ISC2 CSSLP Exam Questions
161.
Which of the following is NOT one of the metric groups in the CVSS?
- Situational
- Base
- Temporal
- Environmental
Correct answer: Situational
The Common Vulnerability Scoring System (CVSS) is a MITRE-developed risk scoring system for vulnerabilities. It includes three risk metric groups: Base, Temporal, and Environmental.
162.
Which of the following types of malware is defined by its ability to spread on its own?
- Worm
- Virus
- Rootkit
- Trojan horse
Correct answer: Worm
Malware comes in a variety of different forms, including the following:
- Virus: A virus spreads using an infected program that runs on a compromised system.
- Worm: Worms spread themselves without human interaction via means such as exploiting vulnerable applications and systems.
- Spyware: Spyware is stealth malware designed to collect information about the user of an infected system.
- Adware: Adware generates revenue for an attacker by displaying unwanted ads to a user.
- Trojan Horse: Trojan horses infect systems by masquerading as a benign and desirable program that deploys malicious functionality when executed by a user.
- Rootkit: Rootkits conceal themselves and other malicious programs (spyware, keyloggers, etc.) on an infected system. They can run either in kernel mode or user mode.
- Ransomware: Ransomware encrypts or corrupts files on an infected computer and demands a ransom in exchange for restoring access to the user's data.
163.
Which of the following considerations when evaluating potential third-party suppliers is based on the fact that organizations have limited resources for security management?
- Opportunity Costs
- Strategic Improvements vs. Maintenance of Current Operations
- High vs. Low Risk
- Impact of One Supplier on Another
Correct answer: Opportunity Costs
Some of the potential tradeoffs that an organization may need to consider when evaluating the security of third-party suppliers include:
- Strategic Improvements vs. Maintenance of Current Operations: Strategic improvements can benefit a supplier's operations, but they can also create security risks, making it necessary to weigh the risks and rewards.
- High vs. Low Risk: Managing the risk posed by a supplier can also constrain what they are able to accomplish, potentially lowering the value of the product.
- Impact of One Supplier on Another: Each supplier in an organization’s supply chain can have impacts on other suppliers, potentially creating ripple effects down the chain.
- Opportunity Costs: Managing suppliers and products costs money that might be better spent addressing other security risks in the future.
164.
When an organization is performing continuity operations, it is in which of the following stages?
- Limited operations
- Normal operations
- Recovery
- Non-operational
Correct answer: Limited operations
When a business is maintaining continuity of operations, it has suffered a business-disrupting event and is attempting to continue functioning until it restores to normal operations.
165.
The potential for malicious or fake third-party code is MOST relevant to which of the following?
- Cryptographically Hashed, Digitally Signed Components
- Secure Transfer
- System Sharing/Interconnections
- Code Repository Security
Correct answer: Cryptographically Hashed, Digitally Signed Components
Ensuring the authenticity and integrity of third-party code and components is essential to protecting against supply chain attacks where malicious or vulnerable functionality is inserted by an attacker with access to a vendor/supplier’s systems. Steps that organizations can take include:
- Secure Transfer: Software should be transferred over secure channels (e.g., TLS-encrypted) and should be digitally signed to ensure authenticity and integrity.
- System Sharing/Interconnections: Organizations often have direct connections to third-party systems, such as cloud-hosted infrastructure. Risks of these connections that should be addressed include attacks across this connection (in either direction) and loss of availability of remote systems.
- Code Repository Security: Code repositories should be protected against unauthorized and potentially malicious modifications to code. Code should only be added after it is fully scanned, and records of commit histories should be protected against tampering.
- Build Environment Security: With DevOps, build environments involve continuous integration, delivery, and deployment, where frequent small changes are made to code due to internal or third-party code updates. The build pipeline should be secured to ensure that it can’t be tampered with and that any issues (such as vulnerabilities) cause a failed build rather than allowing malicious or vulnerable code into production.
- Cryptographically Hashed, Digitally Signed Components: Digital signatures ensure the authenticity and integrity of the signed data. Requiring third-party components to be digitally signed whenever possible helps to verify the correctness of this external code.
- Right to Audit: An organization may impose requirements on third-party suppliers as part of its risk management procedures. This should include the right to audit to ensure that these requirements are being followed.
166.
Which of the following risk mitigation strategies requires the GREATEST risk appetite?
- Acceptance
- Mitigation
- Transference
- Avoidance
Correct answer: Acceptance
Organizations have a few options when dealing with risk, including:
- Mitigation: Take steps to reduce or eliminate the risk
- Acceptance: Accept the potential risk and do nothing
- Transference: Pass the risk on to an insurer, user, or other party
- Avoidance: Stop performing the risky activity
Risk appetite measures the amount of risk that an organization is willing to accept.
167.
Which of the following occurs when multiple threads of execution interact with the same resources at the same time?
