Cybersecurity Concepts and Practices, Exams of Medicine

This document covers a range of cybersecurity topics, including software configuration management, software quality assurance, physical security, budget and reporting, security certifications, cryptography, vulnerability assessment, security controls, authentication and authorization, cloud security, risk management, and various security standards and frameworks. It provides explanations and multiple-choice questions to test the reader's understanding of these cybersecurity concepts. The content is likely intended for individuals pursuing education or training in the field of information security, such as university students or professionals seeking to enhance their cybersecurity knowledge and skills. The document could be useful as study notes, lecture materials, or exam preparation resources for those interested in cybersecurity.

Typology: Exams

2024/2025

Available from 10/17/2024

Achieverr


CSSLP-Exam Practice Test-ME questions with answers

Question Number: 401
Question: Which of the following models uses a directed graph to specify the rights that a subject can transfer to an object or that a subject can take from another subject?
Option 1: Biba model
Option 2: Bell-LaPadula model
Option 3: Clark-Wilson model
Option 4: Lattice-based model
ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "Biba model." The Biba model uses a directed graph to specify the rights that a subject can transfer to an object or that a subject can take from another subject. The model focuses on preserving data integrity and preventing unauthorized modification or corruption of data. It ensures that subjects with lower integrity levels cannot modify or write to objects with higher integrity levels, preventing the spread of inaccurate or malicious data modifications.

Question Number: 402
Question: Which Software Project & Org process is least relevant?
Option 1: Software configuration management
Option 2: Software quality assurance
Option 3: Facility, site, physical security
Option 4: Budget, schedule, reporting
ANSWERS✔✔ Correct Response: 3
Explanation: Physical security is less relevant to software practices.

Question Number: 403
Question: Scenario: As a software developer working on a project for a client who follows U.S. Department of Defense (DoD) Instruction 8500.2, you are required to implement the Information Assurance (IA) controls defined by the DoD. What is the primary area of IA you should focus on according to DoD Instruction 8500.2?
Option 1: Software Development Security
Option 2: Network Infrastructure Security
Option 3: Physical and Environmental Security
Option 4: Personnel Security
ANSWERS✔✔ Correct Response: 1
Explanation: As a software developer, your primary focus according to DoD Instruction 8500.2 would be Software Development Security (A). This area involves ensuring the application of security principles and practices in the development of systems and software. It's a critical part of the eight areas of IA defined by the DoD, particularly for your role.

Question Number: 404
Question: Which statement about ISSO and ISSE is false?
Option 1: ISSO is CNSS 4011 certified
Option 2: ISSE advises on engineering
Option 3: ISSO performs IA operations
Option 4: ISSE supports IA engineering
ANSWERS✔✔ Correct Response: 1
Explanation: ISSOs are not required to be 4011 certified.

Question Number: 405
Question: Which of the following security design patterns provides an alternative by requiring that a user's authentication credentials be verified by the database before providing access to that user's data?
Option 1: Role-Based Access Control (RBAC)
Option 2: Attribute-Based Access Control (ABAC)
Option 3: Mandatory Access Control (MAC)
Option 4: Database Authentication
ANSWERS✔✔ Correct Response: 4
Explanation: The correct option is "Database Authentication." Database Authentication is a security design pattern that verifies a user's authentication credentials against the database before granting access to that user's data. This pattern ensures that the user's credentials are valid and authenticated by the database, providing an additional layer of security for data access.

Question Number: 406
Question: Scenario: You are a software developer working on a project that requires a high level of security. The project is nearing completion, and your team is working on a process that concludes with an agreement that the system provides adequate protection controls in its current configuration. Which process is your team currently focusing on?
Option 1: Risk Assessment
Option 2: System Certification
Option 3: Security Audit
Option 4: Vulnerability Scanning
ANSWERS✔✔ Correct Response: 2
Explanation: The process your team is currently working on is System Certification (B). This process involves a comprehensive evaluation of the technical and non-technical security controls of the system to ensure they provide adequate protection. It culminates in an agreement, often documented as a Certification Statement, stating that the system meets a certain set of security standards.

Question Number: 407
Question: You are designing an e-commerce website that will handle sensitive customer data. Which of the following is not useful to ensure secure transactions?
Option 1: Implementing SSL for data in transit
Option 2: Storing user passwords in plaintext for easy recovery
Option 3: Encrypting credit card data at rest
Option 4: Using secure, vetted payment processing services
ANSWERS✔✔ Correct Response: 2
Explanation: Storing user passwords in plaintext is a major security risk, as it makes them easily readable if the data is breached, which can lead to unauthorized access.
Knowledge Area: Mock Exam 2

