Domain 8 Flashcards
When designing an object-oriented model, which of the following situations is ideal?
a. High cohesion, high coupling
b. High cohesion, low coupling
c. Low cohesion, low coupling
d. Low cohesion, high coupling
B. Coupling is a description of the level of interaction between objects. Cohesion is the strength of the relationship between the purposes of methods within the same class. When you are developing an object-oriented model, it is desirable to have high cohesion and low coupling.
Which of the following is a common way that attackers leverage botnets?
a, Sending spam messages
b. Conducting brute-force attacks
c. Scanning for vulnerable systems
d. All of the above
D. Botnets are used for a wide variety of malicious purposes, including scanning the network for vulnerable systems, conducting brute-force attacks against other systems, and sending out spam messages.
Which one of the following statements is not true about code review?
a. Code review should be a peer-driven process that includes multiple developers.
b. Code review may be automated.
c. Code review occurs during the design phase.
d. Code reviewers may expect to review several hundred lines of code per hour.
C. Code review takes place after code has been developed, which occurs after the design phase of the system’s development life cycle (SDLC). Code review may use a combination of manual and automated techniques, or rely solely on one or the other. It should be a peer-driven process that includes developers who did not write the code. Developers should expect to complete the review of around 300 lines per hour, on average.
Harold’s company has a strong password policy that requires a minimum length of 12 characters and the use of both alphanumeric characters and symbols. What technique would be the most effective way for an attacker to compromise passwords in Harold’s organization?
a. Brute-force attack
b. Dictionary attack
c. Rainbow table attack
d. Social engineering attack
D. A social engineering attack may trick a user into revealing their password to the attacker. Other attacks that depend on guessing passwords, such as brute-force attacks, rainbow table attacks, and dictionary attacks, are unlikely to be successful in light of the organization’s strong password policy.
Which process is responsible for ensuring that changes to software include acceptance testing?
a. Request control
b. Change control
c. Release control
d. Configuration control
C. One of the responsibilities of the release control process is ensuring that the process includes acceptance testing that confirms that any alterations to end-user work tasks are understood and functional prior to code release. The request control, change control, and configuration control processes do not include acceptance testing.
Which one of the following attack types attempts to exploit the trust relationship that a user’s browser has with other websites by forcing the submission of an authenticated request to a third-party site?
a. XSS
b. CSRF
c. SQL injection
d. Session hijacking
B. Cross-site request forgery (XSRF or CSRF) attacks exploit the trust that sites have in a user’s browser by attempting to force the submission of authenticated requests to third-party sites. Session hijacking attacks attempt to steal previously authenticated sessions but do not force the browser to submit requests. SQL injection directly attacks a database through a web application. Cross-site scripting uses reflected input to trick a user’s browser into executing untrusted code from a trusted site.
When using the SDLC, which one of these steps should you take before the others?
a. Functional requirements determination
b. Control specifications development
c. Code review
d. Design review
A. The SDLC consists of seven phases, in the following order: conceptual definition, functional requirements determination, control specifications development, design review, code review, system test review, and maintenance and change management.
Jaime is a technical support analyst and is asked to visit a user whose computer is displaying the error message shown here. What state has this computer entered?
a. Fail open
b. Irrecoverable error
c. Memory exhaustion
d. Fail secure
D. The error message shown in the figure is the infamous “Blue Screen of Death” that occurs when a Windows system experiences a dangerous failure and enters a fail secure state. If the system had “failed open,” it would have continued operation. The error described is a memory fault that is likely recoverable by rebooting the system. There is no indication that the system has run out of usable memory.
Which one of the following is not a goal of software threat modeling?
a. To reduce the number of security-related design flaws
b. To reduce the number of security-related coding flaws
c. To reduce the severity of non-security-related flaws
d. To reduce the number of threat vectors
D. Software threat modeling is designed to reduce the number of security-related design and coding flaws as well as the severity of other flaws. The developer or evaluator of software has no control over the threat environment, because it is external to the organization.
In the diagram shown here, which is an example of a method?
a. Account
b. Owner
c. AddFunds
d. None of the above
C. In the diagram, Account is the name of the class. Owner and Balance are attributes of that class. AddFunds and RemoveFunds are methods of the class.
Which one of the following is considered primary storage?
a. Memory
b. Hard disk
c. Flash drive
d. DVD
A. Primary storage is a technical term used to refer to the memory that is directly available to the CPU. Nonvolatile storage mechanisms, such as flash drives, DVDs, and hard drives, are classified as secondary storage.
Which one of the following testing methodologies typically works without access to source code?
a. Dynamic testing
b. Static testing
c. White box testing
d. Code review
A. Dynamic testing of software typically occurs in a black box environment where the tester does not have access to the source code. Static testing, white box testing, and code review approaches all require access to the source code of the application.
B. Inheritance occurs when a subclass (or child class) is able to use methods belonging to a superclass (or parent class). Polymorphism occurs when different subclasses may have different methods using the same interfaces that respond differently. Coupling is a description of the level of interaction between objects. Cohesion is the strength of the relationship between the purposes of methods within the same class. B. Inheritance occurs when a subclass (or child class) is able to use methods belonging to a superclass (or parent class). Polymorphism occurs when different subclasses may have different methods using the same interfaces that respond differently. Coupling is a description of the level of interaction between objects. Cohesion is the strength of the relationship between the purposes of methods within the same class.What concept in object-oriented programming allows a subclass to access methods belonging to a superclass?
a. Polymorphism
b. Inheritance
c. Coupling
d. Cohesion
B. Inheritance occurs when a subclass (or child class) is able to use methods belonging to a superclass (or parent class). Polymorphism occurs when different subclasses may have different methods using the same interfaces that respond differently. Coupling is a description of the level of interaction between objects. Cohesion is the strength of the relationship between the purposes of methods within the same class.
