ISC2 CSSLP Exam Questions

Page 8 of 25

141.

Which of the following refers to a series of ISO regulations addressing information security management systems (ISMS)?

  • 2700X

  • 2500X

  • 2600X

  • 2800X

Correct answer: 2700X

The ISO/IEC 2700X series of standards lays out guidance for information security management systems. Its standards include the following:

  • ISO/IEC 27000:2018: Information technology — Security techniques — Information security management systems — Overview and vocabulary
  • ISO/IEC 27002:2013: Information technology — Security techniques — Code of practice for information security controls
  • ISO/IEC 27003:2017: Information technology — Security techniques — Information security management systems — Guidance
  • ISO/IEC 27004:2016: Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation
  • ISO/IEC 27005:2018: Information technology — Security techniques — Information security risk management

142.

The use of XML for communications is an example of which of the characteristics of Service-Oriented Architecture (SOA)?

  • Platform neutrality

  • Contract-based interface

  • Modularity and reusability

  • Discoverability

Correct answer: Platform neutrality

Characteristics of a Service-Oriented Architecture (SOA) include:

  • Abstracted Business Functionality: An SOA abstracts away the internal details of how a system works, providing logical views to the user.
  • Contract-Based Interfaces: All communications between a provider and a consumer use an interface with a set message format, eliminating the need to understand the details of how the other side works.
  • Platform Neutrality: All messages in SOA use a platform-neutral format, such as the Extensible Markup Language (XML).
  • Modularity and Reusability: Services are created as modules with a particular purpose, and these "building blocks" can be combined to implement a desired function.
  • Discoverability: A registry of available services is published using the Universal Description, Discovery, and Interface (UDDI) standard to allow clients to identify them.
  • Interoperability: The abstraction of system internals enables various services on different platforms to interoperate.

143.

The military classification system is MOST closely related to which of the following access control models?

  • MAC

  • DAC

  • RBAC

  • ABAC

Correct answer: MAC

Several access control models exist, including:

  • Mandatory Access Control (MAC): MAC centrally controls access to resources based on a combination of sensitivity labels and user clearances. The military Unclassified/Confidential/Secret/Top Secret model with compartments is an example of a MAC system.
  • Discretionary Access Control (DAC): DAC uses the concepts of users and groups and allows users to define who can access their resources. DAC is commonly used by computers, such as Linux’s support for granting read/write/execute permissions to the owner, group members, and others.
  • Role-Based Access Control (RBAC): Role-based access control assigns each user with a role and a set of associated permissions, which are used to determine if a request is valid. For example, a software developer may have access to certain systems and tools, while a software manager may have access to HR information that the developer cannot access.
  • Rule-Based Access Control (RBAC): Rule-based access control uses access control lists (ACLs) and Boolean logic to determine if a request is valid. For example, rules may restrict the times during which a system can be accessed or the devices permitted to access sensitive data.
  • Attribute-Based Access Control (ABAC): ABAC assigns attributes to a user’s identity that are used to determine their access. For example, a developer may have a certain set of permissions on one system but a different set on another.
  • Resource-Based Access Control (RBAC): Resource-based access control systems include the Impersonation and Delegation Model used by Kerberos and the Trusted Subsystem Model. Under the Impersonation and Delegation Model, one entity delegates its access and privileges to another, allowing the other entity to impersonate it to achieve some task. The Trusted Subsystem Model controls access based on a trusted device rather than a user’s identity.

144.

Which of the following techniques combines data from multiple sources to remove unique identifiers?

  • Aggregation

  • Sanitization

  • Tokenization

  • Minimization

Correct answer: Aggregation

Production data can be useful for testing but should be properly anonymized. Some anonymization techniques include:

  • Aggregation: Aggregation combines data from multiple different subjects to remove any identifiable information.
  • Sanitization: Sanitization involves removing potentially sensitive data from records.
  • Tokenization: Tokenization replaces sensitive data with a non-sensitive token that represents it on untrusted systems.
  • Minimization: Minimization involves collecting, storing, and processing as little sensitive data as possible.

145.

Cryptography is MOST relevant to which of the following aspects of business continuity planning?

  • Backup, archiving, and retention

  • Disaster recovery

  • Resiliency

  • Application security

Correct answer: Backup, archiving, and retention

When a business is maintaining continuity of operations, it has suffered a business-disrupting event and is attempting to continue functioning until it restores to normal operations. Business continuity planning includes identifying the criticality of applications to the business to prioritize their restoration. Some concepts related to business continuity/disaster recovery include:

  • Backup, Archiving, and Retention: If data is corrupted or destroyed during a security incident, backups are essential to restoring operations. These backups should be appropriately protected with encryption and access controls.
  • Disaster Recovery (DR): Disaster recovery is the process of moving from continuity operations during an incident back to normal operations. This requires careful planning and full knowledge of system dependencies to ensure that applications are brought back online only when they have the resources needed to operate.
  • Resiliency: Resiliency measures how well a system can survive a disruptive incident. Redundant systems and additional copies of vital data are examples of measures to boost resiliency.

Application Security (AppSec) is not a core part of continuity planning.

