In the above files, sct question bank.docx is the question bank; from that question bank answer all the questions of unit 1. I have 20 min time to complete the first lesson, so give the answers as easy and simple as possible, and also each question carries 10 marks, so give the answers according to it and highlight the side headings. Don't give the answers too shortly, and make them easy and simple and also easy to remember and understand.
Here are clear, easy-to-understand, and well-structured answers for all UNIT 1 questions from the provided question bank. Each answer is designed to be concise, memorable, and well-suited for a 10-mark response.
1. Different Types of Networks
Types of Networks:
PAN (Personal Area Network): Connects devices near one person, like mobiles, tablets, or wireless peripherals. Used for syncing devices or sharing files at home. [1]
LAN (Local Area Network): Connects computers in a limited area like an office or school. Used for sharing resources (files, printers) locally. Faster and more secure within the area. [1]
MAN (Metropolitan Area Network): Spans a whole city or campus, linking several LANs. Used by companies or institutions across a region. [1]
WAN (Wide Area Network): Covers wide geographic areas, connecting multiple MANs/LANs, often via the internet. Used for global business operations. [1]
Comparison Table: [1]
| Type | Range | Devices | Speed | Usage |
|------|-------|---------|-------|-------|
| PAN | 10 m | Personal devices | Medium | Home, individual |
| LAN | Building | Computers, printers | High | Office, campus |
| MAN | City | LANs, routers | Medium | Colleges, city offices |
| WAN | Global | Networks | Varies | Internet, global firms |
2. Network Components and Their Functions
Key Network Components:
Network Interface Card (NIC): Connects a computer to the network physically or wirelessly, handling data exchange. [1]
Hub: Links multiple devices and repeats incoming signals to all ports, but can be inefficient. [1]
Switch: Forwards data only to the intended device port, preserves bandwidth and improves performance. [1]
Router: Directs data between different networks, manages traffic and addresses. [1]
Repeater: Amplifies and regenerates signals over longer distances. [1]
Server: Central device storing shared files and resources. [1]
Bridge: Connects and filters traffic between two networks. [1]
Modem: Converts signals to connect to the internet. [1]
3. Network Communication Types with Examples
Communication Types:
Simplex: Data flows in one direction only. Example: Keyboard to computer monitor. [1]
Half-Duplex: Data flows both ways, but not at the same time. Example: Walkie-talkies. [1]
Full-Duplex: Data flows both ways simultaneously. Example: Telephone call. [1]
Summary Table: [1]
| Type | Direction | Example |
|------|-----------|---------|
| Simplex | One-way | Keyboard to monitor |
| Half-Duplex | Two-way (alternate) | Walkie-talkie |
| Full-Duplex | Two-way (simultaneous) | Telephone |
4. OSI and TCP/IP Model Relevance to Cybersecurity
OSI Model:
7 layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) separate how data travels for security and troubleshooting. [1]
TCP/IP Model:
4 layers (Network Interface, Internet, Transport, Application). Used for practical network communication. [1]
Relevance:
Both help identify where security should be applied (e.g., encrypting data at the Transport layer or controlling access at the Application layer). [1]
They make it easier to spot network vulnerabilities and implement security controls.
5. Primary Cybersecurity Objectives and Services
Objectives (CIA Triad):
Confidentiality: Only authorized users access sensitive information. [1]
Integrity: Information remains accurate and unchanged. [1]
Availability: Data is accessible when needed by authorized users. [1]
Services:
Authentication: Confirm user identities.
Access Control: Restrict resource usage.
Non-repudiation: Prevent denial of actions.
Encryption: Protect data during transfer.
Logging & Monitoring: Detect and respond to incidents. [1]
6. Types of Cyber Attacks With Real-World Examples
Passive Attacks:
Snooping: Unauthorized reading of data (e.g., reading unencrypted emails). [1]
Traffic Analysis: Monitoring who talks to whom (e.g., patterns in message sending).
Active Attacks:
Modification: Changing transaction data (e.g., altering money transfer instructions). [1]
Masquerading: Impersonating another user (e.g., phishing scams).
Denial of Service (DoS): Flooding a website to crash it (recent hospital ransomware). [1]
7. Two Recent Cyber Attacks: Cause and Impact
Hot Topic Attack (Aug 2023):
Cause: Attackers used stolen credentials for automated logins.
Impact: Customers at risk of data theft; need for better password security. [1]
Prospect Medical Holdings Ransomware (Aug 2023):
Cause: Ransomware infection forced facilities offline.
