CSSLP-Exam Practice Test-ME2


Question Number: 494 Question: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.abc_security.com. He finds that the We-are-secure server is vulnerable to attacks. As a countermeasure, he suggests that the Network Administrator should remove the IPP printing capability from the server. He is suggesting this as a countermeasure against __________. Option 1: Data exfiltration Option 2: Denial-of-Service (DoS) Option 3: Confidentiality breach Option 4: Unauthorized access

1 Explanation: The correct option is "Data exfiltration." By suggesting the removal of the IPP printing capability from the server, John is recommending a countermeasure against data exfiltration. Data exfiltration refers to the unauthorized or malicious extraction of data from a system or network. By removing the IPP printing capability, the network administrator can reduce the risk of sensitive or confidential information being printed and potentially taken out of the system without proper authorization. Knowledge Area: Mock Exam 2

Question Number: 495 Question: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of abc.com. He finds that the We-are-secure server is vulnerable to attacks. As a countermeasure, he suggests that the Network Administrator should remove the IPP printing capability from the server. He is suggesting this as a countermeasure against __________. Option 1: Denial of Service (DoS) attacks Option 2: SQL injection attacks Option 3: Unauthorized access Option 4: Information leakage

1 Explanation: The correct option is "Denial of Service (DoS) attacks." John suggests removing the IPP printing capability from the server as a countermeasure against DoS attacks. DoS attacks aim to disrupt the availability of a system or network by overwhelming it with excessive traffic or resource consumption. By removing the IPP printing capability, the server reduces the potential attack surface and minimizes the risk of being targeted by DoS attacks that exploit vulnerabilities in the printing service. Knowledge Area: Mock Exam 2

Question Number: 455 Question: Which PDCA activity is incorrect? Option 1: Implement solutions Option 2: Check results Option 3: Plan changes Option 4: Identify issues

1 Explanation: Implementation is done in the "do" phase. Knowledge Area: Mock Exam 2

Question Number: 462 Question: How does quantitative risk analysis differ? Option 1: Prioritizes risks Option 2: Measures probabilities Option 3: Identifies triggers Option 4: Quantifies impacts

1 Explanation: It quantifies, not just prioritizes, risks. Knowledge Area: Mock Exam 2

Question Number: 456 Question: As a software developer, you are working on a web application using the Java Servlet Specification v2.4. You're focusing on the Web resource collection, a security constraint element. Which of the following does this element include? Option 1: Methods and URL patterns Option 2: Memory allocation settings Option 3: Database connection strings Option 4: HTTP response headers

1 Explanation: The Web resource collection in the Java Servlet Specification v2.4 includes methods and URL patterns. This allows you to specify which resources in your web application should be protected and how, which is a crucial part of secure software development. Knowledge Area: Mock Exam 2

Question Number: 450 Question: You are the project manager of the QSL project for your organization. You are working with your project team and several key stakeholders to create a diagram that shows how various elements of a system interrelate and the mechanism of causation within the system. What diagramming technique are you using as a part of the risk identification process? Option 1: Cause and effect diagram (Fishbone diagram) Option 2: Data flow diagram (DFD) Option 3: State transition diagram Option 4: Decision tree diagram

1 Explanation: The correct option is "Cause and effect diagram (Fishbone diagram)." A cause and effect diagram, also known as a Fishbone diagram, is a diagramming technique used to visualize the interrelationships and causation mechanism within a system. It helps identify potential causes of a problem or risk by organizing them into categories and showing the relationships between various factors. This diagramming technique is commonly used as a part of the risk identification process to understand the root causes of risks and determine appropriate mitigation strategies. Knowledge Area: Mock Exam 2

Question Number: 476 Question: Which of the following are the primary functions of configuration management? Option 1: Change control, version control, asset management Option 2: Risk assessment, incident response, vulnerability scanning Option 3: Authentication, access control, encryption Option 4: Backup and recovery, network monitoring, auditing

1 Explanation: The correct option is "Change control, version control, asset management." The primary functions of configuration management include change control, which ensures that changes to the system are properly assessed and approved; version control, which manages different versions of software or configurations; and asset management, which tracks and manages the hardware and software assets in the system. Configuration management helps ensure that systems are properly controlled, documented, and maintained throughout their life cycle. Knowledge Area: Mock Exam 2

Question Number: 490 Question: Which of the following methods is a means of ensuring that system changes are approved before being implemented, only the proposed and approved changes are implemented, and the implementation is complete and accurate? Option 1: Change management Option 2: Risk management Option 3: Configuration management Option 4: Incident management

1 Explanation: The correct option is "Change management." Change management is a method used to ensure that system changes are approved before being implemented, and that only the proposed and approved changes are implemented. It includes processes, procedures, and controls to manage and track changes throughout their lifecycle. Change management helps ensure that changes are properly evaluated, approved, scheduled, implemented, and validated, while minimizing the risks and impact on the system. Knowledge Area: Mock Exam 2

Question Number: 451 Question: Which of the following technologies is used by hardware manufacturers, publishers, copyright holders, and individuals to impose limitations on the usage of digital content and devices? Option 1: Digital Rights Management (DRM) Option 2: Public Key Infrastructure (PKI) Option 3: Virtual Private Network (VPN) Option 4: Secure Sockets Layer (SSL)

1 Explanation: The correct option is "Digital Rights Management (DRM)." Digital Rights Management is a technology used by hardware manufacturers, publishers, copyright holders, and individuals to impose limitations on the usage of digital content and devices. DRM systems enforce access control, usage restrictions, and copy protection mechanisms to protect intellectual property rights. DRM can be applied to various forms of digital content, such as music, movies, e-books, and software, to manage and protect their distribution, usage, and licensing. Knowledge Area: Mock Exam 2

Question Number: 479 Question: Which of the following types of attacks occurs when an attacker successfully inserts an intermediary software or program between two communicating hosts? Option 1: Man-in-the-middle (MitM) attack Option 2: Distributed Denial of Service (DDoS) attack Option 3: SQL injection attack Option 4: Cross-Site Scripting (XSS) attack

1 Explanation: The correct option is "Man-in-the-middle (MitM) attack." In a MitM attack, an attacker successfully inserts an intermediary software or program between two communicating hosts. The attacker can then intercept and potentially manipulate the communication between the hosts, allowing them to eavesdrop on sensitive information, modify data, or impersonate one of the parties involved. MitM attacks are a significant security concern, as they can lead to unauthorized access, data breaches, and the compromise of confidential information. Knowledge Area: Mock Exam 2

Question Number: 481 Question: You are responsible for network and information security at a large hospital. It is a significant concern that any change to any patient record can be easily traced back to the person who made that change. What is this called? Option 1: Non-repudiation Option 2: Confidentiality Option 3: Integrity Option 4: Availability

1 Explanation: The correct option is "Non-repudiation." Non-repudiation is the ability to ensure that a person or entity cannot deny their involvement in a particular action or transaction. In this case, the concern is to trace any change to a patient record back to the person who made the change, ensuring they cannot deny their responsibility. Non-repudiation mechanisms, such as digital signatures or audit logs, are used to provide evidence of actions or transactions and prevent individuals from disowning their actions. Knowledge Area: Mock Exam 2