Question Number: 408
Question: In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system?
Option 1: White-box testing
Option 2: Gray-box testing
Option 3: Black-box testing
Option 4: Penetration testing
ANSWERS✔✔ Correct Response: 3
Explanation: The correct option is "Black-box testing." In black-box testing, assessors work with no prior knowledge or access to internal details of the system. They use all available documentation and work under no constraints to simulate real-world attacks and attempt to circumvent the security features of the information system. This methodology helps identify vulnerabilities and weaknesses from an external perspective.
Knowledge Area: Mock Exam 2

Question Number: 409
Question: Scenario: Your company is going through the Initiate and Plan Information Assurance Certification and Accreditation (IA C&A) phase of the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP). As a software developer, what is the primary subordinate task you should focus on during this phase?
Option 1: Develop a System Identification Profile
Option 2: Perform a vulnerability assessment
Option 3: Implement security controls
Option 4: Conduct a security audit
ANSWERS✔✔ Correct Response: 1
Explanation: During the Initiate and Plan IA C&A phase of the DIACAP process, the primary subordinate task is to Develop a System Identification Profile (A). This profile provides an overview of the system and its components, which is critical for identifying potential vulnerabilities and planning appropriate security controls.
Knowledge Area: Mock Exam 2

Question Number: 410
Question: Which is NOT an access control type?
Option 1: Mandatory
Option 2: Discretionary
Option 3: Advisory
Option 4: Non-discretionary
ANSWERS✔✔ Correct Response: 3
Explanation: Advisory controls are recommendations, not access enforcement.
Knowledge Area: Mock Exam 2

Question Number: 411
Question: Which of the following methods determines the principal name of the current user and returns the java.security.Principal object in the HttpServletRequest interface?
Option 1: getUserPrincipal()
Option 2: getPrincipal()
Option 3: getCurrentPrincipal()
Option 4: getAuthenticatedUser()
ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "getUserPrincipal()". This method is used in the HttpServletRequest interface to determine the principal name of the current user and returns the java.security.Principal object representing the user. The Principal object provides information about the user's identity and can be used for authentication and authorization purposes.
Knowledge Area: Mock Exam 2

Question Number: 412
Question: Which attack does NOT cause software failure?
Option 1: Buffer overflow
Option 2: SQL injection
Option 3: Cross-site scripting
Option 4: Blind DoS
ANSWERS✔✔ Correct Response: 4
Explanation: Blind DoS prevents access but not software failure.
Knowledge Area: Mock Exam 2

Question Number: 413
Question: Scenario: As a software developer, you are tasked with writing efficient and maintainable code for a new project. What is the primary coding practice you should adopt to simplify your code?
Option 1: Use of nested conditionals for robustness
Option 2: Frequent use of recursion for complex problems
Option 3: Use of comments and meaningful variable names
Option 4: Use of global variables for ease of access
ANSWERS✔✔ Correct Response: 3
Explanation: Simplifying code is critical for maintainability and ease of understanding. This can be achieved primarily through the use of comments and meaningful variable names (C). Comments provide additional information or clarify complex parts, while meaningful variable names make code self-explanatory. The use of nested conditionals or recursion may increase complexity, and global variables can lead to unexpected side effects, making the code harder to understand and maintain.
Knowledge Area: Mock Exam 2

Question Number: 414
Question: Which of the following coding practices are helpful in simplifying code?
Option 1: Modularity, abstraction, encapsulation
Option 2: Code obfuscation, spaghetti code, code duplication
Option 3: Hard coding, insecure coding, global variables
Option 4: Code comments, self-explanatory variable names, code repetition
ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "Modularity, abstraction, encapsulation." Modularity, abstraction, and encapsulation are coding practices that are helpful in simplifying code. Modularity involves breaking down complex systems into smaller, manageable modules. Abstraction focuses on hiding unnecessary details and exposing only relevant information. Encapsulation involves bundling data and related functions together to form a self-contained unit. These practices improve code readability, maintainability, and reusability.
Knowledge Area: Mock Exam 2

Question Number: 415
Question: Which of the following methods does the Java Servlet Specification v2.4 define in the HttpServletRequest interface that control programmatic security?
Option 1: getUserPrincipal(), isUserInRole()
Option 2: setAuthentication(), setAuthorization()
Option 3: encryptPassword(), decryptPassword()
Option 4: verifyUser(), authorizeUser()
ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "getUserPrincipal(), isUserInRole()." The Java Servlet Specification v2.4 defines the methods getUserPrincipal() and isUserInRole() in the HttpServletRequest interface that control programmatic security. getUserPrincipal() returns the user principal associated with the request, and isUserInRole() checks if the user associated with the request is in a specific role. These methods provide a way to implement custom security logic within a Java servlet application.
Knowledge Area: Mock Exam 2

Question Number: 416
Question: Martha registers a domain named Microsoft.ABCDEF. She tries to sell it to Microsoft Corporation. The infringement of which of the following has she made?
Option 1: Trademark infringement
Option 2: Copyright infringement
Option 3: Patent infringement
Option 4: Trade secret infringement
ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "Trademark infringement." By registering a domain name using the trademarked term "Microsoft," Martha has infringed upon the trademark rights of Microsoft Corporation. Trademarks provide exclusive rights to the owner, preventing others from using similar marks that may cause confusion among consumers.

