CSSLP Flashcards

Cert

1
Q

Confidentiality is used to

a) protect information from destruction
b) protect information from disclosure
c) protect information from modification
d) all of the above

A

b) protect information from disclosure

2
Q

Integrity is used to

a) protect information from destruction
b) protect information from disclosure
c) protect information from modification
d) both a and c

A

d) both a and c

3
Q

Integrity can be ensured by

a) redundancy
b) failover
c) clusters
d) none of the above

A

d) none of the above

4
Q

Availability can be ensured by

a) encryption
b) revocation
c) clusters
d) hashing

A

c) clusters

5
Q

Failover is applied

a) automatically
b) manually
c) never
d) none of the above

A

a) automatically

6
Q

Separation of duties

a) breaks work into manageable parts
b) improves quality control
c) requires multiple parties
d) reduces the work week

A

c) requires multiple parties

7
Q

An audit is

a) a single point in time event
b) a continuous event
c) a subset of monitoring
d) an accounting task

A

a) a single point in time event

8
Q

The KISS principle is demonstrated by

a) nonrepudiation
b) least privilege
c) defense in depth
d) economy of mechanism

A

d) economy of mechanism

9
Q

Secure configuration management (CM) is most useful for

a) organizing meetings
b) reviewing documentation
c) preventing integrity breaches
d) secure data repositories

A

c) Configuration management ensures against the unauthorized modification or destruction of data items

10
Q

Which is not a secure configuration management and version control (CM/VC) process?

a) Planning
b) Identifying file security
c) Controlling configuration changes
d) Monitoring

A

b) CM/VC deals with monitoring data items, it does not implement file security

11
Q

Which methodology uses a security best practices approach whereby the best practices are mapped to each phase of a generic software development lifecycle (SDLC)?

a) Microsoft SDL
b) S-Scrum
c) CLASP
d) SALSA

A

c) CLASP is designed to insert security into SDLC phases, regardless of methodology

12
Q

A disadvantage of agile methods is that

a) they map all requirements to a generic SDLC
b) they require fast computers for execution of the code
c) they do not work with older code
d) they do not allow sufficient time for detailed security planning or analysis

A

d) Agile is based on identifying just enough requirements for the next sprint, and executing those quickly

13
Q

What is the difference between standards and frameworks?

a) Standards are accepted as best practices, whereas frameworks are practices that are generally employed
b) Standards are locality specific, whereas frameworks are international
c) Standards are specific while frameworks are general
d) Both A and C

A

d) both A and C

14
Q

Attack surface analysis will

a) identify what functions and what parts of the system you need to review/test for security vulnerabilities
b) identify high-risk areas of code that require defense in depth protection - what parts of the system that you need to defend
c) identify when you have changed the attack surface and need to do some kind of threat assessment
d) do all of the above

A

d) do all of the above

15
Q

End-of-life policies apply when

a) users are retiring from the organization
b) users are transitioning to a newer platform
c) users need to update their policies and procedures
d) none of the above happens

A

b) users are transitioning to a newer platform

16
Q

Which is not a risk management strategy?

a) Mitigate
b) Accept
c) Transfer
d) Amend

A

d) Amend

17
Q

Which of the following regulations include provisions to protect consumers’ personal financial information held by financial institutions?

a) Sarbanes-Oxley Act (SOX)
b) Payment Card Industry Data Security Standard (PCI-DSS)
c) Gramm-Leach-Bliley Act (GLBA)
d) Electronic Fund Transfer Act, Regulation E (EFTA)

A

c) GLBA deals with privacy requirements for financial information

18
Q

Which type of requirement is used to describe long-term goals?

a) Cosmic
b) Mission
c) Business
d) Technical

A

b) Mission requirements describe long-term goals, business requirements describe mid-term goals, technical requirements describe short-term goals

19
Q

Which of the following is not a classification criterion for data?

a) usefulness of data
b) value of data
c) age of data
d) format of data

A

d) Classification deals with labeling data according to sensitivity; data format does not affect this

20
Q

Which of the following is not a mandatory document?

a) Standards
b) Baselines
c) Procedures
d) Guidelines

A

d) Guidelines are optional. Standards, baselines and procedures are mandatory

21
Q

Which of the following is an anonymization approach for relational data?

a) Socialization
b) Perturbation
c) Derivation
d) Elicitation

A

b) There are 4 approaches to data anonymization: Generalization, Perturbation, Replacement and Suppression

22
Q

Which of the following are used in the development of abuse cases?

a) Case Reports
b) Use Cases
c) Risk Results
d) Complaints

A

b) Abuse cases can be developed from the inverse of use cases

23
Q

The requirements for a software security standard are comprised of which two subsets to enhance system protection and reduce the risk to the system?

a) Operational System and Organization
b) Operational System and Environment
c) Operational System and Development Process
d) none of the above

A

a) The requirements for a software security standard are drawn from operational system and organization requirements and development process and environment requirements

Why is this not all of the above?

24
Q

Which testing process is most commonly performed at the end of the SDLC?

a) Source Code Static Security Analysis
b) Binary Code Security Scanning
c) Byte Code Security Analysis
d) Source Code Security Fault Injection

A

c) Byte code security analysis can be performed in tandem with source code analysis at the end of the SDLC to improve overall accuracy of results

25
Q

Which principle states that a system should have simple, well-defined interfaces and functions?

a) Clear Abstractions
b) Least Common Mechanism
c) Modularity and Layering
d) Partially Ordered Dependencies

A

a) An abstraction is a technique for arranging complexity of computer systems; clear abstractions are those with simple, well-defined interfaces

26
Q

Which principle states that the system design should be as simple and small as possible?

a) Efficiently Mediated Access
b) Minimized Sharing
c) Reduced Complexity
d) Secure Evolvability

A

c) Reduced Complexity means the design should be as simple and small as possible

27
Q

Which principle states that each component should be allocated sufficient privileges to accomplish its specified functions, but no more?

a) Inverse Modification Threshold
b) Hierarchical Protection
c) Minimized Security Elements
d) Least Privilege

A

d) Security elements should enforce principles such as least privilege and separation of duties

28
Q

Which of the following is an advantage of using an SRTM?

a) It confirms 100 percent test coverage
b) It highlights any security flaws
c) It focuses only on business requirements
d) It replaces the need for analysis by the QA team

A

a) By being able to track the business requirement to the technical requirement to the test case; there is the assurance of 100% test coverage

29
Q

Which of the following defines an entity that denies having performed an action?

a) Tampering
b) Repudiation
c) Information Disclosure
d) Denial of Service

A

b) Non-repudiation is tied to accountability and means an actor cannot deny performing an action

30
Q

Which of the following potential mitigations is used if you want to leave the threat unmitigated?

a) Warn the User (W)
b) Disable the Feature (D)
c) Remove the Feature (R)
d) Technological Solution (T)

A

a) There are 4 potential mitigations; warn the user (which leaves the threat unmitigated), disable the feature (making it an optional application function), remove the feature (get rid of it), technological solution (use technological solutions to mitigate the threat)

31
Q

With which of the following does attack surface analysis help? (Select all that apply)

a) Identify what functions and what parts of the system you need to review/test for security vulnerabilities
b) Identify high-risk areas of code that require defense in depth protection and what parts of the system you need to defend
c) Identify what parts of the system need to be removed or turned off
d) Identify when you have changed the attack surface and need to perform a threat assessment

A

A, B and D - Attack surface analysis is an assessment of the total number of exploitable vulnerabilities in a system or network or other potential computer attack targets. So A, B and D all apply.

32
Q

Which of the following represent the steps in the attack surface analysis process? (Select all that apply)

a) Defining the attack surface of an application
b) Listing the components of the attack surface
c) Measuring and assessing the attack surface
d) Managing the attack surface

A

A, B and C - The attack surface analysis process steps are: Define the attack surface of an application, Identify and map the attack surface, Measure and assess the attack surface

https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet

33
Q

Which type of control is intended to limit the extent of any damage caused by an incident?

a) Limitation Controls
b) Preventive Controls
c) Detective Controls
d) Corrective Controls

A

d) Corrective controls restore the system or process back to the state prior to a harmful event. As such, they contain the damage and prevent further spread of the incident

34
Q

What is the definition of a Rich Internet Application (RIA)?

a) An expensive software based control implemented via a web service
b) A desktop application ported to a web server and run via a portal
c) A web application that has many of the characteristics of desktop application software
d) An internet application that can be used to create income using web services

A

c) A Rich Internet Application is a Web application that has many of the characteristics of desktop application software, and is typically delivered via a browser plug-in, an independent sandbox, JavaScript, or a virtual machine

35
Q

What is a multitenant cloud infrastructure where the cloud is shared by several IT organizations known as?

a) Shared Cloud
b) Organizational Cloud
c) Community Cloud
d) None of the above

A

c) A community cloud is a cloud computing solution provided to a specific computing community, and that is governed, managed and secured commonly by that participating community

36
Q

What must you be able to do when performing a design security review?

a) Attach performance metrics to the review process
b) Decompose your application and be able to identify key items
c) Highlight all security controls used in the system
d) Use standardized graphics to document the data flow

A

b) Decomposing the application allows for a more detailed understanding of the mechanics of the application, which makes it easier to uncover more relevant and more detailed threats

37
Q

What is the difference between provenance and pedigree?

a) Provenance is a place or source of origin, Pedigree is a chart, list or record of origin
b) Pedigree is systematically recorded while Provenance is left to chance
c) Provenance and Pedigree refer to the same concept
d) Pedigree is place or source of origin while Provenance is a chart, list or record of origin

A

a) The difference between Provenance and Pedigree is that Provenance is the place or source of origin; Pedigree is a chart, list or record of origin. The Pedigree is the basis for creating software supply chain paths

38
Q

Which of the following environment types include techniques that let users directly manipulate the structures?

a) Language-oriented Environments
b) Structure-oriented Environments
c) Toolkit Environments
d) Method-Based Environments

A

b) Language-oriented environments are developed around one language, thereby offering a tool set suitable for that particular language. They are very interactive and provide restricted support for programming-in-the-large. Structure-oriented environments include techniques that let users directly manipulate the structures. These techniques are language independent, which triggered the concept of generators for environments. Toolkit environments offer a set of tools that incorporate language independent support for programming-in-the-large tasks such as version control and configuration management. Method-based environments include support for a wide variety of routines involved in the software development process. This includes tasks such as team and project management. These environments also feature tools for certain specification and design techniques.

39
Q

An agreement for all customers using the services being delivered by the service provider is an example of which of the following?

a) Customer Based SLA
b) Service Based SLA
c) Multilevel SLA
d) Customer Level SLA

A

b) A service level agreement (SLA) is an agreement between two or more parties where one is the customer and the others are service providers. This can be a formal (legally binding) or an informal (for example, internal department relationships) “contract”. The agreement may involve separate organizations or different teams within one organization

40
Q

Which of the following is included in the terms and conditions of the GNU General Public License (GNU GPL)?

a) The license must be made available to anybody
b) Any licensee who adheres to the terms and conditions is given permission to modify the work
c) Free software should place restrictions on commercial use
d) A distributer may impose further restrictions on the rights granted by the GPL

A

b) The GNU General Public License (GNU GPL) is a freely available, copyleft license, a license that allows end users to execute, modify, and share the software to which the license applies, and which means that any software created or modified under that license must be distributed under the same license terms. The license allows for redistribution, either for a fee or free of charge, but cannot impose any constraints further than those already enforced by the parent GPL license, such as a nondisclosure agreement or contract. The only restriction on the use of the GPL license is that two licensees must use different names for the license.

41
Q

Which of the following is the most important use of input validation?

a) It ensures that input is readable
b) It can be used to design elegant interfaces
c) It ensures all of the required fields have been filled out and conform to your formats and business rules
d) It is the most effective way to stop the execution of common attacks

A

d) There are all sorts of other types of vulnerabilities that would be solved by input validation. If there is one thing that could solve a huge number of security vulnerabilities, including execution attacks, it would be input validation.

42
Q

In terms of output encoding, an XSL engine is used to do which of the following?

a) Load documents into memory
b) Convert text to XLS format
c) Convert the output to a different encoding
d) Perform the execution of the XSL commands

A

c) One way of performing output encoding is to use an Extensible Stylesheet Language (XSL) engine, which can convert the output to a different encoding.

43
Q

In terms of malware, what is the definition of a worm?

a) A fragment of code that attaches itself to other executable computer instructions
b) A virus that is able to infect both boot sectors and program files
c) A stand-alone file that can be executed by an interpreter
d) A program that self-propagates from one computer to another over a network

A

d) A worm is a program that self-propagates from one computer to another over a network, using the resources on one machine to attack other machines. Worms differ from viruses in that they do not need input from users; worms are independently capable of transferring between computers.

44
Q

What is the most important aspect of code signing?

a) Ensuring the code is in the correct format for the signing process
b) Ensuring the correct public keys are available to sign the code
c) Ensuring the integrity of the system relies on publishers securing their private keys against unauthorized access
d) Ensuring the hashing algorithm can perform both encryption and decryption

A

c) Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity.

45
Q

What is software security testing mainly used to test against?

a) Software Security Enhancements
b) Functional Requirements
c) Nonfunctional Requirements
d) Attacker Heuristics

A

c) Nonfunctional refers to aspects of the software that may not be related to a specific function or user action such as scalability or security

46
Q

Which of the following is the correct sequence of execution for penetration testing?

a) Reconnaissance, Scanning, Attack, Vulnerability Mapping, and Reporting
b) Planning, Discovery, Vulnerability Mapping, Penetration, and Reporting
c) Planning, Discovery, Vulnerability Mapping, Attack, and Reporting
d) Planning, Vulnerability Mapping, Scanning, Attack, and Reporting

A

c) Penetration testing is often executed in 5 phases: Planning, Discovery, Vulnerability Mapping, Attack and Reporting

47
Q

Which of the following is the correct description for stress testing of software testing?

a) Large amounts of data
b) Large amounts of users
c) Too much data and too many users
d) Too many users, too much data and too little time and too little room

A

d) The difference between volume, load and stress testing is as follows: Volume testing uses large amounts of data, load testing uses a large amount of users, while stress testing uses too many users and too much data with too little time and too little room

48
Q

What is the main difference between test harness / unit test framework tools and test execution tools?

a) Test harness tools need to be constrained during use
b) There is no capture / playback facility in unit test tools, and they tend to be used at a lower level
c) Test execution tools only run on compiled code
d) None of the above

A

b) Test execution tools are also known as capture/playback (capture/replay) tools. The test execution tools need a scripting language to create and modify the scripts to run the tool.

49
Q

Which of the following is an object that is verified when presented to the verifier in an authentication transaction?

a) Credential
b) Secret Key
c) Authenticator
d) Certificate

A

a) A credential is an object that is verified when presented to the verifier in an authentication transaction. Credentials may be bound in some way to the individual to whom they were issued, or they may be bearer credentials. The former are necessary for identification, while the latter may be acceptable for some forms of authentication.

50
Q

Why does security checking need to continue during distribution/deployment and after software has been tested?

a) The tester’s job is never done
b) The code needs a final check before delivery
c) Pre-deployment software is most vulnerable to unauthorized access
d) The test plan may have missed something

A

c) Once software has undergone all of its testing and mitigations or remediations of unacceptable test findings have been implemented, it is considered ready for release. Security checking does not stop here, however, because this is the point in the SDLC at which pre-deployment software is most vulnerable to unauthorized access when it is being staged for distribution/deployment, transferred from staging to the production environment, or in the process of being installed.

51
Q

If code with a vulnerability is removed from the code base, which risk response was exercised?

a) Accepting
b) Avoiding
c) Transferring
d) Sharing

A

b) After a risk determination, organizations can respond to risk in a variety of ways: accepting risk, avoiding risk, mitigating risk, sharing risk, transferring risk, or a combination of the above.

52
Q

What is the purpose of a data retention policy?

a) Describe the procedure to retain data
b) Determine where data should be stored
c) Determine which data is not subject to specific regulatory requirements
d) Determine the sequence by which the data should be deleted

A

c) A data retention policy, or records retention policy, is an organization’s established protocol for retaining information for operational or regulatory compliance needs.

53
Q

Which of the following access control types gives “UPDATE” privileges on Structured Query Language (SQL) database objects to specific users or groups?

a) Content dependent access control
b) Discretionary access control
c) Directory access control
d) Data Control Language (DCL) access control

A

b) Discretionary Access Control

54
Q

The 3 primary methods for authentication of a user to a system or network are:

a) Passwords, tokens and biometrics
b) Authorization, identification and tokens
c) Passwords, encryption and identification
d) Identification, encryption and authorization

A

a) Passwords, tokens and biometrics

55
Q

An access system that grants users only those rights necessary for them to perform their job is operating on which security principle?

a) Discretionary Access
b) Least Privilege
c) Mandatory Access
d) Separation of Duties

A

b) Least Privilege

56
Q

Which one of the following can be used to increase the authentication strength of an access control system?

a) Multi-party
b) Two factor
c) Mandatory
d) Discretionary

A

b) Two factor

57
Q

What role do biometrics have in a logical access control?

a) Identification
b) Authorization
c) Authentication
d) Confirmation

A

c) Authentication

58
Q

At what stage of the application development process should the security department first become involved?

a) Prior to the implementation
b) Prior to user acceptance testing
c) During unit testing
d) During requirements development

A

d) During requirements development

59
Q

All the following are purposes of the change control management process EXCEPT ensuring the changes are:

a) Properly authorized
b) Required by users
c) Fully documented
d) Performed correctly

A

b) Required by users

60
Q

Security of an automated system is most effective and economical if the system is

a) Optimized prior to addition of security
b) Customized to meet a specific security threat
c) Subjected to intense security testing
d) Designed originally to provide the necessary security

A

d) Designed originally to provide the necessary security

61
Q

Programmed procedures which ensure that valid transactions are processed accurately and only once are referred to as

a) Data installation controls
b) Application controls
c) Operation controls
d) Physical controls

A

c) Operation controls

62
Q

What common attack can be used against passwords if a copy of the password file can be obtained?

a) Birthday attack
b) Dictionary attack
c) Plaintext attack
d) Smurf attack

A

b) Dictionary attack

63
Q

Configuration management ensures that all changes to a computer system take place in an identifiable and controlled environment, and that the changes

a) to application software cannot bypass system security features
b) do not adversely affect implementation of the security policy
c) to the operating system are always subjected to independent validation and verification
d) in technical documentation maintain an accurate description of the Trusted Computing Base

A

b) do not adversely affect implementation of the security policy

64
Q

Which of the following is the MAIN advantage of having an application gateway?

a) To perform change control procedures for applications
b) To provide a means for applications to move into production
c) To log and control incoming and outgoing application traffic
d) To audit and approve changes to applications

A

c) To log and control incoming and outgoing application traffic

65
Q

The best practice to prevent logging clutter in application security is to:

a) Log an exception when the exception is wrapped with another exception and propagate
b) Catch and log exceptions at every level in the software
c) Catch and log exceptions only at points which exceptions are actually handled
d) Disable debug level logging in a production environment

A

c) Catch and log exceptions only at points which exceptions are actually handled

66
Q

Which of the following defines the intent of a system security policy?

a) A description of the settings that will provide the highest level of security
b) A brief high-level statement defining what is and is not permitted in the operation of a system
c) A definition of those items that must be denied on the system
d) A listing of tools and applications that will be used to protect the system

A

b) A brief high-level statement defining what is and is not permitted in the operation of a system

67
Q

What is one advantage of Content-Dependent Access Control of information?

a) It prevents data locking
b) It limits the user’s individual address space
c) It provides highly granular control
d) It confines access to authorized users of the system

A

c) It provides highly granular control

68
Q

The concept that all accesses must be mediated, protected from modification, and verifiable as correct is the concept of

a) Secure Model
b) Security Locking
c) Reference Monitor
d) Secure State

A

c) Reference Monitor

69
Q

Which one of the following is the MAIN goal of a security awareness program when addressing senior management?

a) To provide a way to communicate security procedures
b) To provide a clear understanding of potential risk and exposure
c) To provide an opportunity to disclose exposures and risk analysis
d) To provide a forum to communicate user responsibilities

A

b) To provide a clear understanding of potential risk and exposure

70
Q

A worm most frequently spreads via:

a) User misuse
b) Vulnerabilities in software
c) Mobile code attacks
d) Infected USB drives and wireless access points

A

b) Vulnerabilities in software

71
Q

Spoofing can be defined as

a) eavesdropping on communications between persons or processes
b) a person or process emulating another person or process
c) a hostile or unexpected entity concealed within another entity
d) the testing of all possibilities to obtain information

A

b) a person or process emulating another person or process

72
Q

Which of the following represents an Annualized Loss Expectancy (ALE) calculation?

a) ALE = GLE * ARO
b) ALE = AV * EF
c) ALE = Risk - Countermeasures
d) ALE = SLE * ARO

A

d) ALE = SLE * ARO

73
Q

Step by step instructions used to satisfy control requirements are called a

a) Policy
b) Standard
c) Guideline
d) Procedure

A

d) Procedure

74
Q

Separation of duties should be

a) Enforced in all organizational areas
b) Cost justified for the potential for loss
c) Enforced in the program testing phase of application development
d) Determined by the availability of trained staff

A

b) Cost justified for the potential loss

75
Q

What principle recommends the division of responsibilities to prevent a person from committing fraud?

a) Separation of duties
b) Mutual exclusion
c) Need to know
d) Least privilege

A

a) Separation of duties

76
Q

A timely review of system access audit records would be an example of which basic security function?

a) Avoidance
b) Deterrence
c) Prevention
d) Detection

A

d) Detection

77
Q

An advantage of asymmetric key cryptography is that

a) It is relatively easy to distribute keys
b) Both keys are the same
c) It can be easily implemented in hardware
d) Execution can be very fast

A

a) It is relatively easy to distribute keys

78
Q

Which trusted third party authenticates public encryption keys?

a) Public key notary
b) Certification Authority (CA)
c) Key Distribution Center (KDC)
d) Key revocation certificate

A

b) Certification Authority (CA)

79
Q

Which one of the following is the best known example of a symmetric key cipher system?

a) Data Encryption Standard (DES)
b) Rivest-Shamir-Adleman (RSA)
c) ElGamal (ElG)
d) Message Digest 5 (MD5)

A

a) Data Encryption Standard (DES)

80
Q

Which of the following describes the first process in the establishment of an encrypted session using a Data Encryption Standard (DES) key?

a) Key Clustering
b) Key Compression
c) Key Signing
d) Key Exchange

A

d) Key Exchange

81
Q

Which of the following does a digital signature provide?

a) It provides the ability to encrypt an individual’s confidential data
b) It ensures an individual’s privacy
c) It identifies the source and verifies the integrity of data
d) It provides a framework for law and procedures

A

c) It identifies the source and verifies the integrity of data

82
Q

The value of data or an information system to an organization should consider all of the following factors EXCEPT

a) the requirements of regulations or legislation
b) the number of people requiring access to the system or data
c) the sensitivity of the data or systems and risks associated with disclosure
d) whether access to the data or system is critical to business functions

A

b) the number of people requiring access to the system or data

83
Q

What principle recommends the limitation of access permissions to select individuals?

a) Separation of Duties
b) Mutual Exclusion
c) Need to Know
d) Dual Control

A

c) Need to Know

84
Q

Another name for a Virtual Private Network (VPN) is a:

a) Tunnel
b) Firewall proxy
c) Named-pipe
d) Domain

A

a) Tunnel

85
Q

What type of subsystem is an application program that operates outside the operating system and carries out functions for a group of users, maintains some common data for all users in the group, and protects the data from improper access by users in the group?

a) Prevented subsystem
b) Protected subsystem
c) File subsystem
d) Directory subsystem

A

b) Protected subsystem

86
Q

One example of a security countermeasure against SQL injection attacks is

a) to deploy an IDS
b) to encrypt communications using SSL
c) Anti-virus deployment
d) User input validation

A

d) User input validation

87
Q

Which one of the following is NOT a valid X.509 certificate field?

a) Subject’s public key information
b) Subject’s X.500 name
c) Issuer’s unique identifier
d) Subject’s digital signature

A

d) Subject’s digital signature

88
Q

In what way can web applets pose a security threat?

a) Their transport can interrupt the secure distribution of World Wide Web pages over the Internet by removing SSL and S-HTTP
b) Client execution environment may not provide the ability to limit system access that an applet could have on a client system
c) Executables from the Internet may attempt an unintentional attack when they are downloaded on a client system because of bad programming
d) Client execution environment will check the bytecode at runtime or provide other safety mechanisms for program isolation from the client system

A

b) Client execution environment may not provide the ability to limit system access that an applet could have on a client system

89
Q

Which one of the following individuals has PRIMARY responsibility for determining the classification level of information?

a) Security Manager
b) User
c) Owner
d) Auditor

A

c) Owner

90
Q

When basic standards for software development are implemented within an organization and are in common use (defined, established and documented), the organization has reached what level of CMMI for software engineering?

a) Level 1
b) Level 2
c) Level 3
d) Level 4

A

c) Level 3

91
Q

Computer security is the responsibility of

a) Everyone in the organization
b) Corporate management
c) The corporate security staff
d) Everyone with computer access

A

a) Everyone in the organization

92
Q

The MOST dangerous consequence of a buffer overflow vulnerability is

a) Denial of Service (DoS)
b) Arbitrary code execution
c) Disclosure of confidential information
d) Damage to the organizational brand

A

b) Arbitrary code execution

93
Q

Using an SDLC methodology in a software development project should

a) Improve the quality of the software product
b) Include an exact schedule for the project
c) Increase the number of software vulnerabilities
d) Decrease the complexity of the software code

A

a) Improve the quality of the software product

94
Q

Many common vulnerabilities such as buffer overflows, SQL injection and command injections can be traced to failure to

a) install the latest vendor patches
b) maintain a hardened server configuration
c) validate user input
d) abide by organizational security policies

A

c) validate user input

95
Q

When dealing with intellectual property rights for software between nations, it is important to consider

a) information concerning the overall foreign trade agreements between two nations
b) the governing law in the agreements between two nations
c) foreign corrupt trading practices in the agreement between the two nations
d) information about the specific product liabilities the software has

A

b) the governing law in the agreements between two nations

96
Q

Which of the following is the MOST important information to consider when writing a security policy?

a) The impact on the organization’s ability to achieve its goals
b) The acceptance by members of the IT department
c) The effect it could have on organizational morale
d) The degree to which it may affect the Business Continuity Plan (BCP)

A

a) The impact on the organization’s ability to achieve its goals

97
Q

Which of the following is the LEAST important information to record when logging a security violation?

a) User’s Name
b) UserID
c) Type of violation
d) Date and Time of the violation

A

a) User’s Name

98
Q

During the INITIAL stages of software development, a development team should analyze the vulnerabilities that could be encountered by the application. The method of analysis is termed

a) Audit Analysis
b) Threat Modeling
c) Cost Benefit Analysis
d) Software Development Life Cycle (SDLC)

A

b) Threat Modeling

99
Q

Which of the following is MOST true about Management’s overarching security policy?

a) It details the organization’s security plan
b) It directly reflects management’s commitment to security
c) It should be published so it can be used
d) Copies should be controlled for ease of updating, accountability purposes, auditing and to demonstrate management’s commitment to security

A

b) It directly reflects management’s commitment to security

100
Q

All of the following are basic components of a security policy EXCEPT the

a) Definition of the issue being addressed and relevant terms
b) Statement of roles and responsibilities
c) Statement of applicability and compliance requirements
d) Statement of performance characteristics and requirements

A

d) Statement of performance characteristics and requirements

101
Q

Which of the following provides for an effective security program?

a) A hierarchical definition of security policies, standards, and procedures
b) The identification, assessment and mitigation of vulnerabilities
c) A definition of program modules and procedures for data structures
d) The identification of organizational, procedural and administrative weaknesses

A

a) A hierarchical definition of security policies, standards and procedures

102
Q

Which of the following could BEST be utilized to validate the continued need for access to system resources?

a) Periodically review and recertify privileged users
b) Periodically review audit and access logs
c) Periodically review processes that grant access
d) Periodically review data classifications by management

A

b) Periodically review audit and access logs

103
Q

Which risk management methodology uses the exposure factor multiplied by the asset value to determine its outcome?

a) Annualized Loss Expectancy
b) Single Loss Expectancy
c) Annualized Rate of Occurrence
d) Information Security Risk Management

A

b) Single Loss Expectancy

104
Q

What is the PRIMARY reason for designing the security kernel to be as small as possible?

a) The operating system cannot be easily penetrated by users
b) Changes to the kernel are not required as frequently
c) Due to its compactness, the kernel is easier to formally verify
d) System performance and execution are enhanced as the kernel is faster

A

c) Due to its compactness, the kernel is easier to formally verify

105
Q

What should be the size of a Trusted Computer Base?

a) Small - In order to permit it to be implemented in all critical systems
b) Small - In order to facilitate the detailed analysis necessary to prove that it meets design requirements
c) Large - In order to accommodate the implementation of future updates without incurring the time and expense of recertification
d) Large - In order to enable it to protect the potentially large number of resources in a typical commercial system environment

A

b) Small - In order to facilitate the detailed analysis necessary to prove that it meets design requirements

106
Q

Which one of the following refers to a series of characters used to verify a user’s identity?

a) Token serial number
b) UserID
c) Password
d) Security ticket

A

c) Password

107
Q

Which of the following MUST be true before the least privilege principle applies?

a) The individual must have a need to know
b) The object’s label must be updated with the subject’s clearance level
c) The object’s label must grant the subject access to the object
d) The individual must be assigned to a leadership position in the organization

A

a) The individual must have a need to know

108
Q

The core concepts of software security are based on

a) Availability, Confidentiality, Integrity
b) Risk, Architecture, User Requirements
c) Asset Value, Probability, Impact
d) Controls, Safeguards, Countermeasures

A

a) Availability, Confidentiality, Integrity

109
Q

The purpose of a security baseline is to

a) create a standard configuration for all systems and applications on the network
b) enforce compliance with corporate IT guidelines
c) reduce total cost of ownership (TCO)
d) ensure that all processes are compliant with regulations

A

a) create a standard configuration for all systems and applications on the network

110
Q

An ideal security model is

a) centralized or decentralized according to business and security needs
b) always defaulted to a level of higher security not lower security
c) reviewed and approved by audit at least once per quarter
d) focused more on security standards than on business requirements

A

a) centralized or decentralized according to business and security needs

111
Q

The concept of complete mediation is important in order to

a) ensure all unauthorized users are prevented from making improper modifications
b) protect all systems and procedures from unapproved changes
c) control all access by subjects requesting access to resources
d) only enforced at initial login and often subject to a time of use versus time of check (TOCTOU) attack

A

c) control all access by subjects requesting access to resources

112
Q

An organization wants to protect its brand and reputation by designing a new style and color of packaging for its products. How would the organization protect this marketing technique?

a) Patent
b) Trademark
c) Copyright
d) Trade secret

A

b) Trademark

113
Q

Access controls refer to the responsibility to

a) protect data and systems from changes or modifications
b) log and audit all activities on a system
c) identify and label critical and sensitive data
d) permit authenticated personnel to perform authorized changes

A

d) permit authenticated personnel to perform authorized changes

114
Q

The PRIMARY objective of security during the requirements phase of the SDLC is to

a) create awareness amongst all project team members of security risks and controls
b) develop the security controls according to best practice and design
c) ensure security controls are implemented and operating correctly
d) integrate security into the software development process

A

d) integrate security into the software development process

115
Q

In order to determine the security requirements for a secure systems architecture the security specialist must

a) focus on the specific security needs of the individual systems
b) understand both use and misuse case models
c) closely adhere to best practices and internationally recognized standards
d) develop a cost benefit calculation that justifies the cost of each control

A

b) understand both use and misuse case models

116
Q

One way to minimize the cost of protecting information is to

a) classify all information at a high level and strictly restrict access
b) ensure the organization has sufficient insurance to cover any loss or breach
c) encrypt all data and ensure that it is disposed of properly
d) develop an information classification procedure and ensure that appropriate handling procedures are in place

A

d) develop an information classification procedure and ensure that appropriate handling procedures are in place

117
Q

Information classification requires

a) identifying an information owner
b) not mixing data of different classification levels on the same system
c) protecting the security kernel from unauthorized manipulation
d) locking all sensitive data in secure cabinets

A

a) identifying an information owner

118
Q

Kerberos is an example of

a) Single Sign On (SSO)
b) Decentralized Access Control (DCO)
c) Implementation of LDAP (Lightweight Directory Access Protocol)
d) Intrusion Detection

A

a) Single Sign On

119
Q

Software security design allocates

a) security requirements to the components that will deliver specific security functions
b) user functions to customize security controls
c) business requirements into security features and requirements
d) security standards into properly implemented security controls

A

a) security requirements to the components that will deliver specific security functions

120
Q

Measuring the attack surface during the design phase is important to

a) define an ongoing metric for default security levels
b) prepare a business case for cost benefit analysis
c) ensure that layered defense (defense in depth) solutions are implemented correctly
d) discover new business or security requirements not documented in the requirements phase

A

a) define an ongoing metric for default security levels

121
Q

The challenge of interconnecting systems and integrations with legacy equipment is due to the fact that

a) older systems were never built with adequate security controls
b) it can be extremely difficult to modernize older equipment to update it to new standards
c) there may be unknown alternate paths to information or systems through older systems or networks
d) legacy systems are inflexible and will not adjust to modern security needs

A

a) older systems were never built with adequate security controls

122
Q

Threat modeling determines

a) the resilience of the system to attack or compromise
b) the presence of any vulnerabilities in the systems design
c) the potential harm to each asset and the associated level of risk
d) the likelihood a control will not provide adequate protection in the event of an attack

A

d) the likelihood a control will not provide adequate protection in the event of an attack

123
Q

The main purpose of code signing is to

a) protect the Intellectual Property (IP) of the organization from theft or copying
b) making the code unintelligible to prevent reverse engineering
c) ensuring no unauthorized changes are made to the code
d) protect code from being copied or used on unlicensed machines

A

c) ensuring no unauthorized changes are made to the code

124
Q

Identification of specific areas that will require additional code testing or examination of the code for vulnerabilities is facilitated through the use of

a) Code Analysis
b) Risk Management
c) Threat Modeling
d) Business Case and Reference Models (BRM)

A

c) Threat Modeling

125
Q

Software testing should focus on

a) testing the integration of each software component with the network security controls
b) the discovery of user requirements
c) ensuring the security controls are operating correctly
d) detecting potential security vulnerabilities not just software function and features

A

d) detecting potential security vulnerabilities not just software function and features

126
Q

The advantage of using “fuzzing” test techniques is that it

a) replaces the requirement to develop detailed and specific test cases
b) tests the ability of the software to handle common user exceptions
c) ensures tests will cover the entire range of allowable input values in a truly random manner
d) validates that input and output validation controls are set correctly

A

c) ensures tests will cover the entire range of allowable input values in a truly random manner

127
Q

Automated code testing tools will allow the development team to

a) replace the existing manual testing procedures with more efficient automated processes
b) provide better assurance that code is error free than was possible with manual testing scenarios
c) allow more thorough testing when used in conjunction with manual testing
d) shorten the time required to do testing and may allow certain tests to be bypassed

A

c) allow more thorough testing when used in conjunction with manual testing

128
Q

“Cold Booting” is an example of a security vulnerability that

a) indicates a system must only be operated at temperatures below thirty degrees Celsius (94 F)
b) attempts to read data from an integrated circuit chip by freezing it at extremely low temperatures
c) is the process of recovery following a system failure that requires a complete rebuild of the system including operating systems, utilities and applications
d) when a development team is requested to (pushed into) work on a systems development project without having been provided detailed user specifications

A

b) attempts to read data from an integrated circuit chip by freezing it at extremely low temperatures

129
Q

Defensive coding practices include memory management, memory handling and

a) Stress and Performance Testing
b) Code Signing
c) Type Safety
d) Preventing Buffer Overflows

A

c) Type Safety

130
Q

What is the goal of secure software testing?

a) To determine if the software meets requirements
b) To compare as-built functionality with the as-designed security framework
c) To prevent the introduction of a flawed program into production
d) To ensure the designed security controls were implemented correctly, operating correctly and providing the intended benefit

A

d) To ensure the designed security controls were implemented correctly, operating correctly and providing the intended benefit

131
Q

High priority code is listed in the CSSLP Candidate Information Bulletin (CIB) as

a) code that is designed for continuous or high availability
b) code that must be flexible enough to meet rapidly changing market conditions
c) code that is on the attack surface of the application
d) code that is executed in real time and therefore allows online interrupts to expedite processing

A

c) code that is on the attack surface of the application

132
Q

Regression testing is testing that

a) ensures new changes do not unintentionally overwrite previous changes
b) ensures all code is compatible with legacy data and systems
c) uses older coding languages and techniques despite the availability of newer, more efficient tools
d) testing that discovers older, previously unknown vulnerabilities in re-used legacy code

A

a) ensures new changes do not unintentionally overwrite previous changes

133
Q

Software acceptance must consider the approval to implement software from the perspective of the

a) Development Team
b) Configuration Management Team
c) Customers
d) Users

A

c) Customers

134
Q

An organization is developing a new product for sale globally. Therefore, they may need to have the product tested to enable it to be sold to customers that require external validation. Which testing process may they use for the purpose?

a) ISO 15408
b) COBIT
c) ISO27001
d) CMMI

A

a) ISO 15408

135
Q

A vulnerability has been found in a deployed system. What should the organization that developed the code do?

a) Market the vulnerability as a new “feature”
b) Ignore it and hope no one else finds it
c) Update the End User License Agreement (EULA) to refute any responsibility for operational problems whatever the cause
d) Aggressively attack the reputation and credibility of the individual or organization that disclosed the problem

A

c?

136
Q

Which of the following BEST describes something of value to an organization?

a) Agent
b) Asset
c) Control
d) Threat

A

b) Asset

137
Q

Which of the following is comprised of the threats, vulnerabilities, and current value of an asset?

a) Attack Surface
b) Exposure
c) Residual Risk
d) Total Risk

A

d) Total Risk

138
Q

Taking advantage of a vulnerability is also known as a(n):

a) Attack
b) Control
c) Exploit
d) Threat

A

c) Exploit

139
Q

Which of the following BEST describes Residual Risk?

a) Risk remaining after all controls have been defined
b) Risk remaining after all controls have been applied
c) Risk remaining after an attack has been performed
d) Risk remaining after operations have been restored

A

b) Risk remaining after all controls have been applied

140
Q

In a Risk Calculation, Single Loss Expectancy (SLE) is the product of

a) Annual Loss Expectancy (ALE) * Annual Rate of Occurrence (ARO)
b) Annual Loss Expectancy (ALE) * Risk
c) Asset Value * Annual Loss Expectancy (ALE)
d) Asset Value * Exposure Factor

A

d) Asset Value * Exposure Factor

141
Q

In a Risk Calculation, Annual Loss Expectancy (ALE) is the product of

a) Annual Rate of Occurrence (ARO) * Single Loss Expectancy (SLE)
b) Asset Value * Exposure Factor
c) Probability * Impact
d) Risk * Annual Rate of Occurrence (ARO)

A

a) Annual Rate of Occurrence (ARO) * Single Loss Expectancy (SLE)

Remember : ALE = ARO * SLE

-or- BEER = AROUSLE

142
Q

Managing exposure before a threat takes advantage of a vulnerability is also known as

a) Evergreen
b) Risk Management
c) Security Tenets
d) Trustworthy Computing

A

b) Risk Management

143
Q

Which of the following is LEAST LIKELY to be a challenge to Software Risk Management?

a) Asset value can be subjective
b) Exposure Factor, Probability and Impact data can be limited
c) Not enough information about the threats
d) Sometimes difficult to quantify software assets

A

d) Sometimes difficult to quantify software assets

144
Q

Which of the following BEST describes the negative impact of adding new controls to an organization?

a) Controls may be intermittent
b) Controls may cause unintended results
c) Controls may not be available for use
d) Controls may be poorly documented or understood

A

b) Controls may cause unintended results

145
Q

Who or what ultimately assumes all liability of the risks introduced by new software?

a) Developers
b) Security
c) The organization
d) The vendor

A

c) The organization

146
Q

Which of the following is NOT a way of handling risk?

a) Accept
b) Document
c) Mitigate
d) Transfer

A

b) Document

147
Q

Which of the following is NOT a security tenet?

a) Availability
b) Avoidance
c) Authentication
d) Authorization

A

b) Avoidance

148
Q

Which of the following is NOT a part of the Iron Triangle Challenge?

a) Budget
b) Schedule
c) Scope
d) Training

A

d) Training

149
Q

Which of the following is NOT a primary component of Quality Software?

a) Security
b) Privacy
c) Usability
d) Reliability

A

b) Privacy

150
Q

Which triad is at the foundation of secure software?

a) Budget, Schedule and Scope
b) Confidentiality, Integrity and Availability
c) Knowledge, Ownership and Characteristics
d) Something you have, something you know and something you are

A

b) Confidentiality, Integrity and Availability

Budget, Schedule and Scope are the 3 tiers of the Iron Triangle.

151
Q

In terms of the CSSLP, Auditing means

a) Logging
b) Notifying
c) Referencing
d) Reviewing

A

a) Logging

152
Q

Non-Repudiation ensures

a) Accountability
b) Confidentiality
c) Integrity
d) Reliability

A

a) Accountability

153
Q

Proper session management can BEST protect an application against which type of attack?

a) Cross-site scripting (CSS)
b) Denial of Service (DOS)
c) Man-in-the-Middle (MITM)
d) SQL Injection

A

b) Denial of Service (DOS)

154
Q

Which security tenet states that “mechanisms common to more than one user/process are not shared”?

a) Economy of Mechanism
b) Complete Mediation
c) Least Common Mechanism
d) Separation of Duties

A

c) Least Common Mechanism

155
Q

With Complete Mediation

a) authority to access objects is checked every time access is requested
b) authorization levels are defined by roles
c) components are reused whenever possible
d) countermeasures are implemented to avoid a single point of failure

A

a) authority to access objects is checked every time access is requested

156
Q

Which of the following has been the biggest driver of information security initiatives in the past few years?

a) Weak economy
b) Maintain competitive advantage
c) Regulatory compliance
d) Reputation

A

c) Regulatory compliance

157
Q

Which of the following is MOST critical to having an effective security policy?

a) Adequate documentation and training
b) Developer buy-in
c) Support of top management
d) User Acceptance

A

c) Support of top management

158
Q

Which of the following does NOT drive a need for standards?

a) Adherence to policy
b) Boost customer confidence
c) Ease of maintenance
d) Use of popular methodologies

A

d) Use of popular methodologies

159
Q

Using instrumentation in coding may introduce which of the following security vulnerabilities?

a) Denial of Service
b) Information Disclosure
c) Lack of Standards
d) Performance Impairment

A

d) Performance Impairment

160
Q

Overloaded operators are an example of

a) Least Common Mechanism
b) Least Privilege
c) Polyinstantiation
d) Polymorphism

A

d) Polymorphism

161
Q

Which standard has blueprints for Information Security Management Systems (ISMS)?

a) DoD 8570.1
b) FIPS 140.2
c) ISO 27000 series
d) ISO 9126

A

c) ISO 27000 series

162
Q

Which standard is also known as The Common Criteria?

a) ISO 15408
b) ISO 27799
c) ISO 27000
d) ISO 9126

A

a) ISO 15408

163
Q

Which standard is for software product evaluation?

a) ISO 15408
b) ISO 27799
c) ISO 27000
d) ISO 9126

A

a) ISO 15408

164
Q

Which standard is titled “Security Considerations in the Information System Development Life Cycle”?

a) FIPS 140-2
b) FIPS 201
c) NIST SP 800-12
d) NIST SP 800-64

A

d) NIST SP 800-64

165
Q

The type of questioning, where the original question is responded to as though it were an answer, is also known as

a) Flaw-hypothesis method
b) OCTAVE
c) Socratic method
d) Vulnerability remediation

A

c) Socratic method

166
Q

Which of the following is a scoring system used to produce risk rankings?

a) COSO
b) CVSS
c) OCTAVE
d) OSSTMM

A

b) CVSS

167
Q

Which of the following analysis frameworks has a matrix with the column headers who, what, when, where, why and how?

a) COBIT
b) ITIL
c) SEI IDEAL
d) Zachman’s Framework

A

b) ITIL

168
Q

Which business management strategy has the goal of 3.4 defects per million opportunities?

a) Six Sigma
b) SABSA
c) COBIT
d) CMMI

A

a) Six Sigma

169
Q

Which of the following is NOT one of the layers in the Sherwood Applied Business Security Architecture (SABSA) framework?

a) Physical (Security Mechanisms)
b) Psychological (User Acceptance)
c) Component (Tools and Products)
d) Operational (Security Management)

A

b) Psychological (User Acceptance)

170
Q

Which regulation is concerned with protecting the customer’s personal financial information held by financial institutions?

a) Computer Misuse Act
b) Gramm-Leach Bliley Act (GLBA)
c) Sarbanes Oxley (SOX)
d) Title 21 Code of Federal Regulations (CFR) Part 11

A

b) Gramm-Leach Bliley Act (GLBA)

171
Q

The guideline “don’t collect information if you don’t need it” BEST applies to

a) Confidentiality
b) Integrity
c) Availability
d) Non-Repudiation

A

a) Confidentiality

172
Q

The Orange Book: A Guide to Understanding Discretionary Access Control in Trusted Systems is based on which of the following models?

a) Bell-LaPadula Confidentiality (BLP)
b) Biba Integrity
c) Clark Wilson Integrity
d) Brewer Nash

A

a) Bell-LaPadula Confidentiality (BLP)

173
Q

Which of the following is NOT a property of the Bell-LaPadula Confidentiality model?

a) Star
b) Security
c) Strong Star
d) Simple Security

A

b) Security

174
Q

Which security model is concerned with preventing UNAUTHORIZED subjects from making modifications?

a) Bell-LaPadula Confidentiality (BLP)
b) Biba Integrity
c) Brewer Nash
d) Clark Wilson Integrity

A

d) Clark Wilson Integrity

175
Q

Which security model is concerned with preventing AUTHORIZED subjects from making IMPROPER modification?

a) Bell-LaPadula Confidentiality (BLP)
b) Biba Integrity
c) Brewer Nash
d) Clark Wilson Integrity

A

d) Clark Wilson Integrity

176
Q

Which security model uses rules to prevent conflicts of interest?

a) Bell-LaPadula Confidentiality (BLP)
b) Biba Integrity
c) Brewer Nash
d) Clark Wilson Integrity

A

c) Brewer Nash

177
Q

Which type of testing might NOT be available if purchasing rather than building software?

a) Security testing
b) Usability testing
c) Black box testing
d) White box testing

A

d) White box testing

178
Q

In the four layers of Ring Protection, at which ring does the operating system kernel reside?

a) Ring 0
b) Ring 1
c) Ring 2
d) Ring 3

A

a) Ring 0

179
Q

Which of the following uses cryptographic modules and keys at the hardware level?

a) Trusted Computing Base (TCB)
b) Trusted Platform Module (TPM)
c) Reference Monitor Concept
d) Ring Protection

A

b) Trusted Platform Module (TPM)

180
Q

Which of the following does the Trusted Computing Base (TCB) NOT monitor?

a) Process Activation
b) User Activity Patterns
c) Input/output Operations
d) Execution Domain Switching

A

b) User Activity Patterns

181
Q

Which of the following is the final maturity level of System Security Engineering Capability Maturity Model (SSE-CMM)?

a) Continuously Improving
b) Performed Informally
c) Qualitatively Controlled
d) Well Defined

A

a) Continuously Improving

This level is also known as Optimizing or Level 5. Qualitatively Controlled is actually Level 4.

182
Q

Separation of Duties is also known as

a) Compartmentalization Principle
b) Defense in Depth
c) Economy of Mechanism
d) Single Point of Failure

A

a) Compartmentalization Principle

183
Q

Which of the following is NOT part of secure Exception Management?

a) Fail Secure (Fail Safe)
b) Non-Verbose Messages
c) Complete Mediation
d) Handling Unexpected Behavior

A

c) Complete Mediation

184
Q

Which two frameworks are often used together to create a matrix to represent the whole model for the enterprise security architecture?

a) COSO and COBIT
b) COSO and Zachman
c) SABSA and COBIT
d) SABSA and Zachman

A

b) COSO and Zachman

185
Q

Which framework allows managers to bridge the gap between control requirements, technical issues, and business risks, and focuses more on regulatory compliance?

a) COSO
b) COBIT
c) SABSA
d) Zachman

A

b) COBIT

186
Q

Who is responsible for defining acceptable risk?

a) Lead Developer
b) Executive Sponsor
c) Architect
d) Information Security Group

A

b) Executive Sponsor

187
Q

What are some controls to ensure data integrity?

a) Encryption and Masking
b) Load Balancing and Fault Tolerance
c) Denial of Service Prevention
d) Input Validation and Hashing

A

d) Input Validation and Hashing

188
Q

What transactions should be audited?

a) Critical Business, Administrative and Authentication Attempts
b) Everything
c) Authentication attempts only
d) Authentication and Authorization requests only

A

a) Critical Business, Administrative and Authentication Attempts

189
Q

Escrow protects whom?

a) Publisher
b) Acquirer
c) Acquirer and Publisher
d) Acquirer, Publisher and Escrow entity

A

b) Acquirer

190
Q

Key factors to a successful risk data gathering exercise include which of the following?

a) Asking direct questions which require Yes/No responses to help expedite the engagement
b) Dictating security requirements
c) Interrogating stakeholders
d) Building support, meeting collaboratively with stakeholders, sharing information and being prepared

A

d) Building support, meeting collaboratively with stakeholders, sharing information and being prepared

191
Q

How does Basic Authentication transmit credentials?

a) Sending an MD5 hash / message digest
b) Encoded using Base-64 encoding
c) In plaintext over SSL
d) By sending a ciphertext encrypted using the Advanced Encryption Standard (AES)

A

b) Encoded using Base-64 encoding

192
Q

What are the race condition properties?

a) Infinite loops and deadlocks
b) Mutual exclusion and race windows
c) Concurrency, shared objects and state changes
d) Time of Check (TOC) / Time of Use (TOU)

A

d) Time of Check (TOC) / Time of Use (TOU)

193
Q

What are some controls to ensure data confidentiality?

a) Encryption and masking
b) Load balancing and fault tolerance
c) Denial of service protection
d) Input validation and hashing

A

a) Encryption and masking

194
Q

The confidentiality, integrity and availability of audit information should be protected at which one of the following levels of security?

a) Medium
b) Low
c) High
d) Not necessary

A

c) High

195
Q

Mis-Actors in an abuse case usually have which one of the following characteristics?

a) Do not intend harm to the system
b) Are authorized users
c) Are not normally malicious
d) Are assumed malicious and labeled as such

A

d) Are assumed malicious and labeled as such

196
Q

Confidentiality requirements include all data EXCEPT which of the following?

a) In archives
b) In development
c) In storage
d) In transit

A

b) In development

197
Q

Steganography helps ensure

a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation

A

a) Confidentiality

198
Q

Information that is timely, accurate, complete and consistent can be considered to enforce

a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation

A

b) Integrity

199
Q

Software that works as expected meets which of the following tenets?

a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation

A

b) Integrity

200
Q

Which of the following is NOT one of the three ‘R’s of availability?

a) Recovery
b) Reliability
c) Repudiation
d) Resiliency

A

d) Resiliency

201
Q

Which of the following is LEAST LIKELY to be an availability mechanism?

a) Centralized data
b) Defensive coding
c) End to end configuration
d) Load balancing

A

b) Defensive coding

202
Q

Which authentication method sends a hash of the password instead of the actual password over the network?

a) Basic authentication
b) Biometrics
c) Client certificates
d) Digest authentication

A

d) Digest authentication

203
Q

Which of the following is NOT a requirement of proper authorization?

a) Allows only specific actions
b) Grants admins full access
c) Layered on top of authentication
d) Used for resource access requests

A

b) Grants admins full access

204
Q

The ability of a thread to execute in a security context different from that of the process owning the thread is known as

a) Access granularity
b) Authorization
c) Impersonation
d) Inversion

A

a) Access granularity

205
Q

Which of the following elements is NOT essential to adequate logging?

a) What
b) When
c) Who
d) Why

A

d) Why

206
Q

The tier that separates an internal network from the internet is known as

a) Demilitarized Zone (DMZ)
b) Enclave
c) Extranet
d) Honeypot

A

a) Demilitarized Zone (DMZ)

207
Q

Which type of vulnerability can be the result of software not properly handling conversions between different character sets?

a) Canonicalization
b) Naming conflicts
c) Obfuscation
d) Operator overloading

A

a) Canonicalization

208
Q

Which of the following requirements is at the highest (least detailed) level of decomposition?

a) Regulatory Requirements
b) Identity Management Requirements
c) Output Encoding
d) User preferences

A

b) Identity Management Requirements

209
Q

Which of the following is usually NOT collected during data gathering?

a) Current control environment
b) Organizational assets
c) Proposed controls
d) User preferences

A

a) Current control environment

210
Q

Controls such as input validation, CRUD roles and error handling can best be applied to

a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation

A

b) Integrity

211
Q

Controls such as Recovery Time Objective (RTO) and Maximum Tolerable Downtime (MTD) can best be applied to

a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation

A

c) Availability

212
Q

Which of the following is NOT usually part of a Use Case diagram?

a) Actions
b) Actors
c) Referential constraints
d) Relationships

A

c) Referential constraints

213
Q

In use case diagrams, subflows

a) Can make a complex flow easier to follow
b) Illustrate all possible application flows
c) Provide alternate ways an action can be performed
d) Show flows with lower availability requirements

A

c) Provide alternate ways an action can be performed

214
Q

Which of the following is NOT a step in Use Case Modeling?

a) Identify actors
b) Identify use cases
c) Identify misuse cases
d) Generate sequence diagrams

A

d) Generate sequence diagrams

215
Q

In a Use Case Diagram, Alternative flows

a) Can be used as Business Continuity artifacts
b) Cater to variants and exceptions
c) Compare how different applications perform the same actions
d) Show how applications behave on different platforms

A

b) Cater to variants and exceptions

216
Q

Which of the following is MOST LIKELY NOT in a development team report?

a) Misuse case visualizations
b) Secure Code report
c) Security Design and Architecture report
d) Testing and validation results

A

a) Misuse case visualizations

217
Q

A data classification document, Use / Misuse cases and a Requirements Traceability Matrix (RTM) are part of

a) Development Team reports
b) Requirements documentation
c) A security Architecture and Design report
d) A secure Code report

A

c) A security Architecture and Design report

218
Q

Which of the following is a Race Condition property?

a) Approximate Distance Property
b) Change State Property
c) Latency Property
d) Mutual Exclusion Property

A

d) Mutual Exclusion Property

Isn’t this NOT a property…look it up

219
Q

Which of the following describes a possible cause of application misuse?

a) Coincidence
b) Apathy
c) Accident
d) Distrust

A

c) Accident

220
Q

In a Trusted Subsystem Model

a) Clients are mapped to roles
b) Trust is inherited from the client
c) Permissions are assigned to the client
d) Objects inherit permissions from their subjects

A

c) Permissions are assigned to the client

221
Q

Which of the following is NOT directly associated with race conditions?

a) Log
b) Mutex
c) Semaphore
d) Thread

A

a) Log

222
Q

In order for a race condition to be exploited, which of the following must exist?

a) Atomic transactions
b) Mutual exclusion (mutex)
c) Race window
d) Synchronicity

A

c) Race window

223
Q

Shares, patches and accounts would be included in which team report?

a) Test
b) Deployment
c) Secure Code
d) Development

A

d) Development

224
Q

In use case diagrams, which of the following are used to define the roles that users and other systems play while interacting with the system?

a) Actors
b) Objects
c) Subjects
d) Relationships

A

d) Relationships

225
Q

A potential occurrence is a(n)

a) Attack
b) Threat
c) Opportunity
d) Vulnerability

A

b) Threat

226
Q

In requirements gathering, threat models are developed by which group of stakeholders?

a) Business owners
b) Information Security Group
c) Architects and lead developers
d) Designers and business analysts

A

c) Architects and lead developers

227
Q

The adverse effects of software downtime are documented in a

a) Use Case Diagram
b) Secure Software Design
c) Business Impact Analysis
d) Service Level Agreement

A

c) Business Impact Analysis

228
Q

Which standard provides an information classification framework?

a) FIPS 140-2
b) NASD 3010
c) NIST SP 800-12
d) NIST SP 800-18

A

c) NIST SP 800-12

229
Q

A design in which clients are mapped to roles, and roles have segmented identities with different access controls, is known as

a) Delegation
b) Impersonation
c) Role Based Model
d) Trusted Subsystem Model

A

c) Role Based Model

230
Q

When determining archiving requirements, which of the following should take precedence?

a) Organizational policy
b) Compliance requirements
c) Current security standards
d) Stakeholder recommendation

A

a) Organizational policy

231
Q

In a Use Case Diagram, an authentication system would be a(n)

a) Actor
b) Use Case
c) Relationship
d) System Boundary

A

a) Actor

An actor is some external entity that interacts with the system

232
Q

Which standard deals with Authentication?

a) FIPS 140-2
b) FIPS 201
c) NIST SP 800-16
d) NIST SP 800-18

A

b) FIPS 201

233
Q

Ensuring information and programs are changed only in a specified and authorized manner relates BEST to which of the following?

a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation

A

b) Integrity

234
Q

With International Domain Names (IDN), URLs translated from a non-English character set to an ASCII character set are prefaced by

a) Ansi:
b) idn–
c) Nothing
d) xn–

A

c) Nothing

235
Q

Which process defines the extent to which data needs to be controlled and secured?

a) Security Testing
b) Data Classification
c) System Decomposition
d) Business Impact Analysis

A

b) Data Classification

236
Q

What is the difference between a bug and a flaw?

a) A bug is a design issue and a flaw is programmatic
b) A flaw is a subset of a bug
c) A bug is found in the business logic where a flaw is superficial
d) A bug is code-specific and a flaw is weakness in the logic

A

d) A bug is code-specific and a flaw is weakness in the logic

237
Q

What are some design considerations for Confidentiality?

a) Digital Signatures
b) Symmetric and Asymmetric encryption, Hashing and Masking
c) Resource Locking and Referential Integrity
d) Load Balancing and Denial of Service protection

A

b) Symmetric and Asymmetric encryption, Hashing and Masking

238
Q

What key would you use in an Asymmetric Encryption Algorithm to ensure confidentiality?

a) Recipient’s private key
b) Recipient’s public key
c) Sender’s private key
d) Sender’s public key

A

b) Recipient’s public key

239
Q

What key should be used to ensure Non-Repudiation?

a) Recipient’s private key
b) Recipient’s public key
c) Sender’s private key
d) Sender’s public key

A

c) Sender’s private key

240
Q

What are the benefits of Digital Signatures?

a) Integrity, Availability and Non-Repudiation
b) Authentication
c) Authorization
d) Identification, Authentication and Authorization

A

a) Integrity, Availability and Non-Repudiation

241
Q

Resource locking assures which of the following?

a) Authentication
b) Integrity
c) Authorization
d) Confidentiality

A

b) Integrity

242
Q

Common coding errors that may lead to Denial of Service (DoS) include which of the following?

a) Orphaned records and cascading operations
b) Single Sign On
c) Open connections, memory leaks and endless loops
d) Service Oriented Architecture

A

c) Open connections, memory leaks and endless loops

243
Q

The Separation of Duties principle is also referred to as which of the following?

a) Keep it Simple Stupid
b) “Need to Know”
c) Layered Defense
d) Compartmentalization

A

d) Compartmentalization

244
Q

The Complete Mediation design principle represents which security model?

a) Clark Wilson
b) Biba
c) Brewer Nash
d) Bell-LaPadula

A

a) Clark Wilson

245
Q

Using an interface to ensure abstraction best describes which of the following security models?

a) Clark Wilson
b) Biba
c) Brewer Nash
d) Bell-LaPadula

A

d) Bell-LaPadula

246
Q

Which of the following is a risk calculation methodology created by Microsoft?

a) STRIDE
b) DREAD
c) OSSTMM
d) OWASP

A

b) DREAD

247
Q

Which of the following is the best example of Pervasive Computing?

a) Mashups
b) Rich Internet Applications
c) Mobile Computing
d) Trusted Computing Base

A

b) Rich Internet Applications

248
Q

Which of the following is the best way to ensure confidentiality?

a) Encryption
b) Hashing
c) Recovery
d) Redundancy

A

a) Encryption

249
Q

Potential security disadvantages of virtualization include:

a) Hardware consolidation
b) Maintenance
c) Cost
d) Increased attack surface

A

d) Increased attack surface

250
Q

Which of the following principles best describes what is affected by data-tampering?

a) Integrity
b) Availability
c) Auditing
d) Confidentiality

A

a) Integrity

251
Q

What is a technique for dealing with conflicting resource updates?

a) Locking to prevent inconsistent updates
b) Propagating security state changes
c) Addressing recovery failures
d) Using a clock synchronization protocol

A

a) Locking to prevent inconsistent updates

252
Q

Which principle is the best match for the data disclosure threat type?

a) Integrity
b) Availability
c) Auditing
d) Confidentiality

A

d) Confidentiality

253
Q

Which principle is the best match for the elevation of privilege threat type?

a) Integrity
b) Availability
c) Auditing
d) Confidentiality

A

b) Availability

254
Q

The following are benefits to threat modeling EXCEPT

a) Helps make secure design choices
b) Mitigates risk in implementation
c) Drives use and misuse cases
d) Identifies performance implications

A

d) Identifies performance implications

255
Q

Identity management provides for which of the following?

a) Integrity
b) Deniability
c) Confidentiality
d) Non-Repudiation

A

d) Non-Repudiation

256
Q

Which of the following BEST describes a Bastion Host?

a) Proxy between the Internet and Intranet
b) Critical system exposed to the Internet
c) Decoy server used to attract attacks for analysis
d) Intrusion detection or intrusion prevention system

A

a) Proxy between the Internet and Intranet

257
Q

Software hardening should include

a) Adding support comments to the code
b) Adding guest accounts for automated tasks
c) Removing maintenance hooks
d) Removing network segmentations

A

c) Removing maintenance hooks

258
Q

Bootstrapping is also known as

a) Extract, Transform, Load (ETL)
b) Initial Program Load (IPL)
c) Platform Configuration Register (PCR)
d) Trusted Platform Module (TPM)

A

b) Initial Program Load (IPL)

259
Q

Which of the following is not part of the Change Control process?

a) Approvals
b) Design
c) Document
d) Test

A

c) Document

Answer key says E…but there is no E

260
Q

Which of the following is not a type of penetration test?

a) Data and Logic
b) Environment
c) Input
d) Social

A

a) Data and Logic

261
Q

What type of testing causes system stress, including a slow network and / or low memory?

a) Data and Logic
b) Environment
c) Input
d) Social

A

c) Input

262
Q

Key Performance Indicators (KPI) are also known as

a) Behaviors
b) Exceptions
c) Factors
d) Metrics

A

d) Metrics

263
Q

What is the difference between Incident Management and Problem Management?

a) Incident Management works to improve service, Problem Management works to restore service
b) Incident Management works to restore service, Problem Management works to improve service
c) Problem Management prevents problems, Incident Management identifies incidents
d) Problem Management identifies problems, Incident Management prevents incidents

A

b) Incident Management works to restore service while Problem Management works to improve service

264
Q

Applications that can no longer receive security patches should be

a) Hidden from users
b) Left alone until replaced
c) No longer monitored
d) Removed from service

A

d) Removed from service

265
Q

Banner grabbing is also known as

a) Attacking
b) Fingerprinting
c) Footprinting
d) Scanning

A

b) Fingerprinting

266
Q

Assurance Checks do which of the following?

a) Negatively tests the software’s functionality
b) Reviews and validates the software’s functionality
c) Tests the vendor’s incident response documentation
d) Validates and verifies the vendor’s claims of security

A

b) Reviews and validates the software’s functionality

267
Q

Which type of intellectual property would be used to protect a product’s signature/cornerstone algorithm?

a) Copyright
b) End User Licensing Agreement (EULA)
c) Trade Secret
d) Trademark

A

c) Trade Secret

268
Q

The official management decision to operate a system, and to accept the risk associated with operating the system, is known as

a) Accreditation
b) Assurance
c) Certification
d) Continuity

A

a) Accreditation

269
Q

What type of testing directly addresses identifying bugs fixed in previous versions of the code?

a) Integration Assessment
b) Regression Testing
c) Simulation Testing
d) Unit Testing

A

b) Regression Testing

270
Q

Which of the following would MOST LIKELY NOT be included in a Non-Disclosure Agreement (NDA)?

a) Information to be protected
b) Length of the agreement
c) Parties involved
d) Performance measures

A

d) Performance measures

271
Q

An Integration Assessment includes all but which of the following?

a) Regression Testing
b) Simulation Testing
c) Support Verification
d) Vendor Evaluation

A

d) Vendor Evaluation

272
Q

Incident Response timeliness defines which of the following?

a) How quickly an incident is declared
b) How quickly the vendor will respond to an incident
c) How long it takes for an event to be elevated to an incident
d) How long it takes for an incident to be downgraded to an event

A

c) How long it takes for an event to be elevated to an incident

273
Q

Verifying that software performs as required is known as

a) Assertion
b) Accreditation
c) Certification
d) Commissioning

A

c) Certification

274
Q

The “goodwill” of a vendor is protected by

a) Copyright
b) Patent
c) Trade Secret
d) Trademark

A

d) Trademark

275
Q

Compensating controls should be included in which of the following?

a) Completion Criteria
b) Exceptions to Policy
c) Functional Requirements
d) Service Level Agreements

A

b) Exceptions to Policy

276
Q

Which of the following tries to break the system?

a) Performance Testing
b) Stress Testing
c) Load Testing
d) Integration Testing

A

b) Stress Testing

277
Q

Zero-Knowledge Assessments are also known as

a) Root Cause Analysis
b) Source Code Analysis
c) White Box Testing
d) Black Box Testing

A

d) Black Box Testing

278
Q

Sending random data to application inputs is also known as

a) Tampering
b) Tainting
c) Fuzzing
d) Enumeration

A

c) Fuzzing

279
Q

When testing for vulnerabilities, a Type I error is a vulnerability that

a) Does not exist
b) Does exist
c) Sometimes exists
d) Always exists

A

a) Does not exist

280
Q

Which type of testing is best for identifying infinite loop conditions?

a) Black Box
b) White Box
c) Environment
d) Integration

A

d) Integration

281
Q

Domain Name Service (DNS) cache poisoning could result in which of the following?

a) Account lockouts
b) Denial of Service
c) Overflow attacks
d) False negatives

A

b) Denial of Service

282
Q

Which is the BEST type of testing for identifying information disclosure vulnerabilities?

a) Complete mediation
b) Input validation
c) Exception handling
d) Malicious file execution

A

c) Exception handling

283
Q

Which type of testing would include configuration testing?

a) Complete Mediation
b) Performance
c) Load
d) Integration

A

d) Integration

284
Q

Code escrow is a part of which type of testing?

a) Unit
b) Stress
c) Business Continuity
d) Performance

A

c) Business Continuity

285
Q

Semantic flaws are also known as

a) Coding bugs
b) Logic flaws
c) Poor session management
d) Structural flaws

A

a) Coding bugs

286
Q

Which of the following uses SMS (simple messaging service) as a key component of its attack?

a) Phishing
b) Smishing
c) Pharming
d) Vishing

A

b) Smishing

…and never heard of it

287
Q

Which of the following is an example of sandboxing?

a) Chroot jail
b) Indirect object reference
c) Turing test
d) Clipping levels

A

a) Chroot jail

…again, never heard of it

288
Q

Using a taint checker will BEST detect which of the following?

a) Insecure cryptographic storage
b) Poor exception handling
c) Insecure communications
d) Application injection flaws

A

d) Application injection flaws

289
Q

Which of the following BEST applies to bypassing an indirect object reference mechanism?

a) Authentication bypass flaw
b) Easily guessable IDs
c) Directory traversal flaw
d) Use of session cookies

A

b) Easily guessable IDs

290
Q

Put the following programming language generations in chronological order

a) Natural, Machine, Assembly, High Level
b) Assembly, Machine, Natural, High Level
c) Assembly, Machine, High Level, Natural
d) Machine, Assembly, High Level, Natural

A

d) Machine, Assembly, High Level, Natural

291
Q

In cryptography, which of the following is a side-channel attack?

a) TEMPEST
b) SQL Injection
c) Buffer Overflow
d) Impersonation

A

a) TEMPEST

292
Q

Which of the following would BEST mitigate an XPATH injection attack?

a) Bounds checking
b) Input validation
c) Fuzz testing
d) Taint checking

A

b) Input validation

293
Q

Canonicalization is also known as which of the following?

a) Fuzzing
b) Misuse
c) Masquerading
d) Obfuscation

A

d) Obfuscation

294
Q

Tricking a user to click a link in order to run code under that user’s identity is known as

a) XSS
b) CSRF
c) SQL Injection
d) Pharming

A

b) CSRF

295
Q

Which of the following code is sent directly to the CPU?

a) Assembly
b) Interpreted
c) Machine
d) Scripting

A

c) Machine

296
Q

Which BEST describes code that waits for a specific condition or time to execute?

a) Logic Bomb
b) Trapdoor
c) Worm
d) Trojan Horse

A

a) Logic Bomb

297
Q

Address Space Layout Randomization (ASLR) will BEST protect against which of the following?

a) Side channel attacks
b) Differential fault analysis
c) Mutex spoofing
d) System function exploits

A

d) System function exploits

298
Q

Manipulating variables in the URL field of a web application is known as

a) Session hijacking
b) Forced browsing
c) Side channel attack
d) Information harvesting

A

b) Forced browsing

Forced browsing is an umbrella answer in that it consists of Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

The SPECIFIC question refers to Predictable Resource Location

299
Q

Which of the following generations of programming languages offers type safety?

a) Assembly
b) Machine
c) High Level
d) Low Level

A

c) High Level

300
Q

Which of the following BEST describes the type of variable that ceases to exist once the function that created it completes?

a) Local
b) Global
c) Spatial
d) Temporal

A

d) Temporal

Both TEMPORAL and LOCAL variables are the same but because Temporal is SPECIFIC and Local is not…stupid question

301
Q

Which of the following methodologies is also an Agile methodology?

a) Clean-Room
b) Joint Analysis Development (JAD)
c) Waterfall
d) Extreme Programming (XP)

A

d) Extreme Programming

302
Q

Where is the BEST place for an application to perform input validation?

a) Client
b) Server
c) Client and Server
d) Database

A

c) Client and Server

303
Q

Leaving development comments in HTML code is an example of

a) Dangling pointers
b) Dangling code
c) Indirect object reference
d) Injection flaws

A

b) Dangling code

304
Q

Which analysis method would BEST detect code flaws?

a) Peer Review
b) Use Cases
c) Static Code Analysis
d) Dynamic Code Analysis

A

c) Static Code Analysis

305
Q

Which of the following is an example of mobile code?

a) Applet
b) Tablet
c) Smart Phone
d) Global Positioning System (GPS)

A

a) Applet

306
Q

Which of the following is NOT a countermeasure to insecure communications?

a) Secure Socket Layer (SSL)
b) Cryptographic Next Generation (CNG)
c) Transport Layer Security (TLS)
d) Network Layer Security (IPSec)

A

b) Cryptographic Next Generation (CNG)

307
Q

Targeted phishing is also known as

a) Vishing
b) Smishing
c) Spoofing
d) Spear Phishing

A

d) Spear Phishing

308
Q

Which of the following is NOT a countermeasure to phishing?

a) Input Validation
b) Disable Links
c) User Training
d) Spam Filtering

A

a) Input Validation

309
Q

Overflow vulnerabilities can BEST be prevented by using

a) Input Encoding
b) Parameterized Queries
c) Bounds Checking
d) Sandboxing

A

c) Bounds Checking

310
Q

Which of the following is NOT a type of injection attack?

a) CSRF
b) SQL
c) OS Command
d) LDAP

A

d) LDAP

311
Q

Performing an authorization check before allowing any object to be used is an example of

a) Obfuscation
b) Complete mediation
c) Forced browsing
d) Authentication bypass

A

b) Complete mediation

312
Q

An attack to trick a user into loading a page that contains a malicious request is also known as

a) Persistent Cross-Site Scripting (XSS)
b) Reflected Cross-Site Scripting (XSS)
c) Man-In-The-Middle (MITM)
d) Cross-Site Request Forgery (CSRF)

A

b) Reflected Cross-Site Scripting (XSS)

313
Q

Which of the following development approaches would include Entity-Relationship (ER) diagrams, Data Flow Diagrams (DFD) and structure charts?

a) Rapid Application Development (RAD)
b) Joint Analysis Development (JAD)
c) Upper Computer-Aided Software Engineering (CASE)
d) Lower Computer-Aided Software Engineering (CASE)

A

c) Upper Computer-Aided Software Engineering (CASE)

Note the ONLY difference between Upper and Lower is that of ANALYSIS versus DEVELOPMENT.

314
Q

Lightweight Directory Access Protocol (LDAP) deals with

a) Tables and Views
b) Users and Hosts
c) Objects and Classes
d) Functions and Methods

A

c) Objects and Classes

315
Q

What is the MAIN advantage of using ASLR?

a) Cryptographically secure memory
b) Secure exception handling
c) Reduced information disclosure
d) Unpredictable code memory locations

A

d) Unpredictable code memory locations

316
Q

Which of the following is a potential impact of a Cross-Site Scripting (CSS) attack?

a) Impersonation
b) Denial of Service (DOS)
c) Side channel attack
d) Obfuscation

A

a) Impersonation

317
Q

Allowing an attacker to execute commands directly on the server is an example of

a) Indirect object reference
b) Account hijacking
c) Operating System command injection
d) Cross-Site Request Forgery

A

c) Operating System command injection

318
Q

Which programming language would MOST LIKELY NOT include type safety?

a) COBOL
b) Java
c) C++
d) Visual Basic

A

c) C++

319
Q

The principle that items whose addresses are near one another tend to be referenced close together in time is known as

a) Temporal locality
b) Spatial locality
c) Parametric polymorphism
d) Arbitrary code execution

A

b) Spatial Locality

320
Q

Which of the following describes adding together the effective attack surface value for all root attack vectors?

a) THREAT
b) DREAD
c) RASQ
d) TEMPEST

A

c) RASQ

321
Q

Which of the following is NOT an impact of Insecure Direct Object Reference?

a) Injection attacks
b) Cyclomatic complexity
c) Information disclosure
d) Authorization bypass

A

a) Injection attacks

322
Q

Federal Information Processing Standard (FIPS) Publication 140-2 deals with

a) Cryptography
b) Session Management
c) Identification
d) Authorization

A

a) Cryptography

323
Q

Van Eck or radiation monitoring is also known as

a) Distant Observation
b) TEMPEST
c) RASQ
d) Taint checking

A

b) TEMPEST

324
Q

Maintenance hooks may provide which of the following to an attacker?

a) Trap Door
b) Root Kit
c) Logic Bomb
d) Back Door

A

d) Back Door

325
Q

Canonicalization is also known as

a) Transliteration
b) Obfuscation
c) Polymorphism
d) Instantiation

A

b) Obfuscation

326
Q

Which of the following describes representations of code that a compiler generates by processing a source code file?

a) Machine code
b) Source code
c) Object code
d) Interpreted code

A

a) Machine code

327
Q

The difference between static linked and dynamic linked libraries is that with static linking

a) All functions and variables are copied into a separate file used by the executable
b) All functions and variables are copied into the executable image
c) All functions and variables are defined at compile time
d) All functions and variables are defined at run time

A

b) All functions and variables are copied into the executable image

328
Q

In terms of memory, dynamic data is stored in the

a) Heap
b) Stack
c) Registry
d) Shell

A

a) Heap

329
Q

A reference to a destroyed object is

a) A conversion error
b) A buffer overflow
c) Dangling code
d) Dangling pointer

A

d) Dangling pointer

330
Q

A direct measure of the number of paths through a program’s source code is

a) Cyclomatic Complexity
b) Parametric Polymorphism
c) Least Common Mechanism
d) Complete Mediation

A

a) Cyclomatic Complexity

331
Q

Which of the following is a countermeasure to SQL Injection attacks?

a) Complete mediation
b) Parameterized queries
c) Dynamic linking
d) User awareness training

A

b) Parameterized queries

332
Q

Preventing a program from accessing memory outside the bounds of an object’s public properties is known as

a) Complete mediation
b) Input validation
c) Object reuse
d) Type safety

A

d) Type safety

333
Q

Using overly verbose errors can DIRECTLY lead to

a) Buffer overflow attacks
b) Resource contention issues
c) Sensitive information disclosure
d) Resource starvation attacks

A

c) Sensitive information disclosure

334
Q

A sprint is part of which development methodology?

a) Extreme Programming (XP)
b) SCRUM
c) Spiral
d) Waterfall

A

b) SCRUM

335
Q

For mobile code protection, Digital Shrink Wrap is also known as

a) Sandboxing
b) Delayed signing
c) Code signing
d) Using an installation wizard

A

c) Code signing

336
Q

Implementing a watchdog timer is part of what secure design principle?

a) Survivability
b) Secure failure
c) Redundancy
d) Open architecture

A

a) Survivability

337
Q

Which of the following principles best promotes “Security should not depend on security through obscurity”?

a) Defense in Depth
b) Complete Mediation
c) Open Design
d) Fail Safe

A

a) Defense in Depth

338
Q

Which of the following best describes the process for assessing and documenting the weaknesses or security risks associated with an application?

a) Control Enumeration
b) Control Prioritization
c) Threat Modeling
d) Attack Surface Evaluation

A

d) Attack Surface Evaluation

339
Q

Drawbacks of web application firewalls (WAF) include

a) Signature Based detection
b) Flexible policy enforcement
c) Configuration and performance
d) Specialized security knowledge

A

c) Configuration and performance

340
Q

Data Loss Prevention (DLP) DOES NOT include which of the following?

a) Egress filtering
b) Authorized data disclosure
c) Ingress filtering
d) Unauthorized data disclosure

A

b) Authorized data disclosure

341
Q

The following are properties of race conditions EXCEPT

a) Concurrency
b) Shared Object
c) Changed State
d) Mutual Exclusion

A

d) Mutual Exclusion

A race condition violates these properties, which are closely related:

Exclusivity - the code sequence is given exclusive access to the shared resource
Atomicity - the code sequence is behaviorally atomic

342
Q

Which of the following is a mechanism to ensure hash values are collision free?

a) Seeding
b) Salting
c) Masking
d) Input Validation

A

b) Salting

343
Q

Which attack BEST describes an entity using and correlating lower-level security information to uncover higher-level security information?

a) Inference
b) Reverse Engineering
c) Cryptanalysis
d) Covert Channels

A

a) Inference

344
Q

Which of the following is the BEST justification for using a Managed Programming Language?

a) Execution Speed
b) Memory Management
c) Popularity
d) Short Development Lifecycle

A

b) Memory Management

345
Q

The equation to determine the number of keys needed for symmetric encryption is

a) A^2 + B^2 = C^2
b) Delta of S = Q/T
c) N+2k
d) n(n-1)/2

A

d) n(n-1)/2

346
Q

Which of the following is considered a strength of asymmetric cryptography?

a) Key Management
b) Processing Speed
c) Scalability
d) Reliability

A

c) Scalability

347
Q

Which of the following BEST describes a security principle of Economy of Mechanism?

a) Deny by Default
b) Do not implement unnecessary security
c) Strive for Simplicity
d) Strive for operational ease of use

A

c) Strive for Simplicity

348
Q

The Primary reason for incorporating security into the software development life cycle is to protect:

A. the unauthorized disclosure of information.
B. the corporate brand and reputation.
C. against hackers who intend to misuse the software.
D. the developers from releasing software with security defects.

A

B. the corporate brand and reputation

When security is incorporated into the software development life cycle, confidentiality, integrity and availability can be assured and external hacker and insider threat attempts thwarted. Developers will generate more hack-resilient software with fewer vulnerabilities, but protection of the organization’s reputation and corporate brand is the primary reason for software assurance.

349
Q

The resiliency of software to withstand attacks that attempt to modify or alter data in an unauthorized manner is referred to as:

A. Confidentiality
B. Integrity
C. Availability
D. Authorization

A

B. Integrity

When the software program operates as it is expected to, it is said to be reliable or internally consistent. Reliability is an indicator of the integrity of software. Hack-resilient software is reliable (functioning as expected), resilient (able to withstand attacks) and recoverable (capable of being restored to normal operations when breached or upon error).

350
Q

The MAIN reason as to why the availability aspects of software must be part of the organization’s software security initiatives is:

A. software issues can cause downtime to the business.
B. developers need to be trained in the business continuity procedures.
C. testing for availability of the software and data is often ignored.
D. hackers like to conduct Denial of Service (DoS) attacks against the organization

A

A. software issues can cause downtime to the business.

One of the tenets of software assurance is ‘availability’. Software issues can cause software unavailability and downtime to the business. This is often observed as a denial of service (DoS) attack.

351
Q

Developing the software to monitor its functionality and report when the software is down and unable to provide the expected service to the business is a protection to assure which of the following?

A. Confidentiality
B. Integrity
C. Availability
D. Authentication

A

C. Availability

Confidentiality controls assure protection against unauthorized disclosure.
Integrity controls assure protection against unauthorized modifications or alterations.
Availability controls assure protection against downtime/denial of service and destruction of information.
Authentication is the mechanism to validate the claims/credentials of an entity.
Authorization has to do with the rights and privileges that a subject has upon requested objects.

352
Q

When a customer attempts to log into their bank account, the customer is required to enter a nonce from the token device that was issued to the customer by the bank. This type of authentication is known as which of the following?

A. Ownership based authentication
B. Two Factor authentication
C. Characteristic based authentication
D. Knowledge based authentication

A

A. Ownership based authentication

Authentication can be achieved in one or more of the following ways: using something one knows (knowledge based), something one has (ownership based) and something one is (characteristic based). Using a token device is ownership based authentication. When more than one way is used for authentication purposes, it is referred to as multifactor authentication and is recommended over single factor authentication.

353
Q

Multi-factor authentication is most closely related to which of the following security design principles?

A. Separation of Duties
B. Defense in depth
C. Complete mediation
D. Open Design

A

B. Defense in depth

Having more than one way of authentication provides for a layered defense which is the premise of the defense in depth security design principle.

354
Q

Audit logs can be used for all of the following except

A. providing evidentiary information
B. assuring that the user cannot deny their actions.
C. detecting the actions that were undertaken
D. preventing a user from performing some unauthorized operations.

A

D. preventing a user from performing some unauthorized operations.

Audit log information can be a detective control (providing evidentiary information), a deterrent control when the users know that they are being audited but it cannot prevent any unauthorized actions. When the software logs user actions, it also provides non-repudiation capabilities because the user cannot deny their actions.

355
Q

Organizations often pre-determine the acceptable number of user errors before recording them as security violations. This number is otherwise known as:

A. Clipping level
B. Known error
C. Minimum Security Baseline
D. Maximum Tolerable Downtime

A

A. Clipping level

The predetermined number of acceptable user errors before recording the error as a potential security incident is referred to as the clipping level. For example, if the number of allowed failed login attempts before the account is locked out is 3, then the clipping level for authentication attempts is 3.

356
Q

A security principle that maintains the confidentiality, integrity and availability of the software and data, besides allowing for rapid recovery to the state of normal operations, when unexpected events occur is the security design principle of:

A. defense in depth
B. economy of mechanisms
C. Fail secure
D. Psychological acceptability

A

C. Fail secure

The fail secure principle prescribes that access decisions must be based on permission rather than exclusion. This means that the default situation is a lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design. A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, a safe situation, since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure which may go unnoticed in normal use. This principle applies to both the outward appearance of the protection mechanism and to its underlying implementation.

357
Q

Requiring the end user to accept an “As-Is” disclaimer clause before installation of your software is an example of risk:

A. Avoidance
B. Mitigation
C. Transference
D. Acceptance

A

C. Transference

When an “As-Is” disclaimer clause is used, the risk is transferred from the publisher of the software to the user of the software.

358
Q

An instrument that is used to communicate and mandate organizational and management goals and objectives at a high level is a:

A. standard
B. policy
C. baseline
D. guideline

A

B. Policy

Policies are high level documents that communicate the mandatory goals and objectives of company management. Standards are also mandatory but are not quite as high level as policy. Guidelines provide recommendations on how to implement a standard. Procedures are usually step by step instructions on how to perform an operation. A baseline is one that has the minimum levels of control or configuration that need to be implemented.

359
Q

The Systems Security Engineering Capability Maturity Model (SSE-CMM) is an internationally recognized standard that publishes guidelines to

A. provide metrics for measuring the software and its behavior, and using the software in a specific context of use.
B. evaluate security engineering practices and organizational management processes.
C. support accreditation and certification bodies that audit and certify information security management systems.
D. ensure that the claimed identity of personnel is appropriately verified.

A

B. evaluate security engineering practices and organizational management processes.

The evaluation of security engineering practices and organizational management processes are provided as guidelines and prescribed in the Systems Security Engineering Capability Maturity Model (SSE-CMM). The SSE-CMM is an internationally recognized standard that is published as ISO 21827.

360
Q

Which of the following is a framework that can be used to develop a risk based enterprise security architecture by determining security requirements after analyzing the business initiatives?

A. Capability Maturity Model Integration (CMMI)
B. Sherwood Applied Business Security Architecture (SABSA)
C. Control Objectives for Information and related Technology (COBIT)
D. Zachman Framework

A

B. Sherwood Applied Business Security Architecture (SABSA)

SABSA is a proven framework and methodology for Enterprise Security Architecture and Service Management. SABSA ensures that the needs of your enterprise are met completely and that security services are designed, delivered and supported as an integral part of your business and IT management infrastructure.

361
Q

Which of the following is a PRIMARY consideration for the software publisher when selling Commercially Off the Shelf (COTS) software?

A. Service Level Agreements (SLAs)
B. Intellectual Property protection
C. Cost of customization
D. Review of the code for backdoors and Trojan horses.

A

B. Intellectual Property protection

All of the other answers are considerations for the software acquirer (purchaser)

362
Q

The Single Loss Expectancy can be determined using which of the following formulas?

A. Annualized Rate of Occurrence (ARO) x Exposure Factor
B. Probability x Impact
C. Asset Value x Exposure Factor
D. Annualized Rate of Occurrence (ARO) x Asset Value

A

C. Asset Value x Exposure Factor

Single Loss Expectancy is the expected loss of a single disaster. It is computed as the product of asset value and the exposure factor. SLE = Asset Value x Exposure Factor.

363
Q

Implementing IPSec to assure the confidentiality of data when it is transmitted is an example of risk

A. avoidance
B. transference
C. mitigation
D. acceptance

A

C. Mitigation

The implementation of IPSec at the network layer helps to mitigate threats to the confidentiality of transmitted data.

364
Q

The Federal Information Processing Standard (FIPS) that prescribes guidelines for biometric authentication is

A. FIPS 140
B. FIPS 186
C. FIPS 197
D. FIPS 201

A

D. FIPS 201

Personal Identity Verification (PIV) of Federal Employees and Contractors is published as FIPS 201 and it prescribes some guidelines for biometric authentication.

365
Q

Which of the following is a multifaceted security standard that is used to regulate organizations that collect, process and/or store cardholder data as part of their business operations?

A. FIPS 201
B. ISO/IEC 15408
C. NIST SP 800-64
D. PCI DSS

A

D. PCI DSS

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

366
Q

Which of the following is the current Federal Information Processing Standard (FIPS) that specifies an approved cryptographic algorithm to ensure the confidentiality of electronic data?

A. Security Requirements for Cryptographic Modules (FIPS 140)
B. Personal Identity Verification (PIV) of Federal Employees and Contractors (FIPS 201)
C. Advanced Encryption Standard (FIPS 197)
D. Digital Signature Standard (FIPS 186)

A

C. Advanced Encryption Standard (FIPS 197)

The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. The AES algorithm is capable of using cryptographic keys of 128, 192, or 256 bits to encrypt and decrypt data in blocks of 128 bits.

367
Q

The organization that published the ten most critical web application security risks (Top Ten) is the

A. Computer Emergency Response Team (CERT)
B. Web Application Security Consortium (WASC)
C. Open Web Application Security Project (OWASP)
D. Forums for Incident Response and Security Teams (FIRST)

A

C. Open Web Application Security Project (OWASP)

The Open Web Application Security Project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.

368
Q

The process of removing private information from sensitive data sets is referred to as

A. Sanitation
B. Degaussing
C. Anonymization
D. Formatting

A

C. Anonymization

Anonymization is the process of removing private information from the data. Anonymization techniques such as replacement, suppression, generalization and perturbation are useful to assure data privacy. It is important that you are familiar with these techniques. Sanitation has to do with inputs and outputs as a defensive control and includes techniques such as escaping and encoding. Degaussing and Formatting are information and media sanitization techniques and they are not selective of what they remove/dispose.

369
Q

Which of the following MUST be addressed by software security requirements? Choose the BEST answer.

A. Technology used in building the application.
B. Goals and objectives of the organization.
C. Software quality requirements
D. External auditor requirements

A

B. Goals and objectives of the organization.

When determining software security requirements, it is imperative to address the goals and objectives of the organization. Management’s goals and objectives need to be incorporated into the organizational security policies. While external auditor, internal quality requirements and technology are factors that need consideration, compliance with organizational policies must be the foremost consideration.

370
Q

Which of the following types of information is exempt from confidentiality requirements?

A. Directory information
B. Personally identifiable information (PII)
C. User’s card holder data
D. Software architecture and network diagram

A

A. Directory information

Information that is public is also known as directory information. The name ‘directory’ information comes from the fact that such information can be found in a public directory like a phone book, etc. When information is classified as public information, confidentiality assurance protection mechanisms are not necessary.

371
Q

Requirements that are identified to protect against the destruction of information or the software itself are commonly referred to as

A. confidentiality requirements
B. integrity requirements
C. availability requirements
D. authentication requirements

A

C. availability requirements

Destruction is the threat against availability, as disclosure is the threat against confidentiality and alteration is the threat against integrity.

372
Q

The amount of time by which business operations need to be restored to service levels as expected by the business when there is a security breach or disaster is known as

A. Maximum Tolerable Downtime (MTD)
B. Mean Time Before Failure (MTBF)
C. Minimum Security Baseline (MSB)
D. Recovery Time Objective (RTO)

A

D. Recovery Time Objective (RTO)

Maximum Tolerable Downtime (MTD) is the maximum length of time a business process can be interrupted or unavailable without causing the business itself to fail. Recovery Time Objective (RTO) is the time period in which the organization should have the interrupted process running again, at or near the same capacity and conditions as before the disaster/downtime. MTD and RTO are part of availability requirements. It is advisable to set the RTO to be less than the MTD.

373
Q

The use of an individual’s physical characteristics such as retinal blood patterns and fingerprints for validating and verifying the user’s identity is referred to as

A. biometric authentication
B. forms authentication
C. digest authentication
D. integrated authentication

A

A. biometric authentication

Forms authentication has to do with usernames and passwords that are input into a form (like a web page/form). Basic authentication transmits credentials in a Base64 encoded form, while digest authentication provides the credentials as a hash value (also known as a message digest). Token based authentication uses credentials in the form of specialized tokens, which is often used with a token device. Biometric authentication uses physical characteristics to provide the credential information.

374
Q

Which of the following policies is MOST likely to include the following requirement? “All software processing financial transactions need to use more than one factor to verify the identity of the entity requesting access”

A. Authorization
B. Authentication
C. Auditing
D. Availability

A

B. Authentication

When two factors are used to validate an entity’s claim and/or credentials, it is referred to as two-factor authentication and when more than two factors are used for authentication purposes, it is referred to as multi-factor authentication. It is important to determine first, if there exists a need for two- or multi-factor authentication.

375
Q

A means of restricting access to objects based on the identity of subjects and/or groups to which they belong, as mandated by the requested resource owner is the definition of

A. Non-discretionary Access Control (NDAC)
B. Discretionary Access Control (DAC)
C. Mandatory Access Control (MAC)
D. Role based Access Control

A

B. Discretionary Access Control (DAC)

Discretionary access control (DAC) is defined as “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.” The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. DAC restricts access to objects based on the identity of the subject and is distinctly characterized by the owner of the resource deciding who has access and their level of privileges or rights.

376
Q

Requirements which when implemented can help to build a history of events that occurred in the software are known as

A. authentication requirements
B. archiving requirements
C. accountability requirements
D. authorization requirements

A

C. accountability requirements

Accountability requirements are those that assist in building a historical record of user actions. Audit trails can help detect when an unauthorized user makes a change or an authorized user makes an unauthorized change, both of which are cases of integrity violations. Auditing requirements not only help with forensic investigations as a detective control but can also be used for troubleshooting errors and exceptions, if the actions of the software are tracked appropriately. When auditing is combined with identification, it provides for accountability.

377
Q

Which of the following is the PRIMARY reason for an application to be susceptible to a Man-in-the-Middle (MITM) attack?

A. Improper session management
B. Lack of auditing
C. Improper archiving
D. Lack of encryption

A

A. Improper session management

Easily guessable, non-random session identifiers can be hijacked and replayed if sessions are not managed appropriately, and this can lead to MITM-style impersonation attacks.

378
Q

The process of eliciting concrete software security requirements from high level regulatory and organizational directives and mandates in the requirements phase of the SDLC is also known as

A. threat modeling
B. policy decomposition
C. subject-object modeling
D. misuse case generation

A

B. policy decomposition

The process of eliciting concrete software security requirements from high level regulatory and organizational directives and mandates is referred to as policy decomposition. When the policy decomposition process completes, all the gleaned requirements must be measurable components.

379
Q

The FIRST step in the Protection Needs Elicitation (PNE) process is to

A. engage the customer
B. model information management
C. identify least privilege applications
D. conduct threat modeling and analysis

A

A. engage the customer

IT is there for the business and not the other way around. The first step when determining protection needs is to engage the customer followed by modeling the information and identifying least privilege scenarios. Once an application profile is developed, then we can undertake threat modeling and analysis to determine the risk levels which can be communicated to the business to prioritize the risk.

380
Q

A Requirements Traceability Matrix (RTM) that includes security requirements can be used for all of the following except

A. ensuring scope creep does not occur
B. validating and communicating user requirements
C. determining resource allocations
D. identifying privileged code sections

A

D. identifying privileged code sections

Identifying privileged code sections is part of threat modeling and not part of an RTM.

381
Q

Parity bit checking mechanisms can be used for all of the following except

A. Error Detection
B. Message corruption
C. Integrity assurance
D. Input validation

A

D. Input validation

Parity bit checking is primarily used for error detection, but it can also be used to assure the integrity of transferred files and messages against accidental corruption. A single parity bit only detects an odd number of flipped bits and cannot locate or correct the error.

382
Q

Which of the following is an activity that can be performed to clarify requirements with the business users using diagrams that model the expected behavior of the software?

A. Threat modeling
B. Use case modeling
C. Misuse case modeling
D. Data modeling

A

B. Use case modeling

A use case models the intended behavior of the software or system. In other words, the use case describes behavior the system owner intended. This behavior describes the sequence of actions and events that are to be taken to address a business need. Use case modeling and diagramming is very useful for specifying requirements. It can be effective in reducing ambiguous and incompletely articulated business requirements by explicitly specifying exactly when and under what conditions certain behavior occurs. Use case modeling is meant to model only the most significant system behavior and not all of it and so should not be considered a substitute for requirements specification documentation.

383
Q

Which of the following is LEAST LIKELY to be identified by misuse case modeling?

A. Race conditions
B. Mis-actors
C. Attacker’s perspective
D. Negative requirements

A

A. Race conditions

Misuse cases, also known as abuse cases, help identify security requirements by modeling negative scenarios. A negative scenario is an unintended behavior of the system, one that the system owner does not want to occur within the context of the use case. Misuse cases provide insight into the threats that can occur against the system or software. They provide the hostile user’s point of view and are the inverse of the use case. Misuse case modeling is similar to use case modeling, except that in misuse case modeling, mis-actors and unintended scenarios or behavior are modeled. Misuse cases may be intentional or accidental. One of the most distinctive traits of misuse cases is that they can be used to elicit security requirements, unlike other requirements determination methods that focus on end-user functional requirements.

384
Q

Data classification is a core activity that is conducted as part of which of the following?

A. Key Management Lifecycle
B. Information Lifecycle Management
C. Configuration Management
D. Problem Management

A

B. Information Lifecycle Management

Data classification is the conscious effort to assign a level of sensitivity to data assets, based on potential impact upon disclosure, alteration or destruction. The results of the classification exercise can then be used to categorize the data elements into appropriate buckets. Data classification is part of information lifecycle management.

385
Q

Web farm data corruption issues and card holder data encryption requirements need to be captured as part of which of the following requirements?

A. Integrity
B. Environment
C. International
D. Procurement

A

B. Environment

When determining requirements it is important to elicit requirements that are tied to the environment in which the data will be marshaled or processed. ViewState corruption issues in web farm settings where the servers were not all configured identically, and lack of card holder data encryption on public networks, have been observed when the environmental requirements were not identified or taken into account.

386
Q

When software is purchased from a third party instead of being built in-house, it is imperative to have contractual protection in place and have the software requirements explicitly specified in which of the following?

A. Service Level Agreements (SLA)
B. Non-Disclosure Agreements (NDA)
C. Non-compete Agreements
D. Project plan

A

A. Service Level Agreements (SLA)

SLAs should contain the levels of service the software is expected to provide, and this becomes crucial when the software is not developed in-house.

387
Q

When software is able to withstand attacks from a threat agent and not violate the security policy it is said to be exhibiting which of the following attributes of software assurance?

A. Reliability
B. Resiliency
C. Recoverability
D. Redundancy

A

B. Resiliency

Software is said to be reliable when it functions as expected. Resiliency is the measure of the software’s ability to withstand an attack. When the software is breached, its ability to restore itself to normal operations is known as the recoverability of the software. Redundancy has to do with high availability.

388
Q

Infinite loops and improper memory calls are often known to cause threats to which of the following?

A. Availability
B. Authentication
C. Authorization
D. Accountability

A

A. Availability

Improper coding constructs such as infinite loops and improper memory management can lead to denial of service and resource exhaustion issues, which impact availability.

389
Q

Which of the following is used to communicate and enforce availability requirements of the business or client?

A. Non-Disclosure Agreement (NDA)
B. Corporate Contract
C. Service Level Agreements (SLA)
D. Threat model

A

C. Service Level Agreements (SLA)

SLAs should contain the levels of service the software is expected to provide, and this becomes crucial when the software is not developed in-house.

390
Q

Software security requirements that are identified to protect against disclosure of data to unauthorized users is otherwise known as

A. integrity requirements
B. Authorization requirements
C. confidentiality requirements
D. non-repudiation requirements

A

C. confidentiality requirements

Disclosure is the threat against confidentiality, alteration is the threat against integrity, and destruction is the threat against availability.

391
Q

The requirements that assure reliability and prevent alterations are to be identified in which section of the software requirements specifications (SRS) documentation?

A. Confidentiality
B. Integrity
C. Availability
D. Accountability

A

B. Integrity

Disclosure is the threat against confidentiality, alteration is the threat against integrity, and destruction is the threat against availability.

392
Q

Which of the following is a covert mechanism that assures confidentiality?

A. Encryption
B. Steganography
C. Hashing
D. Masking

A

B. Steganography

Encryption and hashing are overt mechanisms to assure confidentiality. Masking is an obfuscating mechanism to assure confidentiality. Steganography, which is hiding information within other media, is a covert mechanism to assure confidentiality. Steganography is often compared to invisible ink: it is the art of camouflaged or hidden writing, where the information is hidden and the existence of the message itself is concealed. Steganography is primarily useful for covert communications and is prevalent in military and espionage communications. Note that it hides the existence of the message but does not by itself protect the content; anyone who knows the embedding scheme can extract it, so the payload should be encrypted before it is embedded.
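As an added illustration of the mechanism (this code is not from the flashcard deck), the following embeds a message in the least significant bit of successive sample bytes, the classic LSB technique used on image or audio data. The cover is a constructed byte sequence standing in for pixel values; a real implementation would read and write an image format.

```python
def embed(cover, message):
    """Hide `message` in the least significant bit of successive cover bytes.

    A 4-byte big-endian length prefix tells the extractor how many bytes to read.
    Each cover byte changes by at most 1, which is below what an eye or ear
    notices in image or audio samples, so the existence of the message is concealed.
    """
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover is too small for this message")
    stego = bytearray(cover)
    pos = 0
    for byte in payload:
        for shift in range(7, -1, -1):          # most significant bit first
            stego[pos] = (stego[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(stego)


def _read_bytes(stego, start_bit, count):
    """Reassemble `count` bytes from the LSBs starting at bit offset `start_bit`."""
    out = bytearray()
    for k in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[start_bit + k * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Reverse of embed: read the length prefix, then that many message bytes.
    No key is involved, which is why this is concealment, not confidentiality."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("no valid payload in this carrier")
    return _read_bytes(stego, 32, length)


def max_sample_change(cover, stego):
    """How far any sample moved; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    # Constructed "pixel" data standing in for an image
    cover = bytes((i * 37 + 11) % 256 for i in range(4096))
    stego = embed(cover, b"meet at dawn")
    print(extract(stego), max_sample_change(cover, stego))
```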

393
Q

As a means to assure confidentiality of copyright information, the security analyst identifies the requirement to embed information inside another digital audio, video or image signal. This is commonly referred to as

A. Encryption
B. Hashing
C. Licensing
D. Watermarking

A

D. Watermarking

Digital watermarking is the process of embedding information into a digital signal. These signals can be audio, video, or pictures.

394
Q

Checksum validation can be used to satisfy which of the following requirements?

A. Confidentiality
B. Integrity
C. Availability
D. Authentication

A

B. Integrity

Parity bit checking is useful in the detection of errors or changes made to data when it is transmitted. A related and stronger redundancy check is the Cyclic Redundancy Check (CRC), used for data integrity especially for messages longer than one byte (8 bits). Upon data transmission, each block of data is given a computed CRC value, commonly referred to as a checksum. If there is an alteration between the origin of the data and its destination, the checksum sent at the origin will not match the one computed at the destination. Corrupted media (CDs, DVDs) and incomplete downloads of software yield CRC errors. Parity bits and CRCs detect accidental corruption only: an attacker who alters the data can simply recompute the checksum, so integrity against deliberate tampering requires a keyed check such as a MAC or a digital signature.
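The following added example (not part of the deck) backs up the points made on the parity bit card and this checksum card: it shows a single parity bit catching one flipped bit but missing two, CRC-32 catching both, and then the limit of any unkeyed check, where a forger simply recomputes the CRC and only an HMAC with a key the forger lacks holds up. The message and key are constructed sample data.

```python
import hashlib
import hmac
import zlib


def parity_bit(data):
    """Even parity: the check bit is 1 when the data has an odd number of 1 bits."""
    return sum(bin(b).count("1") for b in data) & 1


def flip_bits(data, bit_indexes):
    """Corrupt `data` by flipping the given bit positions (simulated line noise)."""
    buf = bytearray(data)
    for i in bit_indexes:
        buf[i // 8] ^= 1 << (i % 8)
    return bytes(buf)


def parity_detects(data, bit_indexes):
    """True if the corruption changes the parity bit (only odd flip counts do)."""
    return parity_bit(flip_bits(data, bit_indexes)) != parity_bit(data)


def crc_detects(data, bit_indexes):
    """CRC-32 catches every 1-, 2- and 3-bit error in messages this short."""
    return zlib.crc32(flip_bits(data, bit_indexes)) != zlib.crc32(data)


def crc_frame(data):
    """Sender appends a 4-byte CRC-32; the receiver recomputes and compares."""
    return data + zlib.crc32(data).to_bytes(4, "big")


def crc_frame_ok(frame):
    data, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
    return zlib.crc32(data) == crc


def mac_frame(key, data):
    """Integrity against an adversary needs a keyed check: HMAC-SHA256 here."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def mac_frame_ok(key, frame):
    data, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    data = b"TRANSFER 100 TO ACCT 42"          # constructed message
    print(parity_detects(data, [3]), parity_detects(data, [3, 9]), crc_detects(data, [3, 9]))
    forged = crc_frame(b"TRANSFER 999 TO ACCT 66")   # attacker recomputes the CRC
    print(crc_frame_ok(forged), mac_frame_ok(b"k", mac_frame(b"other", data)))
```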

395
Q

A Requirements Traceability Matrix (RTM) that includes security requirements can be used for all of the following EXCEPT

A. Ensure scope creep does not occur
B. Validate and communicate user requirements
C. Determine resource allocations
D. Identifying privileged code sections.

A

D. Identifying privileged code sections.

Identifying privileged code sections is part of threat modeling and not part of an RTM.

396
Q

During which phase of the software development lifecycle (SDLC) is threat modeling initiated?

A. Requirements analysis
B. Design
C. Implementation
D. Deployment

A

B. Design

Although it is imperative to visit the threat model during the development, testing and deployment phase of the software development lifecycle (SDLC), the threat modeling exercise should commence in the design phase of the SDLC.

397
Q

Certificate Authority, Registration Authority, and Certificate Revocation Lists are all part of which of the following?

A. Advanced Encryption Standard (AES)
B. Steganography
C. Public Key Infrastructure (PKI)
D. Lightweight Directory Access Protocol (LDAP)

A

C. Public Key Infrastructure (PKI)

PKI makes it possible to securely exchange data by keeping a private key secret on one system while distributing the corresponding public key to the other systems participating in the exchange. The Certificate Authority issues and signs certificates that bind a public key to an identity, the Registration Authority vets the identity of a requester before the CA issues a certificate, and the Certificate Revocation List publishes the certificates that have been revoked before their expiry.

398
Q

The use of digital signatures has the benefit of providing which of the following that is not provided by symmetric key cryptographic design?

A. Speed of cryptographic operations
B. Confidentiality assurance
C. Key exchange
D. Non-repudiation

A

D. Non-repudiation

Nonrepudiation and proof of origin (authenticity) are provided by the sender signing the message with its own private key; anyone holding the sender’s public key can verify the signature, and the certificate authority’s (CA) signature on the sender’s certificate binds that public key to the sender’s identity. This attests the authenticity of both the document and the sender. A symmetric key is shared by both parties, so either of them could have produced a message authentication code, and neither can prove to a third party who sent the message.
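An added example (not from the deck) making the non-repudiation difference visible. The RSA key pair uses textbook-sized primes p = 61 and q = 53 and a bare hash-mod-n instead of padding, purely so the arithmetic is readable; real signatures use 2048-bit or larger keys and RSA-PSS or an elliptic-curve scheme. Messages and the shared HMAC key are constructed.

```python
import hashlib
import hmac

# Toy RSA key pair: n = 61 * 53 = 3233, phi = 60 * 52 = 3120.
# e * d = 17 * 2753 = 46801 = 15 * 3120 + 1, so e and d are inverses mod phi.
N, PUBLIC_E, PRIVATE_D = 3233, 17, 2753


def _digest(message):
    """Hash the message and reduce it into the RSA group (a real scheme pads instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, private_exponent=PRIVATE_D):
    """Only the holder of the private exponent can produce this value."""
    return pow(_digest(message), private_exponent, N)


def verify(message, signature, public_exponent=PUBLIC_E):
    """Anyone with the public exponent can check it, so a third party can settle
    a dispute about who signed: that is what gives non-repudiation."""
    return pow(signature, public_exponent, N) == _digest(message)


def mac(shared_key, message):
    """Symmetric alternative: HMAC over the message with a key both parties hold."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_ok(shared_key, message, tag):
    return hmac.compare_digest(mac(shared_key, message), tag)


def receiver_can_forge_mac(shared_key, message):
    """The receiver holds the same key as the sender, so it can mint a valid tag
    for any message it likes. It therefore cannot prove the sender produced one."""
    return mac_ok(shared_key, message, mac(shared_key, message))


if __name__ == "__main__":
    msg = b"pay 100 to bob"                     # constructed message
    sig = sign(msg)
    print(sig, verify(msg, sig), verify(b"pay 1000 to bob", sig))
    print(receiver_can_forge_mac(b"shared-key", b"pay 1000 to bob"))
```

The asymmetry is the whole point: `verify` needs only `PUBLIC_E`, which can be handed to a judge, while producing the signature needs `PRIVATE_D`, which only the sender ever had.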

399
Q

When passwords are stored in the database, the best defense against disclosure attacks can be accomplished using

A. encryption
B. masking
C. hashing
D. obfuscation

A

C. hashing

An important use for hashes is storing passwords. The actual password should never be stored in the database. Using hashing functions, you can store the hash value of the user password and use that value to authenticate the user. Because hashes are one-way (not reversible), they offer a heightened level of confidentiality assurance. In practice the hash must be salted per user and deliberately slow (PBKDF2, bcrypt, scrypt or Argon2) rather than a bare fast hash such as SHA-256, otherwise a leaked table falls quickly to dictionary and rainbow table attacks.
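As an added example that is not part of the deck, the following stores passwords with per-user salt and PBKDF2-HMAC-SHA256, compares in constant time, and tags each record with the algorithm used. The tag is what makes the later card on cryptographic agility practical: a legacy unsalted record (represented here by a constructed "sha256$" format) is still accepted once, then rehashed at login. The iteration count and record format are choices made for this example.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # tune upward as hardware gets faster


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, slow, one-way: 'pbkdf2_sha256$<iterations>$<salt>$<derived key>'.
    The algorithm tag in the record is what lets the scheme be upgraded later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, _b64(salt), _b64(dk))


def legacy_sha256_record(password):
    """What an old, unsalted scheme would have stored; here only to show migration."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_password(password, stored):
    """Returns (matches, needs_rehash). Legacy records are accepted so the user
    can be migrated transparently on their next successful login."""
    algorithm, _, rest = stored.partition("$")
    if algorithm == "pbkdf2_sha256":
        iterations, salt, dk = rest.split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        base64.b64decode(salt), int(iterations))
        return hmac.compare_digest(candidate, base64.b64decode(dk)), False
    if algorithm == "sha256":
        candidate = hashlib.sha256(password.encode("utf-8")).hexdigest()
        ok = hmac.compare_digest(candidate, rest)
        return ok, ok     # correct password, but the record must be upgraded
    raise ValueError("unknown password hash algorithm: " + algorithm)


def login(password, stored, iterations=PBKDF2_ITERATIONS):
    """Authenticate and return (ok, record_to_store): rehashed when needed."""
    ok, needs_rehash = verify_password(password, stored)
    if not ok:
        return False, stored
    return True, hash_password(password, iterations) if needs_rehash else stored


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
    print(login("hunter2", legacy_sha256_record("hunter2"))[1][:20])
```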

400
Q

Nicole is part of the ‘author’ role and is also included in the ‘approver’ role, allowing her to approve her own articles before they are posted on the company blog site. This violates the principle of

A. least privilege
B. least common mechanisms
C. economy of mechanisms
D. separation of duties

A

D. separation of duties

Separation of duties, sometimes referred to as separation of privilege, is the principle that it is better to assign tasks to several specific individuals so that no one user has total control over the task. It is closely related to the principle of least privilege, which is the idea that the minimum amount of privilege is granted for the minimum (shortest) amount of time to individuals with a need to know.
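Here is an added example (not from the deck) of enforcing the principle in code for the author/approver workflow on this card. It shows the two common forms: static separation, where a user may never hold both conflicting roles, and dynamic separation, where a user may hold both but may not perform both steps on the same article. The class, role names and article identifiers are constructed for the illustration.

```python
class SeparationOfDutiesError(PermissionError):
    pass


class PublishingWorkflow:
    """Author/approver workflow with separation of duties enforced in code.

    static=True  : a user may never be granted two conflicting roles.
    static=False : a user may hold both roles but cannot approve an article
                   they authored (the check is made per object, at approval time).
    """

    CONFLICTING_ROLES = {frozenset({"author", "approver"})}

    def __init__(self, static=True):
        self.static = static
        self.roles = {}       # user -> set of roles
        self.articles = {}    # article id -> {"author": user, "approver": user or None}

    def assign_role(self, user, role):
        held = self.roles.setdefault(user, set())
        if self.static:
            for pair in self.CONFLICTING_ROLES:
                if role in pair and (pair - {role}) & held:
                    raise SeparationOfDutiesError(
                        "{} already holds a role that conflicts with {}".format(user, role))
        held.add(role)

    def _require(self, user, role):
        if role not in self.roles.get(user, set()):
            raise PermissionError("{} does not hold role {}".format(user, role))

    def submit(self, article_id, user):
        self._require(user, "author")
        self.articles[article_id] = {"author": user, "approver": None}

    def approve(self, article_id, user):
        self._require(user, "approver")
        article = self.articles[article_id]
        if article["author"] == user:          # dynamic separation of duties
            raise SeparationOfDutiesError("{} cannot approve their own article".format(user))
        article["approver"] = user
        return True

    def is_published(self, article_id):
        return self.articles[article_id]["approver"] is not None


if __name__ == "__main__":
    wf = PublishingWorkflow(static=False)
    for user, role in [("nicole", "author"), ("nicole", "approver"), ("bob", "approver")]:
        wf.assign_role(user, role)
    wf.submit("blog-17", "nicole")
    try:
        wf.approve("blog-17", "nicole")
    except SeparationOfDutiesError as exc:
        print(exc)
    print(wf.approve("blog-17", "bob"), wf.is_published("blog-17"))
```

Static separation is simpler to audit (look at the role table); dynamic separation is needed when headcount forces people to wear both hats, and then the check must live in the approval step itself, not only in the user interface.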

401
Q

The primary reason for designing Single Sign On (SSO) capabilities is to

A. increase the security of authentication mechanisms.
B. simplify user authentication.
C. have the ability to check each access request.
D. allow for interoperability between wireless and wired networks.

A

B. simplify user authentication.

The design principle of economy of mechanism states that one must keep the design as simple and small as possible. This well known principle deserves emphasis for protection mechanisms because design and implementation errors that result in unwanted access paths will not be noticed during normal use. As a result, techniques such as line-by-line inspection of software that implements protection mechanisms are necessary, and for such techniques to be successful a small and simple design is essential. SSO supports this principle by simplifying the authentication process.

402
Q

Database triggers are primarily useful for providing which of the following detective software assurance capability?

A. Availability
B. Authorization
C. Auditing
D. Archiving

A

C. Auditing

All stored procedures could be updated to incorporate auditing logic; however a better solution is to use database triggers. You can use triggers to monitor actions performed on the database tables and automatically log auditing information.

403
Q

During a threat modeling exercise, the software architecture is reviewed to identify

A. attackers
B. business impact
C. critical assets
D. entry points

A

D. entry points

During threat modeling, the application is dissected into its functional components. The development team analyzes the components at every entry point and traces data flow through all functionality to identify security weaknesses.

404
Q

A Man-in-the-Middle (MITM) attack is PRIMARILY an expression of which type of the following threats?

A. Spoofing
B. Tampering
C. Repudiation
D. Information disclosure

A

A. Spoofing

Although it may seem that a MITM attack is an expression of the threat of repudiation, and it very well could be, it is PRIMARILY a spoofing threat. In a spoofing attack, an attacker impersonates a different person and pretends to be a legitimate user of the system. Spoofing attacks are mitigated through authentication so that adversaries cannot become another user or assume the attributes of another user. When undertaking a threat modeling exercise, it is important to list all possible threats, regardless of whether they have been mitigated, so that you can later generate test cases where necessary. If the threat is not documented, there is a high likelihood that the software will not be tested for it. Using a categorized list of threats (such as STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) is useful to list all possible threats.

405
Q

IPSec technology which helps in the secure transmission of information operates in which layer of the Open Systems Interconnect (OSI) model?

A. Transport
B. Network
C. Session
D. Application

A

B. Network

Although software security has specific implications at layer 7, the application layer of the OSI stack, security at the other levels of the OSI stack is also important and should be leveraged to provide defense in depth. The seven layers of the OSI stack are Physical (layer 1), Data Link (layer 2), Network (layer 3), Transport (layer 4), Session (layer 5), Presentation (layer 6), and Application (layer 7). SSL/TLS and IPSec can be used to assure confidentiality for data in motion. SSL/TLS is conventionally placed at the Transport Layer (layer 4) in CSSLP material, although strictly it runs above TCP, between the transport and application layers; IPSec operates at the Network Layer (layer 3).

406
Q

When internal business functionality is abstracted into service oriented contract based interfaces, it is PRIMARILY used to provide for

A. interoperability.
B. authentication.
C. authorization.
D. installation ease.

A

A. interoperability.

A distinctive characteristic of SOA is that the business logic is abstracted into discoverable and reusable contract based interfaces to promote interoperability between heterogeneous computing ecosystems.

407
Q

At which layer of the Open Systems Interconnect (OSI) model must security controls be designed to effectively mitigate side channel attacks?

A. Transport
B. Network
C. Data link
D. Physical

A

D. Physical

Side channel attacks use unconventional means to compromise the security of the system (power consumption, electromagnetic emanations, timing, cache behavior) and in most cases require physical access to the device or system. Therefore, to mitigate side channel attacks, physical protection can be used. Note that timing and cache side channels can be exploited remotely or from a co-tenant, so software must also avoid secret-dependent branches, memory accesses and comparison times, for example by using constant-time comparisons for secrets.

408
Q

Which of the following software architectures is effective in distributing the load between the client and the server, but, since it makes the client part of the threat vectors, increases the attack surface?

A. Software as a Service (SaaS)
B. Service Oriented Architecture (SOA)
C. Rich Internet Application (RIA)
D. Distributed Network Architecture (DNA)

A

C. Rich Internet Application (RIA)

RIAs require Internet Protocol (IP) connectivity to the backend server. Browser sandboxing is recommended, since the client is now also susceptible to attack, but it is not a requirement. The workload is shared between the client and the server, and user experience and control are increased in the RIA architecture.

409
Q

When designing software to work in a mobile computing environment, the Trusted Platform Module (TPM) chip can be used to provide which of the following types of information?

A. Authorization
B. Identification
C. Archiving
D. Auditing

A

B. Identification

Trusted Platform Module (TPM) is the name assigned to a chip that can store cryptographic keys, passwords, or certificates. It can be used to protect mobile devices besides personal computers. It is also used to provide identity information for authentication purposes in mobile computing. It also assures secure startup and integrity by measuring boot components. The TPM can be used to generate and protect the keys used with whole disk encryption such as Windows Vista’s BitLocker.

410
Q

When two or more trivial pieces of information are brought together with the aim of gleaning sensitive information, it is referred to as what type of attack?

A. Injection
B. Inference
C. Phishing
D. Polyinstantiation

A

B. Inference

An inference attack is one in which the attacker combines information that is available in the database with a suitable analysis to glean information that is presumably hidden or not as evident. This means that individual data elements, when viewed collectively, can reveal confidential information. It is therefore possible to have public elements in a database reveal private information by inference. The first thing to ensure is that the database administrator does not have direct access to the data in the database and that the administrator’s access to the database is mediated by a program (the application) and audited. In situations where direct database access is necessary, it is important to ensure that the database design is not susceptible to inference attacks. Inference attacks can be mitigated by polyinstantiation.
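The following added example (not from the deck) shows the classic statistical form of the attack against a constructed HR table. The interface never returns a row and refuses aggregates over fewer than three people, yet two permitted queries whose result sets differ by exactly one employee expose that employee’s salary. The second interface adds query-set overlap control, one of the standard statistical-database defenses, and refuses the tracker query. Data, thresholds and function names are all constructed for the illustration.

```python
# Constructed HR table: (employee, department, salary, hire_year)
EMPLOYEES = [
    ("alice", "eng", 100_000, 2015),
    ("bob",   "eng", 120_000, 2016),
    ("carol", "eng", 150_000, 2020),
    ("dave",  "eng",  90_000, 2014),
    ("erin",  "ops",  80_000, 2018),
    ("frank", "ops",  85_000, 2019),
    ("grace", "ops",  95_000, 2012),
]

MIN_GROUP = 3   # the naive protection: refuse aggregates over fewer than 3 people


def sum_salary(predicate, rows=EMPLOYEES, min_group=MIN_GROUP):
    """Public statistics interface. Individual rows are never returned and small
    groups are refused, which looks safe when each query is judged in isolation."""
    matched = [r for r in rows if predicate(r)]
    if len(matched) < min_group:
        raise PermissionError("group too small")
    return len(matched), sum(r[2] for r in matched)


def tracker_attack(department, hire_year, rows=EMPLOYEES):
    """Two permitted queries whose result sets differ by exactly one person
    reveal that person's salary by subtraction."""
    n_all, total_all = sum_salary(lambda r: r[1] == department, rows)
    n_old, total_old = sum_salary(lambda r: r[1] == department and r[3] < hire_year, rows)
    if n_all - n_old != 1:
        return None
    return total_all - total_old


def sum_salary_guarded(predicate, answered, rows=EMPLOYEES, min_group=MIN_GROUP):
    """Query-set overlap control: refuse a query whose matched set differs from
    any previously answered set by fewer than min_group rows. `answered` is the
    per-user history of result sets and is updated in place."""
    matched = frozenset(r[0] for r in rows if predicate(r))
    if len(matched) < min_group:
        raise PermissionError("group too small")
    for previous in answered:
        if 0 < len(matched ^ previous) < min_group:
            raise PermissionError("overlaps a previous answer too closely")
    answered.append(matched)
    return sum(r[2] for r in rows if r[0] in matched)


if __name__ == "__main__":
    print("carol's salary by inference:", tracker_attack("eng", 2020))
    history = []
    print(sum_salary_guarded(lambda r: r[1] == "eng", history))
    try:
        sum_salary_guarded(lambda r: r[1] == "eng" and r[3] < 2020, history)
    except PermissionError as exc:
        print("guarded interface refused:", exc)
```

The lesson for design reviews: a minimum group size on each query is not an inference control, because the attacker is free to difference answers; the control has to reason about the set of queries already answered (or add noise), which is why the card pushes the concern down into database design rather than leaving it to the application.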

411
Q

The inner workings and internal structure of backend databases can be protected from disclosure using

A. triggers
B. normalization
C. views
D. encryption

A

C. views

Views provide a number of benefits with regard to security. They abstract the source of the data being presented, keeping the internal structure of the underlying tables hidden from the user. Furthermore, views can be created on a subset of columns in a table, which allows users granular access to specific data elements. Views can also be used to limit access to specific rows of data.
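An added example (not from the deck) that covers both this card and the earlier card on database triggers, using SQLite through Python’s standard library. The trigger records every balance change no matter which code path issued the UPDATE, which is exactly why the earlier card prefers it to auditing logic repeated in each stored procedure; the view exposes only non-sensitive columns and only active rows. Schema, table names and sample rows are constructed for the illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT NOT NULL,
    balance INTEGER NOT NULL,
    ssn     TEXT NOT NULL,          -- sensitive: must not reach ordinary users
    active  INTEGER NOT NULL DEFAULT 1
);

CREATE TABLE balance_audit (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    account_id  INTEGER NOT NULL,
    old_balance INTEGER NOT NULL,
    new_balance INTEGER NOT NULL,
    changed_at  TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);

-- Fires for every balance change regardless of which code path issued the UPDATE,
-- so the audit trail cannot be skipped by a procedure that forgot to log.
CREATE TRIGGER trg_balance_audit
AFTER UPDATE OF balance ON accounts
BEGIN
    INSERT INTO balance_audit (account_id, old_balance, new_balance)
    VALUES (OLD.id, OLD.balance, NEW.balance);
END;

-- Exposes a subset of columns and rows; the base table's structure stays hidden.
CREATE VIEW account_summary AS
    SELECT id, owner, balance FROM accounts WHERE active = 1;
"""

# Constructed sample rows: (id, owner, balance, ssn, active)
SAMPLE_ROWS = [
    (1, "alice", 500, "123-45-6789", 1),
    (2, "bob",   250, "987-65-4321", 1),
    (3, "carol",   0, "555-55-5555", 0),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def set_balance(conn, account_id, new_balance):
    """A plain UPDATE with no logging code of its own; the trigger does the auditing."""
    conn.execute("UPDATE accounts SET balance = ? WHERE id = ?", (new_balance, account_id))
    conn.commit()


def audit_trail(conn, account_id):
    return conn.execute(
        "SELECT old_balance, new_balance FROM balance_audit WHERE account_id = ? ORDER BY id",
        (account_id,)).fetchall()


def view_columns(conn):
    """Column names a user of the view can see (no ssn, no active flag)."""
    return [row[1] for row in conn.execute("PRAGMA table_info(account_summary)")]


def summary_rows(conn):
    return conn.execute("SELECT id, owner, balance FROM account_summary ORDER BY id").fetchall()


if __name__ == "__main__":
    conn = build_db()
    set_balance(conn, 1, 450)
    set_balance(conn, 1, 700)
    print(audit_trail(conn, 1), view_columns(conn), summary_rows(conn))
```

In a real deployment the application account would be granted SELECT on `account_summary` only, not on `accounts`, and nothing but the DBA role would be able to write to `balance_audit`.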

412
Q

Choose the BEST answer. Configurable settings for logging exceptions, auditing and credential management must be part of

A. database views
B. security management interfaces
C. global files
D. exception handling

A

B. security management interfaces

Security management interfaces (SMI) are administrative interfaces for your application which have the highest level of privileges on the system and can do tasks such as:
User provisioning (adding, deleting and enabling user accounts)
Granting rights to different user roles
System restart
Changing system security settings
Accessing audit trails, user credentials and exception logs
Although SMIs are often not explicitly stated in the requirements, and subsequently not threat modeled, strong controls such as least privilege and access controls must be designed and built in when developing an SMI, because the compromise of an SMI can be devastating, ranging from complete compromise and installation of backdoors to disclosure, alteration and destruction (DAD) attacks on audit logs, user credentials, exception logs and so on. An SMI need not always be deployed with the default accounts set by the software publisher, although it is often observed to be.

413
Q

The token that is PRIMARILY used for authentication purposes in a Single Sign-On (SSO) implementation between two different companies is

A. Kerberos
B. Security Assertion Markup Language (SAML)
C. Liberty alliance ID-FF
D. One Time Password (OTP)

A

B. Security Assertion Markup Language (SAML)

Federation technology is usually built on a centralized identity management architecture leveraging industry standard identity management protocols such as SAML, WS-Federation (WS-*) or Liberty Alliance. Of the three major protocol families associated with federation, SAML is recognized as the de facto standard for enterprise to enterprise federation. SAML works in cross-domain settings, while Kerberos tickets are useful only within a single domain or realm.

414
Q

Syslog implementations require which additional security protection mechanisms to mitigate disclosure attacks?

A. unique session identifier generation and exchange
B. transport layer security
C. digital rights management (DRM)
D. data loss prevention

A

B. transport layer security

The syslog network protocol has become a de facto standard for logging program and server information over a network. Many routers, switches and remote access devices will transmit system messages, and there are syslog servers available for Windows and UNIX operating systems. TLS protection mechanisms such as SSL wrappers are needed to protect syslog data in transit, as it is otherwise transmitted in the clear (traditionally over UDP port 514). SSL wrappers like stunnel provide transparent TLS functionality; syslog over TLS (RFC 5425, port 6514) is the standardized alternative where the sender and collector support it.

415
Q

Rights and privileges for a file can be granularly granted to each client using which of the following technologies.

A. Data Loss Prevention (DLP)
B. Software as a Service (SaaS)
C. Flow control
D. Digital Rights Management (DRM)

A

D. Digital Rights Management (DRM)

Digital Rights Management (DRM) solutions give copyright owners control over access to and use of the copyright protected material. When users want to access or use digital copyrighted material, they can do so only on the terms of the copyright owner.

416
Q

Which of the following is known to circumvent the ring protection mechanisms in operating systems?

A. Cross Site Request Forgery (CSRF)
B. Cold boot
C. SQL Injection
D. Rootkit

A

D. Rootkit

Rootkits are known to compromise the operating system ring protection mechanisms, running at the kernel’s privilege level and masquerading as part of the legitimate operating system while seizing control of it.

417
Q

When the software is designed using Representational State Transfer (REST) architecture, it promotes which of the following good programming practices?

A. High Cohesion
B. Low Cohesion
C. Tight Coupling
D. Loose Coupling

A

D. Loose Coupling

Since REST is a client/server model in which the requests and responses are built around transfers of resource representations rather than shared state, it promotes loose coupling between the client and server.

418
Q

Which of the following components of the Java architecture is primarily responsible for ensuring type consistency and safety and for assuring that there are no malicious instructions in the code?

A. Garbage collector
B. Class Loader
C. Bytecode Verifier
D. Java Security Manager

A

C. Bytecode Verifier

The bytecode verifier is the most important component of the JVM from a type consistency viewpoint. The bytecode verifier checks that the .class files are in the class file format and double checks that there are no malicious instructions in the code that would violate the rules of type safety in Java.

419
Q

The primary security concern when implementing cloud applications is related to

A. Insecure APIs
B. Data leakage and/or loss
C. Abuse of computing resources
D. Unauthorized access

A

D. Unauthorized access

Although the nefarious use of APIs, shared technology issues that can be abused, and unauthorized access to data and software hosted in the cloud are all concerns, the primary security concern is related to data disclosure, which includes leakage and/or loss.

420
Q

The predominant form of malware that infects mobile apps is

A. Virus
B. Ransomware
C. Worm
D. Spyware

A

B. Ransomware

Ransomware that locks screens on mobile devices is on the rise and predominantly observed in mobile apps that don’t implement sufficient protection controls.

421
Q

Most Supervisory Control and Data Acquisition (SCADA) systems are susceptible to software attack because

A. they were not initially implemented with security in mind
B. the skills of a hacker has increased significantly
C. the data that they collect are of top secret classification.
D. the firewalls that are installed in front of these devices have been breached

A

A. they were not initially implemented with security in mind

Most SCADA systems were not originally designed with security in mind. Basic protection mechanisms like authentication and authorization on these systems are weak, if present at all.

422
Q

Software developers write software programs PRIMARILY to

A. create new products
B. capture market share
C. solve business problems
D. mitigate hacker threats

A

C. solve business problems

IT and software development teams function to provide solutions to the business. Manual and inefficient business processes can be automated and made efficient using software programs.

423
Q

The process of combining necessary functions, variables and dependency files and libraries required for the machine to run the program is referred to as

A. compilation
B. interpretation
C. linking
D. instantiation

A

C. linking

Linking is the process of combining the necessary functions, variables, dependent files and libraries required for the machine to run the program. The output that results from the linking process is the executable program or machine code/file the machine can understand and process. In short, linked object code is the executable. Link editors that combine object codes are known as linkers. Upon completion of the compilation process, the compiler invokes the linker to perform its function. There are two types of linking: static linking and dynamic linking.

424
Q

Which of the following is an important consideration to manage memory and mitigate overflow attacks when choosing a programming language?

A. locality of reference
B. type safety
C. cyclomatic complexity
D. parametric polymorphism

A

B. type safety

Code is said to be type safe if it only accesses the memory it has been assigned, through the types it was given, and never memory belonging to other objects. In the .NET CLR, type safety verification takes place during the Just In Time (JIT) compilation phase and prevents unverifiable code from becoming active. Although you can disable type safety verification, doing so can lead to unpredictable results. The best example is that the code can then make unrestricted calls to unmanaged code, and if that code has malicious intent, the results can be severe. Therefore, the framework only allows fully trusted assemblies to bypass verification. Type safety is a form of “sandboxing” and must be one of the most important security considerations when selecting a programming language.

425
Q

Assembly and machine language are examples of

A. natural language
B. very high level language (VHLL)
C. high level language (HLL)
D. low level language

A

D. low level language

A programming language in which there is little to no abstraction from the native instruction codes that the computer can understand is referred to as a low-level language. There is no abstraction from native instruction codes in machine language. Assembly languages are the lowest level in the software chain, which makes them well suited to reverse engineering. It is therefore important to have an understanding of low-level programming languages to understand how an attacker will attempt to circumvent the security of the application at its lowest level.

426
Q

Using multifactor authentication is effective in mitigating which of the following application security risks?

A. injection flaws
B. cross site scripting (XSS)
C. buffer overflow
D. Man-in-the-Middle (MITM)

A

D. Man-in-the-Middle (MITM)

As a defense against a Man-in-the-Middle (MITM) attack, authentication and session management need to be in place. Multifactor authentication provides greater defense than single-factor authentication and is recommended. Session identifiers that are generated should be unpredictable, random and non-guessable.

427
Q

Impersonation attacks such as Man-in-the-Middle (MITM) attacks in an internet application can be BEST mitigated using proper

A. configuration management
B. session management
C. patch management
D. exception management

A

B. session management

In an Internet application the ability to manage identities, as would be possible in an intranet application, is not easy and in some cases infeasible. Internet applications also use stateless protocols such as HTTP or HTTPS, and this requires the management of user sessions: identifiers must be unpredictable, bound to the authenticated user, transmitted only over TLS, expired on timeout and logout, and regenerated after login or a change of privilege.
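An added example (not from the deck) that serves this card and the two earlier MITM cards, which all come back to the same point: session identifiers must be unguessable and the session lifecycle must be managed. The store below draws ids from the OS CSPRNG, enforces an idle timeout, rotates the id after login and revokes it on logout; the sequential-id anti-pattern is included so the contrast is visible. The class, timeout value and injectable clock are choices made for this example.

```python
import secrets
import time


def predictable_session_id(counter):
    """Anti-pattern: a sequential id lets an attacker guess a neighbour's session."""
    return str(counter)


def guess_next(observed_id):
    """What an attacker does with a predictable id: increment it."""
    return str(int(observed_id) + 1)


class SessionStore:
    """Server-side sessions: unpredictable ids, idle timeout, rotation, revocation.

    The cookie carrying the id must still be marked Secure and HttpOnly and the
    id must travel only over TLS; this class covers the server side of the problem.
    """

    ID_BYTES = 32   # 256 bits of entropy from the OS CSPRNG

    def __init__(self, idle_timeout=900, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock                   # injectable for testing
        self._sessions = {}                  # session id -> {"user": ..., "last_seen": ...}

    def create(self, user):
        sid = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None; expired sessions are purged."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, sid):
        """Issue a fresh id after login or privilege change (defeats session fixation)."""
        user = self.lookup(sid)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user)

    def destroy(self, sid):
        """Logout: the id is dead on the server even if the client keeps the cookie."""
        self._sessions.pop(sid, None)

    def live_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    sid = store.create("alice")
    print(sid, store.lookup(sid))
    fresh = store.rotate(sid)
    print(store.lookup(sid), store.lookup(fresh))
    print(guess_next(predictable_session_id(1042)))
```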

428
Q

Implementing Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) protection is a means of defending against

A. SQL Injection
B. Cross-Site Scripting (XSS)
C. Cross-Site Request Forgery (CSRF)
D. Insecure cryptographic storage

A

C. Cross-Site Request Forgery (CSRF)

In addition to assuring that the requestor is a human, CAPTCHAs are useful in mitigating CSRF attacks. Since CSRF depends on a pre-authenticated token being in place, using a CAPTCHA as the anti-CSRF token is an effective way of dealing with the inherent XSS problems regarding anti-CSRF tokens, as long as the CAPTCHA image itself is not guessable, predictable or reserved to the attacker.

429
Q

The findings of a code review indicate that cryptographic operations in code use the Rijndael cipher, which is the original publication of which of the following algorithms?

A. skipjack
B. data encryption standard (DES)
C. triple data encryption standard (3DES)
D. advanced encryption standard (AES)

A

D. advanced encryption standard (AES)

Advanced encryption standard (FIPS 197) is published as the Rijndael cipher. Software should be designed in such a way that you are able to replace one cryptographic algorithm with a stronger one, when needed, without much rework and recoding. This is referred to as cryptographic agility.

430
Q

Which of the following transport layer technologies can BEST mitigate session hijacking and replay attacks in a local area network (LAN)?

A. data loss prevention (DLP)
B. internet protocol security (IPSec)
C. secure sockets layer (SSL)
D. digital rights management (DRM)

A

C. secure sockets layer (SSL)

SSL provides disclosure protection, and protection against session hijacking and replay, at the transport layer (layer 4), while IPSec provides confidentiality and integrity assurance operating in the network layer (layer 3). DRM provides some degree of disclosure (primarily IP) protection and operates in the presentation layer (layer 6), and data loss prevention (DLP) technologies prevent the inadvertent disclosure of data to unauthorized individuals, predominantly those who are external to the organization.

431
Q

Verbose error messages and unhandled exceptions can result in which of the following software security threats?

A. spoofing
B. tampering
C. repudiation
D. information disclosure

A

D. information disclosure

Information disclosure is primarily a design issue and therefore is a language independent problem, although with accidental leakage, many newer high level languages can worsen the problem by providing verbose error messages that might be helpful to attackers in their information gathering (reconnaissance) efforts. It must be recognized that there is a tricky balance between providing the user with helpful information about errors and preventing attackers from learning about the internal details and architecture of the software. From a security standpoint, it is advisable not to disclose verbose error messages and still provide the users with a helpline to get additional support.

432
Q

Code signing can provide all of the following EXCEPT

A. anti tampering protection
B. authenticity of code origin
C. runtime permissions for code
D. authentication of users

A

D. authentication of users

Code signing can provide all of the following: anti-tampering protection assuring the integrity of code, authenticity (not authentication) of code origin, and runtime permissions for the code to access system resources. The primary benefit of code signing is that it provides users with the identity of the software’s creator, which is particularly important for mobile code, i.e., code that is downloaded from a remote location over the internet.

433
Q

When an attacker uses delayed error messages between successful and unsuccessful query probes, he is using which of the following side channel techniques to detect injection vulnerabilities?

A. distant observation
B. cold boot
C. power analysis
D. timing

A

D. timing

Poorly designed and implemented systems are expected to be insecure, but most well designed and implemented systems also have subtle gaps between their abstract models and their physical realization due to the existence of side channels. A side channel is a potential source of information flow from a physical system to an adversary, beyond what is available via the conventional (abstract) model. These range from subtle observation of timing, electromagnetic radiation, power usage, analog signals, acoustic emanations, etc. The use of non-conventional and specialized techniques along with physical access to the target system to discover information is characteristic of side channel attacks. The analysis of delayed error messages between successful and unsuccessful query probes is a form of timing side channel attack.

434
Q

When the code is not allowed to access memory at arbitrary locations that are out of range of the memory address space that belongs to the object’s publicly exposed fields, it is referred to as which of the following types of code?

A. object code
B. type safe code
C. obfuscated code
D. source code

A

B. type safe code

Code is said to be type safe if it only accesses memory resources that do not belong to the memory assigned to it. Type safety verification takes place during the Just In Time (JIT) compilation phase and prevents unsafe code from becoming active. Although you can disable type safety verification, it can lead to unpredictable results. The best example is that code can make unrestricted calls to unmanaged code, and if that code has malicious intent, the results can be severe. Therefore, the framework only allows fully trusted assemblies to bypass verification. Type safety is a form of ‘sandboxing’. Type safety must be one of the most important considerations with regard to security when selecting a programming language and phasing out older generation programming languages.

435
Q

When the runtime permissions of the code are defined as security attributes in the metadata of the code it is referred to as

A. imperative syntax security
B. declarative syntax security
C. code signing
D. code obfuscation

A

B. declarative syntax security

Declarative syntax addresses the ‘what’ part of an action, whereas imperative syntax tries to deal with the ‘how’ part. When security requests are made in the form of attributes (in the metadata of the code), it is referred to as declarative security. It does not precisely define the steps as to how the security will be realized. When security requests are made through programming logic within a function or method body, it is referred to as imperative security. Declarative security is an ‘all or nothing’ kind of implementation, while imperative security offers greater levels of granularity and control, because the security requests run as lines of code intermixed with the application code.

436
Q

When an all or nothing approach to code access security is not possible and business rules and permissions need to be set and managed more granularly within inline code, functions and modules, a programmer can leverage which of the following?

A. cryptographic agility
B. parametric polymorphism
C. declarative security
D. imperative security

A

D. imperative security

When security requests are made in the form of attributes, it is referred to as declarative security. It does not precisely define the steps as to how the security will be realized. Declarative syntax actions can be evaluated without running the code because attributes are stored as part of an assembly’s metadata, while imperative security actions are stored as Intermediate Language (IL). This means that imperative security actions can be evaluated only when the code is running. Declarative security actions are checked before a method is invoked and are placed at the class level, being applicable to all methods in that class, unlike imperative security. Declarative security is an ‘all or nothing’ kind of implementation, while imperative security offers greater levels of granularity and control, because the security requests run as lines of code intermixed with the application code.

437
Q

An understanding of which of the following programming concepts is necessary to protect against memory manipulation buffer overflow attacks? Choose the best answer.

A. error handling
B. exception management
C. locality of reference
D. generics

A

C. locality of reference

Computer processors tend to access memory in a very patterned way. For example, in the absence of branching, if memory location X is accessed at time t, there is a high probability that memory location X+1 will also be accessed in the near future. This kind of clustering of memory references into groups is referred to as locality of reference. The basic forms of locality of reference are temporal (based on time), spatial (based on address space), branch conditional and equidistant (somewhere between spatial and branch, using simple linear functions that look for equidistant locations of memory to predict which location will be accessed in the near future). While this is good from a performance vantage point, it can lead to an attacker predicting memory address spaces and causing memory corruption and buffer overflow.

438
Q

Exploit code attempts to take control of dangling pointers which

A. are references to memory locations of destroyed objects.
B. is the non-functional code that is left behind in the source.
C. is the payload code that the attacker uploads into memory to execute.
D. are references in memory locations that are used prior to being initialized.

A

A. are references to memory locations of destroyed objects.

A dangling pointer, also known as a stray pointer, occurs when a pointer points to an invalid memory address. This is often observed when memory management is left to the developer. Dangling pointers are usually created in one of two ways: an object is destroyed (freed) but the reference to the object is not reassigned and is later used, or a local object is popped from the stack when the function returns but a reference to the stack allocated object is still maintained. Attackers write exploit code to take control of dangling pointers so that they can move the pointer to where their arbitrary shell code is injected.

439
Q

Which of the following is a feature of most recent operating systems (OS) that makes it difficult for an attacker to guess the memory address of the program as it makes the memory address different each time the program is executed?

A. data execution prevention (DEP)
B. executable space protection (ESP)
C. address space layout randomization (ASLR)
D. safe security exception handler (SAFESEH)

A

C. address space layout randomization (ASLR)

In the past, the memory manager would try to load binaries at the same location in the linear address space each time the program was run. This behavior made it easier for shell coders by ensuring that certain modules of code would always reside at a fixed address and could be referenced in exploit code using raw numeric literals. Address space layout randomization (ASLR) is a feature in newer operating systems (introduced in Windows Vista) which deals with this predictable and direct referencing issue. ASLR makes the binary load at a random address each time the program is run.

440
Q

When the source code is made obscure using special programs in order to make the readability of the code difficult when disclosed, the code is also known as

A. object code
B. obfuscated code
C. encrypted code
D. hashed code

A

B. obfuscated code

Reverse engineering is used to infer how a program works by inspecting it. Code obfuscation, which makes the readability of code extremely difficult and confusing, can be used to deter (not prevent) reverse engineering attacks. Obfuscating code is not detective or corrective in its implementation.

441
Q

The ability to track ownership changes in code and rollback abilities is possible because of which of the following configuration management processes?

A. version control
B. patching
C. audit logging
D. change control

A

A. version control

The ability to track ownership, changes in code and rollback abilities is possible because of versioning, which is a configuration management process. Release management of software should include proper source code control and versioning. A phenomenon known as ‘regenerative bugs’ is often observed when it comes to improper release management processes. Regenerative bugs are fixed software defects that reappear in subsequent releases of the software. This happens when the software coding defect (bug) is detected in the testing environment (such as user acceptance testing) and the fix is made in that test environment and promoted to production without retrofitting it into the development environment. The latest version in the development environment does not have the fix and the issue reappears in subsequent versions of the software.

442
Q

The MAIN benefit of statically analyzing code is that

A. runtime behavior of code can be analyzed.
B. business logic flaws are more easily detectable.
C. the analysis is performed in a production or production-like environment.
D. errors and vulnerabilities can be detected earlier in the life cycle.

A

D. errors and vulnerabilities can be detected earlier in the life cycle.

The one thing that is common in all software is source code, and this source code needs to be reviewed from a security perspective to ensure that security vulnerabilities are detected and addressed before the software is released into the production environment or to customers. Code review is the process of systematically analyzing the code for insecure and inefficient coding issues. In addition to static analysis, which reviews code before it goes live, there are also dynamic analysis tools which conduct automated scans of applications in production to unearth vulnerabilities. In other words, dynamic tools test from the outside in, while static tools test from the inside out. Just because the code compiles without any errors, it does not necessarily mean that it will run without errors at runtime. Dynamic tests are useful to get a quick assessment of the security of the applications. They also come in handy when source code is not available for review.

443
Q

Cryptographic protection includes all of the following EXCEPT

A. encryption of data when it is processed.
B. hashing of data when it is stored.
C. hiding of data within other media objects when it is transmitted.
D. masking of data when it is displayed.

A

D. masking of data when it is displayed.

Masking does not use any overt cryptography operations such as encryption, decryption, or hashing or covert operations such as data hiding as in the case of steganography to provide disclosure protection.

444
Q

Replacing the primary account number (PAN) with random or pseudo-random symbols that are uniquely identifiable and still assuring privacy is also known as

A. fuzzing
B. tokenization
C. encoding
D. canonicalization

A

B. tokenization

Tokenization is the process of replacing sensitive data with unique identification symbols that still retain the needed information about the data, without compromising its security.

445
Q

Which of the following is an implementation of the principle of least privilege?

A. sandboxing
B. tokenization
C. versioning
D. concurrency

A

A. sandboxing

Sandboxing is an example of the principle of least privilege. Running code in a sandbox (or jail) restricts the access that the code has to other system resources.

446
Q

The ability of the software to restore itself to expected functionality when the security protection that is built in is breached is also known as

A. redundancy
B. recoverability
C. resiliency
D. reliability

A

B. recoverability

When the software performs as it is expected to, it is said to be reliable. When errors occur, the reliability of software is impacted and the software needs to be able to restore itself to expected operations. The ability of the software to be restored to normal expected operations is referred to as recoverability. The ability of the software to withstand attacks against its reliability is referred to as resiliency. Redundancy is about availability, and reconnaissance is related to information gathering as in fingerprinting/footprinting.

447
Q

In which of the following software development methodologies does unit testing enable collective code ownership and is critical to software assurance?

A. waterfall
B. agile
C. spiral
D. prototyping

A

B. agile

Unit testing enables collective code ownership. Collective code ownership encourages everyone to contribute new ideas to all segments of the project. Any developer can change any line of code to add functionality, fix bugs or refactor. No one person becomes a bottleneck for changes. The way this works is for each developer, working in concert (usually more so in agile methodologies than in the traditional model), to create unit tests for his/her code as it is developed. All code that is released into the source code repository includes unit tests. Code that is added, bugs as they are fixed and old functionality as it is changed will be covered by automated testing.

448
Q

Which of the secure design principles is promoted when test harnesses are used?

A. Least privilege
B. Separation of duties
C. leveraging existing components
D. psychological acceptability

A

C. leveraging existing components

Test harnesses promote the principle of leveraging existing components, since a harness can be reused by multiple projects once it is set up.

449
Q

The use of IF-THEN rules is characteristic of which of the following types of software testing?

A. logic
B. scalability
C. integration
D. unit

A

A. logic

IF-THEN rules are constructs of logic, and when these constructs are used for software testing it is generally referred to as logic testing.

450
Q

The implementation of secure features such as complete mediation and data replication needs to undergo which of the following types of tests to ensure that the software meets the service level agreements (SLA)?

A. stress
B. unit
C. integration
D. regression

A

A. stress

Tests that assure that the service level requirements are met are characteristic of performance testing. Load and stress testing are types of performance tests: stress testing is done by starving the software of resources, while load testing is done by subjecting the software to extreme volumes or load.

451
Q

Tests that are conducted to determine the breaking point of the software after which the software will no longer be functional is characteristic of which of the following types of software testing?

A. regression
B. stress
C. integration
D. simulation

A

B. stress

The goal of stress testing is to determine if the software will continue to operate reliably under duress or extreme conditions. Often the resources that the software needs are taken away from the software and the software’s behavior is observed as part of the stress test.

452
Q

Which of the following tools or techniques can be used to facilitate the white box testing of software for insider threats?

A. source code analyzers
B. fuzzers
C. banner grabbing software
D. scanners

A

A. source code analyzers

White box testing or structural analysis is about testing the software with prior knowledge of the code and configuration. Source code review is a type of white box testing. Embedded code issues such as Trojan horses, logic bombs etc. that are implanted by insiders can be detected using source code analyzers.

453
Q

When very limited or no knowledge of the software is made known to the software tester before she can test to its resiliency, it is characteristic of which of the following types of security tests?

A. white box
B. black box
C. clear box
D. glass box

A

B. black box

In black box or behavioral testing, test conditions are developed on the basis of the program’s or system’s functionality; that is, the tester requires information about the input data and observed output, but does not know how the program or system works. The tester focuses on testing the program’s behavior (or functionality) against the specification. With black box testing the tester views the program as a black box and is completely unconcerned with the internal structure of the program or system. White box testing is also referred to as clear box or glass box testing. Gray box testing is a software testing technique that uses a combination of black box and white box testing.

454
Q

Penetration testing must be conducted with properly defined

A. rules of engagement.
B. role based access control mechanisms.
C. threat models.
D. use cases.

A

A. rules of engagement.

Penetration testing must be controlled and not ad hoc in nature with properly defined rules of engagement.

455
Q

Testing for the randomness of session identifiers and the presence of auditing capabilities provides the software team insight into which of the following security controls?

A. availability
B. authentication
C. non-repudiation
D. authorization

A

C. non-repudiation

When session management is in place it provides for authentication, and when authentication is combined with auditing capabilities it provides non-repudiation, i.e., the authenticated user cannot claim broken sessions and intercepted authentication and deny their user actions, because the audit logs record their actions.

456
Q

Disassemblers, debuggers and decompilers can be used by security testers to PRIMARILY determine which of the following types of coding vulnerabilities?

A. injection flaws
B. lack of reverse engineering protection
C. cross-site scripting
D. broken session management

A

B. lack of reverse engineering protection

Disassemblers, debuggers and decompilers are utilities that can be used for reverse engineering software, and software testers should have these utilities in their list of tools to validate protection against reversing.

457
Q

When reporting a software security defect in the software, which of the following also needs to be reported so that variance from intended behavior of the software can be determined?

A. defect identifier
B. title
C. expected results
D. tester name

A

C. expected results

Knowledge of the expected results along with the defect information can be used to determine the variance between what the result needs to be and what is deficient.

458
Q

An attacker analyzes the response from the web server which indicates that its version is the Microsoft Internet Information Server 6.0 (Microsoft-IIS/6.0) but none of the IIS exploits that the attacker attempts to execute on the web server are successful. Which of the following is the MOST probable security control that is implemented?

A. hashing
B. cloaking
C. masking
D. watermarking

A

B. cloaking

Detection of web server versions is usually done by analyzing HTTP responses. This process is known as banner grabbing. But an administrator can change the information that gets reported, and this process is known as cloaking. Banner cloaking is a security through obscurity approach to protect against version enumeration.

459
Q

Smart fuzzing is characterized by injecting

A. truly random data without any consideration for the data structure
B. variations of data structures that are known
C. data that get interpreted as commands by a backend interpreter.
D. scripts that are reflected and executed on the client browser.

A

B. variations of data structures that are known

The process of sending random data to test the security of an application is referred to as ‘fuzzing’ or ‘fuzz testing’. There are two levels of fuzzing: dumb fuzzing and smart fuzzing. Sending truly random data, known as dumb fuzzing, often doesn’t yield great results and has the potential of bringing the software down, causing a Denial of Service (DoS). If the code being fuzzed requires data to be in a certain format but the fuzzer does not create data in that format, most of the fuzzed data will be rejected by the application. The more knowledge the fuzzer has of the data format, the more intelligent it can be at creating data. These more intelligent fuzzers are known as smart fuzzers.

460
Q

Which of the following is the MOST important to ensure, as part of security testing, when the software is forced to fail? Choose the BEST answer.

A. normal operational functionality is not restored automatically.
B. access to all functionality is denied.
C. confidentiality, integrity and availability are not adversely impacted.
D. end users are adequately trained and self help is made available for the end user to fix the error on their own.

A

C. confidentiality, integrity and availability are not adversely impacted.

As part of security testing, the principle of failsafe must be assured. This means confidentiality, integrity and availability are not adversely impacted when the software fails. As part of general software testing, the recoverability of the software i.e., restoration of the software to normal operation functionality is an important consideration, but it need not always be an automated process.

461
Q

Timing and synchronization issues such as race conditions and resource deadlocks can be MOST LIKELY identified by which of the following tests? Choose the BEST answer

A. integration
B. stress
C. unit
D. regression

A

B. stress

Race conditions and resource exhaustion issues are more likely to be identified when the software is starved of the resources that it expects as is done during stress testing.

462
Q

The PRIMARY objective of resiliency testing of software is to determine:

A. the point at which the software will break.
B. if the software can restore itself to normal business operations.
C. the presence and effectiveness of risk mitigation controls.
D. how a blackhat would circumvent access control mechanisms.

A

C. the presence and effectiveness of risk mitigation controls.

Security testing must include both external (blackhat) and insider threat analysis, and it should be more than just testing for the ability to circumvent access control mechanisms. The resiliency of software is the ability of the software to withstand attacks. The presence and effectiveness of risk mitigation controls increase the resiliency of the software.

463
Q

The ability of the software to withstand attempts of attackers who intend to breach the security protection that is built in is also known as

A. redundancy.
B. recoverability.
C. resiliency.
D. reliability

A

C. resiliency.

Resiliency of software is defined as the ability of the software to withstand attacker attempts.

464
Q

Drivers and stub based programming are useful to conduct which of the following tests?

A. integration
B. regression
C. unit
D. penetration

A

C. unit

In order for unit testing to be thorough, the unit/module and the environment for the execution of the module need to be complete. The necessary environment includes the modules that either call or are called by the unit of code being tested. Stubs and drivers are designed to provide the complete environment for a module so that unit testing can be carried out. A stub procedure is a dummy procedure that has the same input/output (I/O) parameters as the given procedure. A driver module should have the code to call the different functions of the module under test with appropriate parameter values for testing. In layman’s terms, the driver module is akin to the caller and the stub module can be seen as the callee.

465
Q

Assurance that the software meets the expectations of the business as defined in the service level agreements (SLAs) can be demonstrated by which of the following types of tests?

A. unit
B. integration
C. performance
D. regression

A

C. performance

Assurance that the software meets the expectations of the business as defined in the service level agreements (SLA) can be demonstrated by performance testing. Once the importance of the performance of an application is known, it is necessary to understand how various factors affect the performance. Security features can have an impact on performance, and this must be checked to ensure that service level requirements can be met.

466
Q

Vulnerability scans are used to

A. measure the resiliency of the software by attempting to exploit weaknesses
B. detect the presence of loopholes and weaknesses in the software.
C. detect the effectiveness of security controls that are implemented in the software.
D. measure the skills and technical know-how of the security tester.

A

B. detect the presence of loopholes and weaknesses in the software.

A vulnerability is a weakness (or loophole), and vulnerability scans are used to detect the presence of weaknesses in software.

467
Q

In the context of test data management, when a transaction which serves no business purpose is tested, it is referred to as what kind of transaction?

A. non-synthetic
B. synthetic
C. useless
D. discontinuous

A

B. synthetic

Synthetic transactions refer to transactions that serve no business value. Querying order information of a ‘dummy’ customer is an example of a synthetic transaction. They are not necessarily useless.

468
Q

As part of the test data management strategy, when criteria are applied to export selective information from a production system to the test environment, it is also referred to as

A. subletting
B. filtering
C. validation
D. subsetting

A

D. subsetting

The defining of subset criteria to export only certain kinds of information from the production environment to the test environment is also known as subsetting.

469
Q

Your organization has the policy to attest the security of any software that will be deployed into the production environment. A third party vendor software is being evaluated for its readiness to be deployed. Which of the following verification and validation mechanism can be employed to attest the security of the vendor’s software?

A. source code review
B. threat modeling the software
C. black box testing
D. structural analysis

A

C. black box testing

Since third party vendor software is often received in object code form, access to source is usually not provided and structural analysis (white box) or source code analysis is not possible. Also, looking into the source code or a source-code look-alike obtained by reverse engineering without explicit permission can have legal ramifications. Additionally, without documentation on the architecture and software makeup, a threat modeling exercise would most likely be incomplete. License validation is primarily used for curtailing piracy and is a component of verification and validation mechanisms. Black box testing can be employed to attest the security of third party vendor software.

470
Q

To meet goals of software assurance, when accepting software, the acquisition phase MUST include processes to

A. verify that installation guides and training manuals are provided.
B. assess the presence and effectiveness of protection mechanisms.
C. validate vendor’s software products.
D. assist the vendor in responding to the request for proposals.

A

B. assess the presence and effectiveness of protection mechanisms.

To maintain the confidentiality, integrity and availability of software and the data it processes, prior to the acceptance of software, vendor claims of security must be assessed not only for their presence but also their effectiveness within your computing ecosystem.

471
Q

The process of evaluating software to determine whether the products of a given development phase satisfy the conditions imposed at the start of the phase is referred to as

A. verification
B. validation
C. authentication
D. authorization

A

A. verification

Verification is defined as the process of evaluating software to determine whether the products of a given development phase satisfy the conditions imposed at the start of the phase. In other words, verification ensures that the software performs as it is required and designed to. Validation is the process of evaluating software during or at the end of the development process to determine whether it satisfies specified requirements. In other words, validation ensures that the software meets required specifications.

472
Q

When verification activities are used to determine if the software is functioning as it is expected to, it provides insight into which of the following aspects of software assurance?

A. redundancy
B. reliability
C. resiliency
D. recoverability

A

B. reliability

Verification ensures that the software performs as it was required and designed to, which is a measure of the software’s reliability.

473
Q

When procuring software the purchasing company can request the evaluation assurance levels (EALs) of the software product which is determined using which of the following evaluation methodologies?

A. Operationally Critical Assets Threats and Vulnerability Evaluation (OCTAVE)
B. Security Quality Requirements Engineering (SQUARE)
C. Common Criteria
D. Comprehensive, Lightweight Application Security Process (CLASP)

A

C. Common Criteria

The Common Criteria (ISO 15408) is a security product evaluation methodology with clearly defined ratings, such as Evaluation Assurance Levels (EALs). In addition to assurance validation, the Common Criteria also validates software functionality against the security target. EAL ratings assure the owner of the assurance capability of the software/system, and so the Common Criteria is also referred to as an owner assurance model.

474
Q

The FINAL activity in the software acceptance process is the go/no go decision that can be determined using

A. regression testing
B. integration testing
C. unit testing
D. user acceptance testing

A

D. user acceptance testing

The end users of the business have the final say on whether the software can be deployed or not. User acceptance testing (UAT) is used to determine the readiness of the software for deployment to the production environment or release to an external customer.

475
Q

Management’s formal acceptance of the system after an understanding of the residual risks to that system in the computing environment is also referred to as

A. patching
B. hardening
C. certification
D. accreditation

A

D. accreditation

While certification is the assessment of the technical and nontechnical security controls of the software, accreditation is a management activity that assures that the software has adequate levels of software assurance protection mechanisms.

476
Q

You determine that legacy software running in your computing environment is susceptible to Cross Site Request Forgery (CSRF) attacks because of the way it manages sessions. The business has the need to continue use of this software, but you do not have the source code available to implement security controls in code as a mitigation measure against CSRF attacks. What is the BEST course of action to undertake in such a situation?

A. Avoid the risk by forcing the business to discontinue use of the software.
B. Accept the risk with a documented exception
C. Transfer the risk by buying insurance
D. Ignore the risk since it is legacy software.

A

B. Accept the risk with a documented exception

When there are known vulnerabilities in legacy software and there is not much you can do to mitigate the vulnerabilities, it is recommended that the business accepts the risk with a documented exception to the security policy. When accepting this risk, the exception to policy process must ensure that there is a contingency plan in place to address the risk by either replacing the software with a new version or discontinuing its use (risk avoidance). Transferring the risk may not be a viable option for legacy software that is already in your production environment and one must never ignore the risk or take the vulnerable software out of the scope of an external audit.

477
Q

As part of the accreditation process, the residual risk of a software evaluated for deployment must be accepted formally by the

A. board members and executive management
B. business owner
C. information technology (IT) management
D. security organization

A

B. business owner

Risk must always be accepted formally by the business owner.

478
Q

When software that worked without any issues in the test environments fails to work in the production environment, it is indicative of

A. inadequate integration testing
B. incompatible environment configurations.
C. incomplete threat modeling
D. ignored code review

A

B. incompatible environment configurations.

When the production environment does not mirror the development or test environments, software that works fine in non-production environments is observed to experience issues when it is deployed into the production environment; this stresses the need for simulation testing.

479
Q

Which of the following is not characteristic of good security metrics?

A. quantitatively expressed
B. objectively expressed
C. contextually relevant
D. collected manually

A

D. collected manually

A good security metric is expressed quantitatively and is contextually accurate. Irrespective of how many times the metric is collected, the results are not significantly variant. Good metrics are usually collected in an automated manner so that the collector’s subjectivity does not come into effect.

480
Q

Removal of maintenance hooks, debugging code and flags, and unneeded documentation before deployment are all examples of software

A. hardening
B. patching
C. reversing
D. obfuscation

A

A. hardening

Locking down software by reducing its attack surface, that is, by removing unneeded code and documentation, is referred to as software hardening. Before hardening the software, it is crucially important to harden the operating system of the host on which the software program will be run.

481
Q

Which of the following has the goal of ensuring that the resiliency levels of software are always above the acceptable risk threshold as defined by the business post deployment?

A. threat modeling
B. code review
C. continuous monitoring
D. regression testing

A

C. continuous monitoring

Operations security is about staying secure by keeping the resiliency levels of the software above the acceptable risk levels. It is the assurance that the software will continue to function as expected in a reliable fashion for the business, without compromising its state of security, by monitoring, managing and applying the needed controls to protect resources (assets).

482
Q

Logging application events such as failed login attempts, sales price updates and user roles configuration for audit review at a later time is an example of which of the following type of security control?

A. preventive
B. corrective
C. compensating
D. detective

A

D. detective

Audit logging is a type of detective control. When users are made aware that their activities are logged, audit logging can also function as a deterrent control, but it is primarily used for detective purposes. Audit logs can be used to build the sequence of historical events and give insight into who (subject, such as a user or process) did what (action), where (object) and when (timestamp).

483
Q

When a compensating control is to be used, the Payment Card Industry Data Security Standard (PCI DSS) prescribes that the compensating control must meet all of the following guidelines EXCEPT

A. meet the intent and rigor of the original requirement.
B. provide an increased level of defense than the original requirement.
C. be implemented as part of a defense in depth measure.
D. be commensurate with the additional risk imposed by not adhering to the requirement.

A

B. provide an increased level of defense than the original requirement.

PCI DSS prescribes that the compensating control that is used must provide a similar level of defense as the original requirement, not an increased level.

484
Q

Versioning, backups, check-in and check-out practices are all important components of

A. patch management
B. release management
C. problem management
D. incident management

A

B. release management

It is extremely important that versioning, backups, check-in and check-out practices are all managed as part of the release management process.

485
Q

Software that is deployed in a high trust environment such as the environment within the organizational firewall when not continuously monitored is MOST susceptible to which of the following types of security attacks? Choose the BEST answer.

A. distributed denial of service (DDoS)
B. malware
C. logic bombs
D. DNS poisoning

A

C. logic bombs

Logic bombs can be planted by an insider, and when the internal network is not monitored, the likelihood of these is much higher.

486
Q

Bastion host systems can be used to continuously monitor the security of the computing environment when they are used in conjunction with intrusion detection systems (IDS) and which other security control?

A. authentication
B. authorization
C. archiving
D. auditing

A

D. auditing

IDS and auditing are both detective types of controls which can be used to continuously monitor the security health of the computing environment.

487
Q

The FIRST step in the incident response process of a reported breach is to

A. notify management of the security breach.
B. research the validity of the alert or event further.
C. inform potentially affected customers of a potential breach.
D. conduct an independent third party evaluation to investigate the reported breach.

A

B. research the validity of the alert or event further.

Upon the report of a breach, it is important to go into a triaging phase in which the validity and severity of the alert/event is investigated further. This reduces the number of false positives that are reported to management.

488
Q

Which of the following is the BEST recommendation to champion security objectives within the software development organization?

A. informing the developers that they could lose their jobs if their software is breached.
B. informing management that the organizational software could be hacked.
C. informing the project team about the recent breach of the competitor’s software.
D. informing the development team that there should be no injection flaws in the payroll application.

A

D. informing the development team that there should be no injection flaws in the payroll application.

Using security metrics over Fear, Uncertainty and Doubt (FUD) is the best recommendation to champion security objectives within the software development organization.

489
Q

Which of the following independent processes provides insight into the presence and effectiveness of security and privacy controls and is used to determine the organization’s compliance with regulatory and governance (policy) requirements?

A. penetration testing
B. audits
C. threat modeling
D. code review

A

B. audits

Periodic audits (both internal and external) can be used to assess the overall state of security health of the organization.

490
Q

The process of using regular expressions to parse audit logs into information that indicates security incidents is referred to as

A. correlation
B. normalization
C. collection
D. visualization

A

B. normalization

To normalize logs means that duplicate and redundant information is removed from the logs after the time is synchronized for each log set and the logs are parsed to deduce patterns that are identified in the correlation phase.

491
Q

The FINAL stage of the incident management process is

A. detection
B. containment
C. eradication
D. recovery

A

D. recovery

The incident response process involves preparation, detection, analysis, containment, eradication and recovery. The goal of incident management is to restore (recover) service to normal business operations.

492
Q

Problem management aims to improve the value of Information Technology to the business because it improves service by

A. restoring service to the expectation of the business user.
B. determining the alerts and events that need to be continuously monitored.
C. depicting incident information in easy to understand user friendly format.
D. identifying and eliminating the root cause of the problem.

A

D. identifying and eliminating the root cause of the problem.

The goal of problem management is to identify and eliminate the root cause of the problem. All of the other definitions are related to incident management. The goal of incident management is to restore service while the goal of problem management is to improve service.

493
Q

The process of releasing software to fix a recently reported vulnerability without introducing any new features or changing hardware configuration is referred to as

A. versioning
B. hardening
C. patching
D. porting

A

C. patching

Patching is the process of applying updates and hot fixes. Porting is the process of adapting software so that an executable program can be created for a computing environment that is different from the one for which it was originally designed (e.g. a different processor architecture, operating system or third party software library).

494
Q

Fishbone diagramming is a mechanism that is PRIMARILY used for which of the following processes?

A. threat modeling
B. requirements analysis
C. network deployment
D. root cause analysis

A

D. root cause analysis

Ishikawa diagrams or fishbone diagrams are used to identify the cause and effect of a problem and are commonly used to determine the root cause of the problem.

495
Q

As a means to assure the availability of the existing software functionality after the application of a patch, the patch needs to be tested for

A. the proper functioning of new features.
B. cryptographic agility.
C. backward compatibility.
D. the enabling of previously disabled services.

A

C. backward compatibility.

Regression testing of patches is crucial to ensure that there are no new side effects and that all previous functionality is still available as expected.

496
Q

Which of the following policies needs to be established to securely dispose of software and associated data and documents?

A. end-of-life
B. vulnerability management
C. privacy
D. data classification

A

A. end-of-life

End-of-Life (EOL) policies are used for disposing of code, configuration and documents based on organizational and regulatory requirements.

497
Q

Discontinuing software with known vulnerabilities in favor of a newer version is an example of risk

A. mitigation
B. transference
C. acceptance
D. avoidance

A

D. avoidance

When software with known vulnerabilities is replaced with a secure version, it is an example of avoiding the risk. It is not transference, as the new version may not have the same risks. It is not mitigation since no controls are implemented to address the risk of the old software. It is not acceptance, since the risk of the software is replaced with the risk of the newer version. It is not ignorance, because the risk is not left unhandled.

498
Q

Printer ribbons, facsimile transmissions and printed information, when not securely disposed of, are susceptible to disclosure attacks by which of the following threat agents? Choose the BEST answer.

A. malware
B. dumpster divers
C. social engineers
D. script kiddies

A

B. dumpster divers

Dumpster divers are threat agents that can steal information from printed media (printer ribbons, facsimile transmissions and printed paper).

499
Q

System resources can be protected from malicious file execution attacks by uploading the user supplied file and running it in which of the following environments?

A. honeypot
B. sandbox
C. simulated
D. production

A

B. sandbox

Preventing malicious file execution attacks takes some careful planning during the architectural and design phases of the SDLC, through thorough testing. In general, a well-written application will not use user-supplied input or any filename for any server-based resource (such as images, XML and XSL transform documents, or script inclusions), and will have firewall rules in place preventing new outbound connections to the Internet or internally back to any other server. However, many legacy applications continue to have a need to accept user supplied input and files without the adequate levels of validation built in. When this is the case, it is advisable to separate the production environment and upload the files to a sandbox environment before the files can be processed.

500
Q

As a means to demonstrate the improvement in the security of code that is developed, one must compute the relative attack surface quotient (RASQ)

A. at the end of development phase of the project
B. before and after the code is implemented
C. before and after the software requirements are complete
D. at the end of the deployment phase of the project

A

B. before and after the code is implemented

In order to understand if there is an improvement in the resiliency of the software code, the RASQ (which attempts to quantify the number and kinds of vectors available to an attacker) needs to be computed before and after code development is completed and the code is frozen.

501
Q

Modifications to data directly in the database by developers must be prevented by

A. periodically patching database servers
B. implementing source code version control
C. logging all database access requests
D. proper change control management

A

D. proper change control management

Proper change control management is useful to provide separation of duties as it can prevent direct access to backend databases by developers.

502
Q

Which of the following documents is the BEST source to contain damage and which needs to be referred to and consulted with upon the discovery of a security breach?

A. disaster recovery plan
B. project management plan
C. incident response plan
D. quality assurance and testing plan

A

C. incident response plan

An Incident Response Plan (IRP) must be developed and tested for completeness as it is the document that one should refer to and follow in the event of a security breach. The effectiveness of an IRP is dependent on the awareness of users on how to respond to an incident and increased awareness can be achieved by proper education and training.

503
Q

The increased need for security in the software supply chain is PRIMARILY attributed to

A. cessation of development activities within a company
B. increase in the number of foreign trade agreements
C. incidences of malicious code and logic found in acquired software
D. decrease in the trust of consumers on software developed within a company

A

C. incidences of malicious code and logic found in acquired software

Although there is an increase in the offshoring and outsourcing activities, complete cessation of software development activities within a company is not usually the case. Increases in foreign trade agreements have opened up markets, but this is not the primary driver for the increased need for security in the software supply chain. Software developed within a company is likely to be more trusted than ones developed outside the purview of a company’s control. An observable increase of malicious code and logic implanted in software that is acquired has made the need for security in the supply chain no longer optional.

504
Q

Which phase of the acquisition life cycle involves the issuance of advertisements to source and evaluate suppliers?

A. contracting
B. planning
C. development
D. delivery (Handover)

A

A. contracting

After the planning phase and before the development phase of the acquisition life cycle comes the contracting phase: the sourcing of suppliers, the evaluation of their responses and the issuance of a contract award to the winning supplier.

505
Q

Predictable execution means that the software demonstrates all the following qualities EXCEPT

A. authenticity
B. conformance
C. authorization
D. trustworthiness

A

C. authorization

The three goals of the software supply chain are conformance, trustworthiness and authenticity.

506
Q

Which of the following is a process threat in the software supply chain?

A. counterfeit software
B. insecure code transfer
C. subornation
D. piracy

A

B. insecure code transfer

Counterfeit and pirated software are product threats. Subornation is a people threat. Transferring code without appropriate security controls is indicative of a breakdown in the process and is deemed a process threat.

507
Q

In the context of the software supply chain, the principle of persistent protection is also known as

A. End-to-end encryption
B. location agnostic protection
C. locality of reference
D. cryptographic agility

A

B. location agnostic protection

End-to-end encryption and cryptographic agility are concepts that are tied to cryptography to assure protection against unauthorized disclosure. Locality of reference is a memory management concept. Location agnostic protection means that the security of the software is not dependent on where (location) it is developed, but instead on the maturity of the software development practices. This is the one concept that is related to the software supply chain.

508
Q

In pre-qualifying a supplier, which of the following must be assessed to ensure that the supplier can provide timely updates and hotfixes when an exploitable vulnerability in their software is reported?

A. foreign ownership and control or influence
B. security track record
C. security knowledge of the supplier’s personnel
D. compliance with security policies, regulator and privacy requirements.

A

B. security track record

While all of the option choices need to be evaluated, the supplier’s past performance (track record) can be used to determine if the supplier is capable of providing timely updates and hotfixes.

509
Q

Which of the following can provide insight into the effectiveness and efficiencies of the supply chain processes as it pertains to assuring trust and software security?

A. Key Performance Indicators (KPI)
B. Relative Attack Surface Quotient (RASQ)
C. Maximum tolerable Downtime (MTD)
D. Requirements Traceability Matrix (RTM)

A

A. Key Performance Indicators (KPI)

RASQ is computed to determine the attackability of software. MTD is a business continuity and disaster recovery concept. RTMs are used to trace deviations from expected functionality. When KPIs are evaluated and managed, they can provide insight into the effectiveness and efficiencies of the supply chain processes as it pertains to assuring trust and software security.

510
Q

Which of the following contains the security requirements and the evidence needed to prove that the acquirer requirements are met as expected?

A. Software Configuration Management Plan
B. Minimum Security Baseline
C. Service Level Agreements
D. Assurance Plan

A

D. Assurance Plan

An assurance plan addresses the development and maintenance of an assurance case for software and the assurance case contains the required security requirements and the evidence needed to prove that the supplier meets the assurance needs of the acquirer.

511
Q

The difference between disclaimer-based protection and contracts-based is that

A. contracts-based protection is mutual
B. disclaimer-based protection is mutual
C. contracts-based protection is done by one-sided notification of terms
D. disclaimer-based protection is legally binding

A

A. contracts-based protection is mutual

Unlike disclaimer-based protection, wherein there exists only a one-sided notification of terms, contracts require that both parties engaged in the transaction mutually agree to abide by the terms of the agreement; contracts are legally binding.

512
Q

Software programs, database models and images on a website can be protected using which of the following legal instruments?

A. patents
B. copyright
C. trademarks
D. trade secret

A

B. copyright

Patents protect an idea while copyrights protect the expression of an idea; software programs, database models and images on a website are expressions of an idea. Trade secrets ensure that the company has a competitive advantage and are not disclosed, while trademarks are disclosed to uniquely identify a manufacturer.

513
Q

You find out that employees in your company have been downloading software files and sharing them using peer-to-peer based torrent networks; these software files are not free and need to be purchased from their respective manufacturers. Your employees are violating

A. trade secrets
B. trademarks
C. patents
D. copyrights

A

D. copyrights

Unauthorized sharing of copyrighted information such as software or music files over peer-to-peer torrent networks constitutes a copyright violation.

514
Q

Which of the following legal instruments assures the confidentiality of software programs’ processing logic, database schema, internal organizational business processes and client lists?

A. standards
B. non-disclosure agreements (NDA)
C. service level agreements (SLA)
D. trademarks

A

B. non-disclosure agreements (NDA)

Non-disclosure agreements assure the confidentiality of sensitive information such as software program processing logic, database schema, internal organizational business processes and client lists.

515
Q

When source code of Commercial Off-The-Shelf (COTS) software is escrowed and released under a free software or open source license when the original developer (or supplier) no longer continues to develop that software, that software is referred to as

A. trialware
B. demoware
C. ransomware
D. freeware

A

C. ransomware

In some situations the source code of COTS software may be escrowed and released under a free software or open source license when the original developer (supplier) no longer continues to develop that software or if stipulated fundraising conditions are met; this model is referred to as the ransom model of software publishing and the software is known as ransomware.

516
Q

Improper implementation of validity periods using length-of-use checks in code can result in which of the following types of security issues for legitimate users?

A. tampering
B. denial of service
C. authentication bypass
D. spoofing

A

B. denial of service

If the validity period set in software is not properly implemented, then legitimate users can potentially be denied service. It is therefore imperative to ensure that the duration and checking mechanism of validity periods are properly implemented.

517
Q

Your organization’s software is published as a trial version without any restricted functionality from the paid version. Which of the following MUST be designed and implemented to ensure that customers who have not purchased the software are limited in the availability of the software?

A. disclaimers
B. licensing
C. validity periods
D. encryption

A

C. validity periods

Software functionality can be restricted using validity periods, as is often observed in the ‘try-before-you-buy’ or ‘demo’ versions of software. It is recommended to have a stripped down version of the software for the demo version and, if feasible, it is advisable to include the legal team to determine the duration of the validity period (especially in the context of digital signatures and Public Key Infrastructure solutions).

518
Q

When must the supplier inform the acquirer of any applicable export control and foreign trade regulatory requirements in the countries of export and import?

A. before delivery (handover)
B. before code inspection
C. after deployment
D. before retirement

A

A. before delivery (handover)

Prior to the delivery of the software, the supplier must provide the acquirer with all the applicable export compliance requirements.

519
Q

The disadvantage of using open source software from a security standpoint is

A. only the original publisher of the source code can modify the code.
B. open source software is not supported and maintained by mature companies or communities.
C. the attacker can look into the source code to determine its exploitability.
D. open source software can only be purchased using a piece-meal approach.

A

C. the attacker can look into the source code to determine its exploitability.

Some open source software is supported and maintained by very well established companies and communities, and it does not necessarily have to be purchased as components alone and integrated; some open source software offers entire enterprise solutions which don’t require a piece-meal approach. Open source software is modifiable, and while insight into how the software is architected can be gained by the acquirer, an attacker also has the advantage of looking into the software and writing tailored exploits against it.

520
Q

Which of the following is the most important security testing process that validates and verifies the integrity of software code, components and configurations, in a software security chain?

A. threat modeling
B. fuzzing
C. penetration testing
D. code review

A

D. code review

Threat modeling primarily addresses the design aspects of software, and fuzzing and penetration testing usually deal with the software after it is deployed; the integrity of the code can be determined using code review.

521
Q

Which of the following is LEAST likely to be detected using a code review process?

A. backdoors
B. logic bombs
C. logic flaws
D. Trojan horses

A

C. logic flaws

Logic flaws or semantic issues are design related and can be detected using threat modeling. Backdoors, logic bombs and Trojan horses are code or syntactic issues and are primarily detected using a code review process. When acquiring software from a supplier, it is imperative that a code review process is in place to detect malicious code that arises from the presence of backdoors, logic bombs and Trojan horses implanted in the code.

522
Q

Which of the following security principles is LEAST related to the securing of code repositories?

A. least privilege
B. access control
C. auditing
D. open design

A

D. open design

Developers should only have access to the version of code necessary to complete their responsibilities, and only for the time period that they need to complete their operation. In other words, least privilege must be enforced on a need-to-know basis. Source code control systems (or code repositories) can provide such granular levels of access control. Identity management with auditing in place can provide accountability, so any code changes that are made and checked back into the code repositories must be traceable and identifiable to the individuals making the change; this reduces the likelihood of malicious code being implanted into the code.

523
Q

The integrity of build tools and the build environment is necessary to protect against

A. spoofing
B. tampering
C. disclosure
D. denial of service

A

B. tampering

If the integrity of the build process is questionable, and the build tools and environment are not protected, then confidence in pristine, untampered code is not assured and all efforts previously undertaken to protect the assurance of the software can be nullified.

524
Q

Which of the following kinds of security testing tool detects the presence of vulnerabilities through disassembly and pattern recognition?

A. source code scanners
B. binary code scanners
C. byte code scanners
D. compliance validators

A

B. binary code scanners

Source code and byte code scanners detect the presence of vulnerabilities in the source or byte code form of code, while binary code scanners have to disassemble the object code form while analyzing executables for vulnerabilities. Compliance validators primarily use an interview format to detect non-compliance.

525
Q

When software is developed by multiple suppliers, the genuineness of the software can be attested using which of the following processes?

A. code review
B. code signing
C. encryption
D. code scanning

A

B. code signing

Code signing is the process of encrypting the hash value of software with the publisher’s (or supplier’s) private key. This creates a unique digital signature which can be used to attest the genuineness of the software; encryption alone cannot provide such pedigree attestation. Code review and code scanning are primarily detective in nature and are used to detect the presence of vulnerabilities in the software, not to prove origin or authenticity.

526
Q

Which of the following must be controlled during handoff of software from one supplier to the next, so that no unauthorized tampering of the software can be done?

A. chain of custody
B. separation of privileges
C. system logs
D. application data

A

A. chain of custody

As software code or components move from supplier to supplier in a software supply chain, it is extremely important to make sure that the chain of custody is controlled, until the software reaches the final user or acquirer of the software, so that unauthorized tampering of the software is mitigated.

527
Q

Which of the following risk management concepts is demonstrated when using code escrows?

A. avoidance
B. transference
C. mitigation
D. acceptance

A

B. transference

Code escrows can be regarded as a form of risk transference by insurance, because it insures the licensee’s continued business operations, should the licensor no longer be alive (in the case of a sole proprietorship), go out of business, or file for bankruptcy (in the case of a corporation).

528
Q

Which of the following types of testing is crucial to conduct to determine single points of failure in a system-of-systems (SoS)?

A. unit
B. integration
C. regression
D. logic

A

B. integration

Integration testing is useful to test the interfaces and interdependencies between components that are integrated in an SoS, to reveal single points of failure or weak links that can render the entire SoS exploitable.

529
Q

When software is handed from one supplier to the next, which of the following operational processes needs to be in place so that the supplier from whom the software is acquired can no longer modify the software?

A. runtime integrity assurance
B. patching
C. termination access control
D. custom code extension checks

A

C. termination access control

Once software is handed over from one supplier to another or to the acquirer, only the receiving party’s personnel should be allowed to access and/or modify the software code components and configuration.

530
Q

The primary reason for incorporating security into the software development life cycle is to protect

A. Unauthorized disclosure of information
B. Corporate brand and reputation
C. Against hackers who intend to misuse the software
D. Developers from releasing software with security defects

A

B. Corporate brand and reputation

When security is incorporated into the software development life cycle, confidentiality, integrity, and availability can be assured and external hacker and insider threat attempts thwarted. Developers will generate more hack-resilient software with fewer vulnerabilities, but protection of the organization’s reputation and corporate brand is the primary reason for software assurance.

531
Q

The resiliency of software to withstand attacks that attempt to modify or alter data in an unauthorized manner is referred to as

A. Confidentiality
B. Integrity
C. Availability
D. Authorization

A

B. Integrity

When the software program operates as expected, it is said to be reliable or internally consistent. Reliability is an indicator of the integrity of software. Hack-resilient software is reliable (functioning as expected), resilient (able to withstand attacks), and recoverable (capable of being restored to normal operations when breached or upon error).

532
Q

The main reason as to why the availability aspects of software must be part of the organization’s software security initiatives is:

A. Software issues can cause downtime to the business.
B. Developers need to be trained in the business continuity procedures.
C. Testing for availability of the software and data is often ignored.
D. Hackers like to conduct denial of service attacks against the organization.

A

A. Software issues can cause downtime to the business.

One of the tenets of software assurance is “availability.” Software issues can cause software unavailability and downtime to the business. This is often observed as a denial of service (DoS) attack.

533
Q

Developing the software to monitor its functionality and report when the software is down and unable to provide the expected service to the business is a protection to assure which of the following?

A. Confidentiality
B. Integrity
C. Availability
D. Authentication

A

C. Availability

Confidentiality controls assure protection against unauthorized disclosure.
Integrity controls assure protection against unauthorized modifications or alterations.
Availability controls assure protection against downtime/denial of service and destruction of information.
Authentication is the mechanism to validate the claims/credentials of an entity.
Authorization covers the subject’s rights and privileges upon requested objects.

534
Q

When a customer attempts to log into his bank account, he is required to enter a number that is used only once (nonce) from the token device that was issued to the customer by the bank. This type of authentication is also known as which of the following?

A. Ownership-based authentication
B. Two factor authentication
C. Characteristic-based authentication
D. Knowledge-based authentication

A

A. Ownership-based authentication

Authentication can be achieved in one or more of the following ways: using something one knows (knowledge-based), something one has (ownership-based), and something one is (characteristic-based). Using a token device is ownership-based authentication. When more than one way is used for authentication purposes, it is referred to as multifactor authentication, and this is recommended over single-factor authentication.

535
Q

Multifactor authentication is most closely related to which of the following security design principles?

A. Separation of duties
B. Defense in-depth
C. Complete mediation
D. Open design

A

B. Defense in-depth

Having more than one way of authentication provides for a layered defense, which is the premise of the defense in depth security design principle.

536
Q

Audit logs can be used for all of the following except

A. Providing evidentiary information
B. Assuring that the user cannot deny their actions
C. Detecting the actions that were undertaken
D. Preventing a user from performing some unauthorized operations

A

D. Preventing a user from performing some unauthorized operations

Audit log information can be a detective control (providing evidentiary information) and a deterrent control when the users know that they are being audited, but it cannot prevent any unauthorized actions. When the software logs user actions, it also provides nonrepudiation capabilities because the user cannot deny their actions.

537
Q

Impersonation attacks such as man-in-the-middle (MITM) attacks in an Internet application can be best mitigated using proper

A. Configuration management
B. Session management
C. Patch management
D. Exception management

A

B. Session management

An Internet application means that the ability to manage identities as would be possible in an Intranet application is not easy and, in some cases, infeasible. Internet applications also use stateless protocols, such as HTTP or HTTPS, and this requires the management of user sessions.

538
Q

Organizations often predetermine the acceptable number of user errors before recording them as security violations. This number is otherwise known as

A. Clipping level
B. Known error
C. Minimum security baseline
D. Maximum tolerable downtime

A

A. Clipping level

The predetermined number of acceptable user errors before recording the error as a potential security incident is referred to as the clipping level. For example, if the number of allowed failed login attempts before the account is locked out is three, then the clipping level for authentication attempts is three.

539
Q

A security principle that maintains the confidentiality, integrity, and availability of the software and data, besides allowing for rapid recovery to the state of normal operations, when unexpected events occur is the security design principle of

A. Defense in-depth
B. Economy of mechanisms
C. Fail safe
D. Psychological acceptability

A

C. Fail safe

The failsafe principle prescribes that access decisions must be based on permission rather than exclusion. This means that the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design. A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, which is a safe situation since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure that may go unnoticed in normal use. This principle applies both to the outward appearance of the protection mechanism and to its underlying implementation.

540
Q

Requiring the end user to accept an “as-is” disclaimer clause before installation of your software is an example of risk

A. Avoidance
B. Mitigation
C. Transference
D. Acceptance

A

C. Transference

When an “as is” disclaimer clause is used, the risk is transferred from the publisher of the software to the user of the software.

541
Q

An instrument that is used to communicate and mandate organizational and management goals and objectives at a high level is a

A. Standard
B. Policy
C. Baseline
D. Guideline

A

B. Policy

Policies are high-level documents that communicate the mandatory goals and objectives of company management. Standards are also mandatory, but not quite at the same high level as policy. Guidelines provide recommendations on how to implement a standard. Procedures are usually step-by-step instructions of how to perform an operation. A baseline has the minimum levels of controls or configurations that need to be implemented.

542
Q

The Systems Security Engineering Capability Maturity Model is an internationally recognized standard that publishes guidelines to

A. Provide metrics for measuring the software and its behavior and using the software in a specific context of use
B. Evaluate security engineering practices and organizational management processes
C. Support accreditation and certification bodies that audit and certify information security management systems
D. Ensure that the claimed identity of personnel are appropriately verified

A

B. Evaluate security engineering practices and organizational management processes

The evaluation of security engineering practices and organizational management processes is provided as guidelines and prescribed in the Systems Security Engineering Capability Maturity Model (SSE-CMM®). The SSE-CMM is an internationally recognized standard that is published as ISO 21827.

543
Q

Which of the following is a framework that can be used to develop a risk-based enterprise security architecture by determining security requirements after analyzing the business initiatives?

A. Capability Maturity Model Integration (CMMI)
B. Sherwood Applied Business Security Architecture (SABSA)
C. Control Objectives for Information and related Technology (COBIT®)
D. Zachman Framework

A

B. Sherwood Applied Business Security Architecture (SABSA)

SABSA is a proven framework and methodology for Enterprise Security Architecture and Service Management. SABSA ensures that the needs of your enterprise are met completely and that security services are designed, delivered, and supported as an integral part of your business and IT management infrastructure.

544
Q

The property of the Biba security model that prevents the contamination of data, assuring its integrity, works by

A. Not allowing the process to write above its security level
B. Not allowing the process to write below its security level
C. Not allowing the process to read above its security level
D. Not allowing the process to read below its security level

A

A. Not allowing the process to write above its security level

The Biba integrity model prevents unauthorized modification. It states that the maintenance of integrity requires that data not flow from a receptacle of a given integrity to a receptacle of higher integrity. If a process can write above its security level, trustworthy data could be contaminated by the addition of less trustworthy data.

545
Q

Which of the following is known to circumvent the ring protection mechanisms in operating systems?

A. Cross Site Request Forgery (CSRF)
B. Cold boot
C. SQL injection
D. Rootkit

A

D. Rootkit

Rootkits are known to compromise the operating system ring protection mechanisms and masquerade as a legitimate operating system taking control of it.

546
Q

Which of the following is a primary consideration for the software publisher when selling commercial off-the-shelf (COTS) software?

A. Service level agreements
B. Intellectual property protection
C. Cost of customization
D. Review of the code for backdoors and Trojan horses

A

B. Intellectual property protection

All of the other options are considerations for the software acquirer (purchaser).

547
Q

The single loss expectancy can be determined using which of the following formulae?

A. Annualized rate of occurrence (ARO) × exposure factor
B. Probability × impact
C. Asset value × exposure factor
D. Annualized rate of occurrence (ARO) × asset value

A

C. Asset value × exposure factor

Single loss expectancy is the expected loss of a single disaster. It is computed as the product of asset value and the exposure factor: SLE = asset value × exposure factor.

548
Q

Implementing IPSec to assure the confidentiality of data when it is transmitted is an example of which type of risk?

A. Avoidance
B. Transference
C. Mitigation
D. Acceptance

A

C. Mitigation

The implementation of IPSec at the network layer helps to mitigate threats to the confidentiality of transmitted data.

549
Q

The Federal Information Processing Standard (FIPS) that prescribes guidelines for biometric authentication is

A. FIPS 46-3
B. FIPS 140-2
C. FIPS 197
D. FIPS 201

A

D. FIPS 201

Personal identity verification (PIV) of federal employees and contractors is published as FIPS 201, and it prescribes some guidelines for biometric authentication.

550
Q

Which of the following is a multifaceted security standard that is used to regulate organizations that collect, process, and/or store cardholder data as part of their business operations?

A. FIPS 201
B. ISO/IEC 15408
C. NIST SP 800-64
D. PCI DSS

A

D. PCI DSS

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

551
Q

Which of the following is the current Federal Information Processing Standard (FIPS) that specifies an approved cryptographic algorithm to ensure the confidentiality of electronic data?

A. Security Requirements for Cryptographic Modules (FIPS 140-2)
B. Data Encryption Standard (FIPS 46-3)
C. Advanced Encryption Standard (FIPS 197)
D. Digital Signature Standard (FIPS 186-3)

A

C. Advanced Encryption Standard (FIPS 197)

The advanced encryption standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into their original form, called plaintext. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.

552
Q

The organization that publishes the 10 most critical Web application security risks (Top Ten) is the

A. U.S. Computer Emergency Readiness Team (US-CERT)
B. Web Application Security Consortium (WASC)
C. Open Web Application Security Project (OWASP)
D. Forums for Incident Response and Security Teams (FIRST)

A

C. Open Web Application Security Project (OWASP)

The Open Web Application Security Project (OWASP) Top Ten provides a powerful awareness document for Web application security. The OWASP Top Ten represents a broad consensus about what the most critical Web application security flaws are.

553
Q

Which of the following must be addressed by software security requirements? Choose the best answer.

A. Technology used in building the application
B. Goals and objectives of the organization
C. Software quality requirements
D. External auditor requirements

A

B. Goals and objectives of the organization

When determining software security requirements, it is imperative to address the goals and objectives of the organization. Management’s goals and objectives need to be incorporated into the organizational security policies. While external auditor requirements, internal quality requirements, and technology are factors that need consideration, compliance with organizational policies must be the foremost consideration.

554
Q

Which of the following types of information is exempt from confidentiality requirements?

A. Directory information
B. Personally identifiable information (PII)
C. User’s card holder data
D. Software architecture and network diagram

A

A. Directory information

Information that is public is also known as directory information. The name “directory” information comes from the fact that such information can be found in a public directory, such as a phone book. When information is classified as public information, confidentiality assurance protection mechanisms are not necessary.

555
Q

Requirements that are identified to protect against the destruction of information or the software itself are commonly referred to as

A. Confidentiality requirements
B. Integrity requirements
C. Availability requirements
D. Authentication requirements

A

C. Availability requirements

Destruction is the threat against availability, as disclosure is the threat against confidentiality, and alteration is the threat against integrity.

556
Q

The amount of time by which business operations need to be restored to service levels as expected by the business when there is a security breach or disaster is known as

A. Maximum tolerable downtime (MTD)
B. Mean time before failure (MTBF)
C. Minimum security baseline (MSB)
D. Recovery time objective (RTO)

A

D. Recovery time objective (RTO)

The maximum tolerable downtime (MTD) is the maximum length of time a business process can be interrupted or unavailable without causing the business itself to fail. The recovery time objective (RTO) is the time period in which the organization should have the interrupted process running again at or near the same capacity and conditions as before the disaster/downtime. MTD and RTO are part of availability requirements. It is advisable to set the RTO to be less than the MTD.

557
Q

The use of an individual’s physical characteristics such as retinal blood patterns and fingerprints for validating and verifying the user’s identity is referred to as

A. Biometric authentication
B. Forms authentication
C. Digest authentication
D. Integrated authentication

A

A. Biometric authentication

Forms authentication has to do with usernames and passwords that are input into a form (e.g., a Web page/form). Basic authentication transmits the credentials in Base64 encoded form, while digest authentication provides the credentials as a hash value (also known as a message digest). Token-based authentication uses credentials in the form of specialized tokens and is often used with a token device. Biometric authentication uses physical characteristics to provide the credential information.

558
Q

Which of the following policies is most likely to include the following requirement? “All software processing financial transactions need to use more than one factor to verify the identity of the entity requesting access.”

A. Authorization
B. Authentication
C. Auditing
D. Availability

A

B. Authentication

When two factors are used to validate an entity’s claim and/or credentials, it is referred to as two-factor authentication, and when more than two factors are used for authentication purposes, it is referred to as multifactor authentication. It is important to determine first whether there is a need for two- or multifactor authentication.

559
Q

A means of restricting access to objects based on the identity of subjects and/or groups to which they belong is the definition of

A. Nondiscretionary access control (NDAC)
B. Discretionary access control (DAC)
C. Mandatory access control (MAC)
D. Rule-based access control

A

B. Discretionary access control (DAC)

Discretionary access control (DAC) is defined as “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.” The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. DAC restricts access to objects based on the identity of the subject and is distinctly characterized by the decision of the owner of the resource regarding who has access and their level of privileges or rights.

560
Q

Requirements that when implemented can help to build a history of events that occurred in the software are known as

A. Authentication requirements
B. Archiving requirements
C. Auditing requirements
D. Authorization requirements

A

C. Auditing requirements

Auditing requirements are those that assist in building a historical record of user actions. Audit trails can help detect when an unauthorized user makes a change or an authorized user makes an unauthorized change, both of which are cases of integrity violations. Auditing requirements not only help with forensic investigations as a detective control, but can also be used for troubleshooting errors and exceptions, if the actions of the software are tracked appropriately.

561
Q

Which of the following is the primary reason for an application to be susceptible to a man-in-the-middle (MITM) attack?

A. Improper session management
B. Lack of auditing
C. Improper archiving
D. Lack of encryption

A

A. Improper session management

Easily guessable and nonrandom session identifiers can be hijacked and replayed if not managed appropriately, and this can lead to MITM attacks.

562
Q

The process of eliciting concrete software security requirements from high-level regulatory and organizational directives and mandates in the requirements phase of the SDLC is also known as

A. Threat modeling
B. Policy decomposition
C. Subject–object modeling
D. Misuse case generation

A

B. Policy decomposition

The process of eliciting concrete software security requirements from high-level regulatory and organizational directives and mandates is referred to as policy decomposition. When the policy decomposition process completes, all the gleaned requirements must be measurable components.

563
Q

The first step in the protection needs elicitation (PNE) process is to

A. Engage the customer
B. Model information management
C. Identify least privilege applications
D. Conduct threat modeling and analysis

A

A. Engage the customer

IT is there for the business and not the other way around. The first step when determining protection needs is to engage the customer, followed by modeling the information and identifying least privilege scenarios. Once an application profile is developed, we can undertake threat modeling and analysis to determine the risk levels, which can be communicated to the business to prioritize the risk.

564
Q

A requirements traceability matrix (RTM) that includes security requirements can be used for all of the following EXCEPT

A. Ensuring scope creep does not occur
B. Validating and communicating user requirements
C. Determining resource allocations
D. Identifying privileged code sections

A

D. Identifying privileged code sections

Identifying privileged code sections is part of threat modeling and not part of an RTM.

565
Q

Parity bit checking mechanisms can be used for all of the following EXCEPT

A. Error detection
B. Message corruption
C. Integrity assurance
D. Input validation

A

D. Input validation

Parity bit checking is primarily used for error detection, but it can also be used to assure the integrity of transferred files and messages.

566
Q

Which of the following is an activity that can be performed to clarify requirements with the business users using diagrams that model the expected behavior of the software?

A. Threat modeling
B. Use case modeling
C. Misuse case modeling
D. Data modeling

A

B. Use case modeling

A use case models the intended behavior of the software or system. In other words, the use case describes behavior that the system owner intended. This behavior describes the sequence of actions and events that are to be taken to address a business need. Use case modeling and diagramming are very useful for specifying requirements. They can be effective in reducing ambiguous and incompletely articulated business requirements by explicitly specifying exactly when and under what conditions certain behaviors occur. Use case modeling is meant to model only the most significant system behavior, not all of it, and so it should not be considered a substitute for requirements specification documentation.

567
Q

Which of the following is least likely to be identified by misuse case modeling?

A. Race conditions
B. Mis-actors
C. Attacker’s perspective
D. Negative requirements

A

A. Race conditions

Misuse cases, also known as abuse cases, help identify security requirements by modeling negative scenarios. A negative scenario is an unintended behavior of the system, one that the system owner does not want to have occur within the context of the use case. Misuse cases provide insight into the threats that can occur to the system or software. They provide the hostile users’ point of view and are the inverse of the use case. Misuse case modeling is similar to use case modeling, except that the former models mis-actors and unintended scenarios or behavior. Misuse cases may be intentional or accidental. One of the most distinctive traits of misuse cases is that they can be used to elicit security requirements, unlike other requirements determination methods that focus on end user functional requirements.

568
Q

Data classification is a core activity that is conducted as part of which of the following?

A. Key Management Life Cycle
B. Information Life Cycle Management
C. Configuration management
D. Problem management

A

B. Information Life Cycle Management

Data classification is the conscious effort to assign a level of sensitivity to data assets based on potential impact upon disclosure, alteration, or destruction. The results of the classification exercise can then be used to categorize the data elements into appropriate buckets. Data classification is part of information life cycle management.

569
Q

Web farm data corruption issues and card holder data encryption requirements need to be captured as part of which of the following requirements?

A. Integrity
B. Environment
C. International
D. Procurement

A

B. Environment

When determining requirements, it is important to elicit requirements that are tied to the environment in which the data will be marshaled or processed. Viewstate corruption issues in Web farm settings where all the servers were not configured identically or lack of card holder data encryption in public networks have been observed when the environmental requirements were not identified or taken into account.

570
Q

When software is purchased from a third party instead of being built in-house, it is imperative to have contractual protection in place and have the software requirements explicitly specified in which of the following?

A. Service level agreements (SLAs)
B. Nondisclosure agreements (NDA)
C. Noncompete agreements
D. Project plan

A

A. Service level agreements (SLAs)

SLAs should contain the levels of service expected for the software to provide, and this becomes crucial when the software is not developed in-house.

571
Q

When software is able to withstand attacks from a threat agent and not violate the security policy it is said to be exhibiting which of the following attributes of software assurance?

A. Reliability
B. Resiliency
C. Recoverability
D. Redundancy

A

B. Resiliency

Software is said to be reliable when it is functioning as expected. Resiliency is the measure of the software’s ability to withstand an attack. When the software is breached, its ability to restore itself back to normal operations is known as the recoverability of the software. Redundancy has to do with high availability.

572
Q

Infinite loops and improper memory calls are often known to cause threats to which of the following?

A. Availability
B. Authentication
C. Authorization
D. Auditing

A

A. Availability

Improper coding constructs such as infinite loops and improper memory management can lead to denial of service and resource exhaustion issues, which impact availability.

573
Q

Which of the following is used to communicate and enforce availability requirements of the business or client?

A. Nondisclosure agreement (NDA)
B. Corporate contract
C. Service level agreements
D. Threat model

A

C. Service level agreements

SLAs should contain the levels of service the software is expected to provide, and this becomes crucial when the software is not developed in-house.

574
Q

Software security requirements that are identified to protect against disclosure of data to unauthorized users is otherwise known as

A. Integrity requirements
B. Authorization requirements
C. Confidentiality requirements
D. Nonrepudiation requirements

A

C. Confidentiality requirements

Destruction is the threat against availability, as disclosure is the threat against confidentiality, and alteration is the threat against integrity.

575
Q

The requirements that assure reliability and prevent alterations are to be identified in which section of the software requirements specifications (SRS) documentation?

A. Confidentiality
B. Integrity
C. Availability
D. Auditing

A

B. Integrity

Destruction is the threat against availability, as disclosure is the threat against confidentiality, and alteration is the threat against integrity.

576
Q

Which of the following is a covert mechanism that assures confidentiality?

A. Encryption
B. Steganography
C. Hashing
D. Masking

A

B. Steganography

Encryption and hashing are overt mechanisms to assure confidentiality. Masking is an obfuscating mechanism to assure confidentiality. Steganography is hiding information within other media as a cover mechanism to assure confidentiality. Steganography is more commonly referred to as invisible ink writing and is the art of camouflaging or hidden writing, where the information is hidden and the existence of the message itself is concealed. Steganography is primarily useful for covert communications and is prevalent in military espionage communications.

577
Q

As a means to assure confidentiality of copyright information, the security analyst identifies the requirement to embed information inside another digital audio, video, or image signal. This is commonly referred to as

A. Encryption
B. Hashing
C. Licensing
D. Watermarking

A

D. Watermarking

Digital watermarking is the process of embedding information into a digital signal. These signals can be audio, video, or pictures.

578
Q

Checksum validation can be used to satisfy which of the following requirements?

A. Confidentiality
B. Integrity
C. Availability
D. Authentication

A

B. Integrity

Parity bit checking is useful in the detection of errors or changes made to data when they are transmitted. A common use of parity bit checking is to do a cyclic redundancy check (CRC) for data integrity as well, especially for messages longer than one byte (8 bits). Upon data transmission, each block of data is given a computed CRC value, commonly referred to as a checksum. If there is an alteration between the origin of the data and their destination, the checksum sent at the origin will not match the one computed at the destination. Corrupted media (CDs, DVDs) and incomplete downloads of software yield CRC errors.

579
Q

During which phase of the software development lifecycle (SDLC) is threat modeling initiated?

A. Requirements analysis
B. Design
C. Implementation
D. Deployment

A

B. Design

Although it is important to revisit the threat model during the development, testing, and deployment phases of the software development life cycle (SDLC), the threat modeling exercise should commence in the design phase of the SDLC.

580
Q

Certificate authority, registration authority, and certificate revocation lists are all part of which of the following?

A. Advanced Encryption Standard (AES)
B. Steganography
C. Public Key Infrastructure (PKI)
D. Lightweight Directory Access Protocol (LDAP)

A

C. Public Key Infrastructure (PKI)

PKI makes it possible to exchange data securely by hiding or keeping secret a private key on one system while distributing the public key to the other systems participating in the exchange.

581
Q

The use of digital signatures has the benefit of providing which of the following that is not provided by symmetric key cryptographic design?

A. Speed of cryptographic operations
B. Confidentiality assurance
C. Key exchange
D. Nonrepudiation

A

D. Nonrepudiation

Nonrepudiation and proof of origin (authenticity) are provided by the certificate authority’s (CA) attaching its digital signature, encrypted with the private key of the sender, to the communication that is to be authenticated, and this attests to the authenticity of both the document and the sender.

582
Q

When passwords are stored in the database, the best defense against disclosure attacks can be accomplished using

A. Encryption
B. Masking
C. Hashing
D. Obfuscation

A

C. Hashing

An important use for hashes is storing passwords. The actual password should never be stored in the database. Using hashing functions, you can store the hash value of the user password and use that value to authenticate the user. Because hashes are one-way (not reversible), they offer a heightened level of confidentiality assurance.

583
Q

Nicole is part of the “author” role and is also included in the “approver” role, allowing her to approve her own articles before they are posted on the company blog site. This violates the principle of

A. Least privilege
B. Least common mechanisms
C. Economy of mechanisms
D. Separation of duties

A

D. Separation of duties

Separation of duties, or separation of privilege, is the principle that it is better to assign tasks to several specific individuals so that no one user has total control over the task. It is closely related to the principle of least privilege, the idea that a minimum amount of privilege is granted to individuals with a need to know for the minimum (shortest) amount of time.

584
Q

The primary reason for designing single sign-on (SSO) capabilities is to

A. Increase the security of authentication mechanisms
B. Simplify user authentication
C. Have the ability to check each access request
D. Allow for interoperability between wireless and wired networks

A

B. Simplify user authentication

The design principle of economy of mechanism states that one must keep the design as simple and small as possible. This well known principle deserves emphasis for protection mechanisms because design and implementation errors that result in unwanted access paths will not be noticed during normal use. As a result, techniques that implement protection mechanisms, such as line-by-line inspection of software, are necessary. For such techniques to be successful, a small and simple design is essential. SSO supports this principle by simplifying the authentication process.

585
Q

Database triggers are primarily useful for providing which of the following detective software assurance capabilities?

A. Availability
B. Authorization
C. Auditing
D. Archiving

A

C. Auditing

All stored procedures could be updated to incorporate auditing logic, but a better solution is to use database triggers. You can use triggers to monitor actions performed on the database tables and automatically log auditing information.

586
Q

During a threat modeling exercise, the software architecture is reviewed to identify

A. Attackers
B. Business impact
C. Critical assets
D. Entry points

A

D. Entry points

During threat modeling, the application is dissected into its functional components. The development team analyzes the components at every entry point and traces data flow through all functionality to identify security weaknesses.

587
Q

A man-in-the-middle (MITM) attack is primarily an expression of which type of the following threats?

A. Spoofing
B. Tampering
C. Repudiation
D. Information disclosure

A

A. Spoofing

Although it may seem that an MITM attack is an expression of the threat of repudiation, and it can be, it is primarily a spoofing threat. In a spoofing attack, an attacker impersonates a legitimate user of the system. A spoofing attack is mitigated through authentication so that adversaries cannot become any other user or assume the attributes of another user. When undertaking a threat modeling exercise, it is important to list all possible threats, regardless of whether they have been mitigated, so that you can later generate test cases where necessary. If the threat is not documented, there is a high likelihood that the software will not be tested for those threats. Using a categorized list of threats (such as spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege [STRIDE]) is useful to address all possible threats.

588
Q

IPSec technology, which helps in the secure transmission of information, operates in which layer of the Open Systems Interconnect (OSI) model?

A. Transport
B. Network
C. Session
D. Application

A

B. Network

Although software security has specific implications on layer seven, the application layer of the OSI stack, security at the other levels of the OSI stack is also important and should be leveraged to provide defense in depth. The seven layers of the OSI stack are physical (1), data link (2), network (3), transport (4), session (5), presentation (6), and application (7). SSL and IPSec can be used to assure confidentiality for data in motion. SSL operates at the transport layer (4), and IPSec operates at the network layer (3) of the OSI model.

589
Q

When internal business functionality is abstracted into service-oriented, contract-based interfaces, it is primarily used to provide for

A. Interoperability
B. Authentication
C. Authorization
D. Installation ease

A

A. Interoperability

A distinctive characteristic of SOA is that the business logic is abstracted into discoverable and reusable contract-based interfaces to promote interoperability between heterogeneous computing ecosystems.

590
Q

At which layer of the OSI model must security controls be designed to effectively mitigate side channel attacks?

A. Transport
B. Network
C. Data link
D. Physical

A

D. Physical

Side channel attacks use unconventional means to compromise the security of the system and, in most cases, require physical access to the device or system. Therefore, to mitigate side channel attacks, physical protection must be used.

591
Q

Which of the following software architectures is effective in distributing the load between the client and the server but, because it makes the client part of the threat vectors, increases the attack surface?

A. Software as a Service (SaaS)
B. Service-oriented architecture (SOA)
C. Rich Internet application (RIA)
D. Distributed network architecture (DNA)

A

C. Rich Internet application (RIA)

RIAs require Internet protocol (IP) connectivity to the backend server. Browser sandboxing is recommended since the client is now also susceptible to attack, but it is not a requirement. The workload is shared between the client and the server, and the user’s experience and control are increased in RIA architecture.

592
Q

When designing software to work in a mobile computing environment, the Trusted Platform Module (TPM) chip can be used to provide which of the following types of information?

A. Authorization
B. Identification
C. Archiving
D. Auditing

A

B. Identification

Trusted platform module (TPM) is the name assigned to a chip that can store cryptographic keys, passwords, and certificates. It can be used to protect mobile devices other than personal computers. It is also used to provide identity information for authentication purposes in mobile computing. It also assures secure startup and integrity. The TPM can be used to generate values used with whole-disk encryption, such as Windows Vista’s BitLocker. It is developed to specifications of the Trusted Computing Group.

593
Q

When two or more trivial pieces of information are brought together with the aim of gleaning sensitive information, it is referred to as what type of attack?

A. Injection
B. Inference
C. Phishing
D. Polyinstantiation

A

B. Inference

An inference attack is one in which the attacker combines information available in the database with a suitable analysis to glean information that is presumably hidden or not as evident. This means that individual data elements when viewed collectively can reveal confidential information. It is therefore possible to have public elements in a database reveal private information by inference. The first things to ensure are that the database administrator does not have direct access to the data in the database and that the administrator’s access to the database is mediated by a program (the application) and audited. In situations where direct database access is necessary, it is important to ensure that the database design is not susceptible to inference attacks. Inference attacks can be mitigated by polyinstantiation.

594
Q

The inner workings and internal structure of backend databases can be protected from disclosure using

A. Triggers
B. Normalization
C. Views
D. Encryption

A

C. Views

Views provide a number of security benefits. They abstract the source of the data being presented, keeping the internal structure of the database hidden from the user. Furthermore, views can be created on a subset of columns in a table. This capability can allow users granular access to specific data elements. Views can also be used to limit access to specific rows of data.

595
Q

Choose the best answer. Configurable settings for logging exceptions, auditing and credential management must be part of

A. Database views
B. Security management interfaces
C. Global files
D. Exception handling

A

B. Security management interfaces

Security management interfaces (SMIs) are administrative interfaces for your application that have the highest level of privileges on the system and can do tasks such as

User provisioning: adding/deleting/enabling user accounts
Granting rights to different user roles
System restarting
Changing system security settings
Accessing audit trails, user credentials, exception logs

596
Q

The token that is primarily used for authentication purposes in an SSO implementation between two different organizations is

A. Kerberos
B. Security Assertion Markup Language (SAML)
C. Liberty alliance ID-FF
D. One time password (OTP)

A

B. Security Assertion Markup Language (SAML)

Federation technology is usually built on a centralized identity management architecture leveraging industry standard identity management protocols, such as SAML, WS Federation (WS-*), and Liberty Alliance. Of the three major protocol families associated with federation, SAML seems to be recognized as the de facto standard for enterprise-to-enterprise federation. SAML works in cross-domain settings, while Kerberos tokens are useful only within a single domain.

597
Q

Syslog implementations require which additional security protection mechanisms to mitigate disclosure attacks?

A. Unique session identifier generation and exchange
B. Transport layer security
C. Digital Rights Management (DRM)
D. Data loss prevention (DLP)

A

B. Transport layer security

The syslog network protocol has become a de facto standard for logging programs and server information over the Internet. Many routers, switches, and remote access devices will transmit system messages, and there are syslog servers available for Windows and UNIX operating systems. TLS protection mechanisms such as SSL wrappers are needed to protect syslog data in transit as they are transmitted in the clear. SSL wrappers such as stunnel provide transparent SSL functionality.

598
Q

Rights and privileges for a file can be granularly granted to each client using which of the following technologies?

A. Data loss prevention (DLP)
B. Software as a Service
C. Flow control
D. Digital Rights Management

A

D. Digital Rights Management

Digital rights management (DRM) solutions give copyright owners control over access and use of copyright protected material. When users want to access or use digital copyrighted material, they can do so on the terms of the copyright owner.

599
Q

Software developers write software programs primarily to

A. create new products
B. capture market share
C. solve business problems
D. mitigate hacker threats

A

C. solve business problems

IT and software development teams function to provide solutions to the business. Manual and inefficient business processes can be automated and made efficient using software programs.

600
Q

The process of combining necessary functions, variables, and dependency files and libraries required for the machine to run the program is referred to as

A. compilation
B. interpretation
C. linking
D. instantiation

A

C. linking

Linking is the process of combining the necessary functions, variables, and dependency files and libraries required for the machine to run the program. The output that results from the linking process is the executable program or machine code/file that the machine can understand and process. In short, linked object code is the executable. Link editors that combine object codes are known as linkers. Upon the completion of the compilation process, the compiler invokes the linker to perform its function. There are two types of linking: static linking and dynamic linking.

601
Q

Which of the following is an important consideration to manage memory and mitigate overflow attacks when choosing a programming language?

A. locality of reference
B. type safety
C. cyclomatic complexity
D. Parametric polymorphism

A

B. type safety

Code is said to be type safe if it only accesses memory resources that do not belong to the memory assigned to it. Type safety verification takes place during the just in time (JIT) compilation phase and prevents unsafe code from becoming active. Although you can disable type safety verification, code can then make unrestricted calls to unmanaged code, and if that code has malicious intent, the results can be severe. Therefore, the framework only allows fully trusted assemblies to bypass verification. Type safety is a form of “sandboxing.” Type safety must be one of the most important considerations with regard to security when selecting a programming language.

602
Q

Using multifactor authentication is effective in mitigating which of the following application security risks?

A. injection flaws
B. Cross-Site Scripting (XSS)
C. buffer overflow
D. Man-in-the-Middle (MITM)

A

D. Man-in-the-Middle (MITM)

As a defense against man-in-the-middle (MITM) attacks, authentication and session management need to be in place. Multifactor authentication provides greater defense than single factor authentication and is recommended. Session identifiers that are generated should be unpredictable, random, and non-guessable.

603
Q

Implementing Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) protection is a means of defending against

A. SQL injection
B. Cross-Site Scripting (XSS)
C. Cross-Site Request Forgery (CSRF)
D. insecure cryptographic storage

A

C. Cross-Site Request Forgery (CSRF)

In addition to assuring that the requestor is a human, CAPTCHAs are useful in mitigating CSRF attacks. Since CSRF is dependent on a preauthenticated token’s being in place, using CAPTCHA as the anti-CSRF token is an effective way of dealing with the inherent XSS problems regarding anti-CSRF tokens, as long as the CAPTCHA image itself is not guessable, predictable, or re-served to the attacker.

604
Q

The findings of a code review indicate that cryptographic operations in code use the Rijndael cipher, which is the original publication of which of the following algorithms?

A. Skipjack
B. Data Encryption Standard (DES)
C. Triple Data Encryption Standard (3DES)
D. Advanced Encryption Standard (AES)

A

D. Advanced Encryption Standard (AES)

Advanced encryption standard (FIPS 197) is published as the Rijndael cipher. Software should be designed so that one cryptographic algorithm can be replaced with a stronger one, when needed, without much rework or recoding. This is referred to as cryptographic agility.

605
Q

Which of the following transport layer technologies can best mitigate session hijacking and replay attacks in a local area network (LAN)?

A. Data Loss Prevention (DLP)
B. Internet Protocol Security (IPSec)
C. Secure Sockets Layer (SSL)
D. Digital Rights Management (DRM)

A

C. Secure Sockets Layer (SSL)

SSL provides disclosure protection and protection against session hijacking and replay at the transport layer (layer 4), while IPSec provides confidentiality and integrity assurance operating in the network layer (layer 3). DRM provides some degree of disclosure (primarily IP) protection and operates in the presentation layer (layer 6), and data loss prevention (DLP) technologies prevent the inadvertent disclosure of data to unauthorized individuals, predominantly those external to the organization.

606
Q

Verbose error messages and unhandled exceptions can result in which of the following software security threats?

A. spoofing
B. tampering
C. repudiation
D. information disclosure

A

D. information disclosure

Information disclosure is primarily a design issue and therefore is a language-independent problem. There is a tricky balance between providing the user with helpful information about errors and preventing attackers from learning about the internal details and architecture of the software. From a security standpoint, it is advisable not to disclose verbose error messages and provide the users with a helpline to get additional support.

607
Q

Code signing can provide all of the following except

A. anti-tampering protection
B. authenticity of code origin
C. runtime permissions for code
D. authentication of users

A

D. authentication of users

Code signing can provide all of the following: anti-tampering protection assuring integrity of code, authenticity (not authentication) of code origin, and runtime permissions for the code to access system resources. The primary benefit of code signing is that it provides users with the identity of the software’s creator, and this is particularly important for mobile code, which is code downloaded from a remote location over the Internet.

608
Q

When an attacker uses delayed error messages between successful and unsuccessful query probes, he is using which of the following side channel techniques to detect injection vulnerabilities?

A. distant observation
B. cold boot
C. power analysis
D. timing

A

D. timing

A side channel is a potential source of information flow from a physical system to an adversary beyond what is available via the conventional (abstract) model. These include subtle observation of timing, electromagnetic radiations, power usage, analog signals, and acoustic emanations. The use of nonconventional and specialized techniques along with physical access to the target system to discover information is characteristic of side channel attacks. The analysis of delayed error messages between successful and unsuccessful queries is a form of timing side channel attacks.

609
Q

When the runtime permissions of the code are defined as security attributes in the metadata of the code, it is referred to as

A. imperative syntax security
B. declarative syntax security
C. code signing
D. code obfuscation

A

B. declarative syntax security

There are two types of security syntax: declarative security and imperative security. Declarative syntax addresses the “what” part of an action, whereas imperative syntax tries to deal with the “how” part. When security requests are made in the form of attributes (in the metadata of the code), it is referred to as declarative security. When security requests are made through programming logic within a function or method body, it is referred to as imperative security. Declarative security is an all-or-nothing kind of implementation, while imperative security offers greater levels of granularity and control because the security requests run as lines of code intermixed with the application code.

610
Q

When an all-or-nothing approach to code access security is not possible and business rules and permissions need to be set and managed more granularly inline in code functions and modules, a programmer can leverage which of the following?

A. cryptographic agility
B. parametric polymorphism
C. declarative security
D. imperative security

A

D. imperative security

When security requests are made in the form of attributes, it is referred to as declarative security. It does not precisely define the steps as to how the security will be realized. Declarative syntax actions can be evaluated without running the code because attributes are stored as part of an assembly’s metadata, while the imperative security actions are stored as intermediary language (IL). This means that imperative security actions can be evaluated only when the code is running. Declarative security actions are checks before a method is invoked and are placed at the class level, being applicable to all methods in that class, unlike imperative security. Declarative security is an all-or-nothing kind of implementation, while imperative security offers greater levels of granularity and control, because the security requests run as lines of code intermixed with the application code.

611
Q

An understanding of which of the following programming concepts is necessary to protect against memory manipulation buffer overflow attacks? Choose the best answer.

A. error handling
B. exception management
C. locality of reference
D. generics

A

C. locality of reference

Computer processors tend to access memory in a very patterned way. The basic forms of locality of reference are temporal (based on time), spatial (based on address space), branch (based on conditional branching), and equidistant (somewhere between spatial and branch, using simple linear functions that look for equidistant locations of memory to predict which location will be accessed in the near future). While this is good from a performance vantage point, it can lead to an attacker’s predicting memory address spaces and causing memory corruption and buffer overflow.

612
Q

Exploit code attempts to take control of dangling pointers that

A. are references to memory locations of destroyed objects
B. are the nonfunctional code left behind in the source
C. are the payload code that the attacker uploads into memory to execute
D. are references in memory locations that are used prior to being initialized

A

A. are references to memory locations of destroyed objects

A dangling pointer, aka stray pointer, occurs when a pointer points to an invalid memory address. Dangling pointers are usually created in one of two ways. An object is destroyed (freed), but the reference to the object is not reassigned and is later used. Or a local object is popped from the stack when the function returns, but a reference to the stack-allocated object is still maintained. Attackers write exploit code to take control of dangling pointers so that they can move the pointer to where their arbitrary shell code is injected.

613
Q

Which of the following is a feature of most recent operating systems (OS) that makes it difficult for an attacker to guess the memory address of the program as it makes the memory address different each time the program is executed?

A. Data Execution Prevention (DEP)
B. Executable Space Protection (ESP)
C. Address Space Layout Randomization (ASLR)
D. Safe Security Exception Handler (/SAFESEH)

A

C. Address Space Layout Randomization (ASLR)

In the past, the memory manager would try to load binaries at the same location in the linear address space each time the program was run. This behavior made it easier for shell coders by ensuring that certain modules of code would always reside at a fixed address and could be referenced in exploit code using raw numeric literals. Address space layout randomization (ASLR) is a feature in newer operating systems (introduced in Windows Vista) that deals with this predictable and direct referencing issue.

614
Q

When source code is deliberately made obscure using special programs so that it is difficult to read if disclosed, the code is also known as

A. object code
B. obfuscated code
C. encrypted code
D. hashed code

A

B. obfuscated code

Reverse engineering is used to infer how a program works by inspecting it. Code obfuscation, which makes the readability of code extremely difficult and confusing, can be used to deter (not prevent) reverse engineering attacks. Obfuscating code is not detective or corrective in its implementation.

615
Q

The ability to track ownership, changes in code, and rollback abilities is possible because of which of the following configuration management processes?

A. version control
B. patching
C. audit logging
D. change control

A

A. version control

The ability to track ownership, changes in code, and rollback abilities is possible because of versioning, which is a configuration management process. A phenomenon known as “regenerative bugs” is often observed when it comes to improper release management processes. Regenerative bugs are fixed software defects that reappear in subsequent releases of the software. This happens when the software coding defect (bug) is detected in the testing environment (such as user acceptance testing), and the fix is made in that test environment and promoted to production without retrofitting it into the development environment. The latest version in the development environment does not have the fix, and the issue reappears in subsequent versions of the software.

616
Q

The main benefit of statically analyzing code is that

A. runtime behavior of code can be analyzed
B. business logic flaws are more easily detectable
C. the analysis is performed in a production or production-like environment
D. errors and vulnerabilities can be detected earlier in the life cycle

A

D. errors and vulnerabilities can be detected earlier in the life cycle

Code review is the process of systematically analyzing the code for insecure and inefficient coding issues. In addition to static analysis, which reviews code before it goes live, there are also dynamic analysis tools, which conduct automated scans of applications in production to unearth vulnerabilities. In other words, dynamic tools test from the outside in, while static tools test from the inside out. Just because the code compiles without any errors, it does not necessarily mean that it will run without errors at runtime.

617
Q

Cryptographic protection includes all of the following except

A. encryption of data when it is processed
B. hashing of data when it is stored
C. hiding of data within other media objects when it is transmitted
D. masking of data when they are displayed

A

D. masking of data when they are displayed

Masking does not use any overt cryptography operations, such as encryption, decryption, or hashing, or covert operations, such as data hiding, as in the case of steganography, to provide disclosure protection.

618
Q

Assembly and machine language are examples of

A. natural language
B. Very High-Level Language (VHLL)
C. High-Level Language (HLL)
D. Low-Level Language

A

D. Low-Level Language

A programming language in which there is little to no abstraction from the native instruction codes that the computer can understand is also referred to as low-level language. There is no abstraction from native instruction codes in machine language. Assembly languages are the lowest level in the software chain, which makes them incredibly suitable for reversing.

619
Q

The ability of the software to restore itself to expected functionality when the security protection that is built in is breached is also known as

A. Redundancy
B. Recoverability
C. Resiliency
D. Reliability

A

B. Recoverability

When the software performs as it is expected to, it is said to be reliable. When errors occur, the reliability of software is impacted, and the software needs to be able to restore itself to expected operations. The ability of the software to be restored to normal, expected operations is referred to as recoverability. The ability of the software to withstand attacks against its reliability is referred to as resiliency. Redundancy is about availability, and reconnaissance is related to information gathering, as in fingerprinting/footprinting.

620
Q

In which of the following software development methodologies does unit testing enable collective code ownership and serve as a critical means of software assurance?

A. Waterfall
B. Agile
C. Spiral
D. Prototyping

A

B. Agile

Unit testing enables collective code ownership. Collective code ownership encourages everyone to contribute new ideas to all segments of the project. Any developer can change any line of code to add functionality, fix bugs, or re-factor. No one person becomes a bottleneck for changes. The way this works is for each developer to work in concert (usually more in agile methodologies than the traditional model) to create unit tests for his code as it is developed. All code released into the source code repository includes unit tests. Code that is added, bugs as they are fixed, and old functionality as it is changed will be covered by automated testing.

621
Q

The use of if-then rules is characteristic of which of the following types of software testing?

A. Logic
B. Scalability
C. Integration
D. Unit

A

A. Logic

If-then rules are constructs of logic, and when these constructs are used for software testing, it is generally referred to as logic testing.

622
Q

The implementation of secure features, such as complete mediation and data replication, needs to undergo which of the following types of test to ensure that the software meets the service level agreements (SLAs)?

A. Stress
B. Unit
C. Integration
D. Regression

A

A. Stress

Tests that assure that the service level requirements are met are characteristic of performance testing. Load and stress testing are types of performance tests. While stress testing is testing by starving the software, load testing is done by subjecting the software to extreme volumes or loads.

623
Q

Tests conducted to determine the breaking point of the software, after which the software will no longer be functional, are characteristic of which of the following types of software testing?

A. Regression
B. Stress
C. Integration
D. Simulation

A

B. Stress

The goal of stress testing is to determine if the software will continue to operate reliably under duress or extreme conditions. Often the resources that the software needs are taken away from the software, and the software’s behavior is observed as part of the stress test.

624
Q

Which of the following tools or techniques can be used to facilitate the white box testing of software for insider threats?

A. Source code analyzers
B. Fuzzers
C. Banner-grabbing software
D. Scanners

A

A. Source code analyzers

White box testing, or structural analysis, is about testing the software with prior knowledge of the code and configuration. Source code review is a type of white box testing. Embedded code issues that are implanted by insiders, such as Trojan horses and logic bombs, can be detected using source code analyzers.

625
Q

When very limited or no knowledge of the software is made known to the software tester before she can test for its resiliency, it is characteristic of which of the following types of security tests?

A. White box
B. Black box
C. Clear box
D. Glass box

A

B. Black box

In black box or behavioral testing, test conditions are developed on the basis of the program’s or system’s functionality; that is, the tester requires information about the input data and observed output, but does not know how the program or system works. The tester focuses on testing the program’s behavior (or functionality) against the specification. With black box testing, the tester views the program as a black box and is completely unconcerned with the internal structure of the program or system.

626
Q

Penetration testing must be conducted with properly defined

A. Rules of engagement
B. Role-based access control mechanisms
C. Threat models
D. Use cases

A

A. Rules of engagement

Penetration testing must be controlled, not ad hoc in nature, with properly defined rules of engagement.

627
Q

Testing for the randomness of session identifiers and the presence of auditing capabilities provides the software team insight into which of the following security controls?

A. Availability
B. Authentication
C. Nonrepudiation
D. Authorization

A

C. Nonrepudiation

When session management is in place, it provides for authentication, and when authentication is combined with auditing capabilities, it provides nonrepudiation. In other words, the authenticated user cannot claim broken sessions or intercepted authentication and deny their actions, because the audit logs record those actions.

628
Q

Disassemblers, debuggers, and decompilers can be used by security testers primarily to determine which of the following types of coding vulnerabilities?

A. Injection flaws
B. Lack of reverse engineering protection
C. Cross-site scripting
D. Broken session management

A

B. Lack of reverse engineering protection

Disassemblers, debuggers, and decompilers are utilities that can be used for reverse engineering software, and software testers should have these utilities in their list of tools to validate protection against reversing.

629
Q

When reporting a security defect in the software, which of the following also needs to be reported so that variance from the intended behavior of the software can be determined?

A. Defect identifier
B. Title
C. Expected results
D. Tester name

A

C. Expected results

Knowledge of the expected results along with the defect information can be used to determine the variance between what the results need to be and what is deficient.

630
Q

An attacker analyzes the response from the Web server that indicates that its version is the Microsoft Internet Information Server 6.0 (Microsoft-IIS/6.0), but none of the IIS exploits that the attacker attempts to execute on the Web server are successful. Which of the following is the most probable security control that is implemented?

A. Hashing
B. Cloaking
C. Masking
D. Watermarking

A

B. Cloaking

Detection of Web server versions is usually done by analyzing HTTP responses. This process is known as banner grabbing. But the administrator can change the information that gets reported, and this process is known as cloaking. Banner cloaking is a security through obscurity approach to protect against version enumeration.

631
Q

Smart fuzzing is characterized by injecting

A. Truly random data without any consideration for the data structure
B. Variations of data structures that are known
C. Data that get interpreted as commands by a backend interpreter
D. Scripts that are reflected and executed on the client browser

A

B. Variations of data structures that are known

The process of sending random data to test security of an application is referred to as “fuzzing” or “fuzz testing.” There are two levels of fuzzing: dumb fuzzing and smart fuzzing. Sending truly random data, known as dumb fuzzing, often does not yield great results and has the potential of bringing the software down, causing a denial of service (DoS). If the code being fuzzed requires data to be in a certain format but the fuzzer does not create data in that format, most of the fuzzed data will be rejected by the application. The more knowledge the fuzzer has of the data format, the more intelligent it can be at creating data. These more intelligent fuzzers are known as smart fuzzers.

632
Q

Which of the following is most important to ensure when the software is forced to fail as part of security testing? Choose the best answer.

A. Normal operational functionality is not restored automatically
B. Access to all functionality is denied
C. Confidentiality, integrity, and availability are not adversely impacted
D. End users are adequately trained and self-help is made available for the end user to fix the error on their own

A

C. Confidentiality, integrity, and availability are not adversely impacted

As part of security testing, the principle of failsafe must be assured. This means that confidentiality, integrity, and availability are not adversely impacted when the software fails. As part of general software testing, the recoverability of the software, or restoration of the software to normal operational functionality, is an important consideration, but it need not always be an automated process.

633
Q

Timing and synchronization issues such as race conditions and resource deadlocks are most likely to be identified by which of the following tests? Choose the best answer.

A. Integration
B. Stress
C. Unit
D. Regression

A

B. Stress

Race conditions and resource exhaustion issues are more likely to be identified when the software is starved of the resources that it expects, as is done during stress testing.

634
Q

The primary objective of resiliency testing of software is to determine

A. The point at which the software will break
B. If the software can restore itself to normal business operations
C. The presence and effectiveness of risk mitigation controls
D. How a blackhat would circumvent access control mechanisms

A

C. The presence and effectiveness of risk mitigation controls

Security testing must include both external (blackhat) and insider threat analysis, and it should be more than just testing for the ability to circumvent access control mechanisms. The resiliency of software is the ability of the software to be able to withstand attacks. The presence and effectiveness of risk mitigation controls increase the resiliency of the software.

635
Q

The ability of the software to withstand attempts by attackers who intend to breach the security protection that is built in is also known as

A. Redundancy
B. Recoverability
C. Resiliency
D. Reliability

A

C. Resiliency

Resiliency of software is defined as the ability of the software to withstand attacker attempts.

636
Q

Drivers and stub-based programming are useful to conduct which of the following tests?

A. Integration
B. Regression
C. Unit
D. Penetration

A

C. Unit

In order for unit testing to be thorough, the unit/module and the environment for the execution of the module need to be complete. The necessary environment includes the modules that either call or are called by the unit of code being tested. Stubs and drivers are designed to provide the complete environment for a module so that unit testing can be carried out. A stub procedure is a dummy procedure that has the same input/output (I/O) parameters as the given procedure. A driver module should have the code to call the different functions of the module being tested with appropriate parameter values for testing.

637
Q

Assurance that software meets the expectations of the business as defined in the SLAs can be demonstrated by which of the following types of tests?

A. Unit
B. Integration
C. Performance
D. Regression

A

C. Performance

Assurance that the software meets the expectations of the business as defined in the service level agreements (SLAs) can be demonstrated by performance testing. Once the importance of the performance of an application is known, it is necessary to understand how various factors affect the performance. Security features can have an impact on performance, and this must be checked to ensure that service level requirements can be met.

638
Q

Vulnerability scans are used to

A. Measure the resiliency of the software by attempting to exploit weaknesses
B. Detect the presence of loopholes and weaknesses in the software
C. Detect the effectiveness of security controls that are implemented in the software
D. Measure the skills and technical know-how of the security tester

A

B. Detect the presence of loopholes and weaknesses in the software

A vulnerability is a weakness (or loophole), and vulnerability scans are used to detect the presence of weaknesses in software.

639
Q

Your organization has a policy to attest the security of any software that will be deployed into the production environment. Third party vendor software is being evaluated for its readiness to be deployed. Which of the following verification and validation mechanisms can be employed to attest the security of the vendor’s software?

A. Source code review
B. Threat modeling the software
C. Black box testing
D. Structural analysis

A

C. Black box testing

Third party vendor software is often received in object code form; access to source code is usually not provided, so structural analysis (white box) or source code analysis is not possible. Looking into the source code, or a source code equivalent obtained by reverse engineering, without explicit permission can have legal ramifications. Additionally, without documentation on the architecture and software makeup, a threat modeling exercise would most likely be incomplete. License validation is primarily used for curtailing piracy and is a component of verification and validation mechanisms. Black box testing or behavioral analysis would be the best option to attest the security of third party vendor software.

640
Q

When procuring commercial off-the-shelf (COTS) software for release within your global organization, special attention must be given to multilingual and multicultural capabilities of the software since they are more likely to have

A. Compilation errors
B. Canonicalization issues
C. Cyclomatic complexity
D. Coding errors

A

B. Canonicalization issues

The process of canonicalization resolves multiple forms into standard canonical forms. In software that needs to support multilingual, multicultural capabilities such as Unicode, input filtration can be bypassed by a hacker who sends in data in an alternate form rather than the standard form. Input validation for alternate forms is therefore necessary.

641
Q

To meet the goals of software assurance, when accepting software from a vendor, the software acquisition phase must include processes to

A. Verify that installation guides and training manuals are provided
B. Assess the presence and effectiveness of protection mechanisms
C. Validate vendor’s software products
D. Assist the vendor in responding to the request for proposals

A

B. Assess the presence and effectiveness of protection mechanisms

To maintain the confidentiality, integrity, and availability of software and the data it processes, prior to the acceptance of software, vendor claims of security must be assessed not only for their presence, but also their effectiveness within your computing ecosystem.

642
Q

Your organization’s software is published as a trial version without any restricted functionality from the paid version. Which of the following must be designed and implemented to ensure that customers who have not purchased the software are limited in the availability of the software?

A. Disclaimers
B. Licensing
C. Validity periods
D. Encryption

A

C. Validity periods

Software functionality can be restricted using a validity period as is often observed in the “try-before-you-buy” or “demo” versions of software. It is recommended to have a stripped down version of the software for the demo version, and if feasible, it is advisable to include the legal team to determine the duration of the validity period.

643
Q

Software escrowing is MORE closely related to which of the following risk handling strategies?

A. Avoidance
B. Mitigation
C. Acceptance
D. Transference

A

D. Transference

Since there is an independent third party engaged in an escrow agreement, business continuity is assured for the acquirer when the escrow agency maintains a copy of the source/object code from the publisher. For the publisher, it protects the intellectual property since the source code is not handed to the acquirer directly, but to the independent third-party escrow agent. For both the acquirer and the publisher, some risk is transferred to the escrow party, which is responsible for maintaining the terms of the escrow agreement.

644
Q

Which of the following legal instruments assures the confidentiality of software programs, processing logic, database schema, and internal organizational business processes and client lists?

A. Noncompete agreements
B. Nondisclosure agreements (NDA)
C. Service level agreements (SLA)
D. Trademarks

A

B. Nondisclosure agreements (NDA)

Nondisclosure agreements assure confidentiality of sensitive information, such as software programs, processing logic, database schema, and internal organizational business processes and client lists.

645
Q

“As is” clauses and disclaimers transfer the risk of using the software from the software publisher to the

A. Developers
B. End users
C. Testers
D. Business owners

A

B. End users

Disclaimers, or “as is” clauses, transfer the risk from the software provider to the end user.

646
Q

Improper implementation of validity periods using length-of-use checks in code can result in which of the following types of security issues for legitimate users?

A. Tampering
B. Denial of service
C. Authentication bypass
D. Spoofing

A

B. Denial of service

If the validity period set in the software is not properly implemented, then legitimate users can potentially be denied service. It is therefore imperative to ensure that the duration and checking mechanism of validity periods are properly implemented.

647
Q

The process of evaluating software to determine whether the products of a given development phase satisfy the conditions imposed at the start of the phase is referred to as

A. Verification
B. Validation
C. Authentication
D. Authorization

A

A. Verification

Verification is defined as the process of evaluating software to determine whether the products of a given development phase satisfy the conditions imposed at the start of the phase. In other words, verification ensures that the software performs as it is required and designed to do. Validation is the process of evaluating software during or at the end of the development process to determine whether it satisfies specified requirements. In other words, validation ensures that the software meets required specifications.

648
Q

When verification activities are used to determine if the software is functioning as it is expected to, it provides insight into which of the following aspects of software assurance?

A. Redundancy
B. Reliability
C. Resiliency
D. Recoverability

A

B. Reliability

Verification ensures that the software performs as it is required and designed to do, which is a measure of the software’s reliability.

649
Q

When procuring software, the purchasing company can request the evaluation assurance level (EAL) of the software product, which is determined using which of the following evaluation methodologies?

A. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
B. Security quality requirements engineering (SQUARE)
C. Common criteria
D. Comprehensive, lightweight application security process (CLASP)

A

C. Common criteria

The Common Criteria (ISO 15408) is a security product evaluation methodology with clearly defined ratings, such as evaluation assurance levels (EALs). In addition to assurance validation, the Common Criteria also validates software functionality against the security target. EAL ratings assure the owner of the assurance capability of the software/system, so the Common Criteria is also referred to as an owner assurance model.

650
Q

The final activity in the software acceptance process is the go/no go decision that can be determined using

A. Regression testing
B. Integration testing
C. Unit testing
D. User acceptance testing

A

D. User acceptance testing

The end users of the business have the final say on whether the software can be deployed/released. User acceptance testing (UAT) determines the readiness of the software for deployment to the production environment or release to an external customer.

651
Q

Management’s formal acceptance of the system after an understanding of the residual risks to that system in the computing environment is also referred to as

A. Patching
B. Hardening
C. Certification
D. Accreditation

A

D. Accreditation

While certification is the assessment of the technical and nontechnical security controls of the software, accreditation is a management activity that assures that the software has adequate levels of software assurance protection mechanisms.

652
Q

You determine legacy software running in your computing environment is susceptible to cross-site request forgery (CSRF) attacks because of the way it manages sessions. The business has the need to continue use of this software, but you do not have the source code available to implement security controls in code as a mitigation measure against CSRF attacks. What is the best course of action to undertake in such a situation?

A. Avoid the risk by forcing the business to discontinue use of the software
B. Accept the risk with a documented exception
C. Transfer the risk by buying insurance
D. Ignore the risk since it is legacy software

A

B. Accept the risk with a documented exception

When there are known vulnerabilities in legacy software and there is not much you can do to mitigate the vulnerabilities, it is recommended that the business accept the risk with a documented exception to the security policy. When accepting this risk, the exception to policy process must ensure that there is a contingency plan in place to address the risk by either replacing the software with a new version or discontinuing its use (risk avoidance). Transferring the risk may not be a viable option for legacy software that is already in your production environment, and one must never ignore the risk or take the vulnerable software out of the scope of an external audit.

653
Q

As part of the accreditation process, the residual risk of software evaluated for deployment must be accepted formally by the

A. Board members and executive management
B. Business owner
C. Information technology (IT) management
D. Security organization
E. Developers

A

B. Business owner

Risk must always be accepted formally by the business owner.

654
Q

When software that worked without any issues in the test environments fails to work in the production environment, it is indicative of

A. Inadequate integration testing
B. Incompatible environment configurations
C. Incomplete threat modeling
D. Ignored code review

A

B. Incompatible environment configurations

When the production environment does not mirror the development or test environments, software that works fine in nonproduction environments is observed to experience issues when deployed in the production environment. This underlines the need for simulation testing.

655
Q

Which of the following is not characteristic of good security metrics?

A. Quantitatively expressed
B. Objectively expressed
C. Contextually relevant
D. Collected manually

A

D. Collected manually

A good security metric is expressed quantitatively and is contextually accurate. Regardless of how many times the metric is collected, the results do not vary significantly. Good metrics are usually collected in an automated manner so that the collector’s subjectivity does not come into effect.

656
Q

Removal of maintenance hooks, debugging code and flags, and unneeded documentation before deployment are all examples of software

A. Hardening
B. Patching
C. Reversing
D. Obfuscation

A

A. Hardening

Locking down the software by removing unneeded code and documentation to reduce the attack surface of the software is referred to as software hardening. Before hardening the software, it is crucial to harden the operating system of the host on which the software program will be run.

657
Q

Which of the following has the goal of ensuring that the resiliency levels of software are always above the acceptable risk threshold as defined by the business post deployment?

A. Threat modeling
B. Code review
C. Continuous monitoring
D. Regression testing

A

C. Continuous monitoring

Operations security is about staying secure or keeping the resiliency levels of the software above the acceptable risk levels. It is the assurance that the software will continue to function as expected in a reliable fashion for the business without compromising its state of security by monitoring, managing, and applying the needed controls to protect resources (assets).

658
Q

Audit logging of application events, such as failed login attempts, sales price updates, and user role configuration, is an example of which of the following types of security control?

A. Preventive
B. Corrective
C. Compensating
D. Detective

A

D. Detective

Audit logging is a type of detective control. When the users are made aware that their activities are logged, audit logging could function as a deterrent control, but it is primarily used for detective purposes. Audit logs can be used to build the sequence of historical events and give insight into who (subject such as user/process) did what (action), where (object), and when (timestamp).

659
Q

When a compensating control is to be used, the Payment Card Industry Data Security Standard (PCI DSS) prescribes that the compensating control must meet all of the following guidelines except

A. Meet the intent and rigor of the original requirement
B. Provide a higher level of defense than the original requirement
C. Be implemented as part of a defense in depth measure
D. Be commensurate with additional risk imposed by not adhering to the requirement

A

B. Provide a higher level of defense than the original requirement

PCI DSS prescribes that the compensating control must provide a level of defense similar to, not greater than, that of the original requirement.

660
Q

Software that is deployed in a high trust environment, such as the environment within the organizational firewall, and is not continuously monitored is most susceptible to which of the following types of security attacks? Choose the best answer.

A. Distributed denial of service (DDoS)
B. Malware
C. Logic bombs
D. DNS poisoning

A

C. Logic bombs

Logic bombs can be planted by an insider, and when the internal network is not monitored, the likelihood of this is much higher.

661
Q

Bastion host systems can be used to monitor the security of the computing environment continuously when they are used in conjunction with intrusion detection systems (IDS) and which other security control?

A. Authentication
B. Authorization
C. Archiving
D. Auditing

A

D. Auditing

IDS and auditing are both detective types of controls that can be used to monitor the security health of the computing environment continuously.

662
Q

The first step in the incident response process of a reported breach is to

A. Notify management of the security breach
B. Research the validity of the alert or event further
C. Inform potentially affected customers of a potential breach
D. Conduct an independent third party evaluation to investigate the reported breach

A

B. Research the validity of the alert or event further

Upon the report of a breach, it is important to go into a triaging phase in which the validity and severity of the alert/event is investigated further. This reduces the number of false positives that are reported to management.

663
Q

Which of the following is the best recommendation to champion security objectives within the software development organization?

A. Informing the developers that they could lose their jobs if their software is breached
B. Informing management that the organizational software could be hacked
C. Informing the project team about the recent breach of the competitor’s software
D. Informing the development team that there should be no injection flaws in the payroll application

A

D. Informing the development team that there should be no injection flaws in the payroll application

Using security metrics over fear, uncertainty, and doubt (FUD) is the best recommendation to champion security objectives within the software development organization.

664
Q

Which of the following independent processes provides insight into the presence and effectiveness of security and privacy controls and is used to determine the organization’s compliance with the regulatory and governance (policy) requirements?

A. Penetration testing
B. Audits
C. Threat modeling
D. Code review

A

B. Audits

Periodic audits (both internal and external) can be used to assess the overall state of the organization’s security health.

665
Q

The process of using regular expressions to parse audit logs into information that indicates security incidents is referred to as

A. Correlation
B. Normalization
C. Collection
D. Visualization

A

B. Normalization

Normalizing logs means that duplicate and redundant information is removed from the logs after the time is synchronized for each log set, and the logs are parsed to deduce patterns that are identified in the correlation phase.

666
Q

The final stage of the incident management process is

A. Detection
B. Containment
C. Eradication
D. Recovery

A

D. Recovery

The incident response process involves preparation, detection, analysis, containment, eradication, and recovery. The goal of incident management is to restore (recover) service to normal business operations.

667
Q

Problem management aims to improve the value of information technology to the business because it improves service by

A. Restoring service to the expectation of the business user
B. Determining the alerts and events that need to be continuously monitored
C. Depicting incident information in easy-to-understand, user-friendly format
D. Identifying and eliminating the root cause of the problem

A

D. Identifying and eliminating the root cause of the problem

The goal of problem management is to identify and eliminate the root cause of the problem. All of the other definitions are related to incident management. The goal of incident management is to restore service, while the goal of problem management is to improve service.

668
Q

The process of releasing software to fix a recently reported vulnerability without introducing any new features or changing hardware configuration is referred to as

A. Versioning
B. Hardening
C. Patching
D. Porting

A

C. Patching

Patching is the process of applying updates and hot fixes. Porting is the process of adapting software so that an executable program can be created for a computing environment that is different from the one for which it was originally designed (e.g., different processor architecture, operating system, or third party software library).

669
Q

Fishbone diagramming is a mechanism that is primarily used for which of the following processes?

A. Threat modeling
B. Requirements analysis
C. Network deployment
D. Root cause analysis

A

D. Root cause analysis

Ishikawa diagrams or fishbone diagrams are used to identify the cause and effect of a problem and are commonly used to determine the root cause of the problem.

670
Q

As a means to assure the availability of the existing software functionality after the application of a patch, the patch needs to be tested for

A. The proper functioning of new features
B. Cryptographic agility
C. Backward compatibility
D. The enabling of previously disabled services

A

C. Backward compatibility

Regression testing of patches is crucial to ensure that there are no new side effects and that all previously available functionality still works as expected.

671
Q

Which of the following policies needs to be established to dispose of software and associated data and documents securely?

A. End-of-life
B. Vulnerability management
C. Privacy
D. Data classification

A

A. End-of-life

End-of-life (EOL) policies are used for the disposal of code, configuration, and documents based on organizational and regulatory requirements.

672
Q

Discontinuing software with known vulnerabilities in favor of a newer version is an example of the risk handling strategy called

A. Mitigation
B. Transference
C. Acceptance
D. Avoidance

A

D. Avoidance

When software with known vulnerabilities is replaced with a secure version, it is an example of avoiding the risk. It is not transference because the new version may not have the same risks. It is not mitigation since no controls are implemented to address the risk of the old software. It is not acceptance since the risk of the old software is replaced with the risk of the newer version. It is not ignorance, because the risk is not left unhandled.

673
Q

Printer ribbons, facsimile transmissions, and printed information when not securely disposed of are susceptible to disclosure attacks by which of the following threat agents? Choose the best answer.

A. Malware
B. Dumpster divers
C. Social engineers
D. Script kiddies

A

B. Dumpster divers

Dumpster divers are threat agents that can steal information from printed media (e.g., printer ribbons, facsimile transmission, printed paper).

674
Q

System resources can be protected from malicious file execution attacks by uploading the user-supplied file and running it in which of the following environments?

A. Honeypot
B. Sandbox
C. Simulated
D. Production

A

B. Sandbox

Preventing malicious file execution attacks takes careful planning, from the architectural and design phases of the SDLC through to thorough testing. In general, a well-written application will not use user-supplied input in any filename for any server-based resource (such as images, XML and XSL transform documents, or script inclusions) and will have firewall rules in place preventing new outbound connections to the Internet or internally back to any other server. However, many legacy applications continue to have a need to accept user-supplied input and files without adequate levels of validation built in. When this is the case, it is advisable to separate the production environment and upload the files to a sandbox environment before the files are processed.

675
Q

As a means to demonstrate the improvement in the security of code that is developed, one must compute the relative attack surface quotient (RASQ)

A. At the end of development phase of the project
B. Before and after the code is implemented
C. Before and after the software requirements are complete
D. At the end of the deployment phase of the project

A

B. Before and after the code is implemented

In order to understand if there is an improvement in the resiliency of the software code, the RASQ, which attempts to quantify the number and kinds of vectors available to an attacker, needs to be computed before and after code development is completed and the code is frozen.

676
Q

When code is not allowed to access memory at arbitrary locations that are out of range of the memory address space belonging to the object’s publicly exposed fields, it is referred to as which of the following types of code?

A. Object code
B. Type safe code
C. Obfuscated code
D. Source code

A

B. Type safe code

Code is said to be type safe if it accesses only memory resources that belong to the memory assigned to it. Type safety verification takes place during the just in time (JIT) compilation phase and prevents unsafe code from becoming active. Although you can disable type safety verification, doing so can lead to unpredictable results. The best example is that code can make unrestricted calls to unmanaged code, and if that code has malicious intent, the results can be severe. Therefore, the framework only allows fully trusted assemblies to bypass verification. Type safety is a form of “sandboxing.” Type safety must be one of the most important security considerations when selecting a programming language and phasing out older generation programming languages.

677
Q

Modifications to data directly in the database by developers must be prevented by

A. Periodically patching database servers
B. Implementing source code version control
C. Logging all database access requests
D. Proper change control management

A

D. Proper change control management

Proper change control management is useful to provide separation of duties as it can prevent direct access to backend databases by developers.

678
Q

Which of the following documents is the best source for containing damage, and needs to be referred to and consulted upon the discovery of a security breach?

A. Disaster Recovery Plan
B. Project Management Plan
C. Incident Response Plan
D. Quality Assurance and Testing Plan

A

C. Incident Response Plan

An Incident Response Plan (IRP) must be developed and tested for completeness as it is the document that one should refer to and follow in the event of a security breach. The effectiveness of an IRP is dependent on the awareness of users on how to respond to an incident, and increased awareness can be achieved by proper education and training.