Question Number: 488 Question: You work as a CSO (Chief Security Officer) for Tech Perfect Inc. You have a disaster scenario and you want to discuss it with your team members to get appropriate responses to the disaster. In which of the following disaster recovery tests can this task be performed? Option 1: Tabletop test Option 2: Functional test Option 3: Integration test Option 4: Penetration test

1 Explanation: The correct option is "Tabletop test." In a tabletop test, you can discuss and simulate a disaster scenario with your team members to evaluate their awareness, preparedness, and response to the situation. This type of test is discussion-based and does not involve the actual execution of recovery procedures. It allows stakeholders to review their roles and responsibilities, assess the effectiveness of the disaster recovery plan, identify gaps or issues, and discuss appropriate responses. Tabletop tests help improve coordination, communication, and decision-making during a real disaster event. Knowledge Area: Mock Exam 2

Question Number: 499 Question: FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls are tested and reviewed? Option 1: Level 1: Initial Option 2: Level 2: Repeatable Option 3: Level 3: Defined Option 4: Level 4: Managed

2 Explanation: The correct option is "Level 2: Repeatable." In FITSAF, Level 2: Repeatable shows that the procedures and controls are tested and reviewed. At this level, processes and practices are in place to ensure that security procedures and controls are repeatable and consistent across the organization. The organization has established a baseline of security practices that are followed and reviewed on a regular basis to ensure effectiveness and compliance. Knowledge Area: Mock Exam 2

Question Number: 464 Question: You're working on a major application that will be put into production once complete. What is a CRITICAL requirement before this application can be released? Option 1: The application must have a user-friendly interface Option 2: The application must be fully certified and accredited Option 3: The application must have backward compatibility Option 4: The application must have been beta tested

2 Explanation: Before any general support systems and major applications are put into production, they must be fully certified and accredited. This ensures that the systems and applications meet necessary security requirements and are fit for their intended use. Knowledge Area: Mock Exam 2

Question Number: 478 Question: What scan is unrelated to configuration control? Option 1: Patch audit Option 2: Port scan Option 3: File integrity Option 4: Vulnerability scan

2 Explanation: Port scanning tests network exposure. Knowledge Area: Mock Exam 2

Question Number: 486 Question: In your role as a software developer focused on secure development, you're working on risk management. Which of the following terms related to risk management represents the estimated frequency at which a threat is expected to occur? Option 1: Risk Impact Option 2: Risk Likelihood Option 3: Risk Assessment Option 4: Risk Mitigation

2 Explanation: Risk Likelihood is the term used to represent the estimated frequency at which a threat is expected to occur. It is part of the risk assessment process, which aims to understand the potential threats to a system and their possible frequency of occurrence. Knowledge Area: Mock Exam 2

Question Number: 452 Question: Which of the following techniques is used when a system performs the penetration testing with the objective of accessing unauthorized information residing inside a computer? Option 1: White-box testing Option 2: Black-box testing Option 3: Gray-box testing Option 4: Purple-team testing

2 Explanation: The correct option is "Black-box testing." Black-box testing is a technique used during penetration testing when the objective is to access unauthorized information residing inside a computer system. In black-box testing, the tester has no prior knowledge or access to the internal details of the system and attempts to simulate real-world attacks to uncover vulnerabilities and access unauthorized information. This technique helps identify weaknesses from an external perspective. Knowledge Area: Mock Exam 2

Question Number: 454 Question: Which of the following access control models uses a predefined set of access privileges for an object of a system? Option 1: Role-Based Access Control (RBAC) Option 2: Discretionary Access Control (DAC) Option 3: Mandatory Access Control (MAC) Option 4: Attribute-Based Access Control (ABAC)

2 Explanation: The correct option is "Discretionary Access Control (DAC)." Discretionary Access Control uses a predefined set of access privileges for an object of a system. It allows the owner or custodian of the object to determine who can access it and what level of access they have. The owner has discretion over granting or denying access to the object, making it a flexible access control model commonly used in systems where users have varying levels of trust and responsibility. Knowledge Area: Mock Exam 2

Question Number: 480 Question: Which of the following security controls works as the totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy? Option 1: Physical controls Option 2: Technical controls Option 3: Administrative controls Option 4: Compensating controls

2 Explanation: The correct option is "Technical controls." Technical controls refer to the totality of protection mechanisms within a computer system, including hardware, firmware, and software. These controls are responsible for enforcing a security policy and mitigating risks. Technical controls encompass various security measures such as access controls, encryption, firewalls, intrusion detection systems, and antivirus software. They provide the technical means to detect, prevent, and respond to security incidents and protect the confidentiality, integrity, and availability of information. Knowledge Area: Mock Exam 2

Question Number: 500 Question: Which of the following ISO standards is entitled "Information technology - Security techniques - Information security management - Measurement"? Option 1: ISO/IEC 27001 Option 2: ISO/IEC 27002 Option 3: ISO/IEC 27005 Option 4: ISO/IEC 27035

3 Explanation: The correct option is "ISO/IEC 27005." ISO/IEC 27005 is the ISO standard entitled "Information technology - Security techniques - Information security management - Measurement." It provides guidance on information security risk management and measurement, including the identification, assessment, and treatment of information security risks. ISO/IEC 27005 helps organizations establish a systematic and consistent approach to managing information security risks based on their specific context and requirements. Knowledge Area: Mock Exam 2

Question Number: 492 Question: As a Software Developer focused on secure software development, you're implementing an intrusion detection system (IDS) that monitors network traffic and compares it against an established baseline. Which of the following IDS best describes this functionality? Option 1: Network-based Intrusion Detection System (NIDS) Option 2: Host-based Intrusion Detection System (HIDS) Option 3: Anomaly-based Intrusion Detection System (AIDS) Option 4: Signature-based Intrusion Detection System (SIDS)

3 Explanation: An Anomaly-based Intrusion Detection System (AIDS) is designed to monitor network traffic and compare it against an established baseline. It uses machine learning to create a model of trustworthy activity

Question Number: 460 Question: As a software developer, you are integrating authentication mechanisms in your application. Which of the following statements about the authentication concept of information security management holds TRUE? Option 1: Authentication is only about confirming a user's identity Option 2: Authentication can be done only with a password Option 3: Authentication ensures only authorized users have access Option 4: Authentication is not necessary for secure systems

3 Explanation: Authentication is a critical concept in information security management. Its primary purpose is to ensure that the system confirms a user's identity and allows only authorized users to access resources. It can be achieved by various means, not just a password, including biometrics, OTPs, and security tokens. Knowledge Area: Mock Exam 2

Question Number: 487 Question: Which IDS is proprietary? Option 1: Snort Option 2: Suricata Option 3: Cisco FirePOWER Option 4: Splunk

3 Explanation: Cisco FirePOWER is a commercial closed-source IDS. Knowledge Area: Mock Exam 2

Question Number: 472 Question: What is false regarding declarative security? Option 1: Specifies access rules Option 2: Enforced by framework Option 3: Inflexible to change Option 4: Code agnostic

3 Explanation: Declarative rules can be changed without code edits. Knowledge Area: Mock Exam 2

Question Number: 470 Question: Fred is the project manager of the CPS project. He is working with his project team to prioritize the identified risks within the CPS project. He and the team are prioritizing risks for further analysis or action by assessing and combining the risks probability of occurrence and impact. What process is Fred least likely to be completing? Option 1: Risk ranking Option 2: Risk response planning Option 3: Risk identification Option 4: Risk assessment

