“Defense in depth”, sometimes also known as layered defense, is one of the most important approaches to trustworthy secure system development. Which of the following is true?
A. It creates parallel barriers to prevent, delay, or deter an attack.
B. It achieves greater trustworthiness than the individual security components used.
C. It is an alternative to a balanced application of security concepts and design principles.
D. Its concepts are not the same as the security design principles of modularity and layering.
Monthly Archives: November 2020
Exploit and Attack
Threat Modeling
Threat modeling is a form of risk assessment that models aspects of the attack and defense sides of a particular logical entity, such as a piece of data, an application, a host, a system, or an environment.
A common form of threat modeling is software threat modeling, which is threat modeling performed during software design to reduce software vulnerabilities. There are many established methodologies for performing software threat modeling.
Another common form of threat modeling is known as system threat modeling, which is threat modeling performed for operational systems to improve their overall security. Compared to software threat modeling, system threat modeling tends to be largely informal and ad hoc.
Source: NIST SP 800-154 (draft)
CISSP PRACTICE QUESTIONS – 20201130
Alice develops a program and has permissions, {read, write, execute}, on it. Bob has no permissions on the program but can forcibly take Alice's permissions. Alice was surprised to find that Eve had executed the program, because Bob had granted Eve this permission without Alice's knowledge. Which of the following is the authorization mechanism the security kernel implements?
A. Mandatory access control
B. Discretionary access control
C. Role-based access control
D. Non-discretionary access control
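To make the scenario above concrete, here is an added example (not code from the original page) of a tiny access-matrix simulation with "take" and "grant" rights, in the style of the Take-Grant protection model. The subject and right names and the exact take/grant rules are assumptions made for this illustration. It replays the question: Alice owns the program, Bob holds a "take" right over Alice, and Eve ends up able to execute the program while Alice performs no action at all.

```python
# Added example (not from the original page): an access matrix with "take"
# and "grant" rights in the style of the Take-Grant protection model.
# Subject names, right names and the take/grant rules are assumptions.
from collections import defaultdict


class AccessMatrix:
    """Rights are held and passed on by the subjects themselves: whoever holds a
    right on an object (plus 'grant' on it) may hand it on, and whoever holds
    'take' over a subject may copy that subject's rights. No central policy
    or owner consent is consulted at any step."""

    def __init__(self):
        self.rights = defaultdict(set)   # (subject, object) -> set of rights
        self.log = []                    # record of who did what

    def add(self, subject, obj, *rights):
        self.rights[(subject, obj)].update(rights)

    def has(self, subject, obj, right) -> bool:
        return right in self.rights[(subject, obj)]

    def grant(self, granter, grantee, obj, right):
        """granter passes a right it holds on obj to grantee (needs 'grant' on obj)."""
        if not (self.has(granter, obj, right) and self.has(granter, obj, "grant")):
            raise PermissionError(f"{granter} cannot grant {right} on {obj}")
        self.add(grantee, obj, right)
        self.log.append(f"{granter} granted {right} on {obj} to {grantee}")

    def take(self, taker, victim, obj, right):
        """taker copies a right victim holds on obj (needs 'take' over victim)."""
        if not (self.has(taker, victim, "take") and self.has(victim, obj, right)):
            raise PermissionError(f"{taker} cannot take {right} on {obj} from {victim}")
        self.add(taker, obj, right)
        self.log.append(f"{taker} took {right} on {obj} from {victim}")


def scenario() -> AccessMatrix:
    """The question's situation: Alice owns the program, Bob can take Alice's
    rights, Bob then grants execute to Eve. Alice never acts."""
    m = AccessMatrix()
    m.add("alice", "program", "read", "write", "execute", "grant")   # owner's rights
    m.add("bob", "alice", "take")                                    # Bob's lever over Alice
    m.take("bob", "alice", "program", "execute")
    m.take("bob", "alice", "program", "grant")
    m.grant("bob", "eve", "program", "execute")
    return m


def is_refused(action) -> bool:
    """True if the zero-argument action raises PermissionError."""
    try:
        action()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    m = scenario()
    print("\n".join(m.log))
    print("eve can execute program:", m.has("eve", "program", "execute"))
    # Without 'take' over Alice, Bob gets nothing from her.
    m2 = AccessMatrix()
    m2.add("alice", "program", "execute", "grant")
    print("take refused without the take right:",
          is_refused(lambda: m2.take("bob", "alice", "program", "execute")))
```

The point to notice is in `scenario()`: every transfer is checked only against rights the acting subject already holds, so the propagation to Eve is legitimate under the matrix's own rules even though the owner was never consulted. A kernel that additionally compared security labels of subject and object on each access would not let Bob's grant alone decide the outcome.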
CISSP PRACTICE QUESTIONS – 20201129
A plethora of vulnerabilities is discovered after a vulnerability assessment is conducted against your company's official web site. You decide to implement continuous monitoring over the web server and automate the patching process. Which of the following is the best vehicle?
A. DevOps
B. Change control
C. Continuous deployment
D. Security Content Automation Protocol (SCAP)
Wentz on Risk Management
It's my pleasure that my interview in September was reported in one of the most influential magazines on project management and agile, run by its chief editor, Roger Chou, PgMP.
CISSP PRACTICE QUESTIONS – 20201128
Your company is developing an ERP system, owned by the head of the IT department, using Scrum. You are the product owner of the development of the material management module. Which of the following is the least of your concerns?
A. Refinement of the product backlog
B. Application for authorization to operate (ATO)
C. Trustworthiness of the product
D. User acceptance
CMM and CMMI
Software Engineering Institute (SEI), 1984
Software Engineering Institute (SEI) was established in 1984 at Carnegie Mellon University as a federally funded research and development center (FFRDC) dedicated to advancing the practice of software engineering and improving the quality of systems that depend on software. (JUNE 21, 2000 • SEI PRESS RELEASE)
The Effective CISSP: Security and Risk Management
The CISSP exam tests not only your technical foundation but also your management concepts. Many CISSP aspirants fail in Domains 1, 2, 6, or 7. This can be an indicator that they have not connected the dots between information security governance, risk management, strategic management, project/program management, business continuity, and so on.
My book, The Effective CISSP: Security and Risk Management, introduces those concepts that can help you build a solid foundation of information security from the perspective of information systems, business processes, and the organization.
If you have just started your CISSP or CISM (yes, CISM) journey, lost in the jungle of knowledge, or even failed in any of the domains mentioned above, The Effective CISSP: Security and Risk Management will make it straight.
Click the following book to get a copy to kill the beast!
CISSP PRACTICE QUESTIONS – 20201127
You started a software house two years ago that builds and implements custom software solutions for clients. As there was no organizational project management standard or unified set of processes, your company relied on senior project managers who managed projects and delivered software to clients based on their own approaches and experience. Which of the following is the maturity level that best describes your company in terms of CMMI?
A. Initial
B. Repeatable
C. Managed
D. Defined
CISSP PRACTICE QUESTIONS – 20201126
Which of the following is not a software testing technique that emphasizes using unexpected, malformed, or random data as program inputs to crash the program or make it behave unexpectedly?
A. Fuzz testing
B. Synthetic transaction
C. Random testing
D. Monkey testing
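To show what the "unexpected, malformed, random data" in the question looks like in practice, here is an added example (not code from the original page): a minimal mutation fuzzer run against a deliberately buggy toy record parser and then against a hardened version of the same parser. The wire format, both parsers, the mutation operators and the seed input are all constructed for this illustration.

```python
# Added example (not from the original page): a minimal mutation fuzzer
# against a deliberately buggy toy parser, then against a hardened one.
# The format, parsers, mutators and seed are constructed for illustration.
import random
import struct

# Toy wire format: 1-byte type, 2-byte big-endian length, payload, 1-byte XOR checksum.
TYPES = {0: "ping", 1: "data", 2: "close"}


def xor_checksum(payload: bytes) -> int:
    chk = 0
    for b in payload:
        chk ^= b
    return chk


def build_record(rtype: int, payload: bytes) -> bytes:
    """Build a well-formed record; used to make the fuzzer's seed input."""
    return bytes([rtype]) + struct.pack(">H", len(payload)) + payload + bytes([xor_checksum(payload)])


def parse_record_buggy(buf: bytes):
    """Deliberately buggy parser. It rejects obvious garbage with ValueError
    (a controlled failure) but trusts two fields it should validate:
      * the declared length is used to index the checksum byte, so a buffer
        shorter than the header claims raises IndexError
      * the type byte is looked up without validation, so an unknown type
        raises KeyError"""
    if len(buf) < 4:
        raise ValueError("truncated header")
    rtype = buf[0]
    (length,) = struct.unpack(">H", buf[1:3])
    payload = buf[3:3 + length]
    expected = buf[3 + length]            # bug: trusts the length field
    if xor_checksum(payload) != expected:
        raise ValueError("bad checksum")
    return TYPES[rtype], payload          # bug: trusts the type byte


def parse_record_hardened(buf: bytes):
    """Same format, every field validated before use; only ValueError escapes."""
    if len(buf) < 4:
        raise ValueError("truncated header")
    rtype = buf[0]
    if rtype not in TYPES:
        raise ValueError("unknown record type")
    (length,) = struct.unpack(">H", buf[1:3])
    if len(buf) != 4 + length:
        raise ValueError("length field does not match buffer")
    payload = buf[3:3 + length]
    if xor_checksum(payload) != buf[3 + length]:
        raise ValueError("bad checksum")
    return TYPES[rtype], payload


def mutate(rng: random.Random, seed: bytes) -> bytes:
    """Apply one to four random mutations: bit flip, byte overwrite, truncate, append junk."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == 1 and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 2 and len(data) > 1:
            del data[rng.randrange(1, len(data)):]
        else:
            data += bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to parser. ValueError is the parser saying 'no' and
    is fine; any other exception is a crash. Returns {exception name: first reproducer}."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng, seed)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


SEED = build_record(1, b"hello")        # constructed seed: one valid "data" record

if __name__ == "__main__":
    for name, parser in (("buggy", parse_record_buggy), ("hardened", parse_record_hardened)):
        found = fuzz(parser, SEED)
        print(f"{name}: {len(found)} crash classes", {k: v.hex() for k, v in found.items()})
```

The harness keeps the first input that triggers each new exception class, which is the minimal triage a real fuzzer performs: a reproducer per distinct failure, not a pile of identical crashes. The hardened parser fails only ever with its own ValueError, which is what "graceful rejection of malformed input" means in practice.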