ISC CSSLP Certified Secure Software Lifecycle Professional Online Training

Question #31

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. In order to do so, he performs the following steps of the pre-attack phase successfully: Information gathering Determination of network range Identification of active systems Location of open ports and applications Now, which of the following tasks should he perform next?

A . Perform OS fingerprinting on the We-are-secure network.
B . Map the network of We-are-secure Inc.
C . Install a backdoor to log in remotely on the We-are-secure server.
D . Fingerprint the services running on the we-are-secure network.

Reveal Solution Hide Solution

Question #32

Which of the following DITSCAP C&A phases takes place between the signing of the initial version of the SSAA and the formal accreditation of the system?

A . Phase 4
B . Phase 3
C . Phase 1
D . Phase 2

Reveal Solution Hide Solution

Question #33

In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system?

A . Full operational test
B . Penetration test
C . Paper test
D . Walk-through test

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

A penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit.

ANS: C is incorrect. A paper test is the least complex test in the disaster recovery and business continuity testing approaches. In this test, the BCP/DRP plan documents are distributed to the appropriate managers and BCP/DRP team members for review, markup, and comment. This approach helps the auditor to ensure that the plan is complete and that all team members are familiar with their responsibilities within the plan.

ANS: D is incorrect. A walk-through test is an extension of the paper testing in the business continuity and disaster recovery process. In this testing methodology, appropriate managers and BCP/DRP team members discuss and walk through procedures of the plan. They also discuss the training needs, and clarification of critical plan elements.

ANS: A is incorrect. A full operational test includes all team members and participants in the disaster recovery and business continuity process. This full operation test involves the mobilization of personnel. It restores operations in the same manner as an outage or disaster would. The full operational test extends the preparedness test by including actual notification, mobilization of resources, processing of data, and utilization of backup media for restoration.

Question #34

You work as a systems engineer for BlueWell Inc.

Which of the following tools will you use to look outside your own organization to examine how others achieve their performance levels, and what processes they use to reach those levels?

A . Benchmarking
B . Six Sigma
C . ISO 9001:2000
D . SEI-CMM

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Benchmarking is the tool used by system assessment process to provide a point of reference by which performance measurements can be reviewed with respect to other organizations. Benchmarking is also recognized as Best Practice Benchmarking or Process Benchmarking. It is a process used in management and mostly useful for strategic management. It is the process of comparing the business processes and performance metrics including cost, cycle time, productivity, or quality to another that is widely considered to be an industry standard benchmark or best practice. It allows organizations to develop plans on how to implement best practice with the aim of increasing some aspect of performance. Benchmarking might be a one-time event, although it is frequently treated as a continual process in which organizations continually seek out to challenge their practices. It allows organizations to develop plans on how to make improvements or adapt specific best practices, usually with the aim of increasing some aspect of performance.

ANS: C is incorrect. The ISO 9001:2000 standard combines the three standards 9001, 9002, and 9003 into one, called 9001. Design and development procedures are required only if a company does in fact engage in the creation of new products. The 2000 version sought to make a radical change in thinking by actually placing the concept of process management front and center ("Process management" was the monitoring and optimizing of a company’s tasks and activities, instead of just inspecting the final product). The ISO 9001:2000 version also demands involvement by upper executives, in order to integrate quality into the business system and avoid delegation of quality functions to junior administrators. Another goal is to improve effectiveness via process performance metrics numerical measurement of the effectiveness of tasks and activities. Expectations of continual process improvement

and tracking customer satisfaction were made explicit.

ANS: B is incorrect. Six Sigma is a business management strategy, initially implemented by Motorola. As of 2009 it enjoys widespread application in many sectors of industry, although its application is not without controversy. Six Sigma seeks to improve the quality of process outputs by identifying and removing the causes of defects and variability in manufacturing and business processes. It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organization ("Black Belts", "Green Belts", etc.) who are experts in these methods. Each Six Sigma project carried out within an organization follows a defined sequence of steps and has quantified financial targets (cost reduction or profit increase). The often used Six Sigma symbol is as follows:

ANS: D is incorrect. Capability Maturity Model Integration (CMMI) was created by Software Engineering Institute (SEI). CMMI in software engineering and organizational development is a process improvement approach that provides organizations with the essential elements for effective process improvement. It can be used to guide process improvement across a project, a division, or an entire organization. CMMI can help integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes. CMMI is now the de facto standard for measuring the maturity of any process. Organizations can be assessed against the CMMI model using Standard CMMI Appraisal Method for Process Improvement (SCAMPI).

Question #35

Which of the following methods determines the principle name of the current user and returns the jav a.security.Principal object in the HttpServletRequest interface?

A . getUserPrincipal()
B . isUserInRole()
C . getRemoteUser()
D . getCallerPrincipal()

Reveal Solution Hide Solution

Question #36

The NIST Information Security and Privacy Advisory Board (ISPAB) paper "Perspectives on Cloud Computing and Standards" specifies potential advantages and disdvantages of virtualization.

Which of the following disadvantages does it include? Each correct answer represents a complete solution. Choose all that apply.

A . It increases capabilities for fault tolerant computing using rollback and snapshot features.
B . It increases intrusion detection through introspection.
C . It initiates the risk that malicious software is targeting the VM environment.
D . It increases overall security risk shared resources.
E . It creates the possibility that remote attestation may not work.
F . It involves new protection mechanisms for preventing VM escape, VM detection, and VM-VM interference.
G . It increases configuration effort because of complexity and composite system.

Reveal Solution Hide Solution

Question #37

Which of the following are the types of access controls? Each correct answer represents a complete solution. Choose three.

A . Physical
B . Technical
C . Administrative
D . Automatic

Reveal Solution Hide Solution

Question #38

What are the subordinate tasks of the Initiate and Plan IA C&A phase of the DIACAP process? Each correct answer represents a complete solution. Choose all that apply.

A . Initiate IA implementation plan
B . Develop DIACAP strategy
C . Assign IA controls.
D . Assemble DIACAP team
E . Register system with DoD Component IA Program.
F . Conduct validation activity.

Reveal Solution Hide Solution

Question #39

Which of the following attacks causes software to fail and prevents the intended users from accessing software?

A . Enabling attack
B . Reconnaissance attack
C . Sabotage attack
D . Disclosure attack

Reveal Solution Hide Solution

Question #40

FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems.

Which of the following FITSAF levels shows that the procedures and controls have been implemented?

A . Level 2
B . Level 3
C . Level 5
D . Level 1
E . Level 4

Reveal Solution Hide Solution