Question 101: Which of the following is not best practice:
A. Identifying and reducing the number of privileged accounts.
B. Enforcing the principle of least privilege.
C. A well-documented off-boarding process.
D. Providing training covering the responsibilities that come with privileged access once a new employee has been added to the organization’s identity and access management system.
E. Routinely reviewing role-based privileges to ensure the associated privileges are still relevant and required.
Correct Answer: D. Providing training covering the responsibilities that come with privileged access once a new employee has been added to the organization’s identity and access management system.
Question 102: A privileged user is someone who:
A. Can access the customer database.
B. Deserves the latest and greatest technology.
C. C-Level management.
D. Has more authority and access to an information system than a general user.
Correct Answer: D. Has more authority and access to an information system than a general user.
Question 103: Privileged users can be trusted.
A. Yes – we have no other choice.
B. Never – we should not have privileged users.
C. Most of the time as they’re all carefully vetted.
D. Only to a certain degree so we trust but verify.
Correct Answer: D. Only to a certain degree so we trust but verify.
Question 104: Granting or denying privileges based on additional security checks such as the location of the user, status of their device, network address, the time of day, and the role of the user is called:
A. The two-man rule.
B. Context-aware privilege control.
C. Two-factor authentication.
D. Key sharing.
Correct Answer: B. Context-aware privilege control.
Question 105: In which of the following exploits does an attacker insert malicious code into a link that appears to be from a trustworthy source?
A. XSS
B. Command injection
C. Path traversal attack
D. Buffer overflow
Correct Answer: A. XSS
XSS attacks occur when an untrusted source injects code into an application or link that appears to be from a trusted source.
Question 106: In which of the following exploits does an attacker add SQL code to an application input form to gain access to resources or make changes to data?
B. Command injection
C. SQL injection
D. Buffer overflow
Correct Answer: C. SQL injection
SQL injection attacks involve attackers inputting SQL code into an application form — for example, a username or password field — to gain unauthorized access to resources. With this access, attackers can view and alter sensitive data, exercise administrative privileges, or conduct DDoS and other detrimental attacks.
Question 107: Netsparker and Burp Suite Professional are examples of:
A. Web-focused vulnerability detection tools
C. Web application firewalls
Correct Answer: A. Web-focused vulnerability detection tools
Netsparker and Burp Suite Professional are both examples of web-focused vulnerability detection tools, a category of application security testing tools critical to detecting app issues.
Question 108: Which of the following is not on OWASP’s top 10 web application security risks?
A. Sensitive data exposure
B. XML external entities
C. Noncompliance
D. Insecure deserialization
Correct Answer: C. Noncompliance
Sensitive data exposure, XML external entities and insecure deserialization are all included on OWASP’s top 10 list. Noncompliance is not on the list.
Question 109: Core Impact, Metasploit and w3af are all examples of:
A. Cybersecurity search engines
B. Frameworks
C. Password security tools
D. SQL injection tools
Correct Answer: B. Frameworks
These are all examples of security frameworks. Core Impact is a commercial pen testing framework, Metasploit is an open-source pen testing framework, and w3af is a web application attack and audit framework.
Question 110: Web application firewalls (WAFs) help prevent which application layer attack?
B. SQL injection
D. All of the above
Correct Answer: D. All of the above
WAFs provide visibility into app data communicated via the HTTP app layer. A WAF can help prevent application attacks, including XSS, SQL injection and DDoS.