146.

Which of the following provides a list of potential risks that should be considered during a risk assessment?

  • Threat modeling

  • Penetration testing

  • Vulnerability scanning

  • Risk modeling

Correct answer: Threat modeling

Threat modeling identifies the potential risks faced by software, which can then be prioritized during risk assessment.

147.

Which of the following database security tools can protect data confidentiality by redacting sensitive information?

  • Views

  • Encryption

  • Triggers

  • Privilege Management

Correct answer: Views

Several tools exist to enhance database security, including:

  • Encryption: Encryption protects data confidentiality by scrambling it in a way that renders it unreadable without the decryption key. Encryption enforces access controls because it prevents unauthorized users from reading the data.
  • Triggers: Triggers automatically run certain actions if a particular event occurs. They can be used for logging, alerting, and similar security tasks.
  • Views: Views provide partial visibility into the contents of database tables. They can be used to redact sensitive information when showing data to someone who doesn't need access to that information.
  • Privilege Management: Privilege management implements internal access controls for a database, restricting users' privileges and access within the database.

148.

For which of the following is sensitive data being hardcoded into an application the GREATEST concern?

  • Keys/Certificates

  • Credentials

  • Secrets

  • Configurations

Correct answer: Keys/Certificates

Software development teams must securely store and manage various types of security data. Examples include:

  • Credentials: Credentials manage access to code, development environments, and tools. Credentials should be defined based on the principle of least privilege, and each account/environment should have its own credentials.
  • Secrets: Applications may have access to encryption and API keys, user credentials, and other sensitive data. This information should be protected using access controls, encryption, and other data security best practices.
  • Keys/Certificates: Encryption keys and digital certificates should be properly managed. For example, keys should not be hardcoded into application code, and digital certificates should be verified before being trusted/used.
  • Configurations: An application’s configuration has a significant impact on its security. Application configuration information should be protected by access controls and integrity and authenticity checks.

149.

A department within a financial institution has data that could be used by another department for insider trading. Which of the following models is BEST suited to protecting against misuse of this data?

  • Brewer-Nash

  • Bell-LaPadula

  • Biba

  • Clark-Wilson

Correct answer: Brewer-Nash

Brewer-Nash or the Chinese Wall is a confidentiality model for enterprises. It addresses the case where one group within an organization may have information that cannot be shared with another.

Bell-LaPadula is a confidentiality protection model that combines attributes of Mandatory Access Control (MAC) and Discretionary Access Control (DAC). Its Simple Security Rule prevents reading data at a higher level of classification, while its * property prevents writing data to a system with a lower classification level.

Biba is an integrity model designed to protect higher-level, more trustworthy data from being corrupted by lower-level data. Its no-write-up rule blocks systems from writing data to a system with a higher classification level. Its second rule states that a system reading/processing data from a lower-level system will have its integrity level lowered as a result.

Clark-Wilson is a transaction-based integrity model that defines Constrained Data Items (CDIs) and Unconstrained Data Items (UDIs). Integrity Verification Processes (IVPs) verify that CDIs meet the integrity rules for a particular state, and Transformation Processes (TPs) change CDIs from one valid state to another.

150.

Which of the following types of testing assesses an application's structure?

  • White-box

  • Black-box

  • Gray-box

  • Red-box

Correct answer: White-box

White-box testing assesses an application's structure, while black-box testing assesses its behavior. Gray-box falls in between.

Red-box testing is a fabricated term.

151.

Which of the following types of testing is designed to validate an application's compliance with service-level agreements (SLAs)?

  • Non-functional testing

  • Functional testing

  • Unit testing

  • Qualification testing

Correct answer: Non-functional testing

Application testing may include several types of tests, including:

  • Qualification/Acceptance Testing: Validates that an application is fit for use
  • Functional Testing: Validates that the logic of an application is correct
  • Unit Testing: Verifies that a unit of the software performs its intended purpose. This testing is performed during development, enabling it to find issues early.
  • Non-Functional Testing: Validates that applications meet service level agreements (SLAs) regarding usability, reliability, performance, and scalability

152.

Which of the following types of testing is typically performed during the development phase of the SDLC?

  • Unit testing

  • Qualification testing

  • Functional testing

  • Non-functional testing

Correct answer: Unit testing

Application testing may include several types of tests, including:

  • Qualification/Acceptance Testing: Validates that an application is fit for use
  • Functional Testing: Validates that the logic of an application is correct
  • Unit Testing: Verifies that a unit of the software performs its intended purpose. This testing is performed during development, enabling it to find issues early.
  • Non-Functional Testing: Validates that applications meet service level agreements (SLAs) regarding usability, reliability, performance, and scalability

153.

Defining and labeling each code release is part of which of the following?

  • Revision control

  • Configuration control

  • Version control

  • Baseline control

Correct answer: Revision control

Revision control is related to version control and involves defining and labeling each release.

Configuration control manages the configuration of hardware, software, documentation, interfaces, and patching. Version control involves managing the versions and changes to files and a codebase. Baseline control is part of configuration management and includes change accounting and library management.

154.

