CSSLP Exam 2024 Questions & Answers: Cybersecurity Fundamentals, Exams of Computer Security

A collection of multiple-choice questions and answers related to the csslp (certified secure software lifecycle professional) exam. It covers various cybersecurity fundamentals, including cryptography, secure coding practices, risk management, and security design principles. The questions are designed to test understanding of key concepts and best practices in software security.

Typology: Exams

2024/2025

Available from 03/05/2025

EXCELLENTPAPERS
CSSLP Exam 2024 Questions & Answers | 100% Correct | Verified

Your project involves streaming web conference content from your web servers to multiple endpoints. Because of the sensitive nature of the content, encryption is mandated. What would be the preferred algorithm?
A. 3DES
B. AES
C. RC4
D. MD5
Answer: C.
RC4 is a stream-based cipher, and the web conference traffic requires a stream cipher for performance reasons.
A, B, and D are incorrect. 3DES and AES are symmetric block ciphers, but are poor choices for streaming media channels. MD5 is a hash algorithm, not an encryption method.
Hint: What type of material is being encrypted, and does it have any specific characteristics that are important to consider?
Reference: Chapter 13: Defensive Coding Practices
Objective: 13.3 Cryptography

WS-Security is:
A. A method of providing confidentiality for SOAP
B. A method of providing authentication, integrity, confidentiality, and non-repudiation for web services
C. The encryption of SOAP messages
D. A method of authenticating SOAP messages
Answer: B.
WS-Security is just a collection of security mechanisms for signing, encrypting, and authenticating SOAP messages. Merely using WS-Security does not guarantee security; it must be properly configured to provide protection.
A, C, and D are incorrect. WS-Security is a mechanism for providing a wide range of security functionality with SOAP, not just confidentiality, authentication, and encryption services.
Hint: WS-Security can provide a range of security-related functions.

Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.2 Service-oriented architecture

Passwords and sensitive elements such as keys are sought after by hackers. What is the best way to store these in application programs?
A. In a config file in a protected directory
B. Hard-coded in the executable where they are protected
C. Encrypted and stored in a file
D. On a protected server
Answer: C.
All sensitive data should be encrypted and stored in an appropriate place. Storing elements in the executable file makes them difficult to change, so other files are recommended.
A, B, and D are incorrect. A protected directory can be bypassed, and for some secrets, a demo of the code can give away the secret. Hard-coding in the executable makes them accessible. Remote storage does not solve the confidentiality problem.
Hint: What protects the confidentiality of data?
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.1.3 Handling configuration parameters

Which of the following functions should never be relied upon with client-side processing? Choose all that apply.
A. Input errors
B. Missing values
C. State management
D. Input validation
Answer: C and D.
Because inputs can be changed by proxies between the client and the server, all security checks should only be done on the server side, including all state management and input validations.
A and B are incorrect. Input errors and missing values can be checked for and validated on the client side for the purpose of improving user experience (preventing unnecessary round trips to the server).
Hint: At what stages can input be changed?

The first step for general risk management is:
A. Enumerate risks
B. Security control selection
C. Threat assessment
D. Asset identification
Answer: D.
Risks are associated with assets, or things that have value in an enterprise.
A, B, and C are incorrect. Risks cannot be enumerated until the target (asset) is identified. Security controls cannot be selected until a specific threat assessment is performed. All of the steps follow asset identification.
Hint: Risk is associated with something of value.
Reference: Chapter 2: Risk Management
Objective: 2.2 Governance, risk, and compliance

What are the two primary components associated with measuring the loss due to risk? Choose two.
A. Likelihood of impact
B. Magnitude of impact
C. Scale of threat
D. Likelihood of threat
Answer: B and D.
Risk is measured in terms of the likelihood of the threat and the magnitude of the impact.
A and C are incorrect. The likelihood of impact is messy because it includes not just the likelihood of the threat, but the likelihood of bypassing mitigations; this makes it difficult to use consistently. The scale of the threat is again complicated by external factors, making it less useful.
Hint: What are the elements of qualitative risk assessment?
Reference: Chapter 2: Risk Management
Objective: 2.5 Qualitative risk management

