This page was exported from Best Free Exam Guide [ http://free.exams4sures.com ] Export date:Fri Mar 14 21:14:41 2025 / +0000 GMT ___________________________________________________ Title: [Mar-2022] Dumps Brief Outline Of The CSSLP Exam - Exams4sures [Q14-Q38] --------------------------------------------------- [Mar-2022] Dumps Brief Outline Of The CSSLP Exam - Exams4sures CSSLP Training & Certification Get Latest ISC Certification NEW QUESTION 14Which of the following phases of DITSCAP includes the activities that are necessary for the continuing operation of an accredited IT system in its computing environment and for addressing the changing threats that a system faces throughout its life cycle?  Phase 2, Verification  Phase 3, Validation  Phase 1, Definition  Phase 4, Post Accreditation Phase Explanation/Reference:Explanation: Phase 4, Post Accreditation Phase, of the DITSCAP includes the activities that are necessary for the continuing operation of an accredited IT system in its computing environment and for addressing the changing threats that a system faces throughout its life cycle. AnswerC is incorrect. Phase 1, Definition, focuses on understanding the mission, the environment, and the architecture in order to determine the security requirements and level of effort necessary to achieve accreditation. Answer A is incorrect. Phase 2, Verification, verifies the evolving or modified system’s compliance with the information agreed on in the System Security Authorization Agreement (SSAA). Answer: B is incorrect. Phase 3 validates the compliance of a fully integrated system with the information stated in the SSAA.NEW QUESTION 15A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well designed policy? Each correct answer represents a part of the solution. Choose all that apply.  What is being secured?  Where is the vulnerability, threat, or risk?  Who is expected to exploit the vulnerability?  Who is expected to comply with the policy? Explanation/Reference:Explanation: A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A well designed policy addresses the following: What is being secured? – Typically an asset. Who is expected to comply with the policy? – Typically employees. Where is the vulnerability, threat, or risk? – Typically an issue of integrity or responsibility.NEW QUESTION 16DRAG DROPDrag and drop the correct DoD Policy Series at their appropriate places.Select and Place: Explanation/Reference:Explanation: The various DoD policy series are as follows:NEW QUESTION 17Which of the following cryptographic system services ensures that information will not be disclosed to any unauthorized person on a local network?  Authentication  Integrity  Non-repudiation  Confidentiality The confidentiality service of a cryptographic system ensures that information will not be disclosed to any unauthorized person on a local network.NEW QUESTION 18Which of the following allows multiple operating systems (guests) to run concurrently on a host computer?  Emulator  Hypervisor  Grid computing  CP/CMS A hypervisor is a virtualization technique that allows multiple operating systems (guests) to run concurrently on a host computer. It is also called the virtual machine monitor (VMM). The hypervisor provides a virtual operating platform to the guest operating systems and checks their execution process. It provides isolation to the host’s resources. The hypervisor is installed on server hardware. Answer A is incorrect. Emulator duplicates the functions of one system using a different system, so that the second system behaves like the first system. Answer D is incorrect. CP/CMS is a time-sharing operating system of the late 60s and early 70s, and it is known for its excellent performance and advanced features. Answer C is incorrect. Grid computing refers to the combination of computer resources from multiple administrative domains to achieve a common goal.NEW QUESTION 19Which of the following elements of the BCP process emphasizes on creating the scope and the additional elements required to define the parameters of the plan?  Business continuity plan development  Plan approval and implementation  Business impact analysis  Scope and plan initiation Explanation/Reference:Explanation: The scope and plan initiation process in BCP symbolizes the beginning of the BCP process. It emphasizes on creating the scope and the additional elements required to define the parameters of the plan. The scope and plan initiation phase embodies a check of the company’s operations and support services. The scope activities include creating a detailed account of the work required, listing the resources to be used, and defining the management practices to be employed. AnswerC is incorrect. The business impact assessment is a method used to facilitate business units to understand the impact of a disruptive event. This phase includes the execution of a vulnerability assessment. This process makes out the mission-critical areas and business processes that are important for the survival of business. It is similar to the risk assessment process. The function of a business impact assessment process is to create a document, which is used to help and understand what impact a disruptive event would have on the business.AnswerA is incorrect. The business continuity plan development refers to the utilization of the informationcollected in the Business Impact Analysis (BIA) for the creation of the recovery strategy plan to support the critical business functions. The information gathered from the BIA is mapped out to make a strategy for creating a continuity plan. The business continuity plan development process includes the areas of plan implementation, plan testing, and ongoing plan maintenance. This phase also consists of defining and documenting the continuity strategy. AnswerB is incorrect. The plan approval and implementation process involves creating enterprise-wide awareness of the plan, getting the final senior management signoff, and implementing a maintenance procedure for updating the plan as required.NEW QUESTION 20Which of the following is an example of penetration testing?  