Free CCOA Practice Quiz
Let's get started!
This free practice quiz includes questions from ISACA®'s test prep solutions that are at the same level of difficulty you can expect on ISACA's official Certified Cybersecurity Operations Analyst™ (CCOA™) exam.
Upon completion of the practice quiz, please fill out and submit the form to view your results.
An attribute-based access control (ABAC) is an example of a:
- role-based access control (RBAC).
  A role-based access control (RBAC) is a mandatory access control (MAC) where access is restricted based on individual users' roles within an enterprise. Attribute-based access control (ABAC) is not based on what users do in their roles.
- rule-based access control (RuBAC).
  A rule-based access control (RuBAC) is used to manage access to locations, databases, and devices according to a set of predetermined rules and permissions that do not account for the individual's role within the organization or the user's location and department.
- mandatory control.
  ABAC is a mandatory access control (MAC) where users are authorized based on location, department, etc., and not by job role.
- non-discretionary access control (NDAC).
  Non-discretionary access is often role-based and cannot be attribute-based.

An attacker entered a query code in the input field of a web application that displayed data from the database. Which of the following controls could have BEST protected the organization from this attack?
- Implementing a web application firewall to detect and block the attacker
  A web application firewall may have helped in detecting the attack, but the application would still be vulnerable because its input was not validated.
- Performing periodic vulnerability scanning of the application for known vulnerabilities
  Periodic scanning of the application would have helped in detecting vulnerabilities, but validating input data would be better.
- Integrating application security testing before deploying the application
  Integrated application security testing would have helped in detecting vulnerabilities during the testing phase, which could then have been fixed by coding for input validation.
- Validating input data before processing, as per secure coding practices
  The attacker was successful in injecting query code because the input was processed directly without validation. This could have been prevented by validating the input and not processing it unless it is valid.

Which of the following is a PRIMARY characteristic of red team penetration testing?
- Use of social engineering techniques
  While red teaming may involve social engineering techniques, it is not a primary characteristic because other techniques, such as chaining exploits across multiple systems, elevated access, and impersonating internal staff, are also used.
- Focus on validating compliance requirements
  Validating compliance requirements may be a part of the testing, but it is not the primary focus.
- Limited scope of the assessment
  Red teaming typically has a broader scope compared to limited-scope assessments.
- Mutually agreed-upon directives with the organization
  Red team, or adversarial, penetration testing often involves a mutually agreed-upon approach with the organization being tested. This specifies the goals and limitations under which the red team will be engaged.

The PRIMARY goal of a post-incident review is to:
- gather evidence for subsequent legal action.
  Forensic evidence should have been gathered earlier in the process.
- identify individuals who failed to take appropriate action.
  A post-incident review should not focus on finding and punishing individuals who did not take appropriate action, or on learning the identity of the attacker.
- prepare a report on the incident for management.
  Although a post-incident review can be used to prepare a report or presentation for management, it is not the primary goal.
- derive ways to improve the response process.
  The primary goal of a post-incident review is to derive ways in which the incident response process can be improved.

Which of the following is the PRIMARY purpose of environmental metrics in the vulnerability management program?
- To identify and categorize vulnerabilities within an organization's infrastructure
  While identifying and categorizing vulnerabilities is a fundamental aspect of vulnerability management, the main purpose of environmental metrics is to go beyond this basic categorization by providing a customized and contextualized assessment of vulnerabilities to support informed risk management and decision making within the organization.
- To provide authoritative scoring information for specific software as a service (SaaS) products
  The primary objective is to facilitate risk assessment and decision making. While providing authoritative scoring information for specific software as a service (SaaS) products can be a valuable component of this process, it is not the main purpose. Instead, environmental metrics primarily focus on assessing an organization's assets, risk, and operational context to prioritize and manage vulnerabilities effectively.
- To tailor the Common Vulnerability Scoring System (CVSS) Base Metric scores to individual organization configurations
  Environmental metrics are used to adjust both base and temporal severity scores based on the unique characteristics of the environment, which include the presence of mitigations that reduce risk. These metrics enable organizations to determine the severity rating of vulnerabilities based on their specific operational environment, risk tolerance, and business impact. This customization helps organizations prioritize which vulnerabilities to address, considering factors that may not be applicable to all.
- To review upstream open-source software for vulnerabilities
  Reviewing upstream open-source software for vulnerabilities can be a part of the vulnerability management process, but it is not the primary goal. Environmental metrics consider an organization's unique environment, assets, and operational risk to prioritize and manage vulnerabilities more effectively within that specific context.

Remember: these questions are a small preview of what you can expect on exam day. The official CCOA exam has 140 questions.
You're just a few steps away from obtaining your CCOA certification:
- Register and pay for your exam.
- Schedule your exam.
- Prep for your exam.
- Ace the CCOA exam.
Whether you are seeking a new career opportunity or striving to grow within your current organization, the Certified Cybersecurity Operations Analyst™ (CCOA™) certification proves your skills and expertise.
You've Got This! Now take the CCOA exam.