ISC2 CSSLP Exam Questions

Page 2 of 25

21.

Multiple concurrent updates to database records that result in only one update being recorded are called what?

  • Lost Update

  • Dirty Read

  • Nonrepeatable Read

  • Incorrect Summary

Correct answer: Lost Update

Database management system (DBMS) concurrency controls protect against:

  • Lost Updates: Multiple concurrent threads change the same data in different ways, causing only one change to be recorded.
  • Dirty Read: One transaction selects a row in a table that has been updated but not committed by another transaction.
  • Nonrepeatable Read: A transaction reads the same row multiple times and gets different results.
  • Incorrect Summary: One transaction summarizes the values of a repeated data item while another transaction modifies some of these instances, making the summary incorrect.

22.

Which of the following security metrics could BEST be used to measure the success of an OWASP-focused developer training program?

  • Number of common errors

  • Defects per thousand lines of code

  • Number of repeated errors

  • Average time to remediate an issue

Correct answer: Number of common errors

Metrics for measuring security can include:

  • Defects per thousand lines of code
  • Number of repeated errors
  • Number of common errors
  • Percent of errors above a criticality level
  • Average time to remediate an issue
  • Complexity associated with errors

23.

Which of the following vulnerabilities is MOST likely to provide an attacker with access to sensitive files stored on a computer?

  • Path traversal

  • SQL injection

  • Cross-site scripting (XSS)

  • Cross-site request forgery (CSRF)

Correct answer: Path traversal

Injection is a major, common vulnerability that usually features highly on vulnerability lists. Some common types of injection vulnerabilities include:

  • SQL Injection: SQL injection attacks involve providing malicious input that is included in a database request. SQL injection can read, write, or delete data contained within a database accessible to a vulnerable application.
  • Command Injection: Command injection vulnerabilities allow an attacker to run commands in the system terminal. For example, an application may run a command in the shell using user-provided input, which may be crafted to change the intent of the command or run additional commands.
  • Integer Overflow: Integers have a fixed size in memory and are only able to store a certain range of values. If a value to be stored in a variable exceeds this range, it wraps around and is interpreted as a smaller value.
  • Path Traversal: In a filepath, ../ indicates that the system should look in the next directory up in the file system. Path traversal vulnerabilities allow an attacker who can specify the name of a file to be read/written by an application to read/write files outside of the intended directory.
  • Cross-Site Scripting (XSS): Modern webpages use scripts to add interactivity and other functionality to webpages. If user-provided input is used as part of a webpage's HTML code, a malicious user can have part of their input interpreted as a script, which will be run in the browser of anyone visiting the page. XSS vulnerabilities can be non-persistent (reflected), persistent (stored), or DOM-based.
  • Cross-Site Request Forgery (CSRF): Cross-site request forgery (CSRF) attacks involve tricking the browser of an authenticated user into performing an HTTP request without their knowledge/consent. For example, a user logged into social media could have their password changed if a malicious webpage tricked their browser into performing a password change request and the social media site lacked CSRF protections.

24.

Which of the following regulations arose from within the industry, not from regulators?

  • PCI DSS

  • SOX

  • FISMA

  • GLBA

Correct answer: PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) was implemented by major payment card brands to fight payment card fraud and protect cardholders’ personal data. It includes twelve high-level requirements divided into six control objectives.

25.

Single points of failure are MOST closely related to which of the following concepts?

  • Resiliency

  • Diversity of Defense

  • Separation of Duties

  • Least Common Mechanism

Correct answer: Resiliency

Some of the key security design principles include:

  • Resiliency: Software systems should be designed to eliminate single points of failure via backups, redundancy, etc. The failure of a single point of failure could render the system unusable or insecure.
  • Separation of Duties: Separation of duties or compartmentalization divides high-risk or critical processes across multiple roles. This reduces the probability that a malicious user could carry out the action or be tricked into doing so.
  • Least Common Mechanism: Least common mechanism states that different processes with different privilege levels should not use the same function or mechanism because it is more difficult to keep these paths separate. Instead, each process should have its own mechanism.
  • Diversity of Defense: Software defenses should be diverse geographically, technically, etc. This reduces the probability that an event affecting one defense will impact all of them.

