Eberly Center Eberly: (412) 268-2896 4765 Forbes AvenueTepper Quad, Suite 1310Pittsburgh, PA 15213 Contact Us
This chapter provides sample questions [with answers and explanations] to help you prepare for the CISSP exam. The Application Security domain is concerned with the security controls used by applications during their design, development, and use. Individuals studying this domain should understand the security and controls of application security, which includes the systems development process, application controls, and knowledge-based systems. Test candidates should also understand the concepts used to ensure data and application integrity. The following list gives you some specific areas of knowledge to be familiar with for the CISSP exam: Which of the following is not a valid database management system model?
During which stage of the system’s development life cycle should security be implemented?
In which system development life cycle phase do the programmers and developers become deeply involved and do the majority of the work?
In the system development life cycle, what is used to maintain changes to development or production?
What is the most-used type of database management system?
Place the system development life cycle phases in the proper order.
Which of the following statements about Java applets is correct?
Which of the following is a valid system development methodology?
Which of the following best describes the Waterfall model?
Your friend is trying to learn more about databases and their structure. She wants to know what a tuple is.
Which of the system development life cycle phases is the point at which new systems need to be configured and steps need to be taken to make sure that security features are being used in the intended way?
Your CISSP study group has asked you to research information about databases. Specifically, they want you to describe what metadata is. What is your response?
Jamie, your assistant, is taking some classes on database controls and security features. She wants to know what aggregation is. How will you answer her?
What term describes users’ ability to infer or deduce information about data at sensitivity levels for which they do not have access privileges or rights?
Which of the following best describes a database schema?
Which type of malware is considered self-replicating?
Ashwin is building your company’s new data warehouse. In a meeting, he said, “Data in the data warehouse needs to be normalized.” What does this mean?
Which of the following best describes the term “data dictionary”?
Which of the following best describes data mining?
Jerry has top-secret access to a database and can see that the USS Yorktown has left for Iraq. Ted has only public access to the same database. He can see that the ship has left port. However, the record shows that it is bound for Spain. What is this called?
Which of the system development life cycle phases is the point at which a project plan is developed, test schedules are assigned, and expectations of the product are outlined?
Data checks and validity checks are examples of what type of application controls?
Which of the following is not a valid form of application control?
What document guarantees the quality of a service to a subscriber by a network service provider, setting standards on response times, available bandwidth, and system up times?
Which of the following is not one of the three main components of a SQL database?
Cyclic redundancy checks, structured walk-throughs, and hash totals are examples of what type of application controls?
Christine has been alerted by her IDS that a web server on her network was attacked. While examining a trace of the ICMP traffic, she noticed that the attacker’s packets were addressed to the network broadcast address and were spoofed to be from her web server. What type of attack has she been subjected to?
Which of the following best describes the OS protection mechanism that mediates all access that subjects have to objects to ensure that the subjects have the necessary rights to access the objects?
Which of the following describes mobile code?
Black Hat Bob has just attacked Widget, Inc.’s network. Although the attack he perpetrated did not give him access to the company’s network, it did prevent legitimate users from gaining access to network resources. What type of attack did he launch?
Java-enabled web browsers allow Java code to be embedded in a web page, downloaded across the Net, and run on a local computer. This makes the security of the local computer a big concern. With this in mind, how does the Java runtime system ensure secure execution of the Java code?
Chandra wants to learn more about the Software Capability Maturity Model. Help her put the five levels of this model in the proper order, from 1 to 5.
Which of the following Software CMM levels is the step at which project management processes and practices are institutionalized and locked into place by policies, procedures, and guidelines?
Which of the following technologies establishes a trust relationship between the client and the server by using digital certificates to guarantee that the server is trusted?
What is the process of cataloging all versions of a component configuration called?
Which of the following best describes a covert storage channel?
Which of the following is not one of the three ways in which inference can be achieved?
Raj has been studying database security features. He reads that two control policies are used to protect relational databases. He remembers that one is MAC, but he has forgotten the second one. Which one is it?
Boyd just downloaded a game from a peer-to-peer network. Although the game seemed to install OK, his computer now is acting strangely. The mouse cursor moves by itself, URLs are opening on their own, and his web camera keeps turning itself on. What has happened?
What is the goal of CRM?
What technology is based on the methods by which the human brain is believed to work?
Now that your organization is preparing to retire its mainframe systems, you have been asked to look at a distributed system as the replacement. What five requirements should a distributed system meet?
George receives an email that did not come from the individual listed in the email. What is the process of changing email message names to look as though they came from someone else?
Raj is still studying database design and security. Can you tell him what cardinality means?
Wes asks you to help him prepare a practice test for your CISSP study group. Can you tell him which of the following relationships is incorrect?