3 Explanation: Risk identification is about finding and describing risks, which should happen before prioritization. In the given scenario, since Fred is already prioritizing risks, he is beyond the identification stage. This process is more aligned with risk ranking or risk assessment. Knowledge Area: Mock Exam 2

Question Number: 484 Question: During the development of secure software, you come across a method used by attackers to record everything a person types, including usernames, passwords, and account information. Which of the following is this method? Option 1: Phishing Option 2: Denial of Service attack Option 3: Keylogging Option 4: SQL Injection

3 Explanation: Keylogging is a method used by attackers to record everything a person types. It is a type of surveillance technology used to record keystrokes from a keyboard. This can include usernames, passwords, and account information, making it a significant security concern. Knowledge Area: Mock Exam 2

Question Number: 489 Question: Which of the following is the most secure method of authentication? Option 1: Single-factor authentication Option 2: Two-factor authentication Option 3: Biometric authentication Option 4: Password-based authentication

3 Explanation: The correct option is "Biometric authentication." Biometric authentication is considered the most secure method of authentication. It involves using unique physical or behavioral characteristics, such as fingerprints, iris patterns, or voiceprints, to verify the identity of an individual. Biometric authentication provides a high level of confidence in the user's identity, as it is difficult to forge or replicate these biometric traits. Single-factor authentication relies on a single authentication factor, such as a password. Two-factor authentication combines two different authentication factors, providing an added layer of security compared to single-factor authentication. Knowledge Area: Mock Exam 2

Question Number: 458 Question: Which of the following sections come under the ISO/IEC 27002 standard? Option 1: Risk assessment, incident response, business continuity Option 2: Policy and procedures, physical security, network security Option 3: Change management, access control, cryptography Option 4: Security awareness, asset management, supplier relationships

3 Explanation: The correct option is "Change management, access control, cryptography." Change management, access control, and cryptography are sections that come under the ISO/IEC 27002 standard. ISO/IEC 27002 provides a code of practice for information security management systems. It covers various aspects of information security, including organizational security policies, asset management, human resource security, physical and environmental security, communications and operations management, and more. Change management, access control, and cryptography are essential components of an effective information security program. Knowledge Area: Mock Exam 2

Question Number: 474 Question: Which of the following are included in Technical Controls? Option 1: Policies, procedures, and guidelines Option 2: Security awareness training Option 3: Firewalls, intrusion detection systems, encryption Option 4: Access control lists, security audits, incident response

3 Explanation: The correct option is "Firewalls, intrusion detection systems, encryption." Technical Controls are security measures implemented through technology. They include firewalls, intrusion detection systems, and encryption, among others. Firewalls monitor and control network traffic, intrusion detection systems detect and respond to unauthorized activities, and encryption protects data confidentiality. Technical Controls work in conjunction with other control types, such as policies, procedures, and guidelines, to enhance overall security. Knowledge Area: Mock Exam 2

Question Number: 475 Question: What are the various phases of the Software Assurance Acquisition process according to the U.S. Department of Defense (DoD) and Department of Homeland Security (DHS) Acquisition and Outsourcing Working Group? Option 1: Initiation, Requirements, Design, Implementation, Verification, Maintenance Option 2: Planning, Analysis, Design, Development, Testing, Deployment Option 3: Initiation, Development, Deployment, Operations, Maintenance Option 4: Initiation, Planning, Execution, Monitoring, Closure

3 Explanation: The correct option is "Initiation, Development, Deployment, Operations, Maintenance." These are the various phases of the Software Assurance Acquisition process according to the DoD and DHS Acquisition and Outsourcing Working Group. Initiation involves defining the objectives and scope. Development focuses on creating the software. Deployment involves releasing the software for use. Operations represent the ongoing use and management of the software. Maintenance involves maintaining and updating the software over its lifecycle. Knowledge Area: Mock Exam 2

Question Number: 457 Question: You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A methodology, which is based on four well-defined phases. In which of the following phases of NIST SP 800-37 C&A methodology does the security categorization occur? Option 1: Initiation phase Option 2: Security Assessment phase Option 3: Risk Assessment phase Option 4: Continuous Monitoring phase

3 Explanation: The correct option is "Risk Assessment phase." In the NIST SP 800-37 C&A methodology, the security categorization occurs in the Risk Assessment phase. This phase involves categorizing the information system and the information processed, stored, and transmitted by the system based on the potential impact on organizational operations, assets, individuals, and other organizations. It helps determine the appropriate level of security controls to be implemented. Knowledge Area: Mock Exam 2

Question Number: 466 Question: Which of the following persons in an organization is responsible for rejecting or accepting the residual risk for a system? Option 1: Chief Information Officer (CIO) Option 2: Chief Security Officer (CSO) Option 3: System Owner Option 4: Risk Manager

3 Explanation: The correct option is "System Owner." The System Owner in an organization is responsible for rejecting or accepting the residual risk for a system. The System Owner is typically the individual or group responsible for the overall management, operation, and security of a system. They have the authority and accountability to make decisions regarding the acceptance of risk associated with the system. The System Owner ensures that risks are appropriately assessed, documented, and mitigated, and they have the final say in accepting or rejecting residual risks. Knowledge Area: Mock Exam 2

Question Number: 469 Question: NIST SP 800-53A defines three types of interview depending on the level of assessment conducted. Which of the following NIST SP 800-53A interviews consists of informal and ad hoc interviews? Option 1: Structured interview Option 2: Semi-structured interview Option 3: Unstructured interview Option 4: Interview-based assessment

3 Explanation: The correct option is "Unstructured interview." NIST SP 800-53A defines three types of interviews depending on the level of assessment conducted: structured, semi-structured, and unstructured. An unstructured interview consists of informal and ad hoc interviews. In unstructured interviews, the interviewer has flexibility in asking questions and exploring various topics without following a predetermined script. This type of interview allows for open-ended discussions and the collection of qualitative information. Knowledge Area: Mock Exam 2

Question Number: 497 Question: As a Software Developer, you are studying the Systems Development Life Cycle (SDLC), which is the process of creating or altering systems. Which of the following is least likely to be a phase of the system development life cycle? Option 1: Requirements gathering Option 2: System design Option 3: Implementation Option 4: Network topology design

4 Explanation: Network topology design is not a typical phase in the SDLC. The SDLC phases typically include requirements gathering, system design, and implementation, which involve specific steps towards creating or altering systems. Knowledge Area: Mock Exam 2

Question Number: 498 Question: In your role as a secure software developer, you're working with the Service-Oriented Modeling Framework (SOMF). One of the major life cycle modeling activities integrates SOA software assets and establishes SOA logical environment dependencies. Which of the following activities does this describe? Option 1: Service Discovery Option 2: Service Analysis Option 3: Service Design Option 4: Service Orchestration

4 Explanation: Service Orchestration is the Service-Oriented Modeling Framework (SOMF) activity that integrates SOA software assets and establishes SOA logical environment dependencies. It involves the design and implementation of service compositions, which could include the coordination of multiple services, their interactions, and their dependencies. Knowledge Area: Mock Exam 2

