CAS-001 Question #500: Real Exam Question with Answer & Explanation
The correct answer is A: Insecure direct object references, CSRF, Smurf. This question tests the ability to rank security vulnerabilities from most critical to least critical for an organization that prioritizes confidentiality above integrity and treats availability as least important.
Question
A government agency considers confidentiality to be of utmost importance and availability issues to be of least importance. Knowing this, which of the following correctly orders various vulnerabilities in the order of MOST important to LEAST important?
Options
- A. Insecure direct object references, CSRF, Smurf
- B. Privilege escalation, Application DoS, Buffer overflow
- C. SQL injection, Resource exhaustion, Privilege escalation
- D. CSRF, Fault injection, Memory leaks
Explanation
Option A is the only list whose order follows confidentiality, then integrity, then availability. Insecure direct object references expose data to users who are not authorized to read it, so they are primarily a confidentiality threat. CSRF tricks an authenticated user's browser into submitting a state-changing request, so it is primarily an integrity threat. A Smurf attack floods a target with amplified ICMP replies, so it is purely an availability threat and belongs last.
Common mistakes.
- B. This option places Application DoS, a pure availability attack, ahead of Buffer overflow, which can enable arbitrary code execution and confidentiality breaches, incorrectly elevating an availability threat above a confidentiality one.
- C. This option ranks Privilege escalation last despite it being a high-severity confidentiality and integrity threat, while Resource exhaustion, an availability concern, is ranked in the middle, reversing the correct priority order.
- D. None of the three vulnerabilities listed (CSRF, Fault injection, and Memory leaks) is a primary confidentiality threat that could sit at the top of the ranking, so no ordering of this set correctly reflects a confidentiality-first model.
Concept tested. Ranking vulnerabilities by CIA triad priority under a confidentiality-first model.
Reference. https://owasp.org/www-project-top-ten/