
44. In the trusted computing base (TCB) environment, which of the following is not a sufficient design consideration for implementing domain separation?

a. Memory mapping

b. Multistate hardware

c. Multistate software

d. Multistate compiler

44. a. Memory mapping, that is, manipulating memory-mapping registers, is not by itself sufficient to meet the domain separation requirement, but it may be used to enhance hardware isolation. The other three choices are examples of good design considerations.

45. Enforcement of a system’s security policy does not imply which of the following?

a. Consistency

b. Efficiency

c. Reliability

d. Effectiveness

45. b. Assurance of trust requires enforcement of the system’s security policy. Enforcement implies consistency, reliability, and effectiveness. It does not imply efficiency because effectiveness is better than efficiency.

46. For a trusted computing base (TCB) to enforce the security policy, it must contain which of the following?

a. Single-layer and separate domain

b. Privileged user and privileged process

c. Tamperproof and uncompromisable

d. Trusted rule-base and trusted program

46. c. For a trusted computing base (TCB) to enforce the security policy, the TCB must be both tamperproof and uncompromisable. The other three choices are not strong.

47. In the trusted computing base (TCB) environment, resource isolation does not mean which of the following?

a. Containment of subjects and objects

b. Protection controls of the operating system

c. Imposition of mandatory access control

d. Auditing of subjects and objects

47. c. The trusted computing base (TCB) imposes discretionary access controls (DACs) and not mandatory access controls (MACs). The other three choices, along with discretionary access controls, provide resource isolation.

48. Which of the following can lead to a single point-of-failure?

a. Decentralized identity management

b. Universal description, discovery, and integration registry

c. Application programming interface

d. Web services description language

48. b. The universal description, discovery, and integration (UDDI) registry in Web services supports listing of multiple uniform resource identifiers (URIs) for each Web service. When one instance of a Web service has failed, requesters can use an alternative URI. Using UDDI to support failover causes the UDDI registry to become a single point-of-failure.

Centralized identity management, not decentralized identity management, is vulnerable to a single point-of-failure. Application programming interface (API) and Web services description language (WSDL) are not vulnerable to a single point-of-failure because API is defined as a subroutine library, and WSDL complements the UDDI standard.

49. Which of the following is most susceptible to a single point-of-failure?

a. Quarantine server

b. Proxy server

c. Centralized authentication server

d. Database server

49. c. A single sign-on (SSO) solution usually includes one or more centralized authentication servers containing authentication credentials for many users. Such a server becomes a single point-of-failure for authentication to many resources, so the availability of the server affects the availability of all the resources that rely on it for authentication services. Also, any compromise of the server can compromise authentication credentials for many resources. The servers in the other three choices do not contain authentication credentials.

50. Which of the following provides a centralized approach to enforcing identity and security management aspects of service-oriented architecture (SOA) implementation using Web services?

a. Unified modeling language (UML)

b. Extensible markup language (XML) gateways

c. Extended hypertext markup language (XHTML)

d. Extensible access control markup language (XACML)

50. b. Extensible markup language (XML) gateways are hardware- or software-based solutions for enforcing identity and security for SOA. An XML gateway is a dedicated application that enables a more centralized approach at the network perimeter.

The other three choices do not provide identity and security management features. UML simplifies the complex process of software design. XHTML is a unifying standard that brings the benefits of XML to those of HTML. XACML is a general-purpose language for specifying access control policies.

51. An extensible markup language (XML) gateway-based service-oriented architecture’s (SOA’s) security features do not contain which of the following?

a. Firewall

b. Public key infrastructure

c. Digital signature

d. Encryption

51. a. An XML gateway-based SOA’s security features include public key infrastructure (PKI), digital signatures, encryption, XML schema validation, antivirus, and pattern recognition. It does not contain a firewall feature, although it operates like a firewall at the network perimeter.

52. The accountability security objective does not need which of the following security services?

a. Audit

b. Nonrepudiation

c. Access control enforcement

d. Transaction privacy

52. d. Transaction privacy is a security service that fulfills the confidentiality security objective. The other three choices fulfill the accountability security objective.

53. Which of the following security services is not common between the availability security objective and the assurance security objective?

a. Audit

b. Authorization

c. Access control enforcement

d. Proof-of-wholeness

53. a. The audit security service is needed for the assurance security objective but not for the availability security objective. The other three choices are common to both the availability and the assurance security objectives.

54. Restricting the use of dynamic port allocation routines is a part of which of the following to secure multi-user and multiplatform environments?

a. Management controls

b. Technical controls

c. Physical controls

d. Procedural controls

54. b. Securing multi-user and multiplatform environments requires technical controls such as restricting the use of dynamic port allocation routines. Technical controls are implemented through security mechanisms contained in the hardware, software, or firmware components of a system. Management controls deal with risk management, policies, directives, rules of behavior, accountability, and personnel security decisions. Physical controls and procedural controls are part of operational controls, which are day-to-day procedures implemented and executed by people rather than by systems.