Q1. Letters, telegrams, and other messages can sit in a pile to await delivery. Is there a way to do that with a circuit-oriented phone system?
No, because there is no way to “save” a two-way telephone conversation.
Yes, if the phone being called has a way to record a message spoken by the caller.
No, because telephone systems were analog and practical storage is digital.
Yes, the phone company attached analog recorders to all phone lines for saving messages.
Q2. Which of the following were true about both the ARPANET and ALOHANET? Select all that apply.
Both transmitted data in digital packets
Both provided reliable packet delivery to the connected host computers
Both were designed to support message oriented transmission
Both used analog communications links between endpoints
Q3. Each entry in the National Vulnerability Database has a one-to-one relationship to entries in which of the following databases?
OWASP Top Ten
Q4. How does an injection attack work in general? Pick the best explanation.
A user mistypes a text entry and causes a database to crash
An attacker uses a trial-and-error attack to find valid credentials to log in to a site. The attack uses a database of user IDs and passwords
An attacker sends specially designed text to a server, which the server assumes is a simple text parameter. The text passes through command interpreters that misinterpret its contents as commands
An attacker uses SQL command syntax to trick the login process. Instead of providing the correct password, the command syntax indicates that a guessed password is correct by using a logical expression
Q5. Which of the following are authentication problems, as opposed to session problems? Select all that apply.
Users receive emails claiming to be from the HR department, demanding that they log in and verify personal information. The login is bogus and steals their login credentials
Credential stuffing attack
A user visits a retail web site and finds the shopping cart already full, with name and address already filled out. The name and address do not belong to the user
A user logs in to a retail web site and puts items in the shopping cart. Somehow an attacker takes over the shopping cart, orders merchandise, and addresses the delivery elsewhere
Q6. Are failures to limit transaction rates the same as DDoS attacks, like flooding? Choose the best answer.
Yes, because both overwhelm the server with traffic it can’t possibly handle.
No, because the server can, by design, limit transaction rates and manage resources so that service is still provided.
Q7. Why do security configuration guidelines tell site administrators to disable, change, or restrict access to built-in user IDs wherever possible?
Popular built-in user IDs always appear in “credential stuffing” databases
It’s often necessary to provide a ‘back door’ login in a production system for debugging purposes, and such accounts should use hard-to-guess names
The administrator reduces the amount of system information visible to outsiders by changing the names
Q8. Which of the following are recognized types of XSS attacks? Select all that apply.
Q9. Which of the following could contain a significant deserialization risk? Select all that apply.
The server reads in an XML file stored with the server’s source code.
The server reads an XML file uploaded from the client.
Data is collected in a web form and saved directly into a JSON object that is sent to the server. The server reads the JSON into an object on the server.
The server creates JSON objects to associate user IDs with access rights to other objects. The JSON objects are saved in files on the server’s own, controlled storage area
Q10. In 2017, major software flaws were reported and patched in two major software components: Apache Struts and Windows SMB. Which of the following are true about these patches?
A large series of attacks took place before the patches were released.
A large series of attacks took place within days of releasing the Apache Struts patch.
A large series of attacks took place within months of releasing the Apache Struts patch.
A large series of attacks took place within days of releasing the Windows SMB patch.
A large series of attacks took place within months of releasing the Windows SMB patch.
Week 2: Architecture and Authentication
Quiz: Module 2
Q1. Which of the following are kept secret to ensure accurate authentication? Select all that apply.
Q2. What is the difference between a credential and an authentication secret?
An authentication secret is used in one authentication operation while the credential is used over a long period of time.
A credential is a physical badge while an authentication secret is computer data.
A credential is used in one authentication operation while the authentication secret is used over a long period of time.
There is no difference: both contain exactly the same data.
Q3. This is an old-style ATM cash card that did not contain a smart card chip. Which of the following best describes it in terms of authentication factors?
One weak factor: the card
Two weak factors: the card + a PIN
Three strong factors: the card + a PIN + the card’s owner
Two strong factors: the card + a PIN
Q4. Which of the following provide a strong one-time passcode mechanism? Select all that apply.
A smart phone with one-time passcode software.
The mag stripe on the back of a credit card.
A SecurID token
A smart phone using SMS to collect a one-time passcode.
Q5. A smart phone unlocks with either a passcode or a biometric reading. Once it’s unlocked, we can use its OTP software to log in to a web site. How many factors are involved to log in to the web site with the phone?
Two factors: something you have (the OTP software) and either something you know (the PIN) or something you are (the biometric).
Three factors: something you have (the OTP software), something you know (the PIN), and something you are (the biometric).
Two factors: something you know (the PIN) and something you are (the biometric)
One factor: either something you know (the PIN) or something you are (the biometric)
Q6. We are using a low-entropy passcode to authenticate a handheld device. What can we do to increase its security strength? Select all that apply.
Limit the number of unsuccessful passcode guesses allowed
Make the passcode shorter
Reduce the false acceptance rate
Make the passcode longer
Q7. Are biometrics a good choice for remote authentication? Select the best answer.
Yes, because their credentials are hard to simulate across a network link.
Yes, because the corresponding human features are almost impossible for attackers to copy.
No, because biometric authentication either matches perfectly or not at all.
No, because they are especially vulnerable to replay attacks.
