ITS 4050 - Internet and Web Security
Review for Second Test
The following questions are provided to help you study for the second
test. Do not expect to see these exact questions on the test.
- How does the need for a web server to use forms for user input contribute
to the vulnerabilities of that server?
- What are the three states in which we find data, and in which an
attacker may try to obtain/alter/destroy that data?
- How should fault tolerance policies affect new and existing systems?
- Policies and systems should be reviewed when either are changed.
Give an example of such a change in each of them.
- The text reminds us that we are at risk for exploits that address
each kind programming language we may be using. How might an attacker's
tactics vary depending whether we are using a compiled language or a
script in a web page?
- How has the Internet changed transaction processing from batch processing
to real-time processing?
- PCI DSS is based on accepted standards from a trade association.
How is this different from legal requirements? How does this approach
lead to international standards that laws probably cannot? How is this
less effective than laws would be?
- According to PCI DSS, what is the number of annual transactions that
qualifies an entity to do self assessment? At what level must there
be a yearly audit of transactions? What must also be done by every entity?
- What are some of the ways transaction processing entities are required
to protect cardholder data?
- Why do entities that write programs need to have separate development
and production environments?
- The text lists four stages of program development: pre-alpha, alpha,
beta, and release candidate. Why is it likely that a large project will
have more than four actual versions? Which stages are more likely to
contain multiple versions?
- In the hierarchy of principles, policies, standards, procedures,
and guidelines, which is different from the others in terms of required
behavior? Why is it part of the same hierarchy?
- When we are testing a new application or web site, why should we
pay attention to our own history and to recent exploits of similar sites?
- Why should testing of our web sites and applications continue after
we have corrected a major problem?
- When examining an application, typically one we write in-house, we
should ask several questions. Why is each important?
Does the application meet the user requirements?
Does the application work? (and how is this different from the question
Does the application have compatibility problems with other applications
- In addition to our applications, why should we be concerned with
the web server software on each web server we are using?
- What tool did the text recommend to find live addresses in the network
we are testing?
What tools were recommended to find open ports on live devices?
What tools were recommended to determine the operating systems on live
How about scanning for vulnerabilities?
What other tools from the labs or your own work would you recommend
for any of these tasks?
- The text covers writing a formal report to upper management in four
sections. What goes in each section?
What is an endpoint device? What other kind of devices exist in a
- executive summary
- technical summary
- vulnerability assessment and security assessment
What was the major improvement in system design going from 3G to 4G
services? What primary security concern was addressed?
Why is HTTP a security concern, compared to HTTPS?
Why do we need virus protection on computers we use to browse the
web? How does that argument apply to other endpoint devices?
What is store and forward? What kind of devices use this technique?