ITS 4050 - Internet and Web Security
Review for Second Test
The following questions are provided to help you study for the
second test. Do not expect to see these exact questions on the
- How does the need for a web server to use forms for user input
contribute to the vulnerabilities of that server?
- What are the three states in which we find data, and in which
an attacker may try to obtain/alter/destroy that data?
- How should fault tolerance policies affect new and existing
- Policies and systems should be reviewed when either are
changed. Give an example of such a change in each of them.
- The text reminds us that we are at risk for exploits that
address each kind programming language we may be using. How
might an attacker's tactics vary depending whether we are using
a compiled language or a script in a web page?
- How has the Internet changed transaction processing from
batch processing to real-time processing?
- PCI DSS is based on accepted standards from a trade
association. How is this different from legal requirements? How
does this approach lead to international standards that laws
probably cannot? How is this less effective than laws would be?
- According to PCI DSS, what is the number of annual
transactions that qualifies an entity to do self assessment? At
what level must there be a yearly audit of transactions? What
must also be done by every entity?
- What are some of the ways transaction processing entities are
required to protect cardholder data?
- Why do entities that write programs need to have separate
development and production environments?
- The text lists four stages of program development: pre-alpha,
alpha, beta, and release candidate. Why is it likely that a
large project will have more than four actual versions? Which
stages are more likely to contain multiple versions?
- In the hierarchy of principles, policies, standards,
procedures, and guidelines, which is different from the others
in terms of required behavior? Why is it part of the same
- When we are testing a new application or web site, why should
we pay attention to our own history and to recent exploits of
- Why should testing of our web sites and applications continue
after we have corrected a major problem?
- When examining an application, typically one we write
in-house, we should ask several questions. Why is each
Does the application meet the user requirements?
Does the application work? (and how is this different from the
Does the application have compatibility problems with other
applications we use?
- In addition to our applications, why should we be concerned
with the web sever software on each web server we are using?
- What tool did the text recommend to find live addresses in
the network we are testing?
What tools were recommended to find open ports on live devices?
What tools were recommended to determine the operating systems
on live devices?
How about scanning for vulnerabilities?
What other tools from the labs or your own work would you
recommend for any of these tasks?
- The text covers writing a formal report to upper management
in four sections. What goes in each section?
What is an endpoint device? What other kind of devices exist
in a network?
- executive summary
- technical summary
- vulnerability assessment and security assessment
What was the major improvement in system design going from 3G
to 4G services? What primary security concern was addressed?
Why is HTTP a security concern, compared to HTTPS?
Why do we need virus protection on computers we use to browse
the web? How does that argument apply to other endpoint devices?
What is store and forward? What kind of devices use this