Implementing NIDS on a network  Implementing HIDS on a computer  Simulating an actual attack on a network  Configuring firewall to block unauthorized traffic Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration testing is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit. Answer A, B, and D are incorrect. Implementing NIDS and HIDS and configuring firewall to block unauthorized traffic are not examples of penetration testing.NEW QUESTION 21Which of the following phases of the DITSCAP C&A process is used to define the C&A level of effort, to identify the main C&A roles and responsibilities, and to create an agreement on the method for implementing the security requirements?  Phase 1  Phase 4  Phase 2  Phase 3 The Phase 1 of the DITSCAP C&A process is known as Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements. Answer C is incorrect. The Phase 2 of the DITSCAP C&A process is known as Verification. Answer D is incorrect. The Phase 3 of the DITSCAP C&A process is known as Validation. Answer B is incorrect. The Phase 4 of the DITSCAP C&A process is known as Post Accreditation.NEW QUESTION 22In which of the following testing methodologies do assessors use all available documentation and work under no constraints, and attempt to circumvent the security features of an information system?  Full operational test  Penetration test  Paper test  Walk-through test A penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit. Answer C is incorrect. A paper test is the least complex test in the disaster recovery and business continuity testing approaches. In this test, the BCP/DRP plan documents are distributed to the appropriate managers and BCP/DRP team members for review, markup, and comment. This approach helps the auditor to ensure that the plan is complete and that all team members are familiar with their responsibilities within the plan. Answer D is incorrect. A walk-through test is an extension of the paper testing in the business continuity and disaster recovery process. In this testing methodology, appropriate managers and BCP/DRP team members discuss and walk through procedures of the plan. They also discuss the training needs, and clarification of critical plan elements. Answer A is incorrect. A full operational test includes all team members and participants in the disaster recovery and business continuity process. This full operation test involves the mobilization of personnel. It restores operations in the same manner as an outage or disaster would. The full operational test extends the preparedness test by including actual notification, mobilization of resources, processing of data, and utilization of backup media for restoration.NEW QUESTION 23Which of the following are examples of the application programming interface (API)? Each correct answer represents a complete solution. Choose three.  HTML  PHP  .NET  Perl Perl, .NET, and PHP are examples of the application programming interface (API). API is a set of routines, protocols, and tools that users can use to work with a component, application, or operating system. It consists of one or more DLLs that provide specific functionality. API helps in reducing the development time of applications by reducing application code. Most operating environments, such as MS-Windows, provide an API so that programmers can write applications consistent with the operating environment. Answer A is incorrect. HTML stands for Hypertext Markup Language. It is a set of markup symbols or codes used to create Web pages and define formatting specifications. The markup tells the Web browser how to display the content of the Web page.NEW QUESTION 24Which of the following coding practices are helpful in simplifying code? Each correct answer represents a complete solution. Choose all that apply.  Programmers should use multiple small and simple functions rather than a single complex function.  Software should avoid ambiguities and hidden assumptions, recursions, and GoTo statements.  Programmers should implement high-consequence functions in minimum required lines of code and follow proper coding standards.  