Question Number: 417
Question: Which of the following is a variant with regard to Configuration Management?
Option 1: Change control
Option 2: Version control
Option 3: Access control
Option 4: Identity management
ANSWERS✔✔ Correct Response: 2
Explanation: The correct option is "Version control." Version control is a variant of Configuration Management that focuses on managing different versions of software or files. It tracks changes, enables collaboration, and provides a history of revisions. Version control systems help developers manage code and ensure that the correct versions are used and tracked throughout the software development lifecycle.
Knowledge Area: Mock Exam 2

Question Number: 418
Question: You are developing software that will integrate with Microsoft's cloud services and will handle sensitive user data. Which of the following is not useful to ensure secure transactions with Microsoft's cloud services?
Option 1: Implementing SSL for data in transit
Option 2: Storing user passwords in plaintext in the cloud for easy recovery
Option 3: Encrypting sensitive data at rest in the cloud
Option 4: Using secure, vetted APIs for cloud integration
ANSWERS✔✔ Correct Response: 2
Explanation: Storing user passwords in plaintext, even in secure cloud services, is a major security risk as they could be accessed if the data is breached, leading to unauthorized access.
Knowledge Area: Mock Exam 2

Question Number: 419
Question: Which statement about residual risk is false?
Option 1: It can be accepted
Option 2: It can be mitigated
Option 3: It can be transferred
Option 4: It can be eliminated
ANSWERS✔✔ Correct Response: 4
Explanation: Residual risk cannot be fully eliminated.
Knowledge Area: Mock Exam 2

Question Number: 420
Question: You have a storage media with some data, and you make efforts to remove this data. After performing this, you analyze that the data remains present on the media. Which of the following refers to the above-mentioned condition?
Option 1: Data remanence
Option 2: Data leakage
Option 3: Data integrity
Option 4: Data sanitization
ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "Data remanence." Data remanence refers to the residual presence of data on storage media even after efforts have been made to remove or erase it. This can occur due to various factors, such as incomplete data deletion or the presence of data in hidden or inaccessible areas of the media.
Knowledge Area: Mock Exam 2

Question Number: 421
Question: Phase 1 of DITSCAP C&A is known as the Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements. What are the process activities of this phase?
Option 1: Define C&A level of effort, identify C&A roles and responsibilities, establish security requirements
Option 2: Develop project schedule, assign tasks, monitor progress
Option 3: Conduct risk assessments, develop risk management plan, implement risk mitigation strategies
Option 4: Identify system requirements, design system architecture, develop security controls
ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "Define C&A level of effort, identify C&A roles and responsibilities, establish security requirements." In the Definition Phase of DITSCAP C&A (Department of Defense Information Technology Security Certification and Accreditation Process), the process activities include defining the level of effort required for C&A, identifying the roles and responsibilities of C&A personnel, and establishing security requirements for the system. This phase sets the foundation for the subsequent activities in the C&A process.
Knowledge Area: Mock Exam 2

Question Number: 422
Question: Which of the following NIST Special Publication documents provides a guideline on network security testing?
Option 1: NIST SP 800-
Option 2: NIST SP 800-
Option 3: NIST SP 800-
Option 4: NIST SP 800-115
ANSWERS✔✔ Correct Response: 4
Explanation: The correct option is "NIST SP 800-115." NIST SP 800-115 provides a guideline on network security testing. This publication focuses on the technical aspects of conducting network security testing, including methodologies, tools, and best practices. It provides guidance on how to assess the effectiveness of network security controls, identify vulnerabilities, and evaluate the overall security posture of a network. NIST SP 800- provides security controls and guidelines for federal information systems, while NIST SP 800-30 provides guidance on risk assessment.
Knowledge Area: Mock Exam 2

Question Number: 423
Question: You work as a project manager for BlueWell Inc. You and your team are using a method or a (technical) process that conceives the risks even if all theoretically possible safety measures would be applied. One of your team members wants to know what a residual risk is. What will you reply to your team member?
Option 1: A residual risk is the risk that remains after applying all possible safety measures.
Option 2: A residual risk is the risk that is no longer relevant and can be ignored.
Option 3: A residual risk is the risk that occurs due to human error.
Option 4: A residual risk is the risk that is transferred to another party.
ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "A residual risk is the risk that remains after applying all possible safety measures." A residual risk refers to the risk that remains even after implementing all theoretically possible safety measures. It represents the level of risk that cannot be eliminated completely and highlights the importance of ongoing risk management and mitigation efforts.
Knowledge Area: Mock Exam 2