26.

During which of the following stages of incident management for third-party components may a customer be dependent on a supplier for patches?

  • Response

  • Notification

  • Coordination

  • Reporting

Correct answer: Response

Vulnerability management in third-party components includes considerations such as:

  • Notification: Vulnerabilities in shared components may be identified by another customer and not publicly reported.
  • Response: An organization may be dependent on a supplier to develop and release a patch for vulnerabilities.
  • Coordination: How the organization and supplier will work together to manage the issue.
  • Reporting: How any issues are reported to relevant stakeholders (management, regulators, customers, etc.).

27.

Unnecessary complexity or obfuscation in code falls under which of the following issues commonly included in code review?

  • Inefficient Code

  • Known Vulnerabilities

  • Logging

  • Privilege Levels

Correct answer: Inefficient Code

Code review is a process by which other developers inspect code for security or efficiency issues. Some of the common checks performed during code review include:

  • Inefficient Code: Complex or obfuscated code may need to be simplified to improve analysis or execution.
  • Known Vulnerabilities: Code should be checked against the OWASP Top 10, SANS Top 25, and errors that have previously been found within an organization's code.
  • Errors and Exception Handling: Code should fully test for error cases and handle all possible exceptions.
  • Injection Flaws: Code should include input validation to protect against injection attacks.
  • Cryptographic Strength: Cryptography should be implemented using trusted algorithms and libraries and use strong random number generation.
  • Unsafe and Deprecated Function Calls: Code should only use approved functions and APIs, and unneeded functions should be removed.
  • Privilege Levels: Code should be implemented in accordance with the principle of least privilege.
  • Logging: Code should properly log errors without revealing unnecessary information.
  • Secure Key Information: Cryptographic keys, passwords, and other authentication information should be properly used and protected.

28.

Which of the following types of malware is primarily designed to make money for an attacker?

  • Adware

  • Spyware

  • Trojan horse

  • Rootkit

Correct answer: Adware

Malware comes in a variety of different forms, including the following:

  • Virus: A virus spreads using an infected program that runs on a compromised system.
  • Worm: Worms spread themselves without human interaction via means such as exploiting vulnerable applications and systems.
  • Spyware: Spyware is stealth malware designed to collect information about the user of an infected system.
  • Adware: Adware generates revenue for an attacker by displaying unwanted ads to a user.
  • Trojan Horse: Trojan horses infect systems by masquerading as a benign and desirable program that deploys malicious functionality when executed by a user.
  • Rootkit: Rootkits conceal themselves and other malicious programs (spyware, keyloggers, etc.) on an infected system. They can run either in kernel mode or user mode.
  • Ransomware: Ransomware encrypts or corrupts files on an infected computer and demands a ransom in exchange for restoring access to the user's data.

29.

Which of the following protects the confidentiality of data in a database?

  • Encryption

  • Trigger

  • View

  • Privilege Management

Correct answer: Encryption

Key database security elements include:

  • Encryption: Encryption protects the confidentiality of data in a database.
  • Triggers: Triggers are functions that run automatically when a particular database event occurs.
  • Views: Views allow data to be extracted and displayed within tables.
  • Privilege Management: Databases can have built-in access controls that limit the actions that a user or application can take on the database.

30.

Which of the following mechanisms for protecting data against unauthorized access uses a non-sensitive identifier to represent sensitive data in insecure locations?

  • Tokenization

  • Data minimization

  • Data masking

  • Anonymization

Correct answer: Tokenization

Some methods by which organizations can protect data from unauthorized access and disclosure include:

  • Data Minimization: Data minimization involves collecting, processing, and storing the minimum data required. It is the most effective data protection mechanism because an organization can’t breach or misuse data that it doesn’t have.
  • Data Masking: Data masking involves hiding part or all of the sensitive data, such as replacing most of a credit card number with asterisks on a receipt.
  • Tokenization: Tokenization uses a random value to represent sensitive data in insecure locations. The actual values can be looked up based on the token value as needed.
  • Anonymization: Anonymization involves removing any data from a record that can be used to uniquely identify an individual. This is difficult as even combinations of non-identifying characteristics can be combined to uniquely identify an individual.

31.