Processes should have multiple entry and exit points. Explanation/Reference:Explanation: The various coding practices that are helpful in simplifying the code are as follows:Programmers should implement high-consequence functions in minimum required lines of code and follow the proper coding standards. Software should implement the functions that are defined in the software specification. Software should avoid ambiguities and hidden assumptions, recursion, and GoTo statements. Programmers should use multiple small and simple functions rather than a complex function.The processes should have only one entry point and minimum exit points. Interdependencies should be minimum so that a process module or component can be disabled when it is not needed, or replaced when it is found insecure or a better alternative is available, without disturbing the software operations.Programmers should use object-oriented techniques to keep the code simple and small. Some of the object-oriented techniques are object inheritance, encapsulation, and polymorphism. Answer: D is incorrect. Processes should have only one entry point and the minimum number of exit points.NEW QUESTION 25You work as a Security Manager for Tech Perfect Inc. You find that some applications have failed to encrypt network traffic while ensuring secure communications in the organization. Which of the following will you use to resolve the issue?  SCP  TLS  IPSec  HTTPS Explanation/Reference:Explanation: In order to resolve the issue, you should use TLS (Transport Layer Security). Transport Layer Security (TLS) is a cryptographic protocol that provides security and data integrity for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end. Several versions of the protocols are in wide-spread use in applications like web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP (VoIP). The TLS protocol, an application layer protocol, allows client/server applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. AnswerC is incorrect. Internet Protocol Security (IPSec) is a method of securing data. It secures traffic by using encryption and digital signing. It enhances the security of data as if an IPSec packet is captured, its contents cannot be read. IPSec also provides sender verification that ensures the certainty of the datagram’s origin to the receiver. Answer D is incorrect. Hypertext Transfer Protocol Secure (HTTPS) protocol is a protocol used in the Universal Resource Locater (URL) address line to connect to a secure site. If a site has been made secure by using the Secure Sockets Layer (SSL) then HTTPS, instead of HTTP protocol, should be used as a protocol type in the URL. Answer: A is incorrect. The SCP (secure copy) protocol is a network protocol that supports file transfers. The SCP protocol, which runs on port 22, is based on the BSD RCP protocol which is tunneled through the Secure Shell (SSH) protocol to provide encryption and authentication. SCP might not even be considered a protocol itself, but merely a combination of RCP and SSH. The RCP protocol performs the file transfer and the SSH protocol performs authentication and encryption. SCP protects the authenticity and confidentiality of the data in transit. It hinders the ability for packet sniffers to extract usable information from the data packets.NEW QUESTION 26John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. In order to do so, he performs the following steps of the pre-attack phase successfully: Information gathering Determination of network range Identification of active systems Location of open ports and applications Now, which of the following tasks should he perform next?  Perform OS fingerprinting on the We-are-secure network.  Map the network of We-are-secure Inc.  Install a backdoor to log in remotely on the We-are-secure server.  Fingerprint the services running on the we-are-secure network. John will perform OS fingerprinting on the We-are-secure network. Fingerprinting is the easiest way to detect the Operating System (OS) of a remote system. OS detection is important because, after knowing the target system’s OS, it becomes easier to hack into the system. The comparison of data packets that are sent by the target system is done by fingerprinting. The analysis of data packets gives the attacker a hint as to which operating system is being used by the remote system. There are two types of fingerprinting techniques as follows: 1.Active fingerprinting 2.Passive fingerprinting In active fingerprinting ICMP messages are sent to the target system and the response message of the target system shows which OS is being used by the remote system. In passive fingerprinting the number of hops reveals the OS of the remote system. Answer D and B are incorrect. John should perform OS fingerprinting first, after which it will be easy to identify which services are running on the network since there are many services that run only on a specific operating system. After performing OS fingerprinting, John should perform networking mapping. Answer C is incorrect. This is a pre-attack phase, and only after gathering all relevant knowledge of a network should John install a backdoor.NEW QUESTION 27You are the project manager for GHY Project and are working to create a risk response for a negative risk.You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you’re creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance?  Transference  Exploiting  Avoidance  Sharing Explanation/Reference:Explanation: This is an example of transference as you have transferred the risk to a third party.Transference almost always is done with a negative risk event and it usually requires a contractual relationship.NEW QUESTION 28An organization monitors the hard disks of its employees’ computers from time to time. Which policy does this pertain to?  