Software Design Flashcards
What should be done when sensitive data has to be shared over a network or in reports with another department in the organization that is not authorized to see certain data elements?
- Log the data access request
- Encrypt the data
- Anonymize the data
- Hash the data
Anonymize the data
What is a risk associated with relying on wireless network access in a congested area?
- Contamination of data from other channels
- Jamming of the signal
- Loss of packets
- Shorter battery life
Jamming of the signal
How can symmetric encryption keys be sent between business partners if the network is subject to monitoring?
- In email
- Prior to the data exchange
- In a certificate
- Out of band
Out of band
What is the condition an entity is in at a point in time?
- Security
- Temporal
- State
- Masked
State
Which of the following is a good justification for allocating secuurity requirements to existing systems?
- Greater (more granular) control
- Better tailoring of controls to the new system
- Avoid introducing new vulnerabilities
- Increase Total Cost of Ownership (TCO)
Avoid introducing new vulnerabilities
Which of the following is an example of a role that is responsible for ‘owning’ an external system such as power or physical access?
- Information owner
- A facility owner
- Senior management
- Security Director
A facility owner
What is a primary goal of control selection?
- To avoid all security risks
- To enable business functions
- To avoid the cost of controls
- Provide adequate security
Provide adequate security
Which type of malware is often described as parasitical?
- Virus
- Logic bomb
- Worm
- Trojan horse
Virus
In addition to motivation and skill, which other characteristic of a threat adversary is most important?
- Opportunity
- Circumstantial
- Proximity
- Persistence
Persistence
The network may be a victim of an attack or?
- The channel of an attack
- The source of an attack
- The reason for an attack
- The subject of an attack
The channel of an attack
A member of the sales team is going to make a presentation at a secure facility and has the presentation stored on the cloud. What risk may be associated with this?
- Interception of the presentation over a wireless network
- A laptop that is not compatible with the facility’s audio/visual equipment
- No network connectivity in the restricted location
- Corruption of the presentation by the CSP
No network connectivity in the restricted location
What plans should be made when setting up a new network connection between business partners?
- Allocate rack space for additional network devices
- Establish the process to disconnect the system
- Ensure that the network is redundant
- Train users in encryption
Establish the process to disconnect the system
What is a good place to record all security features that should be designed into the software?
- Risk Assessment Reports (RAR)
- Audit logs
- Requirements Traceability Matrix (RTM)
- User manuals
Requirements Traceability Matrix (RTM)
Which of the following is a weak encryption protocol?
- UDP
- TLS 1.2
- SSL
- SHA-1
SSL
Which access control limits a user’s access permissions to a certain time of day?
- Mutual exclusivity
- Least privilege
- Separation of duties
- Need to know
Least privilege
Which access control security model is focused on preserving confidentiality?
- Biba
- Bell LaPadula
- Clark Wilson
- Take-grant
Bell LaPadula
In addition to layers of control, what else is defense in depth concerned with?
- Redundancy
- Single points of failure
- Motivation of the attackers
- Quality of threats
Single points of failure
What is a database view an example of?
- Mutual exclusivity
- A constrained user interface
- A privileged access mode
- A network-based control
A constrained user interface
What is an operator console or management interface on a device known as?
- VLAN
- Redundant network
- Trusted path
- Encrypted channel
Trusted path
Why would a log be written to a WORM system?
- To save log data across multiple systems
- To ensure no one can read the data
- To prevent alteration of the log data
- To support better management overview
To prevent alteration of the log data
Which access control model enforced a well-formed transaction?
- Clark Wilson
- Boebert and Cain
- Bell LaPadula
- Biba
Clark Wilson
Threat modeling may be software-centric, secruity-centric and:
- user-centric
- asset-centric
- system-centric
- cost-centric
asset-centric
Which of the following statements about the authentication concept of information security management is true?
- It establishes the users’ identity and ensures that the users are who they say they are
- It ensures the reliable and timely access to resources
- It determines the actions and behaviors of a single individual within a system, and identifies that particular individual
- It ensures that modifications are not made to data by unauthorized personnel or processes
It establishes the users’ identity and ensures that the users are who they say they are
Which of the following provides an easy way to programmers for writing lower-risk applications and retrofitting security into an existing application?
- Watermarking
- Code obfuscation
- Encryption wrapper
- ESAPI
Watermarking