CSSLP questions and answers latest 2023

CSSLP questions and answers latest 2023*-property Pronounced "star property," this aspect of the Bell-LaPadula security model is commonly referred to as the "no-write-down" rule because it doesn't allow a user to write to a file with a lower security classification, thus preserving confidentiality. 3DES Triple DES encryption—three rounds of DES encryption used to improve security. 802.11 A family of standards that describe network protocols for wireless devices. 802.1X An IEEE standard for performing authentication over networks. abuse case A use case built around a work process designed to abuse a normal work process. acceptance testing The formal analysis that is done to determine whether a system or software product satisfies its acceptance criteria. AUP acceptable use policy (AUP): A policy that communicates to users what specific uses of computer resources are permitted. access A subject's ability to perform specific operations on an object, such as a file. Typical access levels include read, write, execute, and delete. access control Mechanisms or methods used to determine what access permissions subjects (such as users) have for specific objects (such as files). ACL access control list (ACL): A list associated with an object (such as a file) that identifies what level of access each subject (such as a user) has—what they can do to the object (such as read, write, or execute). Active Directory The directory service portion of the Windows operating system that stores information about network-based entities (such as applications, files, printers, and people) and provides a structured, consistent way to name, describe, locate, access, and manage these resources. ActiveX A Microsoft technology that facilitates rich Internet applications and, therefore, extends and enhances the functionality of Microsoft Internet Explorer. Like Java, ActiveX enables the development of interactive content. When an ActiveX-aware browser encounters a webpage that includes an unsupported feature, it can automatically install the appropriate application so the feature can be used. ARP - Address Resolution Protocol (ARP) : A protocol in the TCP/IP suite specification used to map an IP address to a Media Access Control (MAC) address. adware Advertising-supported software that automatically plays, displays, or downloads advertisements after the software is installed or while the application is being used. algorithm A step-by-step procedure—typically an established computation for solving a problem within a set number of steps. alpha testing This is a form of end-to-end testing done prior to product delivery to determine operational and functional issues. ALE annualized loss expectancy (ALE) : How much an event is expected to cost the business per year, given the dollar cost of the loss and how often it is likely to occur. ALE = single loss expectancy * annualized rate of occurrence. ARO annualized rate of occurrence (ARO) : The frequency with which an event is expected to occur on an annualized basis. anomaly Something that does not fit into an expected pattern. application A program or group of programs designed to provide specific user functions, such as a word processor or web server. asset Resources and information an organization needs to conduct its business. asymmetric encryption Also called public key cryptography, this is a system for encrypting data that uses two mathematically derived keys to encrypt and decrypt a message—a public key, available to everyone, and a private key, available only to the owner of the key. attack An action taken against a vulnerability to exploit a system. Attack Surface Analyzer A product from Microsoft designed to enumerate the elements of a system that are subject to attack. attack surface evaluation An examination of the elements of a system that are subject to attack and mitigations that can be applied. attack surface measurement A measurement of the relative number of attack points in the system throughout the development process. attack surface minimization The processes used to minimize the number of attackable elements in a system. attack tree A graphical method of examining the required elements to successfully prosecute an attack. audit trail A set of records or events, generally organized chronologically, that record what activity has occurred on a system. These records (often computer files) are often used in an attempt to re-create what took place when a security incident occurred, and they can also be used to detect possible intruders. auditing Actions or processes used to verify the assigned privileges and rights of a user, or any capabilities used to create and maintain a record showing who accessed a particular system and what actions they performed. authentication The process by which a subject's (such as a user's) identity is verified. AAA authentication, authorization, and accounting (AAA) Three common functions performed upon system login. Authentication and authorization almost always occur, with accounting being somewhat less common. AH Authentication Header (AH): A portion of the IPsec security protocol that provides authentication services and replay-detection ability. AH can be used either by itself or with Encapsulating Security Payload (ESP). Refer to RFC 2402. availability Part of the "CIA" of security. Availability applies to hardware, software, and data, specifically meaning that each of these should be present and accessible when the subject (the user) wants to access or use them. backdoor A hidden method used to gain access to a computer system, network, or application. Often used by software developers to ensure unrestricted access to the systems they create. Synonymous with trapdoor. backup Refers to copying and storing data in a secondary location, separate from the original, to preserve the data in the event that the original is lost, corrupted, or destroyed. baseline A system or software as it is built and functioning at a specific point in time. Serves as a foundation for comparison or measurement, providing the necessary visibility to control change.