Backup policy  User password policy  Privacy policy  Network security policy Monitoring the computer hard disks or e-mails of employees pertains to the privacy policy of an organization. Answer A is incorrect. The backup policy of a company is related to the backup of its data. Answer D is incorrect. The network security policy is related to the security of a company’s network. Answer B is incorrect. The user password policy is related to passwords that users provide to log on to the network.NEW QUESTION 29Which of the following persons in an organization is responsible for rejecting or accepting the residual risk for a system?  Information Systems Security Officer (ISSO)  Designated Approving Authority (DAA)  System Owner  Chief Information Security Officer (CISO) Explanation/Reference:Explanation: The authorizing official is the senior manager responsible for approving the working of the information system. He is responsible for the risks of operating the information system within a known environment through the security accreditation phase. In many organizations, the authorizing official is also referred as approving/accrediting authority (DAA) or the Principal Approving Authority (PAA). AnswerC is incorrect. The system owner has the responsibility of informing the key officials within the organization of the requirements for a security C&A of the information system. He makes the resources available, and provides the relevant documents to support the process. Answer: A is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information System Security Officer (ISSO) are as follows: Manages the security of the information system that is slated for Certification& Accreditation (C&A). Insures the information systems configuration with the agency’s information security policy. Supports the information system owner/information owner for the completion of security-related responsibilities. Takes part in the formal configuration management process. Prepares Certification & Accreditation (C&A) packages. AnswerD is incorrect. The CISO has the responsibility of carrying out the CIO’s FISMA responsibilities. He manages the information security program functions.NEW QUESTION 30Which of the following access control models are used in the commercial sector? Each correct answer represents a complete solution. Choose two.  Biba model  Clark-Biba model  Clark-Wilson model  Bell-LaPadula model Explanation/Reference:Explanation: The Biba and Clark-Wilson access control models are used in the commercial sector. The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject. The Clark-Wilson security model provides a foundation for specifying and analyzing an integrity policy for a computing system. Answer: D is incorrect. The Bell-LaPadula access control model is mainly used in military systems. Answer: B is incorrect. There is no such access control model as Clark-Biba.NEW QUESTION 31Which of the following are examples of passive attacks? Each correct answer represents a complete solution. Choose all that apply.  Dumpster diving  Placing a backdoor  Eavesdropping  Shoulder surfing In eavesdropping, dumpster diving, and shoulder surfing, the attacker violates the confidentiality of a system without affecting its state. Hence, they are considered passive attacks.NEW QUESTION 32SIMULATIONFill in the blank with an appropriate phrase. A is defined as any activity that has an effect on defining, designing, building, or executing a task, requirement, or procedure. technical effortExplanation/Reference:Explanation: A technical effort is described as any activity, which has an effect on defining, designing, building, or implementing a task, requirement, or procedure. The technical effort is an element of technical management that is required to progress efficiently and effectively from a business need to the deployment and operation of the system.NEW QUESTION 33Which of the following steps of the LeGrand Vulnerability-Oriented Risk Management method determines the necessary compliance offered by risk management practices and assessment of risk levels?  Assessment, monitoring, and assurance  Vulnerability management  Risk assessment  Adherence to security standards and policies for development and deployment Assessment, monitoring, and assurance determines the necessary compliance that are offered by risk management practices and assessment of risk levels.NEW QUESTION 34Which of the following approaches can be used to build a security program? Each correct answer represents a complete solution. Choose all that apply.  Right-Up Approach  Left-Up Approach  Top-Down Approach  Bottom-Up Approach Top-Down Approach is an approach to build a security program. The initiation, support, and direction come from the top management and work their way through middle management and then to staff members. It is treated as the best approach. This approach ensures that the senior management, who is ultimately responsible for protecting the company assets, is driving the program. Bottom-Up Approach is an approach to build a security program. The lower-end team comes up with a security control or a program without proper management support and direction. It is less effective and doomed to fail. Answer A and B are incorrect. No such types of approaches existNEW QUESTION 35Which of the following rated systems of the Orange book has mandatory protection of the TCB?  