Question Number: 496 Question: In your role as a secure software developer, you're asked to consider the 'Code of Ethics Canons' in the '(ISC)2 Code of Ethics'. Which of the following best reflects these canons? Option 1: Protect society, the common good, and infrastructure Option 2: Act honorably, honestly, justly, and legally Option 3: Provide diligent and competent service Option 4: All of the above

4 Explanation: The '(ISC)2 Code of Ethics' includes four mandatory canons: 'Protect society, the common good, necessary public trust and confidence, and the infrastructure', 'Act honorably, honestly, justly, responsibly, and legally', 'Provide diligent and competent service to principals', and 'Advance and protect the profession'. Knowledge Area: Mock Exam 2

Question Number: 493 Question: You're implementing a security design principle that supports comprehensive and simple design and implementation of protection mechanisms, with the goal of ensuring that an unintended access path does not exist, or can be readily identified and eliminated. Which of the following security design principles is this? Option 1: Least Privilege Option 2: Open Design Option 3: Defense in Depth Option 4: Economy of Mechanism

4 Explanation: The principle of "Economy of Mechanism" supports comprehensive and simple design and implementation of protection mechanisms. This principle involves reducing the complexity of security systems to minimize the number of potential weaknesses. It aims to ensure that an unintended access path does not exist or can be readily identified and eliminated. Knowledge Area: Mock Exam 2

Question Number: 463 Question: Which SDLC phase is incorrect for audits? Option 1: Development Option 2: Testing Option 3: Deployment Option 4: Maintenance

4 Explanation: Audits validate software, not operational maintenance. Knowledge Area: Mock Exam 2

Question Number: 461 Question: You are leading a software development project expected to last for 18 months. Six months into the project, your team wonders about the frequency of risk reassessment. If you are adhering to the best practices for risk management, how often should you be performing risk reassessments? Option 1: Only at the start of the project Option 2: At the end of the project Option 3: Every six months Option 4: Continually throughout the project

4 Explanation: Best practices for risk management recommend that risk reassessment should be an ongoing activity throughout the project. Risk profiles can change as work is performed and circumstances evolve, so regular reassessment ensures that the project team is always aware of current risks and can adjust mitigation strategies accordingly. Knowledge Area: Mock Exam 2

Question Number: 482 Question: As a Software Developer, you are trying to understand a scenario where users report that they are unable to log on to the network, and accounts are locked out due to multiple incorrect log on attempts. What is the least likely cause of the account lockouts? Option 1: A malicious insider repeatedly attempting to log in Option 2: An external brute force attack Option 3: A user forgetting their password Option 4: A network hardware failure

4 Explanation: A network hardware failure would likely cause network-wide issues, not account-specific lockouts due to multiple incorrect log on attempts. The other options involve incorrect log on attempts which could lead to account lockouts. Knowledge Area: Mock Exam 2

Question Number: 491 Question: You are studying the NIACAP certification levels recommended by the certifier. Which of the following is least likely to be a NIACAP certification level? Option 1: Basic Option 2: System High Option 3: MAC I Option 4: Data encryption level

4 Explanation: Data encryption level is not a type of NIACAP certification level. NIACAP certification levels typically include Basic, System High, and MAC I. Knowledge Area: Mock Exam 2

Question Number: 468 Question: You are familiarizing yourself with the types of interviews defined in NIST SP 800-53A depending on the level of assessment conducted. Which of the following NIST SP 800-53A interviews is least likely to consist of informal and ad hoc interviews? Option 1: Examiner-to-examinee interviews Option 2: Examiner-to-manager interviews Option 3: Examiner-to-developer interviews Option 4: Formal structured interviews

4 Explanation: Formal structured interviews, unlike the other types, strictly follow a predetermined set of questions and are usually not informal or ad hoc in nature. Knowledge Area: Mock Exam 2

Question Number: 453 Question: In the Business Continuity Planning (BCP) process, one element includes plan implementation, plan testing, ongoing plan maintenance, and involves defining and documenting the continuity strategy. Which of the following is least likely to be part of this element? Option 1: Emergency response Option 2: Crisis communication Option 3: Information backup Option 4: Logo designing

4 Explanation: Logo designing is a part of brand building and marketing strategy and does not contribute to the BCP process, which focuses on ensuring that the organization's critical business functions can continue during and after a disaster. Knowledge Area: Mock Exam 2

Question Number: 459 Question: As a software developer, you are leading a project for a new financial management platform. After a recent update, end-users have reported issues with the application's functionality. What is the BEST course of action to address these concerns? Option 1: Ignore the user complaints as the software was previously working well Option 2: Rollback the software to its previous version Option 3: Make another update and hope it fixes the issues Option 4: Perform regression testing on the software

4 Explanation: Given the software was working before the modification and the users are now complaining, it's most likely that the recent changes have caused the issue. Performing regression testing would be the best course of action. This process involves testing the software to confirm that a recent program or code change has not adversely affected existing features. Knowledge Area: Mock Exam 2

Question Number: 485 Question: What does not represent threat frequency? Option 1: Likelihood Option 2: Probability Option 3: Impact Option 4: SLE

4 Explanation: Impact measures potential loss not frequency. Knowledge Area: Mock Exam 2

Question Number: 465 Question: You are considering the adoption of virtualization for your next project, as suggested in the NIST Information Security and Privacy Advisory Board (ISPAB) paper "Perspectives on Cloud Computing and Standards". What is one of the primary security advantages of virtualization? Option 1: It makes software development easier Option 2: It reduces the need for physical hardware Option 3: It allows for dynamic resource allocation Option 4: It enables isolation of different systems

4 Explanation: One of the main security advantages of virtualization, as described in the NIST ISPAB paper, is that it enables isolation of different systems. This means that if one virtual system is compromised, the attack is contained and doesn't affect other systems running on the same physical host. Knowledge Area: Mock Exam 2

Question Number: 483 Question: As a software developer, you're asked to be involved in the Project Risk Management process of your team's current project. This knowledge area primarily focuses on which of the following processes? Option 1: Planning risk management Option 2: Identifying risks Option 3: Performing qualitative risk analysis Option 4: All of the above

4 Explanation: The Project Risk Management knowledge area primarily focuses on planning risk management, identifying risks, and performing qualitative risk analysis. These processes aim to identify potential risks, analyze their impact, and develop strategies to manage them effectively, thereby ensuring the project's success. Knowledge Area: Mock Exam 2

Question Number: 477 Question: What are the various phases of the Software Assurance Acquisition process according to the U.S. Department of Defense (DoD) and Department of Homeland Security (DHS) Acquisition and Outsourcing Working Group? Option 1: Planning, requirements, acquisition, sustainment Option 2: Initiation, verification, deployment, maintenance Option 3: Identification, authentication, authorization, accounting, audit Option 4: Initiation, analysis, design, development, testing

4 Explanation: The correct option is "Initiation, analysis, design, development, testing." According to the U.S. Department of Defense (DoD) and Department of Homeland Security (DHS) Acquisition and Outsourcing Working Group, the various phases of the Software Assurance Acquisition process are initiation, analysis, design, development, and testing. These phases represent the typical life cycle stages of software development, where requirements are analyzed, system design is created, software is developed, and testing is performed to ensure the quality and security of the software. Knowledge Area: Mock Exam 2

