CISSP: Security Architecture and Design Flashcards Preview


Flashcards in CISSP: Security Architecture and Design Deck (18)

1. The four CPU operating states include all the following except

A. Operating
B. Problem
C. Wait
D. Virtual

D. Virtual

The four CPU operating states are operating (or run), problem (or application), supervisory, and wait. Review “CPU.”

2. A computer system that alternates execution of multiple subprograms on a single processor describes what type of system?

A. Multiprogramming
B. Multitasking
C. Multiuser
D. Multiprocessing

B. Multitasking

A multitasking computer alternates execution of multiple subprograms or tasks on a single processor. A multiprogramming computer alternates execution of multiple programs on a single processor. A multiuser computer supports several users. A multiprocessing computer executes multiple programs on multiple processors. Review “CPU.”

3. An address used as the origin for calculating other addresses describes

A. Base addressing
B. Indexed addressing
C. Indirect addressing
D. Direct addressing

A. Base addressing

Indexed addressing specifies an address relative to an index register. Indirect addressing specifies the address of the desired location. Direct addressing specifies the desired location. Review “Memory.”

4. The four main functions of the operating system include all the following except

A. Process management
B. BIOS management
C. I/O device management
D. File management

B. BIOS management

The four main functions of an OS are process management, I/O device management, memory management, and file management. The system BIOS operates independently of the OS. Review “Software.”

5. The total combination of protection mechanisms within a computer system, including hardware, firmware, and software, which is responsible for enforcing a security policy defines

A. Reference monitor
B. Security kernel
C. Trusted Computing Base
D. Protection domain

C. Trusted Computing Base

A reference monitor is the abstract machine that mediates every access by a subject to an object. A security kernel is the hardware, firmware, and software of the TCB that implements the reference monitor concept. A protection domain is the set of objects and operations a subject is permitted to access, which is how the principle of least privilege is applied to a process. Review “Trusted Computing Base (TCB).”

6. A system that continues to operate following failure of a network component describes which type of system?

A. Fault-tolerant
B. Fail-safe
C. Fail-soft
D. Failover

A. Fault-tolerant

A fail-safe system terminates program execution. A fail-soft system continues functioning in a degraded mode. A failover system automatically switches to a hot backup. Review “Recovery procedures.”

7. Which of the following access control models addresses availability issues?

A. Bell-LaPadula
B. Biba
C. Clark-Wilson
D. None of the above

D. None of the above

Bell-LaPadula addresses confidentiality issues. Biba and Clark-Wilson address integrity issues. Review “Access Control Models.”
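The card states which property each model protects; the following added example (written for this page, not code from the flashcard deck or from the models' original papers) makes the point concrete by encoding the Bell-LaPadula and Biba rules as access checks and running one constructed subject against a four-level lattice. The level names, the `verdict` bitmask and the request set are assumptions made for the demonstration: the same numeric ordering is read as sensitivity for Bell-LaPadula and as integrity for Biba, which is why the two rule sets come out as mirror images.

```c
#include <stdio.h>

/* Constructed four-level lattice (added example, not from the deck).
 * For Bell-LaPadula the numbers are sensitivity levels; for Biba the same
 * numbers are read as integrity levels. Higher number = higher level. */
enum level { LOW = 0, MEDIUM = 1, HIGH = 2, TOP = 3 };
enum op    { OP_READ, OP_WRITE };

/* Bell-LaPadula (confidentiality):
 *   simple security property: no read up   -> subject >= object to read
 *   *-property:               no write down -> subject <= object to write
 * Returns 1 if the access is permitted, 0 otherwise. */
static int blp_allows(enum level subject, enum level object, enum op op) {
    return (op == OP_READ) ? (subject >= object) : (subject <= object);
}

/* Biba (integrity), the mirror image of Bell-LaPadula:
 *   simple integrity axiom: no read down -> subject <= object to read
 *   *-integrity axiom:      no write up  -> subject >= object to write
 * Returns 1 if the access is permitted, 0 otherwise. */
static int biba_allows(enum level subject, enum level object, enum op op) {
    return (op == OP_READ) ? (subject <= object) : (subject >= object);
}

/* One request under both models: bit 0 set if Bell-LaPadula permits it,
 * bit 1 set if Biba permits it. Neither model says anything about availability. */
static unsigned verdict(enum level subject, enum level object, enum op op) {
    return (blp_allows(subject, object, op) ? 1u : 0u)
         | (biba_allows(subject, object, op) ? 2u : 0u);
}

int main(void) {
    static const char *name[]   = { "LOW", "MEDIUM", "HIGH", "TOP" };
    static const char *opname[] = { "read", "write" };

    /* Constructed requests: a HIGH subject against every object level, both ops. */
    for (int o = OP_READ; o <= OP_WRITE; o++) {
        for (int obj = LOW; obj <= TOP; obj++) {
            unsigned v = verdict(HIGH, (enum level)obj, (enum op)o);
            printf("HIGH subject %-5s %-6s object: BLP %s, Biba %s\n",
                   opname[o], name[obj],
                   (v & 1u) ? "allow" : "deny",
                   (v & 2u) ? "allow" : "deny");
        }
    }
    return 0;
}
```

Reading the output row by row shows the trade-off the card summarises: a HIGH subject writing to a LOW object is denied by Bell-LaPadula (it would leak secrets downward) but allowed by Biba (high-integrity data flowing to a low-integrity object does no harm), and the opposite holds for reading from LOW.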

8. The four basic control requirements identified in the Orange Book include all the following except

A. Role-based access control
B. Discretionary access control
C. Mandatory access control
D. Object reuse

A. Role-based access control

The four basic control requirements identified in the Orange Book are discretionary access control, mandatory access control, object reuse, and labels. Review “Trusted Computer System Evaluation Criteria (TCSEC).”

9. The purpose of session management in a web application is

A. To prevent Denial of Service attacks
B. To collect session-based security metrics
C. To control the number of concurrent sessions
D. To protect sessions from unauthorized access

D. To protect sessions from unauthorized access.

Session management, usually implemented through cookies, hidden variables, or URL variables, is used to track individual application user sessions. Review “Vulnerabilities in security architectures.”

10. Which of the following ITSEC classification levels is equivalent to TCSEC level B3?

A. E3
B. E4
C. E5
D. E6

C. E5

E3 is equivalent to TCSEC level B1, E4 to B2, and E6 to A1. Review “European Information Technology Security Evaluation Criteria (ITSEC).”

11. Which security model is specifically designed to protect the integrity of information in a government computing environment?
a. The Sherwood Applied Business Security Architecture (SABSA)
b. The Bell-LaPadula model
c. The Biba model
d. The Zachman Framework

C. The Biba model addresses integrity in a government computer environment (MAC).

12. Which of the following would eliminate the vulnerability that allows the buffer overflow attack?
a. Monitoring the process state table
b. Preemptive multitasking
c. Compiling code instead of interpreting code into machine language
d. Qualifying the data required by processes

D. The buffer overflow attack is possible because developers allow users (attackers) to input more data than the buffer has space for. The excess data overwrites whatever lies beyond the buffer, such as a saved return address or other pointer, and possibly instructions, with whatever the attacker chooses to inject. Developers should qualify the quantity and type of data before it is written to the buffer, rejecting input that does not fit.
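The card describes the defect in words; the following added example (written for this page, not code from the flashcard deck) shows the unchecked copy beside the qualified one. The `struct login` layout, the `is_admin` field and the oversized input are constructed for the demonstration: placing a sensitive field directly after the buffer makes the overwrite visible without crashing the program, whereas the same overrun in a stack frame reaches the saved return address the card refers to.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed record (added example): a fixed-size buffer followed by a
 * sensitive field. Overflowing `name` lands in `is_admin`. */
struct login {
    char name[NAME_LEN];
    int  is_admin;
};

/* Deliberately vulnerable: copies however many bytes the caller supplies.
 * No bound is applied, so any input of NAME_LEN or more characters overruns. */
static void set_name_unchecked(struct login *l, const char *input) {
    strcpy(l->name, input);
}

/* Hardened: qualifies the input's length before anything is written.
 * Rejects rather than silently truncating, so the caller learns the input
 * was bad. Returns 0 on success, -1 when the input does not fit. */
static int set_name_checked(struct login *l, const char *input) {
    size_t n = strlen(input);
    if (n >= sizeof l->name) {        /* need n + 1 bytes, including the NUL */
        return -1;
    }
    memcpy(l->name, input, n + 1);
    return 0;
}

/* Returns 1 if the hardened setter accepts `input` intact and leaves
 * is_admin untouched, 0 if it rejects the input. */
static int accepts(const char *input) {
    struct login l = {{0}, 0};
    return set_name_checked(&l, input) == 0
        && strcmp(l.name, input) == 0
        && l.is_admin == 0;
}

int main(void) {
    /* Constructed attacker input: 16 'A's fill `name` exactly, the 0x01 byte
     * spills into the low byte of is_admin, and strcpy's NUL follows it. */
    const char *oversized = "AAAAAAAAAAAAAAAA\x01";

    struct login victim = {{0}, 0};
    set_name_unchecked(&victim, oversized);
    printf("unchecked copy: is_admin = %d (flipped by the overflow)\n", victim.is_admin);

    struct login guarded = {{0}, 0};
    int rc = set_name_checked(&guarded, oversized);
    printf("checked copy:   rc = %d, is_admin = %d (input rejected)\n", rc, guarded.is_admin);
    return 0;
}
```

Build with `cc -O0 -o overflow overflow.c` for the demonstration (an assumption about the toolchain: at higher optimisation levels a fortified `strcpy` may abort the unchecked copy before it completes). The hardened path is the answer the card is pointing at: the buffer itself is unchanged, but the length is qualified before the write, so the oversized input never reaches memory it does not own.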

13. The ODBC driver resides at which layer of the application architecture?
a. The client layer
b. The presentation layer
c. The middleware layer
d. The application layer

C. The ODBC driver normalizes and converts data into a standard format as required by the application. It resides in the middleware layer.

14. Which of the following types of memory is not volatile?
a. EPROM
b. Level 1 cache memory
c. RAM
d. Level 1 cache memory

A. The erasable/programmable read-only memory (EPROM) is an example of nonvolatile memory. It retains its data even when the power to the system is removed.

15. Which system evaluation process can provide an Evaluation Assurance Level (EAL)?
a. Capability Maturity Model Integration (CMMI)
b. Trusted Computer System Evaluation Criteria (TCSEC)
c. Information Technology Security Evaluation Criteria (ITSEC)
d. Common Criteria

D. The Common Criteria provides seven Evaluation Assurance Levels, EAL 1 through EAL 7.

16. Which system evaluation process offers seven granular levels of certification and ranges from A1 through D?
a. Capability Maturity Model Integration (CMMI)
b. Trusted Computer System Evaluation Criteria (TCSEC)
c. Information Technology Security Evaluation Criteria (ITSEC)
d. Common Criteria

B. The TCSEC was based on the Bell-LaPadula confidentiality model and identifies four primary divisions of protection, ranging from A to D: (A) verified protection, (B) mandatory access control protection, (C) discretionary access control protection, and (D) minimal protection. The granular designations are, from weakest to strongest protection, D, C1, C2, B1, B2, B3, A1.

17. Which of the following best describes the differences between certification and accreditation?
a. Certification shows that the system(s) can perform the function, and accreditation shows that the systems(s) can perform the function every time under the specified conditions.
b. Certification shows that the system(s) meets a specified standard, and accreditation shows that the system(s) can perform the function every time under the specified conditions.
c. Certification shows that the system(s) meets a specified standard, and accreditation is management's acceptance of the risks of operating the system(s).
d. Certification shows that the system(s) can perform the function, and accreditation is management's acceptance of the risks of operating the system(s).

C. Certification shows that the system(s) meets a specified standard, and accreditation is management's acceptance of the risk of operating the system(s).

18. Which of the following best describes a large array of computing systems and resources to provide exceptional accessibility, availability, performance, and scalability?
a. Infrastructure as a service (IaaS)
b. Service-oriented architecture
c. Cloud computing
d. Platform as a service (PaaS)

C. Cloud computing is a large array of computing systems and resources that provides exceptional accessibility, availability, performance, and scalability.