Q8. Why are authentication devices like one-time password tokens and compatible smartphone-based methods considered stronger than other techniques?
The devices carry an extremely large authentication secret that defies attempts at trial-and-error guessing.
One-time password mechanisms are themselves immune to trial-and-error attacks.
Physical devices always provide a stronger authentication mechanism.
Q9. How does the software architecture REST address security?
The architecture assumes that the modeled services are protected by security measures wrapped around the services.
Security is enforced through the CRUD API definitions.
Sessions are explicitly represented in the architectural model
Generic data states, like those described in Course 2, are made part of the architectural model.
Q10. Service security relies on which of the following features? Select all that apply.
Client authentication with SSL/TLS
Server authentication with SSL/TLS
Week 3: Session Management
Quiz: Module 3
Q1. This session ID is not tied to a particular user ID. Which of the following terms best describes it?
Q2. This session ID was provided by the user to the server. Which of the following terms best describes it?
Q3. If the session management software renews a session, which of the following are true? Select all that apply.
The session always receives a new session ID.
The session is always re-authenticated
Session communications are encrypted using SSL/TLS
The new session ID is derived from the previous session ID
Q4. Which of the following are preferred for sharing session IDs?
Proprietary HTTP headers
Q5. Which of the following attributes prevent a session ID from being shared with other sites? Select all that apply.
Q6. Which of the following situations make a cookie persistent? Select all that apply.
When the browser exits
Q7. What is a session fixation attack?
The attacker provides the session ID used by the client, and the server accepts permissive session IDs
The attacker guesses or intercepts the session ID established by the server
The attacker retrieves the session ID using cross-site scripting
The attacker changes the Max-Age attribute to an extremely high value
Q8. The users of the application under development are likely to use the application more-or-less continuously during their office hours. The principal risk is sidejacking. Individual computers and mobile devices are locked when idle. Which of the following is the best strategy for handling session expiration?
Make the absolute expiration time as high as possible
Renew sessions periodically
Never expire sessions during office hours
Disable timeouts on the client host
Q9. Which of the following methods are recommended for preserving session ID security? Select all that apply.
Protect all transmissions containing the session ID with SSL/TLS
Use a cryptographically secure random number generator when generating the session ID.
The session ID should be no more than 64 bits long.
The session ID should contain the user’s ID to protect against hijacking
Q10. Which of the following mechanisms ensure the encryption of the Session ID? Select all that apply.
Don’t mix HTTP and HTTPS on a page, but allow all-HTTP pages
Week 4: Providers, Crypto, and Scripts
Quiz: Module 4
Q1. The video on trusting cloud providers suggests four roles for onsite personnel. Given those suggestions, which of the following tasks are performed by system administrators? Select all that apply.
Review security logs and alerts
Install or replace software
Install or replace hardware
Control physical access by other personnel
Q2. The video on trusting cloud providers suggests four roles for onsite personnel. Given those suggestions, which of the following tasks are performed by system operators and monitors? Select all that apply.
Install or replace software
Control physical access by other personnel
Manage network and server operations
Review security logs and alerts
Q3. A potential cloud consumer wants to review a cloud provider’s security measures. Which of the following provides the consumer with the most relevant details?
SOC 3 report
SOC 1 report
SOC 2 report
Q4. Which of the following help a cloud provider ensure “Trust, but verify” onsite? Select all that apply.
Separation of duties
Protected event logging
SOC 3 report
Redundant network firewalls
Q5. Which of the following is a crypto key used to encrypt other crypto keys?
Q6. Is there a difference between key encapsulation and key wrapping? Select the best answer below.
Yes: encapsulation requires an HSM while wrapping can be performed in RAM.
Yes, encapsulation uses a secret key while wrapping uses a public key.
Yes: encapsulation uses a public key while wrapping uses a secret key.
No, both encrypt a crypto key to make it safe for storage and distribution.
Q7. NIST recommends changing a crypto key periodically if it encrypts a lot of data. What is the maximum recommended “age” for such a key?
Q8. Which of the following are true of reflected, server-side XSS attacks? Select all that apply.
The attack is delivered through a URL containing the malicious script
The server executes the attack script
The attacker stores the attack script on the server
The client executes the attack script
The attack uses a malicious script stored on an unsuspecting server host
Q9. What server error is primarily responsible for XSS attacks? Choose the best response.
The server fails to authenticate users before accepting text in critical server functions.
The server fails to validate text provided by the user before using it in an interpreted command or programming language statement.
The server allows non-ASCII characters to be used in web or API service arguments.
Q10. Which of the following performs the “reflection” in an XSS reflection attack? Select the best response.
The targeted client
The targeted server
The attacker’s host computer
The host containing the URL the client clicks on.
Q11. In the course video illustrating reflected XSS, the attacker wants to collect session IDs of legitimate logged-in users, and purchase merchandise using the users’ credentials. If a user clicks on the attack URL without logging in first, what is most likely to happen? Select the best answer.
The server rejects the attempt to use the search function.
The server reflects the script; it executes on the client and forwards the victim’s logged-in session ID to the attacker
The server reflects the script; it executes on the client and forwards a useless session ID to the attacker
The server reflects the script; it executes on the client and fails because there is no session ID
I hope these Cloud Application Security Coursera Quiz Answers were useful and helped you learn something new. If they helped you, don’t forget to bookmark our site for more coding solutions.