Читаем CISSP Practice полностью

d. Compromise from cross domains

39. a. The compromise resulting from the execution of a Trojan horse that misuses the discretionary access control (DAC) mechanism is an example of compromise from above.

The other three choices do not allow such an examination. Compromise from within occurs when a privileged user or process misuses the allocated privileges. Compromise from below occurs as a result of accidental failure of an underlying trusted component. Compromise from cross domains is not relevant here.

40. All of the following are the most simplest and practical approaches to controlling active content documents and mobile code except:

a. Isolation at the system level

b. Isolation at the physical level

c. Isolation at the program level

d. Isolation at the logical level

40. b. Isolation can be applied at various levels to minimize harm or damage resulting from inserting malicious hidden code. The simplest one is complete isolation at the system level (high level) and the hardest one is at the physical level (low level) when controlling the active content documents and mobile code. Physical level means being close to the PC/workstation’s hardware, circuits, and motherboards, which is not practical with remote computing. This means physical isolation is not always possible due to location variables.

Regarding system level isolation, a production computer system that is unable to receive active content documents cannot be affected by malicious hidden code insertions. Logical level isolation consists of using router settings or firewall rulesets. Program level isolation means isolating tightly bounded, proprietary program components. By integrating products from different manufacturers, you can effectively isolate program components from not using the standard documented interfaces.

41. Which of the following assumes that control over all or most resources is possible?

a. Security and quality

b. Reliability and availability

c. Security and survivability

d. Integrity and durability

41. c. Security and survivability requirements are based on the bounded system concept, which assumes that control over all resources is possible. Security and survivability must be part of the initial design to achieve the greatest level of effectiveness. Security should not be something added on later to improve quality, reliability, availability, integrity, or durability or when budget permits or after an attack has already occurred.

42. Which of the following eliminates single point-of-failure?

a. SCSI

b. PATA

c. RAID

d. SATA

42. c. Redundant arrays of independent disks (RAID) protect from single points-of-failure. RAID technology provides greater data reliability through redundancy—data can be stored on multiple hard drives across an array, thus eliminating single points-of-failure and decreasing the risk of data loss significantly. RAID systems often dramatically increase throughput of both reading and writing as well as overall capacity by distributing information across multiple drives. Initially, RAID controllers were based on using small computer systems interface (SCSI), but currently all common forms of drives are supported, including parallel-ATA (PATA), serial-ATA (SATA), and SCSI.

43. In an end user computing environment, what is the least important concern for the information security analyst?

a. Data mining

b. Data integrity

c. Data availability

d. Data usefulness

43. a. Data mining is a concept where the data is warehoused for future retrieval and use. Data mining takes on an important role in the mainframe environment as opposed to the personal computer (end user) environment. Management at all levels relies on the information generated by end user computer systems. Therefore, data security, integrity, availability, and usefulness should be considered within the overall business plans, requirements, and objectives. Data security protects confidentiality to ensure that data is disclosed to authorized individuals only.

Data integrity addresses properties such as accuracy, authorization, consistency, timeliness, and completeness. Data availability ensures that data is available anywhere and anytime to authorized parties. Data usefulness ensures that data is used in making decisions or running business operations.

44. In the trusted computing base (TCB) environment, which of the following is not a sufficient design consideration for implementing domain separation?