CISSP PRACTICE QUESTIONS – 20200902

Effective CISSP Questions

Content providers typically employ the content distribution network (CDN), a collection of proxy servers distributed geographically, to accelerate downloads of files, images, streaming media, scripts, etc. As a website author, which of the following best addresses security concerns?
A. User analytics for behavioral targeting
B. Cookies for data tracking
C. Hashes for subresource Integrity
D. Scripts for cross-origin access


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Hashes for subresource Integrity.

CDNs are applied in various areas. Caching contents of a web site for availability and performance is one of the most common applications of CDN. Images and JavaScript are the most often cached objects in CDNs. However, JavaScript typically causes security issues.

JavaScript Security Concerns

A web author or developer may employ open-source, free JavaScripts available on public CDNs. For example, Bootstrap, jQuery, Angular, just name a few. Some of them can be planted with malicious or problematic scripts. The integrity of those JavaScript is a significant concern o security.

Tracking, Sending, Analyzing, and Marketing

A malicious JavaScript can be included as part of a web site and downloaded into the client-side or web browser. Cookies can be used to track user behavior; a JavaScript can send those data to a remote data collector, not the web site or origin it is downloaded. The data collector can analyze the data to get more valuable information or intelligence for marketing use.

SubResource Integrity (SRI) as Countermeasure

For example, the official jQuery web site advises the hash code of jQuery 3.5.1 is “9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=” if a web author decides to use the copy from a CDN, the hash code should be specified as follows:

<script
  src="https://code.jquery.com/jquery-3.5.1.min.js"
  integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0="
  crossorigin="anonymous">
</script>

Same-Origin and Cross-Origin

A JavaScript is download to the browser from a web site as the origin. It is the same-origin policy that prohibits the javaScript from connecting to other web sites except for the origin (the web site it is downloaded). The same-origin policy is respected and implemented by most of the mainstream browsers, e.g., Chrome, Edge, Firefox, Safari, etc.

However, JavaScript can use other techniques to bypass the same-origin policy to achieve cross-origin communication. That is, a malicious JavaScript from a web site can collect the user data and submit those data to other remote web sites. Cross-origin resource sharing (CORS) is a mechanism to do so.

Cross-border Transfer

Cross-border (PII transfer) is a concern different from cross-origin (JavaScript access). When it comes to personal data and compliance (e.g., GDPR), enterprises should be aware of the personal data is replicated to another country when implementing CDN.

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

內容提供商通常使用內容分發網絡(CDN),這是地理上分佈的代理服務器的集合,以加快文件,圖像,流媒體,腳本等的下載。作為網站作者,以下哪種方法可以最好地解決安全性問題?
A. 行為定位的用戶分析 (User analytics for behavioral targeting)
B. 用於數據跟踪的Cookies (Cookies for data tracking)
C. 子資源完整性哈希 (Hashes for subresource Integrity)
D. 跨域訪問腳本 (Scripts for cross-origin access)

2 thoughts on “CISSP PRACTICE QUESTIONS – 20200902

  1. I eliminated answer A and B based on thoughts below:
    A. User analytics for behavioral targeting (sounds like a concern for the host, not website auother’s concern)
    B. Cookies for data tracking (user’s concern, not website author’s concern)

    Now I am left with answer C and D, in which C sounds more like a author’s concern to me, plus I am not too clear on cross-origin in answer D before reading your explaination.
    C. Hashes for subresource Integrity
    D. Scripts for cross-origin access (more an availability related concern …?)

    Thank you!

    • Yes, a web author should include hashes for subresource Integrity to avoid incorporating malicious scripts downloaded from the CDN.
      Scripts downloaded from the CDN are limited to the same-origin policy by default. Scripts can work for cross-origin access are designed either on purpose or maliciously. A web author is typically not the developer who uploads scripts to the CDN.

Leave a Reply