ISC2 CSSLP Certified Secure Software Lifecycle Professional Exam Practice Test

Page: 1 / 14
Total 357 questions
Question 1

Copyright holders, content providers, and manufacturers use digital rights management (DRM) in order to limit usage of digital media and devices. Which of the following security challenges does DRM include? Each correct answer represents a complete solution. Choose all that apply.



Answer : A, C, D

The security challenges for DRM are as follows:

Key hiding: It prevents tampering attacks that target the secret keys. In the key hiding process, secret keys are used for authentication, encryption, and node-locking.

Device fingerprinting: It prevents fraud and provides secure authentication. Device fingerprinting summarizes the hardware and software characteristics of a device in order to uniquely identify it.

OTA provisioning: It provides end-to-end encryption or other secure ways of delivering copyrighted software to mobile devices.

Answer B is incorrect. Access control is not a security challenge for DRM.


Question 2

You work as a project manager for BlueWell Inc. You are preparing to plan risk responses for your project with your team. How many risk response types are available for a negative risk event in the project?



Answer : D

There are four risk responses available for a negative risk event.

The risk response strategies for negative risks are:

Avoid: It involves altering the project management plan to remove the threat completely.

Transfer: It involves shifting some or all of the negative effects of a threat, including the ownership of the response, to a third party.

Mitigate: It involves reducing the probability and impact of an unfavorable risk event to within acceptable threshold limits.

Accept: It means that the project plan will not be changed to deal with the risk. Management may develop a contingency plan in case the risk occurs. It is used for both negative and positive risks.

Answer C is incorrect. There are four responses for negative risk events.

Answer A is incorrect. There are four, not three, responses for negative risk events. Do not forget that acceptance can be used for negative risk events.

Answer B is incorrect. There are seven total risk responses, four of which can be used for negative risk events.


Question 3

You are the project manager of the GHY project for your organization. You are about to start the qualitative risk analysis process for the project and you need to determine the roles and responsibilities for conducting risk management. Where can you find this information?



Answer : C

The risk management plan defines the roles and responsibilities for conducting risk management.

A risk management plan is a document prepared by a project manager to predict risks, estimate their effects, and build response plans to mitigate them. It also contains the risk assessment matrix.

Risks are inherent in any project, and project managers evaluate risks repeatedly and build plans to address them. The risk management plan consists of an analysis of possible risks with both high and low impacts, and the mitigation strategies that keep the project on track and prevent it from being derailed by the common problems that arise. Risk management plans should be reviewed regularly by the project team so that the analysis does not become stale and unreflective of the actual potential project risks. Most critically, risk management plans include a risk strategy for project execution.

Answer A is incorrect. The risk register does not define the risk management roles and responsibilities.

Answer D is incorrect. Enterprise environmental factors may define the roles that risk management officials or departments play in the project, but the best answer for all projects is the risk management plan.

Answer B is incorrect. The staffing management plan does not define the risk management roles and responsibilities.


Question 4

Which of the following statements about a host-based intrusion prevention system (HIPS) are true?

Each correct answer represents a complete solution. Choose two.



Answer : C, D

A host-based intrusion prevention system (HIPS) is an application usually employed on a single computer. It complements traditional fingerprint-based and heuristic antivirus detection methods, since it does not need continuous updates to stay ahead of new malware. When malicious code needs to modify the system or other software residing on the machine, a HIPS will notice some of the resulting changes and either prevent the action by default or notify the user for permission. It can handle encrypted and unencrypted traffic equally, but it cannot detect events scattered over the network.

Answer B is incorrect. Network address translation (NAT) is a technique that allows multiple computers to share one or more IP addresses. NAT is configured at the server between a private network and the Internet. It allows the computers in a private network to share a global, ISP-assigned address. NAT modifies the headers of packets traversing the server. For packets outbound to the Internet, it translates the source addresses from private to public, whereas for packets inbound from the Internet, it translates the destination addresses from public to private.

Answer A is incorrect. A network intrusion prevention system (NIPS) is a hardware/software platform designed to analyze, detect, and report on security-related events. A NIPS inspects traffic and, based on its configuration or security policy, can drop malicious traffic. A NIPS is able to detect events scattered over the network and can react to them.


Question 5

Which of the following is an attack with IP fragments that cannot be reassembled?



Answer : B

Teardrop is an attack with IP fragments that cannot be reassembled. In this attack, corrupt packets are sent to the victim's computer by abusing IP's packet fragmentation algorithm. As a result of this attack, the victim's computer might hang.

Answer D is incorrect. Smurf is an ICMP attack that involves spoofing and flooding.

Answer C is incorrect. A dictionary attack is a type of password guessing attack. This type of attack uses a dictionary of common words to find out the password of a user. It can also try common words in either upper or lower case to find a password. There are many programs available on the Internet to automate and execute dictionary attacks.

Answer A is incorrect. A password guessing attack occurs when an unauthorized user tries to log on repeatedly to a computer or network by guessing usernames and passwords. Many password guessing programs that attempt to break passwords are available on the Internet. The types of password guessing attacks are:

Brute force attack

Dictionary attack


Question 6

Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?



Answer : D

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a 'risk-based policy for cost-effective security'. FISMA requires agency program officials, chief information officers, and Inspectors General (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act.

Answer B is incorrect. The Lanham Act is a piece of legislation that contains the federal statutes of trademark law in the United States. The Act prohibits a number of activities, including trademark infringement, trademark dilution, and false advertising. It is also called the Lanham Trademark Act.

Answer A is incorrect. The Computer Misuse Act 1990 is an act of the UK Parliament which states the following:

Unauthorized access to computer material is punishable by 6 months' imprisonment or a fine 'not exceeding level 5 on the standard scale' (currently 5000).

Unauthorized access with the intent to commit or facilitate commission of further offences is punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment.

Unauthorized modification of computer material is subject to the same sentences as section 2 offences.

Answer C is incorrect. The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1984 intended to reduce cracking of computer systems and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as 18 U.S.C. 1030) governs cases with a compelling federal interest: where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce. It was amended in 1986, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Section (b) of the act punishes not only anyone who commits or attempts to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so.


Question 7

Which of the following are the tasks performed by the owner in the information classification schemes?

Each correct answer represents a part of the solution. Choose three.



Answer : A, B, D

The different tasks performed by the owner are as follows:

He makes the original determination of what level of classification the information requires, based on the business requirements for the safety of the data.

He reviews the classification assignments from time to time and makes alterations as the business needs change.

He delegates the responsibility of the data safeguard duties to the custodian.

He specifies controls to ensure confidentiality, integrity, and availability.

Answer C is incorrect. This task is performed by the custodian and not by the owner.

