ISC2 CSSLP Exam Questions

Page 10 of 25

181.

A user found that their password was changed on your organization's website without their consent. Which of the following types of vulnerabilities is MOST likely to be the culprit?

  • Cross-site request forgery (CSRF)

  • Cross-site scripting (XSS)

  • SQL injection

  • Command injection

Correct answer: Cross-site request forgery (CSRF)

Injection is a major, common vulnerability class that usually ranks highly on vulnerability lists. Some common types of injection vulnerabilities include:

  • SQL Injection: SQL injection attacks involve providing malicious input that is included in a database request. SQL injection can read, write, or delete data contained within a database accessible to a vulnerable application.
  • Command Injection: Command injection vulnerabilities allow an attacker to run commands in the system terminal. For example, an application may run a command in the shell using user-provided input, which may be crafted to change the intent of the command or run additional commands.
  • Integer Overflow: Integers have a fixed size in memory and are only able to store a certain range of values. If a value to be stored in a variable exceeds this range, it wraps around and is interpreted as a smaller value.
  • Path Traversal: In a filepath, ../ indicates that the system should look in the next directory up in the file system. Path traversal vulnerabilities allow an attacker who can specify the name of a file to be read/written by an application to read/write files outside of the intended directory.
  • Cross-Site Scripting (XSS): Modern webpages use scripts to add interactivity and other functionality to webpages. If user-provided input is used as part of a webpage's HTML code, a malicious user can have part of their input interpreted as a script, which will be run in the browser of anyone visiting the page. XSS vulnerabilities can be non-persistent/reflected, persistent/stored, or DOM-based.
  • Cross-Site Request Forgery (CSRF): Cross-site request forgery (CSRF) attacks involve tricking the browser of an authenticated user into performing an HTTP request without their knowledge/consent. For example, a user logged into social media could have their password changed if a malicious webpage tricked their browser into performing a password change request and the social media site lacked CSRF protections.

182.

Which type of malware might collect user credentials and similar information?

  • Spyware

  • Ransomware

  • Adware

  • Rootkit

Correct answer: Spyware

Malware comes in a variety of different forms, including the following:

  • Virus: A virus spreads using an infected program that runs on a compromised system.
  • Worm: Worms spread themselves without human interaction via means such as exploiting vulnerable applications and systems.
  • Spyware: Spyware is stealth malware designed to collect information about the user of an infected system.
  • Adware: Adware generates revenue for an attacker by displaying unwanted ads to a user.
  • Trojan Horse: Trojan horses infect systems by masquerading as a benign and desirable program that deploys malicious functionality when executed by a user.
  • Rootkit: Rootkits conceal themselves and other malicious programs (spyware, keyloggers, etc.) on an infected system. They can run either in kernel mode or user mode.
  • Ransomware: Ransomware encrypts or corrupts files on an infected computer and demands a ransom in exchange for restoring access to the user's data.

183.

Which of the following roles is responsible for maintenance of a system after release?

  • Customer

  • Supplier

  • Configuration manager

  • Subcontractor

Correct answer: Customer

The customer role is responsible for post-release maintenance of a system.

The supplier role is responsible for pre-release product configuration. Configuration managers ensure that the configuration plan is followed throughout the development process.

184.

Changes to an organization's codebase should be managed by which of the following?

  • Version control

  • Configuration control

  • Revision control

  • Baseline control

Correct answer: Version control

Version control involves managing the versions and changes to files and a codebase.

Revision control is related to version control and involves defining and labeling each release. Configuration control manages the configuration of hardware, software, documentation, interfaces, and patching. Baseline control is part of configuration management and includes change accounting and library management.

185.

Which of the following can be used to alert security personnel of suspicious actions within a database?

