CISSP PRACTICE QUESTIONS – 20210319

Effective CISSP Questions

You are conducting threat modeling and developing misuse cases. Which of the following is least likely to be treated as a misuse case?
A. A hacker types in SQL expressions in the login form.
B. A user uses relative paths to navigate between resources.
C. A developer creates a buggy API for system monitoring purposes.
D. A customer goes to a specific page of the product list by typing in the URL.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. A developer creates a buggy API for system monitoring purposes.

Use Cases and Misuse Cases
Use Cases and Misuse Cases (Source: https://en.wikipedia.org/wiki/Misuse_case)

Use Case

A use case describes one or more scenarios that denote how an actor (a user, agent, system, or other entity) interacts with the system. Use cases are best suited for communicating functional requirements from the user's perspective. They can be expressed in structured text or in diagrams. The title of a use case is typically written in the pattern Subject + Verb (+ Object), e.g., "a customer places orders."

Misuse Case

By contrast, misuse cases document threats to those functions, typically from the perspective of a malicious or inadvertent user. A developer builds functions, while a user uses them; neither a use case nor a misuse case documents the developer's building process or work.

To err is human, and it is not uncommon for a developer to ship an API with bugs. A developer creating a buggy API for system monitoring purposes is therefore a risk (a weakness that a threat might later exploit), but it is not a misuse case, because a misuse case describes an actor's steps in interacting with the system (events and responses), not how the system was built.

SQL Injection

It’s a typical misuse case that a hacker types in SQL expressions in the login form.

SQL injection (Source: PortSwigger)

Path/Directory Traversal

Path/directory traversal as an attack relies heavily on relative paths (sequences such as ../). The behaviour "a user uses relative paths to navigate between resources" is therefore an indicator of traversal, and it is treated as a misuse case: the attacker's interaction is what turns a path-handling weakness into an exploited vulnerability.

Source: Paul Ionescu

Web Parameter Tampering/Manipulation

Letting a customer reach a specific page of the product list by typing a page number into the URL hands the customer a parameter to tamper with, and it is poor design unless that parameter is validated. What if the user types in an invalid page number, say -1 or 65535? The legitimate version of this interaction is an ordinary use case, but the tampered version is a misuse case (web parameter tampering).
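The page-number tampering described above, as an added example (not code from the post). It assumes a constructed catalogue of 120 products shown 20 per page (pages 1 to 6) and a URL of the form `https://shop.example/products?page=N`, and compares a handler that trusts the parameter with one that rejects -1, 65535, non-numeric input and duplicated `page=` values:

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed catalogue for the example: 120 products, 20 per page, so pages 1..6.
TOTAL_PRODUCTS = 120
PAGE_SIZE = 20
LAST_PAGE = (TOTAL_PRODUCTS + PAGE_SIZE - 1) // PAGE_SIZE


def _page_values(url):
    # parse_qs returns every value given for the parameter, in order.
    return parse_qs(urlparse(url).query).get("page", ["1"])


def offset_unsafe(url):
    # Trusts the URL: int() happily accepts '-1' and '65535', and with two 'page='
    # values the handler silently uses the first one (another framework might use
    # the last, which is what parameter-pollution attacks rely on).
    page = int(_page_values(url)[0])
    return (page - 1) * PAGE_SIZE  # would go straight into SQL OFFSET


def offset_safe(url):
    values = _page_values(url)
    if len(values) != 1:
        raise ValueError("page parameter supplied more than once")
    raw = values[0]
    # Positive decimal digits only; the length cap stops absurdly large numbers
    # before int() is called. '-1', 'abc', '1.5' and '' all fail here.
    if not re.fullmatch(r"[0-9]{1,6}", raw):
        raise ValueError(f"page is not a positive integer: {raw!r}")
    page = int(raw)
    if not 1 <= page <= LAST_PAGE:
        raise ValueError(f"page {page} is out of range 1..{LAST_PAGE}")
    return (page - 1) * PAGE_SIZE


def demo():
    """Compare both parsers on constructed URLs (None = request rejected)."""
    results = {}
    for query in ["page=3", "page=-1", "page=65535", "page=abc", "page=1&page=-1", ""]:
        url = "https://shop.example/products?" + query
        out = []
        for fn in (offset_unsafe, offset_safe):
            try:
                out.append(fn(url))
            except ValueError:
                out.append(None)
        results[query] = tuple(out)
    return results


if __name__ == "__main__":
    for query, (unsafe, safe) in demo().items():
        print(f"?{query or '<none>'}: trusting -> {unsafe}, validated -> {safe}")
```

The trusting handler turns `page=-1` into a negative offset and `page=65535` into an offset far past the end of the table; whether that yields a database error, an empty page or wrong rows depends on the backend, which is exactly the uncertainty a misuse case is meant to surface. The validated handler answers every tampered value with a clean rejection and still serves the normal request.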


A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Question (translated from the Chinese version):

You are conducting threat modeling and developing misuse cases. Which of the following is least likely to be treated as a misuse case?
A. A hacker types SQL expressions into the login screen.
B. A user uses relative paths to switch between resources.
C. A developer creates an API for system monitoring purposes.
D. A customer types in a URL to go to a specific page of the product list.