PHI is affiliated with:
A. Gramm-Leach-Bliley
B. Sarbanes-Oxley
C. PCI DSS
D. HIPAA/HITECH
Answer: D.
PHI is personal health information, which is protected by HIPAA/HITECH.
A, B, and C are incorrect. Gramm-Leach-Bliley protects personal financial information, Sarbanes-Oxley is for corporate financials, and PCI DSS is for credit card information.
Hint: Personal health information.
Reference: Chapter 3: Security Policies and Regulations
Objective: 3.1 Regulations and compliance

Which of the following is not a technique for dealing with risk?
A. Avoid
B. Transfer
C. Accept
D. Eliminate
Answer: D.
Risk can never be eliminated, only mitigated or reduced to a particular level.
A, B, and C are incorrect. After a risk has been identified and assessed, four techniques can be employed to deal with the risk: avoid the risk, transfer the risk, mitigate the risk, and accept the risk.
Hint: One of these is an absolute, and absolutes typically do not fit with risk management.
Reference: Chapter 2: Risk Management
Objective: 2.4 Risk Controls

You want to implement steps to validate the security of software design. At what phase in the SDLC should you implement the security design validation process?
A. After implementation
B. After design
C. After testing

A, C, and D are incorrect. These are all classes of security controls.
Hint: One way of classifying controls is based on the aspect of the business involved.
Reference: Chapter 2: Risk Management
Objective: 2.4 Risk controls

The principle associated with the use of multiple overlapping controls is:
A. Least privilege
B. Separation of duties
C. Defense in depth
D. Fail safe
Answer: C.
The use of multiple independent security control mechanisms to protect a specific program is called defense in depth.
A, B, and D are incorrect. These are all security design tenets that act individually.
Hint: The key word in the question is multiple.
Reference: Chapter 1: Security Concepts
Objective: 1.3 Security design tenets

The principle associated with minimizing a user's authority to only what is needed is called:
A. Separation of duties
B. Least privilege
C. Complete mediation
D. Least common mechanism
Answer: B.
Users should only be given the level of privilege necessary to do their assigned tasks and no more.
A, C, and D are incorrect. A is about using multiple users. C involves ensuring checks are performed every time. D is about ensuring that single functions do not perform multiple tasks at different privilege levels.
Hint: Which of these is associated with a user's activity?

Reference: Chapter 1: Security Concepts
Objective: 1.3 Security design tenets

Which software development process is characterized by early and frequent deliverables in an incremental fashion?
A. Agile
B. Waterfall
C. Prototype
D. Spiral
Answer: A.
Agile development is characterized by early deliverables and regular incremental processes.
B, C, and D are incorrect. These are all software development methodologies, but they do not provide for early and regular functional deliverables.
Hint: Early and frequent are important aspects of one development methodology.
Reference: Chapter 4: Software Development Methodologies
Objective: 4.3 Software development models

The Microsoft Security Development Lifecycle was built upon a set of principles known as:
A. SD3+C
B. Trusted computing base
C. Address Space Layout Randomization (ASLR)
D. Secure by design
Answer: A.
SD3+C stands for the secure by design, secure by default, secure in deployment and communications program.
B, C, and D are incorrect. The trusted computing base is not a Microsoft concept. ASLR is a security feature, and secure by design is only one of the principles.
Hint: There are four pillars.
Reference: Chapter 4: Software Development Methodologies
Objective: 4.4 Microsoft Secure Development Lifecycle

C. Non-repudiation
D. Confidentiality
Answer: B.
This is from the FIPS definition of integrity: "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity...."
A, C, and D are incorrect; they are descriptors involved in security aspects other than integrity.
Hint: Modification or destruction is an example of what?
Reference: Chapter 5: Policy Decomposition
Objective: 5.1 Confidentiality, integrity, and availability requirements

The validation of a user through the use of a shared set of secret credentials is:
A. Identification
B. Authentication
C. Authorization
D. Auditing
Answer: B.
Authentication is a form of validation in which the user presents the known shared secret.
A, C, and D are incorrect. Identification is the establishment of the shared secret, authorization is a result of authentication, and auditing is a simple distractor.
Hint: Tailgating when driving refers to what?
Reference: Chapter 5: Policy Decomposition
Objective: 5.2 Authentication, authorization, and auditing requirements

Ensuring timely and reliable access to and use of information is a description of:
A. Availability
B. Integrity
C. Non-repudiation
D. Confidentiality
Answer: A.
This is from the FIPS definition of availability: "Ensuring timely and reliable access to and use of information...."