Which of the following is the term for ongoing monitoring of an organization's security posture and risk exposure?

  • ISCM

  • SIEM

  • RISM

  • SREM

Correct answer: ISCM

Information Security Continuous Monitoring (ISCM) is the practice of continually monitoring an organization’s security threats, vulnerabilities, and security posture.

Security Information and Event Management (SIEM) solutions aggregate and analyze security data from multiple sources.

155.

CLR and JVM are examples of systems using which of the following?

  • Hybrid system

  • Interpreter

  • Linker

  • Compiler

Correct answer: Hybrid system

Hybrid systems like the Common Language Runtime (CLR) and Java Virtual Machine (JVM) use an intermediate representation of code between source code and machine code that is interpreted at runtime.

Compilers convert source code into processor-specific machine code. Static linking copies required dependencies into an executable during compilation, creating a faster, easily distributed, but larger file. Dynamic linking stores the names and locations of dependencies to be resolved at runtime. It creates smaller files that are at risk of hijacked dependencies. Interpreters use a program to directly execute source code without a compilation step.

156.

Which type of cloud deployment is also known as corporate cloud?

  • Private

  • Public

  • Hybrid

  • Community

Correct answer: Private

According to NIST, the four cloud deployment models are:

  • Private Cloud: In a private cloud, also known as an internal or corporate cloud, cloud services are provided to a single customer, often on-prem. It has greater privacy and security than other models.
  • Public Cloud: In the public cloud, multiple cloud customers share infrastructure and services managed by the cloud provider. It has greater flexibility and scalability than other models.
  • Community Cloud: In a community cloud, multiple organizations share cloud resources but not with anyone outside that community.
  • Hybrid Cloud: The hybrid cloud combines multiple cloud environments, providing some of the benefits and risks of each.

157.

Which of the following is NOT one of the risk management steps described in NIST SP 800-39 for FISMA compliance?

  • Perform a risk assessment

  • Categorize information systems

  • Select security controls

  • Authorize information systems

Correct answer: Perform a risk assessment

The Federal Information Security Management Act of 2022 (FISMA) makes an information security program mandatory for all federal agencies. The National Institute of Standards and Technology (NIST) developed a risk management framework (RMF) for FISMA that is published in NIST SP 800-39 and includes six steps for risk management:

  1. Categorize information systems
  2. Select security controls
  3. Implement security controls
  4. Assess security controls
  5. Authorize information systems
  6. Monitor security controls

158.

Which of the following intellectual property protections focuses on written work or artistic expression?

  • Copyright

  • Patent

  • Trademark

  • Trade secret

Correct answer: Copyright

Intellectual property (IP) can be protected in various ways, including:

  • Patent: A patent provides exclusive rights to an invention for a specified period of time. Patents can be used to prevent others from using an invention even if they claim to have invented it independently.
  • Copyright: A copyright protects written works and artistic expression from being used or copied without the creator’s consent and proper attribution. Copyrights also limit adaptations, performances, and who can profit from the work.
  • Trademark: A trademark protects brand association and can be either registered or common-law. Images and company names are commonly trademarked items.
  • Trade Secret: A trade secret is intellectual property that is protected only as long as it remains secret. The Coca-Cola secret recipe is probably the most famous example of a trade secret.

159.

Which of the following steps maximizes the impact of limited security resources?

  • Incident triage

  • Root cause analysis

  • Forensics

  • Security monitoring

Correct answer: Incident triage

If an organization suffers a security incident, a quick, correct response is essential to minimizing the cost and damage to the business and requires a well-defined incident response plan. After a potential incident has been identified (based on monitoring and threat detection), essential activities include:

  • Root Cause Analysis: Often, the events that cause an incident to be detected are symptoms, and addressing these will not solve the problem. Root cause analysis is necessary to identify why the incident occurred and ensure that it does not recur in the future.
  • Incident Triage: An organization may face many simultaneous incidents with varying levels of importance and impact on the organization. Triage ensures that incident investigation and response activities are properly prioritized and that each incident is managed at the appropriate level (e.g., not disabling critical functionality due to a minor bug).
  • Forensics: Digital forensics involves investigating an incident to support remediation, recovery, regulatory compliance, or legal action. Often, this involves analyzing log files, the file system, the Windows Registry, and other data sources.

160.

Which of the following anti-tampering strategies ensures the integrity and authenticity of an application's code?

  • Code signing

  • Version control

  • Obfuscation

  • Encryption

Correct answer: Code signing

Anti-tampering solutions are designed to protect software against malicious modifications. Some common techniques include:

  • Code Signing: Valid digital signatures can only be created with knowledge of the appropriate private key. Signing the application's code ensures that it is authentic and has not been modified since the signature was generated.
  • Version Control/Revision Control: Version control systems (like git) record every change to software. These systems allow comments to be applied to commits, limitations on who can commit, comparisons between versions, and reversion to a previous version of a file or release.
  • Obfuscation: Code obfuscation is designed to make production code more difficult to decompile and understand. Obfuscation can help to protect against tampering because it makes it more difficult to determine where and how to change the code.

Encryption is not a common anti-tampering solution because encrypted code can't be executed.