ISC2 CSSLP Exam Questions

61.

Which of the following is a cloud characteristic that applies LEAST to private cloud environments?

  • Resource Pooling

  • On-Demand Self-Service

  • Broad Network Access

  • Measured Service

Correct answer: Resource Pooling

The five characteristics of the cloud are:

  • On-Demand Self-Service: Customers can deploy solutions and make changes with minimal service provider involvement
  • Broad Network Access: High-bandwidth connectivity exists to the cloud backend and cloud services are accessible over the network
  • Resource Pooling: Cloud tenants share a pool of resources, which are allocated on an as-needed basis
  • Rapid Elasticity: Cloud tenants can rapidly gain access to pooled resources, which can be reallocated when no longer needed
  • Measured Service: Cloud customers' resource usage is monitored, and they are billed based on their usage

In private clouds, companies have dedicated infrastructure, so resource pooling does not apply.

62.

Which of the following is NOT one of the software system quality metrics defined in ISO/IEC 25010?

  • Scalability

  • Usability

  • Compatibility

  • Portability

Correct answer: Scalability

ISO/IEC 25010:2011 (Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — System and software quality models) replaces ISO/IEC 9126 and defines metrics for measuring the quality of software systems. The eight quality characteristics that it defines are:

  • Functional Suitability
  • Reliability
  • Performance Efficiency
  • Usability
  • Security
  • Compatibility
  • Maintainability
  • Portability

63.

The use of split keys is a security control intended to implement which of the following software security best practices?

  • Separation of duties

  • Least privilege

  • Defense in depth

  • Fail secure

Correct answer: Separation of duties

Separation of duties focuses on breaking privileged actions into multiple steps that must be performed by different parties. Security controls associated with separation of duties include:

  • Split Keys: Dividing an encryption key across multiple locations prevents a single compromised system or account from leaking sensitive data.
  • Role Separation: During the development process, a programmer should not be part of the testing and quality assurance team responsible for reviewing their own code.

64.

Which of the following risk management techniques reduces the total amount of risk?

  • Mitigation

  • Acceptance

  • Transference

  • Avoidance

Correct answer: Mitigation

Organizations have a few options when dealing with risk, including:

  • Mitigation: Take steps to reduce or eliminate the risk
  • Acceptance: Accept the potential risk and do nothing
  • Transference: Pass the risk on to an insurer, user, or other party
  • Avoidance: Stop performing the risky activity

65.

An organization may have multiple different versions of software due to restrictions on what?

  • Functionality

  • Number of Seats

  • Source Code Access

  • Time

Correct answer: Functionality

Software licenses may restrict usage based on various factors, including:

  • Number of Seats: How many systems or users can use the application
  • Time: Whether the license has a fixed or unlimited term
  • Functionality: Software may be distributed as shareware/demoware with limited functionality and a price for full functionality
  • Territory: Limit where an application can be used
  • Source Code Access: Defines the level of access to source code and how it can be used

66.

Which of the following cloud characteristics can lead to security issues due to misconfigurations?

  • On-Demand Self-Service

  • Resource Pooling

  • Rapid Elasticity

  • Measured Service

Correct answer: On-Demand Self-Service

The five characteristics of the cloud are:

  • On-Demand Self-Service: Customers can deploy solutions and make changes with minimal service provider involvement
  • Broad Network Access: High-bandwidth connectivity exists to the cloud backend and cloud services are accessible over the network
  • Resource Pooling: Cloud tenants share a pool of resources, which are allocated on an as-needed basis
  • Rapid Elasticity: Cloud tenants can rapidly gain access to pooled resources, which can be reallocated when no longer needed
  • Measured Service: Cloud customers' resource usage is monitored, and they are billed based on their usage

67.

Which of the following is NOT a runtime protection against application exploitation?

  • DAST

  • RASP

  • WAF

  • ASLR

Correct answer: DAST

Not all vulnerabilities are identified and fixed before applications reach production. Runtime protection systems help to mitigate this issue by protecting vulnerable applications against attempted exploitation or reducing the probability of a successful attack. Some examples include:

  • Runtime Application Self-Protection (RASP): RASP solutions are integrated with a protected application and monitor its inputs, outputs, and behavior for anomalies that could indicate a potential attack.
  • Web Application Firewall (WAF): A WAF sits between an application and the Internet and filters out traffic containing known exploits before it reaches the vulnerable application.
  • Address Space Layout Randomization (ASLR): ASLR randomizes the location of certain functions in memory, making it more difficult for an attacker to use these functions when exploiting a vulnerability.