A-rated  B-rated  D-rated  C-rated A B-rated system of the orange book has mandatory protection of the trusted computing base (TCB). Trusted computing base (TCB) refers to hardware, software, controls, and processes that cause a computer system or network to be devoid of malicious software or hardware. Maintaining the trusted computing base (TCB) is essential for security policy to be implemented successfully.NEW QUESTION 36Joseph works as a Software Developer for WebTech Inc. He wants to protect the algorithms and the techniques of programming that he uses in developing an application. Which of the following laws are used to protect a part of software?  Code Security law  Patent laws  Trademark laws  Copyright laws Explanation/Reference:Explanation: Patent laws are used to protect the duplication of software. Software patents cover the algorithms and techniques that are used in creating the software. It does not cover the entire program of the software. Patents give the author the right to make and sell his product. The time of the patent of a product is limited though, i.e., the author of the product has the right to use the patent for only a specific length of time. Answer: D is incorrect. Copyright laws protect original works or creations of authorship including literary, dramatic, musical, artistic, and certain other intellectual works.NEW QUESTION 37Bill is the project manager of the JKH Project. He and the project team have identified a risk event in the project with a high probability of occurrence and the risk event has a high cost impact on the project. Bill discusses the risk event with Virginia, the primary project customer, and she decides that the requirements surrounding the risk event should be removed from the project. The removal of the requirements does affect the project scope, but it can release the project from the high risk exposure. What risk response has been enacted in this project?  Mitigation  Transference  Acceptance  Avoidance  Explanation:This is an example of the avoidance risk response. Because the project plan has been changed to avoid the risk event, so it is considered the avoidance risk response. Risk avoidance is a technique used for threats. It creates changes to the project management plan that are meant to either eliminate the risk completely or to protect the project objectives from its impact.Risk avoidance removes the risk event entirely either by adding additional steps to avoid the event or reducing the project scope requirements. It may seem the answer to all possible risks, but avoiding risks also means losing out on the potential gains that accepting (retaining) the risk might have allowed. is incorrect. Acceptance is when the stakeholders acknowledge the risk event and they accept that the event could happen and could have an impact on the project. Acceptance is usually used for risk events that have low risk exposure or risk events in which the project has no control, such as a pending law or weather threats. Answer A is incorrect. Mitigation is involved with the actions to reduce an included risk’s probability and/or impact on the project’s objectives. As the risk was removed from the project, this scenario describes avoidance, not mitigation. Answer B is incorrect. Transference is when the risk is still within the project, but the ownership and management of the risk event is transferred to a third party – usually for a fee.NEW QUESTION 38Digital rights management (DRM) consists of compliance and robustness rules. Which of the following features does the robustness rule have? Each correct answer represents a complete solution. Choose three.  It specifies the various levels of robustness that are needed for asset security.  It specifies minimum techniques for asset security.  It specifies the behaviors of the DRM implementation and applications accessing the implementation.  It contains assets, such as device key, content key, algorithm, and profiling data. Explanation/Reference:Explanation: The DRM (digital rights management) technology includes the following rules: 1.Compliance rule: This rule specifies the behaviors of the DRM implementation, and applications that are accessing the implementation. The compliance rule specifies the following elements: Definition of specific license rights Device requirements Revocation of license path or penalties when the implementation is not robust enough or noncompliant 2.Robustness rule: This rule has the following features: It specifies the various levels of robustness that are needed for asset security. It contains assets, such as device key, content key, algorithm, and profiling data. It specifies minimum techniques for asset security. Loading … Certification Training for CSSLP Exam Dumps Test Engine: https://www.exams4sures.com/ISC/CSSLP-practice-exam-dumps.html --------------------------------------------------- Images: https://free.exams4sures.com/wp-content/plugins/watu/loading.gif https://free.exams4sures.com/wp-content/plugins/watu/loading.gif --------------------------------------------------- --------------------------------------------------- Post date: 2022-03-19 21:57:21 Post date GMT: 2022-03-19 21:57:21 Post modified date: 2022-03-19 21:57:21 Post modified date GMT: 2022-03-19 21:57:21