- Race condition
- Mutual exclusion
- Infinite loop
- Recursion
Correct answer: Race condition
Race condition vulnerabilities can occur if multiple threads of execution can read/write values at the same time. For example, two threads may update a value simultaneously, causing one update to overwrite the other.
Mutual exclusion occurs when race condition protections cause thread deadlock. If thread A is waiting for thread B to perform action X before it performs action Y and thread B will only perform X if thread A performs Y, then neither can execute.
Infinite loops can occur when unhandled states occur in conditional logic. For example, code designed to read until it finds a particular letter could read forever if presented with all-numeric input.
Recursion is when a function within an application calls itself again.
168.
Which of the following is NOT a main component of configuration management?
- Revision control
- Change process management
- Baseline control
- Configuration verification
Correct answer: Revision control
Configuration management is composed of configuration control and verification control. Three main components of this are:
- Change process management (change authorization, verification control, and release processing)
- Baseline control (change accounting and library management)
- Configuration verification (status accounting for compliance with specifications)
169.
Which of the following types of closed-source software bundles licenses with hardware?
- OEM
- COTS
- GOTS
- MOTS
Correct answer: OEM
- Original Equipment Manufacturer (OEM): Under OEM licensing, a software license is bundled with the purchase of the hardware that runs it.
- Commercial off the Shelf (COTS): COTS software is available for sale to the general public and includes operating systems (OSes), Microsoft Office, and similar software.
- Government off the Shelf (GOTS): GOTS software is developed internally by a government agency, enabling it to control all aspects of the software.
- Modifiable off the Shelf (MOTS): MOTS software is COTS software that allows customization of the source code.
170.
Which of the following involves making small, frequent changes to the codebase and testing these changes before adding them?
- Continuous integration
- Continuous implementation
- Continuous delivery
- Continuous deployment
Correct answer: Continuous integration
Continuous integration involves making frequent, small changes to the codebase, and testing each one before accepting it.
Continuous delivery automates the process of testing small releases and rolling them out to production.
Continuous deployment uses automated scripts to roll updates out to customers.
171.
Which of the following types of security controls is focused on restoring normal operations after an attack?
- Corrective
- Compensating
- Deterrent
- Preventative
Correct answer: Corrective
The five types of security controls are:
- Detective: Build a log of system or user actions that can be used to identify anomalies and potential threats.
- Preventative: Actively or proactively work to block an attack.
- Deterrent: Attempt to dissuade an attacker from carrying out an attack.
- Corrective: Help to recover back to normal operations after an attack.
- Compensating: Provide an alternative to a security requirement when the recommended control cannot be implemented for some reason.
172.
Which of the following testing methodologies assumes NO knowledge of an application's internals?
- Black-box
- White-box
- Gray-box
- Red-box
Correct answer: Black-box
Application security testing can be performed in a few different ways, including:
- White-Box: White-box testing is performed with knowledge of an application’s internals. It can achieve higher test coverage than black-box testing. Unit testing is an example of white-box testing.
- Black-Box: Black-box testing is performed without knowledge of an application’s internals, sending inputs to the application and observing the responses. It may identify the vulnerabilities most likely to be exploited by an attacker. Penetration testing is an example of black-box testing.
- Gray-Box: Gray-box testing sits between white-box and black-box testing. For example, a tester may be granted the same level of knowledge and access as an advanced user but not access to system documentation.
Red-box testing is a fabricated term.
173.
Of the following, which is LEAST relevant to software security?
- NIST SP 500
- NIST SP 800
- FIPS
- FISMA
Correct answer: NIST SP 500
- Federal Information Processing Standards (FIPS): FIPS are mandatory standards for US government agencies and some federal government contractors.
- Special Publication 500 (SP 500): The SP 500 series of NIST publications describes general Information Technology requirements.
- Special Publication 800 (SP 800): The SP 800 series outlines research and best practices for information security.
- FISMA: The Federal Information Security Management Act of 2022 (FISMA) makes an information security program mandatory for all federal agencies.
174.
Which of the following cloud characteristics makes cloud infrastructure well-suited to applications with unpredictable usage patterns?
- Rapid Elasticity
- On-Demand Self-Service
- Broad Network Access
- Resource Pooling
Correct answer: Rapid Elasticity
The five characteristics of the cloud are:
- On-Demand Self-Service: Customers can deploy solutions and make changes with minimal service provider involvement
- Broad Network Access: High-bandwidth connectivity exists to the cloud backend and cloud services are accessible over the network
- Resource Pooling: Cloud tenants share a pool of resources, which are allocated on an as-needed basis
- Rapid Elasticity: Cloud tenants can rapidly gain access to pooled resources, which can be reallocated when no longer needed
- Measured Service: Cloud customers' resource usage is monitored, and they are billed based on their usage
175.
In which of the following testing methodologies is a crash the MOST likely?
