WGU C836 FUNDAMENTALS OF INFORMATION
SECURITY EXAM
bounds checking - ✔to set a limit on the amount of data we expect to receive to set
aside storage for that data
*required in most programming languages
* prevents buffer overflows
race conditions - ✔A type of software development vulnerability that occurs when
multiple processes or multiple threads within a process control or share access to a
particular resource, and the correct handling of that resource depends on the proper
ordering or timing of transactions
input validation - ✔a type of attack that can occur when we fail to validate the input to
our applications or take steps to filter out unexpected or undesirable content
format string attack - ✔a type of input validation attacks in which certain print functions
within a programming language can be used to manipulate or view the internal memory
of an application
authentication attack - ✔A type of attack that can occur when we fail to use strong
authentication mechanisms for our applications
authorization attack - ✔A type of attack that can occur when we fail to use authorization
best practices for our applications
cryptographic attack - ✔A type of attack that can occur when we fail to properly design
our security mechanisms when implementing cryptographic controls in our applications
client-side attack - ✔A type of attack that takes advantage of weaknesses in the
software loaded on client machines or one that uses social engineering techniques to
trick us into going along with the attack
XSS (Cross Site Scripting) - ✔an attack carried out by placing code in the form of a
scripting language into a web page or other media that is interpreted by a client browser
XSRF (cross-site request forgery) - ✔an attack in which the attacker places a link on a
web page in such a way that it will be automatically executed to initiate a particular
activity on another web page or application where the user is currently authenticated
clickjacking - ✔An attack that takes advantage of the graphical display capabilities of
our browser to trick us into clicking on something we might not otherwise
server-side attack - ✔A type of attack on the web server that can target vulnerabilities
such as lack of input validation, improper or inadequate permissions, or extraneous files
left on the server from the development process
, WGU C836 FUNDAMENTALS OF INFORMATION
SECURITY EXAM
Protocol issues, unauthenticated access, arbitrary code execution, and privilege
escalation - ✔Name the 4 main categories of database security issues
web application analysis tool - ✔A type of tool that analyzes web pages or web-based
applications and searches for common flaws such as XSS or SQL injection flaws, and
improperly set permissions, extraneous files, outdated software versions, and many
more such items
protocol issues - ✔unauthenticated flaws in network protocols, authenticated flaws in
network protocols, flaws in authentication protocols
arbitrary code execution - ✔An attack that exploits an applications vulnerability into
allowing the attacker to execute commands on a user's computer.
* arbitrary code execution in intrinsic or securable SQL elements
Privilege Escalation - ✔An attack that exploits a vulnerability in software to gain access
to resources that the user normally would be restricted from accessing.
* via SQL injection or local issues
validating user inputs - ✔a security best practice for all software
* the most effective way of mitigating SQL injection attacks
Nikto (and Wikto) - ✔A web server analysis tool that performs checks for many
common server-side vulnerabilities & creates an index of all the files and directories it
can see on the target web server (a process known as spidering)
burp suite - ✔A well-known GUI web analysis tool that offers a free and professional
version; the pro version includes advanced tools for conducting more in-depth attacks
fuzzer - ✔A type of tool that works by bombarding our applications with all manner of
data and inputs from a wide variety of sources, in the hope that we can cause the
application to fail or to perform in unexpected ways
MiniFuzz File Fuzzer - ✔A tool developed by Microsoft to find flaws in file-handling
source code
BinScope Binary Analyzer - ✔A tool developed by Microsoft to examine source code for
general good practices
SDL Regex Fuzzer - ✔A tool developed by Microsoft for testing certain pattern-
matching expressions for potential vulnerabilities
, WGU C836 FUNDAMENTALS OF INFORMATION
SECURITY EXAM
good sources of secure coding guidelines - ✔CERT, NIST 800, BSI, an organization's
internal coding guidelines
OS hardening - ✔the process of reducing the number of available avenues through
which our OS might be attacked
attack surface - ✔The total of the areas through which our operating system might be
attacked
6 main hardening categories - ✔1. Removing unnecessary software
2. Removing or turning off unessential services
3. Making alterations to common accounts
4. Applying the principle of least privilege
5. Applying software updates in a timely manner
6. Making use of logging and auditing functions
Principle of Least Privilege - ✔states we should only allow a party the absolute
minimum permission needed for it to carry out its function
stuxnet - ✔A particularly complex and impactful item of malware that targeted the
Supervisory Control and Data Acquisition (SCADA) systems that run various industrial
processes; this piece of malware raised the bar for malware from largely being a virtual-
based attack to actually being physically destructive
anti-malware tool - ✔A type of tool that uses signature matching or anomaly detection
(heuristics) to detect malware threats, either in real-time or by performing scans of files
and processes
heuristics - ✔the process of anomaly detection used by anti-malware tools to detect
malware without signatures
executable space protection - ✔A hardware and software-based technology that
prevents certain portions of the memory used by the operating system and applications
from being used to execute code
buffer overflow (overrun) - ✔The act of inputting more data than an application is
expecting from a particular input, creating the possibility of executing commands by
specifically crafting the excess data
ASLR (Address Space Layout Randomization) - ✔a security method that involves
shifting the contents of memory around to make tampering difficult
