CISSP · Question #1379
Prohibiting which of the following techniques is MOST helpful in preventing users from obtaining confidential data by using statistical queries?
The correct answer is A. Sequences of queries that refer repeatedly to the same population. This question tests knowledge of statistical database inference attacks, where users exploit repeated queries against the same small population to deduce individual confidential records.
Question
Prohibiting which of the following techniques is MOST helpful in preventing users from obtaining confidential data by using statistical queries?
Options
- ASequences of queries that refer repeatedly to the same population
- BRepeated queries that access multiple databases
- CSelecting all records from a table and displaying all columns
- DRunning queries that access sensitive data
How the community answered
(49 responses)- A69% (34)
- B8% (4)
- C18% (9)
- D4% (2)
Why each option
This question tests knowledge of statistical database inference attacks, where users exploit repeated queries against the same small population to deduce individual confidential records.
Sequences of queries repeatedly targeting the same small population enable an inference attack: by running slightly varied statistical queries (e.g., SUM, COUNT, AVG) against an overlapping subset, an attacker can mathematically isolate and deduce individual confidential values. Prohibiting such sequences - a technique known as query set size control or query overlap restriction - directly mitigates this statistical inference threat by preventing the attacker from narrowing results to a single record.
Accessing multiple databases in repeated queries describes a distributed query pattern, not a statistical inference technique; it does not specifically enable deduction of individual records through aggregate statistics.
Selecting all records and displaying all columns is a direct data exposure issue (a SELECT * violation), not a statistical query inference attack, and is addressed by access controls and column-level permissions rather than query restriction policies.
Running queries that access sensitive data is a broad activity that normal authorized users must perform; restricting it entirely would prevent legitimate use and does not specifically address the statistical aggregation technique used in inference attacks.
Concept tested: Statistical database inference attack prevention via query restriction
Source: https://csrc.nist.gov/glossary/term/inference_attack
Topics
Community Discussion
No community discussion yet for this question.