224. A denial-of-service attack is an example of which of the following threat categories that apply to systems on the Internet?
a. Browser-oriented
b. User-oriented
c. Server-oriented
d. Network-oriented
224. d. Attacks can be launched against the network infrastructure used to communicate between the browser and server. An attacker can gain information by masquerading as a Web server using a man-in-the-middle attack, whereby requests and responses are conveyed via the impostor acting as a watchful intermediary. Such a Web spoofing attack allows the impostor to shadow not only a single targeted server, but also every subsequent server accessed. Other obvious attack methods lie outside the browser-server framework and involve targeting either the communications or the supporting platforms. Denial-of-service (DoS) attacks through available network interfaces are another possibility, as are exploits involving any existing platform vulnerability.
225. In the trusted computing base (TCB) environment, which of the following terms describes the situation in which a security administrator accidentally or intentionally configures the access tables incorrectly?
a. Compromise from above
b. Compromise from within
c. Compromise from below
d. Compromise from cross domains
225. b. Compromise from within results when a security administrator accidentally or intentionally configures the access tables incorrectly. Compromise from above occurs when an unprivileged user can write untrusted code that exploits a vulnerability. Compromise from below occurs as a result of the accidental failure of an underlying trusted component. Compromise from cross domains is not relevant here.
Scenario-Based Questions, Answers, and Explanations
Use the following information to answer questions 1 through 12.
The SRC Company is a software development firm serving major military markets. It builds off-the-shelf software, which eventually is bought by the public. For certification and accreditation purposes, it is applying for evaluation of assurance level (EAL) 4 for two of its new products. The company has a repeatable software development process in place. It semi-formally designs and tests each product, and it methodically reviews the development process.
1. Regarding Common Criteria (CC), which of the following provides an implementation-independent statement of security needs?
a. Target of evaluation (TOE)
b. Security target (ST)
c. Protection profile (PP)
d. Evaluation of assurance level (EAL)
1. c. Protection profile (PP) is an implementation-independent statement of security needs for a product type. TOE is incorrect because it is a product that has been installed and is being operated according to its guidance. ST is incorrect because it is an implementation-dependent statement of security needs for a specific identified TOE. EAL is incorrect because it is an assurance package, consisting of assurance requirements, representing a point on the CC predefined assurance scale.
2. The Common Criteria (CC) permits which of the following between the results of independent security evaluations?
a. Usability
b. Comparability
c. Scalability
d. Reliability
2. b. The Common Criteria (CC) permits comparability between the results of independent security evaluations. The evaluation process establishes a level of confidence that the security functionality of IT products and the assurance measures applied to these IT products meet a common set of requirements. The CC is applicable to IT security functionality implemented in hardware, firmware, or software. Usability is incorrect because it means easy to learn and remember, productivity enhancing, error resistant, and friendly. Scalability is incorrect because it means the system can be made to have more or less computational power by configuring it with a larger or smaller number of processors, amount of memory, interconnection bandwidth, input/output bandwidth, and amount of mass storage. Reliability is incorrect because it means the system can be counted upon to perform as expected.
3. The Common Criteria (CC) is not useful as a guide for which of the following when evaluating the security functionality of IT products?
a. Development
b. Evaluation
c. Procurement
d. Implementation
3. d. The Common Criteria (CC) is useful as a guide for the development, evaluation, and/or procurement of products with IT security functionality. Implementation scenarios can vary from organization to organization.
4. The Common Criteria (CC) addresses which of the following in an uncommon way?
a. Confidentiality
b. Risks
c. Integrity
d. Availability
4. b. The Common Criteria (CC) addresses information protection from unauthorized disclosure (confidentiality), modification (integrity), or loss of use (availability). These are the most common ways. The CC is also applicable to risks arising from human activities (malicious or otherwise) and to risks arising from nonhuman activities, which is an uncommon way.
5. The scope of Common Criteria (CC) covers which of the following?
a. Physical protection
b. Administrative security
c. Electromagnetic emanation control
d. Quality of cryptographic algorithm
5. a. In particular, the Common Criteria (CC) addresses some aspects of physical protection. Administrative security is incorrect because the CC does not contain security evaluation criteria pertaining to administrative security measures not related directly to the IT security functionality. Electromagnetic emanation control is incorrect because the CC does not cover the evaluation of technical physical aspects of IT security such as electromagnetic emanation control. Quality of cryptographic algorithm is incorrect because the CC does not cover the inherent qualities of cryptographic algorithms.
6. Which of the following is not one of the target audiences of the Common Criteria (CC) from a general interest viewpoint?
a. Security designers
b. Consumers
c. Developers
d. Evaluators
6. a. There are three groups with a general interest in evaluating the security properties of targets of evaluation (TOEs): consumers, developers, and evaluators. Additional interest groups that can benefit from information contained in the Common Criteria (CC) are system custodians, system security officers, auditors, security architects, and security designers.
7. Regarding the Common Criteria (CC), which of the following alone is not sufficient for use in common evaluation methodology?
1. Repeatability
2. Objectivity
3. Judgment
4. Knowledge
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
7. c. Use of a common evaluation methodology contributes to the repeatability and objectivity of the results, but it is not by itself sufficient. Many of the evaluation criteria require the application of expert judgment and background knowledge, for which consistency is more difficult to achieve.