Bobby is investigating how an authorized database user is gaining access to information outside his normal clearance level. Bobby believes that the user is making use of a type of function that summarizes data. What term describes this type of function?
a. Inference
b. Polymorphic
c. Aggregate
d. Modular
C. Aggregate functions summarize large amounts of data and provide only summary information as a result. When carefully crafted, aggregate functions may unintentionally reveal sensitive information.
Which one of the following controls would best protect an application against buffer overflow attacks?
a. Encryption
b. Input validation
c. Firewall
d. Intrusion prevention system
B. The best protection against buffer overflow attacks is server-side input validation. This technique limits user input to approved ranges of values that fit within allocated buffers. While firewalls and intrusion prevention systems may contain controls that limit buffer overflows, it would be more effective to perform filtering on the application server. Encryption cannot protect against buffer overflow attacks.
Berta is analyzing the logs of the Windows Firewall on one of her servers and comes across the entries shown in this figure. What type of attack do these entries indicate?
a. SQL injection
b. Port scan
c. Teardrop
d. Land
B. The log entries show the characteristic pattern of a port scan. The attacking system sends connection attempts to the target system against a series of commonly used ports
Questions 17–20 refer to the following scenario:
Robert is a consultant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients.
Acme Widgets is not very well organized with their software development practices. They have a dedicated team of developers who do “whatever it takes” to get software out the door, but they do not have any formal processes.
Beta Particles is a company with years of experience developing software using formal, documented software development processes. They use a standard model for software development but do not have quantitative management of those processes.
What phase of the SW-CMM should Robert report as the current status of Acme Widgets?
a. Defined
b. Repeatable
c. Initial
d. Managed
C. Acme Widgets is clearly in the initial stage of the SW-CMM. This stage is characterized by the absence of formal process. The company may still produce working code, but they do so in a disorganized fashion.
Questions 17–20 refer to the following scenario:
Robert is a consultant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients.
Acme Widgets is not very well organized with their software development practices. They have a dedicated team of developers who do “whatever it takes” to get software out the door, but they do not have any formal processes.
Beta Particles is a company with years of experience developing software using formal, documented software development processes. They use a standard model for software development but do not have quantitative management of those processes.
Robert is working with Acme Widgets on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone?
a. Defined
b. Repeatable
c. Initial
d. Managed
B. The Repeatable stage is the second stage in the SW-CMM, following the Initial stage. It should be the next milestone goal for Acme Widgets. The Repeatable stage is characterized by basic life-cycle management processes.
Questions 17–20 refer to the following scenario:
Robert is a consultant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients.
Acme Widgets is not very well organized with their software development practices. They have a dedicated team of developers who do “whatever it takes” to get software out the door, but they do not have any formal processes.
Beta Particles is a company with years of experience developing software using formal, documented software development processes. They use a standard model for software development but do not have quantitative management of those processes.
What phase of the SW-CMM should Robert report as the current status of Beta Particles?
a. Defined
b. Repeatable
c. Optimizing
d. Managed
A. The Defined stage of the SW-CMM is marked by the presence of basic life-cycle management processes and reuse of code. It includes the use of requirements management, software project planning, quality assurance, and configuration management practices.
Questions 17–20 refer to the following scenario:
Robert is a consultant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients.
Acme Widgets is not very well organized with their software development practices. They have a dedicated team of developers who do “whatever it takes” to get software out the door, but they do not have any formal processes.
Beta Particles is a company with years of experience developing software using formal, documented software development processes. They use a standard model for software development but do not have quantitative management of those processes.
Robert is also working with Beta Particles on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone?
a. Defined
b. Repeatable
c. Optimizing
d. Managed
D. The Managed stage is the fourth stage in the SW-CMM, following the Defined stage. It should be the next milestone goal for Beta Particles. The Repeatable stage is characterized by the use of quantitative software development measures.
Which one of the following database keys is used to enforce referential integrity relationships between tables?
a. Primary key
b. Candidate key
c. Foreign key
d. Master key
C. Referential integrity ensures that records exist in a secondary table when they are referenced with a foreign key from another table. Foreign keys are the mechanism used to enforce referential integrity.
Which one of the following files is most likely to contain a macro virus?
a. projections.doc
b. command.com
c. command.exe
d. loopmaster.exe
A. Macro viruses are most commonly found in office productivity documents, such as Microsoft Word documents that end in the .doc or .docxextension. They are not commonly found in executable files with the .com or .exe extensions.
Victor created a database table that contains information on his organization’s employees. The table contains the employee’s user ID, three different telephone number fields (home, work, and mobile), the employee’s office location, and the employee’s job title. There are 16 records in the table. What is the degree of this table?
a. 3
b. 4
c. 6
d. 16
C. The degree of a database table is the number of attributes in the table. Victor’s table has six attributes: the employee’s user ID, home telephone, office telephone, mobile telephone, office location, and job title.
Carrie is analyzing the application logs for her web-based application and comes across the following string:
../../../../../../../../../etc/passwd
What type of attack was likely attempted against Carrie’s application?
a. Command injection
b. Session hijacking
c. Directory traversal
d. Brute force
C. The string shown in the logs is characteristic of a directory traversal attack where the attacker attempts to force the web application to navigate up the file hierarchy and retrieve a file that should not normally be provided to a web user, such as the password file. The series of “double dots” is indicative of a directory traversal attack because it is the character string used to reference the directory one level up in a hierarchy.
