Which of the following is not a valid authentication factor or mechanism?
Something you have
Someone you know
Somewhere you are
All of the above
B. Someone you know is incorrect; something you know is a valid factor.
Which access control mechanism provides the owner of an object the opportunity to determine the access control permissions for other subjects?
Mandatory
Role-based
Discretionary
Token-based
C. This is the definition of discretionary access control.
Logging is a key element of what?
Accountability
Access control
Integrity
Authorization
A. Accounting is a means of measuring activity. Accountability is the recording of actions and the users performing them. In IT systems, this can be done by logging crucial elements of activity as they occur.
Functional requirements include all of the following except what?
Determining specific architecture details
Deployment platform considerations
DR/BCP requirements
Security requirements
A. The specific architecture details come from requirements but are not specified directly as functional requirements.
Which of the following would not be considered structured data?
Excel spreadsheet of parts prices
Oracle database of customer orders
XML file of parts and descriptions
Log file of VPN failures
A. Microsoft Office files are considered unstructured data.
What is the concept of preventing a subject from denying a previous action with an object in a system?
Identity
Nonrepudiation
Authorization
Auditing
B. This is the definition of nonrepudiation.
Which access control technique relies on a set of rules to determine whether access to an object will be granted or not?
Role-based access control
Object and rule instantiation access control
Rule-based access control
Discretionary access control
C. This is a description of rule-based access control.
Bonus points if you can describe mandatory access control (+50), role-based access control (+50), and discretionary access control (+50).
If one desires nonrepudiation with respect to an event performed by a user, which of the following is/are required?
Authentication
Authorization
Auditing
All the above
D. Nonrepudiation is the concept of preventing a subject from denying a previous action with an object in a system. When authentication, authorization, and auditing are properly configured, the ability to prevent repudiation by a specific subject with respect to an action and an object is ensured.
Access control lists are assigned to __________ as part of a security scheme.
Users
Roles
Objects
Activities
C. Access control lists are associated with users, objects, and activities, but are assigned to objects.
Presenting a known attack methodology to the development team to ensure appropriate mitigation can be done via what?
Use case
Misuse case
Security requirement
Business requirement
B. Misuse cases can present commonly known attack scenarios and are designed to facilitate communication among designers, developers, and testers to ensure that potential security holes are managed in a proactive manner.
Using the principle of keeping things simple is related to what?
Layered security
Simple Security Rule
Economy of mechanism
Implementing least privilege for access control
C. The principle of economy of mechanism states that complexity should be limited to make security manageable; in other words, keep things simple.
Bonus points if you can describe layered security (+50), the Simple Security Rule (+50), and implementing least privilege for access control (+50).
Open design places the focus of security efforts on what?
Open-source software components
Hiding key elements (security through obscurity)
Proprietary algorithms
Producing a security mechanism whose strength is independent of its design
D. Open design states that the security of a system must be independent from its design. In essence, the algorithm that is used will be open and accessible, and the security must not be dependent upon the design, but rather on an element such as a key.
Supply chains commonly include which of the following as part of a set of requirements?
Testing regimes
Source code control
Encryption
All of the above
D. Common supply chain contract requirements include specific security requirements such as connections to external systems, input validation and encoding, authentication and session management, access control, logging, error handling, secure configuration, encryption, availability, libraries, testing procedures, and bug remediation processes, as well as general security issues such as source code control including revision control and code escrow.
Use cases should be constructed for what?
All requirements
All requirements that have security concerns
Business requirements that are poorly defined
Implementation features that need testing
C. Use cases are specifically well suited for business requirements that are not well defined.
What party is responsible for defining data classification?
Data custodian
Senior manager (CIO)
Security management
Data owner
D. Data owners are responsible for defining data classification.
Version Control
Also known as revision control or source control systems. A reference to software tools that are used by software development teams to manage the access and the changes to source code over time.
Malware
Malicious software such as viruses, worms, or Trojans.
NIST
National Institute of Standards and Technology
The National Institute of Standards and Technology is a physical sciences laboratory and non-regulatory agency of the United States Department of Commerce. Its mission is to promote American innovation and industrial competitiveness.
What party determines which users or groups should have access to specific data elements?
Data custodian
Data manager
System administrator
Data owner
D. The data owner is the party who determines who has specific levels of access associated with specific data elements.
The RTM tracks which of the following?
Requirement description, failure modes, verification method(s), use cases
Requirement source, test objective(s), verification method(s), known bugs
Requirement description, test objective(s), verification method(s), use cases
Requirement source, test objective(s), failure modes, use cases
RTM is the requirements traceability matrix.
C. The requirements traceability matrix tracks requirement description, test objective(s), verification method(s), use cases.
Asymmetric Algorithm
A reference to cryptographic algorithms that rely on a mathematically related public-private key pair to perform encryption/decryption. Whichever key is used to encrypt a message, the other key must be used to decrypt the message. Aside from confidentiality, these algorithms may also be used for the purpose of key exchange and/or digital signatures.
Digital Signature
A reference to cryptographic operations that, when implemented correctly, can provide assurance for data integrity, origin, and nonrepudiation.
Data Custodian
A reference to a subject or entity with the responsibility to maintain the data and ensure that safeguards and countermeasures for data protection are implemented.
Security Requirements Traceability Matrix
A reference to a document that is created to link/map the requirements to test cases. This document may serve various purposes throughout the software lifecycle, but the primary objective is to provide forward and backward traceability to ensure that all defined requirements are tested.
Data Anonymization
The process of sanitizing data by removing personally identifiable information from the data sets for the purpose of privacy protection.