Multilevel or multiple levels do not have interactions or dependencies as the layers do because they deal with security clearances and access authorizations.

82. To mitigate the risks of using active content, which of the following is an example of hybrid technical safeguards?

a. Risk analysis and security management

b. Layered defenses and security policy

c. Software cages and digital signatures

d. Minimal functionality and least privilege

82. c. Hybrid safeguards combine more than one control. Combining software cages and digital signatures is an example of a hybrid technical safeguard. The other three choices are examples of management and operational safeguards.

83. To mitigate the risks of using active content, which of the following is an example of hybrid technical safeguards?

a. Proof carrying code and filters

b. Security policy and security audit

c. Version control and patch management

d. System isolation and application settings

83. a. Hybrid technical safeguards combine more than one control. Blending proof-carrying code and filters is an example of a hybrid technical safeguard. The blending of proof-carrying code and a software cage is known as model-carrying code. The other three choices are examples of management and operational safeguards.

84. Which of the following IT platforms face a single point-of-failure situation?

a. Wide-area networks

b. Distributed systems

c. Mainframe systems

d. Websites

84. a. A wide-area network (WAN) is a data communication network that consists of two or more local-area networks (LANs) that are dispersed over a wide geographical area. Communications links, usually provided by a public carrier, enable one LAN to interact with other LANs. If redundant communication links are used, it is important to ensure that the links have physical separation and do not follow the same path; otherwise, a single incident, such as a cable cut, could disrupt both links. Similarly, if redundant communication links are provided through multiple network service providers (NSPs), it is important to ensure that the NSPs do not share common facilities at any point. Hence, the communication links and the network service providers can become a single point-of-failure for WANs.

Distributed systems, mainframe systems, and websites do not have single point-of-failure problems because WANs are more complicated.

85. Which one of the following is not related to the others?

a. Sandbox

b. S-box

c. Dynamic sandbox

d. Behavioral sandbox

85. b. An S-box is a nonlinear substitution table (box) used in several byte substitution transformations and in the cryptographic key expansion routine to perform a one-for-one substitution of a byte value. The S-box is not related to the other three choices. An application in a sandbox is usually restricted from accessing the file system or the network (e.g., a Java applet). Extended technologies of a sandbox include the dynamic sandbox or runtime monitor (i.e., behavioral sandbox), which are used in software cages and proof-carrying code to protect against active content and to control the behavior of mobile code.

86. For information assurance vulnerabilities, what is independent validation of an information system conducted through?

a. Penetration testing

b. Conformance testing

c. Red team testing

d. Blue team testing

86. b. Conformance testing is a type of compliance testing conducted by independent parties to assure management that system specifications are followed, through validation that may include testing. For example, conformance testing is conducted on a cryptographic module against its cryptographic algorithm standards. Penetration testing is conducted either by a red team or a blue team.

87. Which of the following statements is not true? A data warehouse is:

a. Distributed

b. Subject-oriented

c. Time-variant

d. Static in nature

87. a. Databases can be distributed, but not the data warehouse. A distributed data warehouse can have all the security problems faced by a distributed database. From a security viewpoint, data warehousing provides the ability to centrally manage access to an organization’s data regardless of a specific location. A data warehouse is subject-oriented, time-variant, and static in nature.

88. Database application systems have similarities and differences from traditional flat file application systems. Database systems differ most in which of the following control areas?

a. Referential integrity

b. Access controls

c. Data editing and validation routines

d. Data recovery

88. a. Referential integrity means that no record may contain a reference to the primary key of a nonexistent record. Cascading of deletes, one of the features of referential integrity checking, occurs when a record is deleted and all other referenced records are automatically deleted. This is a special feature of database applications.

The other three choices are incorrect because they are the same for flat file and database systems. Both need access controls to prevent unauthorized users from accessing the system, both need data editing and validation controls to ensure data integrity, and both need data recovery techniques to recover from a damaged or lost file.

89. Software re-engineering is where:

a. Software engineering techniques are applied to fix the old software.

b. The existing system is analyzed and new functionality is added.

c. The existing programming code is manually converted to a database.

d. Software engineering techniques are applied to design a new system.

89. b. Software re-engineering is an approach for adding new functionality to an existing system. Unlike reverse software engineering, which aims to recycle existing specifications into an entirely new system, software re-engineering extends the functionality of a system without re-creating it. Software engineering is the use of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software; that is, the use of engineering principles in the development of software. It uses a combination of automated and manual tools, techniques, and procedures.

90. Transaction management mechanisms are applied to ensure that a structured query language (SQL) database remains in a consistent state at all times. Which of the following SQL statements is not part of the transaction management functions?

a. Rollback

b. Roll-forward

c. Commit

d. Savepoint

90. b. A database may be in a consistent or inconsistent state. A consistent state implies that all tables (or rows) reflect some real-world change. An inconsistent state implies that some tables (or rows) have been updated but others still reflect the old world. A transaction management mechanism enables the database to return to the previous consistent state if an error occurs. Roll-forward restores the database from a point in time when it is known to be correct to a later time.
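As an added example (not part of the question bank), the following Python script uses the built-in sqlite3 module to exercise the referential-integrity behavior from question 88 (a dangling foreign key is rejected, and a cascading delete removes dependent rows) and the transaction statements from question 90 (SAVEPOINT, ROLLBACK, COMMIT). The customers/orders schema and its sample rows are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed sample schema (assumption): orders reference customers."""
    # Autocommit mode: statements commit immediately unless we BEGIN explicitly.
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when this is on
    con.execute("CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("""CREATE TABLE orders(
        id INTEGER PRIMARY KEY, amount INTEGER,
        customer_id INTEGER NOT NULL REFERENCES customers(id) ON DELETE CASCADE)""")
    con.executemany("INSERT INTO customers VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                    [(10, 50, 1), (11, 75, 1), (12, 20, 2)])
    return con

def dangling_reference_rejected(con):
    """Referential integrity: an order naming a nonexistent customer is refused."""
    try:
        con.execute("INSERT INTO orders VALUES (99, 5, 42)")  # customer 42 does not exist
        return False
    except sqlite3.IntegrityError:
        return True

def cascade_delete(con):
    """Cascading delete: removing customer 1 also removes the orders that reference it."""
    con.execute("DELETE FROM customers WHERE id = 1")
    return con.execute("SELECT COUNT(*) FROM orders").fetchone()[0]

def savepoint_then_commit(con):
    """SAVEPOINT undoes only the work done after it; COMMIT makes the rest durable."""
    con.execute("BEGIN")
    con.execute("UPDATE orders SET amount = amount + 100 WHERE id = 12")  # 20 -> 120
    con.execute("SAVEPOINT before_risky_step")
    con.execute("UPDATE orders SET amount = -1 WHERE id = 12")  # stand-in for a bad update
    con.execute("ROLLBACK TO SAVEPOINT before_risky_step")     # back to 120, still in txn
    con.execute("RELEASE SAVEPOINT before_risky_step")
    con.execute("COMMIT")
    return con.execute("SELECT amount FROM orders WHERE id = 12").fetchone()[0]

def rollback_on_error(con):
    """ROLLBACK returns the database to the last consistent state after a failed step."""
    con.execute("BEGIN")
    con.execute("UPDATE orders SET amount = 0 WHERE id = 12")
    try:
        con.execute("INSERT INTO orders VALUES (98, 1, 42)")  # violates the foreign key
        con.execute("COMMIT")
    except sqlite3.IntegrityError:
        con.execute("ROLLBACK")  # the earlier UPDATE is undone as well
    return con.execute("SELECT amount FROM orders WHERE id = 12").fetchone()[0]
```

Each function takes a fresh connection from make_db(), so the checks are independent of one another; roll-forward (the odd one out in question 90) has no SQL statement here because it is a recovery operation performed from logs, not a transaction command.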