Software Design Flashcards
What should be done when sensitive data has to be shared over a network or in reports with another department in the organization that is not authorized to see certain data elements?
- Log the data access request
- Encrypt the data
- Anonymize the data
- Hash the data
Anonymize the data
What is a risk associated with relying on wireless network access in a congested area?
- Contamination of data from other channels
- Jamming of the signal
- Loss of packets
- Shorter battery life
Jamming of the signal
How can symmetric encryption keys be sent between business partners if the network is subject to monitoring?
- In email
- Prior to the data exchange
- In a certificate
- Out of band
Out of band
What is the condition an entity is in at a point in time?
- Security
- Temporal
- State
- Masked
State
Which of the following is a good justification for allocating security requirements to existing systems?
- Greater (more granular) control
- Better tailoring of controls to the new system
- Avoid introducing new vulnerabilities
- Increase Total Cost of Ownership (TCO)
Avoid introducing new vulnerabilities
Which of the following is an example of a role that is responsible for ‘owning’ an external system such as power or physical access?
- Information owner
- A facility owner
- Senior management
- Security Director
A facility owner
What is a primary goal of control selection?
- To avoid all security risks
- To enable business functions
- To avoid the cost of controls
- Provide adequate security
Provide adequate security
Which type of malware is often described as parasitical?
- Virus
- Logic bomb
- Worm
- Trojan horse
Virus
In addition to motivation and skill, which other characteristic of a threat adversary is most important?
- Opportunity
- Circumstantial
- Proximity
- Persistence
Persistence
The network may be a victim of an attack or?
- The channel of an attack
- The source of an attack
- The reason for an attack
- The subject of an attack
The channel of an attack
A member of the sales team is going to make a presentation at a secure facility and has the presentation stored on the cloud. What risk may be associated with this?
- Interception of the presentation over a wireless network
- A laptop that is not compatible with the facility’s audio/visual equipment
- No network connectivity in the restricted location
- Corruption of the presentation by the CSP
No network connectivity in the restricted location
What plans should be made when setting up a new network connection between business partners?
- Allocate rack space for additional network devices
- Establish the process to disconnect the system
- Ensure that the network is redundant
- Train users in encryption
Establish the process to disconnect the system
What is a good place to record all security features that should be designed into the software?
- Risk Assessment Reports (RAR)
- Audit logs
- Requirements Traceability Matrix (RTM)
- User manuals
Requirements Traceability Matrix (RTM)
Which of the following is a weak encryption protocol?
- UDP
- TLS 1.2
- SSL
- SHA-1
SSL
Which access control limits a user’s access permissions to a certain time of day?
- Mutual exclusivity
- Least privilege
- Separation of duties
- Need to know
Least privilege
Which access control security model is focused on preserving confidentiality?
- Biba
- Bell LaPadula
- Clark Wilson
- Take-grant
Bell LaPadula
In addition to layers of control, what else is defense in depth concerned with?
- Redundancy
- Single points of failure
- Motivation of the attackers
- Quality of threats
Single points of failure
What is a database view an example of?
- Mutual exclusivity
- A constrained user interface
- A privileged access mode
- A network-based control
A constrained user interface
What is an operator console or management interface on a device known as?
- VLAN
- Redundant network
- Trusted path
- Encrypted channel
Trusted path
Why would a log be written to a WORM system?
- To save log data across multiple systems
- To ensure no one can read the data
- To prevent alteration of the log data
- To support better management overview
To prevent alteration of the log data
Which access control model enforces a well-formed transaction?
- Clark Wilson
- Boebert and Cain
- Bell LaPadula
- Biba
Clark Wilson
Threat modeling may be software-centric, security-centric and:
- user-centric
- asset-centric
- system-centric
- cost-centric
asset-centric
Which of the following statements about the authentication concept of information security management is true?
- It establishes the users’ identity and ensures that the users are who they say they are
- It ensures the reliable and timely access to resources
- It determines the actions and behaviors of a single individual within a system, and identifies that particular individual
- It ensures that modifications are not made to data by unauthorized personnel or processes
It establishes the users’ identity and ensures that the users are who they say they are
Which of the following provides programmers with an easy way to write lower-risk applications and retrofit security into an existing application?
- Watermarking
- Code obfuscation
- Encryption wrapper
- ESAPI
Watermarking
Which of the following secure coding principles and practices defines the appearance of code listing so that a code reviewer and maintainer who have not written that code can easily understand it?
