2. 计算机
  3. The following scenario will be used for questions 26, 27, and 28. Trent is the new manager of his company’s internal software de

The following scenario will be used for questions 26, 27, and 28. Trent is the new manager of his company’s internal software de

admin2013-12-19  65
问题 The following scenario will be used for questions 26, 27, and 28.
Trent is the new manager of his company’s internal software development department. He has been told by his management that the group needs to be compliant with the international standard that provides guidance to organizations in integrating security into the processes used for managing their applications. His new boss told him that he should join and get familiar with the Web Application Security Consortium, and Trent just received an e-mail stating that one of the company’s currently deployed applications has a zero day vulnerability.
Which of the following best describes the type of vulnerability mentioned in this scenario?
选项 A、Dynamic vulnerability that is polymorphic
B、Static vulnerability that is exploited by server-side injection parameters
C、Vulnerability that does not currently have an associated solution
D、Database vulnerability that directly affects concurrency
答案C
解析 C正确。零日漏洞指的是目前还没有解决方法的漏洞。如果某个漏洞被识别,并且没有预先建立好的修复程序(补丁、配置、更新),它就可以被看成零口漏洞。零日攻击指的是一种利用系统中先前不知道的漏洞的攻击,这意味着攻击发生的时间位于它被确认和解决方案准备好之间——即在此漏洞被发现之前。它给受害者留下零日作出反应和为漏洞打上补丁。
A不正确。因为零日漏洞是受害者和可能的受害者目前不能通过现存解决方案弥补的任何类型的漏洞。零口漏洞与动态多态漏洞一样,本身没什么特殊之处,它只是包含这种类型的漏洞和其他漏洞的一个通用类。多态攻击仅仅意味着它会改变自身,从而达到防止被检测到的目的。
B不正确。因为零日漏洞是受害者和可能的受害者目前不能通过现存的解决方案弥补的任何类型的漏洞。零日漏洞本质上并不像服务器端的注入一样是特定的,它只是一个包含这种漏洞和其他漏洞的一个通用类。服务器端包含(Server-Side Include,SSI)注入攻击允许通过在HTML页面中注入代码或远程执行任意代码来利用Web应用程序。
D不正确。因为数据库内的并发专门针对的是同时执行若干个事务。如果某个漏洞直接影响了数据库中事务的成功执行,那么就说明存在一个负面影响数据库软件所存储和处理的数据的完整性的风险。这与零日漏洞没有任何关系。
转载请注明原文地址:https://kaotiyun.com/show/vNhZ777K
0

CISSP认证

相关试题推荐
随机试题
最新回复(0)