CarlsCloud™ Study Guide Series: CISSP Mock Exam Deep Dive: Questions 16-20 – Answers & Explanations!

Understanding the concepts that underpin these answers is crucial for mastering the CISSP domains and effectively applying cybersecurity principles in real-world scenarios. Let's dive in!

By Carl Ballenger, CISSP, CCSP

Welcome back, aspiring CISSP professionals!

In our previous posts, we challenged your knowledge with a set of CarlsCloud™ CISSP mock exam questions 16-20 focusing on crucial aspects of cybersecurity.

Now, it's time to reveal the answers and delve into the why behind them!

Question 16

Carla is conducting an assessment of an organization using the Software Assurance Maturity Model (SAMM).  She notes that the organization seems to have difficulty with defect management and will be reporting that finding.

Which business function of SAMM includes defect management?

A. Implementation

B. Governance

C. Verification

D. Operations

Explanation: The Software Assurance Maturity Model (SAMM) is an open framework designed to help organizations analyze and improve their software security posture.

While the sources used for this guide do not spell it out, SAMM groups Defect Management under the Implementation business function, alongside Secure Build and Secure Deployment. The broader work of building software and remediating the flaws found in it therefore aligns with Implementation, making A the correct answer.

Question 17

You are reviewing a suspicious entry in the logs of your web server and find a request to the URL: https://yourapplication.com/index.asp?name=Mike';%20DELETE%20*%20FROM%20accounts;%20--

What type of attack has been attempted?

A. SQL injection

B. Cross-site scripting (XSS)

C. Cross-site request forgery (CSRF)

D. Server-side request forgery (SSRF)

Explanation: The log entry shows an attempt to insert SQL commands directly into a web application's URL parameters (DELETE * FROM accounts; --).

This is a hallmark of a SQL injection attack. SQL injection attacks occur when an attacker provides "unexpected input to a web application to gain unauthorized access to an underlying database" or to "modify the back-end/server of the web application or execute harmful code".

The semicolon (;) is used to terminate the initial query and start a new, malicious one, while the double dash (--) is typically used to comment out the remainder of the original query, preventing it from interfering with the injected command.
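To make the mechanics concrete, here is an added example (not from the original post) that decodes the logged URL, shows what string concatenation would turn that parameter into, contrasts it with a parameterized query against an in-memory SQLite table, and flags the request with a simple log-triage check. The table, the `name` values and the helper names are all constructed for this illustration.

```python
import sqlite3
from urllib.parse import urlsplit, unquote

# Constructed: the request URL from the log entry discussed in Question 17.
LOGGED_URL = ("https://yourapplication.com/index.asp?name="
              "Mike';%20DELETE%20*%20FROM%20accounts;%20--")


def decode_name_param(url: str) -> str:
    """Percent-decode the first query parameter, as the application would see it."""
    _key, _sep, value = urlsplit(url).query.partition("=")
    return unquote(value)


def build_query_unsafe(name: str) -> str:
    """Vulnerable pattern: the raw parameter is pasted into the SQL text, so the
    attacker's quote closes the literal, ';' ends the query and '--' comments out
    whatever followed. Shown as a string only; never execute text built this way."""
    return f"SELECT id FROM accounts WHERE name = '{name}'"


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the value travels separately from the SQL text, so the
    whole input is compared as one string literal and no second statement exists."""
    return conn.execute("SELECT id FROM accounts WHERE name = ?", (name,)).fetchall()


def looks_like_sqli(param: str) -> bool:
    """Cheap log triage: a quote together with a statement separator or a comment
    marker is rarely legitimate in a name field and deserves an analyst's look."""
    return "'" in param and (";" in param or "--" in param)


def demo() -> dict:
    """Run the logged parameter through both paths and report what happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO accounts (name) VALUES (?)", [("Mike",), ("Carla",)])
    name = decode_name_param(LOGGED_URL)
    rows = lookup_safe(conn, name)                       # treated as a literal: no match
    remaining = conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]
    return {"decoded": name, "unsafe_sql": build_query_unsafe(name),
            "safe_rows": len(rows), "rows_remaining": remaining,
            "flagged": looks_like_sqli(name)}
```

Running `demo()` shows the decoded parameter already contains two statements and a comment, the parameterized lookup simply returns no rows, and both accounts survive.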

Question 18

You are working with the team developing a new web application and you would like to perform a test that evaluates whether the application is able to successfully handle malicious input that it receives through that interface.

Which one of the following activities would best meet this need?

A. Input validation

B. Parameterized queries

C. Stored procedures

D. Fuzz testing

Explanation: To evaluate how an application handles malicious input, fuzz testing (also known as fuzzing) is the most appropriate activity.

Fuzz testing is a specialized dynamic testing technique that "submits random, malformed data as inputs into software programs to determine if they will crash" or enter an "unpredictable state".

It "provides many different types of input to software to stress its limits and find previously undetected flaws".

While input validation, parameterized queries, and stored procedures are preventative secure coding practices designed to defend against malicious input like SQL injection, they are not testing methodologies themselves for discovering how an application behaves when it receives such input.
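The following added example (not part of the original post) shows the fuzzing idea end to end: a constructed query-string handler with a deliberate weakness, a small mutation fuzzer that feeds it malformed variants of a seed request and records every unhandled exception as a "crash", and the same handler after the findings are fixed, which the same corpus no longer crashes. All function names and the mutation list are constructed for this illustration.

```python
from urllib.parse import unquote


def parse_request(query: str) -> dict:
    """Constructed target: assumes every pair has '=' and that 'page' is numeric."""
    params = {}
    for pair in query.split("&"):
        key, value = pair.split("=")            # ValueError if '=' missing or repeated
        params[unquote(key)] = unquote(value)
    if "page" in params:
        params["page"] = int(params["page"])    # ValueError on non-numeric input
    return params


# Malformed fragments a fuzzer might inject: delimiters, encodings, SQL
# metacharacters, oversized and unusual strings.
MUTATIONS = ["", "=", "&", "%", "%00", "'", ";", "--", "\x00",
             "A" * 1000, "-1", "9" * 40, "\u202e"]


def mutate(seed: str):
    """Yield variants of the seed: insert each fragment at every position,
    and delete each character in turn. Deterministic, so runs are repeatable."""
    for i in range(len(seed) + 1):
        for fragment in MUTATIONS:
            yield seed[:i] + fragment + seed[i:]
        if i < len(seed):
            yield seed[:i] + seed[i + 1:]


def fuzz(target, seed: str) -> dict:
    """Run every variant through the target; group crashing inputs by exception."""
    crashes = {}
    for case in mutate(seed):
        try:
            target(case)
        except Exception as exc:            # an unhandled exception is a 'crash'
            crashes.setdefault(type(exc).__name__, []).append(case)
    return crashes


def parse_request_hardened(query: str) -> dict:
    """Same handler after fixing the findings: tolerate a missing '=' and
    validate 'page' instead of trusting it."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    page = params.get("page")
    if page is not None:
        params["page"] = int(page) if page.isdigit() else None
    return params
```

`fuzz(parse_request, "name=Mike&page=1")` returns the crashing inputs grouped under `ValueError`; `fuzz(parse_request_hardened, ...)` over the same seed returns an empty dict.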

Question 19

What is the primary goal of change management in an organization?

A. Reducing the likelihood of service disruptions

B. Communicating to all affected stakeholders

C. Creating an auditable record

D. Organizing the work associated with a change

Explanation: The primary goal of change management is to ensure that modifications to an environment are handled in a "formalized process" that ultimately reduces the likelihood of service disruptions or "unintended outages".

By requiring changes to be "requested, approved, tested, and documented," change management minimizes negative impacts on capabilities, functionality, and performance.

While communicating to stakeholders, creating auditable records, and organizing work are all important aspects and benefits of effective change management, the overarching objective is to maintain stability and prevent adverse effects on services.

Question 20

Vivek is the chief information security officer (CISO) for a large organization. She would like to conduct an assessment that will provide her with an accurate view of how an attacker might target her organization.

What type of assessment would best meet her needs?

A. Vulnerability assessment

B. External audit

C. Internal audit

D. Penetration test

Explanation: To gain an accurate view of how an attacker might target an organization, a penetration test is the most effective assessment type.

Penetration testing (often called ethical hacking) is an "authorized simulated attack" that "mimic[s] real-world attacks to identify methods for circumventing the security features of an application, system, or network".

This type of test actively "exploits vulnerabilities and gains access to a system," providing an attacker-centric view, especially when conducted as "black box testing" with zero prior knowledge, simulating an external attacker. In contrast, a vulnerability assessment identifies known flaws but doesn't attempt to exploit them, and internal or external audits primarily "test against a published standard" to ensure compliance or find flaws, rather than simulating active adversarial exploitation.

Did you enjoy CarlsCloud™ today and did I help you at all?

If so, buy me a coffee or just shoot me a note via LinkedIn to say thanks it would mean a lot!