Dynamic Application Security Testing (DAST) is performed during the development process and involves sending malicious or malformed inputs to an application and monitoring its responses.

68.

An access control list (ACL) falls under which category of security control?

  • Technical

  • Administrative

  • Physical

  • Logical

Correct answer: Technical

Security controls can be classified into three classes:

  • Administrative: Administrative controls are guidelines, policies, and procedures. For example, many companies have a security policy that details acceptable use of their systems.
  • Technical: Technical security controls use software to protect against threats. Access control lists (ACLs) are an example of a technical control.
  • Physical: Physical controls are designed to provide physical security. Photo IDs, motion detectors, and security cameras are examples of physical controls.

Logical is not a type of security control.

69.

The I in STRIDE refers to threats to which of the following?

  • Confidentiality

  • Integrity

  • Authentication

  • Availability

Correct answer: Confidentiality

The STRIDE threat modeling framework includes the following threat categories:

  • Spoofing: Threats to user authentication
  • Tampering: Threats to data integrity
  • Repudiation: Attacker denies carrying out the attack
  • Information Disclosure: Threats to confidentiality
  • Denial of Service: Threats to availability
  • Elevation of Privilege: Threats to authorization and access management

70.

Which of the following restrictions implemented by the GDPR and similar laws might restrict data flows across jurisdictional boundaries?

  • Data residency

  • Access

  • Retention

  • Disposition

Correct answer: Data residency

The General Data Protection Regulation (GDPR) is an EU data privacy law that went into effect in May 2018. It protects the personally identifiable information (PII) of EU citizens. The GDPR and laws based on it provide various rights to data subjects, including:

  • Consent: Under the GDPR, data subjects must be informed of how their data will be used and provide affirmative consent (opt in) before data collection begins.
  • Access: The GDPR allows users to request a copy of the data that a company has stored about them in a usable format.
  • Correction: EU data subjects can require organizations to correct inaccuracies in their records.
  • Disposition: The GDPR gives data subjects the “right to be forgotten”, i.e. the right to have their data erased by the companies that collected it.
  • Retention: Under the GDPR, organizations must delete collected data after the original purpose for collecting and processing it no longer exists.
  • Data Residency: The data of EU citizens cannot be transferred to countries or companies without privacy protections equivalent to those provided by the GDPR.

71.

Which of the following includes the use of automated scripts to roll out updates to customers?

  • Continuous deployment

  • Continuous integration

  • Continuous implementation

  • Continuous delivery

Correct answer: Continuous deployment

Continuous deployment uses automated scripts to roll updates out to customers.

Continuous integration involves making frequent, small changes to the codebase, and testing each one before accepting it.

Continuous delivery automates the process of testing small releases and rolling them out to production.

72.

Which of the CVSS metric groups captures the original intent of the CVSS, which was to have a single, universally applicable risk score?

  • Base

  • Temporal

  • Environmental

  • Situational

Correct answer: Base

The Common Vulnerability Scoring System (CVSS) is a MITRE-developed risk scoring system for vulnerabilities. It includes three risk metric groups.

The Base metric group provides a general score for vulnerabilities and associated risk. It is broken up into:

  • Exploitability Metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope
  • Impact Metrics: Confidentiality Impact, Integrity Impact, and Availability Impact

The Temporal metric group shows how risk changes over time. Its metrics include:

  • Exploit Code Maturity
  • Remediation Level
  • Report Confidence

The Environmental metric group reflects the impacts that different environments and defenses have on risk. Its metrics include:

  • Modified Base Metrics
  • Confidentiality Requirement
  • Integrity Requirement
  • Availability Requirement

73.

Which of the following data protection mechanisms is commonly used when printing payment card information on a receipt?

