential.
Incorrect because it describes second generation programming languages. These languages require extensive knowledge of machine architecture and the programs written in them are only for specific hardware.