Reading CISSP Practice in full

26. c. The role of site security policy is important for firewall administration. A firewall should be viewed as an implementation of a policy; the policy should never be made by the firewall implementation. In other words, what protocols to filter, what application gateways to use, how network connectivity will be made, and what the protocol filtering rules are all need to be agreed on and codified beforehand, because ad hoc decisions will be difficult to defend and will eventually complicate firewall administration.
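The answer's point, that the rule set is an implementation of a policy written down first, can be shown in code. The following Python is an added example and not from the CISSP Practice text: the site policy is declared as data, the filtering rules are generated from it, and a snapshot of a deployed rule set is audited against the policy so that ad hoc additions show up as unbacked rules. The service names, networks, and the deployed snapshot are constructed for illustration; the nftables-style rule syntax is assumed to be what the administrator would load.

```python
"""Firewall rules derived from a codified site security policy.

Added example, not part of the CISSP Practice text. The policy comes first,
the rules are generated from it, and a running rule set is checked for drift.
All hosts, services and the deployed snapshot below are constructed samples.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyEntry:
    service: str        # name used in the written policy
    proto: str          # "tcp" or "udp"
    port: int
    source: str         # CIDR permitted to reach the service
    justification: str  # why the policy allows it


# Constructed sample policy: every permitted flow is agreed on and recorded
# before any rule is written.
SITE_POLICY = [
    PolicyEntry("https-web", "tcp", 443, "0.0.0.0/0", "public web front end"),
    PolicyEntry("ssh-admin", "tcp", 22, "10.0.5.0/24", "admin jump network only"),
    PolicyEntry("dns-resolver", "udp", 53, "10.0.0.0/16", "internal resolver"),
]


def generate_rules(policy):
    """Return nftables-style accept rules for each policy entry, then a default drop."""
    rules = [
        f"add rule inet filter input ip saddr {e.source} {e.proto} dport {e.port} accept"
        f"  # {e.service}: {e.justification}"
        for e in policy
    ]
    rules.append("add rule inet filter input drop  # default deny: nothing uncodified passes")
    return rules


# Matches the accept rules produced above (and the constructed snapshot).
RULE_RE = re.compile(r"ip saddr (\S+) (tcp|udp) dport (\d+) accept")


def audit_deployed(deployed_lines, policy):
    """Compare a deployed rule set with the policy.

    Returns (unbacked, missing): accept rules with no policy entry behind them,
    and policy service names that the deployment does not implement.
    """
    wanted = {(e.proto, e.port, e.source) for e in policy}
    seen = set()
    unbacked = []
    for line in deployed_lines:
        m = RULE_RE.search(line)
        if not m:
            continue  # drop rule, comments, or unrelated lines
        key = (m.group(2), int(m.group(3)), m.group(1))
        seen.add(key)
        if key not in wanted:
            unbacked.append(line.strip())
    missing = [e.service for e in policy if (e.proto, e.port, e.source) not in seen]
    return unbacked, missing


# Constructed snapshot of a running rule set: an administrator opened port 3389
# to the world ad hoc, and the resolver rule was never loaded.
DEPLOYED_SNAPSHOT = [
    "add rule inet filter input ip saddr 0.0.0.0/0 tcp dport 443 accept",
    "add rule inet filter input ip saddr 10.0.5.0/24 tcp dport 22 accept",
    "add rule inet filter input ip saddr 0.0.0.0/0 tcp dport 3389 accept",
    "add rule inet filter input drop",
]


if __name__ == "__main__":
    for rule in generate_rules(SITE_POLICY):
        print(rule)
    unbacked, missing = audit_deployed(DEPLOYED_SNAPSHOT, SITE_POLICY)
    print("accept rules with no policy backing:", unbacked)
    print("policy entries not deployed:", missing)
```

Run against the constructed snapshot, the audit reports the port 3389 rule as unbacked and `dns-resolver` as missing; the generated rule set audits clean against the policy it came from, which is the property the answer describes.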

27. Which of the following reduces the need to secure every user endpoint?

1. Diskless nodes

2. Thin client technology

3. Client honeypots

4. Thick client technology

a. 1 only

b. 1 and 2

c. 3 only

d. 3 and 4

27. b. A deployment of information system components with minimal functionality (e.g., diskless nodes and thin client technology) reduces the need to secure every user endpoint and may reduce the exposure of data/information, information systems, and services to a successful attack. Client honeypots are devices that actively seek out Web-based malicious code by posing as clients. Thick client technology is not recommended because it cannot protect the user endpoints, and it is less secure than the thin client technology in the way encryption keys are handled.

28. Communications between computers can take several approaches. Which of the following approaches is most secure?

a. Public telephone network

b. Fiber optic cables

c. Direct wiring of lines between the computer and the user workstation

d. Microwave transmission or satellites

28. b. Due to their design, fiber optic cables are safer and more secure than other types of computer links. A dial-up connection through a public telephone network is not secure unless a dial-back control is established. Direct wiring of lines between the computer and the user workstation is relatively secure when compared to the public telephone network. Microwave transmissions or satellites are subject to sabotage, electronic warfare, and wiretaps.

29. Which of the following is risky for transmission integrity and confidentiality when a network commercial service provider is engaged to provide transmission services?

a. Commodity service

b. Cryptographic mechanisms

c. Dedicated service

d. Physical measures

29. a. An information system should protect the integrity and confidentiality of transmitted information whether or not a network service provider is used. If the provider transmits data as a commodity service rather than as a fully dedicated service, the transmission is at risk. Cryptographic mechanisms include the use of encryption, and physical measures include a protected distribution system.

30. Network security and integrity do not depend on which of the following controls?

a. Logical access controls

b. Business application system controls

c. Hardware controls

d. Procedural controls

30. b. Application system controls include data editing and validation routines to ensure the integrity of business-oriented application systems such as payroll and accounts payable. They have nothing to do with network security and integrity.

Logical access controls prevent unauthorized users from connecting to network nodes or gaining access to applications through computer terminals.

Hardware controls include controls over modem usage, the dial-in connection, and the like. A public-switched network is used to dial into the internal network. Modems enable the user to link to a network from a remote site through a dial-in connection.

Procedural controls include (i) limiting the distribution of modem telephone numbers on a need-to-know basis, (ii) turning the modem off when not in use, and (iii) frequent changes of modem telephone numbers.

31. Which of the following questions must be answered first when planning for secure telecommuting?

a. What data is confidential?

b. What systems and data do employees need to access?

c. What type of access is needed?

d. What is the sensitivity of systems and data?
