CISSP | Test Questions | Domain 4 | Software Development Security
Which of the following is not a common error or vulnerability in information systems? a. Encryption failures b. Buffer overflows c. Format string errors d. Failing to check input for validity
a. Encryption failures are not a common error. Standard encryption algorithms rarely fail, because they undergo extensive public testing, and key lengths keep growing, which makes brute-force attacks harder; the failures that do occur are usually in how cryptography is applied rather than in the algorithm itself. Errors that do recur include buffer overflows, race conditions, format string errors, failing to check input for validity, and computer programs being given excessive access privileges.
Security controls are designed and implemented in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Disposal
b. Security controls are designed, developed, and implemented in the development/acquisition phase. Additional controls may be developed to support the controls already in place or planned.
When Web applications use cryptographic functions that have proven difficult to code properly, it can lead to which of the following? a. Insecure storage b. Improper error handling c. Injection flaws d. Insecure configuration management
a. Web applications frequently use cryptographic functions to protect information and credentials in storage. These functions, and the code that integrates them, have proven difficult to write correctly, frequently resulting in weak protection.
Attackers can exploit which of the following flaws to access user accounts, view sensitive files, or use unauthorized functions? a. Broken access control b. Unvalidated input c. Broken authentication d. Cross-site scripting flaws
a. When restrictions on what authenticated users are allowed to do are not properly enforced, the result is a broken access control vulnerability in the Web application. The other three choices do not deal with accessing user accounts, viewing sensitive files, or using unauthorized functions.
What is a malicious, unauthorized act that resides within a computer program and is triggered when a predefined event or condition occurs known as? a. Logic bomb b. Computer virus c. Worm d. NAK attack
a. A time bomb is a special case of a logic bomb: a time bomb is a Trojan horse set to trigger at a particular time, whereas a logic bomb triggers on a particular condition, event, or command. The logic bomb may be a complete program or a code fragment. Computer virus is incorrect because a virus "reproduces" by making copies of itself and inserting them into other programs. Worm is incorrect because a worm searches the network for idle computing resources and uses them to execute itself in small segments. NAK (negative acknowledgment character) attack is incorrect because it is a penetration technique that capitalizes on a weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts. The name comes from binary synchronous communications, in which the NAK transmission control character is sent as a negative response to data received, meaning that the data was not received correctly or that a command was incorrect or unacceptable.
Both black-box and white-box testing are performed during which of the following? a. Unit testing b. Integration testing c. System testing d. Acceptance testing
a. A unit test is a test of software elements at the lowest level of development. Black-box testing, also known as functional testing, executes part or all of the system to validate that the user requirement is satisfied. White-box testing, also known as structural testing, examines the logic of the units and may be used to support software requirements for test coverage, i.e., how much of the program has been executed. Because the unit test is the first test conducted, its scope should be comprehensive enough to include both types of testing, black box and white box. Integration testing is incorrect because it comes after completion of unit tests. An integration test is performed to examine how units interface and interact with each other, with the assumption that the units and the objects (for example, data) they manipulate have all passed their unit tests. Software integration tests check how the units interact with other software libraries and hardware. System testing is incorrect because it comes after completion of the integration tests; it tests the completely integrated system and validates that the software meets its requirements. Acceptance testing is incorrect because it comes after completion of system tests; it is testing of user requirements in an operational mode, conducted by end users and computer operations staff.
Which of the following should be done prior to final system deployment for operation? a. Conduct a security certification process. b. Describe the known vulnerabilities in the system. c. Establish control verification techniques to provide confidence. d. Document the safeguards that are in place to protect the system.
a. Prior to final system deployment, a security certification should be conducted to ensure that security controls established in response to security requirements are included as part of the system development process. The other three choices are part of the scope of the security certification process.
Which of the following should have extremely limited access in a client/server environment? a. Source code b. Object code c. Executable code d. Machine code
a. Access to source code can provide tremendous assistance to any criminal wishing to penetrate a system's security. Without it, an intruder has to probe the running system to find its flaws; with it, the intruder can read the code and identify gaps or flaws in security directly. Adequate protection must therefore be provided for the system's source code. Source code should not reside on client machines or on the application server; it should be located only on a workstation belonging to the configuration management group, and that workstation should have extremely limited access. If the workstation can be disconnected from the network most of the time, that provides additional protection. Keeping the source confidential is a layer of defense, not a substitute for removing the flaws it contains. Moreover, source code is in human-readable form, whereas the other three types of code listed are not.
Which of the following is not a secondary source for malware incident detection? a. Antivirus software b. Firewall log files c. Network-based IPS sensors d. Capture files from packet sniffers
a. Antivirus software is the primary source of data for malware incident detection. Examples of secondary sources include (i) firewall and router log files, which might show blocked connection attempts, (ii) log files from e-mail servers and network-based IPS sensors, which might record e-mail headers or attachment names, (iii) packet capture files from packet sniffers, network-based IPS sensors, and network forensic analysis tools, which might contain a recording of malware-related network traffic. Host-based IPS is also a secondary source.
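Worked example (added here; it is not part of the original question set): a small detector that treats firewall log lines as the secondary data source described above. The log lines are constructed for the example in a Netfilter/iptables-style key=value format with a DROP/ACCEPT prefix, and the parser assumes that format. A source whose blocked connections to a single port touch many distinct destinations is flagged, which is the kind of worm-like propagation a firewall log can reveal before an antivirus signature exists.

```python
import re
from collections import defaultdict

# Constructed, Netfilter/iptables-style log lines (not taken from any real system).
# The DROP/ACCEPT prefix and the key=value fields are the format this parser assumes.
SAMPLE_FIREWALL_LOG = """\
Mar  3 10:01:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.7 PROTO=TCP SPT=51000 DPT=445
Mar  3 10:01:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.8 PROTO=TCP SPT=51001 DPT=445
Mar  3 10:01:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP SPT=51002 DPT=445
Mar  3 10:01:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.10 PROTO=TCP SPT=51003 DPT=445
Mar  3 10:01:04 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.11 PROTO=TCP SPT=51004 DPT=445
Mar  3 10:01:04 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.12 PROTO=TCP SPT=51005 DPT=445
Mar  3 10:01:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=10.0.1.7 PROTO=TCP SPT=40222 DPT=443
Mar  3 10:01:06 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=10.0.1.7 PROTO=TCP SPT=40223 DPT=445
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
ACTION_RE = re.compile(r"\b(DROP|ACCEPT|REJECT)\b")


def parse_record(line):
    """Return (action, fields) for one firewall record, or None if the line is not one."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    return m.group(1), dict(KV_RE.findall(line))


def flag_scanners(log_text, threshold=5):
    """Return {src: {dport: distinct_destinations}} for sources whose blocked
    connection attempts to one port reached at least `threshold` distinct hosts.
    Only DROP records count: a blocked fan-out to one service port across many
    hosts is the signature of a worm hunting for a vulnerable service."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        action, f = rec
        if action != "DROP" or not {"SRC", "DST", "DPT"} <= f.keys():
            continue
        targets[f["SRC"]][f["DPT"]].add(f["DST"])
    return {
        src: {dport: len(dsts) for dport, dsts in ports.items() if len(dsts) >= threshold}
        for src, ports in targets.items()
        if any(len(dsts) >= threshold for dsts in ports.values())
    }


if __name__ == "__main__":
    for src, ports in flag_scanners(SAMPLE_FIREWALL_LOG).items():
        for dport, n in ports.items():
            print(f"{src}: {n} distinct hosts on port {dport} blocked, possible worm scan")
```

The threshold is deliberately a parameter: on a real network the right value depends on how many hosts a legitimate client normally talks to on that port, and the same logic applies unchanged to router, network IPS, or packet-capture summaries once they are reduced to source, destination and port.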
Which of the following statements is not true about applets? a. Applets are large application programs. b. Applets are written mostly in Java language. c. Applets are automatically downloaded. d. Applets are small application programs.
a. Applets are small application programs, mostly written in the Java programming language, that are automatically downloaded and executed by applet-enabled Web browsers. (Current browsers no longer support Java applets, but the term still appears in exam material.)
Which of the following is basic, low-privilege access to a computer? a. Application access b. Administrative access c. Privileged access d. Root access
a. Application access is basic, low-privilege access. It may include access to data entry, data update, data query, data output, or report programs. Administrative access, privileged access, and root access are advanced levels of access to a computer system that include the ability to perform significant configuration changes to the computer's operating system.
An unauthorized user has successfully accessed a computer-based application system. Which of the following preventive controls has failed to work? a. Compatibility tests b. Validity checks c. Security label checks d. Confidentiality tests
a. As a part of preventive controls, compatibility tests are used to determine whether an acceptable user is allowed to proceed in the system. This test focuses on passwords, access rules, and system privileges. A validity check is incorrect because it tests for the accuracy of codes such as state, tax rates, and vendor number. A security label check is incorrect because it tests for the specific designation assigned to a system resource such as a file, which cannot be changed except in emergency situations. A confidentiality test is incorrect because it ensures that data is disclosed only to authorized individuals.
Which of the following statements is true about application software testing? a. Basic testing equals black-box testing. b. Comprehensive testing equals black-box testing. c. Basic testing equals gray-box testing. d. Comprehensive testing equals focused testing.
a. Basic testing is a test methodology that assumes no knowledge of the internal structure and implementation details of the assessment object. Basic testing is also known as black-box testing. Comprehensive testing is a test methodology that assumes explicit and substantial knowledge of the internal structure and implementation details of the assessment object. Comprehensive testing is also known as white-box testing. Focused testing is a test methodology that assumes some knowledge of the internal structure and implementation details of the assessment object. Focused testing is also known as gray-box testing.
Which of the following is most vulnerable to Trojan horse attacks? a. Discretionary access control b. Mandatory access control c. Access control list d. Logical access control
a. Because a discretionary access control (DAC) system grants or denies access based solely on the identity of the requesting subject, it carries an inherent flaw that makes it vulnerable to Trojan horse attacks. Most programs that run on behalf of a user inherit the discretionary access rights of that user, so a malicious program the user runs can read everything the user can read and write it anywhere the user can write.
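Worked example (added here; not from the original material): a toy model of the two policies that shows the flaw in code. The users, files, ACLs and sensitivity levels are constructed for the example, and the MAC rules are the Bell-LaPadula "no read up, no write down" properties. A Trojan horse run by Alice inherits Alice's discretionary rights and copies her secret file into a world-writable file the attacker can read; under mandatory labels the same write-down is refused no matter who runs the program.

```python
# Toy access-control model (constructed for this example, not production code).

class Obj:
    """A protected object with both a DAC access list and a MAC sensitivity label."""

    def __init__(self, owner, acl, label):
        self.owner = owner      # DAC: the identity allowed to change the ACL
        self.acl = acl          # DAC: {subject: set of modes}; "*" means everyone
        self.label = label      # MAC: sensitivity level (0 = public, 2 = secret)
        self.data = ""


def dac_allows(subject, obj, mode):
    """Discretionary check: only the acting identity matters, never the program."""
    return mode in obj.acl.get(subject, set()) or mode in obj.acl.get("*", set())


def mac_allows(clearance, obj, mode):
    """Mandatory check (Bell-LaPadula): no read up, no write down."""
    if mode == "r":
        return clearance >= obj.label
    if mode == "w":
        return clearance <= obj.label
    return False


def allowed(policy, subject, clearance, obj, mode):
    if policy == "DAC":
        return dac_allows(subject, obj, mode)
    if policy == "MAC":
        return mac_allows(clearance, obj, mode)
    raise ValueError(f"unknown policy {policy!r}")


def trojan_copy(policy, subject, clearance, src, dst):
    """The attacker's code, executed by the victim. It runs with the victim's
    identity and clearance and tries to copy src into dst. Returns True on success."""
    if allowed(policy, subject, clearance, src, "r") and allowed(policy, subject, clearance, dst, "w"):
        dst.data = src.data
        return True
    return False


def run_scenario(policy):
    """Alice (clearance 2) owns a secret file. Mallory (clearance 0) owns a public
    scratch file that she made world-writable as bait. Alice runs Mallory's program.
    Returns True if Mallory ends up able to read Alice's secret."""
    payroll = Obj(owner="alice", acl={"alice": {"r", "w"}}, label=2)
    payroll.data = "salary table"
    scratch = Obj(owner="mallory", acl={"mallory": {"r", "w"}, "*": {"w"}}, label=0)
    trojan_copy(policy, "alice", 2, payroll, scratch)
    return allowed(policy, "mallory", 0, scratch, "r") and scratch.data == payroll.data


if __name__ == "__main__":
    for policy in ("DAC", "MAC"):
        print(policy, "leaks the secret:", run_scenario(policy))
```

Under DAC every check the Trojan makes passes, because Alice is entitled to read payroll and anyone may write scratch; the access list never sees that the request comes from untrusted code. Under MAC the read succeeds but the write to a lower label fails, which is exactly the property that makes mandatory controls resistant to this attack.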
Which of the following tests is driven by system requirements? a. Black-box testing b. White-box testing c. Gray-box testing d. Integration testing
a. Black-box testing, also known as functional testing, executes part or all of the system to validate that the user requirement is satisfied; its test cases are derived from the system requirements. White-box testing, also known as structural testing, examines the logic of the units and may be used to support software requirements for test coverage, i.e., how much of the program has been executed. Gray-box testing falls between the two, assuming some but not complete knowledge of the internal structure. Integration testing is performed to examine how units interface and interact with each other, with the assumption that the units and the objects (for example, data) they manipulate have all passed their unit tests.
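Worked example (added here; not part of the original questions, and it applies equally to the unit-testing, basic/comprehensive-testing and black-box/white-box questions above): a function under test, a black-box test set derived only from its documented requirement, and a white-box line-coverage measurement built on Python's sys.settrace. The password_strength function, its requirement and the undocumented debugging branch left inside it are constructed for the example. Every black-box case passes, yet none of them executes the undocumented branch; structural coverage exposes it, and a white-box case written from reading the code covers it.

```python
import dis
import sys


def password_strength(pw):
    """Function under test (constructed). Documented requirement: 'weak' if shorter
    than 8 characters, 'strong' if it contains both a digit and an upper-case
    letter, otherwise 'medium'. The first branch is an undocumented debugging
    shortcut a developer left behind; no requirement mentions it."""
    if pw == "letmein-debug":
        return "strong"
    if len(pw) < 8:
        return "weak"
    has_digit = any(c.isdigit() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    if has_digit and has_upper:
        return "strong"
    return "medium"


# Black-box (functional) cases: derived only from the requirement, one per class.
BLACK_BOX_CASES = {"abc": "weak", "Abcdefg1": "strong", "abcdefgh": "medium"}


def run_black_box(func, cases):
    """Return the inputs whose observed output differs from the expected output."""
    return [pw for pw, want in cases.items() if func(pw) != want]


def line_coverage(func, inputs):
    """White-box (structural) measurement: run func on each input under a tracer
    and return (lines executed, lines that exist) for func's own code object."""
    code = func.__code__
    reachable = {line for _, line in dis.findlinestarts(code) if line is not None}
    executed = set()

    def tracer(frame, event, arg):
        if frame.f_code is code and event in ("call", "line"):
            executed.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for arg in inputs:
            func(arg)
    finally:
        sys.settrace(previous)
    return executed & reachable, reachable


def uncovered_lines(func, inputs):
    """Source lines of func never executed by the given inputs, in order."""
    executed, reachable = line_coverage(func, inputs)
    return sorted(reachable - executed)


if __name__ == "__main__":
    print("black-box failures:", run_black_box(password_strength, BLACK_BOX_CASES))
    missed = uncovered_lines(password_strength, list(BLACK_BOX_CASES))
    print("lines never executed by the black-box set:", missed)
    # A white-box case chosen by reading the code, not the requirement:
    print("after adding the white-box case:",
          uncovered_lines(password_strength, list(BLACK_BOX_CASES) + ["letmein-debug"]))
```

The point is the one the answer makes: functional tests can all pass while a whole branch stays dark, and only a structural view (here, raw line coverage) shows that the code does something the requirements never asked for.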
Attackers use which of the following to corrupt a Web application execution stack? a. Buffer overflows b. Injection flaws c. Denial-of-service d. Improper error handling
a. Buffer overflows occur when Web application components (for example, CGI programs, libraries, drivers, and Web application servers) do not properly validate the length of their input. Such components can be crashed and, in some cases, used to take control of the process and corrupt its execution stack.
Controlling and maintaining an accurate inventory of any changes to an information system is possible due to which of the following? a. Configuration management and controls b. Continuous monitoring c. Security certification d. Security accreditation
a. Configuration management and control, which is part of the operation and maintenance phase, deals with controlling and maintaining an accurate inventory of any changes to the system. Security certification and security accreditation are part of the implementation phase; continuous monitoring also belongs to the operation and maintenance phase but tracks control effectiveness rather than the change inventory.
Backdoors are which of the following? a. They are entry points into a computer program. b. They are choke points into a computer program. c. They are halt points into a computer program. d. They are exit points into a computer program.
a. Programmers frequently create entry points (backdoors) into a program for debugging purposes and/or for inserting new program code at a later date. The other three choices do not apply because they do not deal with entry points.
Data-flow diagrams are used in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
a. Data-flow diagrams describe the flow of data through a program in diagrammatic form. They show how data input is transformed into output, with each stage representing a distinct transformation. The diagrams use three types of components: 1. Annotated bubbles represent transformation centers; the annotation specifies the transformation. 2. Annotated arrows represent the data flow in and out of the transformation centers; the annotations specify what the data is. 3. Operators (AND and OR) link the annotated arrows. Data-flow diagrams describe only data and should not include control or sequencing information. Each bubble can be considered a black box that, as soon as its inputs are available, transforms them into outputs. Each bubble should represent a distinct transformation whose output is somehow different from its input.
The scope of a functional configuration audit does not include which of the following? a. Evaluation of change control b. Testing of software product c. Tracing of system requirements d. Evaluation of test approach and results
a. Evaluation of change control is a part of the physical configuration audit, whereas the other choices are part of the functional configuration audit. The physical configuration audit provides an independent evaluation of whether components in the as-built version of the software map to the specifications of the software. Specifically, this audit is held to verify that the software and its documentation are internally consistent and ready for delivery. Activities typically planned and executed as part of the physical configuration audit include evaluation of product composition and structure, product functionality, and change control. The functional configuration audit provides an independent evaluation of configuration items to determine whether actual functionality and performance are consistent with the requirements specifications. Specifically, this audit is conducted prior to the software delivery to verify that all requirements specified in the requirements document have been met. Activities typically planned and executed as part of a functional configuration audit include testing of software products, tracing of system requirements from their initial specification through system testing, evaluation of the test approach and results attained, and evaluating the consistency between the baselined product elements.
Which of the following statements about expert systems is not true? a. Expert systems are aimed at solving problems using an algorithmic approach. b. Expert systems are aimed at solving problems that are characterized by irregular structure. c. Expert systems are aimed at solving problems characterized by incomplete information. d. Expert systems are aimed at solving problems characterized by considerable complexity.
a. Expert systems are aimed at problems that cannot always be solved using a purely algorithmic approach. These problems are often characterized by irregular structure, incomplete or uncertain information, and considerable complexity.
Which of the following system development approaches is best when system requirements are fully understood by either the end user or the software developer? a. Waterfall model b. Incremental development model c. Evolutionary development model d. Rapid prototyping model
a. Functional decomposition works best when the system requirements are completely understood by the software developer or the end user, and the waterfall model is built on the functional decomposition principle. It assumes that system requirements can be defined thoroughly and that end users know exactly what they want from the system. Incremental and evolutionary development models are incorrect because successive versions of the system are developed to reflect constrained technology or resources, with requirements added in a layered manner. The rapid prototyping model is incorrect because it is the opposite of the waterfall model: it is appropriate when requirements are not fully understood by either party. Its iterative process shortens the specification-to-customer feedback cycle and produces early versions of the system.
Which of the following cannot handle the complete workload of a malware incident and cannot ensure a defense-in-depth strategy? a. Antivirus software b. E-mail filtering c. Network-based intrusion prevention system software d. Host-based IPS software
a. In a widespread incident, if malware cannot be identified by updated antivirus software, or if updated signatures are not yet fully deployed, organizations should be prepared to use other security tools to contain the malware until the antivirus signatures can perform the containment effectively. Expecting antivirus software to handle the complete workload of a malware incident is unrealistic during high-volume infections. By using a defense-in-depth strategy for detecting and blocking malware, an organization can spread the workload across multiple components. Antivirus software alone cannot provide a defense-in-depth strategy; automated detection methods other than antivirus software are needed, including e-mail filtering, network-based intrusion prevention system (IPS) software, and host-based IPS software.
If manual controls over program changes were weak, which of the following would be effective? a. Automated controls b. Written policies c. Written procedures d. Written standards
a. In general, automated controls compensate for the weaknesses in or lack of manual controls or vice versa (i.e., a compensating control). For example, an automated software management system can help in strengthening controls by moving programs from production to test libraries and back. It minimizes human errors in moving wrong programs or forgetting to move the right ones. Written policies, procedures, and standards are equally necessary in manual and automated environments.
Security categorization is performed in which of the following phases of an application system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operations/maintenance
a. Security categorization standards provide a common framework for expressing security needs. Categorization is based on an assessment of the potential impact (i.e., low, moderate, or high) that a loss of confidentiality, integrity, or availability of information systems would have on organizational operations, organizational assets, or individuals. It is a task performed in the initiation phase.
Security certification is made in support of which of the following? a. Security accreditation b. Management controls c. Operational controls d. Technical controls
a. Security certification is a comprehensive assessment of the management, operational, and technical controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcomes.
Which of the following software testing levels is least understood by software developers and end users? a. Integration testing b. Unit testing c. System testing d. Module testing
a. Integration testing is conducted when software units are integrated with other software units or with system components. Its objective is to test the interfaces among separately tested program units. Software integration tests check how the units interact with other software (for example, libraries) and hardware. Integration testing sits in the middle; it is neither unit testing nor system testing. The approach varies: top-down, bottom-up, a combination of the two (sandwich), or all-at-once (big-bang). Because integration testing can be conducted in so many ways, and because there is no base document such as a specification to rely on when designing the tests, its objectives are harder to understand clearly. Unit testing and module testing are incorrect because they are the best understood of all. Unit testing is the same as module testing; unit/module test cases are derived from the detailed design documentation of the unit, and each unit or module has a defined beginning and ending, deals with specific inputs and outputs, and has well-defined boundaries. System testing is incorrect because it is better understood than integration testing: end users know what they expect from the system because it is based on functional rather than structural knowledge, and system test cases are derived from the requirements specification document.
From a testing viewpoint, when does a formal change control mechanism start? a. After completion of integration testing b. After completion of unit testing c. After completion of systems testing d. After completion of acceptance testing
a. Integration testing is the cutoff point for the development project; the work after integration is the back end of the project. Integration is the development phase in which the various parts and components are combined to form the entire software product, and after integration the product is usually placed under formal change control. Specifically, after integration testing every change to the software must have a specific reason and must be documented and tracked. It is too early to have a formal change control mechanism during unit testing because of constant changes to program code. It is too late to start formal change control after completing system or acceptance testing.
The information systems security analyst's participation in which of the following system development life cycle (SDLC) phases provides maximum benefit to the organization? a. System requirements definition b. System design c. Program development d. Program testing
a. It is during the system requirements definition phase that the project team identifies the controls the system needs. The identified controls are then incorporated into the system during the design phase. Given a choice between the system requirements definition phase and the design phase, the security analyst provides the most benefit by participating in the former. The analyst does not need to participate in the program development or testing phases.
Protection mechanisms defined in security design architecture include which of the following? a. Layering, abstraction, and data hiding b. Isolation, segmentation, and separation c. Security kernel, reference monitor, and system high d. Accountability, integrity, and confidentiality
a. Layering, abstraction, and data hiding are part of security design architecture. The other three choices deal with security control architecture. Layering uses multiple, overlapping protection mechanisms to address the people, technology, and operational aspects of IT. Abstraction is related to stepwise refinement and modularity of computer programs. Data hiding is closely related to modularity and abstraction and, subsequently, to program maintainability.
Which of the following is better for training IT staff in malware incident handling? a. Use an isolated test system. b. Use an infected production system. c. Keep the test system and the production system physically separate. d. Keep the test system and the production system logically separate.
a. Malware test systems and environments are helpful not only for analyzing current malware threats without the risk of inadvertently causing additional damage to the organization, but also for training staff in malware incident handling. An infected production system, or a disk image of one, can also be placed into an isolated test environment. Physical separation may not always be possible, whereas logical separation usually is. Both physical and logical separation are important, but neither is as important as using an isolated test system.
The activity that would be different between a prototype development approach and the traditional system development approach is: a. How are activities to be accomplished? b. What do users need from the system? c. What should a project plan contain? d. How are individual responsibilities defined?
a. Managers still need to define what they want from the system, some assessment of costs/benefits is still needed, and a plan to proceed with individual responsibilities is still required. The difference may be in the way activities are accomplished. The tools, techniques, methods, and approaches used in the prototype development project and traditional system development project are different.
Which of the following is a good definition of security control monitoring? a. Verifying the continued effectiveness of security controls over time b. Verifying the continued efficiency of security controls over time c. Verifying the development effectiveness of security controls over time d. Verifying the planning effectiveness of security controls over time
a. Organizations need periodic and continuous testing and evaluation of the security controls in an information system to ensure that the controls are effective in their application. Security control monitoring means verifying the continued effectiveness of those controls over time.
Defining roles and responsibilities is important in identifying infected hosts with malware incidents. Which of the following groups can assist with host scans? a. Security administrators b. System administrators c. Network administrators d. Desktop administrators
a. Organizations should identify which individuals or groups can assist in infection identification efforts. Security administrators are good at analyzing host scans along with antivirus software, intrusion prevention system (IPS) software, firewalls, and vulnerability assessment results.
The security-planning document developed in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following? a. Statement of work development b. Configuration management plan c. Contingency plan d. Incident response plan
a. The statement of work development is a part of other planning components in the development/acquisition phase of a system development life cycle (SDLC). The other three choices are part of the security-planning document.
What is the main feature of software configuration management (SCM)? a. Tracing of all software changes b. Identifying individual components c. Using computer-assisted software engineering tools d. Using compilers and assemblers
a. Software configuration management (SCM) is practiced and integrated into the software development process throughout the entire life cycle of the product. One of the main features of SCM is the tracing of all software changes. Identifying individual components is incorrect because it is a part of configuration identification function. The goals of configuration identification are to create the ability to identify the components of the system throughout its life cycle and to provide traceability between the software and related configuration identification items. Computer-assisted software engineering (CASE) tools, compilers, and assemblers are incorrect because they are examples of technical factors. SCM is essentially a discipline applying technical and administrative direction and surveillance for managing the evolution of computer program products during all stages of development and maintenance. Some examples of technical factors include use of CASE tools, compilers, and assemblers.
Software vendors and contractors can install a backdoor entry into their own products or client's computer systems. Which of the following are major risks arising from such installation? a. Software disconnection and hacker entry b. Remote monitoring and remote maintenance c. Software disconnection and remote monitoring d. Remote maintenance and hacker entry
a. Some vendors install a backdoor or trapdoor entry for remote monitoring and maintenance purposes. The good news is that the backdoor is a convenient way to solve operational problems. The bad news is that the backdoor is equally open to hackers, and the vendor can modify the software at will without the user's knowledge or permission. An unhappy vendor can also disconnect a user from the software as a penalty for nonpayment or a payment dispute. Access codes should be required for remote monitoring and maintenance, and such access should be authenticated and logged.
The application software test objective of verifying boundary conditions of a program is achieved in which of the following types of software testing approaches? a. Stress testing b. Conversion testing c. Performance testing d. Regression testing
a. Stress testing examines the response of the system to extreme conditions (for example, an exceptionally high workload over a short span of time) in order to identify vulnerable points within the software and to show that the system degrades predictably beyond its normal workload. Examples of conditions applied during stress testing include the following: (i) if the size of the database plays an important role, increase it beyond normal conditions, (ii) increase the input changes or demands per time unit beyond normal conditions, (iii) tune influential factors to their maximum or minimum speed, and (iv) for the most extreme cases, put all influential factors at their boundary conditions at the same time. Stress testing can detect design errors related to the full-service requirements of the system and errors in planning defaults when the system is overstressed. Conversion testing is incorrect because it determines whether old data files and record balances are carried forward accurately, completely, and properly to the new system. Performance testing is incorrect because it measures the resources required, such as memory and disk, and determines system response time. Regression testing is incorrect because it verifies that changes do not introduce new errors.
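Worked example (added here; not from the original material) of the boundary-condition objective in code: boundary-value points are generated for each inclusive input range and, as in item (iv) above, every combination of those points is exercised so that all influential factors sit at their boundaries at the same time. The order-acceptance function, its specification and its off-by-one defect are constructed for the example.

```python
from itertools import product


def boundary_values(lo, hi):
    """Classic test points for an inclusive range [lo, hi]: just outside, on,
    and just inside each boundary, plus one nominal value in the middle."""
    return [lo - 1, lo, lo + 1, (lo + hi) // 2, hi - 1, hi, hi + 1]


def boundary_defects(func, ranges):
    """ranges: one (lo, hi) pair per parameter of func.
    Exercises every combination of boundary points, so that all factors are at
    their limits simultaneously, and returns the argument tuples where func
    disagrees with the specification 'accept iff every argument lies within
    its inclusive range'."""
    points = [boundary_values(lo, hi) for lo, hi in ranges]
    return [
        args
        for args in product(*points)
        if func(*args) != all(lo <= a <= hi for a, (lo, hi) in zip(args, ranges))
    ]


def accept_order_buggy(quantity, unit_price_cents):
    """Spec (constructed): 1 to 100 items and a unit price of 1 to 50,000 cents,
    both inclusive. The upper quantity comparison is exclusive by mistake."""
    return 0 < quantity < 100 and 1 <= unit_price_cents <= 50_000


def accept_order_fixed(quantity, unit_price_cents):
    return 1 <= quantity <= 100 and 1 <= unit_price_cents <= 50_000


ORDER_RANGES = [(1, 100), (1, 50_000)]

if __name__ == "__main__":
    print("buggy :", boundary_defects(accept_order_buggy, ORDER_RANGES))
    print("fixed :", boundary_defects(accept_order_fixed, ORDER_RANGES))
```

Seven points per parameter give 49 combinations for two parameters; the defect shows up only in the five combinations where the quantity is exactly 100 and the price is valid, which is precisely the case a nominal-value test never reaches.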
Which of the following refers to the Reference Monitor concept? a. It is a system access control concept. b. It is a system penetration concept. c. It is a system security concept. d. It is a system-monitoring concept.
a. The Reference Monitor concept is an access control concept that refers to an abstract computer mediating all accesses to objects by subjects. It is useful to any system providing multilevel secure computing facilities and controls.
When does a major risk in application software prototyping occur? a. The prototype becomes the finished system. b. User's expectations are inflated. c. Too much attention is paid to cosmetic details. d. The model is iterated too many times.
a. The application software prototype becoming the finished system is a major risk in prototyping unless this is a conscious decision, as in evolutionary prototyping, where the prototype is deliberately refined, version by version, into the production system. Inflated user expectations are a risk that can be managed with proper education and training. Paying attention to cosmetic details is not bad in itself, except that it wastes valuable time. The prototype model is supposed to be iterated many times, because that is the best way to define and redefine user requirements and security features until they are satisfied.
The goal of which of the following virus obfuscation techniques is to prevent analyzing the virus's functions through disassembly? a. Armoring b. Tunneling c. Self-decryption d. Metamorphism
a. The intent of armoring is to write a virus so that it attempts to prevent antivirus software or human experts from analyzing the virus's functions through disassembly (i.e., reverse engineering technique), traces, and other means. Tunneling is incorrect because it deals with the operating system. A virus that employs tunneling inserts itself into a low level of the operating system so that it can intercept low-level operating system calls. By placing itself below the antivirus software, the virus attempts to manipulate the operating system to prevent detection by antivirus software. Self-decryption is incorrect because some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination. Metamorphism is incorrect because the idea behind it is to alter the content of the virus itself, rather than hiding the content with encryption.
Which of the following statements is not true about artificial neural networks (ANNs)? a. The intention of ANNs is to replicate the workings of the human brain. b. The goal of ANNs is to develop computers that can learn from experience. c. ANNs have a capacity to generalize. d. ANNs complement the existing design of computers.
a. The intention is not to replicate the workings of the human brain but to use a simple model to see if some of the strengths of the human brain can be shown by computers based on that model. An important goal is to develop computers that can learn from experience. In the process of learning from experience, ANNs show a capacity to generalize; that is, they recognize a new problem as being "close" to one they know and offer the same solution. ANNs are not meant to replace or supersede the existing design of computers. They are meant to complement them.
In the application security environment, system or network transparency is achieved through which of the following security principles? a. Process isolation and hardware segmentation b. Abstraction and accountability c. Security kernel and reference monitor d. Complete mediation and open design
a. Transparency is the ability to simplify the task of developing management applications by hiding distribution details. There are different aspects of transparency, such as access, failure, location, migration, replication, and transaction transparency. Transparency means that network components or segments cannot be seen by insiders and outsiders, and that the actions of one user group cannot be observed by other user groups. Transparency is achieved through the process isolation and hardware segmentation principles. The principle of process isolation or separation is employed to preserve the wholeness of objects and the adherence of subjects to a code of behavior. It is necessary to prevent objects from colliding or interfering with one another and to prevent the actions of active agents (subjects) from interfering or colluding with one another. The principle of hardware segmentation provides hardware transparency when hardware is designed in a modular fashion and yet interconnected. A failure in one module should not affect the operation of other modules. Similarly, a module attacked by an intruder should not compromise the entire system. System architecture should be arranged so that vulnerable networks or network segments can be quickly isolated or taken offline in the event of an attack. Examples of hardware that need to be segmented include network switches, physical circuits, and power supply equipment. The abstraction principle is related to stepwise refinement and modularity of programs. As the software design evolves, each level of module in a program structure represents a refinement in the level of software abstraction. Abstraction is presented in levels, where a problem is defined and a solution is stated in broad terms at the highest level of abstraction (during the requirements and analysis phases) and where source code is generated at the lowest levels of abstraction (during the programming phase). The accountability principle holds an individual responsible for his actions. From this principle, requirements are derived to uniquely identify and authenticate the individual, to authorize his actions within the system, to establish a historical track record or account of these actions and their effects, and to monitor or audit this historical account for deviations from the specified code of action. The security kernel principle refers to the central part of a computer system (software and hardware) that implements the fundamental security procedures for controlling access to system resources. The principle of a reference monitor is the primary abstraction enabling an orderly evaluation of a standalone computer system with respect to its ability to enforce both mandatory and discretionary access controls. The principle of complete mediation stresses that every access request to every object must be checked for authority. This requirement forces a global perspective for access control during all functional phases (for example, normal operation and maintenance). Also stressed are reliable identification of access request sources and reliable maintenance of changes in authority. The principle of open design stresses that design secrecy or reliance on user ignorance is not a sound basis for secure systems. Open design enables open debate and inspection of the strengths, or the origins of a lack of strength, of a particular design. Secrecy can be implemented through the use of passwords and cryptographic keys instead of secrecy in design.
Which of the following software assurance processes is responsible for ensuring that any changes to software outputs during the system development process are made in a controlled and complete manner? a. Software configuration management processes b. Software project management processes c. Software quality assurance processes d. Software verification and validation processes
a. The objectives of the software configuration management (SCM) process are to track the different versions of the software and ensure that each version of the software contains the exact software outputs generated and approved for that version. SCM is responsible for ensuring that any changes to any software outputs during the development processes are made in a controlled and complete manner. The objective of the project management process is to establish the organizational structure of the project and assign responsibilities. This process uses the system requirements documentation and information about the purpose of the software, criticality of the software, required deliverables, and available time and resources to plan and manage the software development and software assurance processes. It establishes or approves standards, monitoring and reporting practices, and high-level policy for quality, and it cites policies and regulations. The objectives of the software quality assurance process are to ensure that the software development and software assurance processes comply with software assurance plans and standards, and to recommend process improvement. This process uses the system requirements and information about the purpose and criticality of the software to evaluate the outputs of the software development and software assurance processes. The objective of the software verification and validation (SV&V) process is to comprehensively analyze and test the software concurrently with the processes of software development and software maintenance. The process determines that the software performs its intended functions correctly, ensures that it performs no unintended functions, and measures its quality and reliability. SV&V is a detailed engineering assessment for evaluating how well the software is meeting its technical requirements, in particular its safety, security, and reliability objectives, and for ensuring that software requirements are not in conflict with any standards or requirements applicable to other system components.
Finite state machines (FSMs) are used in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
a. The purpose of a finite state machine (FSM) is to define or implement the control structure of a system. Many systems can be defined in terms of their states, inputs, and actions. By defining a system's actions for each input in every state, you can completely define a system. The resulting model of the system is an FSM, which can detect incomplete or inconsistent requirements specifications.
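The answer above says that writing a system's behaviour down as an FSM (actions for every input in every state) makes incomplete or inconsistent requirements detectable. The following is an added example, not part of the original question bank: a small executable FSM specification with a checker that reports missing transitions, conflicting transitions and undefined target states. The login-session states, inputs and defects are constructed for the demonstration.

```python
"""Executable finite state machine (FSM) specification checker.

Added example (not from the original question bank). A control structure
is specified as states, inputs and, for each (state, input) pair, the
action and next state. Once written down this way the spec can be checked
mechanically for the two defects the question mentions: incomplete
specifications (some state has no defined behaviour for some input) and
inconsistent specifications (two conflicting behaviours for the same
state/input pair, or a transition into a state that was never defined).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Transition:
    next_state: str
    action: str


@dataclass
class FsmSpec:
    states: Set[str]
    inputs: Set[str]
    # (state, input) -> candidate transitions; a well-formed spec has exactly one
    table: Dict[Tuple[str, str], List[Transition]] = field(default_factory=dict)

    def add(self, state, inp, next_state, action):
        self.table.setdefault((state, inp), []).append(Transition(next_state, action))


def check_spec(spec):
    """Return (incomplete, inconsistent) lists describing defects in the spec."""
    incomplete = []
    inconsistent = []
    for state in sorted(spec.states):
        for inp in sorted(spec.inputs):
            cands = spec.table.get((state, inp), [])
            if not cands:
                incomplete.append(f"{state} on {inp}: no transition defined")
            elif len(cands) > 1:
                targets = ", ".join(f"{c.action}->{c.next_state}" for c in cands)
                inconsistent.append(f"{state} on {inp}: conflicting transitions ({targets})")
            for c in cands:
                if c.next_state not in spec.states:
                    inconsistent.append(f"{state} on {inp}: undefined target state {c.next_state}")
    return incomplete, inconsistent


def run(spec, start, sequence):
    """Execute the spec on an input sequence; fail loudly on an unspecified pair."""
    state = start
    actions = []
    for inp in sequence:
        cands = spec.table.get((state, inp), [])
        if len(cands) != 1:
            raise ValueError(f"unspecified or ambiguous behaviour: {state} on {inp}")
        actions.append(cands[0].action)
        state = cands[0].next_state
    return state, actions


def example_spec():
    """Constructed login-session control structure with deliberate spec defects."""
    spec = FsmSpec(
        states={"LoggedOut", "Authenticating", "LoggedIn", "Locked"},
        inputs={"submit_credentials", "auth_ok", "auth_fail", "logout", "timeout"},
    )
    spec.add("LoggedOut", "submit_credentials", "Authenticating", "check_password")
    spec.add("Authenticating", "auth_ok", "LoggedIn", "create_session")
    spec.add("Authenticating", "auth_fail", "LoggedOut", "increment_failures")
    spec.add("Authenticating", "auth_fail", "Locked", "lock_account")  # conflicts with the line above
    spec.add("LoggedIn", "logout", "LoggedOut", "destroy_session")
    spec.add("LoggedIn", "timeout", "LoggedOut", "destroy_session")
    spec.add("Locked", "timeout", "Unlocked", "clear_lock")  # "Unlocked" was never declared
    # Nothing says what LoggedOut does on "timeout", "auth_ok", etc.: the spec is incomplete.
    return spec


if __name__ == "__main__":
    spec = example_spec()
    incomplete, inconsistent = check_spec(spec)
    print(f"{len(incomplete)} incomplete pairs, {len(inconsistent)} inconsistencies")
    for line in incomplete + inconsistent:
        print("  ", line)
```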
Decision tables are used in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
a. The purpose of decision tables is to provide a clear and coherent analysis of complex logical combinations and relationships. This method uses two-dimensional tables to concisely describe logical relationships between Boolean program variables (for example, AND and OR). Advantages of decision tables include (i) their conciseness and tabular nature enable the analysis of complex logical combinations expressed in code and (ii) they are potentially executable if used as specifications. Disadvantages include the tedious effort they require. The requirements analysis, which is part of the initiation phase, is the best place to use decision tables.
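The answer above notes that a decision table can be analyzed for its logical combinations and, used as a specification, executed. The following is an added example, not part of the original question bank: a decision table over Boolean conditions with a completeness and contradiction check across all combinations, plus a decide() routine that executes the table. The login conditions, rules and defects are constructed for the demonstration.

```python
"""Executable decision table with completeness and ambiguity checks.

Added example (not from the original question bank). A decision table lists
Boolean conditions as rows and rules as columns; each cell is True, False or
"-" (don't care). Because the table is two-dimensional and finite, every
combination of condition values can be enumerated and checked: a combination
matched by no rule means the spec is incomplete, and a combination matched by
rules with different actions means the spec is contradictory. The same table
is then used as an executable specification.
"""
from itertools import product

DONT_CARE = "-"


class DecisionTable:
    def __init__(self, conditions, rules):
        # rules: list of (dict condition -> True/False/DONT_CARE, action)
        self.conditions = list(conditions)
        self.rules = rules

    def _matches(self, rule_conditions, values):
        # A rule matches when every condition it constrains agrees with the values.
        return all(rule_conditions.get(c, DONT_CARE) in (DONT_CARE, values[c])
                   for c in self.conditions)

    def _actions_for(self, values):
        return {action for conds, action in self.rules if self._matches(conds, values)}

    def analyze(self):
        """Return (uncovered, contradictory) over all 2**n condition combinations."""
        uncovered, contradictory = [], []
        for combo in product([True, False], repeat=len(self.conditions)):
            values = dict(zip(self.conditions, combo))
            actions = self._actions_for(values)
            if not actions:
                uncovered.append(values)
            elif len(actions) > 1:
                contradictory.append((values, sorted(actions)))
        return uncovered, contradictory

    def decide(self, **values):
        """Execute the table as a specification for one set of condition values."""
        missing = set(self.conditions) - set(values)
        if missing:
            raise ValueError(f"missing conditions: {sorted(missing)}")
        actions = self._actions_for(values)
        if len(actions) != 1:
            raise ValueError(f"table yields {len(actions)} actions for {values}")
        return actions.pop()


def example_table():
    """Constructed table for a login decision with two deliberate defects."""
    conds = ["valid_password", "mfa_passed", "account_locked"]
    rules = [
        ({"account_locked": True}, "deny"),
        ({"valid_password": True, "mfa_passed": True, "account_locked": False}, "allow"),
        # Defect 1: the author forgot the mfa_passed=False column, so one
        # combination (bad password, no MFA, not locked) is covered by no rule.
        ({"valid_password": False, "mfa_passed": True, "account_locked": False}, "deny"),
        # Defect 2: account_locked left as don't-care, so a locked account with a
        # valid password is matched by both this rule and rule 1 with different actions.
        ({"valid_password": True, "mfa_passed": False}, "prompt_mfa"),
    ]
    return DecisionTable(conds, rules)


if __name__ == "__main__":
    table = example_table()
    uncovered, contradictory = table.analyze()
    print("uncovered combinations:", uncovered)
    print("contradictory combinations:", contradictory)
    print("decision:", table.decide(valid_password=True, mfa_passed=True, account_locked=False))
```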
Formal methods or verification of application software is performed in which of the following phases of system development life cycle (SDLC)? a. Initiation and development b. Development and implementation c. Implementation and operation d. Operation and disposal
a. The purpose of formal methods is to check whether software fulfills its intended function. They involve the use of theoretical and mathematical models to prove the correctness of a program without executing it. The requirements should be written in a formal specification language (for example, VDM and Z) so that they can then be verified using a proof of correctness. Using this method, the program is represented by a theorem and is proved with first-order predicate calculus. A number of assertions are stated at various locations in the program and are used as pre- and post-conditions for various paths in the program. The proof consists of showing that the program transforms the pre-conditions into the post-conditions according to a set of logical rules, and that the program terminates.
Which of the following techniques cannot be used in all phases of a system development life cycle (SDLC)? a. Prototyping b. Reviews c. Simulation d. Walkthroughs
a. The purpose of prototyping is to check the feasibility of implementing a system against the given constraints and to communicate the specifier's interpretation of the system to the customer in order to locate misunderstandings. A subset of system functions, constraints, and performance requirements is selected. A prototype is built using high-level tools and is evaluated against the customer's criteria; the system requirements may be modified as a result of this evaluation. Usually, prototyping is used to define the user requirements of the system. A review is a meeting at which the requirements, design, code, or other products of a software development project are presented to the user, sponsor, or other interested parties for comment and approval, often as a prerequisite for concluding a given phase of the software development process. A review is usually held at the end of a phase, but it may be called when problems arise. Simulation is used to test the functions of a software system, together with its interface to the real environment, without modifying the environment in any way. The simulation may be software only or a combination of hardware and software. A walkthrough is an evaluation technique in which a designer or programmer leads one or more other members of the development team through a segment of design or code, while the other members ask questions and make comments about technique and style, and identify possible errors, violations of development standards, and other problems. Walkthroughs are similar to reviews but are less formal.
Which of the following comes first in the security certification and accreditation process of an information system? a. Security certification b. Security recertification c. Security accreditation d. Security reaccreditation
a. The security certification work comes first as it determines the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired system security posture. This assurance is achieved through system security assessments. The security accreditation package documents the results of the security certification. Recertification and reaccreditation occur periodically and sequentially whenever there is a significant change to the system or its operational environment as part of ongoing monitoring of security controls.
Which of the following categories of problem-solving activity is best suited to expert systems? a. Tasks based on a limited domain b. Tasks based on common sense knowledge c. Tasks requiring perceptual knowledge d. Tasks based on creativity
a. The size of completed expert systems is often large, consisting of hundreds or thousands of rules. If the task is too broad, the development effort may take an inordinate amount of time, or even be impossible. Two important guidelines for evaluating the scope and size of the problem are that the task must be narrowly focused and that the task should be decomposable. In other words, expert system tasks should be based on a limited domain. The other three choices are areas to avoid for expert system methods. These include (i) tasks based on common sense, (ii) tasks requiring perceptual (seeing or touching) knowledge, and (iii) tasks requiring creativity. People, not expert systems, are creative.
What is the name of the malicious act of a computer program looking normal but containing harmful code? a. Trapdoor b. Trojan horse c. Worm d. Time bomb
b. A Trojan horse fits the description: it is a program that performs a useful function but also an unexpected action, and it is a form of virus. Trapdoor is incorrect because it is an entry point built into a program by programmers for debugging purposes. Worm is incorrect because it searches the network for idle computing resources and uses them to execute a program in small segments. Time bomb is incorrect because it is a type of logic bomb in which a damaging act is triggered some period of time after the bomb is set.
Which of the following actions is performed in the detailed design phase of a system development life cycle (SDLC) project? a. Defining control, security, and audit requirements b. Developing screen flows with specifications c. Identifying major purpose(s) of the system d. Developing system justification
b. A detailed design occurs after the general design is completed where known tasks are described and identified in a much more detailed fashion and are ready for program design and coding. This includes developing screen/program flows with specifications, input and output file specifications, and report specifications. The other three choices are incorrect because, by definition, they are examples of activities taking place in the general design phase. System requirements are the input to the general design where the system is viewed from top-down and where higher-level design issues are addressed. This includes (i) identifying the purpose and major functions of the system and its subsystems, (ii) defining control, security, and audit requirements, and (iii) developing system justification for the approval of analysis of alternative design choices.
A macro virus is most difficult to: a. Prevent b. Detect c. Correct d. Attach
b. A macro virus is associated with a word processing file, and it can damage the computer system. Macro viruses pass through firewalls with ease because they are usually passed on as an e-mail message or simply downloaded as a text document. The macro virus represents a significant threat because it is difficult to detect. A macro virus consists of instructions in Word Basic, Visual Basic for Applications, or some other macro language, and resides in documents. Any application that supports macros that execute automatically is a potential platform for macro viruses. Documents are now more widely shared through networks and the Internet than via disks.
In the context of a reference monitor concept, a reference validation mechanism doesn't need to meet which one of the following design requirements? a. The reference validation mechanism must be tamperproof. b. The reference validation mechanism must be large. c. The reference validation mechanism must not be bypassed. d. The reference validation mechanism must always be invoked.
b. A reference monitor concept is an access control concept that refers to an abstract machine (computer) that mediates all accesses to objects by subjects. The five design requirements that must be met by a reference validation mechanism include (i) it must be tamperproof, (ii) it must not be bypassed, (iii) it must always be invoked, (iv) it must be small enough to be subject to analysis and tests, and (v) it must provide confidence that the other four items are assured. The reference monitor concept is useful to any system providing multilevel secure computing facilities and controls.
Which of the following is true about a stealth virus? a. It is easy to detect. b. It is a resident virus. c. It can reveal file size increases. d. It doesn't need to be active to show stealth qualities.
b. A stealth virus is a resident virus that attempts to evade detection by concealing its presence in infected files. An active stealth file virus typically does not reveal any size increase in infected files, and it must be active to exhibit its stealth qualities.
Which of the following can give a false sense of security? a. A test tool that requires planning. b. A test tool that produces error-free software. c. A test tool that requires time and effort. d. A test tool that requires experience to use
b. A test tool cannot guarantee error-free software; it is neither a cure-all nor a silver bullet. For some, it may give a false sense of security. The test tool still requires careful planning, time, effort, and experience before it can be used to benefit.
Attackers can use which of the following flaws to attack back-end components through a Web application? a. Broken access control b. Invalidated input c. Broken authentication d. Cross-site scripting flaws
b. According to the Open Web Application Security Project (OWASP), information from Web requests is not validated before being used by a Web application, leading to a vulnerability from invalidated input.
Which of the following is not part of malware incident detection and analysis phase? a. Understanding signs of malware incidents b. Acquiring tools and resources c. Identifying malware incident characteristics d. Prioritizing incident response
b. Acquiring tools and resources is a part of the preparation phase. These tools and resources may include packet sniffers and protocol analyzers. The other three choices are incorrect because they are a part of the detection phase. The malware incident response life cycle has four phases, including (i) preparation, (ii) detection and analysis, (iii) containment, eradication, and recovery, and (iv) post-incident activity.
Which of the following requires an extensive testing effort in an application system integration project? a. Regression testing b. Interoperability testing c. Load testing d. Security testing
b. Adherence to a common standard ensures the interoperability of software components. Extensive testing is required to ensure that software components can communicate effectively in both single-processor and distributed processing environments. In a networked environment, it must be remembered that, when any component is added or replaced/upgraded, a large number of tests have to be run to ensure that the integrity and performance of the network have been retained. Therefore, tests must be repeatable and well documented. Hence, regression tests are necessary. In load testing, many combinations and permutations of workload patterns can be imposed on the components of a networked configuration. Although it would be difficult, if not impossible, to test them all, a thorough analysis of the expected workload is required to identify the most likely traffic patterns for this testing procedure. By their nature, networked systems provide a great number of opportunities for violating system security. This is especially true when security levels are not uniformly imposed throughout a configuration made up of multiple, interconnected local-area networks. Systemwide security testing is required to identify any security fault that may have been overlooked in the integrated system design.
An impact analysis of changes is conducted in which of the following configuration management process steps? a. Identify changes. b. Evaluate change request. c. Implement decisions. d. Implement approved change requests.
b. After initiating a change request, the effects that the change may have on a specific system or other interrelated systems must be evaluated. An impact analysis of the change is conducted in the "evaluate change request" step. Evaluation is the end result of identifying changes, deciding what changes to approve and how to implement them, and actually implementing the approved changes.
From a security viewpoint, which of the following pose a severe security problem? a. Unattended computer operations b. Unattended computer terminal c. Unattended software testing d. Unattended facsimile machine
b. An unattended computer terminal represents a severe security violation. An unauthorized user could seize the opportunity to access sensitive data. The data could be copied, deleted, added to, or modified. An intruder can also use this occasion to modify executable files. A virus, Trojan horse, or password-sniffing program could easily be slipped onto the system in no time. Security logic that detects an idle terminal is needed. Unattended computer operations are incorrect because they represent a situation where most computer operational tasks are performed by machines (robots) rather than by people. Unattended software testing is incorrect because testing is conducted by automated test tools without a person watching the testing process. The test tool continues running the test sessions by replaying one or more test scripts and handles unforeseen circumstances gracefully. Unattended facsimile machine is incorrect because, although it can lead to social engineering attacks, it poses less risk. Unattended computer operations, software testing, and facsimile machines all pose less risk than an unattended computer terminal.
Which of the following is an example of both preventive and detective control? a. Audit trails b. Antivirus software c. Policies and procedures d. Contingency plans
b. Antivirus software is a preventive control in that it stops a known virus from getting into a computer system. It is also a detective control because it notifies upon detecting a known virus. Audit trails are detective controls; policies and procedures are directive controls, whereas contingency plans are an example of recovery controls.
Which of the following is not an example of a vulnerability mitigation technique for malware? a. Patch management b. Antivirus software c. Least privilege d. Host hardening measures
b. Antivirus software is an example of a threat mitigation technique for malware. Antivirus software, spyware detection and removal utility software, intrusion prevention systems, firewalls and routers, and application settings are security tools that can mitigate malware threats. Malware often attacks systems by exploiting vulnerabilities in operating systems, services, and applications. Vulnerabilities can usually be mitigated by patch management, least privilege, and host hardening measures.
Which of the following are essential components of the security certification and accreditation process? 1. Risk assessment 2. Security requirements 3. Security plans 4. Security controls a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 3 and 4
b. Both risk assessment and security plans are essential components of the security certification and accreditation process. These two components accurately reflect the security requirements and security controls through the system development life cycle (SDLC) methodology. Security requirements and security controls (planned or designed) drive the risk assessment process and security plans.
An effective defense against new computer viruses does not include which of the following? a. Program change controls b. Virus scanning programs c. Integrity checking d. System isolation
b. Computer virus defenses are expensive to use, ineffective over time, and ineffective against serious attackers. Virus scanning programs are effective against viruses that have been reported and ineffective against new viruses or viruses written to attack a specific organization. Program change controls limit the introduction of unauthorized changes such as viruses. Redundancy can often be used to facilitate integrity. Integrity checking with cryptographic checksums in integrity shells is important to defend against viruses. System or equipment isolation to limit the spread of viruses is good, too.
In establishing a secure network, which of the following reflects the greatest need for restricting access via secure location? a. Transaction files b. Configuration files c. Work files d. Temporary files
b. Configuration files, system files, or files with sensitive information must not be migrated to different storage media and must be retained in a secure location due to their access restrictions. The files listed in the other three choices are not sensitive; they are temporary and don't need to be retained after their use is completed.
In the software capability maturity model, continuous process improvement takes place in which of the following levels? a. Managed level b. Optimizing level c. Defined level d. Repeatable level
b. Continuous process improvements are expected in the optimizing level of the software capability maturity model. It is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
Which of the following is not a direct method to conduct data leakage attacks? a. Trojan horse b. Asynchronous attacks c. Logic bombs d. Scavenging methods
b. Data leakage is the removal of data from a system by covert means, and it might be conducted directly through the use of a Trojan horse, a logic bomb, or scavenging methods. Asynchronous attacks are indirect attacks on a computer program that act by altering legitimate data or code at a time when the program is idle and then causing the changes to be added to the target program at a later execution.
Which of the following is required when an organization uncovers deficiencies in the security controls employed to protect an information system? a. Develop preventive security controls. b. Develop a plan of action and milestones. c. Develop detective security controls. d. Modify ineffective security controls.
b. Detailed plans of action and milestones (POA&M) schedules are required to document the corrective measures needed to increase the effectiveness of the security controls and to provide the requisite security for the information system prior to security authorization. The other three choices are not corrective steps requiring action plans and milestone schedules.
Which of the following gives assurance as part of system's security and functional requirements defined for an information system? a. Access controls b. Background checks for system developers c. Awareness d. Training
b. Security and functional requirements can be expressed as technical (for example, access controls), assurances (for example, background checks for system developers), or operational practices (for example, awareness and training).
Security controls and audit trails should be built into computer systems in which of the following system development life cycle (SDLC) phases? a. System initiation phase b. System development phase c. System implementation phase d. System operation phase
b. During the system development phase, the system is designed, purchased, programmed, developed, or otherwise constructed. During this phase, functional users and system/security administrators develop system controls and audit trails used during the operational phase.
Formal risk assessment is conducted in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
b. Formal risk assessment is conducted in the development/acquisition phase to identify system protection requirements. This analysis builds on the initial (preliminary or informal) risk assessment performed during the initiation phase, but will be more in-depth and specific.
Which of the following levels of the software capability maturity model deal with security requirements? a. Initial level b. Repeatable level c. Defined level d. Optimizing level
b. In the repeatable level of the software capability maturity model, system requirements are defined; these include security, performance, quality, and delivery dates. The purpose is to establish a common understanding between the customer and the software development project team. The other three choices are not correct because each level deals with specific requirements.
Reconciliation routines in application systems are a part of which of the following? a. Authorization controls b. Integrity or validation controls c. Access controls d. Audit trail mechanisms
b. Integrity or validation controls, which are a part of technical control, include reconciliation routines in application systems. Authorization and access controls, which are a part of technical control, enable authorized individuals to access system resources. Audit trail mechanisms include transaction monitoring.
Which of the following are examples of local threats in Windows Extreme Programming (XP) systems? a. Unauthorized local access and malicious payloads b. Boot process and privilege escalation c. Network services and data disclosure d. Boot process and data disclosure
b. Local threats in Windows XP systems include boot process, unauthorized local access, and privilege escalation. A boot process threat results when an unauthorized individual boots a computer from third-party media (for example, removable drives and universal serial bus [USB] token storage devices), which permits the attacker to circumvent operating system security measures. An unauthorized local-access threat results when an individual who is not permitted to access a computer system gains local access. A privilege escalation threat results when an authorized user with normal user-level rights escalates the account's privileges to gain administrator-level access. Remote threats in Windows XP systems include network services, data disclosure, and malicious payloads. A network service threat results when remote attackers exploit vulnerable network services on a computer system. This includes gaining unauthorized access to services and data, and causing a denial-of-service (DoS) condition. A data disclosure threat results when a third party intercepts confidential data sent over a network. A malicious payload threat results when malicious payloads (for example, viruses, worms, Trojan horses, and active content) attack computer systems through many vectors. System end users may accidentally trigger malicious payloads.
Traditionally, which of the following malware attacker tools is the hardest to detect? a. Backdoors b. Rootkits c. Keystroke loggers d. Tracking cookies
b. Malware categories include viruses, worms, Trojan horses, and malicious mobile code, as well as combinations of these, known as blended attacks. Malware also includes attacker tools such as backdoors, rootkits, keystroke loggers, and tracking cookies used as spyware. Of all the types of malware attacker tools, rootkits are traditionally the hardest to detect because they often change the operating system at the kernel level, which allows them to be concealed from antivirus software. Newer versions of rootkits can hide in the master boot record, as do some viruses.
Defining roles and responsibilities for identifying malware-infected hosts is important before security incidents occur. Which of the following groups can primarily assist with identifying infected servers? a. Security administrators b. System administrators c. Network administrators d. Desktop administrators
b. Organizations should identify which individuals or groups can assist in infection identification efforts. System administrators are good at identifying infected servers such as domain name system (DNS), e-mail, and Web servers. The roles of the other three administrator groups differ from the viewpoints of separation of duties, independence, and objectivity.
Product acquisition and integration costs are determined in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Disposal
b. Product acquisition and integration costs that can be attributed to information security over the life cycle of the system are determined in the development/acquisition phase. These costs include hardware, software, personnel, and training.
Which of the following is similar to security certification and accreditation? a. Quality assurance b. Quality control c. Operational control d. Management control
b. Quality control is similar to security certification and accreditation in terms of scope of work and goals. Quality control is a technical control. Quality assurance is included in security planning, which is a management control. Operational control deals with day-to-day procedures.
All the following are characteristics of a managed environment dealing with malware prevention and handling except: a. Installing antivirus software b. Requiring administrator-level privileges to end users c. Using deny-by-default policies d. Applying software patches
b. Requiring administrator-level privileges is a characteristic of a nonmanaged environment, where system owners and users have substantial control over their own system. Owners and users can alter system configurations, making security weak. In a managed environment, one or more centralized groups have substantial control over the server and workstation operating system and application configurations across the enterprise. Recommended security practices include installing antivirus software on all hosts and keeping it up-to-date, using deny-by-default policies on firewalls, and applying patches to operating systems and applications. These practices enable a consistent security posture to be maintained across the enterprise.
Security planning is performed in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operations/maintenance
b. Security planning ensures that agreed-upon security controls, whether planned or in place, are fully documented. It is a task performed in the development/acquisition phase.
Which of the following is a reactive countermeasure in defending against worms? a. Integrity checkers b. Software patching c. Host firewalls d. Stateful firewalls
b. Software patching, being one of the reactive (detective) countermeasures, is mostly done after a vulnerability or programming/design error is discovered. These reactive methods have no hope of preventing fast-spreading worms or worms that use zero-day exploits to carry out their attacks. The other three choices are examples of proactive (preventive) countermeasures. Integrity checkers keep cryptographic hashes of known good instances of files so that integrity comparisons can be made at any time. Host firewalls enforce rules that define the manner in which specific applications may use the network. Stateful firewalls keep track of network connections and monitor their state.
If there is a doubt as to whether sensitive information remains on a system, which of the following should be consulted before disposing of the system? a. Information system owner b. Information system security officer c. Information owner d. Certification and accreditation officer
b. Some systems may contain sensitive information after the storage media is removed. If there is a doubt whether sensitive information remains on a system, the information system security officer should be consulted before disposing of the system because the officer deals with technical aspects of a system. The other parties mentioned do not have a technical focus but instead have a business focus.
Which of the following is not a common tool for eradication of malware from an infected host? a. Antivirus software b. Spam-filtering software c. Spyware detection and removal utility software d. Patch management software
b. Spam-filtering software, whether host-based or network-based, is effective at stopping known e-mail-based malware that uses the organization's e-mail services and is effective at stopping some unknown malware. The most common tools for eradication are antivirus software, spyware detection and removal utility software, patch management software, and dedicated malware removal tools.
In the needs-determination task of the system development life cycle (SDLC) initiation phase, which of the following is a significant cost driver? a. Performance requirements b. Assurance requirements c. Supportability requirements d. Functional requirements
b. System assurance is the grounds for confidence that the set of intended security controls in an information system is effective in its application. Information security needs should address the appropriate level of assurance because this is a significant cost driver. The higher the assurance level required, the higher the cost, and vice versa. Usually, investment analysis is structured to translate system needs and mission into high-level performance, assurance, functional, and supportability requirements. However, the assurance requirements are the significant cost driver because they integrate all the other requirements at the highest level.
The Reference Monitor concept is which of the following? a. It is dependent on mandatory access control policy. b. It is independent of any access control policy. c. It is independent of role-based access control policy. d. It is dependent on discretionary access control policy.
b. The Reference Monitor concept is independent of any particular access control policy because it mediates all types of access to objects by subjects. Mandatory access control policy is a means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity. With role-based access control policy, access decisions are based on the roles (for example, teller, analyst, and manager) that individual users have as part of an organization. Discretionary access control policy is a means of restricting access to objects based on the identity of subjects.
From a risk analysis viewpoint, what does the major vulnerable area in a computer application system include? a. Internal computer processing b. System inputs and outputs c. Telecommunications and networks d. External computer processing
b. The biggest vulnerable area is in the manual handling of data before it is entered into an application system or after it has been retrieved from the system in hard copy form. Because human intervention is significant here, the risk is higher. Controls over internal and external computer processing and telecommunications and the network can be made stronger with automated controls.
The architecture of an expert system does not include which one of the following? a. Knowledge base b. Computing environment c. Inference engine d. End user interface
b. The computing environment consists of hardware, programming languages, editors and compilers, file management facilities, browsing program code, debugging and tracing program execution, and graphic programming. This computing environment is outside the expert systems architecture because it can change from one organization to another. On the other hand, knowledge base, inference engine, and end user interface are integral parts of expert systems architecture. Knowledge is stored in the knowledge base using symbols and data structures to stand for important concepts. The symbols and data structures are said to represent knowledge. A software module called the inference engine executes inference procedures. If the user of the expert system is a person, communications with the end user are handled via an end user interface.
Effective control is achieved when configuration management control is established prior to the start of which of the following? a. Requirements analysis b. Design c. Coding d. Testing
b. The design phase translates requirements into a representation of the software. The design is placed under configuration management control before coding begins. Requirements analysis is incorrect because it focuses on gathering requirements to understand the nature of the programs to be built. The design must be translated into code-readable form. The coding step performs this task. Code is verified, for example, through the inspection process and put under configuration management control prior to the start of formal testing. After code is generated, program testing begins. The testing focuses on the logical internals of the software, ensuring that all statements have been tested, and on the functional externals; that is, conducting tests to uncover errors to ensure that the defined input can produce actual results that agree with required results.
The security-planning document created in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following? a. Security awareness and training plan b. Contracting plans and processes c. Rules of behavior d. Risk assessment
b. The development and execution of necessary contracting plans and processes are a part of other planning components in the development/acquisition phase of an SDLC. The other three choices are part of the security-planning document.
Which of the following security principles balances various variables such as cost, benefit, effort, value, time, tools, techniques, gain, loss, risks, and opportunities involved in a successful compromise of security features? a. Compromise recording b. Work factor c. Psychological acceptability d. Least common mechanism
b. The goal of the work factor principle is to increase an attacker's work factor in breaking an information system's or a network's security features. The amount of work required for an attacker to break the system or network (the work factor) should exceed the value that the attacker would gain from a successful compromise. Various variables such as cost and benefit; effort; value (negative and positive); time; tools and techniques; gains and losses; knowledge, skills, and abilities (KSAs); and risks and opportunities involved in a successful compromise of security features must be balanced. The principle of compromise recording means computer or manual records and logs should be maintained so that if a compromise does occur, evidence of the attack is available. The recorded information can be used to better secure the host or network in the future and can assist in identifying and prosecuting attackers. The principle of psychological acceptability encourages the routine and correct use of protection mechanisms by making them easy to use, thus giving users no reason to attempt to circumvent them. The security mechanisms must match the user's own image of protection goals. The principle of least common mechanism requires the minimal sharing of mechanisms either common to multiple users or depended upon by all users. Sharing represents possible communications paths between subjects that can be used to circumvent security policy.
In which of the following system development life cycle (SDLC) models has the concept of application software reuse been incorporated? a. Waterfall model b. Object-oriented model c. Prototype model d. Spiral model
b. The notion of software component reuse has been developed with the invention of the object-oriented development approach. After the design model has been created, the software developer browses a library, or repository, that contains existing program components to determine if any of the components can be used in the design at hand. If reusable components are found, they are used as building blocks to construct a prototype of the software. The waterfall model is incorrect because it takes a linear, sequential view of the software engineering process. The waterfall method is another name for the classic software development life cycle. The prototype model is incorrect because it is a process that enables the developer to create a model of the software built in an evolutionary manner. The spiral model is incorrect because it is another type of evolutionary model. It has been developed to provide the best features of both the classic life cycle approach and prototyping. None of these three choices provides for software reuse.
An in-depth study of the needs-determination for a new system under development is conducted in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
b. The requirements analysis task of the SDLC development/acquisition phase is an in-depth study of the need for a new system. The requirements analysis draws on and further develops the work performed during the initiation phase. The needs-determination activity is performed at a high level of functionality in the initiation phase.
The security accreditation decision reflects which of the following? a. Test-based decision b. Risk-based decision c. Evaluation-based decision d. Results-based decision
b. The security accreditation decision is a risk-based decision that depends heavily, but not exclusively, on the security testing and evaluation results produced during the security control verification process. The security accreditation focuses on risk, whereas system accreditation focuses on an evaluation based on tests and their results.
The security certification assessor is involved with which of the following activities? a. System development b. System controls c. System implementation d. System operations
b. The security certification assessor is involved in assessing security controls in an information system to provide an unbiased opinion. The assessor's independence implies that he is not involved in the information system development, implementation, or operation.
In the continuous monitoring phase of the security certification and accreditation process, ongoing assessment of security controls is based on which of the following? a. Configuration management documents b. Action plan and milestone documents c. Configuration control documents d. Security impact analyses documents
b. To determine what security controls to select for ongoing review, organizations should first prioritize testing on "action plan and milestones" items that become closed. These newly implemented controls should be validated first. The other three documents are part of the continuous monitoring phase and come into play when there are major changes or modifications to the operational system.
Which of the following flaws allows an attacker to embed malicious commands in application parameters, resulting in an external system executing those commands on behalf of the Web application? a. Buffer overflows b. Injection flaws c. Denial-of-service d. Improper error handling
b. Web applications pass parameters when they access external systems or the local operating system. Injection flaws occur when an attacker can embed malicious commands in these parameters; the external system may execute those commands on behalf of the Web application. The other three choices do not apply here because they do not embed malicious commands.
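The flaw described in this answer, shown as an added example that is not part of the question set: a Web handler that splices a request parameter into an operating-system command, beside a hardened version that validates the parameter against a strict allowlist and passes it as a single argument without a shell. The function names, the `host` parameter, and the sample input are assumptions made for this illustration.

```python
"""Added example (not from the CISSP question set): an injection flaw in a
Web handler that builds an OS command from a request parameter, and a
hardened version of the same handler. Names and inputs are constructed."""
import re
import subprocess

# Allowlist for a DNS host name: labels of letters, digits and hyphens,
# separated by dots, 253 characters at most (RFC 1035 limits).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host: str) -> str:
    """Flawed handler: the request parameter becomes part of a shell command
    line, so any shell syntax in `host` is executed by the OS, not pinged."""
    return "ping -c 1 " + host


def is_valid_hostname(host: str) -> bool:
    """Positive validation: accept only what a host name may look like."""
    return bool(HOSTNAME_RE.match(host))


def hardened_command(host: str) -> list:
    """Hardened handler: validate first, then build an argv list so the
    parameter is one argument and is never reinterpreted as command syntax."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> int:
    """Execute the hardened command with shell=False; returns the exit code."""
    argv = hardened_command(host)
    completed = subprocess.run(argv, shell=False, check=False,
                               capture_output=True, timeout=10)
    return completed.returncode


def demo() -> dict:
    """Compare both handlers on a constructed input carrying a shell separator."""
    tainted = "example.com; echo injected"  # constructed sample input
    result = {"vulnerable": vulnerable_command(tainted)}
    try:
        hardened_command(tainted)
        result["hardened"] = "accepted"
    except ValueError:
        result["hardened"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The important design choice is the combination: input validation alone still leaves the shell in the path, and an argv list alone still forwards whatever the user typed to the program, so the hardened handler does both.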
A worm has infected a system. What should be the first step in handling the worm incident? a. Analyze the host computer. b. Disconnect the infected system. c. Analyze the server. d. Identify the worm's behavior.
b. Worm incidents often necessitate as rapid a response as possible, because an infected system may be attacking other systems both inside and outside the organization. Organizations may choose to disconnect infected systems from networks immediately, instead of performing an analysis of the host first. Next, the analyst can examine fixed (nonvolatile) characteristics of the server's operating system, such as looking for administrative-level user accounts and groups that may have been added by the worm. Ultimately, the analyst should gather enough information to identify the worm's behavior in sufficient detail so that the incident response team can act effectively to contain, eradicate, and recover from the incident.
Which of the following should be conducted before the approval of system design specifications of a new system under development? a. Enterprise security architecture b. Interconnected systems c. Formal risk assessment d. System security specifications
c. A formal security risk assessment should be conducted before the approval of system design specifications. The other three choices are considered during a formal security risk assessment process.
Which of the following is most likely to be tampered with or manipulated? a. Configuration file b. Password file c. Log file d. System file
c. A log file is most likely to be tampered with (manipulated), by either insiders or outsiders, because it contains records of unsuccessful login attempts and system usage. A configuration file contains system parameters. A password file contains passwords and user IDs, whereas a system file contains general information about computer system hardware and software.
Which of the following application software libraries can raise questions about data ownership rights? a. Test library b. Quality assurance library c. Reusable library d. Production library
c. A reusable library can improve software productivity and quality by increasing the efficient reuse of error-free code for both new and modified application software. "Who owns the reusable code?" is a legal question that requires a careful answer due to the difficulty of tracing the original author of the software. A test library is incorrect because it is where the new software is developed or the existing software is modified. A quality assurance library is incorrect because it is a staging area where final quality reviews and production setup procedures take place. A production library is incorrect because it is the official place where operational programs reside and execute to process data. Data ownership rights in these three libraries (test, quality assurance, and production) are clear and traceable to the author(s).
During the initiation phase of a system development life cycle (SDLC) process, which of the following tasks is not typically performed? a. Preliminary risk assessment b. Preliminary system security plans c. High-level security test plans d. High-level security system architecture
c. A security test plan, whether high level or low level, is developed in the development/acquisition phase. The other three choices are performed in the initiation phase.
Effective controls during the application software-testing phase include which of the following? a. Test cases and test documentation b. Test summaries and test execution reports c. Activity logs, incident reports, and software versioning d. Test cases rejected and test cases accepted
c. Activity logs contain a record of all the test cases executed. Incident reports show a priority assigned to test problems during test execution. All incidents logged should be resolved within a reasonable time. Software versioning controls the program source versions to ensure that there is no duplication or confusion between multiple versions. Test cases and test documentation are incorrect because test cases contain a listing of all possible tests to be executed with their associated data and test documentation includes test plans, test objectives, and approaches. Test summaries and test execution reports are incorrect because test summary is a brief description of what is changing. Key words are used so that project personnel reading the log can scan for items that may affect their work. Test execution reports show a status of software testing execution to management with summary information. Test cases rejected and test cases accepted are incorrect because they simply list what test cases were rejected or accepted. The documents such as test cases, test documentation, test summaries, test execution reports, and test cases rejected and accepted do not have the same monitoring and controlling effect as do the documents such as activity logs, incident reports, and software versioning.
Which of the following is the least beneficial of an application software test log? a. Recording actions for problem resolution b. Tracing events on post-test basis c. Reporting problems for compliance to a policy d. Promoting tester accountability
c. An application software test log has several benefits. Reporting problems for the sake of reporting/compliance to a policy or a procedure is the least beneficial. What is done with the report is more important than just reporting. The other three choices are incorrect because they are the most important benefits. The log shows a record of all problems encountered during testing so events can be traced for verification. The log can also be used as a training tool for new testers because the log shows what happened in the past. Most of all, the log indicates what the tester did or did not do during testing. It forces testers to document the actions taken and decisions made during testing.
Which of the following is not a part of software and information integrity for commercial off-the-shelf application security? a. Parity checks b. Cyclical redundancy checks c. Failed security tests d. Cryptographic hashes
c. An organization employs automated mechanisms to provide notification of failed security tests, which is a control used in the verification of security functionality. The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions. The organization employs good software engineering practices for commercial off-the-shelf integrity mechanisms (for example, parity checks, cyclical redundancy checks, and cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.
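The integrity mechanisms named here (cryptographic hashes in particular), and the integrity checkers described earlier as a proactive worm countermeasure, shown as one added example that is not part of the question set: a baseline of SHA-256 digests of known-good files, a later comparison against the live files, and an HMAC over the stored baseline so that tampering with the baseline itself is also detected. The file names, contents, and sealing key are constructed sample data.

```python
"""Added example (not from the CISSP question set): a minimal host integrity
checker. It records SHA-256 digests of known-good files, later compares the
live files against that baseline, and seals the baseline with an HMAC so a
modified baseline is caught as well. All file data below is constructed."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict, key: bytes) -> dict:
    """Hash every known-good file and seal the digest table with an HMAC."""
    digests = {path: sha256_hex(content) for path, content in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_baseline(baseline: dict, key: bytes) -> bool:
    """Recompute the HMAC over the digest table and compare in constant time."""
    body = json.dumps(baseline["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def check_integrity(baseline: dict, files: dict, key: bytes) -> dict:
    """Report modified, missing and added files relative to a sealed baseline.
    If the baseline's MAC does not verify, its digests cannot be trusted and
    no file-level verdict is produced."""
    if not verify_baseline(baseline, key):
        return {"baseline_tampered": True, "modified": [], "missing": [], "added": []}
    known = baseline["digests"]
    modified = [p for p in known if p in files and sha256_hex(files[p]) != known[p]]
    missing = [p for p in known if p not in files]
    added = [p for p in files if p not in known]
    return {"baseline_tampered": False, "modified": modified,
            "missing": missing, "added": added}


# Constructed sample data. Assumption: the key lives off the monitored host,
# so an intruder who can rewrite the baseline still cannot re-seal it.
KEY = b"baseline-sealing-key-kept-offline"
KNOWN_GOOD = {
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/usr/bin/ssh": b"\x7fELF...original binary bytes...",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}


def demo() -> dict:
    """Simulate a later scan of a host where one file changed, one vanished,
    and one unexpected file appeared."""
    baseline = build_baseline(KNOWN_GOOD, KEY)
    live = dict(KNOWN_GOOD)
    live["/usr/bin/ssh"] = b"\x7fELF...patched binary bytes..."  # modified
    del live["/etc/hosts"]                                       # missing
    live["/tmp/.x"] = b"#!/bin/sh\n"                             # added
    return check_integrity(baseline, live, KEY)


if __name__ == "__main__":
    print(demo())
```

A plain CRC or parity check would also flag the accidental changes above, but only a keyed cryptographic digest resists an adversary who can rewrite both the file and its stored checksum, which is why the baseline is sealed rather than merely stored.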
Security impact analyses are performed in which of the following configuration management processes? a. Baseline configuration b. Configuration change control c. Monitoring configuration changes d. Configuration settings
c. An organization monitors changes to the information system and conducts security impact analyses to determine the effects of the changes. The other three choices are incorrect because they occur prior to the monitoring.
Which of the following is the correct sequence of steps to be followed in an application software change control process? 1. Test the changes. 2. Plan for changes. 3. Initiate change request. 4. Release software changes. a. 1, 2, 3, and 4 b. 2, 1, 3, and 4 c. 3, 2, 1, and 4 d. 4, 3, 1, and 2
c. Any application software change must start with a change request from a functional user. An information technology (IT) person can plan, test, and release the change after it is approved by the functional user.
In the context of expert systems, a heuristic is not a: a. Rule of thumb b. Known fact c. Known procedure d. Guaranteed procedure
d. A heuristic is a rule of thumb, a known fact, or even a known procedure that can be used to solve some problems, but it is not guaranteed to do so. It may fail. Heuristics can be conveniently regarded as simplifications of comprehensive formal descriptions of real-world systems. These heuristics are acquired through learning and experience.
Which of the following application settings used to prevent malware incidents will not stop phishing and spyware delivery? a. Filtering spam b. Filtering website content c. Restricting macro use d. Blocking Web browser pop-up windows
c. Applications such as word processors and spreadsheets often contain macro languages; macro viruses take advantage of this. Most common applications with macro capabilities offer macro security features that permit macros only from trusted locations or prompt the user to approve or reject each attempt to run a macro. Restricting macro use cannot stop phishing and spyware delivery. Filtering spam is incorrect because spam is often used for phishing and spyware delivery (for example, Web bugs are often contained within spam), and it sometimes contains other types of malware. Using spam-filtering software on e-mail servers or clients or on network-based appliances can significantly reduce the amount of spam that reaches users, leading to a corresponding decline in spam-triggered malware incidents. Filtering website content is incorrect because website content-filtering software contains lists of phishing websites and other sites that are known to be hostile (i.e., attempting to distribute malware to visitors). The software can also block undesired file types, such as by file extension. Blocking Web browser pop-up windows is incorrect because some pop-up windows are crafted to look like legitimate system message boxes or websites and can trick users into going to phony websites, including sites used for phishing, or authorizing changes to their systems, among other malicious actions. Most Web browsers can block pop-up windows; others can do so by adding a third-party pop-up blocker to the Web browser.
Programmers frequently create entry points into a program for debugging purposes and/or insertion of new program code at a later date. What are these entry points called? a. Logic bombs b. Worms c. Backdoors d. Trojan horses
c. Backdoors are also called hooks and trapdoors. Logic bomb is incorrect because it is a program that triggers an unauthorized, malicious act when some predefined condition occurs. Worms are incorrect because they search the network for idle computing resources and use them to execute the program in small segments. Trojan horses are incorrect because a Trojan horse is a production program that has access to otherwise unavailable files and is changed by adding extra, unauthorized instructions. It disguises computer viruses.
When attackers compromise passwords, keys, and session cookies, it can lead to which of the following flaws? a. Broken access control b. Invalidated input c. Broken authentication d. Cross-site scripting flaws
c. Broken authentication means account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
Which of the following is not an example of built-in security features? a. Authentication controls were designed during a system development process. b. Fail-soft security features were installed. c. Least-privilege principles were installed during the post-implementation period. d. Fail-safe security features were implemented.
c. Built-in security means that security features are designed into the system during its development, not after. Any feature that is installed during post-implementation of a system is an example of built-on security, not built-in. Security and control features must be built in from a cost-benefit perspective.
By accrediting an information system, an organization's management official does which of the following? a. Avoids the risks b. Limits the risks c. Accepts the risks d. Transfers the risks
c. By accrediting an information system, an organization's management official accepts the risks associated with operating the system and the associated security implications to the organization's operations, assets, or individuals.
Which of the following is required to control the actions of mobile code, stationary code, or downloaded code? a. Technical controls b. Administrative controls c. Behavioral controls d. Physical controls
c. Conceptually, behavioral controls can be viewed as a software cage or quarantine mechanism that dynamically intercepts and thwarts attempts by the subject code to take unacceptable actions that violate policy. As with firewalls and antivirus products, methods that dynamically restrain mobile code were born out of necessity to supplement existing mechanisms, and represent an emerging class of security product. Such products are intended to complement firewall and antivirus products that respectively block network transactions or mobile code based on predefined signatures (i.e., content inspection), and may refer to methods such as dynamic sandboxes, dynamic monitors, and behavior monitors, used for controlling the behavior of mobile code. In addition to mobile code, this class of product may also be applicable to stationary code or downloaded code whose trustworthiness is in doubt. Technical controls, administrative controls, and physical controls are incorrect because they are not as strong as behavioral controls in combating mobile code.
Which of the following are not the responsibilities of the configuration control review board? 1. Discussing change requests 2. Conducting impact analysis of changes 3. Requesting funding to implement changes 4. Notifying users of system changes a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 3 and 4
c. Conducting impact analysis of changes and notifying users of system changes are the responsibilities of the configuration manager, whereas discussing change requests and requesting funding to implement changes are the responsibilities of the configuration control review board.
Computer viruses continue to pose a threat to the following computer services except: a. Integrity b. Availability c. Confidentiality d. Usability
c. Confidentiality is not affected by the presence of computer viruses in computer systems because confidentiality is ensuring that data is disclosed only to authorized subjects. However, computer viruses affect integrity, availability, and usability. Computer programs can be deleted or modified, thus losing their integrity, the computer system may not be available due to disruption or denial of computer services, and end users may not use the system due to loss of files or disruption of services.
During the system design of data input control procedures, the least consideration should be given to which of the following items? a. Authorization b. Validation c. Configuration d. Error notification
c. Configuration management is a procedure for applying technical and administrative direction and monitoring to (i) identify and document the functional and physical characteristics of an item or system, (ii) control any changes made to such characteristics, and (iii) record and report the change, process, and implementation status. The authorization process may be manual or automated. All authorized transactions should be recorded and entered into the system for processing. Validation ensures that the data entered meets predefined criteria in terms of its attributes. Error notification is as important as error correction.
Which of the following statements dealing with security principles is not true when securing an application environment? a. Information security functions should be isolated from nonsecurity functions. b. Design for protection mechanisms should be simple and small in size. c. Similar security controls should be placed in series and in sequence to achieve a defense-in-depth strategy. d. Data-hiding techniques should be practiced during program testing and software maintenance.
c. Defending an information system requires safeguards to be applied throughout the system, as well as at points of entry. The selection and placement of security controls should be done in a way that progressively weakens or defeats all attacks. Having a series of similar controls in succession tends only to lengthen the duration of the attack, which is not good. Applying different types of controls that complement each other and are mutually supportive is a much more effective approach to achieving a defense-in-depth strategy. Although the capabilities of available safeguards may overlap to some extent, the combined effect should exceed the effect of each control used individually. The other three choices are true statements in achieving security in an application environment. The information system isolates security functions from nonsecurity functions by means of partitions and domains that control access to, and protect the integrity of, the hardware, software, and firmware that perform those security functions. Security functions should also be kept separate from one another. The design of information systems, and of the protection mechanisms in those systems, should be as simple as possible; complexity is at the root of many security issues. The principle of data hiding is useful during program testing and software maintenance.
Which of the following is an example of a dynamic analysis to detect application software errors? a. Inspections b. Code reading c. Testing d. Tracing
c. Dynamic analysis techniques involve the execution of a product and analysis of its response to sets of input data to determine its validity and to detect errors. The behavioral properties of the program are also observed. The most common type of dynamic analysis technique is testing. Testing of software is usually conducted on individual components (for example, subroutines and modules) as they are developed, on software subsystems when they are integrated with one another or with other system components, and on the complete system. Another type of testing is acceptance testing performed before the user accepts the product. Inspections, code reading, and tracing are examples of static analysis. Static analysis is the analysis of requirements, design, code, or other items either manually or automatically, without executing the subject of the analysis to determine its lexical and syntactic properties as opposed to its behavioral properties.
A general testing strategy for conducting an application software regression testing includes which of the following sequence of tasks? a. Read, insert, and delete b. Precompile, link, and compile c. Prepare, execute, and delete d. Test, debug, and log
c. Each regression test run prepares the executable program, executes it, and deletes it. Deleting after each run saves space on mass storage while still producing a complete log, and the approach is recommended for debugging and validation. Read, insert, and delete describes moving all rows from Table A to Table B: the rows are read from A, inserted into B, and deleted from A. A source program is precompiled, linked, and compiled to become an object or executable program. A source program is tested (errors discovered), debugged (errors removed), and logged for review and further action.
Which of the following software configuration-management capabilities available for client/server systems can help to detect and correct errors? a. Install check-in/check-out modules. b. Archive source code. c. Allow backtracking. d. Assemble new builds.
c. Errors are made in several places and times: (i) when source code is developed, (ii) when modules are initially written, (iii) when an enhancement is being added to a module, (iv) when another error is fixed, and (v) when code is being moved from one module to another. Software configuration management products have a backtracking feature to correct these types of errors. The product should list the exact source code changes that make up each build. Then, these changes are examined to identify which one can create the new error. The concept of check-in/check-out software enables multiple developers to work on a project without overwriting one another's work. It is a fundamental method of preventing errors from being included or reintroduced into software modules.
Which of the following is not the responsibility of the configuration manager? a. Documenting the configuration management plan b. Approving, denying, or deferring changes c. Evaluating configuration management metric information d. Ensuring that an audit trail of changes is documented
c. Evaluating configuration management metric information is the responsibility of the configuration control review board, whereas the other three choices are responsibilities of the configuration manager.
Expert systems differ from conventional systems in all the following except: a. Expert system knowledge is represented declaratively. b. Expert system computations are performed through symbolic reasoning. c. Expert system knowledge is combined into program control. d. Expert systems can explain their own actions.
c. Expert system programs differ from conventional systems in four important ways. First, knowledge is separated from program control; the knowledge base and inference engine are separate. Second, knowledge is represented declaratively. Third, expert systems perform computation through symbolic reasoning. And finally, expert systems can explain their own actions.
Which of the following do the most commonly used application program design structure metrics include? a. Check-in and check-out indicators b. Fan-in and check-out indicators c. Fan-in and fan-out metrics d. Fan-out metrics and check-in indicators
c. Fan-in and fan-out are based on program coupling. Fan-in is a count of the number of modules that call a given module, and fan-out is a count of the number of modules that are called by a given module. Both fan-in and fan-out measure program complexity. Check-in and check-out are program change controls where documents or data/program files will have a check-in or check-out indicator in system libraries to prevent their concurrent use by programmers and computer programs.
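Fan-in and fan-out are easy to compute once the call graph is known. The following is an added example, not part of the original page: it takes a constructed call graph (caller to callees), computes both metrics for every module, and flags modules whose fan-out exceeds an assumed review threshold or whose fan-in is high enough that a change to them needs wide impact analysis. The module names and the thresholds are assumptions for illustration.

```python
"""Fan-in / fan-out coupling metrics from a call graph (added example)."""

# Constructed sample call graph: caller -> set of callees. Module names are
# assumptions for illustration only.
SAMPLE_CALL_GRAPH = {
    "main": {"parse_input", "authenticate", "render"},
    "parse_input": {"log"},
    "authenticate": {"hash_password", "db_query", "log"},
    "render": {"log"},
    "db_query": {"log"},
    "hash_password": set(),
    "log": set(),
}


def all_modules(graph):
    """Every module named anywhere in the graph, as caller or callee."""
    modules = set(graph)
    for callees in graph.values():
        modules.update(callees)
    return modules


def fan_out(graph):
    """Fan-out: number of distinct modules each module calls."""
    return {m: len(graph.get(m, ())) for m in all_modules(graph)}


def fan_in(graph):
    """Fan-in: number of distinct modules that call each module."""
    counts = {m: 0 for m in all_modules(graph)}
    for callees in graph.values():
        for callee in callees:
            counts[callee] += 1
    return counts


def high_fan_out(graph, limit=7):
    """Modules calling more than `limit` others: complex and hard to review.
    The limit is an assumed review threshold, not a standard value."""
    return sorted(m for m, n in fan_out(graph).items() if n > limit)


def high_fan_in(graph, minimum=3):
    """Modules depended on by at least `minimum` callers. A change to one of
    these has wide impact, so change-impact analysis should start here."""
    return sorted(m for m, n in fan_in(graph).items() if n >= minimum)


if __name__ == "__main__":
    outs = fan_out(SAMPLE_CALL_GRAPH)
    for name, value in sorted(fan_in(SAMPLE_CALL_GRAPH).items()):
        print(f"{name:14} fan-in={value} fan-out={outs[name]}")
    print("high fan-out:", high_fan_out(SAMPLE_CALL_GRAPH, limit=2))
    print("high fan-in:", high_fan_in(SAMPLE_CALL_GRAPH))
```

On the sample graph, `log` has a fan-in of 4 (every other module routes through it), which is exactly the kind of module where a single audited implementation pays off and where a faulty change propagates everywhere.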
Countermeasures against hidden code attacks include which of the following? 1. Use war dialing software. 2. Use firewalls. 3. Use layered protections. 4. Disable active-content code. a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1 and 4
c. Hidden code attacks are based on data and information. Using layered protections and disabling active-content code (for example, ActiveX and JavaScript) in the Web browser are effective controls against such attacks. War dialing software is good at detecting trapdoors (backdoor modems) but is not a control against hidden code. Firewalls are effective against spoofing attacks.
A worm has infected a system. From a network traffic perspective, which of the following contains more detailed information? a. Network-based IDS and firewalls b. Routers c. Host-based IDS and firewalls d. Remote access servers
c. Host-based intrusion detection system (IDS) and firewall products running on the infected system may contain more detailed information than network-based IDS and firewall products. For example, host-based IDS can identify changes to files or configuration settings on the host that were performed by a worm. This information is helpful not only in planning containment, eradication, and recovery activities by determining how the worm has affected the host, but also in identifying which worm infected the system. However, because many worms disable host-based security controls and destroy log entries, data from host-based IDS and firewall software may be limited or missing. If the software was configured to forward copies of its logs to centralized log servers, then queries to those servers may provide some useful information (assuming the host logs' integrity is not in doubt). Network-based IDS is incorrect because it indicates which server was attacked and on what port number, which indicates which network service was targeted. Network-based firewalls are typically configured to log blocked connection attempts, which include the intended destination IP address and port number. Other perimeter devices that the worm traffic may have passed through, such as routers, virtual private network (VPN) gateways, and remote access servers may record information similar to that logged by network-based firewalls.
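The host-level evidence described above (files and settings changed on the infected host) is what a file-integrity baseline provides. The following added example, not from the original page, builds a SHA-256 baseline of a directory tree, compares a later snapshot against it, and renders the differences as log lines of the kind one would forward to a central log server before a worm can destroy them locally. The directory contents, file names, simulated changes and the key=value log format are all constructed for illustration.

```python
"""File-integrity baseline and comparison (added example)."""
import hashlib
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, permission bits) for every regular file
    under root. Symlinks are skipped rather than followed."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            info = os.lstat(full)
            if not stat.S_ISREG(info.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (hash_file(full), stat.S_IMODE(info.st_mode))
    return result


def compare(baseline, current):
    """Classify differences between two snapshots; a permission change alone
    counts as a modification, since a worm may only flip mode bits."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def log_lines(report, host="host1"):
    """One line per finding, in a constructed key=value format for forwarding."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            lines.append(f"host={host} event=file_{kind} path={path}")
    return lines


def _write(root, rel, content, mode=0o644):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as handle:
        handle.write(content)
    os.chmod(full, mode)


def demo():
    """Build a baseline, apply constructed worm-like changes, report them."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "bin/service", "#!/bin/sh\necho ok\n", 0o755)
        _write(root, "etc/motd", "welcome\n")
        baseline = snapshot(root)

        # Constructed changes standing in for a worm's activity.
        _write(root, "etc/hosts", "127.0.0.1 localhost\n0.0.0.0 av-updates.example\n")
        _write(root, "bin/service", "#!/bin/sh\necho ok\n", 0o700)  # mode only
        _write(root, "tmp/worm.bin", "payload")
        os.remove(os.path.join(root, "etc/motd"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for line in log_lines(demo()):
        print(line)
```

The baseline itself must be stored off the host (or signed), for the same reason the explanation gives for forwarding logs: a worm that can alter files can alter a locally stored baseline too.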
Which of the following must be done when there is a significant change addressed in the configuration management process? 1. System certification 2. System accreditation 3. System recertification 4. System reaccreditation a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4
c. If there were a significant change addressed in the configuration management process, then the system must be recertified and reaccredited. System certification and system accreditation are done when a new system is installed and implemented, prior to any changes.
Which of the following is an example of input validation error? a. Access validation error b. Configuration error c. Buffer overflow error d. Race condition error
c. In an input validation error, the input received by a system is not properly checked, resulting in a vulnerability that can be exploited by sending a certain input sequence. In a buffer overflow, the input received by a system is longer than the expected input length, but the system does not check for this condition. In an access validation error, the system is vulnerable because the access control mechanism is faulty. A configuration error occurs when user controllable settings in a system are set so that the system is vulnerable. Race condition error occurs when there is a delay between the time when a system checks to see if an operation is allowed by the security model and the time when the system actually performs the operation.
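Two of the error classes above lend themselves to a short demonstration. The following is an added example, not code from the original page: a parser for a length-prefixed record that rejects input whose declared length exceeds either the fixed buffer capacity or the bytes actually received (the check that is missing in a buffer overflow), shown beside the unchecked version, and a file-creation routine that closes the check-then-act window of a race condition by letting the kernel perform the existence check as part of the open itself. The record format, the 16-byte capacity and the file name are assumptions for illustration.

```python
"""Input-length validation and race-free file creation (added example)."""
import os
import tempfile

BUF_CAPACITY = 16  # assumed size of the fixed receive buffer a C program would use


class InvalidInput(ValueError):
    """Raised when a record fails validation before any copy is made."""


def parse_record(data, capacity=BUF_CAPACITY):
    """Parse <1-byte length><payload>, validating the length before use.

    Both checks matter: the declared length must fit the buffer (otherwise a
    fixed-size copy overflows it) and must not exceed the bytes actually
    present (otherwise the copy reads past the end of the input)."""
    if not data:
        raise InvalidInput("missing length byte")
    declared = data[0]
    payload = data[1:]
    if declared > capacity:
        raise InvalidInput(f"declared length {declared} exceeds capacity {capacity}")
    if declared > len(payload):
        raise InvalidInput(f"declared length {declared}, only {len(payload)} bytes present")
    return payload[:declared]


def parse_record_unchecked(data):
    """The failing pattern: trusts the length byte. In C this is the memcpy
    into a fixed buffer; here it simply hands back more than the buffer holds."""
    return data[1:1 + data[0]]


def is_valid_record(data, capacity=BUF_CAPACITY):
    """Convenience wrapper: True if parse_record accepts the input."""
    try:
        parse_record(data, capacity)
        return True
    except InvalidInput:
        return False


def create_private_file_racy(path, content):
    """Check-then-act: between exists() and open() another process can create
    the file or plant a symlink at the path, and open() will follow it."""
    if os.path.exists(path):
        raise FileExistsError(path)
    with open(path, "w") as handle:
        handle.write(content)


def create_private_file(path, content):
    """Atomic create: O_CREAT|O_EXCL makes the existence check part of the
    open call, O_NOFOLLOW refuses symlinks, and mode 0600 is applied at
    creation rather than in a later chmod."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(content)


def demo_exclusive_create():
    """A second creation of the same path must be refused, not overwrite."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "session.key")
        create_private_file(path, "first")
        try:
            create_private_file(path, "second")
            return "overwrote"
        except FileExistsError:
            with open(path) as handle:
                return "refused, kept " + handle.read()


if __name__ == "__main__":
    print(parse_record(b"\x05hello world"))                    # b'hello'
    print(len(parse_record_unchecked(b"\x20" + b"A" * 32)))     # 32, past a 16-byte buffer
    print(demo_exclusive_create())                               # refused, kept first
```

The unchecked parser does not crash in Python, which is the point: the language hides the corruption a C program would suffer, but the logic error (accepting a length the buffer cannot hold) is identical and is what the validation must catch.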
What do you call it when attacks consume Web application resources to a point where other legitimate users can no longer access or use the application? a. Buffer overflows b. Injection flaws c. Denial-of-service d. Improper error handling
c. In denial-of-service attacks, attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
Desk-checking is practiced in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
c. In desk-checking, programming code is read by an expert, other than the author of the code, who performs any of the following: (i) looking over the code for obvious defects, (ii) checking for correct procedure interfaces, (iii) reading the comments to develop a sense of what the code does and then comparing it to its external specifications, (iv) comparing comments to design documentation, (v) stepping through with input conditions contrived to exercise all paths including those not directly related to the external specifications, (vi) checking for compliance with programming standards and conventions, or (vii) any combination of these. As can be seen, desk-checking is a technical exercise performed by programmers.
A formal authorization to operate an information system is obtained in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Disposal
c. In the implementation phase, the organization configures and enables system security features, tests the functionality of these features, installs or implements the system, and finally, obtains a formal authorization to operate the system.
In the needs-determination task of the system development life cycle (SDLC) initiation phase, which of the following optimizes the organization's system needs within budget constraints? a. Fit-gap analysis b. Risk analysis c. Investment analysis d. Sensitivity analysis
c. Investment analysis is defined as the process of managing the enterprise information system portfolio and determining an appropriate investment strategy. The investment analysis optimizes the organization's system needs within budget constraints. Fit-gap analysis identifies the differences between what is required and what is available; or how two things fit or how much gap there is between them. Risk analysis is determining the amount of risk and sensitivity analysis can determine the boundaries of the risk in terms of changing input values and the accompanying changes in output values.
Which of the following is an effective means of preventing and detecting computer viruses coming from outside into a network? a. Install an antivirus program on the network. b. Install an antivirus program on each personal computer. c. Certify all removable media disks prior to their use. d. Train all employees about potential risks.
c. It is a common practice for some organizations to certify all removable media disks coming into the organization from outside prior to their use. This is done by a centralized group for the entire location and requires testing the disk for possible inclusion of viruses. The other three choices are effective as internal protection mechanisms against viruses.
The initiation phase of the security certification and accreditation process does not contain which of the following? a. Preparation b. Resource identification c. Action plan and milestones d. Security plan acceptance
c. The action plan and milestones document belongs to a later phase of the security certification and accreditation process; it describes the measures that have been implemented or planned to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known system vulnerabilities. The other three choices are part of the initiation phase, which is the first phase, where it is too early to develop the action plan and milestones.
In a distributed computing environment, replicated servers could have negative impact on which of the following? a. Fault-tolerant mechanisms b. Availability c. Scalability d. Recoverability
c. Just as replication complicates concurrency control, it can affect scalability. The major concern in scalability is determining the effect of increased scale on client performance. Additional storage sites increase the amount of work servers must do to maintain a consistent state of the file system. Similarly, clients in a replicated file system may have more work to do when they make file updates. For this reason, both clients and servers share portions of system management work. Fault-tolerant mechanisms, availability, and recoverability are incorrect. Replicated servers have a positive impact on system availability and recoverability. If the primary server fails, the replicated server takes over, thus making the system available to system users. Recovery protocols help both servers and clients recover from system failures. Fault-tolerant mechanisms such as disk mirroring and disk duplexing help in recovering from a system failure. They all have a positive effect.
Which of the following is a nonresident virus? a. Master boot sector virus b. File infector virus c. Macro virus d. Boot-sector infector
c. Macro viruses are nonresident viruses. A resident virus is one that loads into memory, hooks one or more interrupts, and remains inactive in memory until some trigger event. All boot viruses and most common file viruses are resident viruses. Macro viruses are found in documents, not in disks.
Most Trojan horses can be prevented and detected by which of the following? a. Removing the damage b. Assessing the damage c. Installing program change controls d. Correcting the damage
c. Most Trojan horses can be prevented and detected by a strong program change control in which every change is independently examined before being put into use. After a Trojan horse is detected, the cure is to remove it. Next, try to find all the damage it has done and correct that damage.
Which of the following infects both boot sectors and files? a. Worm b. Link virus c. Multi-partite d. Macro
c. Multi-partite viruses are a combination of both sector- and file-infector viruses, which can be spread by both methods. A worm is a self-replicating, self-contained program and does not require a host program. Link viruses manipulate the directory structure of the media on which they are stored, pointing the operating system to virus code instead of legitimate code. Macro viruses are stored in a spreadsheet or word processing document.
Which of the following virus obfuscation techniques is difficult for antivirus software to overcome? a. Self-encryption b. Polymorphism c. Metamorphism d. Stealth
c. Older obfuscation techniques, including self-encryption, polymorphism, and stealth, are generally handled effectively by antivirus software. However, newer, more complex obfuscation techniques, such as metamorphism, are still emerging and can be considerably more difficult for antivirus software to overcome. The idea behind metamorphism is to alter the content of the virus itself, rather than hiding the content with encryption. Self-encryption is incorrect because some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination. Polymorphism is incorrect because it is a particularly robust form of self-encryption where the content of the underlying virus code body does not change; encryption alters its appearance only. Stealth virus is incorrect because it uses various techniques to conceal the characteristics of an infection, such as interfering with file sizes.
Defining roles and responsibilities is important in identifying infected hosts with malware incidents before security incidents occur. Which of the following groups can primarily assist in analyzing routers? a. Security administrators b. System administrators c. Network administrators d. Desktop administrators
c. Organizations should identify which individuals or groups can assist in infection identification efforts. Network administrators are best placed to analyze routers, to analyze network traffic with packet sniffers, and to spot network misconfigurations. The roles of the administrators in the other three choices are different, reflecting separation of duties, independence, and objectivity.
All the following are examples of measures to defend against computer viruses except: a. Access controls b. Audit trails c. Passwords d. Least privilege principle
c. Passwords are administrative controls, whereas access controls are technical controls. Access controls include discretionary access controls and mandatory access controls. An audit trail is the collection of data that provides a trace of user actions, so security events can be traced to the actions of a specific individual. To fully implement an audit trails program, audit reduction and analysis tools are also required. Least privilege is a concept that deals with limiting damage, enforced alongside separation of duties. It refers to the principle that users and processes should operate with no more privileges than those needed to perform the duties of the role they are currently assuming.
Which of the following should occur prior to a significant change in the processing of an information system? a. System recertification b. System reaccreditation c. System reauthorization d. System reassessment
c. Reauthorization should occur prior to a significant change in processing of an information system. A periodic review of controls should also contribute to future authorizations.
The capability of an application system to survive misuse by naive users is examined in which of the following testing approaches? a. Functional testing b. Performance testing c. Resiliency testing d. Recovery testing
c. Resiliency testing measures durability of the system. In functional testing, correctness of system operation under normal operating conditions is demonstrated. In performance testing, system throughput and response times under varying load conditions are demonstrated. In recovery testing, the ability of the system to resume operating after partial or total system failure is determined. Both the system and individual components are tested to determine the ability to operate within the fallback and recovery structure established for the system.
Security certification and accreditation is performed in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operations/maintenance
c. Security certification ensures that the controls are effectively implemented through established verification techniques and procedures and gives an organization confidence that the appropriate safeguards and countermeasures are in place to protect the organization's information systems. Security accreditation provides the necessary security authorization of an information system to process, store, or transmit information that is required. Both security certification and accreditation tasks are performed in the implementation phase.
Sensitivity analysis is conducted in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
c. Sensitivity analysis is a new method of quantifying ultra-reliable software during the implementation phase. It is based on a fault-failure model of software and is based on the premise that software testability can predict the probability that failure occurs when a fault exists given a particular input distribution. A sensitive location is one in which faults cannot hide during testing. The internal states are disturbed to determine sensitivity. This technique requires instrumentation of the code and produces a count of the total executions through an operation, an infection rate estimate, and a propagation analysis.
Software configuration management (SCM) should primarily address which of the following questions? a. How does software evolve during system development? b. How does software evolve during system maintenance? c. What constitutes a software product at any point in time? d. How is a software product planned?
c. Software configuration management (SCM) is a discipline for managing the evolution of computer products, both during the initial stages of development and through to maintenance and final product termination. Visibility into the status of the evolving software product is provided through the adoption of SCM on a software project. Software developers, testers, project managers, quality assurance staff, and the customer benefit from SCM information. SCM answers questions such as (i) what constitutes the software product at any point in time? and (ii) what changes have been made to the software product? The other choices ask how a software product is planned, developed, or maintained; those describe the history of the product's evolution, which SCM records, rather than the question SCM primarily addresses.
Which of the following defines a management's formal acceptance of the adequacy of an application system's security? a. System certification b. Security certification c. System accreditation d. Security accreditation
c. System accreditation is a management's formal acceptance of the adequacy of an application system's security. The accreditors are responsible for evaluating the certification evidence, deciding on the acceptability of application security safeguards, approving corrective actions, ensuring that corrective actions are accomplished, and issuing the accreditation statement. System certification is the technical evaluation of compliance with security requirements for the purpose of accreditation. The technical evaluation uses a combination of security evaluation techniques (for example, risk analysis, security plans, validation, verification, testing, security safeguard evaluation, and audit) and culminates in a technical judgment of the extent to which safeguards meet security requirements. Security certification is a formal testing of the security controls (safeguards) implemented in the computer system to determine whether they meet applicable requirements and specifications. Security accreditation is the formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk. It is usually supported by a review of the system, including its management, operational, and technical controls. A system certification is conducted first and system accreditation is next because the former supports the latter. Security certification and security accreditation processes follow the system certification and system accreditation processes.
Which of the following does not facilitate self-assessments or independent security audits of an information system? a. Internal control reviews b. Penetration testing c. Developing security controls d. Security checklists
c. System assessors or auditors do not develop security controls due to loss of objectivity in thinking and loss of independence in appearance. Security controls should be built by system designers and developers prior to performing internal control reviews, conducting penetration testing, or using security checklists by system assessors or auditors. Internal control reviews, penetration testing, and security checklists simply facilitate self-assessments or independent audits of an information system later.
Which of the following fully characterizes an information system's security? a. Confidentiality b. Integrity c. Assurance d. Availability
c. System assurance is the basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the data and information it processes. For example, software assurance achieves trustworthiness and predictable execution. The three well-accepted and basic-level security objectives are confidentiality, integrity, and availability, and assurance can be considered an advanced-level security objective because the former culminate in the latter. What good is an information system that cannot provide full assurance with regard to its security?
Which of the following phases of a system development life cycle (SDLC) should not be compressed so much for the proper development of a prototype? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
c. System testing, which is a part of implementation, is important to determine whether internal controls and security controls are operating as designed and are in accordance with established policies and procedures. In the prototyping environment, there is a tendency to compress system initiation, definition, design, programming, and training phases. However, the testing phase should not be compressed so much for quality reasons. By definition, prototyping requires some compression of activities and time due to the speedy nature of the prototyping development methodology without loss of the main features, functions, and quality.
Which of the following levels of the software capability maturity model (CMM) is the most basic in establishing discipline and control in the software development process? a. Initial level b. Defined level c. Repeatable level d. Managed level
c. The Software Engineering Institute (SEI) is a nationally recognized, federally funded research and development center established in the United States to address software development issues. It developed a process maturity framework that would help organizations improve their software development process. In general, the CMM serves as an indicator of the likely range of cost, schedule, and quality results to be achieved by system development projects within an organization. In the repeatable level, basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications. The other three choices are not applicable because the correct answer is based on the definition of CMM levels.
The security accreditation decision does not exclusively depend on which of the following? a. Verified effectiveness of security controls b. Completed security plan c. Security test and evaluation results d. Plan of actions and milestones
c. The authorizing official in charge of the security accreditation process relies primarily on the other three choices, but not exclusively on the security test and evaluation results produced during the security control verification process. The authorizing official pays more attention to the other three choices because of their significance.
The contingency processes should be tested in which of the following phases of system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
c. The contingency processes should be tested during the implementation phase of the SDLC. The capability to recover and reconstitute data should be considered during the initiation phase, recovery strategies should be considered during the development/acquisition phase, and the contingency plan should be exercised and maintained during the operation/maintenance phase.
Assume that a new computer worm is released that can spread rapidly and damage any computer in an organization unless it is stopped. The organization has 1,000 computers, the budget for in-house technical support is $500,000 per year, and the budget for outsourced technical support is $600,000. It takes an average of 4 hours for one technical support worker to rebuild a computer at a rate of $70 per hour for wages and benefits. What is the total cost for not mitigating the worm release? a. $280,000 b. $500,000 c. $560,000 d. $600,000
c. The cost not to mitigate = W × T × R, where W is the number of computers or workstations, T is the time spent fixing systems plus lost user productivity, and R is the hourly rate of time spent or lost. During downtime, the computer owner or user is without a computer to do his work, which should be added to the time required to rebuild a computer. This is translated into $560,000 (i.e., 1,000 computers × 8 hours × $70 per hour). $280,000 is incorrect because it fails to take into account the lost user productivity time. This is translated into $280,000 (i.e., 1,000 computers × 4 hours × $70 per hour). $500,000 is incorrect because it assumes the budget for in-house technical support. $600,000 is incorrect because it assumes the budget for outsourced technical support.
System integration is performed in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
c. The new system is integrated at the operational site where it is to be deployed for operation. Security control settings and switches are enabled.
Boundary-value analysis is conducted in which of the following phases of a system development life cycle (SDLC)? a. Requirements b. Design c. Implementation d. Maintenance
c. The purpose of boundary-value analysis is to detect and remove errors occurring at parameter limits or boundaries. The input domain of the program is divided into a number of input classes. The tests should cover the boundaries and extremes of the classes. The tests check that the boundaries of the input domain of the specification coincide with those in the program. Test cases should also be designed to force the output to its extreme values. If possible, a test case that causes output to exceed the specification boundary values should be specified. If output is a sequence of data, special attention should be given to the first and last elements and to lists containing zero, one, and two elements.
Which of the following tests would be conducted when an application system in an organization exchanges data with external application systems? a. Unit test b. Integration test c. End-to-end test d. System acceptance test
c. The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which collectively support an organizational core business area or function, interoperate as intended in an operational environment. These interrelated systems include not only those owned and managed by the organization, but also the external systems with which they interface. Unit test is incorrect because its purpose is to verify that the smallest defined module of software (i.e., individual subprograms, subroutines, or procedures) works as intended. These modules are internal to an organization. Integration test is incorrect because its purpose is to verify that units of software, when combined, work together as intended. Typically, a number of software units are integrated or linked together to form an application. Again, this test is performed internally in an organization. System acceptance test is incorrect because its purpose is to verify that the complete system satisfies specified requirements and is acceptable to end users.
Error-seeding is planted in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
c. The purpose of error-seeding is to determine whether a set of test cases is adequate. Some known error types are inserted into the program, and the program is executed with the test cases under test conditions. If only some of the seeded errors are found, the test case set is not adequate. One can estimate the number of errors remaining by subtracting the number of real errors found from the total number of real errors. The remaining test effort can then be estimated. If all the seeded errors are found, this indicates that either the test case set is adequate or that the seeded errors were too easy to find.
Mutation analysis is performed in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
c. The purpose of mutation analysis is to determine the thoroughness with which a program has been tested and, in the process, detect errors. This procedure involves producing a large set of versions, or mutants, of the original program, each derived by altering a single element of the program (for example, changing an operator, variable, or constant). Each mutant is then tested with a given collection of test data sets. Because each mutant is essentially different from the original, the testing should demonstrate that each is different. If each of the outputs produced by the mutants differs from the output produced by the original program and from each other, then the program is considered adequately tested and correct. Mutation analysis requires good automated tools to be effective.
The security-planning document developed in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following? a. System interconnection agreements b. Security tests and evaluation results c. Request for proposal d. Plan of actions and milestones
c. The request for proposal development, evaluation, and acceptance are a part of other planning components in the development/acquisition phase of an SDLC. It is a part of project management activities. The other three choices are part of the security-planning document.
Which of the following security accreditation authority's decision scenarios require justification for the decision? 1. Full accreditation of the system 2. Accredit the system with conditions 3. Deny the system accreditation 4. Defer the system accreditation a. 1 only b. 2 only c. 1, 2, or 3 d. 1, 2, 3, or 4
c. The security accreditation authority has three major scenarios to work with: (i) accredit the system fully, (ii) accredit the system with conditions, or (iii) deny the system accreditation. In any case, supporting rationale (justification) for the decision is needed. In some cases, the system accreditation can be deferred based on sudden changes in regulatory requirements or unexpected merger and acquisition activities in the company. Management can come back to the deferred decision later.
Which of the following requires a higher level of security protection in terms of security controls? a. Test procedures b. Test cases c. Test repository d. Test plans
c. The test repository consists of test plans, test cases, test procedures, test requirements, and test objectives maintained by the software test manager. Because of the concentration of work products, the test repository needs a higher level of security protection from unauthorized changes. Test procedures, test cases, and test plans are part of the test repository.
Which of the following statements is not true about a system development life cycle (SDLC) process? a. Systems undergo improvements in technology. b. Security plans evolve with the follow-on system. c. There is a definitive end to an SDLC. d. Much of previous operational controls are relevant to the follow-on system.
c. Usually, there is no definitive end to an SDLC process because the system can become a legacy system for a long time or it can eventually be replaced with a new system. Systems evolve or transition to the next generation as follow-on systems with changing requirements and technology. Security plans evolve with the system. Many of the management and operational controls in the old, legacy system are still relevant and useful in developing the security plan for the follow-on system.
Which of the following is the best place to check for computer viruses? a. Each computer b. Each workstation c. The e-mail server d. Each network
c. Virus checkers monitor computers and look for malicious code. A problem is that virus-checking programs need to be installed at each computer, workstation, or network, thus duplicating the software at extra cost. The best place to use the virus-checking programs is to scan e-mail attachments at the e-mail server. This way, the majority of viruses are stopped before ever reaching the users.
Which of the following is a reactive countermeasure in defending against worms? a. Packet filtering firewalls b. Stackguarding c. Virus scanning tool d. Virtual machine
c. Virus scanners, being one of the reactive (detective) countermeasures, search for "signature strings" or use algorithmic detection methods to identify known viruses. These reactive methods have no hope of preventing fast-spreading worms or worms that use zero-day exploits to carry out their attacks. The other three choices are examples of proactive (preventive) countermeasures. Packet-filtering firewalls block all incoming traffic except what is needed for the functioning of the network. Stackguarding prevents worms from gaining increased privileges on a system. A virtual machine prevents potentially malicious software from using the operating system for illicit actions.
A polymorphic virus uses which of the following? a. Inference engine b. Heuristic engine c. Mutation engine d. Search engine
c. Virus writers use a mutation engine to transform simple viruses into polymorphic ones for proliferation purposes and to evade detection. The other three choices do not deal with the transformation process.
Which of the following is the correct tool and technology deployment sequence for containing malware incidents, especially when a worm attacks the network service? 1. Internet border and internal routers 2. Network-based firewalls 3. Network- and host-based antivirus software 4. Host-based firewalls a. 1, 2, 4, and 3 b. 2, 3, 1, and 4 c. 3, 4, 2, and 1 d. 4, 2, 1, and 3
c. When organizations develop strategies for malware incident containment, they should consider developing tools to assist incident handlers in selecting and implementing containment strategies quickly when a serious incident occurs. Network- and host-based antivirus software detects and stops the worm, and identifies and cleans the infected systems. Host-based firewalls block worm activity from entering or exiting hosts; the host-based firewall itself is reconfigured to prevent exploitation by the worm, and the host-based firewall software is updated so that it is no longer exploitable. Network-based firewalls detect and stop the worm from entering or exiting networks and subnets. Internet border and internal routers detect and stop the worm from entering or exiting networks and subnets if the volume of traffic is too high for network firewalls to handle or if certain subnets need greater protection. The incorrect sequences listed in the other three choices do not contain malware incidents because their combined effect is not as strong and effective as the correct sequence.
Blended attacks use which of the following? 1. Multiple infection methods 2. Multiple transmission methods 3. Multiple transmission methods simultaneously 4. Multiple infection methods in sequence a. 1 only b. 2 only c. 3 only d. 1, 2, 3, and 4
d. A blended attack is an instance of malware that uses multiple infection or transmission methods. Blended attacks can spread through such services as instant messaging and peer-to-peer (P2P) file sharing. Blended attacks do not have to use multiple methods simultaneously to spread; they can also perform multiple infections in sequence.
Which of the following is a malicious code that replicates using a host program? a. Boot sector virus b. Worm c. Multi-partite virus d. Common virus
d. A common virus is code that plants a version of itself in any program it can modify. It is a self-replicating code segment attached to a host executable. The boot-sector virus works during computer booting, when the master boot sector and boot sector code are read and executed. A worm is a self-replicating program that is self-contained and does not require a host program. A multi-partite virus combines both boot-sector and file-infector virus characteristics.
Rootkits are often used to install which of the following attacker tools? 1. Web browser plug-ins 2. E-mail generators 3. Backdoors 4. Keystroke loggers a. 1 only b. 2 only c. 3 only d. 3 and 4
d. A rootkit is a collection of files installed on a system to alter the standard functionality of the system in a malicious and stealthy way. Rootkits are often used to install attacker tools such as backdoors and keystroke loggers on a system. A Web browser plug-in provides a way for certain types of content to be displayed or executed through a Web browser. Attackers sometimes create malicious plug-ins that act as spyware. An example is the spyware dialer, which uses modem lines to dial phone numbers without the user's permission or knowledge. Some dialers are in forms other than Web browser plug-ins, such as Trojan horses. Malware can deliver an e-mail-generating program to a system, which can be used to create and send large quantities of e-mail to other systems without the user's permission or knowledge. Attackers often configure e-mail generators to send malware, spyware, spam, or other unwanted content to e-mail addresses on a predetermined list.
All the following techniques can help in achieving process isolation security principle except: a. Encapsulation b. Naming distinctions c. Virtual mapping d. Security kernel
d. A security kernel is defined as hardware, firmware, and software elements of a Trusted Computing Base (TCB) that implements the reference monitor concept. A security kernel cannot achieve process isolation. Techniques such as encapsulation, time multiplexing of shared resources, naming distinctions, and virtual mapping are used to employ the process isolation or separation principle. These separation principles are supported by incorporating the principle of least privilege.
What is the correct sequence of application software testing? a. Integration test, unit test, systems test, acceptance test b. Unit test, systems test, integration test, acceptance test c. Acceptance test, unit test, integration test, systems test d. Unit test, integration test, systems test, acceptance test
d. A system development life cycle moves through the unit test, integration test, system test, and acceptance test in that sequence. Programmers perform both the unit test and integration tests, whereas system testing is conducted jointly between users and programmers. End users and production operations staff, from their own viewpoint, perform acceptance testing. The quality of a computer system is enhanced if this sequence is followed during software testing.
Which of the following is a less-formal review technique? a. Inspections b. Traceability analysis c. Reviews d. Walkthroughs
d. A walkthrough is an evaluation technique in which a designer or programmer leads one or more other members of the development team through a segment of design or code, while the other members ask questions, make comments about technique and style, and identify possible errors, violations of development standards, and other problems. Walkthroughs are similar to reviews but are less formal. Inspections are incorrect because they are an evaluation technique in which application software requirements, design, code, or other products are examined by a person or group other than the author to detect faults, violations of development standards, and other problems. Inspections are more formal than walkthroughs. Traceability analysis is incorrect because it is the process of verifying that each specified requirement has been implemented in the design/code, that all aspects of the design/code have their basis in the specified requirements, and that testing produces results compatible with the specified requirements. Traceability analysis is more formal than walkthroughs. Reviews are incorrect because a review is a meeting at which the requirements, design, code, or other products of a software development project are presented to the user, sponsor, or other interested parties for comment and approval, often as a prerequisite for concluding a given phase of the software development process. Reviews are more formal than walkthroughs.
Which of the following best defines adequate information security? 1. Security commensurate with risk and harm. 2. Operating systems and applications operate effectively. 3. Operating systems and applications meet security objectives. 4. Operating systems and applications use cost-effective security controls. a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4
d. Adequate information security means (i) security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information, (ii) operating systems and applications operate effectively, (iii) operating systems and applications provide appropriate confidentiality (C), integrity (I), and availability (A), known as CIA security objectives, and (iv) security objectives use cost-effective management, operational, and technical controls (security controls).
Worms do which of the following? 1. Waste system resources 2. Waste network resources 3. Install backdoors 4. Perform distributed denial-of-service attacks a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 1, 2, 3, and 4
d. Although some worms are intended mainly to waste system and network resources, many worms damage systems by installing backdoors, performing distributed denial-of-service (DDoS) attacks against other hosts, or performing other malicious acts.
Inspections cannot detect which of the following errors in application software? a. Incomplete requirements errors b. Infeasible requirements errors c. Conflicting requirements errors d. Input/output description errors
d. An inspection is an evaluation technique in which software requirements, design, code, or other products are examined by a person or group, other than the author, to detect faults, violations of development standards, and other problems. Input/output description errors are detected in the interface testing phase. The type of errors detected in inspections includes incomplete requirements errors, infeasible requirements errors, and conflicting requirements errors.
Backdoors listen for commands on which of the following? 1. Source port 2. Destination port 3. TCP port 4. UDP port a. 1 only b. 2 only c. 1 or 2 d. 3 or 4
d. A backdoor is a general term for a malicious program that listens for commands on a certain TCP or UDP port. Most backdoors consist of a client component and a server component. The client resides on the intruder's remote computer, and the server resides on the infected system. When a connection between client and server is established, the remote intruder has some degree of control over the infected computer. Both source port and destination port are incorrect because they are too generic to be of any use here.
Which of the following threats rely entirely on social engineering techniques? 1. Trojan horse 2. Mobile code 3. Phishing 4. Virus hoaxes a. 1 and 2 b. 2 and 3 c. 1 and 3 d. 3 and 4
d. Both phishing and virus hoaxes rely entirely on social engineering, which is a general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious. Phishing refers to using deceptive computer-based means to trick individuals into disclosing sensitive personal information. Virus hoaxes are false virus warnings. The majority of virus alerts that are sent via e-mail among users are actually hoaxes. Trojan horse is incorrect because it is a non-replicating program that appears to be benign but actually has a hidden malicious purpose. Mobile code is incorrect because it is software that is transmitted from a remote system to be executed on a local system, typically without the user's explicit instruction. Trojan horses and mobile code do not rely on social engineering.
Lessons learned from major malware incidents improve which of the following? 1. Security policy 2. Software configurations 3. Malware prevention software deployments 4. Malware detection software deployments a. 1 only b. 1 and 2 c. 3 and 4 d. 1, 2, 3, and 4
d. Capturing the lessons following the handling of a malware incident should help an organization improve its incident handling capability and malware defenses, including needed changes to security policy, software configurations, and malware detection and prevention software deployments.
Certification and accreditation needs must be considered in all the following phases of system development life cycle except: a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
d. Certifications performed on applications under development are interleaved with the system development process. Certification and accreditation needs must be considered in the validation, verification, and testing phases employed throughout the system development process (i.e., development and implementation). It does not address the operation/maintenance phase.
Which of the following is not one of the primary goals of certification and accreditation of information systems? a. To enable consistent assessment of security controls b. To promote a better understanding of organization-wide risks c. To deliver reliable information to management d. To conduct reaccreditation reviews periodically
d. Conducting reaccreditation reviews periodically is a mechanical step (a byproduct of the goal) and a secondary goal. The primary goals of certification and accreditation of information systems are to (i) enable more consistent, comparable, and repeatable assessments of security controls in information systems, (ii) promote a better understanding of organization-related risks resulting from the operation of information systems, and (iii) create more complete, reliable, and trustworthy information for authorizing officials (management) to facilitate more informed security accreditation decisions.
Configuration management and control is performed in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operations/maintenance
d. Configuration management and control ensures adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. It is a task performed in the operation/maintenance phase.
Which of the following system development life cycle (SDLC) phases establishes an initial baseline of hardware, software, and firmware components for the information system? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
d. Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system. This task is performed in the operation/maintenance phase so that changes can be tracked and monitored. Prior to this phase, the system is in a fluid state, meaning that initial baselines cannot be established.
Configuration management change control and auditing takes place in which of the following system development life cycle (SDLC) phases? a. Initiation b. Acquisition/development c. Implementation d. Operation/maintenance
d. Configuration management change control and auditing takes place in the operation/maintenance phase of the SDLC. The phases in the other three choices are too early for this activity to take place.
Constant monitoring of an information system is performed with which of the following? 1. Risk management 2. Security certification 3. Security accreditation 4. Configuration management processes a. 1 and 2 b. 2 and 3 c. 1, 2, and 3 d. 1, 2, 3, and 4
d. Constant monitoring of a system is performed to identify possible risks to the system so that these can be addressed through the risk management, security certification and accreditation, and configuration management processes.
Continuous monitoring is performed in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operations/maintenance
d. Continuous monitoring ensures that controls continue to be effective in their application through periodic testing and evaluation. It is a task performed in the operation/maintenance phase.
Periodic reaccreditation of a system is done in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
d. Documenting information system changes and assessing the potential impact of these changes on the security of a system is an essential part of continuous monitoring and key to avoiding a lapse in the system security reaccreditation. Periodic reaccreditation is done in the operation phase.
Which of the following application system development approaches best brings the operational viewpoint to the requirements specification phase? a. Waterfall model b. Incremental development model c. Evolutionary development model d. Rapid prototyping model
d. Due to its iterative process and end-user involvement, the rapid prototyping model brings the operational viewpoint to the requirements specification phase. Requirements are defined, refined, tested, and changed until the end user has no further changes to make. Later, these requirements become input to the design work. The waterfall model is incorrect because it does not bring the operational viewpoint to the requirements phase until the system is completely implemented. Although the incremental development model and the evolutionary development model are better than the waterfall model, they are not as good as rapid prototyping in terms of bringing the operational viewpoint to the requirements specification.
System performance is monitored in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
d. During the operation/maintenance phase, the organization should continuously monitor performance of the system to ensure that it is consistent with pre-established user and security requirements and that all needed system modifications are incorporated into the system. Monitoring is done in the operation/maintenance phase of the SDLC because all the development work is completed, and the system should start delivering results. During the implementation phase, the system is tested and employees are trained; the system is not yet in the production (operation/maintenance) phase in which system performance is monitored.
What should be in place prior to the security certification and accreditation process? a. The security plan is analyzed. b. The security plan is updated. c. The security plan is accepted. d. The security plan is developed.
d. During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted. For this to happen, the system security plan must have been developed and in place.
Organizations should strongly consider rebuilding a system that has which of the following malware incident characteristics? 1. Unauthorized administrator-level access. 2. Changes to system files. 3. The system is unstable. 4. The extent of damage is unclear. a. 1 only b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4
d. If an incident has resulted in unauthorized administrator-level access, changes to system files, an unstable system, or damage whose extent is unclear, organizations should be prepared to rebuild each affected system.
System users must perform which of the following when new security controls are added to an existing application system? a. Unit testing b. Subsystem testing c. Full system testing d. Acceptance testing
d. If new security controls are added to an existing application system or to a support system, system users must perform additional acceptance tests of these new controls. This approach ensures that new controls meet security specifications and do not conflict with or invalidate existing controls.
What do you call it when an attack can cause errors to occur, which the Web application does not handle? a. Buffer overflows b. Injection flaws c. Denial-of-service d. Improper error handling
d. Improper error handling means error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
What do you call attacks that can disclose the end users' session token and attack the local machine? a. Broken access control b. Invalidated input c. Broken authentication d. Cross-site scripting flaws
d. In cross-site scripting (XSS) flaws, the Web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
Additional testing or analysis may be needed in which of the following operational decision choices of the configuration management process? a. Approve b. Implement c. Deny d. Defer
d. In the "defer" choice, an immediate decision is postponed until further notice. In this situation, additional testing or analysis may be needed before a final decision can be made later. On the other hand, the approve, implement, and deny choices do not require additional testing and analysis because management is already satisfied with the testing and analysis.
From a risk management viewpoint, new system interfaces are addressed in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
d. In the operation/maintenance phase of the SDLC, risk management activities are performed whenever major changes are made to an IT system in its operational (production) environment (for example, new system interfaces).
A proactive role to protect an organization from computer-related failures, malfunctions, or disasters is to: a. Train every employee in the emergency procedures. b. Conduct fire drills regularly every month. c. Train all IT staff in file rotation procedures. d. Incorporate recovery requirements into system design.
d. Incorporation of recovery requirements into system design can provide automatic backup and recovery procedures. This helps to prepare for disasters in a timely manner. Training every employee in emergency procedures is incorrect because it does not guarantee that they can respond to a disaster in an optimal manner when needed. Conducting fire drills regularly every month is incorrect because the scope of a fire drill may not address all possible scenarios. Disaster recovery goes beyond fire drills, although a fire drill is good practice. Training all IT staff in file rotation procedures is incorrect because only key people need to be trained.
Which of the following occurs after delivery and installation of a new information system under acquisition? a. Unit testing b. Subsystem testing c. Full system testing d. Integration and acceptance testing
d. Integration and acceptance testing occurs after delivery and installation of the new information system. Unit, subsystem, and full system testing are conducted for an in-house developed system, not for an acquired system. Integration and acceptance testing is what is conducted for an acquired system.
In the preliminary risk assessment task of the system development life cycle (SDLC) initiation phase, integrity needs from a user's or owner's perspective are defined in terms of which of the following? a. Place of data b. Timeliness of data c. Form of data d. Quality of data
d. Integrity can be examined from several perspectives. From a user's or application owner's perspective, integrity is the quality of data that is based on attributes such as accuracy and completeness. The other three choices do not reflect the attributes of integrity.
Information system assurance is achieved through which of the following? 1. Understanding of the threat environment 2. Evaluation of system requirements sets 3. Knowledge of hardware and software engineering principles 4. Availability of product and system evaluation results a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4
d. System assurance is the grounds for confidence that a system meets its security expectations. Good understanding of the threat environment, evaluation of system requirements sets, knowledge of hardware and software engineering principles, and the availability of product and system evaluation results are required for system assurance.
Which of the following statements are true about malicious mobile code? 1. It does not infect files. 2. It does not attempt to propagate itself. 3. It takes advantage of the default privileges. 4. It uses languages such as Java and ActiveX. a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4
d. Malicious mobile code differs significantly from viruses and worms in that it does not infect files and does not attempt to propagate itself. Instead of exploiting particular vulnerabilities, it often affects systems by taking advantage of the default privileges granted to mobile code. It uses popular languages such as Java, ActiveX, JavaScript, and VBScript. Although mobile code is typically benign, attackers have learned that malicious code can be an effective way of attacking systems, as well as a good mechanism for transmitting viruses, worms, and Trojan horses to users' workstations.
Which of the following is the most effective approach in identifying infected hosts with malware incidents and in striking a balance between speed, accuracy, and timeliness? a. Forensic identification b. Active identification c. Manual identification d. Multiple identifications
d. Malware is malicious software or malicious code. In many cases it is most effective to use multiple identification approaches, simultaneously or in sequence, because no single approach balances speed, accuracy, and timeliness on its own. Combining approaches also matters in incidents where a malicious code infection leads to unauthorized access to a host, which is then used to gain unauthorized access to additional hosts or to launch further attacks (for example, DoS and DDoS attacks). Forensic identification, which examines data that has already been collected (for example, antivirus, intrusion detection, and firewall logs), is effective when that data is recent, although it might not be comprehensive. Active identification, which scans hosts for signs of infection, produces the most accurate results, although it is often not the fastest way of identifying infections because every host in the organization must be scanned. Manual identification, which relies on users and administrators reporting symptoms, is not feasible for comprehensive enterprise-wide identification, but it is a necessary part of identification when other methods are not available and it fills gaps when other methods are insufficient.
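As an added illustration of combining the three approaches (this is example code written for this page, not from the source or from NIST guidance), the script below merges a forensic source (an antivirus log), an active source (per-host scan results), and a manual source (help-desk reports). The log lines, host names, and threat names are constructed; the `min_sources` threshold is an assumption used to show how corroboration across approaches raises confidence.

```python
"""Combine forensic, active and manual malware-identification sources.

Added example; all log lines, host names and scan results are constructed.
"""
from collections import defaultdict

# Forensic source: antivirus alerts already logged (constructed lines).
AV_LOG = """\
2024-03-02T08:14:11Z host=ws-017 action=quarantine threat=Trojan.Agent
2024-03-02T08:15:40Z host=ws-042 action=clean threat=Adware.Generic
2024-03-02T09:02:03Z host=ws-017 action=quarantine threat=Trojan.Agent
2024-03-02T09:30:00Z host=srv-db1 action=detected threat=Worm.Foo
"""

# Active source: result of scanning every host for a known indicator
# (for example a file hash or registry key). Constructed results.
ACTIVE_SCAN = {
    "ws-017": True,
    "ws-042": False,
    "ws-099": True,   # missed by the AV log because its signatures were stale
    "srv-db1": False,
}

# Manual source: help-desk tickets from users reporting symptoms (constructed).
MANUAL_REPORTS = ["ws-042", "ws-099"]


def parse_av_log(text):
    """Return {host: [threat, ...]} for AV events that indicate a live infection."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        # First token is the timestamp; the rest are key=value pairs.
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("action") in ("detected", "quarantine"):
            hits[fields["host"]].append(fields["threat"])
    return dict(hits)


def identify_infected(av_text, active_results, manual_reports, min_sources=1):
    """Merge the three approaches.

    Returns {host: sorted list of approaches that flagged it}, keeping only
    hosts flagged by at least min_sources approaches. min_sources=1 favours
    speed (every lead is kept); a higher value favours accuracy.
    """
    sources = defaultdict(set)
    for host in parse_av_log(av_text):
        sources[host].add("forensic")
    for host, positive in active_results.items():
        if positive:
            sources[host].add("active")
    for host in manual_reports:
        sources[host].add("manual")
    return {h: sorted(s) for h, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    for threshold in (1, 2):
        print(f"min_sources={threshold}:",
              identify_infected(AV_LOG, ACTIVE_SCAN, MANUAL_REPORTS, threshold))
```

With `min_sources=1` every host flagged by any approach is listed; `ws-099` appears only because the active scan and a user report caught what the stale antivirus log missed, which is the gap-filling role the answer describes.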
Which of the following are the two key information security steps of the operation phase within the system development life cycle (SDLC)? 1. Information preservation 2. Security accreditation 3. Configuration management and control 4. Continuous monitoring a. 1 and 2 b. 2 and 3 c. 1 and 4 d. 3 and 4
d. Managing and controlling the configuration of the system and providing for a process of continuous monitoring are the two key information security steps of the operation/maintenance phase of an SDLC. Information preservation is an activity of the disposal phase, whereas security accreditation is an activity of the implementation phase of an SDLC.
To overcome resistance to a change, which of the following approaches provides the best solution? a. The change is well planned. b. The change is fully communicated. c. The change is implemented in a timely way. d. The change is fully institutionalized.
d. Managing change is a difficult process. People resist change due to a certain amount of discomfort that a change may bring. It does not matter how well the change is planned, communicated, or implemented if it is not spread throughout the organization evenly. Institutionalizing the change means changing the climate of the company. This needs to be done in a consistent and orderly manner. Any major change should be done using a pilot approach. After a number of pilots have been successfully completed, it is time to use these success stories as leverage to change the entire company.
Media sanitization activity is usually most intense during which of the following phases of the system development life cycle (SDLC)? a. Development/acquisition b. Implementation c. Operation/maintenance d. Disposal
d. Media sanitization ensures that data is deleted, erased, and written over as necessary. Media sanitization and information disposition activity is usually most intense during the disposal phase of the system life cycle. However, throughout the life of an information system, many types of data storage media will be transferred outside positive control, and some will be reused during all phases of the SDLC. This media sanitization activity may be for maintenance reasons, system upgrades, or during a configuration update.
Defining roles and responsibilities is important in identifying infected hosts with malware incidents before security incidents occur. Which of the following groups can primarily assist with changes in login scripts? a. Security administrators b. System administrators c. Network administrators d. Desktop administrators
d. Organizations should identify which individuals or groups can assist in infection identification efforts. Desktop administrators are best placed to identify changes in login scripts, Windows Registry entries, and file scan results, and to implement changes to login scripts. The roles of the other three administrator groups differ from a separation-of-duties, independence, and objectivity viewpoint.
Which of the following should be done to rebuild an infected host after a malware incident? 1. Reinstalling the operating system 2. Reinstalling the application systems 3. Securing the operating and application systems 4. Restoring the data from known good backups a. 1 and 2 b. 3 only c. 1, 2, and 3 d. 1, 2, 3, and 4
d. Rebuild each affected system by reinstalling and reconfiguring its operating system and applications, securing the operating system and applications, and restoring the data from known good backups.
The security accreditation phase does not contain which of the following? a. System security plan b. System security assessment report c. Plan of actions and milestones d. Security impact analyses
d. Security impact analyses are conducted in the continuous monitoring phase whenever there are changes to the information system. The other three choices are part of the security accreditation phase, which comes before the continuous monitoring phase.
Which of the following are essential activities of a comprehensive information security program for an organization on an ongoing basis? 1. Information preservation 2. Security test and evaluation 3. Security control monitoring 4. Security status reporting a. 1 and 2 b. 2 and 3 c. 1 and 4 d. 3 and 4
d. Security-control monitoring and reporting the status of the information system to appropriate management authorities are essential activities of a comprehensive information security program. Information preservation is a part of the disposal phase, whereas security test and evaluation is a part of the implementation phase of a system development life cycle (SDLC). Security-control monitoring and security status reporting are a part of the operation and maintenance phase of an SDLC, which is ongoing.
System assurance requires which of the following? 1. Proof-of-origin 2. Proof-of-delivery 3. Techniques 4. Metrics a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 3 and 4
d. System assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application. System assurance requires (i) techniques to achieve integrity, confidentiality, availability, and accountability and (ii) metrics to measure them. Proof-of-origin and proof-of-delivery are required in nonrepudiation.
Which of the following tasks must be performed before placing an information system into production operation? 1. Analyze functional requirements. 2. Analyze assurance requirements. 3. Conduct system design reviews. 4. Perform system tests. a. 1 and 2 b. 2 and 3 c. 2 and 4 d. 3 and 4
d. System design reviews and system tests should be performed in the implementation phase before placing the system into production operation to ensure that it meets all required security specifications. The results of the design reviews or system tests should be fully documented, updating as new reviews or tests are performed. Analysis of functional requirements and assurance requirements is done in the development/acquisition phase, which is prior to the implementation phase.
Which of the following application software testing approaches does not require stubs or drivers? a. Top-down approach b. Bottom-up approach c. Sandwich approach d. Big-bang approach
d. The big-bang approach puts all the units or modules together at once, with no stubs or drivers. In it, all the program units are compiled and tested at once. Top-down approach is incorrect because it uses stubs. The actual code for lower-level units is replaced by a stub, which is throwaway code that takes the place of the actual code. Bottom-up approach is incorrect because it uses drivers. Units at higher levels are replaced by drivers that emulate the procedure calls. Drivers are also a form of throwaway code. Sandwich approach is incorrect because it uses a combination of top-down (stubs) and bottom-up (drivers) approaches.
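To make the stub/driver distinction concrete, the following is an added example written for this page (not code from the source): a two-level order-processing module where the higher-level unit is tested top-down with a stub standing in for the payment unit, the lower-level unit is tested bottom-up with a driver that emulates its caller, and the big-bang variant wires the real units together. The functions, the `FakeGateway` class, and the amounts are hypothetical; the bottom-up driver deliberately probes the amount-validation boundary, since that is where an integration test earns its keep.

```python
"""Stubs (top-down), drivers (bottom-up) and big-bang integration of two units.

Added example; the order/payment module and all values are hypothetical.
"""


# --- Lower-level unit -----------------------------------------------------
def validate_amount(amount):
    """Reject non-integer, non-positive or implausibly large charges."""
    if not isinstance(amount, int) or amount <= 0 or amount > 1_000_000:
        raise ValueError(f"invalid amount: {amount!r}")
    return amount


def charge_card(card_token, amount, gateway):
    """Lower-level unit: validates, then charges through a payment gateway."""
    validate_amount(amount)
    return gateway.charge(card_token, amount)


# --- Higher-level unit ----------------------------------------------------
def place_order(order, charge):
    """Higher-level unit: totals the order and calls the injected charge function."""
    total = sum(item["price"] * item["qty"] for item in order["items"])
    receipt = charge(order["card"], total)
    return {"order_id": order["id"], "charged": total, "receipt": receipt}


SAMPLE_ORDER = {"id": 7, "card": "tok_abc", "items": [{"price": 250, "qty": 2}]}


# --- Top-down: a stub replaces the lower-level unit that is not yet integrated
def charge_stub(card_token, amount):
    """Throwaway stand-in for charge_card: records the call, returns canned data."""
    charge_stub.calls.append((card_token, amount))
    return "stub-receipt"


charge_stub.calls = []


def check_place_order_top_down():
    """Exercise place_order alone; only the stub observes the downstream call."""
    result = place_order(SAMPLE_ORDER, charge_stub)
    return result["charged"] == 500 and charge_stub.calls[-1] == ("tok_abc", 500)


# --- Bottom-up: a driver emulates the procedure calls the caller would make
class FakeGateway:
    """Test double for the external gateway so the driver runs offline."""

    def __init__(self):
        self.charges = []

    def charge(self, token, amount):
        self.charges.append((token, amount))
        return f"rcpt-{len(self.charges)}"


def drive_charge_card():
    """Driver: call charge_card directly with good and hostile amounts."""
    gateway = FakeGateway()
    outcomes = []
    for amount in (500, 0, -5, 2_000_000):
        try:
            outcomes.append(charge_card("tok_abc", amount, gateway))
        except ValueError:
            outcomes.append("rejected")
    return outcomes


# --- Big-bang: real units wired together, no stubs or drivers --------------
def integrate_big_bang():
    gateway = FakeGateway()  # only the external system is faked
    return place_order(SAMPLE_ORDER, lambda token, amt: charge_card(token, amt, gateway))


if __name__ == "__main__":
    print("top-down:", check_place_order_top_down())
    print("bottom-up:", drive_charge_card())
    print("big-bang:", integrate_big_bang())
```

Note that the stub and the driver are both thrown away once the real units are integrated; only the `FakeGateway` survives, because the external payment system is never part of the code under test.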
Which of the following is often overlooked when determining the cost of a new system's acquisition or development? a. Hardware b. Software c. Training d. Security
d. The capital planning process determines how much the acquisition or development of a new system will cost over its life cycle. These costs include hardware, software, personnel, and training. Another critical area often overlooked is security.
Which of the following tasks are performed during continuous monitoring step of the configuration management (CM) process? 1. Configuration verification tests 2. System audits 3. Patch management 4. Risk management a. 1 and 2 b. 2 and 3 c. 1, 2, and 3 d. 1, 2, 3, and 4
d. The configuration management (CM) process calls for continuous system monitoring to ensure that it is operating as intended and that implemented changes do not adversely impact either the performance or security posture of the system. Configuration verification tests, system audits, patch management, and risk management activities are performed to achieve the CM goal.
Which of the following phases of the security certification and accreditation process primarily deals with configuration management? a. Initiation b. Security certification c. Security accreditation d. Continuous monitoring
d. The fourth phase of the security certification and accreditation process, continuous monitoring, primarily deals with configuration management. Documenting information system changes and assessing the potential impact those changes may have on the security of the system is an essential part of continuous monitoring and maintaining the security accreditation.
Application partitioning is achieved through which of the following? 1. User functionality is separated from information storage services. 2. User functionality is separated from information management services. 3. Both physical and logical separation techniques are employed. 4. Different computers and operating systems are used to accomplish separation. a. 1 and 2 b. 3 only c. 1, 2, and 3 d. 1, 2, 3, and 4
d. The information system physically or logically separates the user functionality (including user interface services) from information storage and management services (for example, database management). Separation may be accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, or a combination of these methods.
A security evaluation report and an accreditation statement are produced in which of the following phases of the system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Operation/maintenance d. Implementation
d. The major outputs from the implementation (testing) phase include the security evaluation report and accreditation statement. The purpose of the testing phase is to perform various tests (unit, integration, system, and acceptance). Security features are tested to see if they work and are then certified.
What is the major principle of configuration management? a. To reduce risks to data confidentiality b. To reduce risks to data integrity c. To reduce risks to data availability d. To provide repeatable mechanism for effecting system changes
d. The major principle of configuration management is to provide a repeatable mechanism for effecting system modifications in a controlled environment. A repeatable, controlled mechanism is what in turn reduces the risks to data confidentiality, integrity, and availability, so the other three choices follow from it rather than defining it.
Which of the following are ways to accomplish ongoing monitoring of security control effectiveness? 1. Security reviews 2. Self-assessments 3. Security test and evaluation 4. Independent security audits a. 1 and 2 b. 2 and 3 c. 1 and 4 d. 1, 2, 3, and 4
d. The ongoing monitoring of security control effectiveness can be accomplished in a variety of ways including security reviews, self-assessments, security test and evaluation, and independent security audits.
The primary implementation of the configuration management process is performed in which of the following system development life cycle (SDLC) phases? a. Initiation b. Acquisition/development c. Implementation d. Operation/maintenance
d. The primary implementation of the configuration management process is performed during the operation/maintenance phase of the SDLC. The other phases are too early for this process to take place.
What is the major purpose of configuration management? a. To reduce risks from system insertions b. To reduce risks from system installations c. To reduce risks from modifications d. To minimize the effects of negative changes
d. The purpose of configuration management is to minimize the effects of negative changes or differences in configurations on an information system or network. The other three choices are examples of minor purposes, all leading to the major purpose. Note that modifications could be proper or improper where the latter leads to a negative effect and the former leads to a positive effect.
Techniques such as prototyping and simulation cannot be used in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
d. The purpose of prototyping is to check the feasibility of implementing a system against the given constraints and to communicate the specifier's interpretation of the system to the customer in order to locate misunderstandings. A subset of system functions, constraints, and performance requirements is selected. A prototype is built using high-level tools and is evaluated against the customer's criteria; the system requirements may be modified as a result of this evaluation. Usually, prototyping is used to define user requirements and the design of the system. Simulation or modeling is used to test the functions of a software system, together with its interface to the real environment, without modifying the environment in any way. The simulation may be software only or a combination of hardware and software. A model of the system to be controlled by the actual system under test is created. This model mimics the behavior of the controlled system and is for testing purposes only. Although prototyping and simulation can be used in the operation/maintenance phase, the payback would be less than in the development phase. Usually, the scope of system maintenance is small and minor, which makes the use of prototyping and simulation techniques cost-prohibitive.
Which of the following tests identify vulnerabilities in application systems? a. Functional test b. Performance test c. Stress test d. Security test
d. The purpose of security testing is to assess the robustness of the system's security capabilities (for example, physical facilities, procedures, hardware, software, and communications) and to identify security vulnerabilities. All the tests listed in the question are part of system acceptance tests, where the purpose is to verify that the complete system satisfies specified requirements and is acceptable to end users. Functional test is incorrect because the purpose of functional or black-box testing is to verify that the system correctly performs specified functions. Performance test is incorrect because the purpose of performance testing is to assess how well a system meets specified performance requirements. Examples include specified system response times under normal workloads (for example, defined transaction volumes) and specified levels of system availability and mean time to repair. Stress test is incorrect because the purpose of stress testing is to analyze system behavior under increasingly heavy workloads (for example, higher transaction rates) and severe operating conditions (for example, higher error rates, lower component availability rates), and, in particular, to identify points of system failure.
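The difference between a functional test and a security test is easiest to see on one handler that passes the first and fails the second. The following is an added example written for this page, not code from the source: a naive file-download handler that trusts the client-supplied file name beside a hardened version that confines the resolved path to the web root, with a functional test, a security test (path traversal), and a simple stress loop. The handler, the fixture layout, and the file contents are hypothetical and are created in a temporary directory so the example runs offline.

```python
"""Functional, stress and security tests of a file-download handler.

Added example; the handler and the fixture files are hypothetical and constructed.
"""
import os
import tempfile


def serve_file_naive(root, requested):
    """Vulnerable: joins the client-supplied name onto root without confinement."""
    with open(os.path.join(root, requested), "rb") as f:
        return f.read()


def serve_file(root, requested):
    """Hardened: canonicalise the path and refuse anything outside root."""
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, full]) != root:
        raise PermissionError(f"refusing to serve outside {root}: {requested!r}")
    with open(full, "rb") as f:
        return f.read()


def make_fixture():
    """Constructed test data: a web root holding one public file, plus a secret
    file one directory above it that must never be reachable."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "public")
    os.makedirs(root)
    with open(os.path.join(root, "report.txt"), "wb") as f:
        f.write(b"public report")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"db password")
    return root


def functional_test(handler):
    """Black-box functional test: the specified behaviour works on valid input."""
    root = make_fixture()
    return handler(root, "report.txt") == b"public report"


def stress_test(handler, requests=500):
    """Stress test: repeated valid requests must all succeed (no resource leak,
    no failure under load). Timing is deliberately not asserted here."""
    root = make_fixture()
    return all(handler(root, "report.txt") == b"public report"
               for _ in range(requests))


def security_test(handler):
    """Security test: a traversal payload must not reach files outside root."""
    root = make_fixture()
    try:
        leaked = handler(root, "../secret.txt")
    except (PermissionError, FileNotFoundError):
        return True          # refused: the control works
    return leaked != b"db password"


if __name__ == "__main__":
    for name, handler in (("naive", serve_file_naive), ("hardened", serve_file)):
        print(name, "functional:", functional_test(handler),
              "stress:", stress_test(handler),
              "security:", security_test(handler))
```

The naive handler passes the functional and stress tests and would therefore be accepted by a test plan that omitted security testing; only the security test exposes the traversal vulnerability.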
Which of the following areas of software configuration management (SCM) is executed last? a. Identification b. Change control c. Status accounting d. Audit
d. There are four elements of configuration management. The first element is configuration identification, consisting of selecting the configuration items for a system and recording their functional and physical characteristics in technical documentation. The second element is configuration change control, consisting of evaluation, coordination, approval or disapproval, and implementation of changes to configuration items after formal establishment of their configuration identification. The third element is configuration status accounting, consisting of recording and reporting of information that is needed to manage a configuration effectively. The fourth element is software configuration audit, consisting of periodically performing a review to ensure that the SCM practices and procedures are rigorously followed. Auditing is performed last after all the elements are in place to determine whether they are properly working.
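The four SCM elements, and the configuration verification tests performed during continuous monitoring (see the question on the configuration management process above), can be demonstrated with a baseline-and-audit routine. The block below is an added example written for this page, not code from the source: configuration identification records a SHA-256 fingerprint of each configuration item, change control is represented by a list of approved change requests, status accounting is the report the audit produces, and the audit itself compares the current state with the baseline and flags any difference that no approved change explains. The file paths, contents, and change-request identifiers are constructed and held in memory so the example runs offline.

```python
"""Configuration identification, change control and audit over a constructed baseline.

Added example; the configuration items, their contents and the change-request
identifiers are constructed for illustration.
"""
import hashlib

# Configuration items as recorded when the baseline was established (constructed).
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/opt/app/app.conf": b"debug=false\n",
}

# The same items as found on the host during continuous monitoring (constructed).
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/opt/app/app.conf": b"debug=true\n",
    "/etc/cron.d/backdoor": b"* * * * * root /tmp/.x\n",
}

# Change control record: items whose modification was approved, with the
# change request that approved it (constructed).
APPROVED_CHANGES = {"/opt/app/app.conf": "CR-104"}


def fingerprint(content: bytes) -> str:
    """Physical characteristic recorded for each configuration item."""
    return hashlib.sha256(content).hexdigest()


def identify(files):
    """Configuration identification: fingerprint every configuration item."""
    return {path: fingerprint(data) for path, data in sorted(files.items())}


def audit(baseline, current_files, approved):
    """Configuration audit: compare current state against the baseline and the
    approved change list; anything unexplained is an unauthorized change.
    The returned dictionary is the status-accounting record for this audit."""
    current = identify(current_files)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    unauthorized = sorted(p for p in modified + added + missing if p not in approved)
    return {
        "modified": modified,
        "added": added,
        "missing": missing,
        "unauthorized": unauthorized,
        "approved": {p: approved[p] for p in modified + added + missing if p in approved},
    }


if __name__ == "__main__":
    report = audit(identify(BASELINE_FILES), CURRENT_FILES, APPROVED_CHANGES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed data the `app.conf` change is covered by CR-104 and is merely reported, whereas the `sshd_config` change and the new cron entry have no approved change behind them and are flagged as unauthorized, which is exactly the negative change the configuration management process exists to catch.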
Which of the following are nonmalware threats? 1. Viruses 2. Worms 3. Phishing 4. Virus hoaxes a. 1 and 2 b. 2 and 3 c. 1 and 3 d. 3 and 4
d. There are two forms of nonmalware threats that are often associated with malware. The first is phishing attacks, which frequently place malware or other attacker tools onto systems. The second is virus hoaxes, which are false warnings of new malware threats. Viruses and worms are true forms of malware threats.