Data Security Flashcards

1
Q

Types of SQL Injection

A
  1. Query Modification.
  2. Union Attack.
  3. Stacked Queries.
2
Q

Query Modification

A

The attacker modifies the original query and then discards the rest of the original by adding -- at the end of their addition to comment it out.

3
Q

Union Attack

A

The attacker creates a UNION with an existing query so that the results of their query are returned mixed with the results of the legitimate query.

4
Q

Stacked Queries

A

The attacker ends the original query with a semicolon (;) and then appends their own query onto the original.

5
Q

Preventing SQL Injection

A
  1. Parameterized Queries.
  2. Input Validation.
  3. Limit Database User Privileges.
7
Q

Parameterized Queries

A

The single most effective thing you can do to prevent SQL injection is to use parameterized queries. If this is done consistently, SQL injection will not be possible.

8
Q

Input Validation

A

Limiting the data that can be input by a user can certainly be helpful in preventing SQL Injection, but is by no means effective prevention by itself.

9
Q

Limit Database User Privileges

A

A web application should always connect to the database with a database user that has only the permissions it needs.

10
Q

Hash Function

A

A function that maps input data of arbitrary size to a fixed-size output.

11
Q

Hashing characteristics

A

Hashing is one-way, meaning that once data is hashed, the hash cannot be reversed back into the original data.

12
Q

Salt

A

A fixed-length, cryptographically strong random value that is added to a password as input to a hash function.

13
Q

Encryption

A

Is the most effective way to achieve data security. When data is sent between two parties or stored, it is kept in an encrypted, non-human-readable format that requires the key to properly decrypt and understand.

14
Q

Encrypting Data at Rest

A
  1. Data at rest can use a form of encryption called symmetric key encryption.
  2. Requires both parties to use the key to encrypt and decrypt data.
  3. Any party possessing the key can read the data.
  4. Has difficulties securing the symmetric key amongst multiple parties.
15
Q

Securing Data in Transit

A
  1. Data in transit can use a form of encryption called asymmetric key encryption.
  2. Uses a Private and Public Key.
  3. Any party can be sent the public key. It can encrypt the data, but not decrypt it.
  4. Only the key owner has the private key. It can decrypt data encrypted by the public key.
  5. Has difficulties securing the symmetric key amongst multiple parties.
16
Q

Asymmetric Encryption Common Usages

A
  1. Communication/Network Security: Digital Certificates.
  2. Web: HTTPS (SSL (Secure Socket Layer)/TLS (Transport Layer Security)).
  3. Java: Bouncy Castle.
17
Q

Communication/Network Security Asymmetric Encryption

A

Normally a paid subscription
OpenSSL - Open Source / Free Certificates
http://dashboard.techelevator.com vs https://dashboard.techelevator.com

18
Q

Web Asymmetric Encryption

A

HTTPS Everywhere Project - movement to make all communication on the internet encrypted using OpenSSL.

19
Q

Java Asymmetric Encryption

A

An open-source library that provides asymmetric encryption for Java.

20
Q

Man In The Middle Attack

A

Performed through a malicious local network connection, for example in a coffee shop or hotel.

21
Q

Man In The Middle Attack characteristics

A
  1. Attacker provides a fake Wi-Fi connection.
  2. Victim connects and establishes a secure connection with the fake Wi-Fi connection.
  3. The attacker establishes a secure connection on behalf of the victim to the intended destination.
  4. Communication is then transmitted encrypted from the user to the attacker's device and from the attacker's device to the destination, but is unencrypted while on the attacker's device.