a. Policies and procedures
b. Internal controls
c. Audit trails and logs
d. Training, awareness, and education
154. c. Audit trails and logs provide after-the-fact information to detect anomalies and therefore cannot provide the first line-of-defenses in terms of preventing an anomaly. Audit trails and logs provide second line-of-defenses, whereas all the other three choices provide first line-of-defense mechanisms.
155. Which of the following is an example of last line-of-defense?
a. Employee vigilance
b. Program change controls
c. Fault-tolerant techniques
d. Exterior protection
155. a. People can detect abnormalities that machines cannot through their common sense; therefore, employee vigilance is the last line-of-defense against anything that has escaped the first and/or second line-of-defense mechanisms. Exterior protection, such as walls and ceilings designed to prevent unauthorized entry, are examples of second line-of-defense, whereas the other three choices are examples of the first line-of-defense mechanisms.
The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.
156. The principal aspects of the defense-in-depth strategy to achieve an effective information-assurance posture do not include which of the following?
a. People
b. Processes
c. Technology
d. Operations
156. b. The defense-in-depth strategy achieves an effective information assurance posture and includes people, technology, and operations, but not processes. Organizations address information assurance needs with people executing operations supported by technology.
157. Operations, one of the principal aspects of the defense-in-depth strategy does not include which of the following?
a. Certification and accreditation
b. Attack sensing and warning
c. System risk assessment
d. Recovery and reconstitution
157. c. System risk assessment is a part of the technology principal, whereas the other choices are part of the operations principal. Defense-in depth strategy focuses on people, technology, and operations.
158. Technology, one of the principal aspects of the defense-in-depth strategy does not include which of the following?
a. Information assurance architecture
b. Facilities countermeasures
c. Information assurance criteria
d. Acquisition integration of evaluated products
158. b. Facilities countermeasures are a part of the people principal, whereas all the other choices are part of the technology principal. Defense-in depth strategy focuses on people, technology, and operations.
159. A strategy of layered protections is needed for which of the following?
1. Multiple points of vulnerability
2. Single points-of-failure
3. Network boundaries
4. Legacy information systems
a. 1 and 2
b. 2 and 3
c. 1, 2, and 3
d. 1, 2, 3, and 4
159. c. Information infrastructures are composed of complicated systems with multiple points of vulnerability, single points-of-failure, and critical areas such as network boundaries. Layers of technology solutions are needed to establish an adequate information assurance posture. Organizations have spent considerable amounts of money on developing large legacy information systems to satisfy unique mission or business needs. These legacy systems will remain in place for some time to come, and slowly will be replaced by commercial off-the-shelf software products. Layered protection is not needed for legacy systems that will be expired soon.
160. Access to all the following should be denied except:
a. HTTP cookies
b. CGI scripts
c. PGP cookie cutter program
d. Applets
160. c. The full name of a cookie is a Persistent Client State HTTP Cookie, which can be an intrusion into the privacy of a Web user. A cookie is a basic text file, transferred between the Web server and the Web client (browser) that tracks where a user went on the website, how long the user stayed in each area, and so on. The collection of this information behind the scenes can be seen as an intrusion into privacy. Access to hypertext transfer protocol (HTTP) cookies can be denied. The pretty good privacy (PGP) cookie cutter program can prevent information about a user from being captured.
A common gateway interface (CGI) script is a small program to execute a single task on a Web server. These scripts are useful for filling out and submitting Web forms and hold information about the server on which they run. This information is also useful to an attacker, which makes its risky. The script can be attacked while running. Applets enable a small computer program to be downloaded along with a Web page.
Applets have both good and bad features. Making a Web page look richer in features is a good aspect. Siphoning off files and erasing a hard drive are some examples of bad aspects.
161. What is the least effective way to handle the Common Gateway Interface (CGI) scripts?
a. Avoid them.
b. Delete them.
c. Execute them.
d. Move them away.
161. c. Some hypertext transfer protocol (HTTP) servers come with a default directory of CGI scripts. The best thing is to delete or avoid these programs, or move them away to another location. The CGI scripts are dangerous because they are vulnerable to attack while executing.
162. Which of the following action items is not a part of the security principle of “increase resilience”?
a. Implement layered security to ensure no single point of vulnerability.
b. Use common languages in developing security requirements.
c. Limit or contain vulnerabilities.
d. Use boundary mechanisms to separate computing systems and networks.
162. b. The action item “Use common languages in developing security requirements” is a part of ease-of-use security principle. The other three choices are part of the increase resilience security principle.
163. Which of the following is not the common security approach taken by Java and Active-X?
a. Hardware
b. Software
c. Human judgment
d. Digital signature
163. a. Active-X technology relies on human judgment and the use of digital signatures. Java relies more on software. They are not dependent on hardware.