Chapter 9: Practice Test 1 417
- C. Test directories often include scripts that have poor protections or other data that can be misused. There is no default test directory that allows administrative access to PHP. Test directories are not commonly used to store sensitive data, nor is the existence of a test directory a common indicator of compromise.
- A. Directory indexing may not initially seem like an issue during a penetration test, but simply knowing the names and locations of files can provide an attacker with quite a bit of information about an organization, as well as a list of potentially accessible files. XDRF is not a type of attack, and indexing is not a denial-of-service attack vector. Directory indexing is typically turned on by design or because the server was not properly configured at setup, rather than being a sign of attack.
- B. Cross-site tracing (XST) leverages the HTTP TRACE or TRACK methods and could be used to steal a user's cookies via cross-site scripting (XSS). The other options are not industry terms for web application or web server attacks or vulnerabilities.
- D. The contents of RAM are volatile, meaning that they are only available while power is applied to the memory chips. EPROM, EEPROM, and flash memory are all nonvolatile, meaning that they retain their contents even when powered off.
- C. Data loss prevention (DLP) systems specialize in the identification of sensitive information. In this case, Ursula would like to identify the presence of this information on endpoint devices, so she should choose an endpoint DLP control. Network-based DLP would not detect stored information unless the user transmits it over the network. Intrusion prevention systems (IPSs) are designed to detect and block attacks in progress, not necessarily the presence of sensitive information.
- B. In the private cloud computing model, the cloud computing environment is dedicated to a single organization and does not follow the shared tenancy model. The environment may be built by the company in its own data center or built by a vendor at a co-location site.
- A. Load balancing helps to ensure that a failed server will not take a website or service offline. Dual power supplies only work to prevent failure of a power supply or power source. IPS can help to prevent attacks, and RAID can help prevent a disk failure from taking a system offline.
- D. Integrity ensures that unauthorized changes are not made to data while stored or in transit.
- C. A star topology uses a central connection device. Ethernet networks may look like a star, but they are actually a logical bus topology that is sometimes deployed in a physical star.
- C. Input validation ensures that the data provided to a program as input matches the expected parameters. Limit checks are a special form of input validation that ensure that the value remains within an expected range, as is the case described in this scenario. Fail open and fail secure are options when planning for possible system failures. Buffer bounds are not a type of software control.
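The following is an added illustration of the limit-check answer above; it is example code written for this page, not material from the practice test or its publisher. It assumes a hypothetical order form whose `quantity` field must be an integer from 1 to 100, and shows the two stages a limit check sits on top of (type and format validation, then the range check), alongside the unvalidated version that accepts a negative quantity and produces a negative total.

```python
# Added example: a limit check as a special form of input validation.
# Scenario (assumed for illustration): an order form's quantity field must be
# an integer in 1..100. Invalid or out-of-range input is rejected outright,
# so a bad value never reaches the business logic (fail closed).
import re
from dataclasses import dataclass
from typing import Optional


class ValidationError(ValueError):
    """Raised when input fails validation; the caller must not use the value."""


@dataclass(frozen=True)
class IntLimitCheck:
    """Validates that a value is an integer within [minimum, maximum]."""
    field: str
    minimum: int
    maximum: int

    def validate(self, raw: object) -> int:
        # Stage 1: type and format validation. Form and API fields usually
        # arrive as strings, so accept an ASCII decimal integer (optional
        # leading minus) or a plain int. bool is excluded explicitly because
        # it is a subclass of int in Python.
        if isinstance(raw, bool) or not isinstance(raw, (int, str)):
            raise ValidationError(f"{self.field}: unsupported type {type(raw).__name__}")
        if isinstance(raw, str):
            text = raw.strip()
            # [0-9] is ASCII-only; str.isdigit() would also accept characters
            # such as superscripts that int() cannot parse.
            if not re.fullmatch(r"-?[0-9]+", text):
                raise ValidationError(f"{self.field}: not an integer: {raw!r}")
            value = int(text)
        else:
            value = raw
        # Stage 2: the limit check proper, an inclusive range test.
        if not self.minimum <= value <= self.maximum:
            raise ValidationError(
                f"{self.field}: {value} outside {self.minimum}..{self.maximum}")
        return value


QUANTITY = IntLimitCheck(field="quantity", minimum=1, maximum=100)


def order_total_unvalidated(raw_quantity: str, unit_price_cents: int) -> int:
    """No limit check: a negative quantity silently yields a negative total."""
    return int(raw_quantity) * unit_price_cents


def order_total(raw_quantity: object, unit_price_cents: int) -> int:
    """Validated version: the limit check runs before the value is used."""
    quantity = QUANTITY.validate(raw_quantity)
    return quantity * unit_price_cents


def order_total_or_none(raw_quantity: object, unit_price_cents: int) -> Optional[int]:
    """Fail-closed wrapper: invalid input produces no total rather than a wrong one."""
    try:
        return order_total(raw_quantity, unit_price_cents)
    except ValidationError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs covering valid, boundary and malformed cases.
    for raw in ["3", " 100 ", "0", "-5", "101", "1e3", "ten", ""]:
        print(f"{raw!r:>8} -> {order_total_or_none(raw, 250)}")
    print("unvalidated '-5' ->", order_total_unvalidated("-5", 250))
```

The range test is deliberately separate from the format test: a value that parses as an integer but lies outside the expected range is exactly the case a limit check exists to catch, and rejecting it (rather than clamping it) keeps the control fail secure.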