Question Number: 424
Question: You are attempting to securely erase data from a storage media. Which of the following methods is least effective in ensuring the data is completely removed?
Option 1: Overwriting the data with zeros
Option 2: Physically destroying the media
Option 3: Using a magnet to degauss the media
Option 4: Simply deleting the files via the operating system
ANSWERS✔✔ Correct Response: 4
Explanation: Simply deleting the files via the operating system is the least effective method. The other methods are more effective as they either overwrite the existing data or physically destroy the media, making it extremely difficult, if not impossible, to recover the data.
Knowledge Area: Mock Exam 2

Question Number: 425
Question: A Web-based credit card company had collected financial and personal details of Mark before issuing him a credit card. The company has now provided Mark's financial and personal details to another company. Which of the following Internet laws has the credit card issuing company violated?
Option 1: Privacy laws
Option 2: Data breach notification laws
Option 3: Identity theft laws
Option 4: Consumer protection laws
ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "Privacy laws." By providing Mark's financial and personal details to another company without his consent, the credit card issuing company has violated privacy laws. Privacy laws govern the collection, use, and sharing of personal information, and in this case, the company has breached Mark's privacy by sharing his information without proper authorization.
Knowledge Area: Mock Exam 2

Question Number: 426
Question: Which risk response is least appropriate for both threats?
Option 1: Mitigate
Option 2: Transfer
Option 3: Accept
Option 4: Exploit
ANSWERS✔✔ Correct Response: 4
Explanation: Exploiting risks is unethical and risky.
Knowledge Area: Mock Exam 2

Question Number: 427
Question: There are seven risk responses that a project manager can choose from. Which risk response is appropriate for both positive and negative risk events?
Option 1: Avoidance
Option 2: Acceptance
Option 3: Mitigation
Option 4: Transference
ANSWERS✔✔ Correct Response: 3
Explanation: The correct option is "Mitigation." Mitigation is the risk response strategy that is appropriate for both positive and negative risk events. It involves taking actions to reduce the probability or impact of identified risks. Mitigation focuses on minimizing the potential adverse effects of risks and maximizing the potential benefits of opportunities.
Knowledge Area: Mock Exam 2

Question Number: 428
Question: What is the least effective for Syslog DoS prevention?
Option 1: Rate limiting
Option 2: Input validation
Option 3: TLS encryption
Option 4: Log analysis
ANSWERS✔✔ Correct Response: 3
Explanation: Encryption does not prevent DoS attacks.
Knowledge Area: Mock Exam 2

Question Number: 429
Question: Which CM procedure is wrong for new feature compatibility?
Option 1: Change request
Option 2: Baseline revision
Option 3: Release planning
Option 4: Design review
ANSWERS✔✔ Correct Response: 4
Explanation: Design reviews are for early stages, not changes.
Knowledge Area: Mock Exam 2


Question Number: 430
Question: Scenario: As a software developer in a new security software project, you are tasked with modifying the functional features and the basic logic of the software to make them compatible with the initial design of the project. Which procedure of configuration management should you primarily follow to accomplish this task?
Option 1: Configuration Identification
Option 2: Configuration Control
Option 3: Configuration Status Accounting
Option 4: Configuration Auditing
ANSWERS✔✔ Correct Response: 2
Explanation: To modify functional features and the basic logic of software and align them with the initial design, you would primarily follow the Configuration Control procedure (B). This process involves the evaluation, coordination, approval or disapproval, and implementation of changes to configuration items within a system. It helps ensure that changes are made in a systematic and disciplined manner, preserving the integrity and traceability of the configuration items.
Knowledge Area: Mock Exam 2

Question Number: 431
Question: Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. What are the process activities of this phase?
Option 1: Monitoring, continuous evaluation, and periodic reaccreditation.
Option 2: Risk assessment, vulnerability scanning, and penetration testing.
Option 3: System development, configuration management, and change control.
Option 4: System verification and validation, security testing, and audit.
ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "Monitoring, continuous evaluation, and periodic reaccreditation." In the Post Accreditation phase of DITSCAP C&A, the process activities include ongoing monitoring, continuous evaluation, and periodic reaccreditation of the system. This phase ensures that the system remains in compliance with security requirements and continues to operate effectively and securely.
Knowledge Area: Mock Exam 2

Question Number: 432
Question: As a software developer, you are using the Service-Oriented Modeling Framework (SOMF) to align business and IT organizations. Which of the following principles is not concentrated on by the SOMF?
Option 1: Business and IT alignment
Option 2: Service discovery and definition
Option 3: Service orchestration and choreography
Option 4: Implementing proprietary protocols for service communication
ANSWERS✔✔ Correct Response: 4
Explanation: SOMF concentrates on principles like business and IT alignment, service discovery and definition, and service orchestration. However, the use of proprietary protocols for service communication is not a principle of SOMF, as this approach could lead to interoperability issues.
Knowledge Area: Mock Exam 2

