Which of the following could be considered the MOST significant security challenge when adopting DevOps practices compared to a more traditional control framework?
Correct Answer: B
In a DevOps environment, security and operations teams are often closely integrated with development teams, and there is typically a greater emphasis on automation, continuous integration, and rapid deployment. This can create significant challenges in maintaining traditional segregation of duties, which is a key principle in security frameworks designed to prevent fraud, errors, and abuse by ensuring that no single individual has control over both the development and deployment of code. In a traditional control framework, segregation of duties (e.g., developers not having direct access to production systems or operations) is easier to enforce because roles and responsibilities are clearly separated. However, in a DevOps environment, the lines between development, security, and operations are often blurred. Developers may have access to production systems or may be able to push code directly into production, making it more difficult to enforce traditional segregation of duties. This can lead to security risks if an attacker or insider is able to manipulate both development and production environments.
CISSP Exam Question 32
Which Hyper Text Markup Language 5 (HTML5) option presents a security challenge for network data leakage prevention and/or monitoring?
Correct Answer: B
WebSockets is an HTML5 option that presents a security challenge for network data leakage prevention and/or monitoring, as it enables a bidirectional, full-duplex communication channel between a web browser and a server. WebSockets can bypass the traditional HTTP request- response model and establish a persistent connection that can exchange data in real time. This can pose a risk of data leakage, as the data transmitted over WebSockets may not be inspected or filtered by the network security devices, such as firewalls, proxies, or data loss prevention systems. Cross Origin Resource Sharing (CORS), Document Object Model (DOM) trees, and Web Interface Definition Language (IDL) are not HTML5 options that present a security challenge for network data leakage prevention and/or monitoring, as they are not related to the communication channel between the web browser and the server.
CISSP Exam Question 33
Asymmetric algorithms are used for which of the following when using Secure Sockets Layer/Transport Layer Security (SSL/TLS) for implementing network security?
Correct Answer: A
Asymmetric algorithms are used for peer authentication when using Secure Sockets Layer/Transport Layer Security (SSL/TLS) for implementing network security. SSL/TLS is a protocol that provides secure communication over the internet by encrypting and authenticating the data and the parties involved. Asymmetric algorithms are cryptographic algorithms that use two different keys, a public key and a private key, for encryption and decryption. Asymmetric algorithms are used for peer authentication in SSL/TLS, which is the process of verifying the identity and trustworthiness of the client and the server. Peer authentication is done by exchanging digital certificates, which are electronic documents that contain the public key and other information of the owner, and are signed by a trusted third party, such as a certificate authority. The client and the server validate each other's certificates using asymmetric algorithms, and establish a secure connection if the certificates are valid.
CISSP Exam Question 34
Mandatory Access Controls (MAC) are based on:
Correct Answer: A
Mandatory Access Control (MAC) is a type of access control model where access to resources is based on the security classification of the data and the security clearance of the user. In a MAC system, access decisions are not made by the owner of the data (as in Discretionary Access Control, or DAC), but are determined by a central authority based on predefined policies. Key components of MAC include: Security classifications: This refers to the sensitivity level of data (e.g., confidential, secret, top secret). Security clearances: This refers to the level of authorization a user has to access data (e.g., public, confidential, secret). In MAC, access is determined by system-enforced policies, ensuring that users only access data for which they have appropriate clearance, regardless of their role or ownership of the data.
CISSP Exam Question 35
A developer begins employment with an information technology (IT) organization. On the first day, the developer works through the list of assigned projects and finds that some files within those projects aren't accessible, Other developers working on the same project have no trouble locating and working on the. What is the MOST likely explanation for the discrepancy in access?
Correct Answer: D
The most likely explanation for the discrepancy in access is that the new developer's user account was not assigned the appropriate roles that correspond to the access rights for the project files. Roles are a way of grouping users based on their functions or responsibilities within an organization, and they can simplify the administration of access control policies. If the new developer's user account was not associated with the right roles, he or she would not be able to access the files that other developers with the same roles can access.