
109. Information systems security testing is a part of which of the following?

a. Directive controls

b. Preventive controls

c. Detective controls

d. Corrective controls

109. c. Information systems security testing is a part of detective controls because it includes vulnerability scanners, penetration tests, and war dialing. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented.

Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Preventive controls deter security incidents from happening in the first place. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation because they rely more on human judgment.

110. In a public cloud computing environment, which of the following is mostly needed to establish a level of trust among cloud service providers and subscribers?

a. Compensating controls

b. Third-party audits

c. Threshold for alerts

d. Service contracts

110. b. Establishing a level of trust about a cloud service is dependent on the degree of control an organization can exert on the service provider to protect the organization’s data and applications. Evidence is needed about the effectiveness of security controls over such data and applications. Third-party audits may be used to establish a level of trust and evidence if it is not feasible to verify through normal means. If the level of trust in the service falls below expectations and the organization cannot employ compensating controls, it must either reject the service or accept a greater degree of risk. Threshold for alerts and notification is needed to keep visibility on the cloud service provider.

111. Which of the following is an example of a personal firewall?

a. Network-based firewalls

b. Host-based firewalls

c. Source-based IP address

d. Destination-based IP address

111. b. Host-based firewalls, also known as personal firewalls, can be effective at preventing unauthorized access to endpoints if configured to block unwanted activity. Host-based firewalls might need to be reconfigured from their typical settings to permit legitimate activity, such as enabling an IPsec endpoint. Accordingly, organizations should consider providing information to external endpoint administrators and users on which services, protocols, or port numbers the host-based firewalls should permit for necessary services. The other three choices are not related to personal firewalls.

112. Which of the following is not used by an individual or a specialized computer program to read an online advertisement displayed by the Internet search engine without the intention of buying a product or service?

a. Honeynets

b. Pay-per-click feature

c. Botnets

d. Third parties

112. a. This question relates to click fraud. Honeynets are networks of honeypots, which are used to create fake production systems to attract attackers to study their behaviors and actions with an information system. Honeynets are not used in click fraud.

The other three choices are used to create click fraud, which is a major problem for Internet service providers (ISPs) and other websites. Click fraud is perpetrated by a combination of individuals, specialized computer programs, bot networks (botnets), and third parties who are hired for a fee to click because they are paid on a per-click basis (for example, the more clicks they make, the more money they earn). In all these situations, fraudulent clicks are made on an online advertisement with no intention of learning more about a product or purchasing it. The advertiser pays the website owners based on the number of clicks made on its advertisement. Unethical website owners create click fraud to make easy money. Specialized computer programs are written to do the automatic clicking.

113. The purpose of the packet filter is not based on which of the following?

a. IP addresses

b. Protocols

c. Port numbers

d. Applications

113. d. The purpose of the packet filter is to specify how each type of incoming and outgoing traffic should be handled—whether the traffic should be permitted or denied (usually based on IP addresses, protocols, and port numbers), and how permitted traffic should be protected. The type of application does not matter for the packet filter.

114. As the packet filtering rules become more complex, they can lead to which of the following?

a. Authentication errors

b. Cryptographic errors

c. Configuration errors

d. Performance errors

114. c. One caveat in the packet filter is that the more complex the packet filtering rules become, the more likely it is that a configuration error may occur, which could permit traffic to traverse networks without sufficient controls.
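To illustrate questions 113 and 114 together, here is an added example (not part of the original question bank) of a first-match packet filter that decides on source address, protocol and destination port only, plus a check for the configuration error that growing rule sets invite: an earlier broad rule silently shadowing a later, more specific deny. The rule set and traffic below are constructed for the example.

```python
"""Added example, not from the question bank: a minimal first-match packet
filter keyed on IP address, protocol and port (question 113), with a check for
the shadowed-rule configuration error question 114 warns about."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR; "0.0.0.0/0" matches any source
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None matches any port

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))

def filter_packet(rules: List[Rule], src_ip: str, proto: str, dport: int,
                  default: str = "deny") -> str:
    """First matching rule wins; the implicit default applies when none match."""
    for r in rules:
        if r.matches(src_ip, proto, dport):
            return r.action
    return default

def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Pairs (i, j) where rule j can never fire because an earlier rule i with
    the opposite action already covers all the traffic rule j describes."""
    return [(i, j) for j, later in enumerate(rules)
            for i, earlier in enumerate(rules[:j])
            if earlier.action != later.action and earlier.covers(later)]

# Constructed rule set: the intent is to block telnet from the guest subnet,
# but a broad "permit any tcp from guest" was inserted above that deny.
RULES = [
    Rule("permit", "10.20.0.0/16", "tcp", None),  # too broad, shadows the deny
    Rule("deny",   "10.20.0.0/16", "tcp", 23),    # intended control, unreachable
    Rule("permit", "0.0.0.0/0",    "tcp", 443),
]
# Same rules with the specific deny placed first, as the administrator intended.
FIXED_RULES = [RULES[1], RULES[0], RULES[2]]
```

Running `shadowed_rules(RULES)` reports the pair `(0, 1)`, and `filter_packet(RULES, "10.20.5.9", "tcp", 23)` returns "permit" even though a deny for that traffic exists; the reordered `FIXED_RULES` returns "deny" and reports no shadowing.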

115. The Internet Protocol security (IPsec) implementation typically supports which of the following authentication methods?

1. Preshared keys

2. Digital signatures

3. Kerberos

4. TACACS and RADIUS

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

115. d. The endpoints of an IPsec connection use the same authentication method to validate each other. IPsec implementations typically support preshared keys and digital signatures, and in some implementations external authentication services, such as Kerberos. Some IPsec implementations also support the use of legacy asymmetric authentication servers such as terminal access controller access control system (TACACS) and remote authentication dial-in user service (RADIUS).

116. Which of the following does not require redundancy and fail-over capabilities to provide a robust Internet Protocol security (IPsec) solution?

a. IPsec client software in a managed environment

b. IPsec gateways

c. Authentication servers

d. Directory servers

116. a. Redundancy and fail-over capabilities should be considered not only for the core IPsec components, but also for supporting systems. IPsec client software may be broken by a new operating system update. This issue can be handled rather easily in a managed environment, but it can pose a major problem in a nonmanaged environment. Therefore, the IPsec client software does not require redundancy and fail-over capabilities.

IPsec gateways are incorrect because two IPsec gateways can be configured so that when one gateway fails, users automatically fail over to the other gateway. Authentication servers and directory servers are incorrect because they also need redundancy due to their support role.

117. All the following can be disallowed at the voice gateway in Voice over Internet Protocol (VoIP) except: