Domain X: Difficult to Memorize Flashcards

1
Q

What is the purpose of ISO 27001?

A

ISO 27001: Establish, implement, control and improve the ISMS. Uses PDCA (Plan, Do, Check, Act)

2
Q

What is the purpose of ISO 27002?

A

ISO 27002: (derived from BS 7799 parts 1/2 and ISO 17799) Provides practical advice on how to implement security controls. It has 10 domains it uses for ISMS.

3
Q

What is the purpose of ISO 27004?

A

ISO 27004: Provides metrics for measuring the success of your ISMS.

4
Q

What does ISO 27005 contain?

A

ISO 27005: Standards-based approach to risk

5
Q

What are the requirements of the EU Data Protection Directive? (4 points)

A

EU Data Protection Directive: a very aggressive pro-privacy law.

  • Organizations must notify individuals of how their data is gathered and used.
  • Organizations must allow for opt-out of sharing with 3rd parties.
  • Opt-in is required for sharing “most” sensitive data.
  • No transmission out of the EU unless the receiving country is perceived to have adequate (equal) privacy protections; the US does NOT meet this standard. EU-US Safe Harbor is an optional arrangement between an organization and the EU.
6
Q

What is the ISC2 code of ethics preamble?

A

Code of Ethics Preamble:
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this code is a condition of certification.

7
Q

What are the ISC2 code of ethics canons?

A

Code of Ethics Canons:
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.

8
Q

What are the 5 components of information security governance?

A

Information Security Governance:

Policies – Mandatory.
Standards – Mandatory.
Guidelines – non-Mandatory.
Procedures – Mandatory.
Baselines (Benchmarks) – Mandatory.
9
Q

What are the 7 types of security controls?

A

Access Control Defensive Types:

Preventive: Controls that prevent an action from occurring.
Detective: Controls that detect during or after an attack – IDS, CCTV, alarms, antivirus.
Corrective: Controls that correct an attack – antivirus, patches, IPS.
Recovery: Controls that help us recover after an attack – DR environment, backups, HA environments.
Deterrent: Controls that deter an attack – fences, security guards, dogs, lights, “Beware of the dog” signs.
Compensating: Controls that compensate for other controls that are impossible or too costly to implement.
Directive: Controls that direct, confine, or control the actions of subjects to force or encourage compliance with security policy.

10
Q

What are the 5 types of risk responses?

A

Types of risk responses:

Accept the Risk – We know the risk is there, but the mitigation is more costly than the cost of the risk (low risks). We ensure we have a paper trail showing this was a calculated decision.
Mitigate the Risk (Reduction) – Laptop encryption/remote wipe is an example; the risk is reduced to an acceptable level (leftover risk = residual risk).
Transfer the Risk – The insurance approach – We could get flooding insurance for the data center; the flooding will still happen and we will still lose 15% of the infrastructure, but we are insured for the cost.
Risk Avoidance – We don’t issue employees laptops (if possible), or we build the data center in an area that doesn’t flood. (Most often done before launching new projects – this could be the data center build.)
Risk Rejection – You know the risk is there, but you are ignoring it. This is never acceptable. (You are liable.)

11
Q

What are the 9 steps in the risk management process within NIST 800-30?

A

NIST 800-30 - United States National Institute of Standards and Technology Special Publication. A 9-step process for Risk Management.

  1. System Characterization (Risk Management scope, boundaries, system and data sensitivity).
  2. Threat Identification (What are the threats to our systems?).
  3. Vulnerability Identification (What are the vulnerabilities of our systems?).
  4. Control Analysis (Analysis of the current and planned safeguards, controls and mitigations).
  5. Likelihood Determination (Qualitative – How likely is it to happen?).
  6. Impact Analysis (Qualitative – How bad is it if it happens? Loss of CIA).
  7. Risk Determination (Look at 5-6 and determine Risk and Associate Risk Levels).
  8. Control Recommendations (What can we do to Mitigate, Transfer, … the risk).
  9. Results Documentation (Documentation with all the facts and recommendations).
12
Q

What are the 10 commandments of computer ethics?

A

Ten Commandments of Computer Ethics are:

  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people’s computer work.
  3. Thou shalt not snoop around in other people’s computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid.
  7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
  8. Thou shalt not appropriate other people’s intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
13
Q

What are the 5 steps in the BIA process?

A
Identification of priorities
Risk identification
Likelihood assessment
Impact assessment
Resource prioritization
14
Q

What are the 4 components of the Common Criteria?

A
  • Target of evaluation (ToE)
  • Security target
  • Protection profile
  • Evaluation assurance level (EAL)
15
Q

What are the 7 common criteria levels?

A

The Common Criteria levels are
• EAL1: Functionally tested
• EAL2: Structurally tested
• EAL3: Methodically tested and checked
• EAL4: Methodically designed, tested, and reviewed
• EAL5: Semiformally designed, and tested
• EAL6: Semiformally verified, designed, and tested
• EAL7: Formally verified, designed, and tested

16
Q

What are the 11 areas of ISO 17799/27002?

A

ISO 17799/27002 has 11 areas, focusing on specific information security controls:

  1. Policy
  2. Organization of information security
  3. Asset management
  4. Human resources security
  5. Physical and environmental security
  6. Communications and operations management
  7. Access control
  8. Information systems acquisition, development, and maintenance
  9. Information security incident management
  10. Business continuity management
  11. Compliance
17
Q

What are the four domains of COBIT?

A

COBIT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate

18
Q

What are the five service publications of ITIL?

A
ITIL® contains five Service Management Practices—Core Guidance publications:
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement
19
Q

What are the properties of the Bell LaPadula model?

A

Bell-LaPadula: (Confidentiality) (Mandatory Access Control):

  • Simple Security Property: “No Read UP”. Subjects with Secret clearance can’t read Top Secret data.
  • * (Star) Security Property: “No Write DOWN”. Subjects with Top Secret clearance can’t write Top Secret information to Secret folders.
  • Strong * (Star) Property: “No Read or Write UP and DOWN”. Subjects can ONLY access data on their own level.
20
Q

What are the properties of the BIBA model?

A

BIBA: (Integrity) (Mandatory Access Control):

  • Simple Integrity Axiom: “No Read DOWN”. Subjects with Top Secret clearance can’t read Secret data. Remember that integrity is the purpose here; we don’t want wrong or lacking lower-clearance-level data to confuse us.
  • * (Star) Integrity Axiom: “No Write UP”. Subjects with Secret clearance can’t write Secret information to Top Secret folders. We don’t want wrong or lacking lower-level information to propagate to a higher level.
  • Invocation Property: “No Read or Write UP”. Subjects can never access or alter data on a higher level.
21
Q

What are the 8 rules that a subject can execute on an object in the Graham-Denning model?

A

The 8 rules that a specific subject can execute on an object are:

  1. Transfer Access.
  2. Grant Access.
  3. Delete Access.
  4. Read Object.
  5. Create Object.
  6. Destroy Object.
  7. Create Subject.
  8. Destroy Subject.
22
Q

What are the six frameworks of the Zachman Framework? What rules do those six frameworks map to?

A

Zachman Framework (for Enterprise Architecture):

  • Provides six frameworks: What, How, Where, Who, When, and Why.
  • Maps those frameworks to rules for: Planner, Owner, Designer, Builder, Programmer, and User.
23
Q

What must all users have in the dedicated security mode?

A

Dedicated security mode - All users must have:

  • Signed NDA for ALL information on the system.
  • Proper clearance for ALL information on the system.
  • Formal access approval for ALL information on the system.
  • A valid need to know for ALL information on the system.
24
Q

What must all users have in the system high security mode?

A

System high security mode - All users must have:

  • Signed NDA for ALL information on the system.
  • Proper clearance for ALL information on the system.
  • Formal access approval for ALL information on the system.
  • A valid need to know for SOME information on the system.
  • All users can access SOME data, based on their need to know
25
Q

What must all users have in the compartmented security mode?

A

Compartmented security mode - All users must have:

  • Signed NDA for ALL information on the system.
  • Proper clearance for ALL information on the system.
  • Formal access approval for SOME information they will access on the system.
  • A valid need to know for SOME information on the system.
  • All users can access SOME data, based on their need to know and formal access approval.
26
Q

What must all users have in the multilevel security mode?

