b. Invalidated input
c. Broken authentication
d. Cross-site scripting flaws
156. d. In cross-site scripting (XSS) flaws, the Web application can be used as a mechanism to transport an attack to an end user’s browser. A successful attack can disclose the end user’s session token, attack the local machine, or spoof content to fool the user.
157. A polymorphic virus uses which of the following?
a. Inference engine
b. Heuristic engine
c. Mutation engine
d. Search engine
157. c. Virus writers use a mutation engine to transform simple viruses into polymorphic ones for proliferation purposes and to evade detection. The other three choices do not deal with the transformation process.
158. All the following techniques can help in achieving the process isolation security principle except:
a. Encapsulation
b. Naming distinctions
c. Virtual mapping
d. Security kernel
158. d. A security kernel is defined as the hardware, firmware, and software elements of a Trusted Computing Base (TCB) that implement the reference monitor concept. A security kernel cannot achieve process isolation.
Techniques such as encapsulation, time multiplexing of shared resources, naming distinctions, and virtual mapping are used to employ the process isolation or separation principle. These separation principles are supported by incorporating the principle of least privilege.
159. Defining roles and responsibilities is important in identifying infected hosts with malware incidents before security incidents occur. Which of the following groups can primarily assist with changes in login scripts?
a. Security administrators
b. System administrators
c. Network administrators
d. Desktop administrators
159. d. Organizations should identify which individuals or groups can assist in infection identification efforts. Desktop administrators are good at identifying changes in login scripts along with Windows Registry or file scans, and good at implementing changes in login scripts. The roles of the other three administrators are different from separation of duties, independence, and objectivity viewpoints.
160. Which of the following is a reactive countermeasure in defending against worms?
a. Integrity checkers
b. Software patching
c. Host firewalls
d. Stateful firewalls
160. b. Software patching, being one of the reactive (detective) countermeasures, is mostly done after a vulnerability or programming/design error is discovered. These reactive methods have no hope of preventing fast-spreading worms or worms that use zero-day exploits to carry out their attacks.
The other three choices are examples of proactive (preventive) countermeasures. Integrity checkers keep cryptographic hashes of known good instances of files so that integrity comparisons can be made at any time. Host firewalls enforce rules that define the manner in which specific applications may use the network. Stateful firewalls keep track of network connections and monitor their state.
161. Which of the following is an effective means of preventing and detecting computer viruses coming from outside into a network?
a. Install an antivirus program on the network.
b. Install an antivirus program on each personal computer.
c. Certify all removable media disks prior to their use.
d. Train all employees about potential risks.
161. c. It is a common practice for some organizations to certify all removable media disks coming into the organization from outside prior to their use. This is done by a centralized group for the entire location and requires testing the disk for possible inclusion of viruses. The other three choices are effective as internal protection mechanisms against viruses.
162. All the following are examples of measures to defend against computer viruses except:
a. Access controls
b. Audit trails
c. Passwords
d. Least privilege principle
162. c. Passwords are administrative controls, whereas access controls are technical controls. Access controls include discretionary access controls and mandatory access controls. An audit trail is the collection of data that provides a trace of user actions, so security events can be traced to the actions of a specific individual. To fully implement an audit trails program, audit reduction and analysis tools are also required. Least privilege is a concept that deals with limiting damage through the enforcement of separation of duties. It refers to the principle that users and processes should operate with no more privileges than those needed to perform the duties of the role they are currently assuming.
163. Which of the following security principles balances various variables such as cost, benefit, effort, value, time, tools, techniques, gain, loss, risks, and opportunities involved in a successful compromise of security features?
a. Compromise recording
b. Work factor
c. Psychological acceptability
d. Least common mechanism
163. b. The goal of the work factor principle is to increase an attacker’s work factor in breaking an information system or a network’s security features. The amount of work required for an attacker to break the system or network (work factor) should exceed the value that the attacker would gain from a successful compromise. Various variables such as cost and benefit; effort; value (negative and positive); time; tools and techniques; gains and losses; knowledge, skills, and abilities (KSAs); and risks and opportunities involved in a successful compromise of security features must be balanced.
The principle of compromise recording means computer or manual records and logs should be maintained so that if a compromise does occur, evidence of the attack is available. The recorded information can be used to better secure the host or network in the future and can assist in identifying and prosecuting attackers.
The principle of psychological acceptability encourages the routine and correct use of protection mechanisms by making them easy to use, thus giving users no reason to attempt to circumvent them. The security mechanisms must match the user’s own image of protection goals.
The principle of least common mechanism requires the minimal sharing of mechanisms either common to multiple users or depended upon by all users. Sharing represents possible communications paths between subjects used to circumvent security policy.
164. Certification and accreditation needs must be considered in all the following phases of the system development life cycle except:
a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance
164. d. Certifications performed on applications under development are interleaved with the system development process. Certification and accreditation needs must be considered in the validation, verification, and testing phases employed throughout the system development process (i.e., development and implementation). It does not address the operation/maintenance phase.