Which of the following vulnerabilities takes advantage of how HTML is interpreted within a browser?

  • Cross-site scripting (XSS)

  • Cross-site request forgery (CSRF)

  • Command injection

  • SQL injection

Correct answer: Cross-site scripting (XSS)

Injection is a major, common vulnerability that usually features highly on vulnerability lists. Some common types of injection vulnerabilities include:

  • SQL Injection: SQL injection attacks involve providing malicious input that is included in a database request. SQL injection can read, write, or delete data contained within a database accessible to a vulnerable application.
  • Command Injection: Command injection vulnerabilities allow an attacker to run commands in the system terminal. For example, an application may run a command in the shell using user-provided input, which may be crafted to change the intent of the command or run additional commands.
  • Integer Overflow: Integers have a fixed size in memory and are only able to store a certain range of values. If a value to be stored in a variable exceeds this range, it wraps around and is interpreted as a smaller value.
  • Path Traversal: In a filepath, ../ indicates that the system should look in the next directory up in the file system. Path traversal vulnerabilities allow an attacker who can specify the name of a file to be read/written by an application to read/write files outside of the intended directory.
  • Cross-Site Scripting (XSS): Modern webpages use scripts to add interactivity and other functionality to webpages. If user-provided input is used as part of a webpage's HTML code, a malicious user can have part of their input interpreted as a script, which will be run in the browser of anyone visiting the page. XSS vulnerabilities can be non-persistent (reflected), persistent (stored), or DOM-based.
  • Cross-Site Request Forgery (CSRF): Cross-site request forgery (CSRF) attacks involve tricking the browser of an authenticated user into performing an HTTP request without their knowledge/consent. For example, a user logged into social media could have their password changed if a malicious webpage tricked their browser into performing a password change request and the social media site lacked CSRF protections.

32.

Which of the following data subject rights is also known as "the right to be forgotten"?

  • Disposition

  • Retention

  • Data residency

  • Correction

Correct answer: Disposition

The General Data Protection Regulation (GDPR) is an EU data privacy law that went into effect in May 2018. It protects the personally identifiable information (PII) of EU citizens. The GDPR and laws based on it provide various rights to data subjects, including:

  • Consent: Under the GDPR, data subjects must be informed of how their data will be used and provide affirmative consent (opt in) before data collection begins.
  • Access: The GDPR allows users to request a copy of the data that a company has stored about them in a usable format.
  • Correction: EU subjects can require organizations to correct inaccuracies in their records.
  • Disposition: The GDPR gives data subjects the “right to be forgotten,” i.e., the right to have their data erased by the companies that collected it.
  • Retention: Under the GDPR, organizations must delete collected data after the original purpose for collecting and processing it no longer exists.
  • Data Residency: The data of EU citizens cannot be transferred to countries or companies without privacy protections equivalent to those provided by the GDPR.

33.

Which of the following activities is MOST relevant to regulatory compliance and legal action after a security incident?

  • Forensics

  • Root cause analysis

  • Incident triage

  • Security monitoring

Correct answer: Forensics

If an organization suffers a security incident, a quick, correct response is essential to minimizing the cost and damage to the business and requires a well-defined incident response plan. After a potential incident has been identified (based on monitoring and threat detection), essential activities include:

  • Root Cause Analysis: Often, the events that cause an incident to be detected are symptoms, and addressing these will not solve the problem. Root cause analysis is necessary to identify why the incident occurred and ensure that it does not recur in the future.
  • Incident Triage: An organization may face many simultaneous incidents with varying levels of importance and impact on the organization. Triage ensures that incident investigation and response activities are properly prioritized and that each incident is managed at the appropriate level (i.e., not disabling critical functionality due to a minor bug).
  • Forensics: Digital forensics involves investigating an incident to support remediation, recovery, regulatory compliance, or legal action. Often, this involves analyzing log files, the file system, the Windows Registry, and other data sources.

34.

An application is configured to drop authentication requests if it becomes overloaded and can't validate them. This is an example of which of the following security best practices?

  • Fail secure

  • Economy of mechanism

  • Least privilege

  • Least common mechanism

Correct answer: Fail secure

Fail secure means that a system should default to a secure state if something goes wrong rather than an insecure one. Denying access when the system can't validate a user's identity is an example of fail secure.

