CPE Quiz

Prepared by Smita Totade, Ph.D., CISA, CISM, CgeIT,CrISC

Take the quiz online: QUIZ #141

SOOD AnD enBODy Ar TICLe

1. There are a number of cross-site request forgery (CSRF) vulnerabilities that have occurred in network devices, but most of them follow a similar pattern, requiring exploitation of browser inefficiencies.

2. CSRF is a class of attacks in which the attacker exploits the user session to execute commands on the running server or in the application itself.

3. The attacker can inject code to execute drive-by download attacks or further exploit the vulnerabilities of the running web server to increase the infection rate.

4. The Hypertext Transmission Protocol (HTTP) specification does not allow for the effective use of iFrame to embed one web page into another web page.

5. A black-list approach should be followed at the protocol level to reduce the impact of exploitation.

geLBSTeIn Ar TICLe

6. The Stuxnet worm reported in 2010 altered the operation of an industrial process and was designed to damage physical equipment and modify the operator’s monitoring indications to show that the equipment was working normally.

7. Web site defacements have affected many organizations in the private and public sectors the over last few years, and apart from reputational damage, most of them could be considered as having been catastrophic.

8. Unauthorized modifications of operating systems (server and network) and/or applications software (such as undocumented backdoors), database tables, production data, and infrastructure configuration are not considered to be attacks on data integrity.

9. It can be assumed that the findings of IT audits regularly include weaknesses in all processes, particularly the management of privileged access, change management, SoD and the monitoring of logs.

10. A program of data integrity assurance needs to address Detect, Deter (2D); Prevent, Prepare (2P); and Respond, Recover (2R).

11. Social networks and the concept that everyone is an information producer push for greater openness and sharing, and social networks are becoming a force that resists and challenges the implementation of NtK and LP.

PAreeKh Ar TICLe

12. A measure of exposure could include the number of sensitive data records, the number of critical applications exposed to the Internet, the number of corporate e-mail accounts and the number of servers hosting critical applications.

13. Operational risk is a bottom-up approach largely regarded as connected with the realities of everyday technology risk management.

MATTSSOn Ar TICLe

14. Masking is a two-way transformation used to hide or mask information that is presented to users or protected in test databases.

15. Formatted encryption is a type of encryption that generates cipher tests of the same length and data type as the input and is typically based on encryption modes that are not standardized.

16. Strong encryption provides strong protection of individual data fields by encrypting sensitive data throughout most of their life cycle—from capture to disposal—and it is a great way to protect highly sensitive data that need continuous protection in a data flow.

17. Tokenization is ideal when applying a risk-adjusted data security approach because it has an extra layer of security that other data security solutions, such as encryption, do not have.

18. To obtain sensitive data through tokenization, hackers would have to obtain the token lookup table, whereas with encryption, a hacker would only need to obtain an encryption key.