A

Multilevel security mode - (Controlled Security Mode) - All users must have:

  • Signed NDA for ALL information on the system.
  • Proper clearance for SOME information on the system.
  • Formal access approval for SOME information on the system.
  • A valid need to know for SOME information on the system.
  • All users can access SOME data, based on their need to know, clearance and formal access approval.
27
Q

What are the four rings within the ring model?

A

The rings are (theoretically) used as follows:
• Ring 0: Kernel
• Ring 1: Other OS components that do not fit into Ring 0
• Ring 2: Device drivers
• Ring 3: User applications

Most x86 operating systems, including Linux and Windows, use Rings 0 and 3 only.

28
Q

What are the four functions of a CPU?

A

The CPU (Central Processing Unit) uses Fetch, Decode, Execute, and Store:
• Fetch: gets the instructions from memory into the processor.
• Decode: internally decodes what it is instructed to do.
• Execute: performs the operation (e.g. add or subtract) on the values from the registers.
• Store: stores the result back into another register (retiring the instruction).
Pipelining – combining multiple steps into one process; the CPU can Fetch, Decode, Execute, and Store in the same clock cycle.

29
Q

What is DREAD?

A

DREAD is a threat rating system designed to provide a flexible rating solution that is based on asking five main questions to each threat:

Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
30
Q

What types of encryption are symmetric? What types are asymmetric?

A

Twofish, AES, DES and RC6 are types of symmetric encryption.

DH, ECC, and RSA are asymmetric types of encryption.

31
Q

What are the four classes of gates?

A

Four classes of gates:
• Class I: Residential (home use)
• Class II: Commercial/General Access (parking garage)
• Class III: Industrial/Limited Access (loading dock for 18-wheeler trucks)
• Class IV: Restricted Access (airport or prison)

32
Q

What are the six common types of electrical faults?

A
The following are common types of electrical faults:
• Blackout: prolonged loss of power
• Brownout: prolonged low voltage
• Fault: short loss of power
• Surge: prolonged high voltage
• Spike: temporary high voltage
• Sag: temporary low voltage
33
Q

What are the six classes of material suppression agents? What are the US and European classifications?

A

Classes are listed as US class / Europe class: material – suppression agent.

• A / A: Ordinary combustibles such as wood and paper – Water or soda acid
• B / B: Liquids – Halon/Halon substitute, CO2, or soda acid
• B / C: Flammable gases – Halon/Halon substitute, CO2, or soda acid
• C / E: Electrical equipment – Halon/Halon substitute, CO2
• D / D: Combustible metals – Dry powder
• K / F: Kitchen (oil or fat) fires – Wet chemicals

34
Q

What is the difference between T1, T3, E1 and E3?

A
  • A T1 is a dedicated 1.544-megabit circuit that carries 24 64-kbit/s DS0 (Digital Signal 0) channels.
  • A T3 is 28 bundled T1s, forming a 44.736-megabit circuit.
  • An E1 is a dedicated 2.048-megabit circuit that carries 30 channels.
  • An E3 is 16 bundled E1s, forming a 34.368-megabit circuit.
35
Q

What are the 5 RIRs?

A
The world is divided into 5 RIR (Regional Internet Registry) regions and organizations:

• The African Network Information Center (AFRINIC) serves Africa.
• The American Registry for Internet Numbers (ARIN) serves Antarctica, Canada, parts of the Caribbean, and the United States.
• The Asia-Pacific Network Information Centre (APNIC) serves East Asia, Oceania, South Asia, and Southeast Asia.
• The Latin America and Caribbean Network Information Centre (LACNIC) serves most of the Caribbean and all of Latin America.
• The Réseaux IP Européens Network Coordination Centre (RIPE NCC) serves Europe, Central Asia, Russia, and West Asia.

36
Q

What are the six flags in the TCP header that are still commonly used?

A

XXUAPRSF. The X flags are no longer used. The remaining six are Urgent, Acknowledgement, Push, Reset, Sync, and Finish.
Mnemonic: Unskilled Attackers Pester Real Security Folk.

37
Q

What are the 8 components of Kerberos?

