CSSLP : Certified Secure Software Lifecycle Professional : Part 09

CSSLP : Certified Secure Software Lifecycle Professional : Part 09

1. Gary is the project manager for his project. He and the project team have completed the qualitative risk analysis process and are about to enter the quantitative risk analysis process when Mary, the project sponsor, wants to know what quantitative risk analysis will review. Which of the following statements best defines what quantitative risk analysis will review?

   • The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project’s competing demands.
   • The quantitative risk analysis reviews the results of risk identification and prepares the project for risk response management.
   • The quantitative risk analysis seeks to determine the true cost of each identified risk event and the probability of each risk event to determine the risk exposure.
   • The quantitative risk analysis process will review risk events for their probability and impact on the project objectives.

   Explanation:

   ​Once the risk events have passed through qualitative risk analysis, then the risk events must be reviewed to determine the effect of the risks on the project’s competing demands. Answer: D is incorrect. While the quantitative risk analysis process will review the risk events for probability and impact, this statement does not answer the question as completely as answer option A. Answer: C is incorrect. The quantitative risk analysis process does not review every risk identified – only the risks which require further analysis. Answer: B is incorrect. Quantitative risk analysis process does not begin the risk response process. Its goal is to determine the effect of certain risk events on the project’s competing demands.

2. Which of the following are the tasks performed by the owner in the information classification schemes? Each correct answer represents a part of the solution. Choose three.

   • To make original determination to decide what level of classification the information requires, which is based on the business requirements for the safety of the data.
   • To review the classification assignments from time to time and make alterations as the business requirements alter.
   • To perform data restoration from the backups whenever required.
   • To delegate the responsibility of the data safeguard duties to the custodian.

3. Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?

   • Computer Misuse Act
   • Lanham Act
   • Computer Fraud and Abuse Act
   • FISMA
   Explanation:
   The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a ‘risk-based policy for cost-effective security’. FISMA requires agency program officials, chief information officers, and Inspectors Generals (IGs) to conduct annual reviews of the agency’s information security program and report the results to Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare this annual report to Congress on agency compliance with the act. Answer: B is incorrect. The Lanham Act is a piece of legislation that contains the federal statutes of trademark law in the United States. The Act prohibits a number of activities, including trademark infringement, trademark dilution, and false advertising. It is also called Lanham Trademark Act. Answer: A is incorrect. The Computer Misuse Act 1990 is an act of the UK Parliament which states the following statement: Unauthorized access to the computer material is punishable by 6 months imprisonment or a fine “not exceeding level 5 on the standard scale” (currently 5000). Unauthorized access with the intent to commit or facilitate commission of further offences is punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment. Unauthorized modification of computer material is subject to the same sentences as section 2 offences.
   Answer: C is incorrect. The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1984 intended to reduce cracking of computer systems and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as 18 U.S.C. 1030) governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or computers used in interstate and foreign commerce. It was amended in 1986, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Section (b) of the act punishes anyone who not just commits or attempts to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so.

4. Which of the following specifies the behaviors of the DRM implementation and any applications that are accessing the implementation?

   • OS fingerprinting
   • OTA provisioning
   • Access control
   • Compliance rule
   Explanation:
   The Compliance rule specifies the behaviors of the DRM implementation and any applications that are accessing the implementation. The compliance rule specifies the following elements: Definition of specific license rights Device requirements Revocation of license path or penalties when the implementation is not robust enough or noncompliant Answer: B is incorrect. Over- the- air provisioning is a mechanism to deploy MIDlet suites over a network. It is a method of distributing MIDlet suites. MIDlet suite providers install their MIDlet suites on Web servers and provide a hypertext link for downloading. A user can use this link to download the MIDlet suite either through the Internet microbrowser or through WAP on his device. Answer: C is incorrect. An access control is a system, which enables an authority to control access to areas and resources in a given physical facility, or computer-based information system. Access control system, within the field of physical security, is generally seen as the second layer in the security of a physical structure. It refers to all mechanisms that control visibility of screens, views, and data within Siebel Business Applications. Answer: A is incorrect. OS fingerprinting is a process in which an external host sends special traffic on the external network interface of a computer to determine the computer’s operating system. It is one of the primary steps taken by hackers in preparing an attack.

