Encryption is incorrect because it implements the confidentiality security service. Encryption refers to cryptographic technology using keys. Two classes of encryption exist: symmetric (using a secret key) and asymmetric (using a public key).
Traffic padding is incorrect because it provides confidentiality services. Observation of traffic patterns, even when the traffic is enciphered, may yield information to an intruder. This mechanism may be used to confound the analysis of traffic patterns.
Routing control is incorrect because it provides a confidentiality service. With routing control, routes can be chosen so as to use only secure links in the communication line.
94. Which of the following is not an example of information system entry and exit points to protect from malicious code?
a. Firewalls
b. Electronic mail servers
c. Workstations
d. Web servers
94. c. An organization employs malicious code protection mechanisms at critical information system entry and exit points such as firewalls, e-mail servers, Web servers, proxy servers, and remote access servers. Workstations are internal to an organization and do not provide direct entry and exit points.
95. Which of the following statements about data gateways is not correct?
a. Data gateways cannot standardize communication protocols.
b. Data gateways are devices to adapt heterogeneous clients to servers.
c. Data gateways absorb diversity in implementation details.
d. Data gateways provide access control and authentication mechanisms.
95. a. Gateways translate between incompatible protocols, such as between IBM’s SNA and TCP/IP. Data gateways, then, are devices to adapt heterogeneous clients and servers. They may simply absorb diversity in implementation details and provide access control and authentication mechanisms. It is incorrect to say that data gateways cannot standardize communication protocols.
96. Which of the following is not used in creating dynamic Web documents?
a. Common gateway interface (CGI)
b. Extensible markup language (XML)
c. JavaServer page (JSP)
d. ActiveServer page (ASP)
96. b. Extensible markup language (XML) is used in creating a static Web document. Dynamic Web documents (pages) are written in CGI, JSP, and ASP.
97. Which of the following is not a server-side script used in dynamic hypertext markup language (HTML)?
a. Common gateway interface (CGI)
b. ActiveServer page (ASP)
c. JavaApplets
d. Perl
97. c. A JavaApplet is a client-side script. Dynamic hypertext markup language (dynamic HTML) is a collection of dynamic HTML technologies for generating Web page contents on-the-fly. It uses the server-side scripts (e.g., CGI, ASP, JSP, PHP, and Perl) and the client-side scripts (e.g., JavaScript, JavaApplets, and ActiveX controls).
98. Which of the following can provide a false sense of security?
1. Encryption protocols
2. Digital signatures
3. Firewalls
4. Certified authorities
a. 1 and 2
b. 2 and 3
c. 1 and 3
d. 2 and 4
98. c. Both encryption protocols and firewalls can provide a false sense of security. Encryption is used to provide confidentiality of data from the point of leaving the end user’s software client to the point of being decrypted on the server system. After the data is stored “in the clear” on the server, data confidentiality is no longer ensured. Data confidentiality aside, encryption cannot prevent malicious attackers from breaking into the server systems and destroying data and transaction records. Firewalls have been used to protect internal computer systems from outside attacks and unauthorized inside users. The effectiveness of a firewall is usually in providing a deterrent for would-be attacks. However, the bigger issue with firewalls is misconfiguration.
Digital signatures and certified authorities provide a good sense of security because they work together to form a trusted relationship. A digital signature stamped by the certifying authority can certify that the client and the server can be trusted.
99. The normal client/server implementation uses which of the following?
a. One-tier architecture
b. Two-tier architecture
c. Three-tier architecture
d. Four-tier architecture
99. b. The normal client/server implementation is a two-tiered architecture for simple networks (i.e., one client and one server). Multitiered architectures use one client and several servers.