  • Triggers

  • Encryption

  • Views

  • Privilege Management

Correct answer: Triggers

Several tools exist to enhance database security, including:

  • Encryption: Encryption protects data confidentiality by scrambling it in a way that renders it unreadable without the decryption key. Encryption enforces access controls because it prevents unauthorized users from reading the data.
  • Triggers: Triggers automatically run certain actions if a particular event occurs. They can be used for logging, alerting, and similar security tasks.
  • Views: Views provide partial visibility into the contents of database tables. They can be used to redact sensitive information when showing data to someone who doesn't need access to that information.
  • Privilege Management: Privilege management implements internal access controls for a database, restricting users' privileges and access within the database.

186.

Which of the following can help to ensure that a potential supplier has the processes in place that are needed to meet contractual obligations?

  • Policies and Procedures

  • Past Incident Reports

  • Audit Reports

  • Security Architecture Documentation

Correct answer: Policies and Procedures

Some considerations when evaluating an organization’s security track record include:

  • Past Incidents: How has the organization handled past security incidents?
  • Audit Reports: Are there repeated audit findings that indicate that problems don’t get fixed?
  • Policies and Procedures: What policies and procedures does the organization have in place?

187.

Which of the following is NOT one of the three classes of security controls?

  • Procedural

  • Administrative

  • Technical

  • Physical

Correct answer: Procedural

Security controls can be classified into three classes:

  • Administrative
  • Technical
  • Physical

188.

Which of the following reduces the probability that a third-party supplier will be involved in a prime contractor's development process?

  • Develop in-house

  • Outsource

  • Reuse

  • Acquire

Correct answer: Develop in-house

Developing applications in-house reduces the probability of relying on a third-party supplier compared to reusing, outsourcing, or acquiring software.

189.

Which of the following steps comes FIRST in the risk management framework laid out in NIST SP 800-39?

  • Categorize information systems

  • Authorize information systems

  • Implement security controls

  • Select security controls

Correct answer: Categorize information systems

The Federal Information Security Management Act of 2022 (FISMA) makes an information security program mandatory for all federal agencies. The National Institute of Standards and Technology (NIST) developed a risk management framework (RMF) for FISMA that is published in NIST SP 800-39 and consists of six risk management steps:

  1. Categorize information systems
  2. Select security controls
  3. Implement security controls
  4. Assess security controls
  5. Authorize information systems
  6. Monitor security controls

190.

Which PCI-DSS requirement only has a single sub-requirement?

  • Maintain an Information Security Policy

  • Regularly Monitor and Test Networks

  • Maintain a Vulnerability Management Program

  • Implement Strong Access Control Measures

Correct answer: Maintain an Information Security Policy

The Payment Card Industry Data Security Standard (PCI DSS) was implemented by major payment card brands to fight payment card fraud and protect cardholders’ personal data. It includes twelve high-level requirements divided into six control objectives:

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

191.

Which of the following ISCM elements helps an organization to predict the security controls that will be needed in the future?

  • Threat Intel

  • Intrusion Detection and Response

  • Collect and Analyze Security Observable Data

  • Secure Configuration

Correct answer: Threat Intel

Information Security Continuous Monitoring (ISCM) is the practice of continually monitoring an organization’s security threats, vulnerabilities, and security posture. Elements of ISCM include:

  • Collect and Analyze Security Observable Data: Security intelligence can come from log data, network traffic, events, and similar sources. Tools such as a Security Information and Event Management (SIEM) solution can help with collecting, processing, storing, and accessing this data.
  • Threat Intel: Threat intelligence is information about the risk that a company faces, such as new vulnerabilities, active attack campaigns, etc. This information can be used to help plan defenses and tune security solutions and application configurations.
  • Intrusion Detection and Response: Intrusion detection is the process of identifying potential threats to the organization based on known-malicious actions, anomalous activities, and other signifiers. Once a potential threat is identified, it can be investigated and managed by the security team.
  • Secure Configuration: The configuration of an application can impact its vulnerability to attack. Configurations should be implemented in line with best practice and monitored for unauthorized changes.
  • Regulation Changes: Corporate security and AppSec policies are often driven at least partly by external regulations. As regulatory requirements evolve, organizations need to monitor these changes and make appropriate policy updates.

192.

