Cloud Top Ten Risks Coursera Quiz Answers

Get Cloud Top Ten Risks Coursera Quiz Answers

After completing the course, the student should be able to do the following:

● Associate lists of OWASP Top Ten Risks with major cloud cybersecurity risks.

● Apply appropriate cryptographic techniques to secure authentication mechanisms and cloud data.

● Identify the most effective strategies for resisting injection attacks, cross-site scripting attacks, and object deserialization attacks.

● Assess strategies to address risks posed by administrative failures, including misconfiguration, broken access control, vulnerable software components, and security monitoring.

Week 1: Overview of the Top Ten Risks

Quiz 1: OWASP Top Ten Risks (practice)

Q1. Here is a list of OWASP Top Ten lists of risks. Which of the following lists are used to construct the Cloud Risks list used in this course?

  • Internet of Things Top Ten
  • Web Applications Top Ten
  • Mobile Top Ten
  • API Top Ten
  • Privacy Top Ten

Q2. Which of the following is also called “work factor?”

  • Prevalence
  • Exploitability
  • Technical Impact
  • Detectability

Q3. A malware script distributes itself via email. If a recipient executes the script upon receiving the infected email, the script re-sends itself to every email address in the recipient’s contact list. Which of the following are true statements about this attack?

  • This is a targeted attack
  • This is a focused attack
  • This is a wholesale attack

Quiz 2: Injection

Q1. Which of the following are vulnerable to injection attacks? Select all that apply.

  • Javascript
  • PHP
  • SQL
  • Command shells
  • LDAP

Q2. Which of the following are true about the attack on Sony’s PSN in 2008?

  • The attack used bogus anti-malware software to penetrate the PSN.
  • Because of the attack, visitors were subjected to SQL injection attacks on their browsers.
  • The attack used SQL injection to penetrate the PSN.
  • Because of the attack, visitors were invited to install bogus anti-malware software.

Q3. Given the summary of CWE weaknesses associated with injection, which of the following weaknesses is the best fit for the 2008 Sony PSN attack? [USED in the Risk #1 in-video question]

  • CWE-78
  • CVE-2004-366
  • CWE-88
  • CWE-89

Q4. The software collects two strings of user input text. Each resides in its own variable. The two variables are passed to an SQL stored procedure. Of which is this an example?

  • Command injection
  • Blacklisting
  • Parameterized interface
  • Whitelisting

Q5. The software collects two strings of user input text. Each resides in its own variable. A procedure is applied to each variable to insert an escape character before any special characters present. Then the two variables are passed to an SQL stored procedure. Of which is this an example?

  • Blacklisting
  • SQL injection
  • Whitelisting
  • Escaping

Q6. We need to make a list of “whitelisted” characters to be used when cleaning up user-supplied text strings to be passed to SQL. Select all sets of characters that should be whitelisted.

  • Upper and lower case letters
  • Non-printing control codes
  • Digits
  • Single and double quote marks
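Q4 to Q6 contrast the three ways of handling user text that is bound for SQL. The following is an added example written for this page, not course material: it runs each approach against an in-memory SQLite table, using a parameterized SELECT in place of the stored-procedure call the questions describe. The table contents and the `x' OR '1'='1` input are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table standing in for the site's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Deliberately vulnerable: the user text is concatenated into the statement,
    # so a quote in the input changes the statement's structure (CWE-89).
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Parameterized interface (Q4): the statement is compiled with a placeholder
    # and the user text is bound as data, so it is never parsed as SQL.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def escape_single_quotes(text):
    # Escaping (Q5): standard SQL escapes a quote by doubling it, which is what
    # SQLite expects; MySQL-style backslash escaping is dialect specific.
    # This is a blacklist of one character and is weaker than parameterization.
    return text.replace("'", "''")


def lookup_escaped(conn, name):
    sql = ("SELECT name, email FROM users WHERE name = '"
           + escape_single_quotes(name) + "'")
    return conn.execute(sql).fetchall()


# Whitelisting (Q6): accept only letters and digits; quotes and control codes
# are rejected outright rather than cleaned up.
WHITELIST = re.compile(r"[A-Za-z0-9]+")


def is_whitelisted(text):
    return WHITELIST.fullmatch(text) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
    print("escaped:", lookup_escaped(db, probe))
    print("whitelisted?", is_whitelisted(probe))
```

The concatenated query returns every row for the probe input because the quote ends the string literal and the rest becomes a tautology; the parameterized and escaped versions look for a user literally named `x' OR '1'='1` and return nothing, and the whitelist rejects the input before it reaches SQL at all.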

Q7. What is the level of exploitability of the injection risk?

  • 2
  • 3
  • 1

Q8. Which of the following are applied to source code to search for potential injection attacks?

  • SAST tools
  • Vulnerability scanning tools
  • DAST tools

Q9. Which of the following are true of fuzz testing?

  • Tests an application by varying the syntax in the source code.
  • A form of SAST
  • Tests an application by feeding it varying inputs
  • A form of DAST

Q10. What does it mean for an OWASP risk to be “easy” to detect?

  • Vulnerabilities associated with this risk are easy to detect during software testing, eliminating their risk to the running software.
  • An attacker can easily detect the presence of vulnerabilities associated with this risk.
  • Vulnerabilities associated with this risk are easy for system administrators to detect by observing the system’s routine behavior.

Week 2: Cloud Risks 2, 3, and 4

Quiz 1: Authentication

Q1. Select the best term to apply to spear phishing.

  • Targeted attack
  • Wholesale attack
  • Brute force attack
  • Session ID attack

Q2. Which of the following are true about the Firesheep software? Select all that apply.

  • Targets the session ID
  • Targets the victim’s user ID and password
  • Relies on plaintext network messages
  • Grants access to the user’s account

Q3. Kevin Mitnick gained fame through social engineering: he would break into computers by calling the help desk and begging for the admin to reset “his” password. What type of attack is this?

  • Credential recovery attack
  • Session ID attack
  • Credential stuffing attack
  • Interception attack

Q4. The NIST recommendations for password authentication released in 2017 (revised 2020) include one or more of the following. Check all that apply.

  • Numeric passwords selected by the server should contain at least 6 digits.
  • Sites should support password manager software.
  • A site may check a user-selected password against a blacklist of passwords before accepting it.
  • A site may check a user-selected password against a whitelist of passwords before accepting it.
  • Passwords should be replaced every 6 months.

Q5. The NIST recommendations for password authentication released in 2017 (revised 2020) include one or more of the following. Check all that apply.

  • Passwords should be able to contain any combination of characters
  • Passwords should never contain spaces
  • Passwords should always contain a combination of letters, digits, and one or more special characters
  • The better passwords are the longer passwords

Q6. We want to strengthen a site’s authentication process by adding a second factor. Which of the following is the strongest factor?

  • Facial recognition
  • A physical device associated with a specific user
  • A cell phone that handles SMS messages
  • A fingerprint reader

Q7. Why could Firesheep allow a user to masquerade someone else? Select the best answer.

  • Because Firesheep could forge the browser’s Internet address and masquerade as the other user’s computer
  • Because the session ID is tied to the logged-in user’s ID
  • Because on many sites the session ID matches a user’s hashed password

Quiz 2: Sensitive Data Exposure (practice)

Q1. For which of the following cloud service models must the cloud consumer implement the access controls, if any, between the end users? Select all that apply.

  • Infrastructure as a service
  • Software as a service
  • Platform as a service

Q2. Cryptography protects data in which of the following states of the data life cycle? Select all that apply.

  • Data at rest
  • Data in motion
  • Data in use

Q3. Which of the data spills highlighted in the article summarizing the “15 major data breaches” is reported to have spilled the most records?

  • Sina Weibo
  • Yahoo
  • Equifax
  • Adobe

Quiz 3: Risks #3 & 4

Q1. For which of the following cloud service models does the cloud provider typically take responsibility for implementing access controls between the cloud consumer’s end users? Select all that apply.

  • Software as a service
  • Platform as a service
  • Infrastructure as a service

Q2. Which of the following is the safest method for storing passwords?

  • Apply encryption to the entire password database. Decrypt the database when authentication is being performed.
  • Apply a salted one way hash to each password in the database. Re-hash a user’s plaintext password, combined with the salt, when authenticating.
  • Keep the passwords individually encrypted. Decrypt a password when it is needed during authentication or during maintenance operations (i.e. updating).
  • Apply a salted one-way hash to the entire password database. This detects unauthorized changes to the password database.

Q3. Which of the following is the closest value for the “typical” number of users and/or records compromised by the data spills highlighted in the article summarizing the “15 major data breaches.”

  • 25 million
  • 50 million
  • 150 million
  • 200 million

Q4. Here is a list of defenses against brute force password guessing attacks. Which one is the least recommended defense?

  • Increase the delay incrementally after each incorrect password guess
  • Use a device cookie to associate password guessing with a particular host
  • Use a captcha
  • Lock out the user’s account after a limited number of failed attempts
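Q2 (how to store passwords) and Q4 (how to slow down guessing without locking real users out) describe two halves of one login path. The following added example, not course material, puts them together: a salted PBKDF2-HMAC-SHA256 record per user that is re-hashed at login, and a per-account, per-device-cookie throttle whose delay grows with each failure. The iteration count, the record format, the cookie values and the injected clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 at OWASP's 2023 recommendation of 600,000 iterations.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm$iterations$salt$digest (hex)."""
    # A fresh random salt per password means two users with the same password
    # get different records, which defeats precomputed (rainbow) tables.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the presented password with the stored salt and compare."""
    # Nothing is decrypted: the hash is one way, so a stolen database still
    # forces the attacker to guess each password individually.
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


class GuessThrottle:
    """Incremental delay keyed on (account, device cookie).

    The delay doubles with each failure from the same device, so an attacker
    who does not hold the victim's cookie is slowed while the real user's
    browser, which does, is unaffected. There is no hard lockout: a lockout
    lets anyone deny service to a user simply by guessing badly.
    """
    BASE_DELAY = 1.0     # seconds after the first failure
    MAX_DELAY = 300.0    # cap so the penalty is never unbounded

    def __init__(self, clock):
        self._clock = clock          # injected so the behaviour is testable
        self._failures = {}          # (account, cookie) -> failed attempts
        self._not_before = {}        # (account, cookie) -> earliest next attempt

    def delay_for(self, failures: int) -> float:
        if failures == 0:
            return 0.0
        return min(self.BASE_DELAY * 2 ** (failures - 1), self.MAX_DELAY)

    def may_attempt(self, account: str, device_cookie: str) -> bool:
        return self._clock() >= self._not_before.get((account, device_cookie), 0.0)

    def record_failure(self, account: str, device_cookie: str) -> float:
        key = (account, device_cookie)
        self._failures[key] = self._failures.get(key, 0) + 1
        delay = self.delay_for(self._failures[key])
        self._not_before[key] = self._clock() + delay
        return delay

    def record_success(self, account: str, device_cookie: str) -> None:
        key = (account, device_cookie)
        self._failures.pop(key, None)
        self._not_before.pop(key, None)


def attempt_login(store: dict, throttle: GuessThrottle, account: str,
                  device_cookie: str, password: str) -> str:
    """Throttle first, then verify against the stored record."""
    if not throttle.may_attempt(account, device_cookie):
        return "throttled"
    record = store.get(account)
    if record is not None and verify_password(password, record):
        throttle.record_success(account, device_cookie)
        return "ok"
    throttle.record_failure(account, device_cookie)
    return "denied"
```

A production version would also hash a dummy record when the account does not exist, so that the response time does not reveal which user IDs are valid.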

Q5. A site defends itself from flooding attacks by blocking the IP address it finds on the flooding packets. How can the attacker bypass this defense? Select all that apply.

  • Route the flood packets through a variety of proxy addresses
  • Use a captcha
  • Issue ‘half open’ TCP requests
  • Use an army of ‘bots’ to host the flooding attack

Q6. Which of the following are examples of “graceful degradation?” Select all that apply.

  • Keep a queue of requested activities in arrival order. If the queue fills up due to lack of response by clients and subsequent requests must be discarded, delete the oldest waiting request in the queue.
  • Set a timeout on waiting responses. When a response takes longer than typical, discard it to make room for newer requests.
  • Keep a queue of incoming requests. If the queue fills up due to lack of response by clients and subsequent requests must be discarded, don’t start any new requests until the outstanding clients complete their activities.
  • Use virtual server technology to clone new servers whenever existing servers are too busy. The service should always be able to handle additional requests.

Q7. What was the target of the most significant attack associated with the Mirai botnet?

  • Brian Krebs, a cybersecurity journalist
  • OVH, a French hosting provider
  • The FBI field office in Anchorage, AK
  • Dyn, a domain name service

Q8. What team was responsible for the Mirai botnet?

  • The operators of the “Qbot” botnet army
  • Two teens running a DDOS-for-hire service called “vDOS”
  • A group supported by Russia or China
  • Three college-age youths with connections to Rutgers University

Week 3.1: Cloud Risks 5, 6, and 7

Quiz 1: Access Control Risks (practice)

Q1. Referring to the video on broken access control, and its analysis of Wikipedia access control, how do we most accurately characterize the statement “Anyone can read wiki entries.”

  • An access control principle
  • A security mechanism or control
  • A policy statement

Q2. Which of the following is the best description of “zero trust networking” as presented in the video?

  • Zero trust networking reduces risk by reducing the physical distance between policy enforcement points and resources protected by them.
  • Zero trust networking tries to eliminate internal local networks whose traffic carries any amount of implicit trust.
  • Zero trust networking tries to ensure that implicit trust networks always contain less infrastructure than the networks exterior to them.

Q3. Which of the following access control principles are emphasized both in the video on broken access control and in the OWASP article “Enforce Access Controls?”

  • Don’t hardcode roles
  • Least privilege
  • Separation of Duty
  • Deny by default

Quiz 2: Module 3

Q1. In the video analysis of Wikipedia access control, how do we most accurately characterize the statement “All editing users are identified by either user ID or IP address.”

  • A security mechanism or control
  • An access control principle
  • A policy statement

Q2. In the four phases of a cyberattack, in which is the attacker’s behavior most evident?

  • Disappearance
  • Penetration
  • Scanning
  • Exploitation

Q3. Jan shares a file with Kim, giving Kim read-only access to the file. Which type of access control does this fit most closely?

  • RBAC
  • DAC
  • ABAC
  • MAC

Q4. From a cybersecurity perspective, which of the following is the best strategy for handling debugging software and settings in a deployed system?

  • Remove all debugging software and disable all debugging features, since debugging access may violate security objectives
  • Leave debugging software installed but set internal flags to disable the debugging features so that they are not available to end users.
  • Remove debugging software since it unnecessarily wastes resources in the deployed system

Q5. Which of the following are true of stored, server-side XSS attacks? Select all that apply.

  • The server executes the attack script.
  • The attack is delivered through a URL containing the malicious script
  • The client executes the attack script
  • The attack uses a malicious script stored on an unsuspecting server host

Q6. Which of the following are recommended defenses against XSS vulnerabilities? Select all that apply

  • Whitelisting characters allowed to appear in parameters
  • Blacklisting characters forbidden from appearing in parameters
  • Encoding potentially risky characters that appear in a parameter
  • User-supplied input may appear anywhere in the HTML document if it has been properly cleaned up

Q7. User input includes quotation marks. How do we encode it for use in an HTML text but prevent it from being interpreted as a quotation mark?

  • Substitute &quot; for every individual quotation mark.
  • Insert an ampersand character & before each quotation mark
  • Put two quotation marks in a row wherever a single quotation mark appears
  • Insert the backslash character \ before each quotation mark

Q8. Which of the following character types may be copied from user input into HTML without encoding?

  • Letters
  • Digits
  • Special characters except ' & " < >
  • Characters ' & " < >

Q9. Which of the following locations is it relatively safe to insert user-supplied text into HTML while minimizing the risk of XSS attacks?

  • HTML width attribute values
  • HTML href attribute values
  • HTML name attribute values
  • HTML tag names
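Q7 to Q9 turn on two points: which characters to encode when copying user text into HTML, and where in the document that encoding is sufficient. The following added example, not course material, encodes the five characters `' & " < >` as entities for element content, and then shows why an `href` value needs scheme validation and a `width` value a digits-only whitelist in addition to encoding. The URLs and labels are constructed inputs.

```python
from urllib.parse import urlsplit

# The five characters that must not reach HTML unencoded (Q8) and their entity
# forms. Letters, digits and every other character are copied through unchanged.
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def encode_for_html_text(text: str) -> str:
    """Entity-encode untrusted text for insertion into HTML element content."""
    # Single pass per character, so an '&' produced here is never re-encoded.
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in text)


def render_comment(user_text: str) -> str:
    """Element content: safe once the five characters are encoded."""
    return '<p class="comment">' + encode_for_html_text(user_text) + "</p>"


def safe_href(user_url: str):
    """href attribute: encoding is not enough, the scheme must be validated.

    'javascript:alert(1)' contains none of the five characters and survives
    encoding intact, so only absolute http(s) URLs are accepted.
    Returns None when the value is rejected.
    """
    candidate = user_url.strip()
    if urlsplit(candidate).scheme.lower() not in ("http", "https"):
        return None
    return encode_for_html_text(candidate)


def safe_width(user_value: str):
    """width attribute: the value is a number, so whitelist ASCII digits only."""
    candidate = user_value.strip()
    if candidate.isascii() and candidate.isdigit() and len(candidate) <= 4:
        return candidate
    return None


def render_link(user_url: str, user_label: str) -> str:
    """Compose a link; a rejected URL falls back to '#' instead of raising."""
    href = safe_href(user_url)
    return ('<a href="' + (href if href is not None else "#") + '">'
            + encode_for_html_text(user_label) + "</a>")


if __name__ == "__main__":
    print(render_comment('<script>alert("x")</script>'))
    print(render_link("javascript:alert(1)", "click me"))
    print(render_link("https://example.com/?a=1&b=2", "Tom & Jerry"))
```

The standard library's `html.escape` performs the same five substitutions; the explicit table is kept here so the set of characters from Q8 is visible. Tag names and event-handler attributes have no safe encoding at all and should never receive user text.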

Week 3.2: Cloud Risks 8, 9, and 10

Quiz: Module 4

Q1. Which of the following OWASP Top Ten Web Application Risks are associated with parsing objects or entities? Select all that apply. Reminder: The list of Top Ten Web Application Risks is different from the list of Top Ten Cloud Risks discussed in this particular course.

  • Web Application Risk #3
  • Web Application Risk #4
  • Web Application Risk #8
  • Web Application Risk #9

Q2. How do XXE attacks work? Select the best description.

  • A malicious XML document is decoded by the client.
  • A malicious XML document is decoded by the server, which performs the attack by decoding the document.
  • A malicious XML document is decoded by the server, which sends an attack script to the client who retrieved the document.

Q3. Which of the following strategies help a developer locate library dependencies in a software package? Select all that apply.

  • Digitally signed packages
  • CVSS scores
  • A SAST that scans a code tree makes a list of library references and other software dependencies
  • The National Vulnerability Database

Q4. The enterprise relies heavily on an obsolete software package. The vendor went out of business and software updates are no longer available. Which of the following is the best strategy to manage the risk posed by this obsolete software?

  • Embed the package in other software that filters all inputs and outputs to ensure proper behavior
  • Continuously run vulnerability scans on the obsolete software
  • Plan to hire the original developers to maintain the software

Q5. Which of the following provides the best description of “dependency confusion?”

  • A software package requests a particular library, and two or more libraries are available with that same name.
  • A newly-developed software package relies on an obsolete library package
  • A development organization can not track down all of the dependencies in their software project
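Q5 describes the condition behind dependency confusion: the same package name resolvable from more than one index. The following added example, not course material, shows the weak and the corrected `pip.conf` for that situation; the two fragments are alternative files, not one file, and the hostnames and the package name `internal-utils` are placeholders.

```ini
# Weak: pip consults both indexes and installs the highest version of any
# name found on either, so a public upload of "internal-utils" with a larger
# version number beats the private copy.
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple

# Corrected: one index only, a private proxy that serves the internal packages
# itself and mirrors only the public names it has been configured to allow.
[global]
index-url = https://pypi.internal.example/simple
```

Pinning versions with hashes in the lock file adds a second check, but it does not by itself stop the resolver from preferring a higher public version when two indexes are in play.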

Q6. Which of the following data items should be collected in an event log entry? Select all that apply.

  • Application and/or process identifier
  • Date and time of event
  • ID of user running the process/application
  • Credit card number
  • Session ID
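Q6 asks which fields belong in an event log entry. The following added example, not course material, builds one structured entry carrying the application, timestamp, user and action, keeps only a hashed reference to the session (the OWASP Logging Cheat Sheet advises against recording raw session IDs), and strips anything that passes as a card number out of free-text detail before it is written. The application name, user ID, session token, message text and the fixed timestamp are constructed for the example.

```python
import hashlib
import re
from datetime import datetime, timezone

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# hyphens, not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check, which real card numbers pass and most other long numbers fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace anything that looks like a valid card number before it is logged."""
    def replace(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return "[PAN REDACTED]" if luhn_ok(digits) else match.group(0)
    return PAN_CANDIDATE.sub(replace, text)


def session_ref(session_id: str) -> str:
    """Stable, non-reversible reference to a session for correlating its events."""
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()[:16]


def log_event(app: str, user_id: str, session_id: str, action: str,
              detail: str, now=None) -> dict:
    """One structured entry with the who, what and when fields and no secrets."""
    now = now or datetime.now(timezone.utc)
    return {
        "timestamp": now.isoformat(),
        "app": app,
        "user_id": user_id,
        "session_ref": session_ref(session_id),
        "action": action,
        "detail": redact_pans(detail),
    }


def sample_entry() -> dict:
    """Constructed sample: a failed payment whose message carried a test card number."""
    return log_event(
        app="checkout-api",
        user_id="u-1042",
        session_id="s3cr3t-session-token",
        action="payment.failed",
        detail="card 4111 1111 1111 1111 declined, order 1234567890123",
        now=datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    print(sample_entry())
```

The Luhn test is what keeps the 13-digit order number in the message while the card number is removed; a pattern on digit count alone would redact both.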

Q7. What is an intrusion detection system (IDS)? Select the best answer.

  • A monitoring system that looks for patterns suggesting that an intrusion has occurred
  • A system that scans network hosts searching for evidence of vulnerabilities that could allow an intrusion
  • A system for logging events related to intrusions
  • An antivirus program

Q8. According to industry reports, how long does it take for a typical site to detect an intrusion? Select the most accurate answer.

  • Hours
  • Months
  • Weeks
  • Days

Q9. Here are some strategies for handling the problem of too many false positives in a security monitoring system. Select the ones most likely to work.

  • Measure and display event statistics instead of individual events.
  • Alert the operators to every event that might suggest an intrusion, since the potential damage may be high.
  • Distribute event logs to several separate systems so that one system is not overloaded with alerts.
  • Collect processor load and data traffic measurements as well as security monitoring.

Conclusion:

I hope these Cloud Top Ten Risks Coursera quiz answers were useful to you and helped you learn something new. If they helped, don’t forget to bookmark our site for more coding solutions.

Keep Learning!