Question Number: 467 Question: DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP? Option 1: Initiation, planning, execution, monitoring, closure Option 2: Definition, verification, validation, post accreditation Option 3: Identification, authentication, authorization, accounting, audit Option 4: Initiation, validation, operation, maintenance, disposal

4 Explanation: The correct option is "Initiation, validation, operation, maintenance, disposal." DIACAP (DoD Information Assurance Certification and Accreditation Process) identifies phases that include initiation, validation, operation, maintenance, and disposal. These phases represent the life cycle of a DoD system from its initial planning and development to its eventual retirement. Each phase encompasses specific activities and tasks related to ensuring the security and compliance of the system throughout its life cycle. Knowledge Area: Mock Exam 2

Question Number: 471 Question: You are involved in a project that requires handling sensitive data. You need to understand the levels of the data classification system to ensure proper handling and protection. What are the MOST common levels in a public or commercial data classification system? Option 1: Confidential, Secret, Top Secret Option 2: Public, Private, Confidential Option 3: Unclassified, Classified, Restricted Option 4: Public, Sensitive, Confidential, Secret

4 Explanation: The most common levels of a public or commercial data classification system are Public, Sensitive, Confidential, and Secret. These levels help organizations identify and protect sensitive information based on its potential impact on the organization if it were disclosed, altered, or destroyed. Knowledge Area: Mock Exam 2

Question Number: 473 Question: What plan least guides quantitative risk analysis? Option 1: Risk management Option 2: QA/test Option 3: Communications Option 4: Scope

4 Explanation: The scope plan guides project deliverables, not quantitative risks. Knowledge Area: Mock Exam 2

Question: Scenario: As a software developer working on a project for a client who follows U.S. Department of Defense (DoD) Instruction 8500.2, you are required to implement the Information Assurance (IA) controls defined by the DoD. What is the primary area of IA you should focus on according to DoD Instruction 8500.2? Option 1: Software Development Security Option 2: Network Infrastructure Security Option 3: Physical and Environmental Security Option 4: Personnel Security

Correct Response: 1 Explanation: As a software developer, your primary focus according to DoD Instruction 8500.2 would be Software Development Security (A). This area involves ensuring the application of security principles and practices in the development of systems and software. It's a critical part of the eight areas of IA defined by the DoD, particularly for your role.

Question Number: 409 Question: Scenario: Your company is going through the Initiate and Plan Information Assurance Certification and Accreditation (IA C&A) phase of the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP). As a software developer, what is the primary subordinate task you should focus on during this phase? Option 1: Develop a System Identification Profile Option 2: Perform a vulnerability assessment Option 3: Implement security controls Option 4: Conduct a security audit

Correct Response: 1 Explanation: During the Initiate and Plan IA C&A phase of the DIACAP process, the primary subordinate task is to Develop a System Identification Profile (A). This profile provides an overview of the system and its components, which is critical for identifying potential vulnerabilities and planning appropriate security controls. Knowledge Area: Mock Exam 2

Question Number: 404 Question: Which statement about ISSO and ISSE is false? Option 1: ISSO is CNSS 4011 certified Option 2: ISSE advises on engineering Option 3: ISSO performs IA operations Option 4: ISSE supports IA engineering

Correct Response: 1 Explanation: ISSOs are not required to be 4011 certified.

Question Number: 423 Question: You work as a project manager for BlueWell Inc. You and your team are using a method or a (technical) process that conceives the risks even if all theoretically possible safety measures would be applied. One of your team members wants to know what a residual risk is. What will you reply to your team member? Option 1: A residual risk is the risk that remains after applying all possible safety measures. Option 2: A residual risk is the risk that is no longer relevant and can be ignored. Option 3: A residual risk is the risk that occurs due to human error. Option 4: A residual risk is the risk that is transferred to another party.

Correct Response: 1 Explanation: The correct option is "A residual risk is the risk that remains after applying all possible safety measures." A residual risk refers to the risk that remains even after implementing all theoretically possible safety measures. It represents the level of risk that cannot be eliminated completely and highlights the importance of ongoing risk management and mitigation efforts. Knowledge Area: Mock Exam 2

Question Number: 401 Question: Which of the following models uses a directed graph to specify the rights that a subject can transfer to an object or that a subject can take from another subject? Option 1: Biba model Option 2: Bell-LaPadula model Option 3: Clark-Wilson model Option 4: Lattice-based model

Correct Response: 1 Explanation: The correct option is "Biba model." The Biba model uses a directed graph to specify the rights that a subject can transfer to an object or that a subject can take from another subject. The model focuses on preserving data integrity and preventing unauthorized modification or corruption of data. It ensures that subjects with lower integrity levels cannot modify or write to objects with higher integrity levels, preventing the spread of inaccurate or malicious data modifications.

Question Number: 420 Question: You have a storage media with some data, and you make efforts to remove this data. After performing this, you analyze that the data remains present on the media. Which of the following refers to the above-mentioned condition? Option 1: Data remanence Option 2: Data leakage Option 3: Data integrity Option 4: Data sanitization

Correct Response: 1 Explanation: The correct option is "Data remanence." Data remanence refers to the residual presence of data on storage media even after efforts have been made to remove or erase it. This can occur due to various factors, such as incomplete data deletion or the presence of data in hidden or inaccessible areas of the media. Knowledge Area: Mock Exam 2

Question Number: 421 Question: The Phase 1 of DITSCAP C&A is known as Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements. What are the process activities of this phase? Option 1: Define C&A level of effort, identify C&A roles and responsibilities, establish security requirements Option 2: Develop project schedule, assign tasks, monitor progress Option 3: Conduct risk assessments, develop risk management plan, implement risk mitigation strategies Option 4: Identify system requirements, design system architecture, develop security controls

Correct Response: 1 Explanation: The correct option is "Define C&A level of effort, identify C&A roles and responsibilities, establish security requirements." In the Definition Phase of DITSCAP C&A (Department of Defense Information Technology Security Certification and Accreditation Process), the process activities include defining the level of effort required for C&A, identifying the roles and responsibilities of C&A personnel, and establishing security requirements for the system. This phase sets the foundation for the subsequent activities in the C&A process. Knowledge Area: Mock Exam 2

Question Number: 444 Question: In which of the following cryptographic attacking techniques does an attacker obtain encrypted messages that have been encrypted using the same encryption algorithm? Option 1: Known-plaintext attack Option 2: Chosen-plaintext attack Option 3: Brute-force attack Option 4: Birthday attack

Correct Response: 1 Explanation: The correct option is "Known-plaintext attack." In a known-plaintext attack, an attacker obtains encrypted messages that have been encrypted using the same encryption algorithm. The attacker knows both the plaintext and corresponding ciphertext pairs and attempts to derive the encryption key or deduce further plaintext-ciphertext pairs. This type of attack can be used to uncover vulnerabilities in the encryption algorithm or key management processes. Knowledge Area: Mock Exam 2

Question Number: 414 Question: Which of the following coding practices are helpful in simplifying code? Option 1: Modularity, abstraction, encapsulation Option 2: Code obfuscation, spaghetti code, code duplication Option 3: Hard coding, insecure coding, global variables Option 4: Code comments, self-explanatory variable names, code repetition

Correct Response: 1 Explanation: The correct option is "Modularity, abstraction, encapsulation." Modularity, abstraction, and encapsulation are coding practices that are helpful in simplifying code. Modularity involves breaking down complex systems into smaller, manageable modules. Abstraction focuses on hiding unnecessary details and exposing only relevant information. Encapsulation involves bundling data and related functions together to form a self-contained unit. These practices improve code readability, maintainability, and reusability. Knowledge Area: Mock Exam 2

Question Number: 431 Question: The Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. What are the process activities of this phase? Option 1: Monitoring, continuous evaluation, and periodic reaccreditation. Option 2: Risk assessment, vulnerability scanning, and penetration testing. Option 3: System development, configuration management, and change control. Option 4: System verification and validation, security testing, and audit.