Joey has been reading about databases and application security. He has asked you to define perturbation for him. Which of the following offers the best answer?
SubSeven and NetBus typically are placed in which of the following categories?
Jennifer’s network has been hit by the following attack pattern: The attacker made many connection attempts to FTP. Each time, the handshake was not completed, and the source addresses were spoofed. The result was that legitimate users could not FTP to that computer. Which type of attack does this attack pattern match?
What is the point in the system development life cycle phase at which information may need to be archived or discarded and a team may be assembled to examine ways to improve subsequent iterations of this or other products?
Which type of virus can spread by multiple methods?
Polyinstantiation is a solution used by which of the following to remedy multiparty update conflicts?
The following security labels exist on a network operating in a multilevel security mode:
Jack edits file B and file C simultaneously and then saves both. Which files can John now access?
Which generation of code development is most likely to focus on constraints?
The network administrator has been analyzing network reports and is convinced that the network has been the victim of a SYN flooding DoS attack. What evidence might have been discovered that would support this conclusion?
Which language, when used for development of your company’s front-end application, results in a program that is least likely to have vulnerable code?
In your corporation, it is critical that the metadata surrounding business data be revealed to only the proper authorities, even though all employees require access to the business data. Access to the metadata is being controlled through the use of views so that only the appropriate authorities have deeper access. What is this technique called?
To prevent covert channels via race conditions, it is critical that software modules be able to execute independently of each other. What is this called?
Expert systems use forward and reverse chaining that is based on what?
What is the most common problem related to audit logs?
When you’re dealing with mobile code and wireless devices, many security issues can arise. For example, when you’re working with wireless devices that are using Wireless Application Protocol [WAP], which of the following is the primary security concern?
Which generation[s] of code is/are most likely to focus on the logic of the algorithms?
Which type of database combines related records and fields into a logical tree structure?
What type of database is unique because it can have multiple records that can be either parent or child?
Your colleague wants to know when is the best point within the system development life cycle [SDLC] to create a list of potential security issues. What do you tell her?
Which of the following are correct?
How can referential integrity best be defined?
Lenny is trying to determine how much money a new employee makes. His job in HR allows him to see total payroll by department but not by person. The individual he is curious about just started a month ago, so Lenny simply compares that department’s previous month’s total salary to the current month’s total salary. What has Lenny just done?
While browsing the company directory, you notice that your address is incorrect. To rectify the situation, you decide to modify the database that holds this information. Although the change seems to work, you notice later that the information has reverted to the previous, incorrect information. What do you believe is the source of the problem?
Knowledge discovery is also known what?
Which of the following statements are true?
Jim’s new job at the headquarters of a major grocery store has him examining buyer trends. He uses the database to find a relationship between beer and diapers. He discovers that men over 20 are the primary buyers of these two items together after 10 p.m. What best describes Jim’s actions?
Your application developer has created a new module for a customer-tracking system. This module will result in greater productivity. The application has been examined and tested by a second person in the development group. A summary of the test shows no problems. Based on the results, which of the following is not a recommended best practice?
Which of the following describes verification and validation?
You have been assigned to modify an application to address a specific problem with the current release of the program. When the change is complete, you notice that other modules that should not have been affected appear to be nonfunctional. What do you believe is the cause?
Jake has become concerned that a citizen programmer in the group has developed code for others in the department. What should be your primary concern?
Which of the following statements is most correct?
What level of the capability maturity model features quantitative process improvement?
Your company has just signed a software escrow agreement. Which of the following best describes this document?
With regard to database operations, canceling a set of changes and restoring the database to its prior state is called what?
The capability maturity model features five maturity levels that begin with initial. What is the proper order of the remaining four levels?
Data that describes other data is called what?
In which database model do you perceive the database as a set of tables that are composed of rows and columns?
With a relational database management system, you can constrain what a particular application or user sees by using what?
Security controls must be considered at which phases of the system life cycle?
The change control process is structured so that various steps must be completed to verify that no undocumented, unapproved, or untested changes are implemented. Which of the following is the final step?
You have been asked to develop an advanced program that will interact with users. You have been asked to look at knowledge-based systems. As such, expert systems use what type of information to make a decision?
Which of the following is considered a middleware technology?
The CMMI contains how many process areas? At which level of the CMM are processes likely to be variable [inconsistent] and depend heavily on institutional knowledge?
When dealing with expert systems, which of the following are valid methods for reasoning when using inference rules?
Starving is when activities in a stage must stop because there is no work. Throughput rate of a production process is the amount of time a unit spends actually being worked on. Efficiency of a production process is the ratio of the actual output of a process to some standards. Starving. The activities in a stage must stop because there is no work. Bottleneck. A resource that limits the capacity or maximum output of the process. |