CSSLP Flashcards
Cert
Confidentiality is used to
a) protect information from destruction
b) protect information from disclosure
c) protect information from modification
d) all of the above
b) protect information from disclosure
Integrity is used to
a) protect information from destruction
b) protect information from disclosure
c) protect information from modification
d) both a and c
d) both a and c
Integrity can be ensured by
a) redundancy
b) failover
c) clusters
d) none of the above
d) none of the above
Availability can be ensured by
a) encryption
b) revocation
c) clusters
d) hashing
c) clusters
Failover is applied
a) automatically
b) manually
c) never
d) none of the above
a) automatically
Separation of duties
a) breaks work into manageable parts
b) improves quality control
c) requires multiple parties
d) reduces the work week
c) requires multiple parties
An audit is
a) a single point in time event
b) a continuous event
c) a subset of monitoring
d) an accounting task
a) a single point in time event
The KISS principle is demonstrated by
a) nonrepudiation
b) least privilege
c) defense in depth
d) economy of mechanism
d) economy of mechanism
Secure configuration management (CM) is most useful for
a) organizing meetings
b) reviewing documentation
c) preventing integrity breaches
d) secure data repositories
c) Configuration management ensures against the unauthorized modification or destruction of data items
Which is not a secure configuration management and version control (CM/VC) process?
a) Planning
b) Identifying file security
c) Controlling configuration changes
d) Monitoring
b) CM/VC plans, identifies, controls and monitors changes to configuration items; it does not itself implement file security
Which methodology uses a security best practices approach whereby the best practices are mapped to each phase of a generic software development lifecycle (SDLC)?
a) Microsoft SDL
b) S-Scrum
c) CLASP
d) SALSA
c) CLASP is designed to insert security into SDLC phases, regardless of methodology
A disadvantage of agile methods is that
a) they map all requirements to a generic SDLC
b) they require fast computers for execution of the code
c) they do not work with older code
d) they do not allow sufficient time for detailed security planning or analysis
d) Agile is based on identifying just enough requirements for the next sprint, and executing those quickly
What is the difference between standards and frameworks?
a) Standards are accepted as best practices, whereas frameworks are practices that are generally employed
b) Standards are locality specific, whereas frameworks are international
c) Standards are specific while frameworks are general
d) Both A and C
d) both A and C
Attack surface analysis will
a) identify what functions and what parts of the system you need to review/test for security vulnerabilities
b) identify high-risk areas of code that require defense in depth protection - what parts of the system that you need to defend
c) identify when you have changed the attack surface and need to do some kind of threat assessment
d) do all of the above
d) do all of the above
End-of-life policies apply when
a) users are retiring from the organization
b) users are transitioning to a newer platform
c) users need to update their policies and procedures
d) none of the above happens
b) users are transitioning to a newer platform
Which is not a risk management strategy?
a) Mitigate
b) Accept
c) Transfer
d) Amend
d) Amend
Which of the following regulations include provisions to protect consumers’ personal financial information held by financial institutions?
a) Sarbanes-Oxley Act (SOX)
b) Payment Card Industry Data Security Standard (PCI-DSS)
c) Gramm-Leach-Bliley Act (GLBA)
d) Electronic Fund Transfer Act, Regulation E (EFTA)
c) GLBA deals with privacy requirements for financial information
Which type of requirement is used to describe long-term goals?
a) Cosmic
b) Mission
c) Business
d) Technical
b) Mission requirements describe long term goals, business requirements describe mid-term goals, technical requirements describe short term goals
Which of the following is not a classification criterion for data?
a) usefulness of data
b) value of data
c) age of data
d) format of data
d) Classification deals with labeling data according to sensitivity; data format does not affect this
Which of the following is not a mandatory document?
a) Standards
b) Baselines
c) Procedures
d) Guidelines
d) Guidelines are optional. Standards, baselines and procedures are mandatory
Which of the following is an anonymization approach for relational data?
a) Socialization
b) Perturbation
c) Derivation
d) Elicitation
b) There are 4 approaches to data anonymization; Generalization, Perturbation, Replacement and Suppression
Which of the following are used in the development of abuse cases?
a) Case Reports
b) Use Cases
c) Risk Results
d) Complaints
b) Abuse cases can be developed from the inverse of use cases
The requirements for a software security standard are comprised of which two subsets to enhance system protection and reduce the risk to the system?
a) Operational System and Organization
b) Operational System and Environment
c) Operational System and Development Process
d) none of the above
a) The two subsets are operational system and organization requirements, and development process and environment requirements; options b and c each mix one item from each subset, so they are not valid pairings
Why is this not all of the above?
Which testing process is most commonly performed at the end of the SDLC?
a) Source Code Static Security Analysis
b) Binary Code Security Scanning
c) Byte Code Security Analysis
d) Source Code Security Fault Injection
c) Byte code security analysis can be performed in tandem with source code analysis at the end of the SDLC to improve overall accuracy of results
Which principle states that a system should have simple, well-defined interfaces and functions?
a) Clear Abstractions
b) Least Common Mechanism
c) Modularity and Layering
d) Partially Ordered Dependencies
a) An abstraction is a technique for arranging complexity of computer systems; clear abstractions are those with simple, well-defined interfaces
Which principle states that the system design should be as simple and small as possible?
a) Efficiently Mediated Access
b) Minimized Sharing
c) Reduced Complexity
d) Secure Evolvability
c) Reduced Complexity means the design should be as simple and small as possible
Which principle states that each component should be allocated sufficient privileges to accomplish its specified functions, but no more?
a) Inverse Modification Threshold
b) Hierarchical Protection
c) Minimized Security Elements
d) Least Privilege
d) Least privilege: each component is allocated only the privileges it needs to accomplish its specified functions, and no more; security elements should enforce principles such as least privilege and separation of duties
Which of the following is an advantage of using an SRTM?
a) It confirms 100 percent test coverage
b) It highlights any security flaws
c) It focuses only on business requirements
d) It replaces the need for analysis by the QA team
a) By tracing each business requirement to a technical requirement and on to a test case, the SRTM provides assurance of 100% test coverage
Which of the following defines an entity that denies having performed an action?
a) Tampering
b) Repudiation
c) Information Disclosure
d) Denial of Service
b) Non-repudiation is tied to accountability and means an actor cannot deny performing an action
Which of the following potential mitigations is used if you want to leave the threat unmitigated?
a) Warn the User (W)
b) Disable the Feature (D)
c) Remove the Feature (R)
d) Technological Solution (T)
a) There are 4 potential mitigations; warn the user (which leaves the threat unmitigated), disable the feature (making it an optional application function), remove the feature (get rid of it), technological solution (use technological solutions to mitigate the threat)
With which of the following does attack surface analysis help? (Select all that apply)
a) Identify what functions and what parts of the system you need to review/test for security vulnerabilities
b) Identify high-risk areas of code that require defense in depth protection and what parts of the system you need to defend
c) Identify what parts of the system need to be removed or turned off
d) Identify when you have changed the attack surface and need to perform a threat assessment
A, B and D - Attack surface analysis is an assessment of the total number of exploitable vulnerabilities in a system or network or other potential computer attack targets. So A, B and D all apply.
Which of the following represent the steps in the attack surface analysis process? (Select all that apply)
a) Defining the attack surface of an application
b) Listing the components of the attack surface
c) Measuring and assessing the attack surface
d) Managing the attack surface
A, B and C - The attack surface analysis process steps are: Define the attack surface of an application, Identify and map the attack surface, Measure and assess the attack surface
https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet
Which type of control is intended to limit the extent of any damage caused by an incident?
a) Limitation Controls
b) Preventive Controls
c) Detective Controls
d) Corrective Controls
d) Corrective controls restore the system or process back to the state prior to a harmful event. As such, they contain the damage and prevent further spread of the incident
What is the definition of a Rich Internet Application (RIA)?
a) An expensive software based control implemented via a web service
b) A desktop application ported to a web server and run via a portal
c) A web application that has many of the characteristics of desktop application software
d) An internet application that can be used to create income using web services
c) A Rich Internet Application is a Web application that has many of the characteristics of desktop application software, and is typically delivered via a browser plug-in, an independent sandbox, JavaScript, or a virtual machine
What is a multitenant cloud infrastructure where the cloud is shared by several IT organizations known as?
a) Shared Cloud
b) Organizational Cloud
c) Community Cloud
d) None of the above
c) A community cloud is a cloud computing solution provided to a specific computing community, and that is governed, managed and secured commonly by that participating community
What must you be able to do when performing a design security review?
a) Attach performance metrics to the review process
b) Decompose your application and be able to identify key items
c) Highlight all security controls used in the system
d) Use standardized graphics to document the data flow
b) Decomposing the application allows for a more detailed understanding of its mechanics, which makes it easier to uncover more relevant and more detailed threats
What is the difference between provenance and pedigree?
a) Provenance is a place or source of origin, Pedigree is a chart, list or record of origin
b) Pedigree is systematically recorded while Provenance is left to chance
c) Provenance and Pedigree refer to the same concept
d) Pedigree is place or source of origin while Provenance is a chart, list or record of origin
a) The difference between Provenance and Pedigree is that Provenance is the place or source of origin; Pedigree is a chart, list or record of origin. The Pedigree is the basis for creating software supply chain paths
Which of the following environment types include techniques that let users directly manipulate the structures?
a) Language-oriented Environments
b) Structure-oriented Environments
c) Toolkit Environments
d) Method-Based Environments
b) Language-oriented environments are developed around one language, thereby offering a tool set suitable for that particular language. They are very interactive and provide restricted support for programming-in-the-large. Structure-oriented environments include techniques that let users directly manipulate the structures. These techniques are language independent, which triggered the concept of generators for environments. Toolkit environments offer a set of tools that incorporate language independent support for programming-in-the-large tasks such as version control and configuration management. Method-based environments include support for a wide variety of routines involved in the software development process. This includes tasks such as team and project management. These environments also feature tools for certain specification and design techniques.
An agreement for all customers using the services being delivered by the service provider is an example of which of the following?
a) Customer Based SLA
b) Service Based SLA
c) Multilevel SLA
d) Customer Level SLA
b) A service-based SLA covers one service for all of the customers who consume it (a customer-based SLA covers all services for one customer; a multilevel SLA layers corporate, customer and service levels). A service level agreement (SLA) is an agreement between two or more parties where one is the customer and the others are service providers. This can be a formal (legally binding) or an informal (for example, internal department relationships) “contract”. The agreement may involve separate organizations or different teams within one organization
Which of the following is included in the terms and conditions of the GNU General Public License (GNU GPL)?
a) The license must be made available to anybody
b) Any licensee who adheres to the terms and conditions is given permission to modify the work
c) Free software should place restrictions on commercial use
d) A distributor may impose further restrictions on the rights granted by the GPL
b) The GNU General Public License (GNU GPL) is a freely available, copyleft license: a license that allows end users to execute, modify, and share the software to which the license applies, and which means that any software created or modified under that license must be distributed under the same license terms. The license allows for redistribution, either for a fee or free of charge, but a distributor cannot impose any constraints beyond those already enforced by the parent GPL license, such as a nondisclosure agreement or contract. The only restriction on reuse of the GPL license text itself is that a modified version of the license must be published under a different name.
Which of the following is the most important use of input validation?
a) It ensures that input is readable
b) It can be used to design elegant interfaces
c) It ensures all of the required fields have been filled out and conform to your formats and business rules
d) It is the most effective way to stop the execution of common attacks
d) Many other kinds of vulnerability are also removed by input validation. If one practice could eliminate a large share of security vulnerabilities, including those that lead to execution of attacker-supplied code, it would be input validation.
In terms of output encoding, an XSL engine is used to do which of the following?
a) Load documents into memory
b) Convert text to XLS format
c) Convert the output to a different encoding
d) Perform the execution of the XSL commands
c) One way of performing output encoding is to use an Extensible Stylesheet Language (XSL) engine, which can convert the output to a different encoding.
In terms of malware, what is the definition of a worm?
a) A fragment of code that attaches itself to other executable computer instructions
b) A virus that is able to infect both boot sectors and program files
c) A stand-alone file that can be executed by an interpreter
d) A program that self-propagates from one computer to another over a network
d) A worm is a program that self-propagates from one computer to another over a network, using the resources on one machine to attack other machines. Worms differ from viruses in that they do not need input from users; worms are independently capable of transferring between computers.
What is the most important aspect of code signing?
a) Ensuring the code is in the correct format for the signing process
b) Ensuring the correct public keys are available to sign the code
c) Ensuring the integrity of the system relies on publishers securing their private keys against unauthorized access
d) Ensuring the hashing algorithm can perform both encryption and decryption
c) Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee the code has not been altered or corrupted since it was signed. The process employs a cryptographic hash, signed with the publisher's private key, to validate authenticity and integrity. Because anyone holding that private key can produce signatures that verify as the publisher's, the integrity of the whole scheme rests on the publisher keeping the key secure against unauthorized access.
What is software security testing mainly used to test against?
a) Software Security Enhancements
b) Functional Requirements
c) Nonfunctional Requirements
d) Attacker Heuristics
c) Nonfunctional refers to aspects of the software that may not be related to a specific function or user action such as scalability or security
Which of the following is the correct sequence of execution for penetration testing?
a) Reconnaissance, Scanning, Attack, Vulnerability Mapping, and Reporting
b) Planning, Discovery, Vulnerability Mapping, Penetration, and Reporting
c) Planning, Discovery, Vulnerability Mapping, Attack, and Reporting
d) Planning, Vulnerability Mapping, Scanning, Attack, and Reporting
c) Penetration testing is often executed in 5 phases: Planning, Discovery, Vulnerability Mapping, Attack and Reporting
Which of the following is the correct description for stress testing of software testing?
a) Large amounts of data
b) Large amounts of users
c) Too much data and too many users
d) Too many users, too much data and too little time and too little room
d) The difference between volume, load and stress testing is as follows: Volume testing uses large amounts of data, load testing uses a large amount of users, while stress testing uses too many users and too much data with too little time and too little room
What is the main difference between test harness / unit test framework tools and test execution tools?
a) Test harness tools need to be constrained during use
b) There is no capture / playback facility in unit test tools, and they tend to be used at a lower level
c) Test execution tools only run on compiled code
d) None of the above
b) Test execution tools are also known as capture/playback (capture/replay) tools; they need a scripting language to create and modify the scripts that the tool runs. Unit test frameworks have no capture/playback facility and operate at a lower level, against individual units of code.
Which of the following is an object that is verified when presented to the verifier in an authentication transaction?
a) Credential
b) Secret Key
c) Authenticator
d) Certificate
a) A credential is an object that is verified when presented to the verifier in an authentication transaction. Credentials may be bound in some way to the individual to whom they were issued, or they may be bearer credentials. The former are necessary for identification, while the latter may be acceptable for some forms of authentication.
Why does security checking need to continue during distribution/deployment and after software has been tested?
a) The tester’s job is never done
b) The code needs a final check before delivery
c) Pre-deployment software is most vulnerable to unauthorized access
d) The test plan may have missed something
c) Once software has undergone all of its testing and mitigations or remediations of unacceptable test findings have been implemented, it is considered ready for release. Security checking does not stop here, however, because this is the point in the SDLC at which pre-deployment software is most vulnerable to unauthorized access when it is being staged for distribution/deployment, transferred from staging to the production environment, or in the process of being installed.
If code with a vulnerability is removed from the code base, which risk response was exercised?
a) Accepting
b) Avoiding
c) Transferring
d) Sharing
b) After a risk determination, organizations can respond to risk by accepting, avoiding, mitigating, sharing or transferring it, or a combination of these. Removing the vulnerable code eliminates the exposure altogether, which is avoidance.
What is the purpose of a data retention policy?
a) Describe the procedure to retain data
b) Determine where data should be stored
c) Determine which data is not subject to specific regulatory requirements
d) Determine the sequence by which the data should be deleted
c) A data retention policy, or records retention policy, is an organization’s established protocol for retaining information for operational or regulatory compliance needs.
Which of the following access control types gives “UPDATE” privileges on Structured Query Language (SQL) database objects to specific users or groups?
a) Content dependent access control
b) Discretionary access control
c) Directory access control
d) Data Control Language (DCL) access control
b) Discretionary Access Control
The 3 primary methods for authentication of a user to a system or network are:
a) Passwords, tokens and biometrics
b) Authorization, identification and tokens
c) Passwords, encryption and identification
d) Identification, encryption and authorization
a) Passwords, tokens and biometrics
An access system that grants users only those rights necessary for them to perform their job is operating on which security principle?
a) Discretionary Access
b) Least Privilege
c) Mandatory Access
d) Separation of Duties
b) Least Privilege
Which one of the following can be used to increase the authentication strength of an access control system?
a) Multi-party
b) Two factor
c) Mandatory
d) Discretionary
b) Two factor
What role do biometrics have in a logical access control?
a) Identification
b) Authorization
c) Authentication
d) Confirmation
c) Authentication
At what stage of the application development process should the security department first become involved?
a) Prior to the implementation
b) Prior to user acceptance testing
c) During unit testing
d) During requirements development
d) During requirements development
All the following are purposes of the change control management process EXCEPT ensuring the changes are :
a) Properly authorized
b) Required by users
c) Fully documented
d) Performed correctly
b) Required by users
Security of an automated system is most effective and economical if the system is
a) Optimized prior to addition of security
b) Customized to meet a specific security threat
c) Subjected to intense security testing
d) Designed originally to provide the necessary security
d) Designed originally to provide the necessary security
Programmed procedures which ensure that valid transactions are processed accurately and only once are referred to as
a) Data installation controls
b) Application controls
c) Operation controls
d) Physical controls
c) Operation controls
What common attack can be used against passwords if a copy of the password file can be obtained?
a) Birthday attack
b) Dictionary attack
c) Plaintext attack
d) Smurf attack
b) Dictionary attack
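The dictionary attack above, and the storage choices that blunt it, as an added example that is not part of the flashcard deck. The "leaked" password file, the wordlist and the user names are constructed for the demo; the iteration counts are deliberately small so it runs quickly, far below what production PBKDF2 should use.

```python
"""Offline dictionary attack against a copied password file: unsalted MD5
first, then per-user salt with PBKDF2-HMAC-SHA256. All data is constructed
for this demo; nothing here comes from the flashcard deck."""
import hashlib
import os

# Constructed wordlist: a real attack uses millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "dragon"]


def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed "leaked" file: user -> md5(password), as a weak system would store it.
LEAKED_MD5 = {
    "alice": md5_hex("letmein"),
    "bob": md5_hex("hunter2"),
    "carol": md5_hex("Tr0ub4dor&3"),   # not in the wordlist, so it survives
}


def dictionary_attack_md5(leaked: dict, wordlist: list) -> dict:
    """Hash each word once; with no salt a single lookup table cracks every user."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def pbkdf2_hash(pw: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def make_salted_record(pw: str, iterations: int = 200_000) -> tuple:
    """Store (salt, digest); the salt is random per user, so equal passwords differ."""
    salt = os.urandom(16)
    return salt, pbkdf2_hash(pw, salt, iterations)


def dictionary_attack_pbkdf2(records: dict, wordlist: list, iterations: int):
    """Per-user salt forces one slow hash per (user, word) pair; returns (cracked, hashes computed)."""
    cracked, work = {}, 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            work += 1
            if pbkdf2_hash(word, salt, iterations) == digest:
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted md5 cracked:", dictionary_attack_md5(LEAKED_MD5, WORDLIST))
    demo_iters = 20_000   # demo value only; production should be much higher
    records = {
        "alice": make_salted_record("letmein", demo_iters),
        "carol": make_salted_record("Tr0ub4dor&3", demo_iters),
    }
    cracked, work = dictionary_attack_pbkdf2(records, WORDLIST, demo_iters)
    print("salted pbkdf2 cracked:", cracked, "after", work, "slow hashes")
```

Salting does not save a password that is in the wordlist (alice still falls), but it removes the shared lookup table and the slow KDF multiplies the attacker's cost per guess, which is the point of the countermeasure.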
Configuration management ensures that all changes to a computer system take place in an identifiable and controlled environment, and that the changes
a) to application software cannot bypass system security features
b) do not adversely affect implementation of the security policy
c) to the operating system are always subjected to independent validation and verification
d) in technical documentation maintain an accurate description of the Trusted Computing Base
b) do not adversely affect implementation of the security policy
Which of the following is the MAIN advantage of having an application gateway?
a) To perform change control procedures for applications
b) To provide a means for applications to move into production
c) To log and control incoming and outgoing application traffic
d) To audit and approve changes to applications
c) To log and control incoming and outgoing application traffic
The best practice to prevent logging clutter in application security is to:
a) Log an exception when the exception is wrapped with another exception and propagate
b) Catch and log exceptions at every level in the software
c) Catch and log exceptions only at points which exceptions are actually handled
d) Disable debug level logging in a production environment
c) Catch and log exceptions only at points which exceptions are actually handled
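The difference between logging at every layer and logging once where the exception is handled, as an added example that is not from the flashcard deck. The three-layer call chain, the failing data access function and the record-collecting handler are constructed for the demo.

```python
"""Same failure, two logging styles. Constructed demo; not from the deck."""
import logging

LOG = logging.getLogger("app")


class ListHandler(logging.Handler):
    """Collects log records in memory so the two styles can be compared."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def fetch_row(user_id: int) -> dict:
    # Lowest layer: the constructed failure every call path runs into.
    raise ConnectionError("database unreachable")


# --- cluttered: catch, log and rethrow at every layer (three records for one fault) ---
def repo_cluttered(user_id):
    try:
        return fetch_row(user_id)
    except ConnectionError:
        LOG.exception("repo failed")
        raise


def service_cluttered(user_id):
    try:
        return repo_cluttered(user_id)
    except ConnectionError as e:
        LOG.exception("service failed")
        raise RuntimeError("lookup failed") from e


def handler_cluttered(user_id):
    try:
        return service_cluttered(user_id)
    except RuntimeError:
        LOG.exception("request failed")
        return None


# --- recommended: wrap with context and propagate; log once at the handling point ---
def repo_clean(user_id):
    return fetch_row(user_id)


def service_clean(user_id):
    try:
        return repo_clean(user_id)
    except ConnectionError as e:
        # Add context and propagate; __cause__ carries the root cause up the stack.
        raise RuntimeError("lookup failed for user %d" % user_id) from e


def handler_clean(user_id):
    try:
        return service_clean(user_id)
    except RuntimeError:
        LOG.exception("request failed")   # single record, chained traceback included
        return None


def collect_records(fn, user_id: int = 42) -> list:
    """Run fn under a temporary handler and return the records it produced."""
    h = ListHandler()
    LOG.addHandler(h)
    LOG.setLevel(logging.DEBUG)
    try:
        fn(user_id)
    finally:
        LOG.removeHandler(h)
    return h.records


def root_cause_preserved(fn) -> bool:
    """True if the last record's exception chain still reaches the ConnectionError."""
    records = collect_records(fn)
    exc = records[-1].exc_info[1] if records else None
    while exc is not None:
        if isinstance(exc, ConnectionError):
            return True
        exc = exc.__cause__
    return False


if __name__ == "__main__":
    print("cluttered:", len(collect_records(handler_cluttered)), "records")
    print("clean:", len(collect_records(handler_clean)), "records")
```

The single record written by handler_clean still contains the ConnectionError, because `raise ... from e` chains the cause into the traceback; the extra records in the cluttered version add nothing an analyst can use.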
Which of the following defines the intent of a system security policy?
a) A description of the settings that will provide the highest level of security
b) A brief high-level statement defining what is and is not permitted in the operation of a system
c) A definition of those items that must be denied on the system
d) A listing of tools and applications that will be used to protect the system
b) A brief high-level statement defining what is and is not permitted in the operation of a system
What is one advantage of Content-Dependent Access Control of information?
a) It prevents data locking
b) It limits the user’s individual address space
c) It provides highly granular control
d) It confines access to authorized users of the system
c) It provides highly granular control
The concept that all accesses must be mediated, protected from modification, and verifiable as correct is the concept of
a) Secure Model
b) Security Locking
c) Reference Monitor
d) Secure State
c) Reference Monitor
Which one of the following is the MAIN goal of a security awareness program when addressing senior management?
a) To provide a way to communicate security procedures
b) To provide a clear understanding of potential risk and exposure
c) To provide an opportunity to disclose exposures and risk analysis
d) To provide a forum to communicate user responsibilities
b) To provide a clear understanding of potential risk and exposure
A worm most frequently spreads via :
a) User misuse
b) Vulnerabilities in software
c) Mobile code attacks
d) Infected USB drives and wireless access points
b) Vulnerabilities in software
Spoofing can be defined as
a) eavesdropping on communications between persons or processes
b) a person or process emulating another person or process
c) a hostile or unexpected entity concealed within another entity
d) the testing of all possibilities to obtain information
b) a person or process emulating another person or process
Which of the following represents an Annualized Loss Expectancy (ALE) calculation?
a) ALE = GLE * ARO
b) ALE = AV * EF
c) ALE = Risk - Countermeasures
d) ALE = SLE * ARO
d) ALE = SLE * ARO
Step by step instructions used to satisfy control requirements are called a
a) Policy
b) Standard
c) Guideline
d) Procedure
d) Procedure
Separation of duties should be
a) Enforced in all organizational areas
b) Cost justified for the potential for loss
c) Enforced in the program testing phase of application development
d) Determined by the availability of trained staff
b) Cost justified for the potential for loss
What principle recommends the division of responsibilities to prevent a person from committing fraud?
a) Separation of duties
b) Mutual exclusion
c) Need to know
d) Least privilege
a) Separation of duties
A timely review of system access audit records would be an example of which basic security function?
a) Avoidance
b) Deterrence
c) Prevention
d) Detection
d) Detection
An advantage of asymmetric key cryptography is that
a) It is relatively easy to distribute keys
b) Both keys are the same
c) It can be easily implemented in hardware
d) Execution can be very fast
a) It is relatively easy to distribute keys
Which trusted third party authenticates public encryption keys?
a) Public key notary
b) Certification Authority (CA)
c) Key Distribution Center (KDC)
d) Key revocation certificate
b) Certification Authority (CA)
Which one of the following is the best known example of a symmetric key cipher system?
a) Data Encryption Standard (DES)
b) Rivest-Shamir-Adleman (RSA)
c) ElGamal (ElG)
d) Message Digest 5 (MD5)
a) Data Encryption Standard (DES)
Which of the following describes the first process in the establishment of an encrypted session using a Data Encryption Standard (DES) key?
a) Key Clustering
b) Key Compression
c) Key Signing
d) Key Exchange
d) Key Exchange
Which of the following does a digital signature provide?
a) It provides the ability to encrypt an individual’s confidential data
b) It ensures an individual’s privacy
c) It identifies the source and verifies the integrity of data
d) It provides a framework for law and procedures
c) It identifies the source and verifies the integrity of data
The value of data or an information system to an organization should consider all of the following factors EXCEPT
a) the requirements of regulations or legislation
b) the number of people requiring access to the system or data
c) the sensitivity of the data or systems and risks associated with disclosure
d) whether access to the data or system is critical to business functions
b) the number of people requiring access to the system or data
What principle recommends the limitation of access permissions to select individuals?
a) Separation of Duties
b) Mutual Exclusion
c) Need to Know
d) Dual Control
c) Need to Know
Another name for a Virtual Private Network (VPN) is a :
a) Tunnel
b) Firewall proxy
c) Named-pipe
d) Domain
a) Tunnel
What type of subsystem is an application program that operates outside the operating system and carries out functions for a group of users, maintains some common data for all users in the group, and protects the data from improper access by users in the group?
a) Prevented subsystem
b) Protected subsystem
c) File subsystem
d) Directory subsystem
b) Protected subsystem
One example of a security countermeasure against SQL injection attacks is
a) to deploy an IDS
b) to encrypt communications using SSL
c) Anti-virus deployment
d) User input validation
d) User input validation
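The input validation, output encoding and SQL injection cards above, brought together in one added example that is not part of the flashcard deck: an allow-list validator, context-specific encoders, and a deliberately vulnerable query beside its parameterised form. The in-memory SQLite table, its rows and the attack string are constructed for the demo.

```python
"""Injection defences side by side. Constructed demo; not from the deck."""
import html
import re
import sqlite3
from urllib.parse import quote

# Allow-list for a username field: letters, digits, underscore, 3 to 16 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,16}")


def validate_username(value: str) -> bool:
    """True only if the whole value matches the allow-list; everything else is rejected."""
    return USERNAME_RE.fullmatch(value) is not None


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text or attribute context."""
    return html.escape(value, quote=True)


def encode_for_url(value: str) -> str:
    """Output encoding for a URL query component."""
    return quote(value, safe="")


def build_db() -> sqlite3.Connection:
    """Constructed table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn, name: str) -> list:
    """Deliberately vulnerable: concatenation lets attacker text become SQL."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(r[0] for r in conn.execute(query))


def lookup_parameterised(conn, name: str) -> list:
    """Bound parameter: the value is data, never part of the statement."""
    return sorted(r[0] for r in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)))


def lookup_safe(conn, name: str) -> list:
    """Defence in depth: reject at the boundary, then still bind the parameter."""
    if not validate_username(name):
        raise ValueError("rejected by allow-list: %r" % name)
    return lookup_parameterised(conn, name)


if __name__ == "__main__":
    conn = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))      # tautology returns every row
    print("parameterised:", lookup_parameterised(conn, payload))  # no such user
    try:
        lookup_safe(conn, payload)
    except ValueError as e:
        print("validated:", e)
    print(encode_for_html("<script>alert(1)</script>"))
    print(encode_for_url("a&b=c d"))
```

Validation and parameterisation are separate controls: the allow-list stops malformed input at the boundary, while the bound parameter makes the query safe even for input that a looser allow-list would let through.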
Which one of the following is NOT a valid X.509 certificate field?
a) Subject’s public key information
b) Subject’s X.500 name
c) Issuer’s unique identifier
d) Subject’s digital signature
d) Subject’s digital signature
In what way can web applets pose a security threat?
a) Their transport can interrupt the secure distribution of World Wide Web pages over the Internet by removing SSL and S-HTTP
b) Client execution environment may not provide the ability to limit system access that an applet could have on a client system
c) Executables from the Internet may attempt an unintentional attack when they are downloaded on a client system because of bad programming
d) Client execution environment will check the bytecode at runtime or provide other safety mechanisms for program isolation from the client system
b) Client execution environment may not provide the ability to limit system access that an applet could have on a client system
Which one of the following individuals has PRIMARY responsibility for determining the classification level of information?
a) Security Manager
b) User
c) Owner
d) Auditor
c) Owner
When basic standards for software development are implemented within an organization and are in common use (defined, established and documented), the organization has reached what level of CMMI for software engineering?
a) Level 1
b) Level 2
c) Level 3
d) Level 4
c) Level 3
Computer security is the responsibility of
a) Everyone in the organization
b) Corporate management
c) The corporate security staff
d) Everyone with computer access
a) Everyone in the organization
The MOST dangerous consequence of a buffer overflow vulnerability is
a) Denial of Service (DoS)
b) Arbitrary code execution
c) Disclosure of confidential information
d) Damage to the organizational branch
b) Arbitrary code execution
Using an SDLC methodology in a software development project should
a) Improve the quality of the software product
b) Include an exact schedule for the project
c) Increase the number of software vulnerabilities
d) Decrease the complexity of the software code
a) Improve the quality of the software product
Many common vulnerabilities such as buffer overflows, SQL injection and command injections can be traced to failure to
a) install the latest vendor patches
b) maintain a hardened server configuration
c) validate user input
d) abide by organizational security policies
c) validate user input
When dealing with intellectual property rights for software between nations, it is important to consider
a) information concerning the overall foreign trade agreements between two nations
b) the governing law in the agreements between two nations
c) foreign corrupt trading practices in the agreement between the two nations
d) information about the specific product liabilities the software has
b) the governing law in the agreements between two nations
Which of the following is the MOST important information to consider when writing a security policy?
a) The impact on the organization’s ability to achieve its goals
b) The acceptance by members of the IT department
c) The effect it could have on organizational morale
d) The degree to which it may affect the Business Continuity Plan (BCP)
a) The impact on the organization’s ability to achieve its goals
Which of the following is the LEAST important information to record when logging a security violation?
a) User’s Name
b) UserID
c) Type of violation
d) Date and Time of the violation
a) User’s Name
During the INITIAL stages of software development, a development team should analyze the vulnerabilities that could be encountered by the application. The method of analysis is termed
a) Audit Analysis
b) Threat Modeling
c) Cost Benefit Analysis
d) Software Development Life Cycle (SDLC)
b) Threat Modeling
Which of the following is MOST true about Management’s overarching security policy?
a) It details the organization’s security plan
b) It directly reflects management’s commitment to security
c) It should be published so it can be used
d) Copies should be controlled for ease of updating, accountability purposes, auditing and to demonstrate management’s commitment to security
b) It directly reflects management’s commitment to security
All of the following are basic components of a security policy EXCEPT the
a) Definition of the issue being addressed and relevant terms
b) Statement of roles and responsibilities
c) Statement of applicability and compliance requirements
d) Statement of performance characteristics and requirements
d) Statement of performance characteristics and requirements
Which of the following provides for an effective security program?
a) A hierarchical definition of security policies, standards, and procedures
b) The identification, assessment and mitigation of vulnerabilities
c) A definition of program modules and procedures for data structures
d) The identification of organizational, procedural and administrative weaknesses
a) A hierarchical definition of security policies, standards and procedures
Which of the following could BEST be utilized to validate the continued need for access to system resources?
a) Periodically review and recertify privileged users
b) Periodically review audit and access logs
c) Periodically review processes that grant access
d) Periodically review data classifications by management
b) Periodically review audit and access logs
Which risk management methodology uses the exposure factor multiplied by the asset value to determine its outcome?
a) Annualized Loss Expectancy
b) Single Loss Expectancy
c) Annualized Rate of Occurrence
d) Information Security Risk Management
b) Single Loss Expectancy
What is the PRIMARY reason for designing the security kernel to be as small as possible?
a) The operating system cannot be easily penetrated by users
b) Changes to the kernel are not required as frequently
c) Due to its compactness, the kernel is easier to formally verify
d) System performance and execution are enhanced as the kernel is faster
c) Due to its compactness, the kernel is easier to formally verify
What should be the size of a Trusted Computer Base?
a) Small - In order to permit it to be implemented in all critical systems
b) Small - In order to facilitate the detailed analysis necessary to prove that it meets design requirements
c) Large - In order to accommodate the implementation of future updates without incurring the time and expense of recertification
d) Large - In order to enable it to protect the potentially large number of resources in a typical commercial system environment
b) Small - In order to facilitate the detailed analysis necessary to prove that it meets design requirements
Which one of the following refers to a series of characters used to verify a user’s identity?
a) Token serial number
b) UserID
c) Password
d) Security ticket
c) Password
Which of the following MUST be true before the least privilege principle applies?
a) The individual must have a need to know
b) The object’s label must be updated with the subject’s clearance level
c) The object’s label must grant the subject access to the object
d) The individual must be assigned to a leadership position in the organization
a) The individual must have a need to know
The core concepts of software security are based on
a) Availability, Confidentiality, Integrity
b) Risk, Architecture, User Requirements
c) Asset Value, Probability, Impact
d) Controls, Safeguards, Countermeasures
a) Availability, Confidentiality, Integrity
The purpose of a security baseline is to
a) create a standard configuration for all systems and applications on the network
b) enforce compliance with corporate IT guidelines
c) reduce total cost of ownership (TCO)
d) ensure that all processes are compliant with regulations
a) create a standard configuration for all systems and applications on the network
An ideal security model is
a) centralized or decentralized according to business and security needs
b) always defaulted to a level of higher security not lower security
c) reviewed and approved by audit at least one per quarter
d) focused more on security standards than on business requirements
a) centralized or decentralized according to business and security needs
The concept of complete mediation is important in order to
a) ensure all unauthorized users are prevented from making improper modifications
b) protect all systems and procedures from unapproved changes
c) control all access by subjects requesting access to resources
d) only enforced at initial login and often subject to a time of use versus time of check (TOCTOU) attack
c) control all access by subjects requesting access to resources
An organization wants to protect its brand and reputation by designing a new style and color of packaging for its products. How would the organization protect this marketing technique?
a) Patent
b) Trademark
c) Copyright
d) Trade secret
b) Trademark
Access controls refer to the responsibility to
a) protect data and systems from changes or modifications
b) log and audit all activities on a system
c) identify and label critical and sensitive data
d) permit authenticated personnel to perform authorized changes
d) permit authenticated personnel to perform authorized changes
The PRIMARY objective of security during the requirements phase of the SDLC is to
a) create awareness amongst all project team members of security risks and controls
b) develop the security controls according to best practice and design
c) ensure security controls are implemented and operating correctly
d) integrate security into the software development process
d) integrate security into the software development process
In order to determine the security requirements for a secure systems architecture the security specialist must
a) focus on the specific security needs of the individual systems
b) understand both use and misuse case models
c) closely adhere to best practices and internationally recognized standards
d) develop a cost benefit calculation that justifies the cost of each control
b) understand both use and misuse case models
One way to minimize the cost of protecting information is to
a) classify all information at a high level and strictly restrict access
b) ensure the organization has sufficient insurance to cover any loss or breach
c) encrypt all data and ensure that it is disposed of properly
d) develop an information classification procedure and ensure that appropriate handling procedures are in place
d) develop an information classification procedure and ensure that appropriate handling procedures are in place
Information classification requires
a) identifying an information owner
b) not mixing data of different classification levels on the same system
c) protecting the security kernel from unauthorized manipulation
d) locking all sensitive data in secure cabinets
a) identifying an information owner
Kerberos is an example of
a) Single Sign On (SSO)
b) Decentralized Access Control (DCO)
c) Implementation of LDAP (Lightweight Directory Access Protocol)
d) Intrusion Detection
a) Single Sign On
Software security design allocates
a) security requirements to the components that will deliver specific security functions
b) user functions to customize security controls
c) business requirements into security features and requirements
d) security standards into properly implemented security controls
a) security requirements to the components that will deliver specific security functions
Measuring the attack surface during the design phase is important to
a) define an ongoing metric for default security levels
b) prepare a business case for cost benefit analysis
c) ensure that layered defense (defense in depth) solutions are implemented correctly
d) discover new business or security requirements not documented in the requirements phase
a) define an ongoing metric for default security levels
The challenge of interconnecting systems and integrations with legacy equipment is due to the fact that
a) older systems were never built with adequate security controls
b) it can be extremely difficult to modernize older equipment to update it to new standards
c) there may be unknown alternate paths to information or systems through older systems or networks
d) legacy systems are inflexible and will not adjust to modern security needs
a) older systems were never built with adequate security controls
Threat modeling determines
a) the resilience of the system to attack or compromise
b) the presence of any vulnerabilities in the systems design
c) the potential harm to each asset and the associated level of risk
d) the likelihood a control will not provide adequate protection in the event of an attack
d) the likelihood a control will not provide adequate protection in the event of an attack
The main purpose of code signing is to
a) protect the Intellectual Property (IP) of the organization from theft or copying
b) make the code unintelligible to prevent reverse engineering
c) ensure no unauthorized changes are made to the code
d) protect code from being copied or used on unlicensed machines
c) ensure no unauthorized changes are made to the code
Identification of specific areas that will require additional code testing or examination of the code for vulnerabilities is facilitated through the use of
a) Code Analysis
b) Risk Management
c) Threat Modeling
d) Business Case and Reference Models (BRM)
c) Threat Modeling
Software testing should focus on
a) testing the integration of each software component with the network security controls
b) the discovery of user requirements
c) ensuring the security controls are operating correctly
d) detecting potential security vulnerabilities not just software function and features
d) detecting potential security vulnerabilities not just software function and features
The advantage of using “fuzzing” test techniques is that it
a) replaces the requirement to develop detailed and specific test cases
b) tests the ability of the software to handle common user exceptions
c) ensures tests will cover the entire range of allowable input values in a truly random manner
d) validates that input and output validation controls are set correctly
c) ensures tests will cover the entire range of allowable input values in a truly random manner
Automated code testing tools will allow the development team to
a) replace the existing manual testing procedures with more efficient automated processes
b) provide better assurance that code is error free than was possible with manual testing scenarios
c) allow more thorough testing when used in conjunction with manual testing
d) shorten the time required to do testing and may allow certain tests to be bypassed
c) allow more thorough testing when used in conjunction with manual testing
“Cold Booting” is an example of a security vulnerability that
a) indicates a system must only be operated at temperatures below thirty degrees Celsius (94 F)
b) attempts to read data from an integrated circuit chip by freezing it at extremely low temperatures
c) is the process of recovery following a system failure that requires a complete rebuild of the system including operating systems, utilities and applications
d) when a development team is requested to (pushed into) work on a systems development project without having been provided detailed user specifications
b) attempts to read data from an integrated circuit chip by freezing it at extremely low temperatures
Defensive coding practices include memory management, memory handling and
a) Stress and Performance Testing
b) Code Signing
c) Type Safety
d) Preventing Buffer Overflows
c) Type Safety
What is the goal of secure software testing?
a) To determine if the software meets requirements
b) To compare as-built functionality with the as-designed security framework
c) To prevent the introduction of a flawed program into production
d) To ensure the designed security controls were implemented correctly, operating correctly and providing the intended benefit
d) To ensure the designed security controls were implemented correctly, operating correctly and providing the intended benefit
High priority code is listed in the CSSLP Candidate Information Bulletin (CIB) as
a) code that is designed for continuous or high availability
b) code that must be flexible enough to meet rapidly changing market conditions
c) code that is on the attack surface of the application
d) code that is executed in real time and therefore allows online interrupts to expedite processing
c) code that is on the attack surface of the application
Regression testing is testing that
a) ensures new changes do not unintentionally overwrite previous changes
b) ensures all code is compatible with legacy data and systems
c) uses older coding languages and techniques despite the availability of newer, more efficient tools
d) discovers older, previously unknown vulnerabilities in re-used legacy code
a) ensures new changes do not unintentionally overwrite previous changes
Software acceptance must consider the approval to implement software from the perspective of the
a) Development Team
b) Configuration Management Team
c) Customers
d) Users
c) Customers
An organization is developing a new product for sale globally. Therefore, it may need to have the product tested to enable it to be sold to customers that require external validation. Which testing process may it use for this purpose?
a) ISO 15408
b) COBIT
c) ISO27001
d) CMMI
a) ISO 15408
A vulnerability has been found in a deployed system. What should the organization that developed the code do?
a) Market the vulnerability as a new “feature”
b) Ignore it and hope no one else finds it
c) Update the End User License Agreement (EULA) to refute any responsibility for operational problems whatever the cause
d) Aggressively attack the reputation and credibility of the individual or organization that disclosed the problem
c?
Which of the following BEST describes something of value to an organization?
a) Agent
b) Asset
c) Control
d) Threat
b) Asset
Which of the following is comprised of the threats, vulnerabilities, and current value of an asset?
a) Attack Surface
b) Exposure
c) Residual Risk
d) Total Risk
d) Total Risk
Taking advantage of a vulnerability is also known as a(n):
a) Attack
b) Control
c) Exploit
d) Threat
c) Exploit
Which of the following BEST describes Residual Risk?
a) Risk remaining after all controls have been defined
b) Risk remaining after all controls have been applied
c) Risk remaining after an attack has been performed
d) Risk remaining after operations have been restored
b) Risk remaining after all controls have been applied
In a Risk Calculation, Single Loss Expectancy (SLE) is the product of
a) Annual Loss Expectancy (ALE) * Annual Rate of Occurrence (ARO)
b) Annual Loss Expectancy (ALE) * Risk
c) Asset Value * Annual Loss Expectancy (ALE)
d) Asset Value * Exposure Factor
d) Asset Value * Exposure Factor
In a Risk Calculation, Annual Loss Expectancy (ALE) is the product of
a) Annual Rate of Occurrence (ARO) * Single Loss Expectancy (SLE)
b) Asset Value * Exposure Factor
c) Probability * Impact
d) Risk * Annual Rate of Occurrence (ARO)
a) Annual Rate of Occurrence (ARO) * Single Loss Expectancy (SLE)
Remember: ALE = ARO * SLE
-or- BEER = AROUSLE
Managing exposure before a threat takes advantage of a vulnerability is also known as
a) Evergreen
b) Risk Management
c) Security Tenets
d) Trustworthy Computing
b) Risk Management
Which of the following is LEAST LIKELY to be a challenge to Software Risk Management?
a) Asset value can be subjective
b) Exposure Factor, Probability and Impact data can be limited
c) Not enough information about the threats
d) Sometimes difficult to quantify software assets
d) Sometimes difficult to quantify software assets
Which of the following BEST describes the negative impact of adding new controls to an organization?
a) Controls may be intermittent
b) Controls may cause unintended results
c) Controls may not be available for use
d) Controls may be poorly documented or understood
b) Controls may cause unintended results
Who or what ultimately assumes all liability of the risks introduced by new software?
a) Developers
b) Security
c) The organization
d) The vendor
c) The organization
Which of the following is NOT a way of handling risk?
a) Accept
b) Document
c) Mitigate
d) Transfer
b) Document
Which of the following is NOT a security tenet?
a) Availability
b) Avoidance
c) Authentication
d) Authorization
b) Avoidance
Which of the following is NOT a part of the Iron Triangle Challenge?
a) Budget
b) Schedule
c) Scope
d) Training
d) Training
Which of the following is NOT a primary component of Quality Software?
a) Security
b) Privacy
c) Usability
d) Reliability
b) Privacy
Which triad is at the foundation of secure software?
a) Budget, Schedule and Scope
b) Confidentiality, Integrity and Availability
c) Knowledge, Ownership and Characteristics
d) Something you have, something you know and something you are
b) Confidentiality, Integrity and Availability
Budget, Schedule and Scope are the 3 tiers of the Iron Triangle.
In terms of the CSSLP, Auditing means
a) Logging
b) Notifying
c) Referencing
d) Reviewing
a) Logging
Non-Repudiation ensures
a) Accountability
b) Confidentiality
c) Integrity
d) Reliability
a) Accountability
Proper session management can BEST protect an application against which type of attack?
a) Cross-site scripting (CSS)
b) Denial of Service (DOS)
c) Man-in-the-Middle (MITM)
d) SQL Injection
b) Denial of Service (DOS)
Which security tenet states that “mechanisms common to more than one user/process are not shared”?
a) Economy of Mechanism
b) Complete Mediation
c) Least Common Mechanism
d) Separation of Duties
c) Least Common Mechanism
With Complete Mediation
a) authority to access objects is checked every time access is requested
b) authorization levels are defined by roles
c) components are reused whenever possible
d) countermeasures are implemented to avoid a single point of failure
a) authority to access objects is checked every time access is requested
Which of the following has been the biggest driver of information security initiatives in the past few years?
a) Weak economy
b) Maintain competitive advantage
c) Regulatory compliance
d) Reputation
c) Regulatory compliance
Which of the following is MOST critical to having an effective security policy?
a) Adequate documentation and training
b) Developer buy-in
c) Support of top management
d) User Acceptance
c) Support of top management
Which of the following does NOT drive a need for standards?
a) Adherence to policy
b) Boost customer confidence
c) Ease of maintenance
d) Use of popular methodologies
d) Use of popular methodologies
Using instrumentation in coding may introduce which of the following security vulnerabilities?
a) Denial of Service
b) Information Disclosure
c) Lack of Standards
d) Performance Impairment
d) Performance Impairment
Overloaded operators are an example of
a) Least Common Mechanism
b) Least Privilege
c) Polyinstantiation
d) Polymorphism
d) Polymorphism
Which standard has blueprints for Information Security Management Systems (ISMS)?
a) DoD 8570.1
b) FIPS 140.2
c) ISO 27000 series
d) ISO 9126
c) ISO 27000 series
Which standard is also known as The Common Criteria?
a) ISO 15408
b) ISO 27799
c) ISO 27000
d) ISO 9126
a) ISO 15408
Which standard is for software product evaluation?
a) ISO 15408
b) ISO 27799
c) ISO 27000
d) ISO 9126
a) ISO 15408
Which standard is titled “Security Considerations in the Information System Development Life Cycle”?
a) FIPS 140-2
b) FIPS 201
c) NIST SP 800-12
d) NIST SP 800-64
d) NIST SP 800-64
The type of questioning, where the original question is responded to as though it were an answer, is also known as
a) Flaw-hypothesis method
b) OCTAVE
c) Socratic method
d) Vulnerability remediation
c) Socratic method
Which of the following is a scoring system used to produce risk rankings?
a) COSO
b) CVSS
c) OCTAVE
d) OSSTMM
b) CVSS
Which of the following analysis frameworks has a matrix with the column headers who, what, when, where, why and how?
a) COBIT
b) ITIL
c) SEI IDEAL
d) Zachman’s Framework
b) ITIL
Which business management strategy has the goal of 3.4 defects per million opportunities?
a) Six Sigma
b) SABSA
c) COBIT
d) CMMI
a) Six Sigma
Which of the following is NOT one of the layers in the Sherwood Applied Business Security Architecture (SABSA) framework?
a) Physical (Security Mechanisms)
b) Psychological (User Acceptance)
c) Component (Tools and Products)
d) Operational (Security Management)
b) Psychological (User Acceptance)
Which regulation is concerned with protecting the customer’s personal financial information held by financial institutions?
a) Computer Misuse Act
b) Gramm-Leach-Bliley Act (GLBA)
c) Sarbanes-Oxley (SOX)
d) Title 21 Code of Federal Regulations (CFR) Part 11
b) Gramm-Leach-Bliley Act (GLBA)
The guideline “don’t collect information if you don’t need it” BEST applies to
a) Confidentiality
b) Integrity
c) Availability
d) Non-Repudiation
a) Confidentiality
The Orange Book: A Guide to Understanding Discretionary Access Control in Trusted Systems is based on which of the following models?
a) Bell-LaPadula Confidentiality (BLP)
b) Biba Integrity
c) Clark Wilson Integrity
d) Brewer Nash
a) Bell-LaPadula Confidentiality (BLP)
Which of the following is NOT a property of the Bell-LaPadula Confidentiality model?
a) Star
b) Security
c) Strong Star
d) Simple Security
b) Security
Which security model is concerned with preventing UNAUTHORIZED subjects from making modifications?
a) Bell-LaPadula Confidentiality (BLP)
b) Biba Integrity
c) Brewer Nash
d) Clark Wilson Integrity
d) Clark Wilson Integrity
Which security model is concerned with preventing AUTHORIZED subjects from making IMPROPER modification?
a) Bell-LaPadula Confidentiality (BLP)
b) Biba Integrity
c) Brewer Nash
d) Clark Wilson Integrity
d) Clark Wilson Integrity
Which security model uses rules to prevent conflicts of interest?
a) Bell-LaPadula Confidentiality (BLP)
b) Biba Integrity
c) Brewer Nash
d) Clark Wilson Integrity
c) Brewer Nash
Which type of testing might NOT be available if purchasing rather than building software?
a) Security testing
b) Usability testing
c) Black box testing
d) White box testing
d) White box testing
In the four layers of Ring Protection, at which ring does the operating system kernel reside?
a) Ring 0
b) Ring 1
c) Ring 2
d) Ring 3
a) Ring 0
Which of the following uses cryptographic modules and keys at the hardware level?
a) Trusted Computing Base (TCB)
b) Trusted Platform Module (TPM)
c) Reference Monitor Concept
d) Ring Protection
b) Trusted Platform Module (TPM)
Which of the following does the Trusted Computing Base (TCB) NOT monitor?
a) Process Activation
b) User Activity Patterns
c) Input/output Operations
d) Execution Domain Switching
b) User Activity Patterns
Which of the following is the final maturity level of System Security Engineering Capability Maturity Model (SSE-CMM)?
a) Continuously Improving
b) Performed Informally
c) Qualitatively Controlled
d) Well Defined
a) Continuously Improving
This level is also known as Optimizing or Level 5. Qualitatively Controlled is actually Level 4.
Separation of Duties is also known as
a) Compartmentalization Principle
b) Defense in Depth
c) Economy of Mechanism
d) Single Point of Failure
a) Compartmentalization Principle
Which of the following is NOT part of secure Exception Management?
a) Fail Secure (Fail Safe)
b) Non-Verbose Messages
c) Complete Mediation
d) Handling Unexpected Behavior
c) Complete Mediation
Which two frameworks are often used together to create a matrix to represent the whole model for the enterprise security architecture?
a) COSO and COBIT
b) COSO and Zachman
c) SABSA and COBIT
d) SABSA and Zachman
b) COSO and Zachman
Which framework allows managers to bridge the gap between control requirements, technical issues, and business risks, and focuses more on regulatory compliance?
a) COSO
b) COBIT
c) SABSA
d) Zachman
b) COBIT
Who is responsible for defining acceptable risk?
a) Lead Developer
b) Executive Sponsor
c) Architect
d) Information Security Group
b) Executive Sponsor
What are some controls to ensure data integrity?
a) Encryption and Masking
b) Load Balancing and Fault Tolerance
c) Denial of Service Prevention
d) Input Validation and Hashing
d) Input Validation and Hashing
What transactions should be audited?
a) Critical Business, Administrative and Authentication Attempts
b) Everything
c) Authentication attempts only
d) Authentication and Authorization requests only
a) Critical Business, Administrative and Authentication Attempts
Escrow protects whom?
a) Publisher
b) Acquirer
c) Acquirer and Publisher
d) Acquirer, Publisher and Escrow entity
b) Acquirer
Key factors to a successful risk data gathering exercise include which of the following?
a) Asking direct questions which require Yes/No responses to help expedite the engagement
b) Dictating security requirements
c) Interrogating stakeholders
d) Building support, meeting collaboratively with stakeholders, sharing information and being prepared
d) Building support, meeting collaboratively with stakeholders, sharing information and being prepared
How does Basic Authentication transmit credentials?
a) Sending an MD5 hash / message digest
b) Encoded using Base-64 encoding
c) In plaintext over SSL
d) By sending an encrypted cipher using the Advanced Encryption Standard (AES)
b) Encoded using Base-64 encoding
What are the race condition properties?
a) Infinite loops and deadlocks
b) Mutual exclusion and race windows
c) Concurrency, shared objects and state changes
d) Time of Check (TOC) / Time of Use (TOU)
d) Time of Check (TOC) / Time of Use (TOU)
What are some controls to ensure data confidentiality?
a) Encryption and masking
b) Load balancing and fault tolerance
c) Denial of service protection
d) Input validation and hashing
a) Encryption and masking
The confidentiality, integrity and availability of audit information should be protected at which one of the following levels of security?
a) Medium
b) Low
c) High
d) Not necessary
c) High
Mis-Actors in an abuse case usually have which one of the following characteristics?
a) Do not intend harm on the system
b) Are authorized users
c) Are not normally malicious
d) Are assumed malicious and labeled as such
d) Are assumed malicious and labeled as such
Confidentiality requirements include all data EXCEPT which of the following?
a) In archives
b) In development
c) In storage
d) In transit
b) In development
Steganography helps ensure
a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation
a) Confidentiality
Information that is timely, accurate, complete and consistent can be considered to enforce
a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation
b) Integrity
Software that works as expected meets which of the following tenets?
a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation
b) Integrity
Which of the following is NOT one of the three ‘R’s of availability?
a) Recovery
b) Reliability
c) Repudiation
d) Resiliency
d) Resiliency
Which of the following is LEAST LIKELY to be an availability mechanism?
a) Centralized data
b) Defensive coding
c) End to end configuration
d) Load balancing
b) Defensive coding
Which authentication method sends a hash of the password instead of the actual password over the network?
a) Basic authentication
b) Biometrics
c) Client certificates
d) Digest authentication
d) Digest authentication
Which of the following is NOT a requirement of proper authorization?
a) Allows only specific actions
b) Grants admins full access
c) Layered on top of authentication
d) Used for resource access requests
b) Grants admins full access
The ability of a thread to execute in a security context different from that of the process owning the thread is known as
a) Access granularity
b) Authorization
c) Impersonation
d) Inversion
a) Access granularity
Which of the following elements is NOT essential to adequate logging?
a) What
b) When
c) Who
d) Why
d) Why
The tier that separates an internal network from the internet is known as
a) Demilitarized Zone (DMZ)
b) Enclave
c) Extranet
d) Honeypot
a) Demilitarized Zone (DMZ)
Which type of vulnerability can be the result of software not properly handling conversions between different character sets?
a) Canonicalization
b) Naming conflicts
c) Obfuscation
d) Operator overloading
a) Canonicalization
Which of the following requirements is at the highest (least detailed) level of decomposition?
a) Regulatory Requirements
b) Identity Management Requirements
c) Output Encoding
d) User preferences
b) Identity Management Requirements
Which of the following is usually NOT collected during data gathering?
a) Current control environment
b) Organizational assets
c) Proposed controls
d) User preferences
a) Current control environment
Controls such as input validation, CRUD roles and error handling can best be applied to
a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation
b) Integrity
Controls such as Recovery Time Objective (RTO) and Maximum Tolerable Downtime (MTD) can best be applied to
a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation
c) Availability
Which of the following is NOT usually part of a Use Case diagram?
a) Actions
b) Actors
c) Referential constraints
d) Relationships
c) Referential constraints
In use case diagrams, subflows
a) Can make a complex flow easier to follow
b) Illustrate all possible application flows
c) Provide alternate ways an action can be performed
d) Show flows with lower availability requirements
c) Provide alternate ways an action can be performed
Which of the following is NOT a step in Use Case Modeling?
a) Identify actors
b) Identify use cases
c) Identify misuse cases
d) Generate sequence diagrams
d) Generate sequence diagrams
In a Use Case Diagram, Alternative flows
a) Can be used as Business Continuity artifacts
b) Cater to variants and exceptions
c) Compare how different applications perform the same actions
d) Show how applications behave on different platforms
b) Cater to variants and exceptions
Which of the following is MOST LIKELY NOT in a development team report?
a) Misuse case visualizations
b) Secure Code report
c) Security Design and Architecture report
d) Testing and validation results
a) Misuse case visualizations
A data classification document, Use / Misuse cases and a Requirements Traceability Matrix (RTM) are part of
a) Development Team reports
b) Requirements documentation
c) A security Architecture and Design report
d) A secure Code report
c) A security Architecture and Design report
Which of the following is a Race Condition property?
a) Approximate Distance Property
b) Change State Property
c) Latency Property
d) Mutual Exclusion Property
d) Mutual Exclusion Property
Isn’t this NOT a property? Look it up.
Which of the following describes a possible cause of application misuse?
a) Coincidence
b) Apathy
c) Accident
d) Distrust
c) Accident
In a Trusted Subsystem Model
a) Clients are mapped to roles
b) Trust is inherited from the client
c) Permissions are assigned to the client
d) Objects inherit permissions from their subjects
c) Permissions are assigned to the client
Which of the following is NOT directly associated with race conditions?
a) Log
b) Mutex
c) Semaphore
d) Thread
a) Log
In order for a race condition to be exploited, which of the following must exist?
a) Atomic transactions
b) Mutual exclusion (mutex)
c) Race window
d) Synchronicity
c) Race window
Shares, patches and accounts would be included in which team report?
a) Test
b) Deployment
c) Secure Code
d) Development
d) Development
In use case diagrams, which of the following are used to define the roles that users and other systems play while interacting with the system?
a) Actors
b) Objects
c) Subjects
d) Relationships
d) Relationships
A potential occurrence is a(n)
a) Attack
b) Threat
c) Opportunity
d) Vulnerability
b) Threat
In requirements gathering, threat models are developed by which group of stakeholders?
a) Business owners
b) Information Security Group
c) Architects and lead developers
d) Designers and business analysts
c) Architects and lead developers
The adverse effects of software downtime are documented in a
a) Use Case Diagram
b) Secure Software Design
c) Business Impact Analysis
d) Service Level Agreement
c) Business Impact Analysis
Which standard provides an information classification framework?
a) FIPS 140-2
b) NASD 3010
c) NIST SP 800-12
d) NIST SP 800-18
c) NIST SP 800-12
Clients that are mapped to roles, where roles have segmented identities with different access controls, is known as
a) Delegation
b) Impersonation
c) Role Based Model
d) Trusted Subsystem Model
c) Role Based Model
When determining archiving requirements, which of the following should take precedence?
a) Organizational policy
b) Compliance requirements
c) Current security standards
d) Stakeholder recommendation
a) Organizational policy
In a Use Case Diagram, an authentication system would be a(n)
a) Actor
b) Use Case
c) Relationship
d) System Boundary
a) Actor
An actor is some external entity that interacts with the system
Which standard deals with Authentication?
a) FIPS 140-2
b) FIPS 201
c) NIST SP 800-16
d) NIST SP 800-18
b) FIPS 201
Ensuring information and programs are changed only in a specified and authorized manner relates BEST to which of the following?
a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation
b) Integrity
With International Domain Names (IDN), URLs translated from a non-English character set to an ASCII character set are prefaced by
a) Ansi:
b) idn--
c) Nothing
d) xn--
c) Nothing
Which process defines the extent to which data needs to be controlled and secured?
a) Security Testing
b) Data Classification
c) System Decomposition
d) Business Impact Analysis
b) Data Classification
What is the difference between a bug and a flaw?
a) A bug is a design issue and a flaw is programmatic
b) A flaw is a subset of a bug
c) A bug is found in the business logic where a flaw is superficial
d) A bug is code-specific and a flaw is weakness in the logic
d) A bug is code-specific and a flaw is weakness in the logic
What are some design considerations for Confidentiality?
a) Digital Signatures
b) Symmetric and Asymmetric encryption, Hashing and Masking
c) Resource Locking and Referential Integrity
d) Load Balancing and Denial of Service protection
b) Symmetric and Asymmetric encryption, Hashing and Masking
What key would you use in an Asymmetric Encryption Algorithm to ensure confidentiality?
a) Recipient’s private key
b) Recipient’s public key
c) Sender’s private key
d) Sender’s public key
b) Recipient’s public key
What key should be used to ensure Non-Repudiation?
a) Recipient’s private key
b) Recipient’s public key
c) Sender’s private key
d) Sender’s public key
c) Sender’s private key
What are the benefits of Digital Signatures?
a) Integrity, Availability and Non-Repudiation
b) Authentication
c) Authorization
d) Identification, Authentication and Authorization
a) Integrity, Availability and Non-Repudiation
Resource locking assures which of the following?
a) Authentication
b) Integrity
c) Authorization
d) Confidentiality
b) Integrity
Common coding errors that may lead to Denial of Service (DoS) include which of the following?
a) Orphaned records and cascading operations
b) Single Sign On
c) Open connections, memory leaks and endless loops
d) Service Oriented Architecture
c) Open connections, memory leaks and endless loops
The Separation of Duties principle is also referred to as which of the following?
a) Keep it Simple Stupid
b) “Need to Know”
c) Layered Defense
d) Compartmentalization
d) Compartmentalization
The Complete Mediation design principle represents which security model?
a) Clark Wilson
b) Biba
c) Brewer Nash
d) Bell-LaPadula
a) Clark Wilson
Using an interface to ensure abstraction best describes which of the following security models?
a) Clark Wilson
b) Biba
c) Brewer Nash
d) Bell-LaPadula
d) Bell-LaPadula
Which of the following is a risk calculation methodology created by Microsoft?
a) STRIDE
b) DREAD
c) OSSTMM
d) OWASP
b) DREAD
Which of the following is the best example of Pervasive Computing?
a) Mashups
b) Rich Internet Applications
c) Mobile Computing
d) Trusted Computing Base
b) Rich Internet Applications
Which of the following is the best way to ensure confidentiality?
a) Encryption
b) Hashing
c) Recovery
d) Redundancy
a) Encryption
Potential security disadvantages of virtualization include:
a) Hardware consolidation
b) Maintenance
c) Cost
d) Increased attack surface
d) Increased attack surface
Which of the following principles best describes what is affected by data-tampering?
a) Integrity
b) Availability
c) Auditing
d) Confidentiality
a) Integrity
What is a technique for dealing with conflicting resource updates?
a) Locking to prevent inconsistent updates
b) Propagating security state changes
c) Addressing recovery failures
d) Using a clock synchronization protocol
a) Locking to prevent inconsistent updates
Which principle is the best match for the data disclosure threat type?
a) Integrity
b) Availability
c) Auditing
d) Confidentiality
d) Confidentiality
Which principle is the best match for the elevation of privilege threat type?
a) Integrity
b) Availability
c) Auditing
d) Confidentiality
b) Availability
The following are benefits to threat modeling EXCEPT
a) Helps make secure design choices
b) Mitigates risk in implementation
c) Drives use and misuse cases
d) Identifies performance implications
d) Identifies performance implications
Identity management provides for which of the following?
a) Integrity
b) Deniability
c) Confidentiality
d) Non-Repudiation
d) Non-Repudiation
Which of the following BEST describes a Bastion Host?
a) Proxy between the Internet and Intranet
b) Critical system exposed to the Internet
c) Decoy server used to attract attacks for analysis
d) Intrusion detection or intrusion prevention system
a) Proxy between the Internet and Intranet
Software hardening should include
a) Adding support comments to the code
b) Adding guest accounts for automated tasks
c) Removing maintenance hooks
d) Removing network segmentations
c) Removing maintenance hooks
Bootstrapping is also known as
a) Extract, Transform, Load (ETL)
b) Initial Program Load (IPL)
c) Platform Configuration Register (PCR)
d) Trusted Platform Module (TPM)
b) Initial Program Load (IPL)
Which of the following is not part of the Change Control process?
a) Approvals
b) Design
c) Document
d) Test
c) Document
Answer key says E… but there is no E.
Which of the following is not a type of penetration test?
a) Data and Logic
b) Environment
c) Input
d) Social
a) Data and Logic
What type of testing causes system stress, including a slow network and / or low memory?
a) Data and Logic
b) Environment
c) Input
d) Social
c) Input
Key Performance Indicators (KPI) are also known as
a) Behaviors
b) Exceptions
c) Factors
d) Metrics
d) Metrics
What is the difference between Incident Management and Problem Management?
a) Incident Management works to improve service, Problem Management works to restore service
b) Incident Management works to restore service, Problem Management works to improve service
c) Problem Management prevents problems, Incident Management identifies incidents
d) Problem Management identifies problems, Incident Management prevents incidents
b) Incident Management works to restore service while Problem Management works to improve service
Applications that can no longer receive security patches should be
a) Hidden from users
b) Left alone until replaced
c) No longer monitored
d) Removed from service
d) Removed from service
Banner grabbing is also known as
a) Attacking
b) Fingerprinting
c) Footprinting
d) Scanning
b) Fingerprinting
Assurance Checks do which of the following?
a) Negatively tests the software’s functionality
b) Reviews and validates the software’s functionality
c) Tests the vendor’s incident response documentation
d) Validates and verifies the vendor’s claims of security
b) Reviews and validates the software’s functionality
Which type of intellectual property would be used to protect a product’s signature/cornerstone algorithm?
a) Copyright
b) End User Licensing Agreement (EULA)
c) Trade Secret
d) Trademark
c) Trade Secret
The official management decision to operate a system, and to accept the risk associated with operating the system, is known as
a) Accreditation
b) Assurance
c) Certification
d) Continuity
a) Accreditation
What type of testing directly addresses identifying bugs fixed in previous versions of the code?
a) Integration Assessment
b) Regression Testing
c) Simulation Testing
d) Unit Testing
b) Regression Testing
Which of the following would MOST LIKELY NOT be included in a Non-Disclosure Agreement (NDA)?
a) Information to be protected
b) Length of the agreement
c) Parties involved
d) Performance measures
d) Performance measures
An Integration Assessment includes all but which of the following?
a) Regression Testing
b) Simulation Testing
c) Support Verification
d) Vendor Evaluation
d) Vendor Evaluation