1. Главная
  2. Книги
  3. Vallabhaneni S. Rao
  4. CISSP Practice
  5. Страница 196
Выбрать главу

d. Because it can be precompiled.

193. a. The common gateway interface (CGI) scripts are interpreted, not precompiled. As such, there is a risk that a script can be modified in transit and not perform its original actions. CGI scripts should not accept unchecked input.

194. Which of the following form the basic component technology of the Active-X framework?

a. Active-X controls

b. Active-X containers

c. Active-X documents

d. Active-X scripts

194. a. Active-X is a framework for Microsoft’s software component technology that allows programs encapsulated in units called “controls” to be embedded in Web pages. A programmer can develop a program, wrap it in an Active-X interface, compile it, and place it on a Web page. When end users point their Web browsers (that support Active-X) at the Web page, the Active-X control downloads and attempts to execute on their computer. Because Active-X controls are simply programs, they can do anything that they are programmed to do, including causing damage by removing critical files.

Other Active-X technologies include Active-X containers, documents, and scripts. An Active-X container is an Active-X application, and an Active-X document is one kind of container. Documents allow the functionality of controls to be extended. Thus, Active-X controls form the basic component technology of the Active-X framework. Active-X containers and scripts pose security risks to the end user.

195. What is the first place to focus on security improvements in a client/server system?

a. Application software level

b. Database server level

c. Database level

d. Application server level

195. c. The first place to focus on security improvements is at the database level. One advantage is that security imposed at the database level will be consistent across all applications in a client/server system.

196. Poorly implemented session-tracking may provide an avenue for which of the following?

a. Browser-oriented attacks

b. Server-oriented attacks

c. Network-oriented attacks

d. User-oriented attacks

196. b. Web-based applications often use tracks, such as session identifiers, to provide continuity between transactions. Poorly implemented session-tracking may provide an avenue for server-oriented attacks.

197. Which of the following allows a layered security strategy for information systems?

1. Implementing lower assurance solutions with lower costs to protect less critical systems

2. Implementing all management, operational, and technical controls for all systems

3. Implementing all compensating and common controls for all systems

4. Implementing higher assurance solutions only at the most critical areas of a system

a. 1 and 2

b. 1 and 4

c. 2 and 3

d. 1, 2, 3, and 4

197. b. Management should recognize the uniqueness of each system to allow for a layered security strategy. This is achieved by implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas of a system. It is not practical or cost-effective to implement all management, operational, technical, compensating, and common controls for all systems.

198. Which of the following consists of a layered security approach to protect against a specific threat or to reduce vulnerability?

1. Use of packet-filtering routers

2. Use of an application gateway

3. Use of strong password controls

4. Adequate user training

a. 1 and 2

b. 1 and 3

c. 2 and 3

d. 1, 2, 3, and 4

198. d. Security designs should consider a layered approach to address or protect against a specific threat or to reduce vulnerability. For example, the use of a packet-filtering router with an application gateway and an intrusion detection system combine to increase the work-factor an attacker must expend to successfully attack the system. Adding good password controls and adequate user training improves the system’s security posture even more.

199. In the trusted computing base (TCB) environment, which of the following is referred to when a failure results from the modifications to the hardware?

a. Compromise from above

b. Compromise from within

c. Compromise from below

d. Compromise from cross domains

199. c. Compromise from below results when a failure occurs due to modification to the hardware. This is because the hardware is located at the bottom of the hierarchy. Compromise from above occurs when an unprivileged user can write untrusted code that exploits vulnerability. Compromise from within occurs when a privileged user or process misuses the allocated privileges. Compromise from cross domains is not relevant here.

200. Which of the following is the most important property of well-designed distributed systems?

a. Fault tolerance through redundancy

b. Security protection through isolation

c. Extendibility through adaptability

d. Distribution transparency through separation of components

200. d. Distribution transparency provides a unified interface to a collection of computing resources using the same names and operations regardless of their location. This means that services are delivered wherever the user is located. New components can be added to the system without interrupting system operations. The other three choices are benefits of well-designed distributed systems.

201. Regarding Common Criteria (CC), which of the following provides an implementation-independent statement of security needs?

a. Target of evaluation (TOE)

b. Security target (ST)

c. Protection profile (PP)

d. Evaluation of assurance level (EAL)

201. c. Protection profile (PP) is an implementation-independent statement of security needs for a product type.

TOE is incorrect because it is a product that has been installed and is being operated according to its guidance. ST is incorrect because it is an implementation-dependent statement of security needs for a specific identified TOE. EAL is incorrect because it is an assurance package, consisting of assurance requirements, representing a point on the CC predefined assurance scale.

202. Which of the following contains a security kernel, some trusted-code facilities, hardware, and some communication channels?

a. Security domain

b. Security model

c. Security perimeter

d. Security parameters

202. c. A security perimeter is a boundary within which security controls are applied to protect information assets.

The security domain is a set of elements, a security policy, an authority, and a set of relevant activities. The security model is a formal presentation of the security policy enforced by the system. Examples of security parameters include passwords and encryption keys.

~ 196 ~