When should a design review take place when following an SDLC approach to software development?
a. After the code review
b. After user acceptance testing
c. After the development of functional requirements
d. After the completion of unit testing
C. Design reviews should take place after the development of functional and control specifications but before the creation of code. The code review, unit testing, and functional testing all take place after the creation of code and, therefore, after the design review.
Tracy is preparing to apply a patch to her organization’s enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning?
a. Unit testing
b. Acceptance testing
c. Regression testing
d. Vulnerability testing
C. Regression testing is software testing that runs a set of known inputs against an application and then compares the results to those produced by an earlier version of the software. It is designed to capture unanticipated consequences of deploying new code versions prior to introducing them into a production environment.
What term is used to describe the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner?
a. Validation
b. Accreditation
c. Confidence interval
d. Assurance
D. Assurance, when it comes to software, is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner. It is a term typically used in military and defense environments.
Victor recently took a new position at an online dating website and is responsible for leading a team of developers. He realized quickly that the developers are having issues with production code because they are working on different projects that result in conflicting modifications to the production code. What process should Victor invest in improving?
a. Request control
b. Release control
c. Change control
d. Configuration control
C. The change control process is responsible for providing an organized framework within which multiple developers can create and test a solution prior to rolling it out in a production environment. Request control provides a framework for user requests. Release control manages the deployment of code into production. Configuration control ensures that changes to software versions are made in accordance with the change and configuration management policies.
What type of database security issue exists when a collection of facts has a higher classification than the classification of any of those facts standing alone?
a. Inference
b. SQL injection
c. Multilevel security
d. Aggregation
D. Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.
What are the two types of covert channels that are commonly exploited by attackers seeking to surreptitiously exfiltrate information?
a. Timing and storage
b. Timing and firewall
c. Storage and memory
d. Firewall and storage
A. The two major classifications of covert channels are timing and storage. A covert timing channel conveys information by altering the performance of a system component or modifying a resource’s timing in a predictable manner. A covert storage channel conveys information by writing data to a common storage area where another process can read it. There is no such thing as a covert firewall channel. Memory is a type of storage, so a memory-based covert channel would fit into the covert storage channel category.
Vivian would like to hire a software tester to come in and evaluate a new web application from a user’s perspective. Which of the following tests best simulates that perspective?
a. Black box
b. Gray box
c. Blue box
d. White box
A. Black box testing begins with no prior knowledge of the system implementation, simulating a user perspective. White box and gray box testing provide full and partial knowledge of the system, respectively, in advance of the test. Blue boxes are a phone hacking tool and are not used in software testing.
Referring to the database transaction shown here, what would happen if no account exists in the Accounts table with account number 1001?
a. The database would create a new account with this account number and give it a $250 balance.
b. The database would ignore that command and still reduce the balance of the second account by $250.
c. The database would roll back the transaction, ignoring the results of both commands.
d. The database would generate an error message.
B. In this example, the two SQL commands are indeed bundled in a transaction, but it is not an error to issue an update command that does not match any rows. Therefore, the first command would “succeed” in updating zero rows and not generate an error or cause the transaction to rollback. The second command would then execute, reducing the balance of the second account by $250.
What type of malware is characterized by spreading from system to system under its own power by exploiting vulnerabilities that do not require user intervention?
a. Trojan horse
b. Virus
c. Logic bomb
d. Worm
D. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.
Kim is troubleshooting an application firewall that serves as a supplement to the organization’s network and host firewalls and intrusion prevention system, providing added protection against web-based attacks. The issue the organization is experiencing is that the firewall technology suffers somewhat frequent restarts that render it unavailable for 10 minutes at a time. What configuration might Kim consider to maintain availability during that period at the lowest cost to the company?
a. High availability cluster
b. Failover device
c. Fail open
d. Redundant disks
C. A fail open configuration may be appropriate in this case. In this configuration, the firewall would continue to pass traffic without inspection while it is restarting. This would minimize downtime, and the traffic would still be protected by the other security controls described in the scenario. Failover devices and high availability clusters would indeed increase availability, but at potentially significant expense. Redundant disks would not help in this scenario because no disk failure is described.
What type of security issue arises when an attacker can deduce a more sensitive piece of information by analyzing several pieces of information classified at a lower level?
a. SQL injection
b. Multilevel security
c. Aggregation
d. Inference
D. An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity. Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.
Greg is battling a malware outbreak in his organization. He used specialized malware analysis tools to capture samples of the malware from three different systems and noticed that the code is changing slightly from infection to infection. Greg believes that this is the reason that antivirus software is having a tough time defeating the outbreak. What type of malware should Greg suspect is responsible for this security incident?
a. Stealth virus
b. Polymorphic virus
c. Multipartite virus
d. Encrypted virus
B. Polymorphic viruses mutate each time they infect a system by making adjustments to their code that assists them in evading signature detection mechanisms. Encrypted viruses also mutate from infection to infection but do so by encrypting themselves with different keys on each device.
Questions 37–40 refer to the following scenario:
Linda is reviewing posts to a user forum on her company’s website and, when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:
alert(‘Alert’);
What vulnerability definitely exists on Linda’s message board?
a. Cross-site scripting
b. Cross-site request forgery
c. SQL injection
d. Improper authentication
A. The message forum is clearly susceptible to a cross-site scripting (XSS) attack. The code that Linda discovered in the message is a definitive example of an attempt to conduct cross-site scripting, and the alert box that she received demonstrates that the vulnerability exists. The website may also be vulnerable to cross-site request forgery, SQL injection, improper authentication, and other attacks, but there is no evidence of this provided in the scenario.