- Make code forward and backward traceable
- Review code during and after coding
- Use a consistent coding style
- Keep code simple and small
Use a consistent coding style
‘Keep code simple and small’ was also noted as a valid answer in the notes
Which of the following types of signatures is used in an Intrusion Detection System to trigger on attacks that attempt to reduce the level of a resource or system, or to cause it to crash?
- Access
- Benign
- DoS
- Reconnaissance
DoS
Which of the following actions does the Data Loss Prevention (DLP) technology take when an agent detects a policy violation for data of all states? Each correct answer represents a complete solution. Choose all that apply.
- It creates an alert.
- It quarantines the file to a secure location.
- It reconstructs the session.
- It blocks the transmission of content.
- It creates an alert.
- It quarantines the file to a secure location.
- It blocks the transmission of content.
Which of the following is designed to detect unwanted attempts at accessing, manipulating, and disabling of computer systems through the Internet?
- DAS
- IPsec
- IDS
- ACL
IDS
Which of the following are examples of the application programming interface (API)? Each correct answer represents a complete solution. Choose three.
- HTML
- PHP
- .NET
- Perl
Perl, .NET and PHP
API is a set of routines, protocols, and tools that users can use to work with a component, application, or operating system. It consists of one or more DLLs that provide specific functionality. API helps in reducing the development time of applications by reducing application code. Most operating environments provide an API so that programmers can write HTML.
Which of the following authentication methods is used to access public areas of a Web site?
- Anonymous authentication
- Biometrics authentication
- Mutual authentication
- Multi-factor authentication
Anonymous authentication
Anonymous authentication is an authentication method used for Internet communication. It provides limited access to specific public folders and directory information or public areas of a Web site. It is supported by all clients and is used to access unsecured content in public folders.
Which of the following security models characterizes the rights of each subject with respect to every object in the computer system?
- Clark-Wilson
- Bell-LaPadula
- Biba
- Access matrix
Access matrix
Which of the following technologies is used by hardware manufacturers, publishers, copyright holders and individuals to impose limitations on the usage of digital content and devices?
- Hypervisor
- Grid computing
- Code signing
- Digital rights management
Digital rights management (DRM)
Which of the following security models dictates that subjects can only access objects through applications?
- Biba
- Bell-LaPadula
- Clark-Wilson
- Biba-Clark
Clark-Wilson
Which of the following intrusion detection systems (IDS) monitors network traffic and compares it against an established baseline?
- File based
- Network based
- Anomaly based
- Signature based
Anomaly based
Which of the following types of redundancy prevents attacks in which an attacker can get physical control of a machine, insert unauthorized software, and alter data?
- Data redundancy
- Hardware redundancy
- Process redundancy
- Application redundancy
Process redundancy
Process redundancy permits software to run simultaneously on multiple geographically distributed locations, with voting on results. It prevents attacks in which an attacker can get physical control of a machine, insert unauthorized software, and alter data.
Which of the following security design patterns provides an alternative by requiring that a user’s authentication credentials be verified by the database before providing access to that user’s data?
- Secure assertion
- Authenticated session
- Password propagation
- Account lockout
Password propagation
Password propagation provides an alternative by requiring that a user’s authentication credentials be verified by the database before providing access to that user’s data.
Authenticated session isn’t correct because it allows a user to access more than one access-restricted web page without re-authenticating every page.
Which of the following are the types of access controls? Each correct answer represents a complete solution. Choose three.
- Physical
- Technical
- Administrative
- Automatic
- Physical
- Technical
- Administrative
To help review or design security controls, they can be classified by several criteria. One of these criteria is based on their nature. According to this criterion, which of the following controls consists of incident response processes, management oversight, security awareness, and training?
- Compliance control
- Physical control
- Procedural control
- Technical control
Procedural control
Procedural controls include incident response processes, management oversight, security awareness, and training.
You work as a Security Manager for Tech Perfect Inc. In the organization, Syslog is used for computer system management and security auditing, as well as for generalized informational, analysis, and debugging messages. You want to prevent a denial of service (DoS) for the Syslog server and the loss of Syslog messages from other sources. What will you do to accomplish the task?
- Use a different message format other than Syslog in order to accept data.