A

Kerberos has the following components:
• Principal: Client (user) or service.
• Realm: A logical Kerberos network.
• Ticket: Data that authenticates a principal’s identity.
• Credentials: A ticket and a service key.
• KDC: Key Distribution Center, which authenticates principals. (consists of TGS and AS)
• TGS: Ticket Granting Service.
• AS: Authentication server
• C/S: Client Server, regarding communications between the two

38
Q

What are the 6 steps in the Kerberos authentication process?

A

Kerberos authentication process:

  1. Send TGT request sending only plaintext user ID.
  2. Sends session key encrypted with user’s secret key + TGT encrypted with TGS secret key.
  3. TGT + Service request encrypted with the client/TGS session key.
  4. Client to server ticket encrypted with server’s secret key + client/session key encrypted with the client/TGS session key.
  5. Client/session key encrypted with the client/TGS session key + new authenticator encrypted with the client/server session Key.
  6. Timestamp authentication Client/Server Session Key.
39
Q

What are the four AD trust models?

A

AD Trust models:

  • One-way trust: One domain allows access to users of another domain, but the other domain does not allow access to users of the first domain.
  • Two-way trust: Two domains allow access to users of both domains.
  • Trusted domain: The domain that is trusted, whose users have access to the trusting domain.
  • Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
  • Intransitive (non-transitive) trust: A one-way trust that does not extend beyond two domains.
40
Q

What are the 7 components of a security assessment?

A

Security assessments view many controls across multiple domains and may include the following:
• Policies, procedures, and other administrative controls
• Assessing the real world-effectiveness of administrative controls
• Change management
• Architectural review
• Penetration tests
• Vulnerability assessments
• Security audits

41
Q

What are the 6 phases of a penetration testing?

A

Planning > Reconnaissance > Scanning (enumeration) > Vulnerability assessment > Exploitation > Reporting.

42
Q

What are the 5 common problems with audit record management?

A

Audit record management typically faces five distinct problems:
• Logs are not reviewed on a regular and timely basis.
• Audit logs and audit trails are not stored for a long enough time period.
• Logs are not standardized or viewable by correlation toolsets; they are only viewable from the system being audited.
• Log entries and alerts are not prioritized.
• Audit records are only reviewed for the bad stuff.

43
Q

What are the stages of Process for Attack Simulation and Threat Analysis (PASTA)?

A

Stage 1: Definition of Objectives
Stage 2: Technical Scope
Stage 3: Application Decomposition and Analysis
Stage 4: Threat Analysis
Stage 5: Weakness and Vulnerability Analysis
Stage 6: Attack Modeling & Simulation
Stage 7: Risk Analysis & Management

44
Q

What are the 8 steps in the incident response process?

A

Steps in incident response process:

  1. Preparation - The preparation phase includes steps taken before an incident occurs.
  2. Detection (identification) - Events are analyzed in order to determine whether they might comprise a security incident.
  3. Response (containment) - The incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident.
  4. Mitigation (eradication) - The process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase.
  5. Reporting - The reporting phase of incident handling occurs throughout the process, beginning with detection. Reporting must begin immediately upon detection of malicious activity.
  6. Recovery - Involves cautiously restoring the system or systems to operational status.
  7. Remediation - Remediation steps occur during the mitigation phase, where vulnerabilities within
  8. Lessons learned (post-incident activity, postmortem, or reporting) - Provide a final report on the incident, which will be delivered to management.
45
Q

What are the 8 steps in the change management process?

A

Flow of the change management process:
• Identifying the change
• Proposing the change
• Assessing the risk associated with the change
• Testing the change
• Scheduling the change
• Notifying impacted parties of the change
• Implementing the change
• Reporting results of the change implementation

46
Q

What does NIST 800-34 provide?

A

NIST Special Publication 800-34, provides a visual means for understanding the interrelatedness of BCP and DRP, as well as Continuity of Operations Plan (COOP), Occupant Emergency Plan (OEP), and others.

47
Q

What are the 7 types of disruptive events?

