203. Phishing attacks are mostly an example of which of the following?
a. Browser-oriented attacks
b. Server-oriented attacks
c. Network-oriented attacks
d. User-oriented attacks
203. d. In a phishing attack, attackers try to trick users into accessing a fake website and divulging personal information. Social engineering methods are employed in phishing attacks. Note that some phishing attacks can be a blended attack targeting the browser.
204. In which of the following security operating modes is the system access secured to at least the top level?
a. Multilevel security mode
b. Dedicated security mode
c. Compartmented security mode
d. Controlled mode
204. c. Compartmented security mode is the mode of operation that allows the system to process two or more types of compartmented information (information requiring a special authorization) or any one type of compartmented information with other than compartmented information. In this mode, system access is secured to at least the top-secret level, but all system users do not necessarily need to be formally authorized to access all types of compartmented information being processed and/or stored in the system.
Multilevel security mode is incorrect. It is the mode of operation that allows two or more classification levels of information to be processed simultaneously within the same system when some users are not cleared for all levels of information present.
Dedicated security mode is incorrect. It is the mode of operation in which the system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time.
Controlled mode is incorrect. It is a type of multilevel security in which a more limited amount of trust is placed in the hardware/software base of the system, with resultant restrictions on the classification levels and clearance levels that may be supported.
205. According to the Common Criteria (CC), security functional requirements do not include which of the following?
a. User data protection
b. Security management
c. Configuration management
d. Resource utilization
205. c. According to the Common Criteria (CC), configuration management is part of security assurance requirements, not a functional requirement. The other three choices are part of the security functional requirements.
206. According to the Common Criteria (CC), security assurance requirements do not include which of the following?
a. Privacy
b. Development
c. Tests
d. Vulnerability assessment
206. a. According to the Common Criteria (CC), privacy is part of security functional requirements, not a security assurance requirement. The other three choices are part of the security assurance requirements.
207. A factor favoring acceptability of a covert channel is which of the following?
a. High bandwidth
b. Low bandwidth
c. Narrow bandwidth
d. Broad bandwidth
207. b. Factors favoring acceptability of a covert channel include low bandwidth and the absence of application software that can exploit covert channels.
208. An information technology security principle should ensure which of the following?
a. No single point of access
b. No single point of use
c. No single point of responsibility
d. No single point of vulnerability
208. d. Good IT principles provide a foundation for better IT security. For example, a sound security policy provides a strong foundation for system design. Similarly, implementing a layered security approach ensures no single point of vulnerability in a computer system. The concern here is that if the single point-of-failure occurs because vulnerability is exploited, then the entire system can be compromised, which is risky.
209. What is the best time to implement a data dictionary system?
a. During the development of a new application system
b. During the redesign of an application system
c. During the reengineering of an application system
d. During the modification of an application system
209. a. Although it is best to implement a data dictionary during development of a new application system, it can also be implemented during a major redesign, reengineering, or maintenance of an existing application system.
210. Mapping information security needs to business data is a part of which of the following to secure multi-user and multiplatform environments?
a. Management controls
b. Technical controls
c. Physical controls
d. Procedural controls
210. a. Management controls deal with policies and directives. Mapping information security needs to business data is a management policy. Technical controls deal with technology and systems. Physical controls and procedural controls are part of operational controls, which are day-to-day procedures.
211. Which of the following is not an example of the basic components of a generic Web browser?
a. Java
b. Active-X
c. CGI
d. Plug-ins
211. c. The common gateway interface (CGI) is an industry standard for communicating between a Web server and another program. It is a part of a generic Web server. Java, Active X, and plug-ins are incorrect because they are a part of a generic Web browser.
212. Masquerading is an example of which of the following threat categories that apply to systems on the Internet?
a. Browser-oriented
b. Software-oriented
c. Server-oriented
d. Network-oriented
212. a. Internet-related threats are broken down into three categories: browser-oriented, server-oriented, and network-oriented. Software-oriented is a generic category useful to the other categories. Software-oriented threats may result from software complexity, configuration, and quality. Web servers can launch attacks against Web browser components and technologies. Because browsers can support multiple associations with different Web servers as separate windowed contexts, the mobile code of one context can also target another context. Unauthorized access may occur simply through a lack of adequate access control mechanisms or weak identification and authentication controls, which allow untrusted code to act or masquerade as a trusted component. After access is gained, information residing at the platform can be disclosed or altered.