During which of the following phases is inadvertent disclosure about an application's internal workings a concern?

  • Logging

  • Known Vulnerabilities

  • Privilege Levels

  • Cryptographic Strength

Correct answer: Logging

Code review is a process by which other developers inspect code for security or efficiency issues. Some of the common checks performed during code review include:

  • Inefficient Code: Complex or obfuscated code may need to be simplified to improve analysis or execution.
  • Known Vulnerabilities: Code should be checked against the OWASP Top 10, SANS Top 25, and errors that have previously been found within an organization's code.
  • Errors and Exception Handling: Code should fully test for error cases and handle all possible exceptions.
  • Injection Flaws: Code should include input validation to protect against injection attacks.
  • Cryptographic Strength: Cryptography should be implemented using trusted algorithms and libraries and use strong random number generation.
  • Unsafe and Deprecated Function Calls: Code should only use approved functions and APIs, and unneeded functions should be removed.
  • Privilege Levels: Code should be implemented in accordance with the principle of least privilege.
  • Logging: Code should properly log errors without revealing unnecessary information.
  • Secure Key Information: Cryptographic keys, passwords, and other authentication information should be properly used and protected.

193.

Which of the following types of application testing is MOST consistent with DevSecOps principles?

  • Continuous testing

  • Failure mode testing

  • Regression testing

  • Integration testing

Correct answer: Continuous testing

Software testers may use various techniques to identify potential issues in an application, including:

  • Failure Mode: Not all errors in an application will cause a crash. Failure testing involves ensuring that erroneous inputs cause a failure and that the fault is properly handled.
  • Regression Testing: Changes to an application’s code can break functional or non-functional requirements. Regression testing is designed to ensure that code still meets requirements after an update.
  • Integration Testing: Applications are deployed in environments alongside other applications and systems. Integration testing ensures that a system as a whole (including multiple different applications) achieves its intended purpose.
  • Continuous Testing: Continuous testing processes build automated testing into development pipelines. This ensures that issues are identified and addressed as early as possible. This use of automated, continuous testing is well-aligned with DevOps and DevSecOps principles.

194.

Which of the following is NOT an example of pervasive computing?

  • Laptops

  • Mobile devices

  • IoT devices

  • RFID tags

Correct answer: Laptops

Examples of pervasive or ubiquitous computing include mobile devices, Internet of Things (IoT) systems, and Radio-Frequency Identification (RFID) tags.

195.

Which of the following is MOST important to the usability of a database?

  • View

  • Encryption

  • Trigger

  • Privilege Management

Correct answer: View

Key database security elements include:

  • Encryption: Encryption protects the confidentiality of data in a database.
  • Triggers: Triggers are functions that run automatically when a particular database event occurs.
  • Views: Views allow data to be extracted and displayed within tables.
  • Privilege Management: Databases can have built-in access controls that limit the actions that a user or application can take on the database.

196.

Which of the following is concerned with finding any hash collision, not one with a specific value?

  • Birthday attack

  • Dictionary attack

  • Salting

  • Rainbow table

Correct answer: Birthday attack

Birthday attacks take advantage of the fact that it is much more probable that any two members of a group have a collision (i.e., the same birthday) than that a particular member of the group has a collision with another member.

Dictionary attacks use a list of inputs (such as common passwords) to try to guess the input that produced a particular hash.

Salting involves adding a random, public value to the input to a hash algorithm (such as a password) so that identical inputs (such as identical passwords) do not produce the same hash.

Rainbow tables are precalculated lookup tables that map hash inputs to outputs and are designed to make future attacks faster. Salting can protect against rainbow table attacks.

197.

The use of digital signatures is MOST relevant to which of the following cryptographic errors?