Questions 37–40 refer to the following scenario:
Linda is reviewing posts to a user forum on her company’s website and, when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:
alert(‘Alert’);
What was the likely motivation of the user who posted the message on the forum containing this code?
a. Reconnaissance
b. Theft of sensitive information
c. Credential stealing
d. Social engineering
A. The script that Linda discovered merely pops up a message on a user’s screen and does not perform any more malicious action. This type of script, using an alert() call, is commonly used to probe websites for cross-site scripting vulnerabilities.
Questions 37–40 refer to the following scenario:
Linda is reviewing posts to a user forum on her company’s website and, when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:
alert(‘Alert’);
Linda communicates with the vendor and determines that no patch is available to correct this vulnerability. Which one of the following devices would best help her defend the application against further attack?
a. VPN
b. WAF
c. DLP
d. IDS
B. Web application firewalls (WAFs) sit in front of web applications and watch for potentially malicious web attacks, including cross-site scripting. They then block that traffic from reaching the web application. An intrusion detection system (IDS) may detect the attack but is unable to take action to prevent it. DLP and VPN solutions are unable to detect web application attacks.
Questions 37–40 refer to the following scenario:
Linda is reviewing posts to a user forum on her company’s website and, when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:
alert(‘Alert’);
In further discussions with the vendor, Linda finds that they are willing to correct the issue but do not know how to update their software. What technique would be most effective in mitigating the vulnerability of the application to this type of attack?
a. Bounds checking
b. Peer review
c. Input validation
d. OS patching
C. Input validation verifies that user-supplied input does not violate security conditions and is the most effective defense against cross-site scripting attacks. Bounds checking is a form of input validation, but it is used to ensure that numeric input falls within an acceptable range and is not applicable against cross-site scripting attacks. Peer review and OS patching are both good security practices but are unlikely to be effective against a cross-site scripting attack.
What property of relational databases ensures that once a database transaction is committed to the database, it is preserved?
a. Atomicity
b. Consistency
c. Durability
d. Isolation
C. Durability requires that once a transaction is committed to the database it must be preserved. Atomicity ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred. Consistency ensures that all transactions are consistent with the logical rules of the database, such as having a primary key. Isolation requires that transactions operate separately from each other.
Which one of the following programming languages does not make use of a compiler?
a. Java
b. C++
c. C
d. JavaScript
D. JavaScript is an interpreted language that does not make use of a compiler to transform code into an executable state. Java, C, and C++ are all compiled languages.
Which one of the following is not a technique used by virus authors to hide the existence of their virus from antimalware software?
a. Stealth
b. Multipartitism
c. Polymorphism
d. Encryption
B. Multipartite viruses use multiple propagation mechanisms to defeat system security controls but do not necessarily include techniques designed to hide the malware from antivirus software. Stealth viruses tamper with the operating system to hide their existence. Polymorphic viruses alter their code on each system they infect to defeat signature detection. Encrypted viruses use a similar technique, employing encryption to alter their appearance and avoid signature detection mechanisms.
Which one of the following types of software testing usually occurs last and is executed against test scenarios?
a. Unit testing
b. Integration testing
c. User acceptance testing
d. System testing
C. User acceptance testing (UAT) is typically the last phase of the testing process. It verifies that the solution developed meets user requirements and validates it against use cases. Unit testing, integration testing, and system testing are all conducted earlier in the process leading up to UAT.
What type of requirement specifies what software must do by describing the inputs, behavior, and outputs of software?
a. Derived requirements
b. Structural requirements
c. Behavioral requirements
d. Functional requirements
D. Functional requirements specify the inputs, behavior, and outputs of software. Derived requirements are requirements developed from other requirement definitions. Structural and behavioral requirements focus on the overall structure of a system and the behaviors it displays.
Which of the following organizations is widely considered as the definitive source for information on web-based attack vectors?
a. (ISC)2
b. ISACA
c. OWASP
d. Mozilla Foundation
C. The Open Web Application Security Project (OWASP) is widely considered as the most authoritative source on web application security issues. They publish the OWASP Top Ten list that publicizes the most critical web application security issues.
In an object-oriented programming language, what does one object invoke in a second object to interact with the second object?
a. Instance
b. Method
c. Behavior
d. Class
B. When one object wishes to interact with another object, it does so by invoking one of the second object’s methods, including required and, perhaps, optional arguments to that method.
Lisa is attempting to prevent her network from being targeted by IP spoofing attacks as well as preventing her network from being the source of those attacks. Which one of the following rules is not a best practice that Lisa can configure at her network border?
a. Block packets with internal source addresses from entering the network.
b. Block packets with external source addresses from leaving the network.
c. Block packets with private IP addresses from exiting the network.
d. Block packets with public IP addresses from entering the network.
D. It is perfectly normal for packets with public IP addresses to enter the network from external locations. However, packets with internal addresses should never originate from the outside and should be blocked as spoofed traffic. Similarly, traffic leaving the network should have an internal source address. In no case should packets with private IP addresses cross the network border.
What type of attack is demonstrated in the C programming language example below?
int myarray[10]; myarray[10] = 8;
a. Mismatched data types
b. Overflow
c. SQL injection
d. Covert channel
B. This is an example of a specific type of buffer overflow known as an off-by-one error. The first line of the code defines an array of 10 elements, which would be numbered 0 through 9. The second line of code tries to place a value in the 11th element of the array (remember, array counting begins at 0!), which would cause an overflow.
Which one of the following database issues occurs when one transaction writes a value to the database that overwrites a value that was needed by transactions with earlier precedence?
a. Dirty read
b. Incorrect summary
c. Lost update
d. SQL injection
C. Lost updates occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value. Dirty reads occur when one transaction reads a value from a database that was written by another transaction that did not commit. Incorrect summaries occur when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information. SQL injection is a web application security flaw, not a database concurrency problem.
