CIS 3500 CH 14, 15, 16
Code analysis can be performed at which of the following levels of development? (Choose all that apply.) A. Unit level B. Subsystem level C. System level D. Complete application
A, B, C, and D. Code analysis can be performed at virtually any level of development, from unit level to subsystem to system to complete application.
Which of the following are elements of software development that will help to improve the security of code? (Choose all that apply.) A. Input validation B. Proper error and exception handling C. Cross-site scripting mitigations D. Patch management
A, B, and C. All are elements of software development that will help to improve the security of code. While patch management is an important aspect of security, it occurs after code development and delivery and is considered a process element and not a part of the software development lifecycle.
Which of the following is true concerning verification? (Choose all that apply.) A. Ensuring the code does what the code is supposed to do, verification, is more complex than just running the program and looking for runtime errors. B. Verification also checks whether the program specification captures the requirements from the customer. C. Verification is simple on a case-by-case basis, but when a program has many interdependent calculations, verifying that the results match the desired design model can be a fairly complex task. D. Verification is the process of checking that the software developed meets the model specification.
A, C, and D. Ensuring the code does what the code is supposed to do, verification, is more complex than just running the program and looking for runtime errors. The program results for a given set of inputs need to match the expected results per the system model. For instance, if applying a simple mathematical operation, is the calculation correct? This is simple to verify on a case-by-case basis, but when a program has many interdependent calculations, verifying that the result matches the desired design model can be a fairly complex task. Verification is the process of checking that the software developed meets the model specification. Validation is the process of checking whether the program specification captures the requirements from the customer.
What is a key principle about elasticity? A. You can configure systems to scale up and down, so you only pay for the resources used. B. Elasticity works very well with on-premises equipment. C. Elasticity is not a strength of cloud environments. D. Scaling up and down both result in increased charges.
A. A key principle about elasticity is that you can configure systems to scale up and down, so you only pay for the resources used.
What is a major benefit provided by snapshots? A. If a change contains errors, it is easy to revert to the previous configuration. B. Snapshots can retain a large number of photos. C. Because they are instantaneous savepoints on a machine, they do not need to be retained. D. They work very well on physical hardware but not so well on virtual machines.
A. A major benefit provided by snapshots is that if a change contains errors, it is easy to revert to the previous configuration.
Why is automated testing an important part of configuration validation? A. It can scale and be used in continuous monitoring. B. It can compare before and after versions of a given system. C. It can automatically confirm the validity of a configuration. D. It can slow the divergence caused by system updates.
A. Automated testing is an important part of configuration validation because it can scale and be used in continuous monitoring.
Which of the following correctly defines continuous monitoring? A. The operational process by which you can confirm if controls are functioning properly B. An ongoing process to evaluate the utility of flat-screen monitors C. A dashboard that shows the status of systems D. An operations center staffed 24×7, 365 days per year
A. Continuous monitoring is the operational process by which you can confirm if controls are functioning properly.
What term is used to refer to testing a system under a controlled speed environment? A. Load testing B. Stress testing C. Sandboxing D. Static code analysis
A. Load testing involves running the system under a controlled speed environment. Stress testing takes the system past this operating point to see how it responds to overload conditions. Sandboxing refers to the execution of computer code in an environment designed to isolate the code from direct contact with the target system. Static code analysis is when the code is examined without being executed.
You need to move to the cloud a specific customer service module that has a web front end. This application is highly scalable and can be provided on demand. Which cloud deployment model is best for this application? A. SaaS B. PaaS C. IaaS D. None of the above
A. Software as a Service is suitable for delivering highly scalable, on-demand applications without installing endpoint software.
Your supervisor asks you to analyze virtualization options for an upcoming project to move several critical servers onto virtual machines. He asks you to find a solution that maximizes the number of guest OSs per server and optimizes speed and efficiency. What solution should you recommend? A. A Type I hypervisor, such as VMware vSphere/ESXi or Hyper-V B. A Type II hypervisor, such as VirtualBox or VMware Player C. Both A and B D. Neither A nor B
A. Speed and efficiency are maximized by a Type I (bare-metal) hypervisor, which runs directly on the hardware rather than on top of a host operating system.
What is the primary downside of a private cloud model? A. Restrictive access rules B. Cost C. Scalability D. Lack of vendor support
B. A private cloud model is considerably more expensive as it is a dedicated resource, negating some of the advantages of outsourcing the infrastructure in the first place.
Where should all errors/exceptions be trapped and handled? A. In the main program or routine that called the routine that generated the error/exception B. In the generating routine itself C. In a special routine designed to handle all errors/exceptions D. In a separate routine designed to handle each specific error/exception
B. All errors/exceptions should be trapped and handled in the generating routine.
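Added example (not from the exam guide): the contrast between a generating routine that traps its own failures and one that lets them propagate to a caller. The security point is that the routine which raises the error is the one that knows what detail is safe to expose; once the exception escapes, a generic caller tends to echo parser internals to the user. The logger name, the JSON document and the fixed error strings are all assumptions made for this example.

```python
import json
import logging
from typing import Any, NamedTuple, Optional

logger = logging.getLogger("settings")  # assumed logger name


class LookupResult(NamedTuple):
    ok: bool
    value: Optional[Any]
    error: Optional[str]  # generic, user-safe message only


def load_user_setting(raw_json: str, key: str) -> LookupResult:
    """Generating routine: every failure it can raise is trapped here.

    Internal detail (parser position, exception text) is logged where an
    operator can see it; the caller only ever receives a fixed, generic message.
    """
    try:
        doc = json.loads(raw_json)
        value = doc[key]
    except json.JSONDecodeError as exc:
        logger.warning("malformed settings document: %s", exc)
        return LookupResult(False, None, "settings unavailable")
    except (KeyError, TypeError) as exc:
        # KeyError: key absent; TypeError: document is not an object (e.g. a list)
        logger.info("setting %r not found: %r", key, exc)
        return LookupResult(False, None, "setting not found")
    return LookupResult(True, value, None)


def handle_request(raw_json: str, key: str) -> str:
    """Caller: never sees an exception, so it has nothing to leak."""
    result = load_user_setting(raw_json, key)
    return str(result.value) if result.ok else f"error: {result.error}"


# --- The pattern the question rules out, kept for contrast ----------------

def load_user_setting_unchecked(raw_json: str, key: str) -> Any:
    """Generating routine that lets its exceptions propagate upward."""
    return json.loads(raw_json)[key]


def handle_request_leaky(raw_json: str, key: str) -> str:
    """Caller that catches the error itself and echoes the internal detail."""
    try:
        return str(load_user_setting_unchecked(raw_json, key))
    except Exception as exc:  # deliberately broad, to show the leak
        return f"error: {exc}"


if __name__ == "__main__":
    print(handle_request('{"theme": "dark"}', "theme"))
    print(handle_request("{bad", "theme"))
    print(handle_request_leaky("{bad", "theme"))  # parser internals reach the user
```

Run it and compare the last two lines: the trapped version answers with the fixed string "settings unavailable", while the leaky version returns the JSON parser's own message, including the character offset where decoding failed.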
When doing incident response for your company, you are reviewing the forensics of several virtual servers and you see the attacker on the web server injecting code into uninitialized memory blocks. What attack is the attacker likely attempting? A. Denial-of-service attack on the hypervisor B. VM escape C. Containerization attack D. Crashing the CASB
B. Although all hypervisors actively try to prevent it, any flaw in memory handling could allow code that is maliciously placed in a block to be read by the hypervisor or another machine. This is known as VM escape. The scenario states virtual server, eliminating C and D, and code blocks written into uninitialized memory would not by themselves cause a DoS.
Which of the following is a system that, once deployed, is never modified, patched, or upgraded? A. Baseline B. Immutable system C. Frozen system D. Fixed configuration
B. An immutable system is a system that, once deployed, is never modified, patched, or upgraded. If a patch or update is required, the system is merely replaced with a new system that is patched and updated. Baselining is the process of determining a standard set of functionality and performance. This is a metrics-driven process, where later changes can be compared to the baseline to gauge their impact on performance and other variables. If a change improves the baseline elements in a positive fashion, a new baseline can be established. The other terms are not commonly used in industry.
Which of the following correctly describes automation as discussed in this chapter? A. The configuration of redundant and fault-tolerant systems B. The use of short programs to perform tasks otherwise performed manually by keyboard entry. C. The proper use of configuration definitions and setup D. Processes running autonomously on a given system
B. Automation in the context of systems administration is the use of tools and methods to perform tasks otherwise performed manually by humans, thereby improving efficiency and accuracy and reducing risk.
The CIO asks you to provide guidance on implementing security now that many of the corporate applications are moving to the cloud. Which of the following should you recommend implementing? A. Encryption B. CASBs C. SaaS D. Containerization
B. Cloud access security brokers (CASBs) are specialized tools or services used to protect cloud infrastructure and data.
What is the term used to describe the loss of control over data from a system during operations? A. Sandboxing B. Data exposure C. Data breach D. Runtime release
B. Data exposure is the loss of control over data from a system during operations. Sandboxing refers to the execution of computer code in an environment designed to isolate the code from direct contact with the target system. A data breach occurs when an unauthorized user gains access to your system and its data. Runtime release is not a term used in the industry.
Which of the following is not an advantage of using scripts? A. Reducing the chance of error B. Performing change management on the scripts C. Avoiding time-consuming activities to correct mistakes D. Automating complex tasks by chaining scripts together.
B. Performing change management on the scripts is not an advantage of using them. Reducing the chance of error, avoiding time-consuming activities to correct mistakes, and automating complex tasks by chaining scripts together are all advantages of using scripts.
One of the primary resources in use at your organization is a standard database that many applications tie into. Which cloud deployment model is best for this kind of application? A. SaaS B. PaaS C. IaaS D. None of the above
B. Platform as a Service is suitable for standard resources in use by many other applications.
What is an important point to understand about reverting to a known state? A. Reverting to a known state can result in loss of a user's files. B. Reverting to a known state typically only protects the operating system and associated files. C. Reverting to a known state does not allow removing an error caused by change. D. Creating the known state only occurs after implementing a change.
B. Reverting to a known state typically only protects the operating system and associated files.
How does a hypervisor enable multiple guest operating systems to run concurrently on a host computer? A. Via a specialized driver package B. By abstracting the hardware from the guest operating systems C. By providing specific virtual hardware to each guest OS D. By hiding the underlying Linux operating system
B. The hypervisor abstracts the hardware from the guest operating system to enable multiple guest operating systems to run concurrently on a host computer.
Which cloud deployment model has the fewest security controls? A. Private B. Public C. Hybrid D. Community
B. The shared, multi-tenant environment of a public cloud has the fewest security controls under the customer's direct control.
Which of the following methodologies progresses through a series of phases, with each phase being completed before progressing to the next phase? A. Scrum B. Waterfall C. Agile D. Extreme Programming (XP)
B. The waterfall model is a development model based on simple manufacturing design. The work process begins with the requirements analysis phase and progresses through a series of four more phases, with each phase being completed before progressing to the next phase. The Scrum programming methodology is built around a 30-day release cycle. The Agile model is not a single development methodology, but a whole group of related methods. Designed to increase innovation and efficiency of small programming teams, Agile methods rely on quick turns involving small increases in functionality. Extreme Programming is a structured process that is built around user stories. These stories are used to architect requirements in an iterative process that uses acceptance testing to create incremental advances.
Source: Conklin, Wm. Arthur. CompTIA Security+ All-in-One Exam Guide, Fifth Edition (Exam SY0-501). McGraw-Hill Education. Kindle Edition.
What is an advantage of using templates? A. They reduce the need for customers to test configurations. B. They resolve patching problems. C. They allow rapid, error-free creation of systems and services, including configurations, connection of services, testing, and deployment. D. They enforce end-user requirements.
C. An important capability of templates is that they allow rapid, error-free creation of systems and services, including configurations, connection of services, testing, and deployment.
The process describing how an organization manages which versions are currently being used, and how it coordinates updates or new versions as they are released by a manufacturer, is known as which of the following? A. Version control B. Provisioning C. Change management D. Deprovisioning
C. Change management addresses how an organization manages which versions are currently being used, and how it coordinates changes as they are released by a manufacturer. Version control is as simple as tracking which version of a program is being worked on, whether in development, testing, or production. Provisioning is the process of assigning permissions or authorities to objects for users. Deprovisioning is the removal of permissions or authorities to objects for users.
Your new application has multiple small processes that provide services to the network. You want to make this application run more efficiently by virtualizing it. What is the best approach for virtualization of this application? A. Type II hypervisor B. Linux KVM C. Containerization D. Type I hypervisor
C. Containerization runs small applications as isolated processes that share the host OS kernel, so there is virtually no hypervisor or guest-OS overhead.
Which of the following is true about what is known as dead code? A. Dead code is code that is never executed and thus can be removed from the program without a negative impact. B. Dead code is code that is never executed but should remain in the program because removing it may have unintended consequences. C. Dead code is code that while it may be executed, the results that it produces are never used elsewhere in the program. There are compiler options that can remove dead code, which is called dead code elimination, but these must be used with care because dead code elimination may have unintended consequences. D. Dead code is code that while it may be executed, the results that it produces are never used elsewhere in the program. It should be removed through automated or manual means to improve the program.
C. Dead code is code that while it may be executed, the results that it obtains are never used elsewhere in the program. There are compiler options that can remove dead code, called dead code elimination, but these options must be used with care because dead code elimination may have unintended consequences.
Which of the following methodologies is a structured process that is built around user stories that are used to architect requirements in an iterative process that uses acceptance testing to create incremental advances? A. Agile B. Scrum C. Extreme Programming (XP) D. Waterfall
C. Extreme Programming (XP) is a structured process that is built around user stories. These stories are used to architect requirements in an iterative process that uses acceptance testing to create incremental advances. Agile methods are not a single development methodology, but a whole group of related methods. Designed to increase innovation and efficiency of small programming teams, Agile methods rely on quick turns involving small increases in functionality. The waterfall model is a development model based on simple manufacturing design. The work process begins with the requirements analysis phase and progresses through a series of four more phases, with each phase being completed before progressing to the next phase. The Scrum programming methodology is built around a 30-day release cycle.
You are planning to move some applications to the cloud, including your organization's accounting application, which is highly customized and does not scale well. Which cloud deployment model is best for this application? A. SaaS B. PaaS C. IaaS D. None of the above
C. Infrastructure as a Service is appropriate for highly customized, poorly scaling solutions that require specific resources to run.
Non-persistence systems can reduce risk because? A. They can function in constantly evolving environments. B. They enable end users to change their computers as much as they want. C. They do not allow users to save changes to configuration or applications. D. None of the above.
C. Non-persistence does not allow saving changes to configuration or applications.
What is the difference between reverting to a known state and rolling back to a known configuration? A. Reverting to a known state can affect more than just the OS. B. Rolling back to a known configuration is a change to the system configuration, not necessarily what it is working on. C. Both A and B. D. Neither A nor B.
C. Reverting to a known state is rolling back to a restore point; this affects the OS and any processes currently running with saved values. Rolling back to a known configuration restores the registry values to a known good configuration, but does not change user values.
What is the Security Content Automation Protocol (SCAP) used for? A. To enumerate common vulnerabilities B. To secure networks C. To provide automation methods for managing vulnerabilities D. To define an overarching security architecture
C. SCAP provides automation methods for managing vulnerabilities.
What is the greatest advantage of outsourcing an organization's IT security to a Security as a Service provider? A. A lost or damaged encryption key can be recovered by the provider. B. Security can be provided seamlessly in all geographic locations. C. The provider can offer scale, cost, and speed efficiencies. D. Regulatory compliance is easier to achieve.
C. The greatest advantage to outsourcing cloud security to a Security as a Service provider is that the provider can offer scale, cost, and speed efficiencies.
Which of the following correctly describes a resilient system? A. A system with defined configuration and setup strategies B. A system using snapshots and reverting to known states C. A system with redundancy and fault tolerance D. A system that can return to normal operating conditions after an upset
D. A resilient system is one that can return to normal operating conditions after a disruption.
The desktop support team wants to virtualize the desktop environment on a central server. What is the advantage for adopting VDI? A. Users can move to different machines and their applications will follow them. B. A wide array of devices, even low-powered ones, can be used to access a user's desktop. C. No data would be compromised if the hardware was lost. D. All of the above. E. None of the above.
D. All of the above. Adopting VDI can provide multiple advantages, including: the session can follow the user, the desktop can be accessed from a variety of devices, and if a device is lost, it contains no corporate data.
Which cloud deployment model is shared by several organizations with a specific purpose? A. Private B. Public C. Hybrid D. Community
D. Community clouds are shared resources for a specific purpose.
Your manager was just in a meeting about the security risks of storing data in the cloud and now is frantically requesting that you immediately shut off all access to cloud storage providers such as Dropbox, Box, OneDrive, and others, services that your company relies on for daily operations. What solution should you recommend to allow these services to be continued while protecting the corporate data in the cloud? A. VM escape B. Type II hypervisor C. Containerization D. Encryption
D. Data encryption can protect corporate data that is stored in cloud storage provider locations.
What is the term used to describe removing users' permissions or authorities to objects? A. Provisioning B. Version control C. Change management D. Deprovisioning
D. Deprovisioning is the removal of users' permissions or authorities to access objects. Provisioning is the process of assigning to users permissions or authorities to access objects. Version control is as simple as tracking which version of a program is being worked on, whether in development, testing, or production. Change management addresses how an organization manages which versions are currently being used, and how it coordinates changes as they are released by a manufacturer.
Which code analysis method is performed while the software is executed, either on a target system or an emulated system? A. Static analysis B. Runtime analysis C. Sandbox analysis D. Dynamic analysis
D. Dynamic analysis is performed while the software is executed, either on a target system or an emulated system. Static code analysis is when the code is examined without being executed. Sandboxing refers to the execution of computer code in an environment designed to isolate the code from direct contact with the target system. Runtime analysis is descriptive of the type of analysis but is not the term used in industry.
Fuzz testing works best in which of the following testing environments? A. White box testing B. Gray box testing C. Black box testing D. Fuzz testing works equally well in all of the above.
D. Fuzz testing works well in white, black, or gray box testing, as it can be performed without knowledge of the specifics of the application under test.
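Added example (not from the exam guide): a minimal black-box mutation fuzzer. The target is a constructed, deliberately fragile parser for "length:payload+checksum" records; the fuzzer knows nothing about its internals, only that anything other than the parser's own ParseError is a crash. The record format, the seed input and the RNG seed are assumptions made for this example; a hardened parser is included so the same fuzzer can confirm the fix.

```python
import random
from typing import Callable, Dict


class ParseError(Exception):
    """The only exception the parser is allowed to raise for bad input."""


def parse_record(data: bytes) -> dict:
    """Constructed target: '<decimal length>:<body><1-byte checksum>'.

    BUG (deliberate): it trusts the declared length, so a short payload
    makes payload[declared] raise IndexError instead of ParseError.
    """
    try:
        length_field, payload = data.split(b":", 1)
        declared = int(length_field)
    except ValueError as exc:
        raise ParseError("malformed header") from exc
    if declared < 0:
        raise ParseError("negative length")
    body = payload[:declared]
    checksum = payload[declared]  # unchecked index
    if checksum != sum(body) & 0xFF:
        raise ParseError("bad checksum")
    return {"length": declared, "body": body}


def parse_record_fixed(data: bytes) -> dict:
    """Same format, with the declared length checked against the payload."""
    try:
        length_field, payload = data.split(b":", 1)
        declared = int(length_field)
    except ValueError as exc:
        raise ParseError("malformed header") from exc
    if declared < 0 or len(payload) < declared + 1:
        raise ParseError("length field does not match payload")
    body = payload[:declared]
    if payload[declared] != sum(body) & 0xFF:
        raise ParseError("bad checksum")
    return {"length": declared, "body": body}


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random edit: overwrite, insert or delete a single byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], seed: bytes,
         iterations: int = 2000, rng_seed: int = 1) -> Dict[str, bytes]:
    """Black-box fuzz loop: returns {exception name: first input that caused it}."""
    rng = random.Random(rng_seed)  # fixed seed keeps the run reproducible
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(rng, seed)
        try:
            target(case)
        except ParseError:
            pass  # expected rejection of bad input, not a crash
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


# Constructed valid seed: body b"hello", checksum sum(b"hello") & 0xFF == 0x14
SEED = b"5:hello\x14"

if __name__ == "__main__":
    print("buggy  :", fuzz(parse_record, SEED))
    print("fixed  :", fuzz(parse_record_fixed, SEED))
```

Because the fuzzer only sees inputs and exceptions, it runs unchanged against the buggy and the hardened parser; with source access (white box) the same loop could be driven by coverage instrumentation, but nothing in it depends on that.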
Which of the following correctly describes master images? A. They can regenerate a system, but only after much effort and delays. B. They work well for small corporations, but they don't scale. C. They require extensive change management efforts. D. They are key elements of template-based systems.
D. Master images are key elements of template-based systems.
Which of the following are benefits of using a master image? A. They make administrative tasks easier to automate. B. They make administrative tasks simpler. C. They substantially reduce the number of human errors. D. All of the above.
D. Master images make administrative tasks easier to automate, make administrative tasks simpler, and substantially reduce the number of human errors.
Which of the following is an initial step in the input validation process that creates the canonical form, or simplest form, of a string before processing? A. Implementing stored procedures B. Code signing C. Code reuse D. Normalization
D. Normalization is an initial step in the input validation process. Specifically, it is the step of creating the canonical form, or simplest form, of a string before processing. Stored procedures are precompiled methods implemented within a database engine. Stored procedures act as a secure coding mechanism because they offer an isolation of user input from the actual SQL statements being executed. Code signing involves applying a digital signature to code, providing a mechanism where the end user can verify the code integrity. Code reuse is reusing code from one application to another.
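Added example (not from the exam guide), covering both the input-validation item earlier on this page and the normalization answer above: a path check applied to the raw string is bypassed by percent-encoding, double encoding and full-width Unicode dots, while the same check applied after canonicalization (decode until stable, NFKC, normalize separators, then a containment test) holds. The document root and the request paths are assumptions made for this example.

```python
import posixpath
import unicodedata
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/app/public"  # assumed document root


def naive_is_safe(raw: str) -> bool:
    """Validation on the raw string, before canonicalization.

    This is the mistake: '..' is checked on the encoded form, so an
    encoded or full-width '..' is accepted.
    """
    return ".." not in raw and not raw.startswith("/")


def canonicalize(raw: str) -> str:
    """Reduce the input to one canonical form before any validation."""
    s = raw
    for _ in range(4):  # percent-decode until stable; defeats double encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = unicodedata.normalize("NFKC", s)  # full-width U+FF0E becomes '.'
    s = s.replace("\\", "/")              # treat backslash as a separator
    return posixpath.normpath(s)          # collapse '.', '..' and '//'


def resolve(raw: str) -> Optional[str]:
    """Absolute path under WEB_ROOT, or None if the request would escape it."""
    canon = canonicalize(raw)
    if "\x00" in canon:
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, canon))
    # join() drops WEB_ROOT when canon is absolute, so the containment
    # check below is what actually enforces the boundary.
    if posixpath.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        return None
    return full


if __name__ == "__main__":
    for req in ("images/logo.png", "%2e%2e/etc/passwd", "%252e%252e/etc/passwd",
                "\uff0e\uff0e/etc/passwd", "..%5cetc/passwd", "/etc/passwd"):
        print(f"{req!r:32} naive={naive_is_safe(req)!s:5} resolved={resolve(req)}")
```

The decode loop is bounded so a pathological input cannot spin it, and decoding runs before NFKC; if the application also accepts full-width '％', the two steps would need to be repeated until the string stops changing.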
Which of the following is a true statement regarding automated courses of action? A. They are often unwieldy and error prone. B. They induce errors into system management. C. They take significant time to design and validate. D. They reduce errors.
D. The bottom-line statement about the value of automated courses of action is that they reduce errors.
Why is VM sprawl an issue? A. VM sprawl uses too many resources on parallel functions. B. The more virtual machines in use, the harder it is to migrate a VM to a live server. C. Virtual machines are so easy to create, you end up with hundreds of small servers only performing a single function. D. When servers are no longer physical, it can be difficult to locate a specific machine.
D. VM sprawl is an issue because when virtual machines proliferate, they can be easily moved and potentially easily copied to random locations. This can make finding a specific machine difficult without a specific organizational structure.