SECURITY EXAM
bounds checking - ✔to set a limit on the amount of data we expect to receive to set
aside storage for that data
*required in most programming languages
* prevents buffer overflows
race conditions - ✔A type of software development vulnerability that occurs when
multiple processes or multiple threads within a process control or share access to a
particular resource, and the correct handling of that resource depends on the proper
ordering or timing of transactions
input validation - ✔a type of attack that can occur when we fail to validate the input to
our applications or take steps to filter out unexpected or undesirable content
format string attack - ✔a type of input validation attacks in which certain print functions
within a programming language can be used to manipulate or view the internal memory
of an application
authentication attack - ✔A type of attack that can occur when we fail to use strong
authentication mechanisms for our applications
authorization attack - ✔A type of attack that can occur when we fail to use authorization
best practices for our applications
cryptographic attack - ✔A type of attack that can occur when we fail to properly design
our security mechanisms when implementing cryptographic controls in our applications
client-side attack - ✔A type of attack that takes advantage of weaknesses in the
software loaded on client machines or one that uses social engineering techniques to
trick us into going along with the attack
XSS (Cross Site Scripting) - ✔an attack carried out by placing code in the form of a
scripting language into a web page or other media that is interpreted by a client browser
XSRF (cross-site request forgery) - ✔an attack in which the attacker places a link on a
web page in such a way that it will be automatically executed to initiate a particular
activity on another web page or application where the user is currently authenticated
clickjacking - ✔An attack that takes advantage of the graphical display capabilities of
our browser to trick us into clicking on something we might not otherwise
server-side attack - ✔A type of attack on the web server that can target vulnerabilities
such as lack of input validation, improper or inadequate permissions, or extraneous files
left on the server from the development process
, WGU C836 FUNDAMENTALS OF INFORMATION
SECURITY EXAM
Protocol issues, unauthenticated access, arbitrary code execution, and privilege
escalation - ✔Name the 4 main categories of database security issues
web application analysis tool - ✔A type of tool that analyzes web pages or web-based
applications and searches for common flaws such as XSS or SQL injection flaws, and
improperly set permissions, extraneous files, outdated software versions, and many
more such items
protocol issues - ✔unauthenticated flaws in network protocols, authenticated flaws in
network protocols, flaws in authentication protocols
arbitrary code execution - ✔An attack that exploits an applications vulnerability into
allowing the attacker to execute commands on a user's computer.
* arbitrary code execution in intrinsic or securable SQL elements
Privilege Escalation - ✔An attack that exploits a vulnerability in software to gain access
to resources that the user normally would be restricted from accessing.
* via SQL injection or local issues
validating user inputs - ✔a security best practice for all software
* the most effective way of mitigating SQL injection attacks
Nikto (and Wikto) - ✔A web server analysis tool that performs checks for many
common server-side vulnerabilities & creates an index of all the files and directories it
can see on the target web server (a process known as spidering)
burp suite - ✔A well-known GUI web analysis tool that offers a free and professional
version; the pro version includes advanced tools for conducting more in-depth attacks
fuzzer - ✔A type of tool that works by bombarding our applications with all manner of
data and inputs from a wide variety of sources, in the hope that we can cause the
application to fail or to perform in unexpected ways
MiniFuzz File Fuzzer - ✔A tool developed by Microsoft to find flaws in file-handling
source code
BinScope Binary Analyzer - ✔A tool developed by Microsoft to examine source code for
general good practices
SDL Regex Fuzzer - ✔A tool developed by Microsoft for testing certain pattern-
matching expressions for potential vulnerabilities
, WGU C836 FUNDAMENTALS OF INFORMATION
SECURITY EXAM
good sources of secure coding guidelines - ✔CERT, NIST 800, BSI, an organization's
internal coding guidelines
OS hardening - ✔the process of reducing the number of available avenues through
which our OS might be attacked
attack surface - ✔The total of the areas through which our operating system might be
attacked
6 main hardening categories - ✔1. Removing unnecessary software
2. Removing or turning off unessential services
3. Making alterations to common accounts
4. Applying the principle of least privilege
5. Applying software updates in a timely manner
6. Making use of logging and auditing functions
Principle of Least Privilege - ✔states we should only allow a party the absolute
minimum permission needed for it to carry out its function
stuxnet - ✔A particularly complex and impactful item of malware that targeted the
Supervisory Control and Data Acquisition (SCADA) systems that run various industrial
processes; this piece of malware raised the bar for malware from largely being a virtual-
based attack to actually being physically destructive
anti-malware tool - ✔A type of tool that uses signature matching or anomaly detection
(heuristics) to detect malware threats, either in real-time or by performing scans of files
and processes
heuristics - ✔the process of anomaly detection used by anti-malware tools to detect
malware without signatures
executable space protection - ✔A hardware and software-based technology that
prevents certain portions of the memory used by the operating system and applications
from being used to execute code
buffer overflow (overrun) - ✔The act of inputting more data than an application is
expecting from a particular input, creating the possibility of executing commands by
specifically crafting the excess data
ASLR (Address Space Layout Randomization) - ✔a security method that involves
shifting the contents of memory around to make tampering difficult