5. Which of the following refers to the ability to ensure that the data is not modified or tampered with?

   • Integrity 
   • Availability
   • Non-repudiation
   • Confidentiality
   Explanation:
   Integrity refers to the ability to ensure that the data is not modified or tampered with. Integrity means that data cannot be modified without authorization. Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a Web site, when someone is able to cast a very large number of votes in an online poll, and so on. Answer: D is incorrect. Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems. Breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality. If a laptop computer containing sensitive information about a company’s employees is stolen or sold, it could result in a breach of confidentiality. Answer: B is incorrect. Availability means that data must be available whenever it is needed. Answer: C is incorrect. Non-repudiation is the concept of ensuring that a party in a dispute cannot refuse to acknowledge, or refute the validity of a statement or contract. As a service, it provides proof of the integrity and origin of data. Although this concept can be applied to any transmission, including television and radio, by far the most common application is in the verification and trust of signatures.

6. The Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.

   • Certification analysis
   • Assessment of the Analysis Results
   • Configuring refinement of the SSAA
   • System development
   • Registration
   Explanation:
   The Phase 2 of DITSCAP C&A is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. This phase takes place between the signing of the initial version of the SSAA and the formal accreditation of the system. This phase verifies security requirements during system development. The process activities of this phase are as follows: Configuring refinement of the SSAA System development Certification analysis Assessment of the Analysis Results Answer: E is incorrect. Registration is a Phase 1 activity.

7. Harry is the project manager of the MMQ Construction Project. In this project, Harry has identified a supplier who can create stained glass windows for 1,000 window units in the construction project. The supplier is an artist who works by himself, but creates windows for several companies throughout the United States. Management reviews the proposal to use this supplier and while they agree that the supplier is talented, they do not think the artist can fulfill the 1,000 window units in time for the project’s deadline. Management asked Harry to find a supplier who can fulfill the completion of the windows by the needed date in the schedule. What risk response has management asked Harry to implement?

   • Transference
   • Avoidance
   • Mitigation 
   • Acceptance
   Explanation:
   This is an example of mitigation. By changing to a more reliable supplier, Harry is reducing the probability the supplier will be late. It’s still possible that the vendor may not be able to deliver the stained glass windows, but the more reputable supplier reduces the probability of the lateness. Mitigation is a risk response planning technique associated with threats that seeks to reduce the probability of occurrence or impact of a risk to below an acceptable threshold. Risk mitigation involves taking early action to reduce the probability and impact of a risk occurring on the project. Adopting less complex processes, conducting more tests, or choosing a more stable supplier are examples of mitigation actions. Answer: A is incorrect. Transference is when the risk is transferred to a third party, usually for a fee. While this question does include a contractual relationship, the risk is the lateness of the windows. Transference focuses on transferring the risk to a third party to manage the risk event. In this instance, the management of the risk is owned by a third party; the third party actually creates the risk event because of the possibility of the lateness of the windows. Answer: B is incorrect. Avoidance changes the project plan to avoid the risk. If the project manager and management changed the window-type to a standard window in the project requirements, then this would be avoidance. Risk avoidance is a technique used for threats. It creates changes to the project management plan that are meant to either eliminate the risk completely or to protect the project objectives from its impact. Risk avoidance removes the risk event entirely either by adding additional steps to avoid the event or reducing the project scope requirements. It may seem the answer to all possible risks, but avoiding risks also means losing out on the potential gains that accepting (retaining) the risk might have allowed. Answer: D is incorrect. Acceptance accepts the risk that the windows could be late and offers no response.

8. You work as a Security Manager for Tech Perfect Inc. You want to save all the data from the SQL injection attack, which can read sensitive data from the database and modify database data using some commands, such as Insert, Update, and Delete. Which of the following tasks will you perform? Each correct answer represents a complete solution. Choose three.

   • Apply maximum number of database permissions.
   • Use an encapsulated library for accessing databases.
   • Create parameterized stored procedures.
   • Create parameterized queries by using bound and typed parameters.
   Explanation:
   The methods of mitigating SQL injection attacks are as follows: 1.Create parameterized queries by using bound and typed parameters. 2.Create parameterized stored procedures. 3.Use a encapsulated library in order to access databases. 4.Minimize database permissions. Answer: A is incorrect. In order to save all the data from the SQL injection attack, you should minimize database permissions.