Which one of the following is the most effective control against session hijacking attacks?
a. TLS
b. Complex session cookies
c. SSL
d. Expiring cookies frequently
A. Transport Layer Security (TLS) provides the most effective defense against session hijacking because it encrypts all traffic between the client and server, preventing the attacker from stealing session credentials. Secure Sockets Layer (SSL) also encrypts traffic, but it is vulnerable to attacks against its encryption technology. Complex and expiring cookies are a good idea, but they are not sufficient protection against session hijacking.
Faith is looking at the /etc/passwd file on a system configured to use shadowed passwords. When she examines a line in the file for a user with interactive login permissions, what should she expect to see in the password field?
a. Plaintext password
b. Hashed password
c. x
d. *
C. When a system uses shadowed passwords, the hashed password value is stored in /etc/shadowinstead of /etc/passwd. The /etc/passwd file would not contain the password in plaintext or hashed form. Instead, it would contain an x to indicate that the password hash is in the shadow file. The * character is normally used to disable interactive logins to an account.
What type of vulnerability does a TOC/TOU attack target?
a. Lack of input validation
b. Race condition
c. Injection flaw
d. Lack of encryption
B. Time of check to time of use (TOC/TOU) attacks target situations where there is a race condition, meaning that a dependence on the timing of actions allows impermissible actions to take place.
While evaluating a potential security incident, Harry comes across a log entry from a web server request showing that a user entered the following input into a form field:
CARROT’&1=1;–
What type of attack was attempted?
a. Buffer overflow
b. Cross-site scripting
c. SQL injection
d. Cross-site request forgery
C. The single quotation mark in the input field is a telltale sign that this is a SQL injection attack. The quotation mark is used to escape outside of the SQL code’s input field, and the text following is used to directly manipulate the SQL command sent from the web application to the database.
Which one of the following is not an effective control against SQL injection attacks?
a. Escaping
b. Client-side input validation
c. Parameterization
d. Limiting database permissions
B. Client-side input validation is not an effective control against any type of attack because the attacker can easily bypass the validation by altering the code on the client. Escaping restricted characters prevents them from being passed to the database, as does parameterization. Limiting database permissions prevents dangerous code from executing.
What type of project management tool is shown in the figure?
a. WBS chart
b. PERT chart
c. Gantt chart
d. Wireframe diagram
B. PERT charts use nodes to represent milestones or deliverables and then show the estimated time to move between milestones. Gantt charts use a different format with a row for each task and lines showing the expected duration of the task. Work breakdown structures are an earlier deliverable that divides project work into achievable tasks. Wireframe diagrams are used in web design.
In what software testing technique does the evaluator retest a large number of scenarios each time that the software changes to verify that the results are consistent with a standard baseline?
a. Orthogonal array testing
b. Pattern testing
c. Matrix testing
d. Regression testing
D. Regression testing is performed after developers make changes to an application. It reruns a number of test cases and compares the results to baseline results. Orthogonal array testing is a method for generating test cases based on statistical analysis. Pattern testing uses records of past software bugs to inform the analysis. Matrix testing develops a matrix of all possible inputs and outputs to inform the test plan.
Which one of the following conditions may make an application most vulnerable to a cross-site scripting (XSS) attack?
a. Input validation
b. Reflected input
c. Unpatched server
d. Promiscuous firewall rules
B. Cross-site scripting (XSS) attacks may take advantage of the use of reflected input in a web application where input provided by one user is displayed to another user. Input validation is a control used to prevent XSS attacks. XSS does not require an unpatched server or any firewall rules beyond those permitting access to the web application.
Roger is conducting a software test for a tax preparation application developed by his company. End users will access the application over the web, but Roger is conducting his test on the back end, evaluating the source code on the web server. What type of test is Roger conducting?
a. White box
b. Gray box
c. Blue box
d. Black box
A. In a white box test, the attacker has access to full implementation details of the system, including source code, prior to beginning the test. In gray box testing, the attacker has partial knowledge. In black box testing, the attacker has no knowledge of the system and tests it from a user perspective. Blue boxes are a phone hacking tool and are not used in software testing.
Which of the following statements is true about heuristic-based antimalware software?
a. It has a lower false positive rate than signature detection.
b. It requires frequent definition updates to detect new malware.
c. It has a higher likelihood of detecting zero-day exploits than signature detection.
d. It monitors systems for files with content known to be viruses.
C. Heuristic-based anti-malware software has a higher likelihood of detecting a zero-day exploit than signature-based methods. Heuristic-based software does not require frequent signature updates because it does not rely upon monitoring systems for the presence of known malware. The trade-off with this approach is that it has a higher false positive rate than signature detection methods.
Martin is inspecting a system where the user reported unusual activity, including disk activity when the system is idle and abnormal CPU and network usage. He suspects that the machine is infected by a virus but scans come up clean. What malware technique might be in use here that would explain the clean scan results?
a. File infector virus
b. MBR virus
c. Service injection virus
d. Stealth virus
D. One possibility for the clean scan results is that the virus is using stealth techniques, such as intercepting read requests from the antivirus software and returning a correct-looking version of the infected file. The system may also be the victim of a zero-day attack, using a virus that is not yet included in the signature definition files provided by the antivirus vendor.