- Enable the storage of log entries in both traditional Syslog files and a database.
- Limit the number of Syslog messages or TCP connections from a specific source for a certain time period.
- Encrypt rotated log files automatically using third-party or OS mechanisms.
Limit the number of Syslog messages or TCP connections from a specific source for a certain time period.
In order to accomplish the task, you should limit the number of Syslog messages or TCP connections from a specific source for a certain time period. This will prevent a denial of service (DoS) for the Syslog server and the loss of Syslog messages from other sources.
The service-oriented modeling framework (SOMF) provides a common modeling notation to address alignment between business and IT organizations. Which of the following principles does the SOMF concentrate on? Each correct answer represents a part of the solution. Choose all that apply.
- Architectural components abstraction
- SOA value proposition
- Business traceability
- Disaster recovery planning
- Software assets reuse
- Architectural components abstraction
- SOA value proposition
- Business traceability
- Software assets reuse
Which of the following access control models are used in the commercial sector? Each correct answer represents a complete solution. Choose two.
- Biba model
- Clark-Biba model
- Clark-Wilson model
- Bell-LaPadula model
- Biba model
- Clark-Wilson model
The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject.
The Clark-Wilson security model provides a foundation for specifying and analyzing an integrity policy for a computing system.
Which of the following methods offers a number of modeling practices and disciplines that contribute to a successful service-oriented life cycle management and modeling?
- Service-oriented modeling framework (SOMF)
- Service-oriented architecture (SOA)
- Sherwood Applied Business Security Architecture (SABSA)
- Service-oriented modeling and architecture (SOMA)
Service-oriented modeling framework (SOMF)
It offers a number of modeling practices and disciplines that contribute to a successful service-oriented life cycle management and modeling.
Certificate Authority, Registration Authority, and Certificate Revocation Lists are all part of which of the following?
- Advanced Encryption Standard (AES)
- Steganography
- Public Key Infrastructure (PKI)
- Lightweight Directory Access Protocol (LDAP)
Public Key Infrastructure (PKI)
The use of digital signatures has the benefit of providing which of the following that is not provided by symmetric key cryptographic design?
- Speed of cryptographic operations
- Confidentiality assurance
- Key exchange
- Non-repudiation
Non-repudiation
When passwords are stored in the database, the best defense against disclosure attacks can be accomplished using
- Encryption
- Masking
- Hashing
- Obfuscation
Hashing
Nicole is part of the ‘author’ role and is also included in the ‘approver’ role, allowing her to approve her own articles before they are posted on the company blog site. This violates the principle of
- Least privilege
- Least common mechanisms
- Economy of mechanisms
- Separation of duties
Separation of duties
The primary reason for designing Single Sign On (SSO) capabilities is to
- Increase the security of authentication mechanisms
- Simplify user authentication
- Have the ability to check each access request
- Allow for interoperability between wireless and wired networks
Simplify user authentication
IPSec technology which helps in the secure transmission of information operates in which layer of the Open Systems Interconnect (OSI) model?
- Transport
- Network
- Session
- Application
Network
Which of the following software architectures is effective in distributing the load between the client and the server, but since it includes the client to be part of the threat vectors it increases the attack surface?
- Software as a Service (SaaS)
- Service Oriented Architecture (SOA)
- Rich Internet Application (RIA)
- Distributed Network Architecture (DNA)
Rich Internet Application (RIA)
When designing software to work in a mobile computing environment, the Trusted Platform Module (TPM) chip can be used to provide which of the following types of information?
- Authorization
- Identification
- Archiving
- Auditing
Identification
When the software is designed using Representational State Transfer (REST) architecture, it promotes which of the following good programming practices?
- High Cohesion
- Low Cohesion
- Tight Coupling
- Loose Coupling
Loose Coupling
The primary security concern when implementing cloud applications is related to
- Insecure APIs
- Data leakage and/or loss
- Abuse of computing resources
- Unauthorized access
Unauthorized access
The predominant form of malware that infects mobile apps is
- Virus
- Ransomware
- Worm
- Spyware
Ransomware
Most Supervisory Control And Data Acquisition (SCADA) systems are susceptible to software attacks because
- They were not initially implemented with security in mind
- The skills of hackers have increased significantly
- The data that they collect are of top secret classification
- The firewalls that are installed in front of these devices have been breached.
They were not initially implemented with security in mind