Correct Response: 1 Explanation: The correct option is "Monitoring, continuous evaluation, and periodic reaccreditation." In the Post Accreditation phase of DITSCAP C&A, the process activities include ongoing monitoring, continuous evaluation, and periodic reaccreditation of the system. This phase ensures that the system remains in compliance with security requirements and continues to operate effectively and securely. Knowledge Area: Mock Exam 2

Question Number: 438 Question: Which of the following is a set of exclusive rights granted by a state to an inventor or his assignee for a fixed period of time in exchange for the disclosure of an invention? Option 1: Patent Option 2: Trademark Option 3: Copyright Option 4: Trade secret

Correct Response: 1 Explanation: The correct option is "Patent." A patent is a set of exclusive rights granted by a state to an inventor or their assignee for a fixed period of time. It provides legal protection for an invention and grants the patent holder the right to exclude others from making, using, or selling the invention without permission. In exchange for the protection, the inventor must disclose the details of the invention. Knowledge Area: Mock Exam 2

Question Number: 425 Question: A Web-based credit card company had collected financial and personal details of Mark before issuing him a credit card. The company has now provided Mark's financial and personal details to another company. Which of the following Internet laws has the credit card issuing company violated? Option 1: Privacy laws Option 2: Data breach notification laws Option 3: Identity theft laws Option 4: Consumer protection laws

Correct Response: 1 Explanation: The correct option is "Privacy laws." By providing Mark's financial and personal details to another company without his consent, the credit card issuing company has violated privacy laws. Privacy laws govern the collection, use, and sharing of personal information, and in this case, the company has breached Mark's privacy by sharing his information without proper authorization. Knowledge Area: Mock Exam 2

Question Number: 437 Question: Which of the following methods offers a number of modeling practices and disciplines that contribute to a successful service-oriented life cycle management and modeling? Option 1: Service-Oriented Architecture (SOA) Option 2: Agile Development Methodology Option 3: Waterfall Development Methodology Option 4: Object-Oriented Programming (OOP)

Correct Response: 1 Explanation: The correct option is "Service-Oriented Architecture (SOA)." SOA offers a number of modeling practices and disciplines that contribute to a successful service-oriented life cycle management and modeling. SOA is an architectural approach that uses services as the fundamental building blocks for developing software applications. It emphasizes loose coupling, modularity, and reusability of services to enable greater flexibility and interoperability. SOA modeling practices help in designing, developing, and managing services throughout their life cycle. Knowledge Area: Mock Exam 2

Question Number: 416 Question: Martha registers a domain named Microsoft.ABCDEF. She tries to sell it to Microsoft Corporation. The infringement of which of the following has she made? Option 1: Trademark infringement Option 2: Copyright infringement Option 3: Patent infringement Option 4: Trade secret infringement

Correct Response: 1 Explanation: The correct option is "Trademark infringement." By registering a domain name using the trademarked term "Microsoft," Martha has infringed upon the trademark rights of Microsoft Corporation. Trademarks provide exclusive rights to the owner, preventing others from using similar marks that may cause confusion among consumers.

Question Number: 411 Question: Which of the following methods determines the principal name of the current user and returns the java.security.Principal object in the HttpServletRequest interface? Option 1: getUserPrincipal() Option 2: getPrincipal() Option 3: getCurrentPrincipal() Option 4: getAuthenticatedUser()

Correct Response: 1 Explanation: The correct option is "getUserPrincipal()". This method is used in the HttpServletRequest interface to determine the principal name of the current user and returns the java.security.Principal object representing the user. The Principal object provides information about the user's identity and can be used for authentication and authorization purposes. Knowledge Area: Mock Exam 2

Question Number: 415 Question: Which of the following methods does the Java Servlet Specification v2.4 define in the HttpServletRequest interface that control programmatic security? Option 1: getUserPrincipal(), isUserInRole() Option 2: setAuthentication(), setAuthorization() Option 3: encryptPassword(), decryptPassword() Option 4: verifyUser(), authorizeUser()

Correct Response: 1 Explanation: The correct option is "getUserPrincipal(), isUserInRole()." The Java Servlet Specification v2.4 defines the methods getUserPrincipal() and isUserInRole() in the HttpServletRequest interface that control programmatic security. getUserPrincipal() returns the user principal associated with the request, and isUserInRole() checks if the user associated with the request is in a specific role. These methods provide a way to implement custom security logic within a Java servlet application. Knowledge Area: Mock Exam 2

Question Number: 407 Question: You are designing an e-commerce website that will handle sensitive customer data. Which of the following is not useful to ensure secure transactions? Option 1: Implementing SSL for data in transit Option 2: Storing user passwords in plaintext for easy recovery Option 3: Encrypting credit card data at rest Option 4: Using secure, vetted payment processing services

Correct Response: 2 Explanation: Storing user passwords in plaintext is a major security risk, as it makes them easily readable if the data is breached, which can lead to unauthorized access. Knowledge Area: Mock Exam 2

Question Number: 418 Question: You are developing a software that will integrate with Microsoft's cloud services and will handle sensitive user data. Which of the following is not useful to ensure secure transactions with Microsoft's cloud services? Option 1: Implementing SSL for data in transit Option 2: Storing user passwords in plaintext in the cloud for easy recovery Option 3: Encrypting sensitive data at rest in the cloud Option 4: Using secure, vetted APIs for cloud integration

Correct Response: 2 Explanation: Storing user passwords in plaintext, even in secure cloud services, is a major security risk as they could be accessed if the data is breached, leading to unauthorized access. Knowledge Area: Mock Exam 2

Question Number: 436 Question: Which review is least focused on vulnerabilities? Option 1: Fagan inspection Option 2: Pair programming Option 3: Code audit Option 4: Penetration testing

Correct Response: 2 Explanation: Pair programming is more for defect reduction. Knowledge Area: Mock Exam 2

Question Number: 445 Question: You've identified a potential security vulnerability in your company's software application. What is your NEXT ACTION as the software developer? Option 1: Ignore the issue, as it's not part of your assigned tasks Option 2: Report the vulnerability to your superior or security team Option 3: Work on a fix yourself without informing anyone Option 4: Document the vulnerability but take no further action

Correct Response: 2 Explanation: The best next action when a potential security vulnerability is identified is to report it to your superior or security team. They have the knowledge and authority to decide on the appropriate next steps, which may include determining the risk level, deciding whether and how to patch the vulnerability, and ensuring that similar vulnerabilities are prevented in the future. Other actions may be inappropriate or lack the necessary collaboration and risk management considerations. Knowledge Area: Mock Exam 2

Question Number: 439 Question: Which of the following actions does the Data Loss Prevention (DLP) technology take when an agent detects a policy violation for data of all states? Option 1: Encrypt the data Option 2: Block the data Option 3: Monitor and report the violation Option 4: Quarantine the data

