
c. Persistent cookies

d. Tracking cookies

97. d. Information collected by tracking cookies is often sold to other parties and used to target advertisements and other directed content at the user. Most spyware detection and removal utility software specifically looks for tracking cookies on systems.

Encrypted cookies are incorrect because they protect the data from unauthorized access. Session cookies are incorrect because they are temporary cookies that are valid only for a single website session. Persistent cookies are incorrect because they are stored on a computer indefinitely so that a website can identify the user during subsequent visits.

98. A system is in a failure state when it is not in a:

1. Protection-state

2. Reachable-state

3. System-state

4. Initial-state

a. 1 or 2

b. 1 and 3

c. 3 and 4

d. 1, 2, 3, and 4

98. d. A system must be either in a protection-state or reachable-state. If not, the system is in a failure state. The protection state is a part of system-state, whereas the reachable-state is obtained from an initial-state.

99. A buffer overflow attack is an example of which of the following threat categories that apply to systems on the Internet?

a. Browser-oriented

b. User-oriented

c. Server-oriented

d. Network-oriented

99. c. A buffer overflow attack is a (i) method of overloading a predefined amount of space in a buffer, which can potentially overwrite and corrupt data in memory, and (ii) condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit these methods and conditions through servers to crash a system or to insert specially crafted code that allows them to gain control of the system. Subtle changes introduced into the Web server can radically change the server’s behavior (for example, turning a trusted entity into a malicious one), the accuracy of the computation (for example, changing computational algorithms to yield incorrect results), or the confidentiality of the information (for example, disclosing collected information).

The other three choices are incorrect because they do not involve buffer overflow attacks. Web browser-oriented threats can launch attacks against Web browser components and technologies. Web-based applications often use tricks, such as hidden fields within a form, to provide continuity between transactions, which may provide an avenue of attack. Examples of user-oriented threats include social engineering. Examples of network-oriented threats include spoofing, masquerading, and eavesdropping attacks.

100. In general, which of the following is legal under reverse-engineering practices?

a. Reverse-engineer computer software with intent to launch commercially with similar design.

b. Reverse-engineer the design of computer chips for duplication.

c. Reverse-engineer a computer program to see how it works and what it does.

d. Reverse-engineer the basic input/output system of a personal computer for duplication.

100. c. Reverse engineering is the process of analyzing a subject system to identify the system’s components and their interrelationships and create representations of the system in another form or at a higher level of abstraction. Some shrink-wrap agreements contain an express prohibition on reverse engineering, decompilation, or disassembly. The correct answer does not hurt the software copyright owner, and it is legal. The other three choices are based on bad intentions on the part of the user and hence can be illegal.

101. When the requirements of the ISO’s Information Security Management Systems (ISO/IEC 27001) framework are applied to any computing environment, “measure and improve controls” belongs to which of the following PDCA cycle steps?

a. Plan

b. Do

c. Check

d. Act

101. c. According to the International Organization for Standardization (ISO), the Plan-Do-Check-Act (PDCA) cycle is the operating principle of ISO’s management system standards. The step “check” measures the results. Specifically, it measures and monitors how far the actual achievements meet the planned objectives.

The step “plan” establishes objectives and develops plans. Specifically, it analyzes an organization’s situation, establishes the overall objectives, sets interim targets, and develops plans to achieve them. The step “do” implements the plans. The step “act” corrects and improves the plans by putting them into practice. Specifically, it makes one learn from mistakes in order to improve and achieve better results next time.

102. Regarding Common Criteria (CC), which of the following alone is not sufficient for use in common evaluation methodology?

1. Repeatability

2. Objectivity

3. Judgment

4. Knowledge

a. 1 only

b. 2 only

c. 1 and 2

d. 3 and 4

102. c. Use of a common evaluation methodology contributes to the repeatability and objectivity of the results, but it is not by itself sufficient. Many of the evaluation criteria require the application of expert judgment and background knowledge, for which consistency is more difficult to achieve.

103. Regarding Common Criteria (CC), precise and universal rating for IT security products is infeasible due to which of the following?

1. Reducing risks

2. Protecting assets

3. Objective elements

4. Subjective elements

a. 1 only

b. 2 only

c. 1 and 2

d. 3 and 4

103. d. Evaluation should lead to objective and repeatable results that can be cited as evidence, even if there is no totally objective scale for representing the results of a security evaluation. As the application of criteria contains objective and subjective elements, precise and universal ratings for IT security are infeasible. Reducing risks and protecting assets are the outcomes of a target of evaluation (TOE).

104. Regarding Common Criteria (CC), how should a Security Target (ST) be used?

1. Before evaluation

2. After evaluation

3. Detailed specification

4. Complete specification

a. 1 only

b. 2 only

c. 1 and 2

d. 3 and 4

104. c. A typical security target (ST) fulfills two roles: one before and during the evaluation, and one after the evaluation. Two roles that an ST should not fulfill are those of a detailed specification and a complete specification.

105. For Common Criteria (CC), how should a Protection Profile (PP) be used?

1. Specification of a single product

2. Complete specification

3. Requirements specification

4. Baseline