
164. What is the most effective control against Active-X programs?

a. Use digital signatures.

b. Issue a policy statement.

c. Accept only approved Active-X programs.

d. Prohibit all Active-X programs.

164. d. The problem with Active-X programs is that users may download a program signed by someone with whom the user is unfamiliar. A policy statement about who can be trusted is difficult to implement. The most effective control is to prohibit all Active-X programs.

165. Which of the following represents a single point-of-failure?

a. Network server

b. Database server

c. Firewall

d. Router

165. c. A firewall tends to concentrate security in a single point, which can lead to the potential of compromising the entire network through a single point. If the firewall fails, the entire network could be attacked. The other three choices are not examples of single point-of-failure.

166. Which of the following is an example of second line-of-defense?

a. Monitoring of systems and employees

b. Decoy systems

c. Honeypot systems

d. Network monitoring

166. a. Monitoring of systems and employees against unauthorized actions is an example of second line-of-defense. An example is keyboard monitoring of an employee’s work. The other three choices are examples of the first line-of-defense mechanisms.

Lines of defense are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The lines of defense form a core part of a defense-in-depth (security-in-depth) strategy.

167. Which of the following statements is not true about a system’s protection profile (PP) format of the Common Criteria (CC)?

a. It records the threats that are being considered.

b. It is the result of the initial security analysis.

c. It documents the security objectives that are being pursued.

d. It records the actual security specifications as they are created.

167. b. The system protection profile (PP) format of Common Criteria (CC) can be used for presenting the results of the needs determination and requirements analysis. Further, a system PP acts as a record of the security analysis performed during this specification generation process. The PP provides all the things mentioned in the other three choices. Therefore, a system PP should be viewed as an evolving document that is not simply the “result” of the initial security analysis, but is also the full record of the security analysis performed during the course of the specification generation process.

168. Which of the following actions is not a part of the increase resilience security principle?

a. Operate an IT system to limit damage and to be resilient in response.

b. Do not implement unnecessary security mechanisms.

c. Isolate public access systems from mission-critical resources.

d. Implement audit mechanisms to detect unauthorized use and to support incident investigations.

168. b. The action item “Do not implement unnecessary security mechanisms” is a part of the reduce vulnerabilities security principle. The other three choices are part of the increase resilience security principle.

169. Which of the following is required for a distributed information system to support migration to new technology or upgrade of new features?

1. Modular design

2. Common language

3. Interoperability

4. Portability

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 1, 2, 3, and 4

169. d. The security design should be modular so that individual parts of the security design can be upgraded without the requirement to modify the entire system. The use of a common language (e.g., the Common Criteria) during the development of security requirements permits organizations to evaluate and compare security products and features. This evaluation can be made in a common test environment. For distributed information systems to be effective, security program designers should make every effort to incorporate interoperability and portability into all security measures, including hardware and software, and implementation practices.

170. From a relative risk viewpoint, the need for layered security protection is most important for which of the following systems in order to protect against sophisticated attacks?

a. Major information systems

b. Commercial off-the-shelf systems

c. General support systems

d. Custom designed application systems

170. b. The need for layered security protection is most important when commercial off-the-shelf products from software vendors are used. Practical experience has shown that the current state of the art for security quality in vendors’ commercial system products does not provide a high degree of protection against sophisticated attacks. Additional security controls are needed to provide layered security protection because the vendor product is a generic product with minimal security controls intended for all customers’ use.

The systems in the other three choices are internal systems of an organization that are developed for a specific business purpose and with adequate security controls. A general support system is an interconnected set of information resources under the same direct management control that share common functionality, including hardware, software, data/information, applications, communications, and people. An information system is classified as a major system when its development, maintenance, and operating costs are high and when it has a significant role in the overall operations of an organization.

171. Which of the following are required for an information system to become resilient?

1. Detect and respond capabilities

2. Manage single points-of-failure

3. Implement a response strategy

4. Develop a reporting system

a. 1 and 2

b. 2 and 3

c. 1 and 3

d. 1, 2, 3, and 4

171. d. For information systems to become resilient, organizations should establish detect and respond capabilities, manage single points-of-failure in their systems, implement a response strategy, and develop a reporting system for management.

172. Which of the following does not act as the first line-of-defense for protecting the data?

a. Passwords

b. Disk mirroring

c. Audit trails

d. Redundant array of independent disks

172. c. Audit trails provide information on an after-the-fact basis. They do not prevent bad things from happening.