Читаем CISSP Practice полностью

b. Server-oriented attacks

c. Network-oriented attacks

d. User-oriented attacks

179. c. An attacker may modify the domain name system (DNS) mechanism to direct it to a false website. These techniques are often used to perform pharming attacks, where users may divulge sensitive information. Note that pharming attacks can also be initiated by subverting the victim’s host computer files.

180. Which of the following is an example of a single point-of-failure?

a. Security administration

b. Single sign-on

c. Multiple passwords

d. Network changes

180. b. The single sign-on (SSO) system is an example of a single point-of-failure, where the risk is concentrated rather than diffused. If the sign-on system is compromised, the entire system is vulnerable.

The other three choices are examples of multiple points-of-failure, where many things can go wrong in many places by many individuals. Every time an employee is terminated or parts of the network changed, the security administrator must deactivate all the employee’s passwords and reconfigure the network. Here, the risk is spread out, not concentrated.

181. Which of the following is an example of a second line-of-defense in attack recognition?

a. Firewall

b. Attack detection software

c. Password

d. Internal controls

181. b. A firewall, a password, and internal controls are first lines-of-defenses against attacks and fraud. The firewall can be bypassed by a clever attacker using an Internet protocol (IP) spoof attack or by bypassing it completely and gaining access to the network directly through a modem. Because of the difficulty in configuring a firewall, a second line-of-defense is needed, and it is the attack detection software installed either on host or network. If an attack cannot be prevented, it must at least be detected.

The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

182. Which of the following physical security mechanisms provides a first line-of-defense for a data center?

a. Interior areas within a building

b. Exterior walls of a building

c. Perimeter barriers outside a building

d. Ceilings of a building

182. c. The perimeter barriers such as gates and guards, which are located at an outer edge of a property, provide a first line-of-defense. Exterior walls, ceilings, roofs, and floors of a building themselves provide a second line-of-defense. Interior areas within a building such as doors and windows provide a third line-of-defense. All these examples are physical security mechanisms. The first line-of-defense is always better than the other lines-of-defenses due to cost, time, and effectiveness factors.

The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

183. Which of the following is the correct approach for an information system to separate user functionality from management functionality?

a. Application partitioning

b. Boundary protection

c. Security parameters

d. Controlled interfaces

183. a. Application partitioning means the information system physically or logically separates user interface services (e.g., public Web pages) from information system storage and management services (e.g., database management). Separation may be accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, or combinations of these or other methods.

Boundary protection is incorrect because it means controlling communications at the external boundary of an information system and at key internal boundaries within the system. The organization physically allocates publicly accessible information system components (e.g., public Web servers) to separate sub-networks with separate, physical network interfaces.

Security parameters are incorrect because they include security labels and markings, which are associated with information exchanged between information systems.