Correct Response: 2 Explanation: The correct option is "Block the data." When a Data Loss Prevention (DLP) technology agent detects a policy violation for data of all states, it takes the action to block the data. This ensures that the data is not transmitted, shared, or accessed improperly, according to the policy violation. Blocking the data helps prevent unauthorized disclosure, ensuring the security and protection of sensitive information. Knowledge Area: Mock Exam 2

Question Number: 417 Question: Which of the following is a variant with regard to Configuration Management? Option 1: Change control Option 2: Version control Option 3: Access control Option 4: Identity management

Correct Response: 2 Explanation: The correct option is "Version control." Version control is a variant of Configuration Management that focuses on managing different versions of software or files. It tracks changes, enables collaboration, and provides a history of revisions. Version control systems help developers manage code and ensure that the correct versions are used and tracked throughout the software development lifecycle. Knowledge Area: Mock Exam 2

Question Number: 406 Question: Scenario: You are a software developer working on a project that requires a high level of security. The project is nearing completion, and your team is working on a process that concludes with an agreement that the system provides adequate protection controls in its current configuration. Which process is your team currently focusing on? Option 1: Risk Assessment Option 2: System Certification Option 3: Security Audit Option 4: Vulnerability Scanning

Correct Response: 2 Explanation: The process your team is currently working on is System Certification (B). This process involves a comprehensive evaluation of the technical and non-technical security controls of the system to ensure they provide adequate protection. It culminates in an agreement, often documented as a Certification Statement, stating that the system meets a certain set of security standards.

Question Number: 430 Question: Scenario: As a software developer in a new security software project, you are tasked with modifying the functional features and the basic logic of the software to make them compatible with the initial design of the project. Which procedure of configuration management should you primarily follow to accomplish this task? Option 1: Configuration Identification Option 2: Configuration Control Option 3: Configuration Status Accounting Option 4: Configuration Auditing

Correct Response: 2 Explanation: To modify functional features and the basic logic of software and align them with the initial design, you would primarily follow the Configuration Control procedure (B). This process involves the evaluation, coordination, approval or disapproval, and implementation of changes to configuration items within a system. It helps ensure that changes are made in a systematic and disciplined manner, preserving the integrity and traceability of the configuration items. Knowledge Area: Mock Exam 2

Question: Which Software Project & Org process is least relevant? Option 1: Software configuration management Option 2: Software quality assurance Option 3: Facility, site, physical security Option 4: Budget, schedule, reporting

Correct Response: 3 Explanation: Physical security is less relevant to software practices.

Question Number: 441 Question: Scenario: You are a software developer working on a system that requires the mandatory protection of the Trusted Computing Base (TCB). According to the Orange Book, which rated system requires this level of protection? Option 1: A1 Option 2: B1 Option 3: B3 Option 4: C2

Correct Response: 3 Explanation: According to the Orange Book, a system rated as B3 requires mandatory protection of the Trusted Computing Base (TCB) (C). This rating signifies that the system has strict access control measures in place, and the TCB must be protected to ensure the integrity, confidentiality, and availability of the system. Knowledge Area: Mock Exam 2

Question Number: 410 Question: Which is NOT an access control type? Option 1: Mandatory Option 2: Discretionary Option 3: Advisory Option 4: Non-discretionary

Correct Response: 3 Explanation: Advisory controls are recommendations, not access enforcement. Knowledge Area: Mock Exam 2

Question Number: 428 Question: What is the least effective for Syslog DoS prevention? Option 1: Rate limiting Option 2: Input validation Option 3: TLS encryption Option 4: Log analysis

Correct Response: 3 Explanation: Encryption does not prevent DoS attacks. Knowledge Area: Mock Exam 2

Question Number: 433 Question: As a software developer, you are working on an application for the commercial sector. Which of the following access control models is least likely to be used in this sector? Option 1: Discretionary Access Control (DAC) Option 2: Role-Based Access Control (RBAC) Option 3: Mandatory Access Control (MAC) Option 4: Attribute-Based Access Control (ABAC)

Correct Response: 3 Explanation: While all the models could be used depending on the context, Mandatory Access Control (MAC) is less commonly used in the commercial sector due to its rigid structure. MAC is often associated with military or government systems where information classification and clearance levels are of paramount importance. Knowledge Area: Mock Exam 2

Question Number: 413 Question: Scenario: As a software developer, you are tasked with writing efficient and maintainable code for a new project. What is the primary coding practice you should adopt to simplify your code? Option 1: Use of nested conditionals for robustness Option 2: Frequent use of recursion for complex problems Option 3: Use of comments and meaningful variable names Option 4: Use of global variables for ease of access

Correct Response: 3 Explanation: Simplifying code is critical for maintainability and ease of understanding. This can be achieved primarily through the use of comments and meaningful variable names (C). Comments provide additional information or clarify complex parts, while meaningful variable names make code self-explanatory. The use of nested conditionals or recursion may increase complexity, and global variables can lead to unexpected side effects, making the code harder to understand and maintain. Knowledge Area: Mock Exam 2

Question Number: 408 Question: In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system? Option 1: White-box testing Option 2: Gray-box testing Option 3: Black-box testing Option 4: Penetration testing

Correct Response: 3 Explanation: The correct option is "Black-box testing." In black-box testing, assessors work with no prior knowledge or access to internal details of the system. They use all available documentation and work under no constraints to simulate real-world attacks and attempt to circumvent the security features of the information system. This methodology helps identify vulnerabilities and weaknesses from an external perspective. Knowledge Area: Mock Exam 2

Question Number: 427 Question: There are seven risk responses that a project manager can choose from. Which risk response is appropriate for both positive and negative risk events? Option 1: Avoidance Option 2: Acceptance Option 3: Mitigation Option 4: Transference

Correct Response: 3 Explanation: The correct option is "Mitigation." Mitigation is the risk response strategy that is appropriate for both positive and negative risk events. It involves taking actions to reduce the probability or impact of identified risks. Mitigation focuses on minimizing the potential adverse effects of risks and maximizing the potential benefits of opportunities. Knowledge Area: Mock Exam 2

Question Number: 448 Question: Which of the following testing methods tests the system efficiency by systematically selecting the suitable and minimum set of tests that are required to effectively cover the affected changes? Option 1: Regression testing Option 2: Boundary testing Option 3: Risk-based testing Option 4: Adaptive testing

Correct Response: 3 Explanation: The correct option is "Risk-based testing." Risk-based testing is a testing method that focuses on systematically selecting the suitable and minimum set of tests required to effectively cover the affected changes. It prioritizes testing efforts based on the identified risks and their potential impact on the system's efficiency. By using risk analysis, the testing team can allocate resources efficiently and target the areas that pose the highest risks to the system's efficiency. Knowledge Area: Mock Exam 2

Question Number: 434 Question: Which of the following access control models are used in the commercial sector? Option 1: Bell-LaPadula model Option 2: Biba model Option 3: Role-Based Access Control (RBAC) Option 4: Clark-Wilson model