Question Number: 433
Question: As a software developer, you are working on an application for the commercial sector. Which of the following access control models is least likely to be used in this sector?
Option 1: Discretionary Access Control (DAC)
Option 2: Role-Based Access Control (RBAC)
Option 3: Mandatory Access Control (MAC)
Option 4: Attribute-Based Access Control (ABAC)
ANSWERS✔✔ Correct Response: 3
Explanation: While all the models could be used depending on the context, Mandatory Access Control (MAC) is less commonly used in the commercial sector due to its rigid structure. MAC is often associated with military or government systems where information classification and clearance levels are of paramount importance.
Knowledge Area: Mock Exam 2

Question Number: 434
Question: Which of the following access control models are used in the commercial sector?
Option 1: Bell-LaPadula model
Option 2: Biba model
Option 3: Role-Based Access Control (RBAC)
Option 4: Clark-Wilson model
ANSWERS✔✔ Correct Response: 3
Explanation: The correct option is "Role-Based Access Control (RBAC)." RBAC is an access control model widely used in the commercial sector. It grants access to resources based on the roles assigned to users, rather than their individual identities. RBAC simplifies access management by organizing users into roles and assigning permissions and privileges to those roles. This model provides a flexible and scalable approach to access control in large organizations.
Knowledge Area: Mock Exam 2

Question Number: 435
Question: During the testing phase of software development, which of the following methods is least helpful in verifying the interfaces between components against a software design?
Option 1: Integration testing
Option 2: Interface testing
Option 3: System testing
Option 4: Performance testing
ANSWERS✔✔ Correct Response: 4
Explanation: While performance testing is important, it is primarily focused on testing the speed, responsiveness, and stability of software under a workload, rather than verifying the interfaces between components against a software design.
Knowledge Area: Mock Exam 2

Question Number: 436
Question: Which review is least focused on vulnerabilities?
Option 1: Fagan inspection
Option 2: Pair programming
Option 3: Code audit
Option 4: Penetration testing
ANSWERS✔✔ Correct Response: 2
Explanation: Pair programming is more for defect reduction.
Knowledge Area: Mock Exam 2

Question Number: 437
Question: Which of the following methods offers a number of modeling practices and disciplines that contribute to a successful service-oriented life cycle management and modeling?
Option 1: Service-Oriented Architecture (SOA)
Option 2: Agile Development Methodology
Option 3: Waterfall Development Methodology
Option 4: Object-Oriented Programming (OOP)
ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "Service-Oriented Architecture (SOA)." SOA offers a number of modeling practices and disciplines that contribute to a successful service-oriented life cycle management and modeling. SOA is an architectural approach that uses services as the fundamental building blocks for developing software applications. It emphasizes loose coupling, modularity, and reusability of services to enable greater flexibility and interoperability. SOA modeling practices help in designing, developing, and managing services throughout their life cycle.
Knowledge Area: Mock Exam 2

Question Number: 438
Question: Which of the following is a set of exclusive rights granted by a state to an inventor or his assignee for a fixed period of time in exchange for the disclosure of an invention?
Option 1: Patent
Option 2: Trademark
Option 3: Copyright
Option 4: Trade secret
ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "Patent." A patent is a set of exclusive rights granted by a state to an inventor or their assignee for a fixed period of time. It provides legal protection for an invention and grants the patent holder the right to exclude others from making, using, or selling the invention without permission. In exchange for the protection, the inventor must disclose the details of the invention.
Knowledge Area: Mock Exam 2


Question Number: 439
Question: Which of the following actions does the Data Loss Prevention (DLP) technology take when an agent detects a policy violation for data of all states?
Option 1: Encrypt the data
Option 2: Block the data
Option 3: Monitor and report the violation
Option 4: Quarantine the data
ANSWERS✔✔ Correct Response: 2
Explanation: The correct option is "Block the data." When a Data Loss Prevention (DLP) technology agent detects a policy violation for data of all states, it takes the action to block the data. This ensures that the data is not transmitted, shared, or accessed improperly, according to the policy violation. Blocking the data helps prevent unauthorized disclosure, ensuring the security and protection of sensitive information.
Knowledge Area: Mock Exam 2

Question Number: 440
Question: You're reviewing the Orange Book's rated systems for secure software development. Which of the following rated systems does not include mandatory protection of the Trusted Computing Base (TCB)?
Option 1: B1: Labeled Security Protection
Option 2: A1: Verified Design
Option 3: C2: Controlled Access Protection
Option 4: D: Minimal Protection
ANSWERS✔✔ Correct Response: 4
Explanation: D: Minimal Protection, according to the Orange Book, does not provide a mandatory protection of the Trusted Computing Base (TCB). The other classifications (A1, B1, C2) do have mandatory protections for the TCB.
Knowledge Area: Mock Exam 2

Question Number: 441
Question: Scenario: You are a software developer working on a system that requires the mandatory protection of the Trusted Computing Base (TCB). According to the Orange Book, which rated system requires this level of protection?
Option 1: A
Option 2: B
Option 3: B
Option 4: C2
ANSWERS✔✔ Correct Response: 3
Explanation: According to the Orange Book, a system rated as B3 requires mandatory protection of the Trusted Computing Base (TCB) (C). This rating signifies that the system has strict access control measures in place, and the TCB must be protected to ensure the integrity, confidentiality, and availability of the system.
Knowledge Area: Mock Exam 2


Question Number: 442
Question: As a software developer, you're implementing a system designed to detect unwanted attempts at accessing, manipulating, and disabling computer systems through the Internet. Which of the following is least likely to serve this purpose?
Option 1: Intrusion Detection System (IDS)
Option 2: Firewall
Option 3: Intrusion Prevention System (IPS)
Option 4: Email client
ANSWERS✔✔ Correct Response: 4
Explanation: An email client is primarily used for sending, receiving, storing, and retrieving emails. While it may have some security features, it is not primarily designed to detect and prevent unwanted attempts at accessing, manipulating, or disabling computer systems.
Knowledge Area: Mock Exam 2

Question Number: 443
Question: Which attack does not use the same algorithm?
Option 1: Chosen ciphertext
Option 2: Known plaintext
Option 3: Ciphertext only
Option 4: Man-in-the-middle
ANSWERS✔✔ Correct Response: 4
Explanation: MITM attacks intercept different communications.
Knowledge Area: Mock Exam 2


Question Number: 444
Question: In which of the following cryptographic attacking techniques does an attacker obtain encrypted messages that have been encrypted using the same encryption algorithm?
Option 1: Known-plaintext attack
Option 2: Chosen-plaintext attack
Option 3: Brute-force attack
Option 4: Birthday attack
- ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "Known-plaintext attack." In a known-plaintext attack, an attacker obtains encrypted messages that have been encrypted using the same encryption algorithm. The attacker knows both the plaintext and corresponding ciphertext pairs and attempts to derive the encryption key or deduce further plaintext-ciphertext pairs. This type of attack can be used to uncover vulnerabilities in the encryption algorithm or key management processes.
Knowledge Area: Mock Exam 2
--------------------------------------------


Question Number: 445
Question: You've identified a potential security vulnerability in your company's software application. What is your NEXT ACTION as the software developer?
Option 1: Ignore the issue, as it's not part of your assigned tasks
Option 2: Report the vulnerability to your superior or security team
Option 3: Work on a fix yourself without informing anyone
Option 4: Document the vulnerability but take no further action
- ANSWERS✔✔ Correct Response: 2
Explanation: The best next action when a potential security vulnerability is identified is to report it to your superior or security team. They have the knowledge and authority to decide on the appropriate next steps, which may include determining the risk level, deciding whether and how to patch the vulnerability, and ensuring that similar vulnerabilities are prevented in the future. Other actions may be inappropriate or lack the necessary collaboration and risk management considerations.
Knowledge Area: Mock Exam 2
--------------------------------------------


Question Number: 446
Question: Which of the following authentication methods is used to access public areas of a Web site?
Option 1: Biometric authentication
Option 2: Multi-factor authentication
Option 3: Single sign-on
Option 4: Anonymous access
- ANSWERS✔✔ Correct Response: 4
Explanation: The correct option is "Anonymous access." Anonymous access is the authentication method used to access public areas of a website. It allows users to access certain content or services without providing any identifying information or credentials. This type of access is typically used for publicly available information that does not require user-specific authentication.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 447
Question: You're performing a testing method that focuses on system efficiency by systematically selecting a minimal set of tests to cover the affected changes. Which of the following testing methods is least likely to achieve this?
Option 1: Regression testing
Option 2: Unit testing
Option 3: Functional testing
Option 4: UI testing
- ANSWERS✔✔ Correct Response: 4
Explanation: UI testing primarily focuses on the user interface and user experience, and may not be the most efficient method for covering only the affected changes in a system.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 448
Question: Which of the following testing methods tests the system efficiency by systematically selecting the suitable and minimum set of tests that are required to effectively cover the affected changes?
Option 1: Regression testing
Option 2: Boundary testing
Option 3: Risk-based testing
Option 4: Adaptive testing
- ANSWERS✔✔ Correct Response: 3
Explanation: The correct option is "Risk-based testing." Risk-based testing is a testing method that focuses on systematically selecting the suitable and minimum set of tests required to effectively cover the affected changes. It prioritizes testing efforts based on the identified risks and their potential impact on the system's efficiency. By using risk analysis, the testing team can allocate resources efficiently and target the areas that pose the highest risks to the system's efficiency.
Knowledge Area: Mock Exam 2
--------------------------------------------