Impact: Hospitals reverted to manual processes; care and records disrupted. [1]
8. Myths Around Cybersecurity Debunked
Myth 1: Only big businesses get attacked.
Truth: Small businesses are frequent targets; size doesn't protect anyone. [1]
Myth 2: Antivirus alone is enough.
Truth: Many threats (phishing, ransomware) bypass antivirus; holistic security is needed. [1]
Myth 3: Never attacked means always safe.
Truth: Threats change constantly; new attacks happen every day. Preventive security is vital. [1]
9. Categorize Cyber Attacks by Intent and Method
Attack by Intent:
Data theft (Confidentiality): E.g., phishing, malware to steal info. [1]
System disruption (Availability): E.g., ransomware, DoS. [1]
Data tampering (Integrity): E.g., modification, spoofing.
Attack by Method:
Web-based attacks: SQL Injection, XSS, session hijacking.
System-based attacks: Virus, worms, trojans, backdoors. [1]
10. Layered Security Strategy for a Small Business Network
Steps for Strategy:
Physical Security: Lock rooms and devices.
Network Security: Use firewalls, secure WiFi, update router firmware. [1]
Endpoint Security: Install antivirus and keep devices patched.
Access Control: Use strong passwords, limit admin privileges.
Data Protection: Regular backups and encryption. [1]
Awareness: Train staff to spot scams and phishing.
Monitoring: Log access and watch for unusual activity.
All sections are crafted to be as simple and memorable as possible, with clear examples and concise explanations suitable for quick study and effective exam writing. [1]
⁂
Now give the same kind of answers for the unit 2 questions.
Here are easy, simple, and exam-oriented answers for all UNIT 2 questions from the question bank, structured with highlighted side headings and focused explanations for each (10 marks each):
1. A1 Injection Vulnerabilities: Risks, Causes, and Mitigation
What is Injection?
Injection occurs when an attacker sends malicious data, like SQL commands, into an application to trick it into doing something harmful, such as leaking or altering data. [6]
Risks:
Data theft or manipulation
Unauthorized access to information
Full system compromise
Root Causes:
Lack of input validation
Directly using user input in database queries
Weak or missing security controls
Mitigation Strategies:
Always validate and sanitize all user inputs
Use parameterized queries or prepared statements in the database
Avoid using dynamic queries that mix user input with code
Minimize application privileges (least privilege principle)
Regularly update software and perform security testing
Use Web Application Firewalls (WAF) for extra protection
Examples:
SQL Injection: " OR '1'='1';--
OS/Command Injection: ; rm -rf /*
2. Compare A2 Broken Authentication with A5 Broken Access Control
Broken Authentication (A2):
Occurs when attackers can steal or bypass login details, letting them log in as a user or admin. [6]
Causes: Weak passwords, session IDs in URLs, poor session handling
Risks: Account takeover, data breaches
Mitigations: Strong passwords, multi-factor authentication, secure session tokens, limit login attempts
Broken Access Control (A5):
Occurs when users can access parts of a system they shouldn’t, like an ordinary user viewing admin data. [6]
Causes: Missing or weak permission checks, exposing sensitive URLs
Risks: Data leakage, privilege escalation
Mitigations: Always check user roles before actions, use role-based controls, protect hidden URLs/resources
Comparison Table:
| Aspect | Broken Authentication | Broken Access Control |
|--------|-----------------------|-----------------------|
| Main Problem | Logging in as others | Doing unauthorized actions |
| Example | Bypassing login | Accessing admin panel |
| Fix | Strong auth, secure sessions | Authorization checks |
3. How XSS Attacks Work and Their Prevention
What is XSS?
Cross-Site Scripting (XSS) lets attackers inject harmful scripts (usually JavaScript) into web pages viewed by others. [6]
How XSS Attacks Work:
Attacker finds an input field (like a comment box) that doesn’t filter code
Injects a script tag (e.g., <script>alert('hack');</script>)
When another user loads the page, their browser runs the attacker’s script
Can steal cookies, perform actions as the victim, redirect users
Types:
Stored XSS: Malware saved in the database and sent to every user
Reflected XSS: Payload sent via a URL link
DOM-based XSS: Script manipulates the loaded web page
Prevention:
Validate and sanitize all user input
Encode data before displaying it in HTML, JS, CSS
Use security libraries/frameworks that auto-escape output
Implement Content Security Policy (CSP) to limit allowed scripts
4. Sensitive Data Exposure and Mitigation Strategies
What is Sensitive Data Exposure?
Sensitive data exposure happens when private info (like passwords, credit cards) is not properly protected and gets out. [6]
How It Happens:
Data stored in plain text
Weak encryption methods
Sending sensitive data over insecure channels (HTTP instead of HTTPS)
Impacts:
Data theft
Identity fraud or financial loss
Reputation damage
Mitigation:
Encrypt sensitive data both when stored and when sent
Never store passwords in plain text. Use strong hashes
Only use secure channels (HTTPS/TLS) for data transfer
Restrict access to data (use permissions and audit logs)
5. Summarize XML External Entity (XXE) Vulnerability with Example
What is XXE?
XML External Entity (XXE) happens when apps process XML input insecurely, letting attackers access files or internal systems. [6]
How XXE Works:
Attackers create XML data referencing external files/entities
Application’s XML parser opens the file, exposing its content
Example: Sending XML with <!ENTITY xxe SYSTEM "[Link]
The app exposes contents of files like passwords
Mitigation:
Disable external entity processing in XML parsers
Use safe XML libraries
Validate and sanitize XML input
Keep XML parsers updated
6. Analyze A6 Security Misconfiguration in Web Applications
What is Security Misconfiguration?
It means systems/apps aren’t set up securely—for example, using default passwords, exposing sensitive error messages, or running unnecessary services. [6]
Risks:
Unauthorized access
Data leaks
Complete takeover of the server
Examples:
Leaving admin pages open
Showing detailed error messages
Not patching software
Mitigation:
Change defaults immediately
Remove unused services/plugins
Regularly patch and update all components
Review settings often and follow security best practices
Use principle of least privilege (give only needed permissions)
7. CSRF Attacks and Prevention Techniques With Real Examples
What is CSRF? (Cross Site Request Forgery)
An attacker tricks a user into unknowingly performing actions (like transferring money) while logged in, by submitting requests as the user. [6]
How CSRF Works:
User logs into a site (like a bank)
Attacker sends user a malicious link or form on another site
When user clicks, browser sends request with user’s credentials to original site
Example: Hidden form on blog that submits a bank transfer
Prevention Techniques:
Use CSRF tokens: Unique values in each form/request
Check the Origin and Referer headers
Require re-authentication for critical actions
Don’t allow GET requests to change data
8. Dangers of Using Components With Known Vulnerabilities
Why is this Dangerous?
If an app uses old or vulnerable software libraries, attackers can exploit these known weaknesses easily. [6]
Risks:
Hackers gain control through bugs that are public knowledge
Unauthorized access, data loss, system compromise
Best Practices:
Update all libraries regularly
Use only trusted sources for code
Check for and monitor vulnerabilities using security tools
Remove unused dependencies
9. Role of Secure Design Principles in Modern Software Development
Why Use Secure Design Principles?
Secure design helps prevent vulnerabilities before writing code, making apps safer from the start. [6]
Key Principles:
Defense in Depth: Use layers of security (not just one)
Least Privilege: Give minimal rights needed
Secure Defaults: Start with the safest settings
Fail Securely: Block access if there's a problem
Separation of Duties: Split responsibilities
Regularly review and test security even after release
10. Secure Application Plan Using Threat Modeling and Microsoft SDL
Threat Modeling:
Identify important assets (data, users, systems)
List possible threats (e.g., data theft, user impersonation)
Analyze risks: How likely/easy, and what’s the possible damage
Prioritize which risks get fixed first
Create countermeasures (encrypt, restrict access, monitoring) [6]
Microsoft SDL (Secure Development Lifecycle):
A set of steps for integrating security into software development
Includes requirements, threat modeling, secure design, code analysis, testing, and response plans [6]
Use automated tools to scan code for vulnerabilities
Train developers regularly on security best practices
Outcome:
Build secure, reliable, and trustworthy applications
Reduce risk of breaches, easier compliance, happier users
All points are kept easy, focused, and exam-friendly for maximum exam marks. [6]
⁂
Now give the same kind of answers for unit 3.
Here are well-structured, concise, and exam-friendly answers for all Unit 3 questions from the question bank, covering each topic with clear examples and key points:
1. Define Declarative and Programmatic Security. How Do They Differ?
Declarative Security:
Defined by specifying security policies using high-level, configuration-based statements like role assignments or access rules, without writing explicit code. Examples: XML config files, annotations like @RolesAllowed in Java EE. [11]
Programmatic Security:
Security enforcement directly coded into the application logic. Examples include coding authentication checks, input validation, or authorization inside methods.
Difference:
Declarative is easier to maintain and separates security from business logic.
Programmatic requires custom coding and provides fine-grained control.