The principle of least privilege states that users, applications, etc. should only have the access and privileges needed to do their jobs.

Economy of mechanism (also known as the Keep it Simple principle) states that software design and implementation should be as simple as possible to reduce the risk of errors.

Least common mechanism prohibits sharing mechanisms or functions in code between users or processes that have different levels of privilege.

35.

Which of the following is NOT one of the PCI DSS control objectives?

  • Restrict Access to Payment Card Processing Systems

  • Build and Maintain a Secure Network

  • Regularly Monitor and Test Networks

  • Maintain a Vulnerability Management Program

Correct answer: Restrict Access to Payment Card Processing Systems

The Payment Card Industry Data Security Standard (PCI DSS) was implemented by major payment card brands to fight payment card fraud and protect cardholders’ personal data. It includes twelve high-level requirements divided into six control objectives:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

36.

Which organization developed sample contractual terms for supply chain security requirements that are based on six core philosophies?

  • OWASP

  • NIST

  • OASIS

  • ISO

Correct answer: OWASP

Security requirements should flow down to supplier/providers. The Open Web Application Security Project (OWASP) has developed sample contractual terms based on six key philosophies:

  • Security Decisions Will Be Based on Risk
  • Security Activities Will Be Balanced
  • Security Activities Will Be Integrated
  • Vulnerabilities Are Expected
  • Security Information Will Be Fully Disclosed
  • Only Useful Security Documentation Is Required

37.

Which of the following principles recommends use of high-quality, secure libraries?

  • Component Reuse

  • Least Common Mechanism

  • Complete Remediation

  • Economy of Mechanism

Correct answer: Component Reuse

Some of the key security design principles include:

  • Component Reuse: Don’t reinvent the wheel. The use of secure, high-quality components rather than custom code can improve the efficiency and security of software and reduce the attack surface.
  • Economy of Mechanism: Economy of Mechanism or “Keep It Simple” states that the design and implementation of software should be as simple as possible. Complex systems have a larger attack surface and are more difficult to troubleshoot if something goes wrong.
  • Complete Mediation: Complete mediation states that authorization should be performed for every request, even if requests are repeated. This ensures that the authorization system is never bypassed.
  • Least Common Mechanism: Least common mechanism states that different processes with different privilege levels should not use the same function or mechanism because it is more difficult to keep these paths separate. Instead, each process should have its own mechanism.

38.

Which of the following regulations is primarily focused on data integrity and authenticity, rather than confidentiality?

  • SOX

  • HIPAA

  • GDPR

  • GLBA

Correct answer: SOX

The Sarbanes-Oxley Act of 2022 (SOX) is an anti-fraud regulation developed in response to corporate scandals. Publicly-traded companies are required to have integrity protections for accounting data to verify the accuracy of reported data.

39.

Which of the following security controls is MOST related to compliance?

  • Compensating

  • Corrective

  • Detective

  • Deterrent

Correct answer: Compensating

The five types of security controls are:

  • Detective: Build a log of system or user actions that can be used to identify anomalies and potential threats.
  • Preventative: Actively or proactively work to block an attack.
  • Deterrent: Attempt to dissuade an attacker from carrying out an attack.
  • Corrective: Help to recover back to normal operations after an attack.
  • Compensating: Provide an alternative to a security requirement when the recommended control cannot be implemented for some reason.

40.

An organization wants to ensure that a system containing low-quality data can't corrupt a higher-level system's data. Which of the following types of rules can prevent this?

  • Write-up

  • Write-down

  • Read-up

  • Read-down

Correct answer: Write-up

Bell-LaPadula is a confidentiality protection model that combines attributes of Mandatory Access Control (MAC) and Discretionary Access Control (DAC). Its Simple Security Rule prevents reading data at a higher level of classification ("read up"), while its *-property (star property) prevents writing data to a system with a lower classification level ("write down").

Biba is an integrity model designed to protect higher-level, more trustworthy data from being corrupted by lower-level data. Its no write-up rule blocks systems from writing data to a system with a higher classification level. Its second rule states that a system reading/processing data from a lower-level system ("read down") will have its integrity level lowered as a result.