
213. Which of the following is required to ensure foolproof security over mobile code?

a. Firewalls

b. Antivirus software

c. Intrusion detection and prevention systems

d. Cascaded defense-in-depth measures

213. d. Cascaded defense-in-depth measures come close to providing foolproof security over mobile code, with examples such as firewalls, antivirus software, intrusion detection and prevention systems, and behavior-blocking technologies. Although firewalls, antivirus software, and intrusion detection and prevention systems provide useful safeguards, they do not provide strong security on their own because of the variety of techniques available for deception, such as mutation, segmentation, and disguise via extended character set encoding.

214. The Common Criteria (CC) permits which of the following between the results of independent security evaluations?

a. Usability

b. Comparability

c. Scalability

d. Reliability

214. b. The Common Criteria (CC) permits comparability between the results of independent security evaluations. The evaluation process establishes a level of confidence that the security functionality of IT products and the assurance measures applied to these IT products meet a common set of requirements. The CC is applicable to IT security functionality implemented in hardware, firmware, or software.

Usability is incorrect because it means such things as easy to learn and remember, productivity enhancing, error resistant, and friendly features.

Scalability is incorrect because it means the system can be made to have more or less computational power by configuring it with a larger or smaller number of processors, amount of memory, interconnection bandwidth, input/output bandwidth, and amount of mass storage.

Reliability is incorrect because it means the system can be counted upon to perform as expected.

215. The Common Criteria (CC) is not useful as a guide for which of the following when evaluating the security functionality of IT products?

a. Development

b. Evaluation

c. Procurement

d. Implementation

215. d. The CC is useful as a guide for the development, evaluation, and/or procurement of products with IT security functionality. The CC is not useful in implementation because implementation scenarios can vary from organization to organization.

216. The Common Criteria (CC) addresses which of the following in an uncommon way?

a. Confidentiality

b. Risks

c. Integrity

d. Availability

216. b. The Common Criteria (CC) addresses information protection from unauthorized disclosure (confidentiality), modification (integrity), or loss of use (availability), which is a common way. The CC is also applicable to risks arising from human activities (malicious or otherwise) and to risks arising from nonhuman activities, which is an uncommon way.

217. The scope of Common Criteria (CC) covers which of the following?

a. Physical protection

b. Administrative security

c. Electromagnetic emanation control

d. Quality of cryptographic algorithm

217. a. In particular, the Common Criteria (CC) addresses some aspects of physical protection. CC does not contain security evaluation criteria pertaining to administrative security measures not related directly to the IT security functionality. CC does not cover the evaluation of technical physical aspects of IT security such as electromagnetic emanation control. CC does not cover the inherent qualities of cryptographic algorithms.

218. Which of the following requires that all users must have formal access approval?

a. Compartmented security mode

b. System-high security mode

c. Controlled mode

d. Limited access mode

218. b. The system-high security mode requires that if the system processes special access information, all users must have formal access approval.

219. Protecting interconnectivity communication devices is a part of which of the following to secure multi-user and multiplatform environments?

a. Management controls

b. Technical controls

c. Physical controls

d. Procedural controls

219. c. Physical controls and procedural controls are part of operational controls, which are day-to-day procedures. Physical security controls (e.g., locked rooms and closets) are used to protect interconnectivity communication devices. Management controls deal with policies and directives. Technical controls deal with technology and systems.

220. Which of the following is not a broad-based security objective for ensuring information systems protection?

a. Prepare and prevent

b. Breach and damage

c. Detect and respond

d. Build and grow

220. b. Breach and damage are narrow-based security objectives because they signify the occurrence of a security incident and recovery from its damage. The scope of prepare and prevent includes minimizing the possibility of a significant attack on critical information assets and networks. Detect and respond includes identifying and assessing an attack in a timely manner. Build and grow is building organizations and facilities, hiring and training people, and establishing policies and procedures.

221. The totality of protection mechanisms used for enforcing a security policy is which of the following?

a. Trusted computing base

b. Trusted path

c. Trusted software

d. Trusted subject

221. a. The trusted computing base (TCB) is the totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. The other three choices are part of the TCB.

222. Requiring signed conflict-of-interest and nondisclosure statements is a part of which of the following to secure multi-user and multiplatform environments?

a. Management controls

b. Technical controls

c. Physical controls

d. Procedural controls

222. d. Physical controls and procedural controls are part of operational controls, which are day-to-day procedures. Requiring signed conflict-of-interest and nondisclosure statements is a part of procedural controls. Management controls deal with policies and directives. Technical controls deal with technology and systems.

223. Taken to its extreme, what does active content become?

a. Built-in macro processing

b. Delivery mechanism for mobile code

c. Scripting language

d. Virtual machine

223. b. Taken to its extreme, active content becomes, in effect, a delivery mechanism for mobile code. Active content involves a host of new technologies such as built-in macro processing, scripting language, and virtual machine.