WGU Updated Secure-Software-Design Exam Questions and Answers by stella

To combat identity spoofing threats, a mitigation technique that is often used is requiring user authorization. This involves implementing strong authentication methods to verify the identity of users before granting access to sensitive information or systems. Techniques such as two-factor authentication (2FA) or multi-factor authentication (MFA) are effective in reducing the risk of unauthorized access, as they require users to provide multiple pieces of evidence to confirm their identity, making it much harder for attackers to spoof an identity successfully.

References:

Best practices for preventing spoofing attacks, including the use of antivirus and firewall tools, and the importance of strong authentication methods like 2FA and MFA1.

The National Security Agency’s guidance on identity theft threats and mitigations, emphasizing the need for personal protection and strong authentication measures2.

Discussion on the effectiveness of strong authentication methods in protecting against spoofing attacks3.

The role of comprehensive identity verification and authentication strategies in preventing AI-enhanced identity fraud4.

An intercept proxy, also known as a proxy server, sits between a web client (such as a browser) and an external server to filter, monitor, or manipulate the requests and responses passing through it. This can be used for legitimate purposes, such as security testing and user privacy, but it can also be exploited by attackers to alter web traffic in a way that the developer did not intend, potentially leading to security vulnerabilities.

References:

Understanding of HTTP and HTTPS protocols12.

Definition and role of proxy servers3.

ASF Authentication Threats: The Web Application Security Frame (ASF) authentication category encompasses threats related to how users and systems prove their identity to the application. This includes issues like weak passwords, compromised credentials, and inadequate access controls.

Role-Based Access Control (RBAC): RBAC is a well-established security principle that aligns closely with addressing authentication threats. It involves assigning users to roles and granting those roles specific permissions based on the principle of least privilege. This limits the attack surface and reduces the impact of a compromised user account.

Let's analyze the other options:

B. Credentials and tokens are encrypted: While vital for security, encryption primarily protects data at rest or in transit. It doesn't directly address authentication risks like brute-force attacks or weak password management.

C. Cookies have expiration timestamps: Expiring cookies are a good practice, but their primary benefit is session management rather than directly mitigating authentication-specific threats.

D. Sensitive information is scrubbed from error messages: While essential for preventing information leakage, this practice doesn't address the core threats within the ASF authentication category.

References:

NIST Special Publication 800-53 Revision 4, Access Control (AC) Family: (https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final ) Details the importance of RBAC as a cornerstone of access control.

The Web Application Security Frame (ASF): (https://patents.google.com/patent/US7818788B2/en ) Outlines the ASF categories, with authentication being one of the primary areas.