Tomas discovers a line in his application log that appears to correspond with an attempt to conduct a directory traversal attack. He believes the attack was conducted using URL encoding. The line reads:
%252E%252E%252F%252E%252E%252Fetc/passwd
What character is represented by the %252Evalue?
a. .
b. ,
c. ;
d. /
A. In URL encoding, the. character is replaced by %252E and the / character is replaced by %252F. You can see this in the log entry, where the expected pattern of ../../ is replaced by %252E%252E%252F%252E%252E%252F.
An attacker posted a message to a public discussion forum that contains an embedded malicious script that is not displayed to the user but executes on the user’s system when read. What type of attack is this?
a. Persistent XSRF
b. Nonpersistent XSRF
c. Persistent XSS
d. Nonpersistent XSS
C. Attacks where the malicious user tricks the victim’s web browser into executing a script through the use of a third-party site are known as cross-site scripting (XSS) attacks. This particular attack is a persistent XSS attack because it remains on the discussion forum until an administrator discovers and deletes it, giving it the ability to affect many users.
Which one of the following is not a principle of the Agile software development process?
a. Welcome changing requirements, even late in the development process.
b. Maximizing the amount of work not done is essential.
c. Clear documentation is the primary measure of progress.
d. Build projects around motivated individuals.
C. The Agile Manifesto includes 12 principles for software development. Three of those are listed as answer choices: maximizing the amount of work not done is essential, build projects around motivated individuals, and welcome changing requirements throughout the development process. Agile does not, however, consider clear documentation the primary measure of progress. Instead, working software is the primary measure of progress.
Samantha is responsible for the development of three new code modules that will form part of a complex system that her company is developing. She is prepared to publish her code and runs a series of tests against each module to verify that it works as intended. What type of testing is Samantha conducting?
a. Regression testing
b. Integration testing
c. Unit testing
d. System testing
C. Unit testing works on individual system components, such as code modules. Regression testing is used to validate updates to code by comparing the output of the new version with previous versions. Samantha is developing new modules, so regression testing is not relevant. Integration and system testing require a broader scope than individual modules.
What are the two components of an expert system?
a. Decision support system and neural network
b. Inference engine and neural network
c. Neural network and knowledge bank
d. Knowledge bank and inference engine
D. Expert systems have two components: a knowledge bank that contains the collected wisdom of human experts and an inference engine that allows the expert systems to draw conclusions about new situations based on the information contained within the knowledge bank.
Neal is working with a DynamoDB database. The database is not structured like a relational database but allows Neal to store data using a key-value store. What type of database is DynamoDB?
a. Relational database
b. Graph database
c. Hierarchical database
d. NoSQL database
D. A key-value store is an example of a NoSQL database that does not follow a relational or hierarchical model like traditional databases. A graph database is another example of a NoSQL database, but it uses nodes and edges to store data rather than keys and values.
In the transaction shown here, what would happen if the database failed in between the first and second update statement?
a. The database would credit the first account with $250 in funds but then not reduce the balance of the second account.
b. The database would ignore the first command and only reduce the balance of the second account by $250.
c. The database would roll back the transaction, ignoring the results of both commands.
d. The database would successfully execute both commands.
C. A database failure in the middle of a transaction causes the rollback of the entire transaction. In this scenario, the database would not execute either command.
In the diagram shown here, which is an example of an attribute?
a. Account
b. Owner
c. AddFunds
d. None of the above
B. In the diagram, Account is the name of the class. Owner and Balance are attributes of that class. AddFunds and RemoveFunds are methods of the class.
Which one of the following statements is true about software testing?
a. Static testing works on runtime environments.
b. Static testing performs code analysis.
c. Dynamic testing uses automated tools but static testing does not.
d. Static testing is a more important testing technique than dynamic testing.
B. Static testing performs code analysis in an offline fashion, without actually executing the code. Dynamic testing evaluates code in a runtime environment. Both static and dynamic testing may use automated tools, and both are important security testing techniques.
David is working on developing a project schedule for a software development effort, and he comes across the chart shown here. What type of chart is this?
a. Work breakdown structure
b. Functional requirements
c. PERT chart
d. Gantt chart
D. The chart shown in the figure is a Gantt chart, showing the proposed start and end dates for different activities. It is developed based on the work breakdown structure (WBS), which is developed based on functional requirements. Program Evaluation Review Technique (PERT) charts show the project schedule as a series of numbered nodes.
Barry is a software tester who is working with a new gaming application developed by his company. He is playing the game on a smartphone to conduct his testing in an environment that best simulates a normal end user, but he is referencing the source code as he conducts his test. What type of test is Barry conducting?
a. White box
b. Black box
c. Blue box
d. Gray box
D. In a gray box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted. White box tests also have access to the source code but perform testing from a developer’s perspective. Black box tests work from a user’s perspective but do not have access to source code. Blue boxes are a telephone hacking tool and not a software testing technique.
Miguel recently completed a penetration test of the applications that his organization uses to handle sensitive information. During his testing, he discovered a condition where an attacker can exploit a timing condition to manipulate software into allowing him to perform an unauthorized action. Which one of the following attack types fits this scenario?
a. SQL injection
b. Cross-site scripting
c. Pass the hash
d. TOC/TOU
D. The Time of Check to Time of Use (TOC/TOU) attack exploits timing differences between when a system verifies authorization and software uses that authorization to perform an action. It is an example of a race condition attack. The other three attacks mentioned do not depend on precise timing.
In the diagram shown here, which is an example of a class?
a. Account
b. Owner
c. AddFunds
d. None of the above
A. In the diagram, Account is the name of the class. Owner and Balance are attributes of that class. AddFunds and RemoveFunds are methods of the class.
Gary is designing a database-driven application that relies on the use of aggregate functions. Which one of the following database concurrency issues might occur with aggregate functions and should be one of Gary’s top concerns?
a. Lost updates
b. Incorrect summaries
c. SQL injections
d. Dirty reads
B. Incorrect summaries occur when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information. Dirty reads occur when one transaction reads a value from a database that was written by another transaction that did not commit. Lost updates occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value. SQL injection is a web application security flaw, not a database concurrency problem.
Which one of the following approaches to failure management is the most conservative from a security perspective?
a. Fail open
b. Fail mitigation
c. Fail clear
d. Fail closed
D. The fail closed approach prevents any activity from taking place during a system security failure and is the most conservative approach to failure management. Fail open takes the opposite philosophy, allowing all activity in the event of a security control failure. Fail clear and fail mitigation are not failure management approaches.
What software development model is shown in the figure?
Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.
a. Waterfall
b. Agile
c. Lean
d. Spiral
D. The illustration shows the spiral model of software development. In this approach, developers use multiple iterations of a waterfall-style software development process. This becomes a “loop” of iterations through similar processes. The waterfall approach does not iterate through the entire process repeatedly but rather only allows movement backward and forward one stage. The agile approach to software development focuses on iterative improvement and does not follow a rigorous SDLC model. Lean is a process improvement methodology and not a software development model.
Which of the following database keys is used by an RDBMS to uniquely identify each row in a database table?
a. Foreign key
b. Primary key
c. Candidate key
d. Referential key
B. Relational databases use the primary key to uniquely identify each of the rows in a table. The primary key is selected by the database designer from the set of candidate keys that are able to uniquely identify each row, but the RDBMS only uses the primary key for this purpose. Foreign keys are used to establish relationships between tables. Referential keys are not a type of database key.
Which one of the following change management processes is initiated by users rather than developers?
a. Request control
b. Change control
c. Release control
d. Design review
A. The request process begins with a user-initiated request for a feature. Change and release control are initiated by developers seeking to implement changes. Design review is a phase of the change approval process initiated by developers when they have a completed design.
Which one of the following techniques is an effective countermeasure against some inference attacks?
a. Input validation
b. Parameterization
c. Polyinstantiation
d. Server-side validation
C. Polyinstantiation allows the storage of multiple different pieces of information in a database at different classification levels to prevent attackers from inferring anything about the absence of information. Input validation, server-side validation, and parameterization are all techniques used to prevent web application attacks and are not effective against inference attacks.
Ursula is a government web developer who recently created a public application that offers property records. She would like to make it available for other developers to integrate into their applications. What can Ursula create to make it easiest for developers to call her code directly and integrate the output into their applications?
a. Object model
b. Data dictionary
c. API
d. Primary key
C. While Ursula may certainly use an object model, data dictionary, and primary key in her development effort, external developers cannot directly use them to access her code. An application programming interface (API) allows other developers to call Ursula’s code from within their own without knowing the details of Ursula’s implementation.
During what phase of the IDEAL model do organizations develop a specific plan of action for implementing change?
a. Initiating
b. Diagnosing
c. Establishing
d. Acting
C. In the Establishing phase of the IDEAL model, the organization takes the general recommendations from the Diagnosing phase and develops a specific plan of action that achieves those changes.
TJ is inspecting a system where the user reported a strange error message and the inability to access files. He sees the window shown in this figure. What type of malware should TJ suspect?
a. Service injection
b. Encrypted virus
c. SQL injection
d. Ransomware
D. Messages similar to the one shown in the figure are indicative of a ransomware attack. The attacker encrypts files on a user’s hard drive and then demands a ransom, normally paid in Bitcoin, for the decryption key required to restore access to the original content. Encrypted viruses, on the other hand, use encryption to hide themselves from antivirus mechanisms and do not alter other contents on the system.
What function can be used to convert a string to a safe value for use in passing from a PHP application to a database?
a. bin2hex()
b. hex2bin()
c. dechex()
d. hexdec()
A. The bin2hex() function converts a string to a hexadecimal value that may then be passed to a database safely. The dechex() function performs a similar function but will not work for a string as it only functions on numeric values. The hex2bin() and hexdec() functions work in the reverse manner.
Which one of the following types of artificial intelligence attempts to use complex computations to replicate the partial function of the human mind?
a. Decision support systems
b. Expert systems
c. Knowledge bank
d. Neural networks
D. Neural networks attempt to use complex computational techniques to model the behavior of the human mind. Knowledge banks are a component of expert systems, which are designed to capture and reapply human knowledge. Decision support systems are designed to provide advice to those carrying out standard procedures and are often driven by expert systems.
At which level of the Software Capability Maturity Model (SW-CMM) does an organization introduce basic life-cycle management processes?
a. Initial
b. Repeatable
c. Defined
d. Managed
B. In level 2, the Repeatable level of the SW-CMM, an organization introduces basic life-cycle management processes. Reuse of code in an organized fashion begins, and repeatable results are expected from similar projects. The key process areas for this level include Requirements Management, Software Project Planning, Software Project Tracking and Oversight, Software Subcontract Management, Software Quality Assurance, and Software Configuration Management.
Lucas runs the accounting systems for his company. The morning after a key employee was fired, systems began mysteriously losing information. Lucas suspects that the fired employee tampered with the systems prior to his departure. What type of attack should Lucas suspect?
a. Privilege escalation
b. SQL injection
c. Logic bomb
d. Remote code execution
C. The key to this question is that Lucas suspects the tampering took place before the employee departed. This is the signature of a logic bomb: malicious code that lies dormant until certain conditions are met. The other attack types listed here: privilege escalation, SQL injection, and remote code execution would more likely take place in real time.
