Host-based firewalls do block worm activity from entering or exiting hosts; the host-based firewall itself can be reconfigured to prevent exploitation by the worm, and the host-based firewall software can be updated so that it is no longer exploitable.
Network-based firewalls do detect and stop the worm from entering or exiting networks and subnets.
Internet border and internal routers do detect and stop the worm from entering or exiting networks and subnets if the volume of traffic is too high for network firewalls to handle or if certain subnets need greater protection.
The incorrect sequences listed in the other three choices do not contain malware incidents as well because their combined effect is not as strong or effective as that of the correct sequence.
131. All the following are characteristics of a managed environment dealing with malware prevention and handling except:
a. Installing antivirus software
b. Requiring administrator-level privileges to end users
c. Using deny-by-default policies
d. Applying software patches
131. b. Requiring administrator-level privileges is a characteristic of a nonmanaged environment, where system owners and users have substantial control over their own systems. Owners and users can alter system configurations, weakening security. In a managed environment, one or more centralized groups have substantial control over the server and workstation operating system and application configurations across the enterprise. Recommended security practices include installing antivirus software on all hosts and keeping it up to date, using deny-by-default policies on firewalls, and applying patches to operating systems and applications. These practices enable a consistent security posture to be maintained across the enterprise.
132. Which of the following is required to control the actions of mobile code, stationary code, or downloaded code?
a. Technical controls
b. Administrative controls
c. Behavioral controls
d. Physical controls
132. c. Conceptually, behavioral controls can be viewed as a software cage or quarantine mechanism that dynamically intercepts and thwarts attempts by the subject code to take unacceptable actions that violate policy. As with firewalls and antivirus products, methods that dynamically restrain mobile code were born out of necessity to supplement existing mechanisms, and they represent an emerging class of security product. Such products are intended to complement firewall and antivirus products, which respectively block network transactions or mobile code based on predefined signatures (i.e., content inspection), and may refer to methods such as dynamic sandboxes, dynamic monitors, and behavior monitors used for controlling the behavior of mobile code. In addition to mobile code, this class of product may also be applicable to stationary code or downloaded code whose trustworthiness is in doubt.
Technical controls, administrative controls, and physical controls are incorrect because they are not as strong as behavioral controls in combating mobile code.
133. Which of the following is basic, low-privilege access to a computer?
a. Application access
b. Administrative access
c. Privileged access
d. Root access
133. a. Application access is basic, low-privilege access. It may include access to data entry, data update, data query, data output, or report programs. Administrative access, privileged access, and root access are advanced levels of access to a computer system that include the ability to perform significant configuration changes to the computer’s operating system.
134. Assume that a new computer worm is released that can spread rapidly and damage any computer in an organization unless it is stopped. The organization has 1,000 computers, the budget for in-house technical support is $500,000 per year, and the budget for outsourced technical support is $600,000. It takes an average of 4 hours for one technical support worker to rebuild a computer at a rate of $70 per hour for wages and benefits. What is the total cost for not mitigating the worm release?
a. $280,000
b. $500,000
c. $560,000
d. $600,000
134. c. The cost of not mitigating = W × T × R, where W is the number of computers or workstations, T is the time spent fixing systems plus lost user productivity, and R is the hourly rate of time spent or lost. During downtime, the computer owner or user is without a computer to do his or her work, so that lost time must be added to the time required to rebuild a computer. This translates into $560,000 (i.e., 1,000 computers × 8 hours × $70 per hour). $280,000 is incorrect because it fails to take into account the lost user productivity time; it reflects only the rebuild time (i.e., 1,000 computers × 4 hours × $70 per hour). $500,000 is incorrect because it simply assumes the budget for in-house technical support. $600,000 is incorrect because it simply assumes the budget for outsourced technical support.
135. What is the major principle of configuration management?
a. To reduce risks to data confidentiality
b. To reduce risks to data integrity
c. To reduce risks to data availability
d. To provide a repeatable mechanism for effecting system changes
135. d. The major principle of configuration management is to provide a repeatable mechanism for effecting system modifications in a controlled environment. A repeatable mechanism in turn achieves the risk reductions described in the other three choices.
136. Which of the following refers to the Reference Monitor concept?
a. It is a system access control concept.
b. It is a system penetration concept.
c. It is a system security concept.
d. It is a system-monitoring concept.
136. a. The Reference Monitor concept is an access control concept that refers to an abstract computer mediating all accesses to objects by subjects. It is useful to any system providing multilevel secure computing facilities and controls.
137. Which of the following is a malicious code that replicates using a host program?
a. Boot sector virus
b. Worm
c. Multi-partite virus
d. Common virus
137. d. A common virus is code that plants a version of itself in any program it can modify. It is a self-replicating code segment attached to a host executable.
The boot-sector virus works during computer booting, when the master boot sector and boot sector code are read and executed. A worm is a self-replicating program that is self-contained and does not require a host program. A multi-partite virus combines both boot-sector and file-infector viruses.
138. Which of the following is not an example of built-in security features?
a. Authentication controls were designed during a system development process.
b. Fail-soft security features were installed.
c. Least-privilege principles were installed during the post-implementation period.
d. Fail-safe security features were implemented.