225 Cards in this Set
CSSLP?
Certified Secure Software Lifecycle Professional
What approach does CSSLP take?
Holistic approach covering people, processes, and technology elements in developing software.
Seven domains of the CSSLP Common body of knowledge (CBK)
1) Secure Software Concepts
2) Secure Software Requirements
3) Secure Software Design
4) Secure Software Implementation/Coding
5) Secure Software Testing
6) Secure Software Acceptance
7) Secure Software Deployment, Operations, Maintenance, and Disposal
Holistically secure software secures:
The network, hosts, and application layers so there is no weak link.
Reasons why there is a prevalence of insecure software:
1) Iron triangle constraints of time/schedule, resources/scope/people, and cost/budget
2) Security as an afterthought because of a lack of return on security investment, even though the cost of fixing issues early is low
3) Security versus usability, since security may increase complexity and restrictiveness (but see psychological acceptability).
Quality and security differ in
that security may lead to quality while the inverse may not be true. Trust the quality but validate security.
What makes software secure?
A profile consisting of Core, General, and Design Security Concepts
Core Security Concepts
1. Confidentiality
2. Integrity
3. Availability
General Security Concepts
1. Authentication
2. Authorization
3. Auditing/Logging
4. Session Management
5. Errors and Exception Management
6. Configuration Parameters Management
Design Security Concepts
1. Least Privilege
2. Separation of duties
3. Defense in depth
4. Fail secure
5. Economy of mechanism
6. Complete mediation
7. Open design
8. Least common mechanisms
9. Psychological acceptability
10. Leveraging existing components
11. Weakest link
12. Single point of failure
Do security concepts span across the entire SDLC?
Yes; they help in risk management (for example, see NIST SP 800-64).
Risk management in the context of software security is
the balancing act between the protection of IT assets and cost of implementing software security controls so that risk is handled properly. See NIST 800-30.
Define Asset
(In)tangible items of value, the loss of which can cause disruptions in mission accomplishment.
Define Vulnerability
A weakness or flaw that could be exploited, resulting in security policy breaches across the SDLC (process, design, or implementation of a system).
Examples of process vulnerabilities
1. Improper source-code controls
2. Backups
3. Access control.
Examples of implementation vulnerabilities
Software accepts any user supplied data and processes it without first validating it; reveals too much information in the event of an error, not closing connections to backend dbs.
Some well-known vulnerability trackers and repositories
US-CERT, CVWW, OSVDB, CVE, CWE
Define Threat and its classes
A possible unwanted, unintended, or harmful event posed by vulnerabilities to assets in terms of disclosure, alteration, or destruction.
Define Threat Source / Agent
Anyone or anything that has the probability/likelihood to make a threat materialize.
Define Attack
When a source or agent materializes a threat
Define Probability
The likelihood that a particular threat can happen.
Define Impact
The extent of the disruptions to the organization's ability to achieve its goals
Define Exposure Factor
The opportunity for a threat to cause loss. A low exposure factor may reduce the overall risk of exploitation.
Define Controls
Technical, administrative, or physical mechanisms by which threats to software and systems can be mitigated.
Define Total Risk
The likelihood of attack in terms of asset value, threat, and vulnerabilities.
Define Residual Risk
The remaining risk after the implementation of mitigating security controls.
How is risk conventionally expressed?
As the product of the probability of a threat source/agent taking advantage of a vulnerability and the corresponding impact.
How is risk classically calculated?
Annual Loss Expectancy (ALE) = SLE (Asset Value x Exposure Factor) x ARO (expected number of threat occurrences in a year)
What is the primary goal of risk management?
The identification and reduction of the total risk using controls so that the residual risk is within the acceptable range or threshold, wherein business operations are not disrupted.
The most effective way to ensure that software developed has taken into account security threats and addressed vulnerabilities, thereby reducing overall risk of that software.
Incorporate risk management processes into the SDLC itself.
Challenges to risk management for software:
* Still maturing
* Software asset values are often subjective
* Limited data on the EF, Impact, and Probability of software security breaches
* Technical security risk is only a portion of the overall state of secure software
Five possible ways to address risk (IAMAT):
1) Ignore the risk
2) Avoid the risk
3) Mitigate the risk
4) Accept the risk
5) Transfer the risk
Summarize risk management concepts
1) Owners value assets and wish to minimize risk to assets
2) Threat agents wish to abuse or damage assets and give rise to threats that increase the risk to assets
3) Threats may exploit vulnerabilities leading to the risk to assets
4) When known, vulnerabilities may be reduced by implementing controls that reduce the risk to assets
5) Controls themselves may pose additional unforeseen vulnerabilities
What is a security policy?
The "what and why" document. It specifies the assets that need to be protected and the possible repercussions of noncompliance. It also states the organization's goals and objectives, ensures nonrepudiation in the organization, and provides CIA guidance to architect secure software. It may define the security team for incident response, enforcement mechanisms, and exception handling, rewards, and discipline.
What may the scope be for an information security policy?
Organizational (global applicability) or functional (unit or specific issue applicability).
What are prerequisites for Security Policy Development?
1) Enforceability, top-level support
2) Inclusion of various teams
3) Marketing efforts that communicate mgmt goals
Is security policy development a onetime activity?
No, the policy should be periodically evaluated so that they are contextually correct and relevant to address current-day threats.
High level security policies are supported by what?
More detailed security standards such as internal coding standards and external industry (PCI DSS), governmental (NIST), international (ISO), and national standards (FIPS).
Advantages attributable to using coding standards:
Consistency in style, improved readability, and maintainability (nonsecurity advantages). Less prone to errors and exposure to threats (security advantages).
What is PCI DSS?
Payment Card Industry Data Security Standard for the secure transmission and storage of credit card primary account number (PAN), etc.
PCI DSS control objectives
1) Build and maintain a secure network, 2) Protect cardholder data, 3) Maintain a vulnerability management program, 4) Implement strong access control, 5) Regularly monitor and test networks, 6) Maintain an information security policy
NIST's computer security division information technology laboratory (ITL) periodically publishes which special publications:
NIST Special Publication (SP) 500 and 800 series. NIST also publishes bulletins and computer security-related Federal Information Processing Standards (FIPS).
NIST SP which discusses security considerations in the information systems development lifecycle:
NIST SP 800-64
NIST SP "handbook" which discusses the benefits of different security controls and the scenarios in which they would be appropriately applicable:
NIST SP 800-12
NIST SP for generally accepted principle and practices for securing IT systems:
NIST SP 800-14
NIST SP risk management guide for IT
NIST SP 800-30
NIST SP for security considerations in the information systems development life cycle
NIST SP 800-64 (especially pertinent to CSSLPs)
NIST SP guide for managers in information security
NIST SP 800-100
What are ISO standards and what do they cover?
International Standards Organizations and they cover all sectors except electrotechnology (IEC) and telecommunications (ITU).
ISO/IEC standard for information security management system (ISMS) overviews and vocabulary:
ISO/IEC 27000:2009
ISO/IEC standard for information security management system (ISMS):
ISO/IEC 27001:2005
ISO/IEC standard for code of practice for information security management:
ISO/IEC 27002:2005/Cor1:2007
ISO/IEC standard concerning ISMS Implementation Guidance
ISO/IEC FCD 27003
ISO/IEC standard for information security risk management
ISO/IEC 27005:2008
ISO/IEC standard on requirements for bodies providing audit and certification of ISMS
ISO/IEC 27006:2007
ISO/IEC standard on evaluating criteria for IT security (Common Criteria)
ISO/IEC 15408. Part 1 introduces security functional and security assurance requirements (SFRs and SARs) along with the protection profile (PP), the security target (ST), and the target of evaluation (TOE). Part 2 contains the catalog of predefined SFRs as classes, families, and components. Part 3 defines the SARs and includes the EALs for measuring assurance of a TOE.
Examples of design vulnerabilities
Using obsolete crypto algorithms such as DES, not handling resource deadlocks, unhandled exceptions, hard-coding db connections.
ISO/IEC standard on System Security Engineering Capability Maturity Model (SSE-CMM)
ISO/IEC 21827:2008 provides guidelines to ensure secure engineering of systems and software by augmenting project and organizational process areas and encompassing all phases in the SDLC: definition, requirements analysis, design, development, testing, deployment, operations, maintenance, and disposal.
ISO/IEC Software Engineering Product Quality standard
ISO/IEC 9216 provides for quality of software products.
Aside from SPs what other publications does NIST produce?
Federal Information Processing Standards (FIPS) which address requirements for 1) Interoperability of disparate systems, 2) Portability of data and software, 3) Computer security
FIPS publication on Security Requirement for Cryptographic Modules
FIPS 140-2, which includes cryptographic module specification, ports and interfaces, roles, services, authentication, finite state model, physical security, operational environment, cryptographic key management, electromagnetic interference/compatibility (EMI/EMC), self-tests, and design assurance. It also requires documentation of controls to mitigate other attacks (power analysis, TEMPEST).
FIPS publication on Advance Encryption Standards (AES)
FIPS 197 defines the AES, a symmetric block cipher.
FIPS publication on Personal Identity Verification (PIV) of Federal Employees and Contractors
FIPS 201, a response to the need to ensure the trust of claimed identities.
Benefits of Security Standards:
Provides a common and consistent basis for building and maintaining secure software as they enable operational efficiency and agility; Interoperability; Competitive advantage; A common baseline for assessments; For demonstrating indirect governance.
Security Best practices or de facto security standards:
Open Web Application Security Project (OWASP) (Development, Code Review, and Testing Guides), Information Technology Infrastructure Library (ITIL) (for service management)
Security Methodologies that can be used throughout the SDLC
Socratic; Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE); STRIDE and DREAD; Open Source Security Testing Methodology Manual (OSSTMM); Flaw Hypothesis Method (FHM); Six Sigma; Capability Maturity Model Integration (CMM)
STRIDE and DREAD
Threat Modeling Methodology. STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. DREAD: Damage potential, Reproducibility, Exploitability, Affected users, Discoverability.
Comprehensive penetration testing methodology
Flaw Hypothesis Method
Business management strategy for quality that can be used for security
Six Sigma because it measures deviations from the specified norm.
A process improvement methodology applicable to security
Capability Maturity Model Integration (CMMI) with 5 levels: Initial, Repeatable, Defined, Quantitatively Managed, Optimizing
Prominent security frameworks related with software security
Zachman Framework (6x6 matrix of roles versus interrogatives); Control Objectives for Information and Related Technology (COBIT); Committee of Sponsoring Organizations (COSO); Sherwood Applied Business Security Architecture (SABSA)
Importance of regulations, privacy and compliance
For providing a check and balance mechanism to earn stakeholder trust and prevent disclosures of PII, PHI, PFI.
Significant regulations and acts on software security
Sarbanes-Oxley (SOX) Act for improving quality and transparency in financial reporting, independent audits, and accounting; BASEL II (European regulations to protect against financial risks and fraud); Gramm-Leach-Bliley Act (GLBA) for financial data (PFI) privacy; Health Insurance Portability and Accountability Act (HIPAA); Data Protection Act; Computer Misuse Act; State Security Breach Laws.
Challenges with Regulations and Privacy Mandates
Open interpretations, auditor's subjectivity, localized jurisdiction, regional variations, and inconsistent enforcement
Best practices for addressing privacy in software development
Collect only what's needed; Informed consent via Acceptable Use Policy (AUP); Process, store, archive collected data only if needed
Security Models
Confidentiality (Bell-LaPadula); Integrity Models (Biba, Clark and Wilson); Access Control Models (Brewer and Nash)
Trusted Computing Concepts
Ring Protection; Trust Boundary (Security Perimeter); Trusted Computing Base (TCB), Reference Monitor, and Rootkits (TC threat).
A specification to ensure protection and implementations against disclosure of sensitive and private information
Trusted Platform Module (TPM)
The primary reason for incorporating security into the software development life cycle is to protect:
Corporate brand and reputation
The resiliency of software to withstand attacks that attempt to modify or alter data in an unauthorized manner is referred to as:
Integrity
The main reason as to why the availability aspects of software must be part of the organization's software security initiative is:
Software issues can cause downtime to the business
Monitoring software functionality and report when software is down is a protection to assure:
Availability
Authentication of the type that requires one to enter a number that is used only once (nonce) from a token device issued by a service provider:
Ownership-based
Multifactor authentication is most closely related to which security design principle:
Defense in depth
Audit logs can be used for:
Providing evidentiary information; Non-repudiation; Detecting the actions that were undertaken; But does not prevent a user from performing some unauthorized operation.
Impersonation attacks such as man-in-the-middle (MITM) attacks in an Internet application can be best mitigated using proper:
Session management
Organizations often predetermine the acceptable number of user errors before recording them as security violations. This number is otherwise known as:
Clipping level
What are the challenges of adding auditing functionality to your software?
PICCA
1. Performance Impact
2. Information Overload
3. Capacity Limitation
4. Configuration Interfaces Protection
5. Audit Log Protection
What are the Core Security Concepts outlined in CSSLP?
CIA
1. Confidentiality
2. Integrity
3. Availability
What are the list of General Security Concepts outlined in CSSLP?
ASEACA
1. Authentication
2. Session Management
3. Errors and Exceptions Management
4. Authorization
5. Configuration Parameters Management
6. Auditing/Logging
Define "Confidentiality" in security terms
Confidentiality is the security concept that has to do with protection against unauthorized information disclosure.

Confidentiality is one of the Core Security Concepts outlined in CSSLP.
Define "Integrity" in security terms.
Integrity is the measure of software resiliency and the reliability of the functioning of the software and the data the software deals with.

Integrity is on of the Core Security Concepts outlined in CSSLP.
The primary reason for incorporating security into the software development life cycle is to protect:
A. Unauthorized disclosure of information
B. Corporate brand and reputation
C. Against hackers who intend to misuse the software
D. Developers from releasing software with security defects
Answer: B
Rationale/Answer Explanation:
When security is incorporated into the software development life cycle, confidentiality, integrity and availability can be assured and external hacker and insider threat attempts thwarted. Developers will generate more hack-resilient software with fewer vulnerabilities, but protection of the organization's reputation and corporate brand is the primary reason for software assurance.
The resiliency of software to withstand attacks that attempt to modify or alter data in an unauthorized manner is referred to as:
A. Confidentiality
B. Integrity
C. Availability
D. Authorization
Answer: B
Rationale/Answer Explanation
When the software program operates as expected, it is said to be reliable or internally consistent. Reliability is an indicator of the integrity of software, as are being hack-resilient (able to withstand attacks) and recoverable (capable of being restored to normal operations when breached or upon error).
The main reason as to why the availability aspects of software must be part of the organization's software security initiatives is:
A. Software issues can cause downtime to the business
B. Developers need to be trained in the business continuity procedures
C. Testing for availability of the software and data is often ignored
D. Hackers like to conduct denial of service attacks against the organization
Answer: A
Rationale/Answer Explanation
One of the tenets of software assurance is "availability". Software issues can cause software unavailability and downtime to the business. This is often observed as a denial of service (DoS) attack.
Developing the software to monitor its functionality and report when the software is down and unable to provide the expected service to the business is a protection to assure which of the following:
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
Answer: C
Rationale/Answer Explanation:
Confidentiality controls assure protection against unauthorized disclosure.
Integrity controls assure protection against unauthorized modifications or alterations.
Availability controls assure protection against downtime/denial of service and destruction of information
Authentication is the mechanism to validate the claims/credentials of an entity
Authorization covers the subject's rights and privileges upon requested objects
While copying files from a USB Drive a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus?
A. Scan of all USB Devices before use
B. Antivirus on the network file server
C. Scheduled daily scan of all network drives
D. Antivirus on the user's personal computer
C. Scheduled daily scan of all network drives
Rationale/Answer Explanation:
The only real answer that is a protective control. Antivirus is a protective and preventative control.
Which of the following is a dynamic analysis tool for the purpose of testing software modules?
A. Blackbox test
B. Desk checking
C. Structured walk-through
D. Design and code
A. Blackbox test
Structured programming is BEST described as a technique that:
A. Provides knowledge of program functions to other programmers via peer reviews
B. Reduces the maintenance time of programs by the use of small-scale program modules.
C. Makes the readable coding reflect as closely as possible the dynamic execution of the program
D. Controls the coding and testing of the high-level functions of the program in the development process.
B. Reduces the maintenance time of programs by the use of small-scale program modules.
Which of the following BEST describes the objectives of following a standard system development methodology?
A. To ensure that appropriate staffing is assigned and to provide a method of controlling costs and schedules
B. To provide a method of controlling costs and schedules and to ensure communication among users, IS auditors, management and IS personnel
C. To provide a method of controlling costs and schedules and an effective means of auditing project development
D. To ensure communication among users, IS auditors, management and personnel and to ensure that appropriate staffing is assigned
B. To provide a method of controlling costs and schedules and to ensure communication among users, IS auditors, management and IS personnel
-------
This is the most comprehensive of answers.
While reviewing the business continuity plan of an organization, the Security Professional observed that the organization's data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate?
A. Deterrence
B. Mitigation
C. Recovery
D. Response
B. Mitigation
-------------------
We perform backups because they are countermeasures or safeguards which mitigate risk
One of the purposes of library control software is to allow:
A. Programmers access to production source and object libraries
B. Batch program updating
C. Operators to update the control library with the production version before testing is completed
D. Read-only access to source code
D. Read-only access to source code
--------
An IS auditor who is participating in a systems development project should:

A. Recommend appropriate control mechanisms regardless of cost
B. Obtain and read project team meeting minutes to determine the status of the project
C. Ensure that adequate and complete documentation exists for all project phases
D. Not worry about his/her own ability to meet target dates since work will progress regardless
C. Ensure that adequate and complete documentation exists for all project phases
The intent of application controls is to ensure that when inaccurate data is entered into the system, the data is:
A. accepted and processed
B. accepted and not processed
C. not accepted and not processed
D. not accepted and processed
C. not accepted and not processed
----------------------
An IS auditor discovers that programmers have update access to the live environment. In this situation, the IS auditor is LEAST likely to be concerned that programmers can:
A. authorize transactions
B. add transactions directly to the database
C. make modifications to programs directly
D. access data from live environment and provide faster maintenance
A. authorize transactions
----------------
Which of the following should be in place to protect the purchaser of an application package in the event that the vendor ceases to exist?
A. Source code held in escrow
B. Object code held by a trusted third party
C. Contractual obligation for software maintenance
D. Adequate training for internal programming staff
A. Source code held in escrow
In which of the following phases of the system development life cycle (SDLC) is it the MOST important for the IS auditor to participate?
A. Design
B. Testing
C. Programming
D. Implementation
A. Design
When designing for confidentiality assurance, which of the following provides the MOST protection against the factor analysis of an attacker who is attempting to brute force the key value?
a. Transport Layer Security (TLS)
b. Number of keys
c. Size of the key
d. Strength of the algorithm
c. Size of the key
Version 2.1 of the software was tested and found to be lacking the software auditing capabilities that were present in Version 2.0. The MOST LIKELY type of test that was conducted to find this decreasing state of security is:
a. unit
b. load
c. regression
d. integration
c. regression
Which of the following application programming interfaces (APIs) provides users the ability to create and exchange documents and data over non-secure channels such as the Internet?
a. Cryptographic Application Programming Interface Component Object Model (CAPICOM)
b. Cryptography API: Next Generation (CNG)
c. Data Protection Application Programming Interface (DPAPI)
d. Cryptographic Service Provider Interface (CryptoSPI)
b. Cryptographic API: Next Generation (CNG)
When the runtime permissions of the code are defined within the body of a function or method, it is referred to as:
a. code signing
b. declarative syntax security
c. imperative syntax security
d. code obfuscation
b. declarative syntax security
Managers are allowed to update the salary information of only those employees that they directly manage. This is an example of:
a. Separation of duties
b. Content based Role based Access Control
c. Context based Role based Access Control
d. Least privilege
d. Least privilege
System resources can be protected from malicious file execution attacks by uploading the user supplied file and running it in which of the following environments?
a. Production
b. Simulated
c. Sandbox
d. Honeypot
b. Simulated
All of the human factors, hardware, software, firmware, process and inter-process communications which, when breached, will yield a security violation that is collectively referred to as:
a. Reference monitor
b. Security perimeter
c. Trusted Computing Base (TCB)
d. Trusted Platform Module (TPM)
c. Trusted Computing Base (TCB)
Your organization classifies all of its software into different classes of applications. This information needs to be updated in the disaster recovery plan/business continuity plan (DRP/BCP), but a review of the BCP/DRP shows that only some of the software is recorded. The MOST LIKELY reason for this is that the recording of software within the DRP/BCP is dependent on:
a. the completeness of the threat model
b. how important the data is and its value to the business
c. explicit functional requirement to record the software
d. code review results showed that there were no critical vulnerabilities in the software that was not recorded.
b. how important the data is and its value to the business
Financial institutions and corporations need to ensure that when a customer logs into their personal account, the customer is authorized to see only their account information and not anyone else's. This is an assurance of which of the following security principles?
a. Availability
b. Authentication
c. Confidentiality
d. Integrity
c. Confidentiality
The Bluetooth protocol that allows for ubiquitous computing between complex heterogeneous environments and mobile devices using a plug-and-play approach is characteristic of:
a. Rich Internet Applications (RIA)
b. distributed computing
c. Service oriented architecture (SOA)
d. pervasive computing
d. pervasive computing
The MOST effective implementation defense against buffer overflow attacks is to:
a. validate the input
b. encode the output
c. use random sessions identifiers
d. handle exceptions and errors
a. validate the input
The security analyst learns that in order for the software to run when it is deployed into the production environment, certain ports and protocols that were originally disabled need to be enabled. Further analysis revealed that the enabling of previously disabled ports and protocols increases the risk above the acceptable threshold as defined by the business. Which of the following processes must be followed to assure that risk is appropriately handled?
a. Reject the software and disallow its deployment into the production environment
b. Enable the ports and protocols needed for the software to run and deploy the software in the production environment.
c. Have an independent third party perform a vulnerability assessment to determine if a work around is feasible
d. Formally document the risk and accept the software for deployment with a plan in place to mitigate the risk
d. Formally document the risk and accept the software for deployment with a plan in place to mitigate the risk
Implementing a threshold (clipping) level for the number of allowed authentication attempts before locking a user's account is an effective defense against Denial of Service (DOS) and:
a. buffer overflow
b. insecure direct object reference
c. brute force
d. phishing
c. brute force
Your organization's online auction web site was reported to be susceptible to Cross-Site Scripting (XSS) attacks. Investigation of this report confirmed the absence of encoding the response and the security consultant is called to assist with this situation. Your MOST appropriate decision must be to:
a. mitigate the risk
b. transfer the risk
c. accept the risk
d. avoid the risk
a. mitigate the risk
Verifying and validating the identity information of the user or process requesting access to sensitive payroll information is otherwise referred to as:
a. authentication
b. identification
c. auditing
d. authorization
a. authentication
Which of the following provides protection against a disgruntled software developer who has expressed that he intends to create a similar version of the organization's software after leaving your company?
a. Software Escrow
b. Non-compete Agreement
c. Service Level Agreements (SLA)
d. Non-Disclosure Agreements (NDA)
d. Non-Disclosure Agreements (NDA)
The process of converting multiple alternate representations of data into its standard form is referred to as:
a. compilation
b. coupling
c. canonicalization
d. cohesion
c. canonicalization
The finance application that your organization developed was tested and found to meet all of the quality requirements, but the certified security analyst is reluctant to sign off on the 'approval to release' the application into the production environment. The MOST LIKELY reason for his reluctance can be attributed to which of the following reasons?
a. The application has not been tested in the production environment
b. Meeting quality requirements does not necessarily imply that the application is secure
c. The security analyst is a risk averse individual
d. Further analysis is required
b. Meeting quality requirements does not necessarily imply that the application is secure
Many software organizations are moving toward publishing their software as a subscription instead of their traditional installation executables and packages. The PRIMARY security benefit of a Software as a Service (SaaS) architecture as it pertains to change management is:
a. data privacy
b. centralized administration
c. integrity of versions
d. shared hosting
c. integrity of versions
The measure of linearly independent code paths that need to be checked as part of the unit testing is otherwise referred to as:
a. canonicalization
b. locality of reference
c. cyclomatic complexity
d. cryptographic agility
c. cyclomatic complexity
When a bastion host system that is set up as a honeypot actively solicits an individual to test the resiliency of an organization's security, the evidence collected against that individual if they attack your organization will not be acceptable in court because of the legal issues with:
a. entrapment
b. estoppel
c. enticement
d. eavesdropping
a. entrapment
During the approval to implement process, it was determined that Version 2.1 of the sales software continues to use the Triple Data Encryption Standard (3DES) algorithm for cryptographic functionality, although the new policy mandates the use of the Advanced Encryption Standard (AES). What is the next course of action that the security analyst MUST recommend to the Change Control Board (CCB) to address this situation?
a. Approve to implement as is so that the business is not impeded
b. Approve to implement with a formal documentation of exception to policy
c. Reject the approval to implement request
d. Resubmit the request for approval after the development team makes the change from 3DES to AES
c. Reject the approval to implement request
When designing software, it is essential to keep the design simple because the complexity of the design can potentially translate into an increased attack surface when implemented and deployed. This is the fundamental concept behind which of the following security design principles?
a. Least privilege
b. Separation of duties
c. Economy of mechanisms
d. Least common mechanisms
c. Economy of mechanisms
The MAJOR disadvantage of the unidirectional sequential phased Waterfall model approach to software development when it comes to incorporating software security controls is that:
a. it takes a lot of time to complete
b. missed security requirements can be difficult to retrofit in
c. it is very expensive to build security in the requirements phase
d. the business can frequently change its requirements
b. missed security requirements can be difficult to retrofit in
IS management has decided to rewrite a legacy customer relations system using fourth-generation languages (4GLs). Which of the following risks is MOST often associated with system development using 4GLs?
a. Inadequate screen/report design facilities
b. Complex programming language subsets
c. Lack of portability across operating systems
d. Inability to perform data intensive operations
d. Inability to perform data intensive operations (4GLs trade low-level control for productivity and commonly lack the detailed commands needed for data-intensive processing; screen/report design is actually a 4GL strength)
A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not adequately performing which of the following types of testing?:
a. Unit testing
b. Integration testing
c. Design walk-throughs
d. Configuration management
b. Integration testing (fixes are unit-tested by the programmer and pushed straight to acceptance testing, so problems that only appear when the corrected module interacts with the rest of the system are missed)
For which of the following applications would rapid recovery be MOST crucial?
A. Point-of-sale system
B. Corporate planning
C. Regulatory reporting
D. Departmental chargeback
A. Point-of-sale system (it is transactional and directly revenue-generating; the other three are periodic reporting or planning functions that tolerate delay)
Which of the following BEST describes the necessary documentation for an enterprise product reengineering (EPR) software installation?
A. Specific developments only
B. Business requirements only
C. All phases of the installation must be documented
D. No need to develop a customer specific documentation
C. All phases of the installation must be documented
Peer reviews to detect software errors during a program are called:
A. emulation techniques.
B. structured walk-throughs.
C. modular program techniques.
D. top-down program construction
B. structured walk-throughs
A programmer included a routine into a payroll application to search for his/her own payroll number. As a result, if this payroll number does not appear during the payroll run, a routine will generate and place random numbers onto every paycheck. This routine is known as:
A. Scavenging
B. data leakage.
C. piggybacking.
D. a trojan horse
D. a trojan horse (a hidden malicious routine inside a legitimate program; this specific variant, triggered by the absence of the author's record, is also called a logic bomb)
An organization is developing a new business system. Which of the following will provide the MOST
assurance that the system provides the required functionality?
A. Unit testing
B. Regression testing
C. Acceptance testing
D. Integration testing
C. Acceptance testing (performed by the business users against their own requirements; unit, integration and regression testing verify technical correctness, not fitness for the business purpose)
When a systems development life cycle (SDLC) methodology is inadequate, the MOST serious immediate risk is that the new system will
A. be completed late.
B. exceed the cost estimates.
C. not meet business and user needs.
D. be incompatible with existing systems
C. not meet business and user needs
An IS auditor performing a review of an application's controls would evaluate the:
A. efficiency of the application in meeting the business processes.
B. impact of any exposures discovered.
C. business processes served by the application.
D. the application's optimization
B. impact of any exposures discovered
The reliability of an application system's audit trail may be questionable if:
A. user IDs are recorded in the audit trail.
B. the security administrator has read-only rights to the audit file.
C. date time stamps record when an action occurs.
D. users can amend audit trail records when correcting system errors.
D. users can amend audit trail records when correcting system errors (an audit trail that subjects can alter no longer proves who did what; write access must be withheld even from administrators)
Which of the following would normally be found in application operation manuals?
A. Details of source documents
B. Error codes and their recovery actions
C. Program flowcharts and file definitions
D. Change records for the application source code
B. Error codes and their recovery actions
An IS auditor performing an access controls review should be LEAST concerned if:
A. audit trails were not enabled.
B. programmers have access to the live environment.
C. group logons are being used for critical functions.
D. the same user can initiate transactions and also change related parameters
A. audit trails were not enabled (audit trails are a detective control; the other three are failures of preventive controls and of segregation of duties, and are more serious)
An IS auditor reviewing back-up procedures for software need only determine that:
A. object code libraries are backed up.
B. source code libraries are backed up.
C. both object and source codes libraries are backed up.
D. program patches are maintained at the originating site
C. both object and source code libraries are backed up (without source, a recovered binary cannot be maintained; without object code, recovery requires a rebuild with the exact original toolchain)
Which is the first software capability maturity model (CMM) level to include a standard software development process?
A. Initial (level 1)
B. Repeatable (level 2)
C. Defined (level 3)
D. Optimizing (level 5)
C. Defined (level 3) (level 2 processes are repeatable per project; level 3 is the first level at which a standard, organization-wide software process exists)
Which of the following functions, if performed by scheduling and operations personnel, would be in conflict with a policy requiring a proper segregation of duties?
A. Job submission
B. Resource management.
C. Code correction
D. Output distribution
C. Code correction (operations staff who can also change code could alter what runs in production without development or change control oversight)
Which of the following provides the MOST protection against external cryptographic software attacks?
a. Leveraging the Trusted Platform Module (TPM) chip for the storage of sensitive keys
b. Using an asymmetric algorithm for cryptographic operations
c. Using a symmetric algorithm for cryptographic operations
d. Storing the decryption key in a separate configuration file
a. Leveraging the Trusted Platform Module (TPM) chip for the storage of sensitive keys (keys held in tamper-resistant hardware cannot be read out by software; the algorithm choice does not matter if the key itself is exposed, and a configuration file is readable by anyone who compromises the host)
The security professional is informed that his banking organization's incident reporting hotline has received notice from several customers that their bank accounts were debited without their consent. What is the FIRST thing the security professional needs to do as part of problem management to contain, eradicate and recover from this situation?
a. Notify the public about a potential security breach
b. Notify his immediate management about the incident
c. Contact the legal team member to prepare for potential lawsuits
d. Determine the root cause of the incident
NEED ANSWER FROM ONLINE CLASSES
Which of the following architectures is characterized by abstracting business logic into discoverable, reusable, contract-based interfaces, making it possible to interoperate between heterogeneous computing ecosystems?
a. Service Oriented Architecture (SOA)
b. Distributed Computing Architecture
c. Software as a Service (SaaS)
d. Rich Internet Application (RIA)
a. Service Oriented Architecture (SOA)
The online transaction sales portal is starting to experience long delays and freezes every evening when the backup script is run. All except the CUSTOMER table is backed up successfully when the script runs. Investigation reveals that the data type for the customer-id column in the backup database is set to Int32, while it is Int64 in the transactional database. The MOST likely reason for this performance issue is that the:
a. backup script is being executed when the transactional sales are the highest
b. data schema was not taken into account when designing the backup system.
c. customer information which is sensitive in nature needs additional processing before being backed up
d. transactional system is not taken offline when the data is being backed up
b. data schema was not taken into account when designing the backup system (the 64-bit customer-id values cannot be written into a 32-bit column, so the CUSTOMER table copy fails and the script stalls while retrying)
The security professional, a CSSLP, is asked to assist in the following investigation. Upon research, the security professional finds out that while a customer of your bank was logged into your online bank application, he received an email with a link to see his favorite sports team's latest ranking. The customer clicked on that link but was directed to a blank page which he closed. Upon returning to his bank account, he noticed that money from his bank account had been withdrawn without his authorization. The security professional should FIRST review the online web application code for which of the following vulnerabilities?
a. Command injection
b. Phishing
c. Cross-Site Scripting (XSS)
d. Cross-Site Request Forgery (CSRF)
d. Cross-Site Request Forgery (CSRF) (the attacker's page made the victim's browser submit a request to the bank; the browser attached the existing session cookie, so the bank treated it as the customer's own action)
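Worked example, added here and not taken from the card set or from any real banking application: a transfer handler that trusts the session cookie alone, next to the same handler hardened with a per-session synchronizer token. The request and session structures, the origin names and the amounts are constructed for the demonstration. The forged request models what the bank receives when the victim's browser auto-submits a form from the attacker's page: it carries the victim's cookie but cannot carry the token, because the same-origin policy prevents the attacker's page from reading the bank's HTML.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data, including
# a per-session CSRF token that is only ever rendered into the bank's own forms.
SESSIONS = {}


def login(user: str) -> str:
    """Create a session and return its id (the value that goes in the cookie)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def _session_for(request: dict):
    return SESSIONS.get(request.get("cookies", {}).get("sid"))


def transfer_vulnerable(request: dict):
    """Authorizes on the session cookie alone.

    The browser attaches the cookie to any request aimed at the bank's origin,
    including a form auto-submitted from the attacker's page, so cookie
    presence proves nothing about who initiated the request.
    """
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    form = request["form"]
    return 200, "%s sent %s to %s" % (session["user"], form["amount"], form["to"])


def transfer_protected(request: dict):
    """Same handler with a synchronizer-token check (constant-time compare)."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, "%s sent %s to %s" % (session["user"], form["amount"], form["to"])


def forged_request(sid: str) -> dict:
    """Cross-site POST triggered by the emailed link: victim's cookie, no token."""
    return {"cookies": {"sid": sid},
            "headers": {"Origin": "https://sports-rankings.example"},
            "form": {"amount": "1000", "to": "attacker"}}


def legitimate_request(sid: str) -> dict:
    """POST from the bank's own form, which embeds the session's token."""
    return {"cookies": {"sid": sid},
            "headers": {"Origin": "https://bank.example"},
            "form": {"amount": "50", "to": "landlord",
                     "csrf_token": SESSIONS[sid]["csrf_token"]}}


if __name__ == "__main__":
    sid = login("victim")
    print("vulnerable, forged :", transfer_vulnerable(forged_request(sid)))
    print("protected, forged  :", transfer_protected(forged_request(sid)))
    print("protected, genuine :", transfer_protected(legitimate_request(sid)))
```

In a real deployment the token check is layered with `SameSite=Lax` or `Strict` on the session cookie and a check that the `Origin`/`Referer` header matches the application's own host; note that nothing in the token scheme depends on the session being over TLS, which is a separate requirement.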
In a public/private key pair implementation, when the private key of digital certificate is disclosed to unauthorized users, the next course of action is to stop using the digital certificate for cryptographic operations and to add the exposed certificate to which of the following?
a. Certificate Signing Request (CSR)
b. Web of Trust
c. Machine Configuration File
d. Certificate Revocation List (CRL)
d. Certificate Revocation List (CRL) (relying parties check the CRL, or query OCSP, so they stop trusting the compromised certificate before its expiry date)
A formal abstraction of the security policy that includes the steps to be taken to assure the confidentiality and integrity of the software and data is otherwise known as:
a. security standard.
b. guideline
c. security model
d. standard operating procedure.
c. security model (for example Bell-LaPadula for confidentiality, Biba or Clark-Wilson for integrity)
Threat agents, inverse relationships of intended behavior and auditing requirements can be identified using which of the following security processes?
a. Misuse case modeling
b. Subject/object modeling
c. Role hierarchy generation
d. Data classification
a. Misuse case modeling
Which of the following security attacks is observed when data that is being copied into contiguous allocated storage space in memory is greater in length than the size of the allocated space?
a. Insecure direct object reference
b. Injection flaws
c. Broken authentication
d. Buffer overflow
d. Buffer overflow
Determining the version of the operating system by analyzing the response to packets that are sent to the TCP/IP stack is known as
a. fuzzing
b. scanning
c. fingerprinting
d. cloaking
c. fingerprinting (OS fingerprinting infers the stack implementation from details such as initial TTL, window size and option ordering in the responses)
Electronic social engineers PRIMARILY try to exploit which of the following?
a. Human trust
b. Insecure design of the software
c. Weaknesses in software implementations (coding)
d. Improper technological configuration settings
a. Human trust
Organizational security policies are used to
a. establish the minimum configuration settings for the network and hosts
b. specify the details of how to implement the controls
c. communicate and mandate managements goals and objectives
d. provide recommendations to align with industry best practice
c. communicate and mandate management's goals and objectives (configuration baselines are standards, implementation details are procedures, and recommendations are guidelines)
When software that worked without any issues in the test environment, fails to work in the production environment, it is indicative of:
a. Inadequate integration testing
b. Incompatible environment configuration
c. Incomplete threat modeling
d. Ignored code review
b. Incompatible environment configuration
Audit logs can be used for all of the following except
a. Providing evidentiary information
b. Non-repudiation
c. Detecting the actions that were undertaken
d. Preventing user from performing unauthorized operations
d. Preventing users from performing unauthorized operations (logs are a detective control; they record what happened and support non-repudiation and evidence, but do not block the action)
Requiring the end user to accept an "as is" disclaimer clause before installation of your software is an example of risk
a. Avoidance
b. Mitigation
c. Transference
d. Acceptance
c. Transference (the disclaimer shifts the consequences of defects to the end user; nothing is done to reduce the likelihood or impact of the risk itself)
Which of the following is a framework that can be used to develop a risk based enterprise security architecture by determining security requirements after analyzing the business initiatives?
a. Capability Maturity Model (CMMI)
b. Sherwood Applied Business Security Architecture (SABSA)
c. Control objectives for Information and Related Technology (COBIT)
d. Zachman Framework
b. Sherwood Applied Business Security Architecture (SABSA)
What is the Capability Maturity Model Integration (CMMI)?
A process-improvement framework from the SEI (now the CMMI Institute) that rates an organization's processes on five maturity levels: 1 Initial, 2 Managed (called Repeatable in the original SW-CMM), 3 Defined, 4 Quantitatively Managed, 5 Optimizing. It measures how disciplined the development process is, not whether the product is secure.
What is Sherwood Applied Business Security Architecture (SABSA)?
A business-driven, risk-based enterprise security architecture framework. It starts from the business's own attributes and initiatives, derives security requirements from them, and traces those requirements down through six layers (Contextual, Conceptual, Logical, Physical, Component, Operational) so every control can be justified by a business need.
What is Control objectives for Information and Related Technology (COBIT)?
An IT governance and management framework published by ISACA and the IT Governance Institute. It defines control objectives and supporting tools used to close the gap between control requirements, technical issues and business risks, and is commonly used by auditors to assess IT processes.
What is the Zachman Framework?
An enterprise architecture ontology, not a security framework. It is a two-dimensional matrix that crosses the interrogatives (What, How, Where, Who, When, Why) with stakeholder perspectives (Planner, Owner, Designer, Builder, Implementer, User) so that every architectural artifact has a defined place.
Implementing IPSec to assure the confidentiality of data when they are transmitted is an example of risk
a. Avoidance
b. Mitigation
c. Transference
d. Acceptance
b. Mitigation (a control is applied that reduces the impact of interception; the risk is neither avoided, transferred to a third party, nor simply accepted)
What is IPSec?
Internet Protocol Security: a suite of protocols operating at the network layer (OSI layer 3) that protects IP traffic. Authentication Header (AH) provides integrity and origin authentication; Encapsulating Security Payload (ESP) adds confidentiality; Internet Key Exchange (IKE) negotiates keys and security associations. Transport mode protects the payload only, tunnel mode wraps the whole packet (used for VPNs).
What is Risk Avoidance?
Eliminating the risk by not performing the activity that creates it, for example choosing not to collect or store the sensitive data at all, or dropping a feature whose exposure cannot be justified.
What is Risk Mitigation?
Reducing the likelihood or impact of the risk to an acceptable level by implementing controls, for example encrypting data in transit, validating input, or adding monitoring. Whatever remains afterwards is residual risk.
What is Risk Transference?
Shifting the consequences of the risk to a third party, for example through insurance, contractual indemnity, outsourcing, or an end-user licence disclaimer. The risk still exists; someone else bears the loss.
What is Risk Acceptance?
A conscious, documented management decision to live with a risk because the cost of treating it exceeds the expected loss, or because the risk is within the organization's appetite. Acceptance must be explicit and signed off, never the result of ignoring the risk.
A requirements traceability matrix (RTM) that includes security requirements can be used for all of the following except
a. Validating and communicating software functional user requirements
b. Identifying software privileged code section
c. Documenting software confidentiality protection requirements
d. Documenting software integrity protection requirements
b. Identifying software privileged code sections (an RTM maps requirements to design, code and tests; locating privileged code is a design and code-review activity, not something the matrix records)
Which of the following is not something that you would associate symmetric key cryptography with?
a. Confidentiality protection
b. Speed
c. Public Key
d. Private Key
c. Public Key (symmetric cryptography uses a single shared, private key; public keys belong to asymmetric cryptography)
What is Symmetric Key Cryptography?
Cryptography in which the same secret key both encrypts and decrypts. It is fast and suited to bulk data (AES, ChaCha20, and legacy 3DES), but every party needs the key in advance, so distributing and protecting keys is the main problem; asymmetric cryptography is typically used only to exchange the symmetric key.
Nicole is part of the "author" role as well as the "approver" role, allowing her to approve her own articles before they are posted on the company blog site. This violates the principle of:
a. Least Privilege
b. Least Common Mechanism
c. Economy of Mechanism
d. Separation of Duties
d. Separation of Duties
Database triggers are primarily useful for providing which of the following detective software assurance capabilities?
a. Availability
b. Authorization
c. Auditing
d. Archiving
c. Auditing (a trigger fires on INSERT, UPDATE or DELETE and can write who changed what, and when, to an audit table independently of the application)
Syslog implementation requires which additional security protection mechanisms to mitigate disclosure attacks?
a. Unique session identifier generation
b. Transport layer security
c. Digital rights management (DRM)
d. Data loss prevention (DLP)
b. Transport layer security (traditional syslog is sent in clear text over UDP 514, so anyone on the path can read the log contents; TLS transport, as defined in RFC 5425, protects them in transit)
What is Unique Session Identifier Generation?
Issuing every session an identifier that is random, unpredictable and long enough (at least 128 bits from a cryptographically secure generator), and regenerating it after authentication. It prevents session guessing and session fixation; it does nothing for confidentiality of the log data itself.
What is Transport Layer Security?
A protocol running above TCP that provides confidentiality, integrity and server authentication (optionally client authentication) using X.509 certificates. It is the successor to SSL; SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated and only TLS 1.2 and 1.3 should be enabled.
What is Digital Rights Management?
Technologies used by content owners to control how copyrighted digital content is copied, viewed or distributed, typically combining encryption, licensing and watermarking. It addresses intellectual-property control, not the confidentiality of log traffic.
What is Data Loss Prevention?
Tooling that inspects data on endpoints, in network traffic and in storage against classification policies, and blocks or alerts on unauthorized movement of sensitive data (for example card numbers in outbound email). It detects leakage; it does not encrypt the transport.
The inner working and internal structure of backend databases can be protected from disclosure using
a. Database Normalization
b. Database Triggers
c. Database Views
d. Database Encryption
c. Database Views (a view exposes only the columns and rows an application needs, hiding the underlying table structure, joins and sensitive columns from the caller)
What is Database Encryption and how is it implemented?
Protecting stored data with cryptography at one of three levels: transparent data encryption (TDE) of files or tablespaces, which protects against stolen disks and backups but not against a compromised database account; column-level encryption of specific sensitive fields; or application-level encryption before the data reaches the database, which keeps the key out of the DBA's reach. In every case the keys must be managed separately from the database (HSM or key management service), otherwise the encryption only protects against offline attacks.
Penetration Testing must be conducted with properly defined
a. Rules of engagement
b. Threat models
c. Use cases
d. Role-based access control
a. Rules of engagement (written agreement on scope, targets, timing, permitted techniques, points of contact and stop conditions; testing without them is indistinguishable from an attack)
Which of the following is NOT considered a recommendation to avoid SQL Injection flaws:
a. Performing user input validation
b. Not handling exceptions in applications
c. Not building SQL queries dynamically
d. Using parameterized queries
b. Not handling exceptions in applications (unhandled database errors leak schema details and help an attacker refine the injection; the other three are genuine defenses, with parameterized queries being the primary one)
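Worked example, added here and not part of the original card set: the three real recommendations from the card side by side. A lookup built by string concatenation is contrasted with a parameterized query, input is validated against an allow-list, and database exceptions are caught so the raw error never reaches the caller. The in-memory SQLite database, its rows and the `' OR '1'='1` payload are constructed for the demonstration.

```python
import re
import sqlite3


def seed_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by concatenation, so input becomes SQL syntax.

    Exceptions are deliberately left unhandled: a lone quote surfaces the raw
    database error, which in a web application usually ends up in the response.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value is sent separately from the statement and
    cannot change its structure. Database errors are reduced to an empty
    result so nothing about the schema or the query leaks."""
    try:
        return conn.execute(
            "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()
    except sqlite3.Error:
        return []


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(name: str) -> bool:
    """Allow-list validation as a second layer; rejects quotes, spaces, comments."""
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    conn = seed_db()
    payload = "' OR '1'='1"
    print("vulnerable   :", find_user_vulnerable(conn, payload))  # every row
    print("parameterized:", find_user_safe(conn, payload))        # no such user
    print("valid input? :", is_valid_username(payload))
```

Validation is a supporting control, not a replacement for parameterization: an allow-list cannot be written for every free-text field, whereas a bound parameter is safe regardless of content.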
Using multifactor authentication is effective in mitigating which of the following application security risks?
a. Injection flaws
b. Buffer overflow
c. Man-in-the-middle
d. Meet-in-the-middle
c. Man-in-the-middle (the intended exam answer: a second factor limits what a captured password is worth. In practice an active in-path attacker who relays a one-time code in real time is not stopped by MFA alone, which is why phishing-resistant factors such as FIDO2 and mutual TLS are preferred)
Which of the following is a multifaceted security standard used to regulate organizations that collect, process and/or store cardholder data as part of the business operation?
a. FIPS 2014
b. PCI DSS
c. ISO-IEC 15408
d. NIST SP800-6
b. PCI DSS
What is FIPS 2014?
There is no FIPS publication numbered 2014; it is a distractor. The FIPS documents that do matter for software security are FIPS 140-2/140-3 (validation of cryptographic modules), FIPS 197 (AES), FIPS 199 and 200 (federal security categorization and minimum requirements).
What is ISO-IEC 15408
The Common Criteria for Information Technology Security Evaluation. A product (the Target of Evaluation) is evaluated against a Security Target, often derived from a Protection Profile, and assigned an Evaluation Assurance Level (EAL 1 to 7) reflecting the rigor of the evaluation. It certifies assurance of a product's security claims, not compliance for cardholder data.
What is NIST SP800-6
A 1992 NIST publication on automated tools for testing computer system vulnerability, long superseded; here it is a distractor. The SP 800 documents relevant to this material are SP 800-53 (security and privacy controls) and SP 800-64 (security considerations in the SDLC).
Which of the following must be addressed by software security requirements?
a. Technology used in building the application
b. Goals and objectives of the organization
c. Software quality requirements
d. External auditor requirements
b. Goals and objectives of the organization (security requirements exist to protect what the business needs protected; technology, quality and auditor inputs inform them but are not what they must address)
Which of the following is exempt from confidentiality requirements?
a. Directory information
b. Personally identifiable information (PII)
c. User's card holder data
d. Personal health information
a. Directory information (data already intended for public listing; PII, cardholder data and health information all carry legal or contractual confidentiality obligations)
Requirements that, when implemented, can help to build a history of events that occurred in the software are known as
a. Authentication requirements
b. Archiving requirements
c. Auditing requirements
d. Authorization requirements
c. Auditing requirements
Which of the following is an activity that can be performed to clarify requirements with the business users by using diagrams that model the expected behavior of software?
a. Threat modeling
b. Use case modeling
c. Misuse case modeling
d. Data modeling
b. Use case modeling
What is Threat modeling?
A structured analysis of a design, typically using data-flow diagrams with trust boundaries and entry points, to enumerate threats (for example with STRIDE), rank them by risk (for example with DREAD), and choose mitigations before code is written. It is performed in the design phase and revisited whenever the architecture changes.
What is Use case modeling
UML-style modeling of the actors who interact with the system and the intended interactions between them and the software. It captures expected behavior and functional requirements in a form business users can validate.
What is Misuse case modeling?
The inverse of use case modeling: hostile actors (threat agents) and the ways they could misuse each function are modeled alongside the legitimate use cases, linked by "threatens" and "mitigates" relationships. It surfaces unintended behavior and the auditing and security requirements needed to detect and prevent it.
What is Data modeling?
Defining the entities, attributes, relationships, types and constraints of the data the software handles (entity-relationship diagrams, schemas). From a security standpoint it is where classification, validation rules, and encryption or masking needs for each element are decided.
Data classification is a core activity that is conducted as part of which of the following?
a. Key management lifecycle
b. Information lifecycle management
c. Configuration management
d. Problem management
b. Information lifecycle management (classification determines how data is handled from creation through storage, use, archival and disposal)
Which of the following is a covert mechanism that assures confidentiality?
a. Encryption
b. Steganography
c. Hashing
d. Masking
b. Steganography (it conceals the existence of the message; encryption conceals only its content and is overt)
What is Steganography?
Hiding a message inside an innocuous carrier (commonly the least significant bits of image pixels or audio samples) so that an observer does not know a message exists. It differs from encryption, which makes the content unreadable but leaves its presence obvious; because steganography alone provides no secrecy once the hiding scheme is known, the payload should be encrypted first.
What is Hashing?
A one-way function that maps input of any length to a fixed-length digest (SHA-256, SHA-3). It provides integrity checking and is the basis for password storage, where a unique salt and a deliberately slow key-derivation function (PBKDF2, bcrypt, scrypt, Argon2) are required. Hashing is not encryption: there is no key and the input cannot be recovered.
What is Masking
Obscuring part of a data value when it is displayed or exported, such as showing only the last four digits of a card number, or replacing production values with realistic substitutes in test data (static or dynamic data masking). It limits exposure of the value but, unlike encryption, is not reversible.
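Worked example for the steganography card above, added here and not part of the original card set: least-significant-bit embedding into a byte carrier, with a length prefix so the extractor knows where the message ends. The carrier (`COVER`) is a constructed byte string standing in for 8-bit audio samples or image channel values; no image library is used so the block runs anywhere. Note that the extractor will recover the message from any carrier once it knows the scheme, which is why the card says to encrypt the payload first.

```python
def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the least significant bit of successive cover bytes.

    A 4-byte big-endian length prefix precedes the message. Each cover byte
    changes by at most 1, so the carrier looks and sounds unchanged.
    """
    payload = len(message).to_bytes(4, "big") + message
    needed = len(payload) * 8
    if needed > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (needed, len(cover)))
    out = bytearray(cover)
    for i, byte in enumerate(payload):
        for bit_index in range(8):
            bit = (byte >> (7 - bit_index)) & 1
            pos = i * 8 + bit_index
            out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def _read_bytes(stego: bytes, start_byte: int, count: int) -> bytes:
    """Reassemble `count` payload bytes starting at payload byte `start_byte`."""
    result = bytearray()
    for i in range(start_byte, start_byte + count):
        value = 0
        for bit_index in range(8):
            value = (value << 1) | (stego[i * 8 + bit_index] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(stego: bytes) -> bytes:
    """Recover the hidden message; reject carriers whose length prefix is implausible."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if (4 + length) * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier; not a valid stego payload")
    return _read_bytes(stego, 4, length)


# Constructed 1024-byte carrier standing in for raw 8-bit samples.
COVER = bytes(range(256)) * 4

if __name__ == "__main__":
    secret = b"meet at noon"
    stego = embed_lsb(COVER, secret)
    print("recovered:", extract_lsb(stego))
    print("max change per byte:", max(abs(a - b) for a, b in zip(COVER, stego)))
```

The capacity is one payload bit per carrier byte, so a 16-byte payload consumes 128 carrier bytes; detection tools look for exactly this kind of statistical flattening in the low bits, which is another reason steganography is a covert channel rather than a confidentiality control on its own.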
Which of the following is the primary reason for an application to be susceptible to a man-in-the-middle attack?
a. Improper archiving
b. Lack of auditing
c. Improper session management
d. Lack of encryption
c. Improper session management (a session that is not bound to authenticated endpoints can be hijacked or relayed by an in-path attacker; encryption of the channel alone does not establish who is at the other end)
Communication between Kerberos client and the Kerberos server:
a. Is conducted in clear-text
b. Is encrypted using symmetric key algorithms
c. Is encrypted using asymmetric key algorithms
d. Always requires SSL as a protection mechanism
b. Is encrypted using symmetric key algorithms
What is Kerberos?
A network authentication protocol developed at MIT that uses symmetric cryptography and a trusted third party, the Key Distribution Center (Authentication Server plus Ticket Granting Server). The client obtains a Ticket Granting Ticket, then service tickets, and authenticates to services without ever sending its password over the network; it provides mutual authentication and depends on closely synchronized clocks to limit replay. It is the basis of authentication in Microsoft Active Directory.
Published by the IT Governance Institute, this framework is considered an IT governance framework with supporting tools that can be used to close gaps between control requirements, technical issues and business risks...
a. Zachman Framework
b. COBIT
c. SABSA
d. HIPAA
b. COBIT
This Integrity model addresses only the first goal of integrity. Its Star Integrity Property suggests that writing information at a higher level in the lattice, where more precision is expected, should not be allowed:
a. Brewer and Nash Model
b. BLP
c. Clark and Wilson
d. Biba
d. Biba (no write up, no read down; it prevents unauthorized modification but does not address the other integrity goals of preventing authorized users from making improper changes or maintaining internal consistency, which Clark-Wilson covers)
Threat modeling is conducted during the
a. Requirements phase
b. Design phase
c. Implementation phase
d. Deployment phase
b. Design phase (it is most effective once the architecture exists and before code is written, and should be revisited whenever the design changes)
During a threat modeling exercise, the software architecture is reviewed to identify
a. The maximum tolerable downtime
b. Attackers perspective
c. Entry points into the software
d. Critical sections of the code
c. Entry points into the software (the interfaces where data crosses a trust boundary are where threats are enumerated)
When internal business functionality is abstracted into service-oriented contract-based interfaces, it is primarily used to provide for:
a. Interoperability
b. Authentication
c. Authorization
d. Installation ease
a. Interoperability
The primary reason for designing single sign on (SSO) capabilities is to:
a. Increase the security of authentication mechanism
b. Have the ability to check each access request
c. Allow for interoperability
d. Simplify user authentication
d. Simplify user authentication (one credential for many systems; it is a usability feature and, if the single credential is compromised, widens the blast radius rather than strengthening security)
Certificate authority, registration authority and certificate revocation lists are all part of which of the following?
a. Advanced Encryption Standard (AES)
b. Steganography
c. Public Key Infrastructure (PKI)
d. Lightweight Directory Access Protocol (LDAP)
c. Public Key Infrastructure (PKI)
What is Advanced Encryption Standard (AES)?
The symmetric block cipher (Rijndael) standardized in FIPS 197: 128-bit blocks with 128-, 192- or 256-bit keys. Its security in practice depends on the mode of operation; an authenticated mode such as GCM should be used, and ECB should never be used because identical plaintext blocks produce identical ciphertext blocks.
What is Public Key Infrastructure (PKI)
The set of roles, policies and systems that issue and manage X.509 certificates binding public keys to identities: the Certificate Authority (CA) that signs certificates, the Registration Authority (RA) that verifies applicants' identities, and revocation mechanisms (Certificate Revocation Lists and OCSP) that let relying parties learn that a certificate should no longer be trusted.
What is Lightweight Directory Access Protocol (LDAP)?
A protocol for querying and modifying directory services derived from X.500, used by Active Directory, OpenLDAP and similar for user, group and authentication data. It runs on TCP 389; credentials must be protected with LDAPS (TCP 636) or StartTLS, since a simple bind otherwise sends the password in clear text. Applications that build search filters from user input are exposed to LDAP injection, mitigated by escaping or, better, by using API calls that take filter parameters separately.
When passwords are stored, the best defense against disclosure attacks can be accomplished using:
a. Encryption
b. Hashing
c. Masking
d. Obfuscation
b. Hashing (a salted, deliberately slow password hash such as PBKDF2, bcrypt, scrypt or Argon2; encryption is reversible by anyone who obtains the key, and masking or obfuscation only hides the value from view)
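Worked example for this card and for the hashing definition above, added here and not part of the original card set: a plain unsalted SHA-256 beside salted, iterated PBKDF2-HMAC-SHA256 from the Python standard library, with a constant-time comparison on verification. The record format (`pbkdf2_sha256$iterations$salt$digest`) is an assumption for the demonstration; the default iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256 and should be tuned so a hash takes a few hundred milliseconds on the target hardware.

```python
import base64
import hashlib
import hmac
import os

# OWASP guidance for PBKDF2-HMAC-SHA256 (2023); raise it as hardware gets faster.
DEFAULT_ITERATIONS = 600_000


def naive_hash(password: str) -> str:
    """Unsalted single-pass SHA-256: identical passwords hash identically, and
    the digest is cheap enough to brute-force or look up in a precomputed table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: bytes = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 returning a self-describing record."""
    if salt is None:
        salt = os.urandom(16)  # fresh per password; stored alongside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok :", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("Tr0ub4dor&3", record))
    print("naive collision:", naive_hash("hunter2") == naive_hash("hunter2"))
```

Storing the iteration count in the record lets you raise it later and re-hash each user transparently on their next successful login.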
As a means to assure the confidentiality of copyright information, the security analyst identifies the requirement to embed information inside another digital audio, video or image signal. This is an example of:
a. Encryption
b. Decryption
c. Hashing
d. Watermarking
d. Watermarking
The use of digital signatures has the benefit of providing which of the following not provided by symmetric key cryptographic design?
a. Speeding up operations
b. Confidentiality assurance
c. Key exchange
d. Non repudiation
d. Non repudiation (a signature is made with a private key only the signer holds; with a shared symmetric key either party could have produced the MAC, so neither can be held to it)
A man-in-the-middle-attack is primarily an expression of which of the following threats?
a. Spoofing
b. Tampering
c. Repudiation
d. Information Disclosure
a. Spoofing (the in-path attacker impersonates the server to the client and the client to the server; the disclosure and tampering that follow depend on that initial impersonation succeeding)
IPSec technology, which helps in the secure transmission of information, operates at the
a. Application Layer
b. Datalink Layer
c. Network Layer
d. Transport Layer
c. Network Layer (OSI layer 3; TLS operates above the transport layer and protects individual application connections instead)
What is Spoofing?
Pretending to be another user, device or resource (the S in STRIDE): forged source addresses, stolen credentials, a fake login page. It violates authentication and is countered by strong authentication of both ends, such as MFA and certificate-based mutual authentication.
What is Tampering?
Unauthorized modification of data or code, in transit or at rest (the T in STRIDE): altering a request on the wire, a database row, a configuration file or a binary. It violates integrity and is countered by hashes and MACs, digital signatures, input validation and strict write permissions.