B, C, and D are incorrect; they are descriptors involved in security aspects other than integrity.
Hint: Access to information, or the lack thereof, is an example of what?
Reference: Chapter 5: Policy Decomposition
Objective: 5.1 Confidentiality, integrity, and availability requirements

The three forms of audit-related risk are:
A. Residual risk, inherent risk, detection risk
B. Control risk, inherent risk, detection risk
C. Residual risk, control risk, detection risk
D. Control risk, inherent risk, residual risk
Answer: B.
Inherent risks are those associated with the process and its inherent error rate, assuming no internal controls exist to handle the potential errors. Detection risk is the risk that an audit will not detect an issue that can result in material error. Control risk is the risk that controls will not detect or prevent material errors in a timely fashion.
A, C, and D are incorrect. Residual risk is the term for audit-based risk in total.
Hint: What is each of the listed types of risk?
Reference: Chapter 5: Policy Decomposition
Objective: 5.2 Authentication, authorization, and auditing requirements

Security policies should ensure compliance with all external obligations. Examples of these obligations include:
A. Statutory, regulatory, and contractual obligations
B. Audit log and internal controls
C. Internal controls and contractual obligations
D. Internal SLAs, controls, and contractual obligations
Answer: A.
Statutory, regulatory, and contractual obligations are all external requirements.
B, C, and D are incorrect. Audit logs, internal controls, and internal SLAs are all internal elements.

Data owners are responsible for:
A. Defining data classification, controls, and access criteria
B. Maintaining data classification, controls, and access criteria
C. Implementing data classification, controls, and access criteria
D. Performing data classification, controls, and access criteria
Answer: A.
The data owner is the party who determines factors associated with specific data elements.
B, C, and D are incorrect. These are all implementation-oriented and belong to the data custodian function.
Hint: What belongs to data custodians?
Reference: Chapter 6: Data Classification and Categorization
Objective: 6.2 Data ownership

Data custodians are responsible for all of the following except:
A. Performing data classification, controls, and access criteria
B. Maintaining data classification, controls, and access criteria
C. Implementing data classification, controls, and access criteria
D. Defining data classification, controls, and access criteria
Answer: D.
This is a data owner responsibility; all of the others belong to data custodians.
A, B, and C are incorrect. These are custodian functions.
Hint: Which one belongs to data owners?
Reference: Chapter 6: Data Classification and Categorization
Objective: 6.2 Data ownership

An application that is designed to be used by different classes of users would find which form of access control useful?
A. Rule-based Access Control
B. Discretionary Access Control
C. Mandatory Access Control
D. Role-based Access Control
Answer: D.
Breaking users into groups based upon their roles simplifies authentication and authorization work.
A, B, and C are incorrect. They are all access control mechanisms, but do not take advantage of the "groups of users" requirement.
Hint: Which form of access control separates users into logical groups?
Reference: Chapter 5: Policy Decomposition
Objective: 5.2 Authentication, authorization, and auditing requirements

FIPS 199 provides for classifying data into three levels. These levels are:
A. Confidentiality, integrity, and availability
B. High, medium, and low
C. PII, security sensitive, and hidden
D. Internal, input, and output
Answer: B.
FIPS uses three levels (high, medium, and low) across three dimensions (confidentiality, integrity, and availability).
A, C, and D are incorrect. A represents the dimensions. C and D are classifications of data usage.
Hint: Think levels that are hierarchical.
Reference: Chapter 6: Data Classification and Categorization
Objective: 6.3 Labeling

Which of the following are examples of structured data? Choose all that apply.
A. Databases
B. Microsoft Excel file
C. Formatted file structures
D. E-mails
Answer: A and C.
These forms are managed by their format.
B and D are incorrect. These forms are not managed by their format.

