At ValidExamDumps, we consistently monitor updates to the ISC2 CSSLP exam questions by ISC2. Whenever our team identifies changes in the exam questions, exam objectives, exam focus areas or exam requirements, we immediately update our exam questions for both PDF and online practice exams. This commitment ensures our customers always have access to the most current and accurate questions. By preparing with these actual questions, our customers can successfully pass the ISC2 Certified Secure Software Lifecycle Professional exam on their first attempt without needing additional materials or study guides.
Other certification materials providers often include questions that ISC2 has already removed or made outdated in their ISC2 CSSLP exam. These outdated questions lead to customers failing their ISC2 Certified Secure Software Lifecycle Professional exam. In contrast, we ensure our question bank includes only precise and up-to-date questions, guaranteeing their presence in your actual exam. Our main priority is your success in the ISC2 CSSLP exam, not profiting from selling obsolete exam questions in PDF or Online Practice Test form.
Part of your change management plan details what should happen in the change control system for your project. Theresa, a junior project manager, asks what the configuration management activities are for scope changes. You tell her that all of the following are valid configuration management activities except for which one?
Configuration item cost is not a valid activity for configuration management. Cost changes are managed by the cost change control system; configuration management is concerned with changes to the features and functions of the project deliverables.
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. In order to do so, he performs the following steps of the pre-attack phase successfully:
Information gathering
Determination of network range
Identification of active systems
Location of open ports and applications
Now, which of the following tasks should he perform next?
John will perform OS fingerprinting on the We-are-secure network. Fingerprinting is the easiest way to detect the Operating System (OS) of a remote system. OS detection is important because, after knowing the target system's OS, it becomes easier to hack into the system. Fingerprinting works by comparing the data packets that are sent by the target system. The analysis of these data packets gives the attacker a hint as to which operating system is being used by the remote system.
There are two types of fingerprinting techniques, as follows:
1. Active fingerprinting
2. Passive fingerprinting
In active fingerprinting, ICMP messages are sent to the target system, and the response message of the target system shows which OS is being used by the remote system. In passive fingerprinting, the number of hops reveals the OS of the remote system.
Answers D and B are incorrect. John should perform OS fingerprinting first, after which it will be easy to identify which services are running on the network, since many services run only on a specific operating system. After performing OS fingerprinting, John should perform network mapping.
Answer C is incorrect. This is a pre-attack phase, and only after gathering all relevant knowledge of a network should John install a backdoor.
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He has successfully performed the following steps of the pre-attack phase to check the security of the We-are-secure network:
Gathering information
Determining the network range
Identifying active systems
Now, he wants to find the open ports and applications running on the network. Which of the following tools will he use to accomplish his task?
In such a situation, John will use the SuperScan tool to find the open ports and applications on the We-are-secure network. SuperScan is a TCP/UDP port scanner. It also works as a ping sweeper and hostname resolver. It can ping a given range of IP addresses and resolve the host name of the remote system.
The features of SuperScan are as follows:
It scans any port range from a built-in list or any given range.
It performs ping scans and port scans using any IP range.
It modifies the port list and port descriptions using the built-in editor.
It connects to any discovered open port using user-specified 'helper' applications.
It has a transmission speed control utility.
Answers C, A, and B are incorrect. RIPE, ARIN, and APNIC are Regional Internet Registries (RIRs) that manage, distribute, and register public IP addresses within their respective regions. These can be used as passive tools by an attacker to determine the network range.
According to the NIST SAMATE, dynamic analysis tools operate by generating runtime vulnerability scenarios using certain functions. Which of the following are functions that are used by dynamic analysis tools and are summarized in the NIST SAMATE? Each correct answer represents a complete solution. Choose all that apply.
According to the NIST SAMATE, dynamic analysis tools operate by generating runtime vulnerability scenarios using the following functions:
Resource fault injection
Network fault injection
System fault injection
User interface fault injection
Design attack
Implementation attack
File corruption
Answer B is incorrect. This function is summarized for static analysis tools.
Which of the following ISO standards provides guidelines for accreditation of an organization that is concerned with certification and registration related to ISMS?
ISO 27006 is an information security standard developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is entitled 'Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems'. The ISO 27006 standard provides guidelines for accreditation of an organization that is concerned with certification and registration related to ISMS.
The ISO 27006 standard contains the following elements:
Scope
Normative references
Terms and definitions
Principles
General requirements
Structural requirements
Resource requirements
Information requirements
Process requirements
Management system requirements for certification bodies
Information security risk communication
Information security risk monitoring and review
Annex A. Defining the scope of process
Annex B. Asset valuation and impact assessment
Annex C. Examples of typical threats
Annex D. Vulnerabilities and vulnerability assessment methods
Annex E. Information security risk assessment (ISRA) approaches
Answer C is incorrect. The ISO 27003 standard provides guidelines for implementing an ISMS (Information Security Management System).
Answer D is incorrect. The ISO 27004 standard provides guidelines on the specification and use of measurement techniques for assessing the effectiveness of an implemented information security management system and its controls.
Answer B is incorrect. The ISO 27005 standard provides guidelines for information security risk management.