2. Explain the Importance of Input Validation and Sanitization
Input validation ensures that only properly formatted, expected inputs are accepted, protecting against attacks like SQL injection and cross-site scripting (XSS). Sanitization removes or encodes malicious characters from inputs. [12]
Importance:
Protects from injection attacks.
Helps enforce data integrity.
Prevents malicious data from entering the system.
Good practices include whitelisting allowed inputs, length checks, regex validation, and encoding output.
3. Demonstrate Logging and Auditing in a Secure Web Application
Logging: Captures security-relevant events like login attempts, authorization failures, and data changes.
Auditing: Analyzes logs to detect suspicious activity and ensure compliance.
Secure Practices:
Avoid logging sensitive data (passwords, tokens).
Use consistent, structured logging formats.
Protect log integrity with access controls.
Monitor in real-time and alert on anomalies. [12]
Example: Logging login success/failure with timestamps and user IDs.
4. Discuss How Cryptography Ensures Data Confidentiality and Integrity
Confidentiality: Encryption algorithms like AES transform data into unreadable form for unauthorized users. Only holders of keys can decrypt.
Integrity: Hash functions and digital signatures ensure data is unaltered. Receiving parties verify hashes or signatures.
Best practices:
Use strong, tested algorithms (AES, RSA, SHA-256).
Store keys securely and rotate periodically.
Use protocols like TLS for data in transit. [12]
5. Illustrate Error Handling Best Practices with Examples
Best Practices:
Avoid detailed error messages that reveal internals (e.g., SQL errors).
Show generic user-friendly messages (e.g., "Invalid input").
Log detailed errors internally securely.
Differentiate errors (authentication errors shouldn't say which part failed).
Ensure system fails securely and remains stable.
Example:
```python
import logging

try:
    process()
except Exception as e:
    # Full details go to the internal log only, never to the user
    logging.error("Processing failed", exc_info=e)
    # The user sees a generic message that reveals nothing about internals
    return "An error occurred. Please try again."
```
6. Compare Static vs Dynamic Testing in Secure Coding
Static Testing: Analyzes source code without execution. Finds vulnerabilities like input validation flaws, insecure coding patterns. Examples: Code review, static analysis tools.
Dynamic Testing: Tests running application to find run-time bugs, logic flaws, and behavior under attack. Examples: Penetration testing, fuzzing.
Comparison: Static is faster and early-stage, but Dynamic mimics real attack scenarios and finds environmental issues. [12]
7. Evaluate the Effectiveness of Penetration Testing in the SDLC
Penetration Testing: Simulates attacks on the application to uncover vulnerabilities before deployment.
Effectiveness:
Identifies weaknesses missed by static analysis.
Provides real-world risk assessment.
Helps improve security posture and compliance.
Drawbacks: Costly, and less effective when done late; should be combined with other measures early in the SDLC. [12]
8. Design a Secure Session Management Mechanism for a Web App
Secure Session Management Includes:
Use secure, random session tokens (e.g., cryptographically strong RNG).
Transmit session cookies over HTTPS with Secure and HttpOnly flags.
Set reasonable session timeouts and logout after inactivity.
Regenerate session ID after login to prevent fixation.
Store minimal necessary data in sessions. [12]
9. Analyze Memory Management Issues in Unsafe Languages
Issues in Languages like C/C++:
Buffer overflows due to lack of bounds checking.
Use-after-free or dangling pointers causing info leaks or crashes.
Memory leaks degrading performance.
Mitigations:
Implement bounds checking and safe libraries.
Use smart pointers and automatic memory management where possible.
Regular static and dynamic analysis to detect leaks and vulnerabilities. [12]
10. Propose a Secure Coding Checklist for Enterprise Applications
Enforce input validation & output encoding.
Use authentication & authorization best practices.
Keep software and dependencies up-to-date.
Use encryption for sensitive data at rest and in transit.
Protect error messages and handle exceptions securely.
Implement logging and enable real-time monitoring.
Conduct regular code reviews and security tests.
Manage secrets securely (no hardcoding).
Implement session management securely.
Follow principle of least privilege throughout the app. [12]
All these answers draw from the detailed lecture notes and best practices in the attached documents [attached_file:4, attached_file:3, attached_file:2]. They offer clear and exam-oriented responses to grasp each topic effectively.
⁂
1. [Link]
2. [Link]
3. [Link]
4. [Link]
5. [Link]
6. [Link]
7. [Link]
8. [Link]
9. [Link]
10. [Link]
11. [Link]
12. [Link]
13. [Link]
14. [Link]
15. [Link]