- Failure mode
- Simulation
- Scanning
- Regression testing
Correct answer: Failure mode
Software testers may use various techniques to identify potential issues in an application, including:
- Scanning: Scanners automatically interact with an application to learn information or identify vulnerabilities. For example, network scanners can identify active hosts on a network and the network-connected services that they run, while OS fingerprinting scanners try to identify the OS that a system is running. Vulnerability scanners look for vulnerabilities in an application based on various lists (OWASP, CVEs, PCI DSS, etc.).
- Simulations: Simulations involve performing testing within a simulated environment that resembles the production environment. Simulation testing can help with identifying configuration issues, usability problems, and similar issues before putting an app into production.
- Failure Mode: Not all errors in an application will cause a crash. Failure testing involves ensuring that erroneous inputs cause a failure and that the fault is properly handled.
- Regression Testing: Changes to an application’s code can break functional or non-functional requirements. Regression testing is designed to ensure that code still meets requirements after an update.
176.
Which of the following limits the damage that a user can do by limiting their access to a system?
- Least Privilege
- Separation of Duties
- Economy of Mechanism
- Complete Mediation
Correct answer: Least Privilege
Some of the key security design principles include:
- Least Privilege: Under the Principle of Least Privilege, users are granted the minimum set of permissions necessary to perform their role.
- Separation of Duties: Separation of duties or compartmentalization divides high-risk or critical processes across multiple roles. This reduces the probability that a malicious user could carry out the action or be tricked into doing so.
- Economy of Mechanism: Economy of Mechanism or “Keep It Simple” states that the design and implementation of software should be as simple as possible. Complex systems have a larger attack surface and are more difficult to troubleshoot if something goes wrong.
- Complete Mediation: Complete mediation states that authorization should be performed for every request, even if requests are repeated. This ensures that the authorization system is never bypassed.
177.
Terms like "five nines" are related to which of the following?
- Availability
- Confidentiality
- Integrity
- Non-Repudiation
Correct answer: Availability
Some of the core goals of cryptographic algorithms include:
- Confidentiality: Protecting sensitive information from being disclosed to unauthorized parties. Confidentiality can be protected overtly (encryption, hashing) or covertly (steganography, digital watermarking).
- Integrity: Preventing data from being modified without authorization. Data integrity can be protected by hash functions, digital signatures, parity bits, and cyclic redundancy checking.
- Availability: Ensuring that authorized personnel can access systems or data. 99.999% uptime is "five nines availability." Load balancing, backups, and redundant systems are examples of solutions for protecting availability.
- Non-Repudiation: Preventing a user from denying that they took a particular action. Digital signatures and the blockchain’s immutable ledger are examples of protections against repudiation.
178.
Factors such as passwords, biometrics, etc. are related to which of the following?
- Authentication
- Authorization
- Accountability
- Availability
Correct answer: Authentication
Authentication: Verifying the identity of the user. Common authentication factors include something you know (passwords, etc.), something you have (smartphone, etc.), and something you are (biometrics).
Authorization: Validating that an authenticated user has the right to perform a particular action. Authorization can be managed via various access control models.
Accountability: Monitoring and recording activity by users on systems. Audit logs should include at a minimum the user’s identity, the action taken, the object acted upon, and the time at which the action was taken.
Availability: Ensuring that authorized personnel can access systems or data. Load balancing, backups, and redundant systems are examples of solutions for protecting availability.
179.
Which of the following ISCM elements may require updates to corporate security policies?
- Regulation Changes
- Secure Configuration
- Threat Intel
- Intrusion Detection and Response
Correct answer: Regulation Changes
Information Security Continuous Monitoring (ISCM) is the practice of continually monitoring an organization’s security threats, vulnerabilities, and security posture. Elements of ISCM include:
- Collect and Analyze Security Observable Data: Security intelligence can come from log data, network traffic, events, and similar sources. Tools such as a Security Information and Event Management (SIEM) solution can help with collecting, processing, storing, and accessing this data.
- Threat Intel: Threat intelligence is information about the risk that a company faces, such as new vulnerabilities, active attack campaigns, etc. This information can be used to help plan defenses and tune security solutions and application configurations.
- Intrusion Detection and Response: Intrusion detection is the process of identifying potential threats to the organization based on known-malicious actions, anomalous activities, and other signifiers. Once a potential threat is identified, it can be investigated and managed by the security team.
- Secure Configuration: The configuration of an application can impact its vulnerability to attack. Configurations should be implemented in line with best practice and monitored for unauthorized changes.
- Regulation Changes: Corporate security and AppSec policies are often driven at least partly by external regulations. As regulatory requirements evolve, organizations need to monitor these changes and make appropriate policy updates.
180.
Which of the following defines what the purchaser of software can do with it?
- EULA
- SLA
- SLO
- AUP
Correct answer: EULA
An End User License Agreement (EULA) defines the terms under which an application can be used. For example, an EULA might prohibit commercial use or reverse engineering of an application’s logic.
Service level agreements (SLAs) define service level objectives (SLOs) that lay out the responsibilities of a service provider to a customer.
An acceptable use policy (AUP) states how employees, contractors, etc. can use corporate systems.