Question Number: 449
Question: As a software developer, you're designing a system to specify access privileges to a collection of resources using URL mapping. Which of the following is least likely to serve this purpose?
Option 1: Access control lists (ACLs)
Option 2: Role-based access control (RBAC)
Option 3: Discretionary Access Control (DAC)
Option 4: Salesforce CRM
- ANSWERS✔✔ Correct Response: 4
Explanation: Salesforce CRM is a customer relationship management solution and is not primarily used for specifying access privileges to resources using URL mapping. ACLs, RBAC, and DAC are all models that could be used for this purpose.
Knowledge Area: Mock Exam 2
--------------------------------------------

Question Number: 450
Question: You are the project manager of the QSL project for your organization. You are working with your project team and several key stakeholders to create a diagram that shows how various elements of a system interrelate and the mechanism of causation within the system. What diagramming technique are you using as a part of the risk identification process?
Option 1: Cause and effect diagram (Fishbone diagram)
Option 2: Data flow diagram (DFD)
Option 3: State transition diagram
Option 4: Decision tree diagram
- ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "Cause and effect diagram (Fishbone diagram)." A cause and effect diagram, also known as a Fishbone diagram, is a diagramming technique used to visualize the interrelationships and causation mechanism within a system. It helps identify potential causes of a problem or risk by organizing them into categories and showing the relationships between various factors. This diagramming technique is commonly used as a part of the risk identification process to understand the root causes of risks and determine appropriate mitigation strategies.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 451
Question: Which of the following technologies is used by hardware manufacturers, publishers, copyright holders, and individuals to impose limitations on the usage of digital content and devices?
Option 1: Digital Rights Management (DRM)
Option 2: Public Key Infrastructure (PKI)
Option 3: Virtual Private Network (VPN)
Option 4: Secure Sockets Layer (SSL)
- ANSWERS✔✔ Correct Response: 1
Explanation: The correct option is "Digital Rights Management (DRM)." Digital Rights Management is a technology used by hardware manufacturers, publishers, copyright holders, and individuals to impose limitations on the usage of digital content and devices. DRM systems enforce access control, usage restrictions, and copy protection mechanisms to protect intellectual property rights. DRM can be applied to various forms of digital content, such as music, movies, e-books, and software, to manage and protect their distribution, usage, and licensing.
Knowledge Area: Mock Exam 2
--------------------------------------------

Question Number: 452
Question: Which of the following techniques is used when a system performs the penetration testing with the objective of accessing unauthorized information residing inside a computer?
Option 1: White-box testing
Option 2: Black-box testing
Option 3: Gray-box testing
Option 4: Purple-team testing
- ANSWERS✔✔ Correct Response: 2
Explanation: The correct option is "Black-box testing." Black-box testing is a technique used during penetration testing when the objective is to access unauthorized information residing inside a computer system. In black-box testing, the tester has no prior knowledge or access to the internal details of the system and attempts to simulate real-world attacks to uncover vulnerabilities and access unauthorized information. This technique helps identify weaknesses from an external perspective.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 453
Question: In the Business Continuity Planning (BCP) process, one element includes plan implementation, plan testing, ongoing plan maintenance, and involves defining and documenting the continuity strategy. Which of the following is least likely to be part of this element?
Option 1: Emergency response
Option 2: Crisis communication
Option 3: Information backup
Option 4: Logo designing
- ANSWERS✔✔ Correct Response: 4
Explanation: Logo designing is a part of brand building and marketing strategy and does not contribute to the BCP process, which focuses on ensuring that the organization's critical business functions can continue during and after a disaster.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 454
Question: Which of the following access control models uses a predefined set of access privileges for an object of a system?
Option 1: Role-Based Access Control (RBAC)
Option 2: Discretionary Access Control (DAC)
Option 3: Mandatory Access Control (MAC)
Option 4: Attribute-Based Access Control (ABAC)
- ANSWERS✔✔ Correct Response: 2
Explanation: The correct option is "Discretionary Access Control (DAC)." Discretionary Access Control uses a predefined set of access privileges for an object of a system. It allows the owner or custodian of the object to determine who can access it and what level of access they have. The owner has discretion over granting or denying access to the object, making it a flexible access control model commonly used in systems where users have varying levels of trust and responsibility.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 455
Question: Which PDCA activity is incorrect?
Option 1: Implement solutions
Option 2: Check results
Option 3: Plan changes
Option 4: Identify issues
- ANSWERS✔✔ Correct Response: 1
Explanation: Implementation is done in the "do" phase.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 456
Question: As a software developer, you are working on a web application using the Java Servlet Specification v2.4. You're focusing on the Web resource collection, a security constraint element. Which of the following does this element include?
Option 1: Methods and URL patterns
Option 2: Memory allocation settings
Option 3: Database connection strings
Option 4: HTTP response headers
- ANSWERS✔✔ Correct Response: 1
Explanation: The Web resource collection in the Java Servlet Specification v2.4 includes methods and URL patterns. This allows you to specify which resources in your web application should be protected and how, which is a crucial part of secure software development.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 457
Question: You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A methodology, which is based on four well-defined phases. In which of the following phases of the NIST SP 800-37 C&A methodology does the security categorization occur?