A

Types of disruptive events include:
• Errors and omissions: typically considered the most common source of disruptive events. This type of threat is caused by humans who unintentionally serve as a source of harm.
• Natural disasters: include earthquakes, hurricanes, floods, tsunamis, etc.
• Electrical or power problems: loss of power may cause availability issues, as well as integrity issues due to corrupted data.
• Temperature and humidity failures: may damage equipment due to overheating, corrosion, or static electricity.
• Warfare, terrorism, and sabotage: threats can vary dramatically based on geographic location, industry, and brand value, as well as the interrelatedness with other high-value target organizations.
• Financially motivated attackers: attackers who seek to make money by attacking victim organizations; includes exfiltration of cardholder data, identity theft, pump-and-dump stock schemes, bogus antimalware tools, corporate espionage, and others.
• Personnel shortages: may be caused by strikes, pandemics, or transportation issues. A lack of staff may lead to operational disruption.

48
Q

What are the five steps in the disaster recovery process?

A

Steps in the disaster recovery process:

Respond - Assess the damage and determine whether the event constitutes a disaster.
Activate team - Activate the disaster recovery team.
Communicate - This communication often must occur out-of-band, meaning that the typical communication method of using an office phone will quite often not be a viable option.
Assess - Though an initial assessment was carried out during the initial response portion of the disaster recovery process, a more detailed and thorough assessment will be performed by the disaster recovery team.
Reconstitution - Successfully recover critical business operations at either a primary or secondary site.

49
Q

What are the 8 steps within NIST 800-34 for creating a BCP/DRP?

A

NIST SP 800-34 Steps in creating a BCP/DRP:

  • Project Initiation
  • Scope of the Project
  • Business Impact Analysis (BIA)
  • Identify Preventive Controls
  • Recovery Strategy
  • Plan Design and Development
  • Implementation, Training, and Testing
  • BCP/DRP Maintenance
50
Q

What are the 7 levels of DRP testing?

A
Ranked in order of cost and complexity, from low to high:
• DRP Review
• Read-Through/Checklist/Consistency
• Structured Walkthrough/Tabletop
• Simulation Test/Walkthrough Drill
• Parallel Processing
• Partial Interruption
• Complete Business Interruption
51
Q

What are the 10 common BCP/DRP mistakes?

A

Common BCP/DRP mistakes include:
• Lack of management support
• Lack of business unit involvement
• Lack of prioritization among critical staff
• Improper (often overly narrow) scope
• Inadequate telecommunications management
• Inadequate supply chain management
• Incomplete or inadequate CMP
• Lack of testing
• Lack of training and awareness
• Failure to keep the BCP/DRP plan up to date

52
Q

What three things is ISO 27031 designed to do?

A

• “Provide a framework (methods and processes) for any organization—private, governmental, and nongovernmental
• Identify and specify all relevant aspects including performance criteria, design, and implementation details for improving ICT readiness as part of the organization’s SMS, helping to ensure business continuity
• Enable an organization to measure its continuity, security and hence readiness to survive a disaster in a consistent and recognized manner.”

53
Q

What are the four types of IDS/IPSs?

A

IDSs (Intrusion Detection Systems) and IPSs (Intrusion Prevention Systems) can be categorized into 2 types, with 2 different approaches to identifying malicious traffic.

Types:
• Network based: placed on a network segment (a switch port in promiscuous mode).
• Host based: on a client, normally a server or workstation.

Approaches:
• Signature (pattern) matching: similar to antivirus, it matches traffic against a long list of known malicious traffic patterns.
• Heuristic (behavioral) based: uses a normal-traffic baseline to monitor for abnormal traffic.

54
Q

What are the 8 plans found within a BCP?

A

BCP’s often contain DRP (Disaster Recovery Plan), COOP (Continuity of Operations Plan), Crisis Communications Plan, Crisis Management Plan, Critical Infrastructure Protection Plan, Cyber Incident Response Plan, ISCP (Information System Contingency Plan), and Occupant Emergency Plan.

55
Q

What are the four phases of the DRP lifecycle?

A

DRP has a lifecycle of Mitigation, Preparation, Response and Recovery:
• Mitigation: Reduce the impact and likelihood of a disaster.
• Preparation: Build programs, procedures and tools for our response.
• Response: How we react in a disaster, following the procedures.
• Recovery: Reestablish basic functionality and get back to full production.

56
Q

What are the 6 goals of change management?