The elements of a data lifecycle are:
A. Internal, input, and output
B. Generation, retention, and disposal
C. Customer, supplier, and internal
D. Define, maintain, and dispose
Answer: B.
Data is created, used, and destroyed.
A, C, and D are incorrect. These are all associated with data, but not specifically with its lifecycle.
Hint: Data is created, used, and destroyed.
Reference: Chapter 6: Data Classification and Categorization
Objective: 6.5 Data lifecycle

Requirements that relate directly to business requirements are referred to as:
A. Functional
B. Operational
C. Intrinsic
D. Business
Answer: A.
Functional requirements describe how the software is expected to function.
B, C, and D are incorrect. Operational requirements relate to deployment. Intrinsic and business are simple related-term distractors.
Hint: The answer describes how the software is expected to work.
Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements

The detailed listing of what users are involved in a system forms part of the _____ definition.
A. User
B. Role
C. Requirement
D. Use-case
Answer: D.
The detailed listing of what users are involved in a system forms part of the use-case definition.
A, B, and C are incorrect. Role and user definitions are the statements of who will be using what functionality of the software. The term requirement defines program objectives.
Hint: How do you document user involvement with an application?
Reference: Chapter 7: Requirements
Objective: 7.1.1 Role and user definitions

A powerful technique for determining functional requirements in developer-friendly terms is:
A. Subject-object-activity matrix
B. Use case
C. Data flow diagram
D. Misuse case
Answer: B.
A use case is a specific example of an intended behavior of the system.
A, C, and D are incorrect. Subject-object-activity matrix and data flow diagrams are not directly associated with functional requirements. Misuse cases are about security issues, not functional requirements.
Hint: "Functional requirements" is the key part of the question.
Reference: Chapter 7: Requirements
Objective: 7.1.6 Use-cases

Multithreaded operating systems are specifically susceptible to what types of attacks?
A. Buffer overflow
B. Stack-based attacks
C. Arithmetic overflow attacks
D. Time of check/time of use attacks
Answer: D.

Hint: Which of these is not related to security functionality?
Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements

The multitude of requirements can be managed through the use of a:
A. Subject-object-activity matrix
B. Requirements traceability matrix
C. Functional requirements listing
D. Requirements lifecycle
Answer: C.
The requirements traceability matrix (RTM) is a grid that assists the development team in tracking and managing requirements and implementation details.
A, B, and D are incorrect. A is a specific term used to describe interactions between users and objects. B and D are distractors created out of words that fit the topic, but have no specific contextual meaning.
Hint: Managing includes what specific functions?
Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements

What represents the "who" in the subject-object-activity matrix?
A. Subject
B. Object
C. Activity
D. Interaction
Answer: A.
Subjects represent who, objects represent what, and activities or actions represent the how of the subject-object-activity relationship.
B, C, and D are incorrect. Objects represent what and activities or actions represent the how of the subject-object-activity relationship. Interactions are an undefined term in this context.
Hint: Users are also who?

Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements

To prevent error conditions from cascading or propagating through a system, a designer should:
A. Practice complete error mitigation, including error trapping and handling
B. Practice safe coding with managed code modules
C. Use a language that supports managed code
D. Log all user activity for troubleshooting during testing
Answer: A.
Errors should always be trapped and managed locally.
B, C, and D are incorrect. B and C are about restricting language, when the question does not specify any particular language. D is good practice, but does not address the issue in question.
Hint: Focus on how errors propagate through a system.
Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements

What represents the "what" in the subject-object-activity matrix?
A. Subject
B. Object
C. Activity
D. Interaction
Answer: B.
Subjects represent the who, objects represent the what, and activities or actions represent the how of the subject-object-activity relationship.
A, C, and D are incorrect. Subjects represent the who and activities or actions represent the how of the subject-object-activity relationship. Interactions are an undefined term in this context.
Hint: Users interact with the "what" element.
Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements