Читаем CISSP Practice полностью

80. b. Because Active-X is a framework for Microsoft’s software component technology, it is platform-specific in that Active-X contents can be executed on a 32-bit or 64-bit Windows platform. It is language-independent because Active-X contents can be written in several different languages, including C, C++, Visual Basic, and Java. Note that Java, Active-X, and plug-ins can be malicious or hostile.

81. What does implementing security functions in an information system using a layered structure mean?

1. Using multilevel secure systems

2. Using multiple security level systems

3. Avoiding any dependence by lower layers on the functionality of higher layers

4. Minimizing interactions between layers of the design

a. 1 and 3

b. 2 and 4

c. 3 and 4

d. 1, 2, 3, and 4

81. c. Security functions in an information system should be implemented by using a layered structure that minimizes interactions between layers of the design and that avoids any dependence by lower layers on the functionality or correctness of higher layers.

Multilevel or multiple levels do not have interactions or dependencies as the layers do because they deal with security clearances and access authorizations.

82. To mitigate the risks of using active content, which of the following is an example of hybrid technical safeguards?

a. Risk analysis and security management

b. Layered defenses and security policy

c. Software cages and digital signatures

d. Minimal functionality and least privilege

82. c. Hybrid safeguards combine more than one control. Combining software cages and digital signatures is an example of hybrid technical safeguard. The other three choices are examples of management and operational safeguards.

83. To mitigate the risks of using active content, which of the following is an example of hybrid technical safeguards?

a. Proof carrying code and filters

b. Security policy and security audit

c. Version control and patch management

d. System isolation and application settings

83. a. Hybrid technical safeguards combine more than one control. Blending the proof carrying code and filters is an example of hybrid technical safeguard. The blending of proof carrying code and software cage is known as model-carrying code. The other three choices are examples of management and operational safeguards.

84. Which of the following IT platforms face a single point-of-failure situation?

a. Wide-area networks

b. Distributed systems

c. Mainframe systems

d. Websites

84. a. A wide-area network (WAN) is a data communication network that consists of two or more local-area networks (LANs) that are dispersed over a wide geographical area. Communications links, usually provided by a public carrier, enable one LAN to interact with other LANs. If redundant communication links are used, it is important to ensure that the links have physical separation and do not follow the same path; otherwise, a single incident, such as a cable cut, could disrupt both links. Similarly, if redundant communication links are provided through multiple network service providers (NSPs), it is important to ensure that the NSPs do not share common facilities at any point. Hence, the communication links and the network service providers can become a single point-of-failure for WANs.

Distributed systems, mainframe systems, and websites do not have the single point-of-failure problems because WANs are more complicated.

85. Which one of the following is not related to the others?

a. Sandbox

b. S-box

c. Dynamic sandbox

d. Behavioral sandbox

85. b. S-box is a nonlinear substitution table box used in several byte substitution transformations in the cryptographic key expansion routine to perform a one-for-one substitution of a byte value. S-box is not related to the three choices. An application in a sandbox is usually restricted from accessing the file system or the network (e.g., JavaApplet). Extended technologies of a sandbox include dynamic sandbox or runtime monitor (i.e., behavioral sandbox), which are used in software cages and proof carrying code to protect against active content and for controlling the behavior of mobile code.

86. For information assurance vulnerabilities, what is independent validation of an information system conducted through?:

a. Penetration testing

b. Conformance testing

c. Red team testing

d. Blue team testing