A
Implement in an orderly manner
Formalized testing
Ability to reverse changes
Ability to inform users of changes
Minimize negative impact of changes
Minimize risk of changes
57
Q

What are the six basic SQL commands?

A

Select, update, delete, insert, grant, take

58
Q

What are the four values in the agile manifesto?

A

Agile manifesto: We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:
• Individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaboration over contract negotiation
• Responding to change over following a plan

59
Q

What are the 5 XP core practices?

A

XP core practices include:
• Planning: specifies the desired features, which are called the user stories. They are used to determine the iteration (timeline) and drive the detailed specifications.
• Paired programming: programmers work in teams.
• Forty-hour workweek: the forecasted iterations should be accurate enough to forecast how many hours will be required to complete the project. If programmers must put in additional overtime, the iteration must be flawed.
• Total customer involvement: the customer is always available and carefully monitors the project.
• Detailed test procedures: these are called unit tests.

60
Q

What are the 9 OWASP API controls?

A

The OWASP enterprise security API toolkits project includes these critical API controls:

  • Authentication
  • Access control
  • Input validation
  • Output encoding/escaping
  • Cryptography
  • Error handling and logging
  • Communication security
  • HTTP security
  • Security configuration
61
Q

What are the five levels of the capability maturity model?

A

The five levels of the capability maturity model (CMM) are:

  1. Initial: The software process is characterized as ad hoc and occasionally even chaotic. Few processes are defined, and success depends on individual effort.
  2. Repeatable: Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
  3. Defined: The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. Projects use an approved, tailored version of the organization’s standard software process for developing and maintaining software.
  4. Managed: Detailed measures of the software process and product quality are collected, analyzed, and used to control the process. Both the software process and products are quantitatively understood and controlled.
  5. Optimizing: Continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
62
Q

What are the four levels of acceptance testing according to the ISTQB?

A

The International Software Testing Qualifications Board (ISTQB) lists four levels of acceptance testing:

  • “The User Acceptance test: focuses mainly on the functionality, thereby validating the fitness-for-use of the system by the business user. The user acceptance test is performed by the users and application managers.
  • The Operational Acceptance test: also known as Production Acceptance test, validates whether the system meets the requirements for operation. In most organizations, the operational acceptance test is performed by the system administration before the system is released. The operational acceptance test may include testing of backup/restore, disaster recovery, maintenance tasks, and periodic checks of security vulnerabilities.
  • Contract Acceptance testing: performed against the contract’s acceptance criteria for producing custom-developed software. Acceptance should be formally defined when the contract is agreed.
  • Compliance acceptance testing: also known as regulation acceptance testing, which is performed against the regulations that must be followed, such as governmental, legal, or safety regulations.
63
Q

What is the OWASP top 10?

A

OWASP Top 10

  • A1 Injection.
  • A2 Broken Authentication and Session Management.
  • A3 Cross-Site Scripting (XSS).
  • A4 Broken Access Control.
  • A5 Security Misconfiguration.
  • A6 Sensitive Data Exposure.
  • A7 Insufficient Detection and Response (NEW still being worked on).
  • A8 Cross-Site Request Forgery (CSRF).
  • A9 Using Components with Known Vulnerabilities.
  • A10 Underprotected APIs (Application Programming Interfaces)
64
Q

What is the spiral model? What are the four phases?

A

The spiral model: A risk-driven process model generator for software projects. The spiral model has four phases: Planning, Risk Analysis, Engineering and Evaluation. A software project repeatedly passes through these phases in iterations (called spirals in this model). In the baseline spiral, starting in the planning phase, requirements are gathered and risk is assessed. Each subsequent spiral builds on the baseline spiral.

65
Q

What are the phases of the SDLC?

A

The SDLC is not really a methodology, but a description of the phases in the life cycle of software development. These phases are (in general): investigation, analysis, design, build, test, implement, maintenance and support (and disposal). Security can be built into each step of the process; for the exam, it always is.

66
Q

What are the six steps of the Fagan code review process?

A
Planning
Overview
Preparation
Inspection
Rework
Follow-up
67
Q

What are the 9 phases of the e-Discovery reference model?

A
Information Governance 
Identification 
Preservation 
Collection 
Processing 
Review 
Analysis 
Production
Presentation