  • Data masking

  • Data minimization

  • Tokenization

  • Anonymization

Correct answer: Data masking

Some methods by which organizations can protect data from unauthorized access and disclosure include:

  • Data Minimization: Data minimization involves collecting, processing, and storing the minimum data required. It is the most effective data protection mechanism because an organization can’t breach or misuse data that it doesn’t have.
  • Data Masking: Data masking involves hiding part or all of the sensitive data, such as replacing most of a credit card number with asterisks on a receipt.
  • Tokenization: Tokenization uses a random value to represent sensitive data in insecure locations. The actual values can be looked up based on the token value as needed.
  • Anonymization: Anonymization involves removing any data from a record that can be used to uniquely identify an individual. This is difficult because even a combination of individually non-identifying attributes can uniquely identify an individual.

74.

Which of the following is NOT a common step of testing patches?

  • Performance testing

  • Integrity testing

  • Regression testing

  • Functionality testing

Correct answer: Performance testing

Patch management is the practice of applying updates to fix security and functionality issues. Key elements of patch management are ensuring that update code is secured against malicious modification and testing patches to ensure that they fix the issue and don’t break anything else (regression testing).

75.

A "use at your own risk" banner is an example of which risk management strategy?

  • Transference

  • Mitigation

  • Acceptance

  • Avoidance

Correct answer: Transference

Organizations have a few options when dealing with risk, including:

  • Mitigation: Take steps to reduce or eliminate the risk
  • Acceptance: Accept the potential risk and do nothing
  • Transference: Pass the risk on to an insurer, user, or other party
  • Avoidance: Stop performing the risky activity

76.

Which of the following principles is intended to improve the effectiveness and resiliency of an organization's cyber defenses?

  • Diversity of Defense

  • Open Design

  • Economy of Mechanism

  • Component Reuse

Correct answer: Diversity of Defense

Some of the key security design principles include:

  • Diversity of Defense: Software defenses should be diverse geographically, technically, etc. This reduces the probability that an event affecting one defense will impact all of them.
  • Economy of Mechanism: Economy of Mechanism or “Keep It Simple” states that the design and implementation of software should be as simple as possible. Complex systems have a larger attack surface and are more difficult to troubleshoot if something goes wrong.
  • Open Design: Also known as Kerckhoffs’s Principle, the principle of open design states that a system should not rely on security through obscurity. For example, in an encryption algorithm the only secret is the key; all details of the algorithm itself can be known to an attacker without compromising the security of the system.
  • Component Reuse: Don’t reinvent the wheel. The use of secure, high-quality components rather than custom code can improve the efficiency and security of software and reduce the attack surface.

77.

Which of the following database security tools protects data confidentiality and enforces access controls?

  • Encryption

  • Triggers

  • Views

  • Privilege Management

Correct answer: Encryption

Several tools exist to enhance database security, including:

  • Encryption: Encryption protects data confidentiality by scrambling it in a way that renders it unreadable without the decryption key. Encryption enforces access controls because it prevents unauthorized users from reading the data.
  • Triggers: Triggers automatically run certain actions if a particular event occurs. They can be used for logging, alerting, and similar security tasks.
  • Views: Views provide partial visibility into the contents of database tables. They can be used to redact sensitive information when showing data to someone who doesn't need access to that information.
  • Privilege Management: Privilege management implements internal access controls for a database, restricting users' privileges and access within the database.

78.

The risk that attacks against software may deprive the organization of the software's capabilities is classified as which of the following?

  • Business risk

  • Technical risk

  • Operational risk

  • Opportunity risk

Correct answer: Business risk

Technical risk is the risk posed to the software itself by attacks against it. Business risk is the risk posed to the business by attacks against the software and the resulting loss of its functionality.

79.

Which of the following is a list of all of the weaknesses that might occur within an application?

  • CWE

  • CVE

  • CDE

  • CFE

Correct answer: CWE

The Common Weakness Enumeration (CWE), maintained by MITRE, classifies the various types of errors that can occur in software.

The Common Vulnerabilities and Exposures (CVE) list, also maintained by MITRE, describes specific vulnerabilities that have been identified in a particular application.

CDE and CFE are fabricated terms.

80.

What is the name for the process by which a system or application starts up by using scripts in predefined locations?

  • Bootstrapping

  • System launching

  • Restoring

  • Scripting

Correct answer: Bootstrapping

Bootstrapping is the process by which a computer or application starts up using startup scripts and configuration files stored in predefined locations. It is potentially vulnerable to malicious scripts placed in those locations or to modifications of the configuration files.