Which one of the following principles would not be favored in an Agile approach to software development?
a. Processes and tools over individuals and interactions
b. Working software over comprehensive documentation
c. Customer collaboration over contract negotiations
d. Responding to change over following a plan
A. The Agile approach to software development embraces four principles. It values individuals and interactions over processes and tools, working software over comprehensive documentation, customer collaboration over contract negotiation, and responding to change over following a plan.
What technique do API developers most commonly use to limit access to an API to authorized individuals and applications?
a. Encryption
b. Input validation
c. API keys
d. IP filters
C. API developers commonly use API keys to limit access to authorized users and applications. Encryption provides for confidentiality of information exchanged using an API but does not provide authentication. Input validation is an application security technique used to protect against malicious input. IP filters may be used to limit access to an API, but they are not commonly used because it is difficult to deploy an API with IP filters since the filters require constant modification and maintenance as endpoints change.
Which one of the following statements about malware is correct?
a. Malware authors do not target Macintosh or Linux systems.
b. The most reliable way to detect known malware is watching for unusual system activity.
c. Signature detection is the most effective technique to combat known malware.
d. APT attackers typically use malware designed to exploit vulnerabilities identified in security bulletins.
C. Signature detection is extremely effective against known strains of malware because it uses a very reliable pattern matching technique to identify known malware. Signature detection is, therefore, the most reliable way to detect known malware. This technique is not, however, effective against the zero-day malware typically used by advanced persistent threats (APTs) that does not exploit vulnerabilities identified in security bulletins. While malware authors once almost exclusively targeted Windows systems, malware now exists for all major platforms.
Which one of the following is the proper order of steps in the waterfall model of software development?
a. Requirements, Design, Testing, Coding, Maintenance
b. Requirements, Design, Coding, Testing, Maintenance
c. Design, Requirements, Coding, Testing, Maintenance
d. Design, Requirements, Testing, Coding, Maintenance
B. In the waterfall model, the software development process follows five sequential steps which are, in order: Requirements, Design, Coding, Testing, and Maintenance.
Which component of the database ACID model ensures that database transactions are an “all or nothing” affair?
a. Atomicity
b. Consistency
Ic. solation
d. Durability
A. Atomicity ensures that database transactions either execute completely or not at all. Consistency ensures that all transactions must begin operating in an environment that is consistent with all of the database’s rules. The isolation principle requires that transactions operate separately from each other. Durability ensures that database transactions, once committed, are permanent.
Tom is writing a software program that calculates the sales tax for online orders placed from various jurisdictions. The application includes a user-defined field that allows the entry of the total sale amount. Tom would like to ensure that the data entered in this field is a properly formatted dollar amount. What technique should he use?
a. Limit check
b. Fail open
c. Fail secure
d. Input validation
D. Input validation ensures that the data provided to a program as input matches the expected parameters. Limit checks are a special form of input validation that ensure the value remains within an expected range, but there was no range specified in this scenario. Fail open and fail secure are options when planning for possible system failures.
Mal is eavesdropping on the unencrypted communication between the user of a website and the web server. She manages to intercept the cookies from a request header. What type of attack can she perform with these cookies?
a. Session hijacking
b. Cross-site scripting
c. Cross-site request forgery
d. SQL injection
A. Cookies are used to maintain authenticated sessions, even when IP addresses change. Therefore, Mal can use the stolen cookies to conduct a session hijacking attack, taking over an authorized user’s session with the website, potentially without the knowledge of the legitimate user.
Which of the following vulnerabilities might be discovered during a penetration test of a web-based application?
a. Cross-site scripting
b. Cross-site request forgery
c. SQL injection
d. All of the above
D. Penetration tests of web-based systems may detect any possible web application security flaw, including cross-site request forgery (XSRF), cross-site scripting (XSS), and SQL injection vulnerabilities.
What approach to technology management integrates the three components of technology management shown in this illustration?
Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.
a. Agile
b. Lean
c. DevOps
d. ITIL
C. The DevOps approach to technology management seeks to integrate software development, operations, and quality assurance in a seamless approach that builds collaboration between the three disciplines.
Which one of the following tools might an attacker use to best identify vulnerabilities in a targeted system?
a. nmap
b. nessus
c. ipconfig
d. traceroute
B. nessus is a vulnerability testing tool designed for use by security professionals but also available to attackers. nmap may also assist attackers, but it only shows open ports and has limited capability to identify vulnerabilities. ipconfig displays network configuration information about a system, whereas traceroute identifies the network path between two systems.
Which one of the following database concurrency issues occurs when one transaction reads information that was written to a database by a second transaction that never committed?
a. Lost update
b. SQL injection
c. Incorrect summary
d. Dirty read
D. Dirty reads occur when one transaction reads a value from a database that was written by another transaction that did not commit. Lost updates occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value. Incorrect summaries occur when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information. SQL injection is a web application security flaw, not a database concurrency problem.
What type of virus works by altering the system boot process to redirect the BIOS to load malware before the operating system loads?
a. File infector
b. MBR
c. Polymorphic
d. Service injection
B. A master boot record (MBR) virus redirects the boot process to load malware during the operating system loading process. File infector viruses infect one or more normal files stored on the system. Polymorphic viruses alter themselves to avoid detection. Service injection viruses compromise trusted components of the operating system.
What type of virus is characterized by the use of two or more different propagation mechanisms to improve its likelihood of spreading between systems?
a. Stealth virus
b. Polymorphic virus
c. Multipartite virus
d. Encrypted virus
C. Multipartite viruses use multiple propagation mechanisms to spread between systems. This improves their likelihood of successfully infecting a system because it provides alternative infection mechanisms that may be successful against systems that are not vulnerable to the primary infection mechanism.
