Читаем CISSP Practice полностью

144. c. Firewalls are good at preventing vulnerabilities in software inside the firewall from being exposed to the Internet at large. However, firewalls permit Internet requests to access certain software running on machines inside the firewall. This includes e-mail, Web requests, file transfer protocol (FTP), and telnet sessions. The problem with trusted Active-X controls is that an Active-X control can easily exploit vulnerabilities in the firewall that allows the control to make a connection back to a Web server. This means that the Active-X control can behave maliciously by design or through manipulation by a malicious server. The ability for Active-X controls to accept scripting commands makes them vulnerable to manipulation from malicious servers.

145. Which of the following has a sound security model to prevent malicious code behavior?

a. Active-X controls

b. Java Applets

c. JavaScripts

d. E-mail attachments

145. b. Java Applets have a sound security model to prevent malicious code behavior when compared to Active-X controls, JavaScripts, and e-mail attachments. Java applets use a technology-oriented policy called the sandbox concept. The Java Sandbox prevents Java applets from using sensitive system services. With all other forms of active content, the security policy is trust-based. That is, the user must trust the source of the active content and assume the risk in case the active content causes harm, whether through malicious intention or through inadvertent flaws in the code.

Although most malicious file attachments have suspicious file extensions, such as .bat, .cmd, .exe, .pif, .vbs, and .scr, the use of once-benign file extensions, such as .zip, has become more prevalent for malicious file attachments.

146. Which one of the following security features and mechanisms is specified by the structured query language (SQL) standards?

a. Identification and authentication

b. Transaction management

c. Auditing

d. Fault tolerance

146. b. The database language SQL is a standard interface for accessing and manipulating relational databases. Many critical security features are not specified by SQL; others are specified in one version of SQL but omitted from earlier versions. A database may be in a consistent or inconsistent state. A consistent state implies that all tables (or rows) reflect some real-world change. An inconsistent state implies that some tables (or rows) have been updated but others still reflect the old world. Transaction management mechanisms are applied to ensure that a database remains in a consistent state at all times. These mechanisms enable the database to return to the previous consistent state if an error occurs.

Identification and authentication mechanisms are not specified in SQL. However, they are required implicitly. In the simplest case, the user authenticates his identity to the system at logon. That information is maintained throughout the session. The information is passed to the DBMS when the DBMS is accessed. The strength of authentication varies with the type, implementation, and management of the authentication mechanisms. The SQL specification does not include auditing requirements, but SQL products may include some auditing functionality. Warning mechanisms are closely related to auditing requirements. If the SQL processor includes auditing, the operating system must have sufficient access controls to prevent modification of, or access to, the audit trail. Fault tolerance is not required by any SQL specification but is a feature of certain SQL implementations. Fault-tolerant systems address system failure; disk array technology can be used to address storage media failure.

147. Which of the following characterizes the relational database technology?

a. Rows and columns

b. Nodes and branches

c. Blocks and arrows

d. Parents and children

147. a. Relational database technology deals with tables, rows, and columns. A hierarchical data model (tree structure) consists of nodes and branches and parents and children. The highest node is called a root. The node types are called segment-types. The root node type is called the root-segment-type. Blocks and arrows can be found in the network data model.

148. In a relational database management system, which one of the following types of security locking mechanisms best achieves the concept of fine-grain locking?

a. Row-level locking

b. Table-level locking

c. Block-level locking

d. File-level locking