16.
Which of the following policies is MOST likely to include the
following requirement? “All software processing financial transactions
need to use more than one factor to verify the identity of the entity
requesting access”
- A.Authorization.
- B.Authentication.
- C.Auditing.
- D.Availability.
Answer : [B]
Explanation :
When two factors are used to validate an entity’s claim and/or credentials, it is referred to as two-factor authentication, and when more than two factors are used for authentication purposes, it is referred to as multi-factor authentication. It is important to determine first if there exists a need for two- or multi-factor authentication.
17.
A means of restricting access to objects based on the identity of subjects
and/or groups to which they belong, as mandated by the requested
resource owner is the definition of
- A.Non-discretionary Access Control (NDAC).
- B.Discretionary Access Control (DAC).
- C.Mandatory Access Control (MAC).
- D.Role-based Access Control.
Answer : [B]
Explanation :
Discretionary access control (DAC) is defined as “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.” The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. DAC restricts access to objects based on the identity of the subject and is distinctly characterized by the owner of the resource deciding who has access and their level of privileges or rights.
18.
Requirements which when implemented can help to build a history of
events that occurred in the software are known as
- A.authentication requirements.
- B.archiving requirements.
- C.accountability requirements.
- D.authorization requirements.
Answer : [C]
Explanation :
Accountability requirements are those that assist in building a historical record of user actions. Audit trails can help detect when an unauthorized user makes a change or an authorized user makes an unauthorized change, both of which are cases of integrity violations. Auditing requirements not only help with forensic investigations as a detective control but can also be used for troubleshooting errors and exceptions, if the actions of the software are tracked appropriately. When auditing is combined with identification, it provides for accountability.
19.
Which of the following is the PRIMARY reason for an application to
be susceptible to a Man-in-the-Middle (MITM) attack?
- A.Improper session management
- B.Lack of auditing
- C.Improper archiving
- D.Lack of encryption
Answer : [A]
Explanation :
Easily guessable and non-random session identifiers can be hijacked and replayed if not managed appropriately, and this can lead to MITM attacks.
20.
The process of eliciting concrete software security requirements from high level regulatory and organizational directives and mandates in
the requirements phase of the SDLC is also known as
- A.threat modeling.
- B.policy decomposition.
- C.subject-object modeling.
- D.misuse case generation.
Answer : [B]
Explanation :
The process of eliciting concrete software security requirements from high-level regulatory and organizational directives and mandates is referred to as policy decomposition. When the policy decomposition process completes, all the gleaned requirements must be measurable components.