Option 1: Initiation phase
Option 2: Security Assessment phase
Option 3: Risk Assessment phase
Option 4: Continuous Monitoring phase
- ANSWERS✔✔ Correct Response: 3
Explanation: The correct option is "Risk Assessment phase." In the NIST SP 800-37 C&A methodology, the security categorization occurs in the Risk Assessment phase. This phase involves categorizing the information system and the information processed, stored, and transmitted by the system based on the potential impact on organizational operations, assets, individuals, and other organizations. It helps determine the appropriate level of security controls to be implemented.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 458
Question: Which of the following sections come under the ISO/IEC 27002 standard?
Option 1: Risk assessment, incident response, business continuity
Option 2: Policy and procedures, physical security, network security
Option 3: Change management, access control, cryptography
Option 4: Security awareness, asset management, supplier relationships
- ANSWERS✔✔ Correct Response: 3
Explanation: The correct option is "Change management, access control, cryptography." Change management, access control, and cryptography are sections that come under the ISO/IEC 27002 standard. ISO/IEC 27002 provides a code of practice for information security management systems. It covers various aspects of information security, including organizational security policies, asset management, human resource security, physical and environmental security, communications and operations management, and more. Change management, access control, and cryptography are essential components of an effective information security program.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 459
Question: As a software developer, you are leading a project for a new financial management platform. After a recent update, end-users have reported issues with the application's functionality. What is the BEST course of action to address these concerns?
Option 1: Ignore the user complaints, as the software was previously working well
Option 2: Roll back the software to its previous version
Option 3: Make another update and hope it fixes the issues
Option 4: Perform regression testing on the software
- ANSWERS✔✔ Correct Response: 4
Explanation: Given that the software was working before the modification and the users are now complaining, it is most likely that the recent changes have caused the issue. Performing regression testing would be the best course of action. This process involves testing the software to confirm that a recent program or code change has not adversely affected existing features.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 460
Question: As a software developer, you are integrating authentication mechanisms in your application. Which of the following statements about the authentication concept of information security management holds TRUE?
Option 1: Authentication is only about confirming a user's identity
Option 2: Authentication can be done only with a password
Option 3: Authentication ensures only authorized users have access
Option 4: Authentication is not necessary for secure systems
- ANSWERS✔✔ Correct Response: 3
Explanation: Authentication is a critical concept in information security management. Its primary purpose is to ensure that the system confirms a user's identity and allows only authorized users to access resources. It can be achieved by various means, not just a password, including biometrics, OTPs, and security tokens.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 461
Question: You are leading a software development project expected to last for 18 months. Six months into the project, your team wonders about the frequency of risk reassessment. If you are adhering to the best practices for risk management, how often should you be performing risk reassessments?
Option 1: Only at the start of the project
Option 2: At the end of the project
Option 3: Every six months
Option 4: Continually throughout the project
- ANSWERS✔✔ Correct Response: 4
Explanation: Best practices for risk management recommend that risk reassessment should be an ongoing activity throughout the project. Risk profiles can change as work is performed and circumstances evolve, so regular reassessment ensures that the project team is always aware of current risks and can adjust mitigation strategies accordingly.
Knowledge Area: Mock Exam 2
--------------------------------------------

Question Number: 462
Question: How does quantitative risk analysis differ?
Option 1: Prioritizes risks
Option 2: Measures probabilities
Option 3: Identifies triggers
Option 4: Quantifies impacts
- ANSWERS✔✔ Correct Response: 1
Explanation: It quantifies, not just prioritizes, risks.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 463
Question: Which SDLC phase is incorrect for audits?
Option 1: Development
Option 2: Testing
Option 3: Deployment
Option 4: Maintenance
- ANSWERS✔✔ Correct Response: 4
Explanation: Audits validate software, not operational maintenance.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 464
Question: You're working on a major application that will be put into production once complete. What is a CRITICAL requirement before this application can be released?
Option 1: The application must have a user-friendly interface
Option 2: The application must be fully certified and accredited
Option 3: The application must have backward compatibility
Option 4: The application must have been beta tested
- ANSWERS✔✔ Correct Response: 2
Explanation: Before any general support systems and major applications are put into production, they must be fully certified and accredited. This ensures that the systems and applications meet necessary security requirements and are fit for their intended use.
Knowledge Area: Mock Exam 2
--------------------------------------------
Question Number: 465
Question: You are considering the adoption of virtualization for your next project, as suggested in the NIST Information Security and Privacy Advisory Board (ISPAB) paper "Perspectives on Cloud Computing and Standards". What is one of the primary security advantages of virtualization?