ITS 4050 - Internet and Web Security
Review for Second Test
The following questions are provided to help you study for the
second test. Do not expect to see these exact questions on the
test.
- How does the need for a web server to use forms for user input
contribute to the vulnerabilities of that server?
- What are the three states in which we find data, and in which
an attacker may try to obtain/alter/destroy that data?
- How should fault tolerance policies affect new and existing
systems?
- Policies and systems should be reviewed when either is
changed. Give an example of such a change in each of them.
- The text reminds us that we are at risk for exploits that
target each kind of programming language we may be using. How
might an attacker's tactics vary depending on whether we are
using a compiled language or a script in a web page?
- How has the Internet changed transaction processing from
batch processing to real-time processing?
- PCI DSS is based on accepted standards from a trade
association. How is this different from legal requirements? How
does this approach lead to international standards that laws
probably cannot? How is this less effective than laws would be?
- According to PCI DSS, what is the number of annual
transactions that qualifies an entity to do self-assessment? At
what level must there be a yearly audit of transactions? What
must also be done by every entity?
- What are some of the ways transaction processing entities are
required to protect cardholder data?
- Why do entities that write programs need to have separate
development and production environments?
- The text lists four stages of program development: pre-alpha,
alpha, beta, and release candidate. Why is it likely that a
large project will have more than four actual versions? Which
stages are more likely to contain multiple versions?
- In the hierarchy of principles, policies, standards,
procedures, and guidelines, which is different from the others
in terms of required behavior? Why is it part of the same
hierarchy?
- When we are testing a new application or web site, why should
we pay attention to our own history and to recent exploits of
similar sites?
- Why should testing of our web sites and applications continue
after we have corrected a major problem?
- When examining an application, typically one we write
in-house, we should ask several questions. Why is each
important?
  - Does the application meet the user requirements?
  - Does the application work? (and how is this different from
  the question above?)
  - Does the application have compatibility problems with other
  applications we use?
- In addition to our applications, why should we be concerned
with the web server software on each web server we are using?
- What tool did the text recommend to find live addresses in
the network we are testing?
  - What tools were recommended to find open ports on live
  devices?
  - What tools were recommended to determine the operating
  systems on live devices?
  - How about scanning for vulnerabilities?
  - What other tools from the labs or your own work would you
  recommend for any of these tasks?
- The text covers writing a formal report to upper management
in four sections. What goes in each section?
- executive summary
- technical summary
- vulnerability assessment and security assessment
- recommendations
- What is an endpoint device? What other kind of devices exist
in a network?
- What was the major improvement in system design going from 3G
to 4G services? What primary security concern was addressed?
- Why is HTTP a security concern, compared to HTTPS?
- Why do we need virus protection on computers we use to browse
the web? How does that argument apply to other endpoint devices?
- What is store and forward? What kind of devices use this
technique?