CISSP Official Practice Tests by Mike Chapple, David Seidl

396 Appendix ■ Answers


  31. A. Black box testing begins with no prior knowledge of the system implementation,
    simulating a user perspective. White box and gray box testing provide full and partial
    knowledge of the system, respectively, in advance of the test. Blue boxes are a phone
    hacking tool and are not used in software testing.

  1. B. In this example, the two SQL commands are indeed bundled in a transaction, but it
    is not an error to issue an update command that does not match any rows. Therefore,
    the first command would “succeed” in updating zero rows and not generate an error or
    cause the transaction to roll back. The second command would then execute, reducing the
    balance of the second account by $250.
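The following is an added illustration of this answer and is not taken from the book; it assumes a constructed two-account ledger in SQLite, with a credit to a non-existent account followed by a $250 debit, and contrasts the unchecked transaction with one that rolls back when a statement matches zero rows.

```python
import sqlite3

# Constructed sample data: the book's question is not reproduced on the page,
# so this schema and the account identifiers are assumptions made here.
SEED_ROWS = [("A-1", 1000), ("A-2", 1000)]


def make_db():
    """In-memory ledger; isolation_level=None so transactions are managed explicitly."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SEED_ROWS)
    return conn


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def transfer_naive(conn, src, dst, amount):
    """Two UPDATEs in one transaction with no row-count check: the behaviour the answer describes."""
    cur = conn.cursor()
    cur.execute("BEGIN")
    cur.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
    credited = cur.rowcount  # 0 when dst does not exist; no exception, so no rollback
    cur.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
    cur.execute("COMMIT")    # the debit is committed even though the credit matched no row
    return credited, balances(conn)


def transfer_checked(conn, src, dst, amount):
    """Same transfer, but any statement that does not touch exactly one row aborts it."""
    cur = conn.cursor()
    cur.execute("BEGIN")
    try:
        for sql, params in (
            ("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst)),
            ("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src)),
        ):
            cur.execute(sql, params)
            if cur.rowcount != 1:
                raise ValueError(f"expected 1 row, matched {cur.rowcount} for {params[1]}")
        cur.execute("COMMIT")
    except Exception:
        cur.execute("ROLLBACK")  # undo the partial transfer and surface the error
        raise
    return balances(conn)
```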

  2. D. Worms have built-in propagation mechanisms that do not require user interaction,
    such as scanning for systems containing known vulnerabilities and then exploiting those
    vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction
    to spread. Logic bombs do not spread from system to system but lie in wait until certain
    conditions are met, triggering the delivery of their payload.

  3. C. A fail open configuration may be appropriate in this case. In this configuration, the
    firewall would continue to pass traffic without inspection while it is restarting. This would
    minimize downtime, and the traffic would still be protected by the other security controls
    described in the scenario. Failover devices and high availability clusters would indeed
    increase availability, but at potentially significant expense. Redundant disks would not
    help in this scenario because no disk failure is described.

  4. D. An inference problem occurs when an attacker can pull together pieces of less sensitive
    information and use them to derive information of greater sensitivity. Aggregation is a
    security issue that arises when a collection of facts has a higher classification than the
    classification of any of those facts standing alone. SQL injection is a web application
    exploit. Multilevel security is a system control that allows the simultaneous processing of
    information at different classification levels.

  5. B. Polymorphic viruses mutate each time they infect a system by making adjustments to
    their code that assist them in evading signature detection mechanisms. Encrypted viruses
    also mutate from infection to infection but do so by encrypting themselves with different
    keys on each device.

  6. A. The message forum is clearly susceptible to a cross-site scripting (XSS) attack. The
    code that Linda discovered in the message is a definitive example of an attempt to conduct
    cross-site scripting, and the alert box that she received demonstrates that the vulnerability
    exists. The website may also be vulnerable to cross-site request forgery, SQL injection,
    improper authentication, and other attacks, but there is no evidence of this provided in the
    scenario.

  7. A. The script that Linda discovered merely pops up a message on a user’s screen and
    performs no further malicious action. This type of script, using an alert() call, is
    commonly used to probe websites for cross-site scripting vulnerabilities.
