Читаем CISSP Practice полностью

115. a. Despite its security weaknesses, the Internet is not vulnerable to a single point-of-failure because it uses a point-to-point protocol (PPP) as the primary data link layer protocol over point-to-point lines. PPP handles error detection, supports multiple framing mechanisms, performs data compression and reliable transmission, enables IP addresses to be negotiated at connection time, and permits authentication. If one path or point fails, the Internet switches to another path or point therefore providing a solid connection.

The other three choices are vulnerable to a single point-of-failure. A converged network combines both data and voice, and as such it is vulnerable. Password synchronization can be a single point-of-failure because it uses the same password for many resources. The domain name system (DNS) server can become a single point-of-failure if there are no fault-tolerant and redundant mechanisms.

116. It is best to assume that external computer systems are:

a. Simple

b. Secure

c. Insecure

d. Complex

116. c. In general, external computer systems should be considered insecure. Until an external system has been deemed trusted, it is safe to assume that it is insecure. Systems can be simple or complex in design, which may or may not affect security.

117. Which of the following memory protection mechanisms deal with security impact levels?

a. System partitioning

b. Nonmodifiable executable programs

c. Resource isolation

d. Domain separation

117. a. An organization partitions the information system into components residing in separate physical domains or environments as deemed necessary. Information system partitioning is a part of a defense-in-depth protection strategy. The system partitioning is based on the system impact levels (i.e., low, medium, or high). Managed interfaces restrict network access and information flow among partitioned system components.

The other three choices are incorrect because they do not deal with security impact levels. A nonmodifiable executable program is the one that loads and executes the operating environment and application system from hardware-enforced and read-only media (e.g., CD-R/DVD-R disk drives). Resource isolation is the containment of subjects and objects in a system in such a way that they are separated from one another. Domain separation relates to the mechanisms that protect objects in the system.

118. Which of the following maintains the integrity of information that is sent over a channel?

a. Communication channel

b. Security-compliant channel

c. Trusted channel

d. Memory channel

118. c. A trusted channel maintains the integrity of information that is sent over it. The other three choices cannot maintain the integrity because they are not trusted.

119. Which of the following enforces the network policy?

a. Exploitable channel

b. Communications channel

c. Security-compliant channel

d. Memory channel

119. c. A security-compliant channel enforces the network policy and depends only upon characteristics of the channel either included in the evaluation or assumed as an installation constraint.

120. The use of which of the following can lead to the existence of a covert channel?

a. Data label

b. Dual label

c. Floating label

d. Fixed label

120. c. The covert channel problem resulting from the use of floating labels can lead to erroneous information labels. A fixed label is a part of a dual label.

121. Which of the following is needed for the correct operation of other security mechanisms?

a. Covert storage channel

b. Trusted channel

c. Covert timing channel

d. Overt channel

121. b. A trusted channel is needed for the correct operation of other security mechanisms. An overt channel may not be trusted. A covert storage and timing channel is a part of covert channel.

122. Which of the following determines the extent to which changes to an information system have affected the security state of the system?

a. Information system boundary

b. Information system resilience

c. Security impact analysis

d. Security control assessment

122. c. Security impact analysis is conducted to determine the extent to which changes to the information system have affected the security state of the system.