Читаем CISSP Practice полностью

187. Which of the following is an example of risk on the client side of a network?

a. Software development tools

b. Scripts

c. Document formats

d. Active-X controls

187. d. On the browser (client) side, unnecessary plug-ins, add-ons, or Active-X controls should be removed. It is also recommended to substitute programs with lesser functionality in lieu of fully capable helper applications or plug-ins.

The other three choices are risks from the server side. On the server side, any unnecessary software not needed in providing Web services should be removed as well, particularly any software development tools that could be used to further an attack if an intruder should gain an initial foothold. Ideally, server-side scripts should constrain users to a small set of well-defined functionality and validate the size and values of input parameters so that an attacker cannot overrun memory boundaries or piggyback arbitrary commands for execution. Scripts should be run only with minimal privileges (i.e., nonadministrator) to avoid compromising the entire website in case the scripts have security flaws. Potential security weaknesses can be exploited even when Web applications run with low privilege settings. For example, a subverted script could have enough privileges to mail out the system password file, examine the network information maps, or launch a login to a high numbered port.

Whenever possible, content providers and site operators should provide material encoded in less harmful document formats. For example, if document distillers are not available to convert textual documents into portable document format (PDF), an alternative is to make available a version in .rtf (rich text format), rather than a proprietary word processing format.

188. Which of the following is an issue when dealing with information cross-domains?

a. Authentication policy

b. Level of trust

c. Common infrastructure

d. Shared infrastructure

188. b. An information domain is a set of active entities (e.g., person, process, or devices) and their data objects. The level of trust is always an issue when dealing with cross-domain interactions due to untrusted sources.

Authentication policy and the use of a common and shared infrastructure with appropriate protections at the operating system, application system, and workstation levels are some of solutions for ensuring effective cross-domain interactions.

189. Which of the following approaches isolates public-access systems from mission-critical resources?

1. Physical isolation

2. Demilitarized zones

3. Screened subnets

4. Security policies and procedures

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 1, 2, 3, and 4

189. d. Mission-critical resources include data, systems, and processes, which should be protected from public-access systems either physically or logically. Physical isolation may include ensuring that no physical connection exists between an organization’s public information resources and an organization’s critical information. When implementing a logical isolation solution, layers of security services and mechanisms should be established between public systems and secure private systems responsible for protecting mission-critical resources. Security layers may include using network architecture designs such as demilitarized zones (DMZ) and screened subnets. Finally, system designers and administrators should enforce organizational security policies and procedures regarding use of public-access systems.

190. Enclave boundary for information assurance is defined as which of the following?

1. The point at which information enters an organization

2. The point at which information leaves an enclave

3. The physical location is relevant to an organization

4. The logical location is relevant to an enclave

a. 1 and 3

b. 2 and 4

c. 3 and 4

d. 1, 2, 3, and 4

190. d. The enclave boundary is the point at which information enters or leaves the enclave or organization. Due to multiple entry and exit points, a layer of protection is needed to ensure that the information entering does not affect the organization’s operation or resources, and that the information leaving is authorized. Information assets exist in physical and logical locations and boundaries exist between these locations.

191. Operations, one of the principal aspects of the defense-in-depth strategy does not include which of the following?

a. Readiness assessments

b. Security management

c. Cryptographic key management

d. Physical security