9. Security is a state of well-being of information and infrastructures in which the possibilities of successful yet undetected theft, tampering, and/or disruption of information and services are kept low or tolerable. Which of the following are the elements of security? Each correct answer represents a complete solution. Choose all that apply.

   • Integrity
   • Authenticity
   • Confidentiality
   • Availability
   Explanation: 
   The elements of security are as follows: 1.Confidentiality: It is the concealment of information or resources. 2.Authenticity: It is the identification and assurance of the origin of information. 3.Integrity: It refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes. 4.Availability: It refers to the ability to use the information or resources as desired.

10. Which of the following statements about the integrity concept of information security management are true? Each correct answer represents a complete solution. Choose three.

    • It ensures that unauthorized modifications are not made to data by authorized personnel or processes. 
    • It determines the actions and behaviors of a single individual within a system
    • It ensures that internal information is consistent among all subentities and also consistent with the real-world, external situation.
    • It ensures that modifications are not made to data by unauthorized personnel or processes.
    Explanation: 
    The following statements about the integrity concept of information security management are true: It ensures that modifications are not made to data by unauthorized personnel or processes. It ensures that unauthorized modifications are not made to data by authorized personnel or processes. It ensures that internal information is consistent among all subentities and also consistent with the real-world, external situation. Answer: B is incorrect. Accountability determines the actions and behaviors of an individual within a system, and identifies that particular individual. Audit trails and logs support accountability.

11. Which of the following are the important areas addressed by a software system’s security policy? Each correct answer represents a complete solution. Choose all that apply. 

    • Identification and authentication 
    • Punctuality
    • Data protection
    • Accountability
    • Scalability
    • Access control
    Explanation:
    The security policy of a software system addresses the following important areas: Access control Data protection Confidentiality Integrity Identification and authentication Communication security Accountability Answer: E and B are incorrect. Scalability and punctuality are not addressed by a software system’s security policy.

12. The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. What are the different types of NIACAP accreditation? Each correct answer represents a complete solution. Choose all that apply. 

    • Site accreditation
    • Type accreditation
    • Secure accreditation
    • System accreditation
    Explanation: 
    NIACAP accreditation is of three types depending on what is being certified. They are as follows: 1.Site accreditation: This type of accreditation evaluates the applications and systems at a specific, self contained location. 2.Type accreditation: This type of accreditation evaluates an application or system that is distributed to a number of different locations. 3.System accreditation: This accreditation evaluates a major application or general support system. Answer: C is incorrect. No such type of NIACAP accreditation exists.

13. Which of the following elements sets up a requirement to receive the constrained requests over a protected layer connection, such as TLS (Transport Layer Security)? 

    • User data constraint 
    • Authorization constraint
    • Web resource collection
    • Accounting constraint
    Explanation:
    User data constraint is a security constraint element summarized in the Java Servlet Specification 2.4. It sets up a requirement to receive the constrained requests over a protected layer connection, such as TLS (Transport Layer Security). The user data constraint offers guarantee (NONE, INTEGRAL, and CONFEDENTIAL) for the transportation of data between client and server. If a request does not have user data constraint, the container accepts the request after it is received on a connection. Answer: C is incorrect. Web resource collection is a set of URL patterns and HTTP operations that define all resources required to be protected. It is a security constraint element summarized in the Java Servlet Specification v2.4. The Web resource collection includes the following elements: URL patterns HTTP methods Answer: B is incorrect. Authorization constraint is a security constraint element summarized in the Java Servlet Specification 2.4. It sets up a requirement for authentication and names the authorization roles that can access the URL patterns and HTTP methods as defined by the security constraint. In the absence of a security constraint, the container accepts the request without requiring any user authentication. If no authorization role is specified in the authorization constraint, the container cannot access constrained requests. The wildcard character “*” specifies all authorization role names that are defined in the deployment descriptor. Answer: D is incorrect. It is not a security constraint element.

14. In digital rights management, the level of robustness depends on the various types of tools and attacks to which they must be resistant or immune. Which of the following types of tools are expensive, require skill, and are not easily available? 