Correct Response: 3 Explanation: The correct option is "Role-Based Access Control (RBAC)." RBAC is an access control model widely used in the commercial sector. It grants access to resources based on the roles assigned to users, rather than their individual identities. RBAC simplifies access management by organizing users into roles and assigning permissions and privileges to those roles. This model provides a flexible and scalable approach to access control in large organizations. Knowledge Area: Mock Exam 2

Question Number: 412 Question: Which attack does NOT cause software failure? Option 1: Buffer overflow Option 2: SQL injection Option 3: Cross-site scripting Option 4: Blind DoS

Correct Response: 4 Explanation: Blind DoS prevents access but does not cause software failure. Knowledge Area: Mock Exam 2

Question Number: 429 Question: Which CM procedure is wrong for new feature compatibility? Option 1: Change request Option 2: Baseline revision Option 3: Release planning Option 4: Design review

Correct Response: 4 Explanation: Design reviews are for early stages, not changes. Knowledge Area: Mock Exam 2

Question Number: 442 Question: As a software developer, you're implementing a system designed to detect unwanted attempts at accessing, manipulating, and disabling computer systems through the Internet. Which of the following is least likely to serve this purpose? Option 1: Intrusion Detection System (IDS) Option 2: Firewall Option 3: Intrusion Prevention System (IPS) Option 4: Email client

Correct Response: 4 Explanation: An email client is primarily used for sending, receiving, storing, and retrieving emails. While it may have some security features, it is not primarily designed to detect and prevent unwanted attempts at accessing, manipulating, or disabling computer systems. Knowledge Area: Mock Exam 2

Question Number: 440 Question: You're reviewing the Orange Book's rated systems for secure software development. Which of the following rated systems does not include mandatory protection of the Trusted Computing Base (TCB)? Option 1: B1: Labeled Security Protection Option 2: A1: Verified Design Option 3: C2: Controlled Access Protection Option 4: D: Minimal Protection

Correct Response: 4 Explanation: D: Minimal Protection, according to the Orange Book, does not provide mandatory protection of the Trusted Computing Base (TCB). The other classifications (A1, B1, C2) do have mandatory protections for the TCB. Knowledge Area: Mock Exam 2

Question Number: 432 Question: As a software developer, you are using the Service-Oriented Modeling Framework (SOMF) to align business and IT organizations. Which of the following principles is not concentrated on by the SOMF? Option 1: Business and IT alignment Option 2: Service discovery and definition Option 3: Service orchestration and choreography Option 4: Implementing proprietary protocols for service communication

Correct Response: 4 Explanation: SOMF concentrates on principles like business and IT alignment, service discovery and definition, and service orchestration. However, the use of proprietary protocols for service communication is not a principle of SOMF, as this approach could lead to interoperability issues. Knowledge Area: Mock Exam 2

Question Number: 449 Question: As a software developer, you're designing a system to specify access privileges to a collection of resources using URL mapping. Which of the following is least likely to serve this purpose? Option 1: Access control lists (ACLs) Option 2: Role-based access control (RBAC) Option 3: Discretionary Access Control (DAC) Option 4: Salesforce CRM

Correct Response: 4 Explanation: Salesforce CRM is a customer relationship management solution and is not primarily used for specifying access privileges to resources using URL mapping. ACLs, RBAC, and DAC are all models that could be used for this purpose. Knowledge Area: Mock Exam 2

Question Number: 424 Question: You are attempting to securely erase data from a storage media. Which of the following methods is least effective in ensuring the data is completely removed? Option 1: Overwriting the data with zeros Option 2: Physically destroying the media Option 3: Using a magnet to degauss the media Option 4: Simply deleting the files via the operating system

Correct Response: 4 Explanation: Simply deleting the files via the operating system is the least effective method. The other methods are more effective as they either overwrite the existing data or physically destroy the media, making it extremely difficult, if not impossible, to recover the data. Knowledge Area: Mock Exam 2

Question Number: 447 Question: You're performing a testing method that focuses on system efficiency by systematically selecting a minimal set of tests to cover the affected changes. Which of the following testing methods is least likely to achieve this? Option 1: Regression testing Option 2: Unit testing Option 3: Functional testing Option 4: UI testing

Correct Response: 4 Explanation: UI testing primarily focuses on the user interface and user experience, and may not be the most efficient method for covering only the affected changes in a system. Knowledge Area: Mock Exam 2

Question Number: 435 Question: During the testing phase of software development, which of the following methods is least helpful in verifying the interfaces between components against a software design? Option 1: Integration testing Option 2: Interface testing Option 3: System testing Option 4: Performance testing

Correct Response: 4 Explanation: While performance testing is important, it is primarily focused on testing the speed, responsiveness, and stability of software under a workload, rather than verifying the interfaces between components against a software design. Knowledge Area: Mock Exam 2

Question Number: 426 Question: Which risk response is least appropriate for both threats? Option 1: Mitigate Option 2: Transfer Option 3: Accept Option 4: Exploit

Correct Response: 4 Explanation: Exploiting risks is unethical and risky. Knowledge Area: Mock Exam 2

Question Number: 443 Question: Which attack does not use the same algorithm? Option 1: Chosen ciphertext Option 2: Known plaintext Option 3: Ciphertext only Option 4: Man-in-the-middle

Correct Response: 4 Explanation: MITM attacks intercept different communications. Knowledge Area: Mock Exam 2

Question Number: 419 Question: Which statement about residual risk is false? Option 1: It can be accepted Option 2: It can be mitigated Option 3: It can be transferred Option 4: It can be eliminated

Correct Response: 4 Explanation: Residual risk cannot be fully eliminated. Knowledge Area: Mock Exam 2

Question Number: 446 Question: Which of the following authentication methods is used to access public areas of a Web site? Option 1: Biometric authentication Option 2: Multi-factor authentication Option 3: Single sign-on Option 4: Anonymous access

Correct Response: 4 Explanation: The correct option is "Anonymous access." Anonymous access is the authentication method used to access public areas of a website. It allows users to access certain content or services without providing any identifying information or credentials. This type of access is typically used for publicly available information that does not require user-specific authentication. Knowledge Area: Mock Exam 2

Question Number: 405 Question: Which of the following security design patterns provides an alternative by requiring that a user's authentication credentials be verified by the database before providing access to that user's data? Option 1: Role-Based Access Control (RBAC) Option 2: Attribute-Based Access Control (ABAC) Option 3: Mandatory Access Control (MAC) Option 4: Database Authentication

Correct Response: 4 Explanation: The correct option is "Database Authentication." Database Authentication is a security design pattern that verifies a user's authentication credentials against the database before granting access to that user's data. This pattern ensures that the user's credentials are valid and authenticated by the database, providing an additional layer of security for data access.

Question Number: 422 Question: Which of the following NIST Special Publication documents provides a guideline on network security testing? Option 1: NIST SP 800-53 Option 2: NIST SP 800-30 Option 3: NIST SP 800-171 Option 4: NIST SP 800-115

Correct Response: 4 Explanation: The correct option is "NIST SP 800-115." NIST SP 800-115 provides a guideline on network security testing. This publication focuses on the technical aspects of conducting network security testing, including methodologies, tools, and best practices. It provides guidance on how to assess the effectiveness of network security controls, identify vulnerabilities, and evaluate the overall security posture of a network. NIST SP 800-53 provides security controls and guidelines for federal information systems, while NIST SP 800-30 provides guidance on risk assessment. Knowledge Area: Mock Exam 2
