Security Architecture and Design Flashcards
1. What is the final step in authorizing a system for use in an environment?
A. Certification
B. Security evaluation and rating
C. Accreditation
D. Verification
C - Certification is a technical review of a product, and accreditation is management’s formal approval of the findings of the certification process. This question asked you which step was the final step in authorizing a system before it is used in an environment, and that is what accreditation is all about.
2. What feature enables code to be executed without the usual security checks?
A. Temporal isolation
B. Maintenance hook
C. Race conditions
D. Process multiplexing
B - Maintenance hooks get around the system’s or application’s security and access control checks by allowing whomever knows the key sequence to access the application and most likely its code. Maintenance hooks should be removed from any code before it gets into production.
3. If a component fails, a system should be designed to do which of the following?
A. Change to a protected execution domain
B. Change to a problem state
C. Change to a more secure state
D. Release all data held in volatile memory
C - The state machine model dictates that a system should start up securely, carry out secure state transitions, and even fail securely. This means that if the system encounters something it deems unsafe, it should change to a more secure state for self-preservation and protection.
4. Which is the first level of the Orange Book that requires classification labeling of data?
A. B3
B. B2
C. B1
D. C2
C - These assurance ratings are from the Orange Book. B levels on up require security labels be used, but the question asks which is the first level to require this. B1 comes before B2 and B3, so it is the correct answer.
5. The Information Technology Security Evaluation Criteria was developed for which of the following?
A. International use
B. U.S. use
C. European use
D. Global use
C - In ITSEC, the I does not stand for international; it stands for information. This set of criteria was developed to be used by European countries to evaluate and rate their products.
6. A guard is commonly used with a classified system. What is the main purpose of implementing and using a guard?
A. To ensure that less trusted systems only receive acknowledgments and not messages
B. To ensure proper information flow
C. To ensure that less trusted and more trusted systems have open architectures and interoperability
D. To allow multilevel and dedicated mode systems to communicate
B - The guard accepts requests from the less trusted entity, reviews the request to make sure it is allowed, and then submits the request on behalf of the less trusted system. The goal is to ensure that information does not flow from a high security level to a low security level in an unauthorized manner.