    • Hand tools
    • Widely available tools
    • Specialized tools
    • Professional tools
    Explanation:
    The tools used in DRM to define the level of robustness are as follows: 1.Widely available tools: These tools are easy to use and are available to everyone. For example, screw-drivers and file editors. 2.Specialized tools: These tools require skill and are available at reasonable prices. For example, debuggers, decompilers, and memory scanners. 3.Professional tools: These tools are expensive, require skill, and are not easily available. For example, logic analyzers, circuit emulators, and chip disassembly systems.

15. You are responsible for network and information security at a large hospital. It is a significant concern that any change to any patient record can be easily traced back to the person who made that change. What is this called? 

    • Availability
    • Confidentiality
    • Non repudiation 
    • Data Protection
    Explanation:
    Non repudiation refers to mechanisms that prevent a party from falsely denying involvement in some data transaction.

16. You work as a project manager for BlueWell Inc. You with your team are using a method or a (technical) process that conceives the risks even if all theoretically possible safety measures would be applied. One of your team member wants to know that what is a residual risk. What will you reply to your team member?

    • It is a risk that remains because no risk response is taken.
    • It is a risk that can not be addressed by a risk response.
    • It is a risk that will remain no matter what type of risk response is offered.
    • It is a risk that remains after planned risk responses are taken.
    Explanation: 
    Residual risks are generally smaller risks that remain in the project after larger risks have been addressed. The residual risk is the risk or danger of an action or an event, a method or a (technical) process that still conceives these dangers even if all theoretically possible safety measures would be applied. The formula to calculate residual risk is (inherent risk) x (control risk) where inherent risk is (threats vulnerability). Answer: B is incorrect. This is not a valid statement about residual risks. Answer: C is incorrect. This is not a valid statement about residual risks. Answer: A is incorrect. This is not a valid statement about residual risks.

17. You are the project manager of the NNN project for your company. You and the project team are working together to plan the risk responses for the project. You feel that the team has successfully completed the risk response planning and now you must initiate what risk process it is. Which of the following risk processes is repeated after the plan risk responses to determine if the overall project risk has been satisfactorily decreased? 

    • Quantitative risk analysis 
    • Risk identification
    • Risk response implementation
    • Qualitative risk analysis
    Explanation:
    The quantitative risk analysis process is repeated after the plan risk responses to determine if the overall project risk has been satisfactorily decreased. Answer: D is incorrect. Qualitative risk analysis is not repeated after the plan risk response process. Answer: B is incorrect. Risk identification is an ongoing process that happens throughout the project. Answer: C is incorrect. Risk response implementation is not a project management process.

18. What component of the change management system is responsible for evaluating, testing, and documenting changes created to the project scope?

    • Project Management Information System
    • Integrated Change Control
    • Configuration Management System 
    • Scope Verification
    Explanation:
    The change management system is comprised of several components that guide the change request through the process. When a change request is made that will affect the project scope. The Configuration Management System evaluates the change request and documents the features and functions of the change on the project scope.

19. Which of the following tools is used to attack the Digital Watermarking?

    • Steg-Only Attack
    • Active Attacks
    • 2Mosaic
    • Gifshuffle
    Explanation: 
    2Mosaic is a tool used for watermark breaking. It is an attack against a digital watermarking system. In this type of attack, an image is chopped into small pieces and then placed together. When this image is embedded into a web page, the web browser renders the small pieces into one image. This image looks like a real image with no watermark in it. This attack is successful, as it is impossible to read watermark in very small pieces. Answer: D is incorrect. Gifshuffle is used to hide message or information inside GIF images. It is done by shuffling the colormap. This tool also provides compression and encryption. Answer: B and A are incorrect. Active Attacks and Steg-Only Attacks are used to attack Steganography.

20. You and your project team have identified the project risks and now are analyzing the probability and impact of the risks. What type of analysis of the risks provides a quick and high-level review of each identified risk event? 

    • Quantitative risk analysis
    • Qualitative risk analysis 
    • Seven risk responses
    • A risk probability-impact matrix
    Explanation:
     Qualitative risk analysis is a high-level, fast review of the risk event. Qualitative risk analysis qualifies the risk events for additional analysis.