Читаем CISSP Practice полностью

170. b. The need for layered security protection is most important when commercial off-the-shelf products are used from software vendors. Practical experience has shown that the current state-of-the-art for security quality in vendor’s commercial system products does not provide a high degree of protection against sophisticated attacks. Additional security controls are needed to provide a layered security protection because the vendor product is a generic product with minimal security controls for all customers’ use.

The systems in the other three choices are internal systems to an organization that are developed with a specific business purpose and with adequate security controls. General support system is an interconnected set of information resources under the same direct management control that share common functionality, including hardware, software, data/information, applications, communications, and people. An information system is classified as a major system when its development, maintenance, and operating cost are high and when it has a significant role in the overall operations of an organization.

171. Which of the following are required for an information system to become resilient?

1. Detect and respond capabilities

2. Manage single points-of-failure

3. Implement a response strategy

4. Develop a reporting system

a. 1 and 2

b. 2 and 3

c. 1 and 3

d. 1, 2, 3, and 4

171. d. For information systems to become resilient, organizations should establish detect and respond capabilities, manage single points-of-failure in their systems, implement a response strategy, and develop a reporting system for management.

172. Which of the following does not act as the first line-of-defense for protecting the data?

a. Passwords

b. Disk mirroring

c. Audit trails

d. Redundant array of independent disk

172. c. Audit trails provide information on an after-the-fact basis. They do not prevent bad things from happening.

Disk mirroring, redundant array of independent disk (RAID), and passwords are the first line-of-defenses. Disk mirroring and RAID act as the first line-of-defense for protecting against data loss. Incorrect entry of a password will be rejected thus disallowing an unauthorized person to enter into a computer system. Both disk mirroring and RAID provide redundant services.

The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

173. Which of the following is the last (final) line-of-defense for the defense-in-depth strategy?

a. Perimeter-based security

b. Network-based computing environment

c. Host-based computing environment

d. Host-based security

173. c. Detect and respond actions effectively mitigate the effects of attacks that penetrate and compromise the network. The host-based computing environment is the last (final) line-of-defense for the defense-in-depth strategy. The protection approach must take into account some facts such as workstations and servers can be vulnerable to attacks through poor security postures, misconfigurations, software flaws, or end-user misuse.

Perimeter-based security is incorrect because it is a technique of securing a network by controlling accesses to all entry and exit points of the network. Network-based computing environment is incorrect because it focuses on effective control and monitoring of data flow into and out of the enclave, which consists of multiple LANs, ISDNs, and WANs connected to the Internet. It provides a first line-of-defense. Host-based security is incorrect because it is a technique of securing an individual system from attacks.

The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

174. What do fundamental goals of the defense-in-depth include?

a. Sneak and peek

b. Trap and trace

c. Detect and respond

d. Protect and detect