a. Read, insert, and delete

b. Precompile, link, and compile

c. Prepare, execute, and delete

d. Test, debug, and log

11. c. Each test program involves preparing the executable program, executing it, and deleting it. This saves space on mass storage and generates a complete log. This approach is recommended for debugging and validation purposes. Read, insert, and delete covers the transfer of all rows from Table A to Table B, in which a table is read, inserted, and deleted. A source program is precompiled, linked, and compiled to become an object or executable program.

Domain 5

Cryptography

Traditional Questions, Answers, and Explanations

1. For security protection mechanisms for cryptographic data in storage, backup, and archives, the storage of keying material is a part of which of the following cryptographic services?

a. Confidentiality

b. Availability

c. Integrity

d. Labels

1. b. The availability service for data in storage deals with backup and archive storages. During a key’s crypto-period, keying material (i.e., keys and initialization vectors) should be stored in both normal operational storage and in backup storage. After the end of a key’s crypto-period, keying material should be placed in archive storage. The other three choices do not deal with backup and archive storages.

2. Which of the following is referred to when two cryptographic key component holders manage the process of handling the two components of a cryptographic key?

a. Key list

b. Key escrow

c. Key loader

d. Key exchange

2. b. In general, escrow is something (for example, a document or an encryption key) that is delivered to a third party to be given to the grantee only upon the fulfillment of a predefined condition (i.e., a grantor and grantee relationship with a third party in the middle). Key escrow is the process of managing (for example, generating, storing, transferring, and auditing) the two components of a cryptographic key by two component holders. Key components are the two values from which a key can be derived. A key escrow system entrusts the two components comprising a cryptographic key (for example, a device unique key) to two key component holders (also called escrow agents).

The other three choices are incorrect. Key list is a printed series of key settings for a specific cryptonet. Key lists may be produced in list, pad, or printed tape format. Key loader is a self-contained unit that is capable of storing at least one plaintext or encrypted cryptographic key or key component that can be transferred, upon request, into a cryptographic module. Key exchange is the process of exchanging public keys and other information in order to establish secure communications.

3. Transaction privacy controls do not include which of the following?

a. Secure sockets layer (SSL)

b. Mandatory access controls (MAC)

c. Transport layer security (TLS)

d. Secure shell (SSH)

3. b. Transaction privacy controls include secure sockets layer (SSL), transport layer security (TLS), and secure shell (SSH) to protect against loss of privacy for transactions performed by an individual. Mandatory access controls (MAC) define access control security policy.

4. A cryptographic key has been compromised due to usage and age. The next step is to use which of the following?

a. DNSSEC-aware resolver

b. Key rollover

c. Zone signing key

d. Key signing key

4. b. Key rollover is the process of generating and using a new key (symmetric or asymmetric key pair) to replace one already in use. Rollover is done because a key has been compromised as a result of usage and age.

The DNSSEC-aware resolver is incorrect because it is an entity that sends DNS queries, receives DNS responses, and understands the DNSSEC specification, even if it is incapable of performing validation. A zone-signing key is incorrect because it is an authentication key that corresponds to a private key used to sign a zone. A key signing key is incorrect because it is an authentication key that corresponds to a private key used to sign one or more other authentication keys for a given zone.

5. Which of the following protocols is used to encrypt individual messages?

a. Secure sockets layer (SSL)

b. Transport layer security (TLS)

c. Secure hypertext transfer protocol (S-HTTP)