  • Download of Code without Integrity Check

  • Use of a Broken or Risky Cryptographic Algorithm

  • Unsalted Hash

  • Hard-Coded Credentials

Correct answer: Download of Code without Integrity Check

Examples of common cryptographic failures include:

  • Hard-Coded Credentials: Authentication information (passwords, keys, etc.) hard-coded into an application is vulnerable to exposure and difficult to change. This creates failures in authentication and enables account takeover.
  • Missing Encryption of Sensitive Data: Certain types of sensitive data should be encrypted to protect the business and its customers and to comply with applicable regulations. Log files, error logs, and backups are common examples of locations where this issue occurs.
  • Use of a Broken or Risky Cryptographic Algorithm: DES, MD5, SHA-1, and other algorithms are considered broken and insecure. Using broken or custom encryption algorithms leaves data vulnerable to exposure. Additionally, the use of a weak random number generator (RNG) to generate keys is a common problem.
  • Download of Code without Integrity Check: Code downloaded from the Internet may be malicious or modified by an attacker. All downloaded code should be compared to the provided hash value or digital signature to ensure that it has not been tampered with.
  • Unsalted Hash: Hash functions always provide the same output for a given input. This can be problematic for password management since it reveals which accounts have the same password and makes it possible to use precomputed rainbow tables to crack weak passwords. Salting hashes by including a random value as part of the input ensures that identical passwords produce different hashes and protects against the use of rainbow tables.

198.

Which of the following cloud service infrastructures provides the customer with the LEAST control over their infrastructure?

  • SaaS

  • PaaS

  • IaaS

  • AaaS

Correct answer: SaaS

Common cloud architectures include:

  • Software as a Service (SaaS): The customers access a solution fully developed and managed by the cloud provider.
  • Platform as a Service (PaaS): The cloud provider hosts and manages an environment where the customer can create and deploy applications.
  • Infrastructure as a Service (IaaS): The cloud provider manages underlying infrastructure, and the customer can deploy and manage their own virtual machines (VMs).

AaaS is not a cloud service infrastructure.

199.

Which of the following is designed to implement the steps used to evaluate an application against a requirement?

  • Test script

  • Test case

  • Test harness

  • Test suite

Correct answer: Test script

A test script automates the process of implementing a test case, providing repeatability and speeding the testing process.

A test harness documents all aspects of a testing process including the systems under test and the tools, data, and configurations used during testing. Test suites are groups of tests. For example, multiple tests focused on performance may be collected into a test suite. A test case describes a particular requirement to be tested and how an application will be tested against that requirement.

200.

Which of the following vulnerabilities exploits variable and memory management in an application?

  • Integer overflow

  • SQL injection

  • Command injection

  • Path traversal

Correct answer: Integer overflow

Injection is a major, common vulnerability class that usually ranks highly on vulnerability lists. Some common types of injection vulnerabilities include:

  • SQL Injection: SQL injection attacks involve providing malicious input that is included in a database request. SQL injection can read, write, or delete data contained within a database accessible to a vulnerable application.
  • Command Injection: Command injection vulnerabilities allow an attacker to run commands in the system terminal. For example, an application may run a command in the shell using user-provided input, which may be crafted to change the intent of the command or run additional commands.
  • Integer Overflow: Integers have a fixed size in memory and are only able to store a certain range of values. If a value to be stored in a variable exceeds this range, it wraps around and is interpreted as a smaller value.
  • Path Traversal: In a filepath, ../ indicates that the system should look in the next directory up in the file system. Path traversal vulnerabilities allow an attacker who can specify the name of a file to be read/written by an application to read/write files outside of the intended directory.
  • Cross-Site Scripting (XSS): Modern webpages use scripts to add interactivity and other functionality to webpages. If user-provided input is used as part of a webpage's HTML code, a malicious user can have part of their input interpreted as a script, which will be run in the browser of anyone visiting the page. XSS vulnerabilities can be non-persistent/reflected, persistent/stored, or DOM-based.
  • Cross-Site Request Forgery (CSRF): Cross-site request forgery (CSRF) attacks involve tricking the browser of an authenticated user into performing an HTTP request without their knowledge/consent. For example, a user logged into social media could have their password changed if a malicious webpage tricked their browser into performing a password change request and the social media site lacked CSRF protections.