Читаем CISSP Practice полностью

60. Media sanitization activity is usually most intense during which of the following phases of the system development life cycle (SDLC)?

a. Development/acquisition

b. Implementation

c. Operation/maintenance

d. Disposal

60. d. Media sanitization ensures that data is deleted, erased, and written over as necessary. Media sanitization and information disposition activity is usually most intense during the disposal phase of the system life cycle. However, throughout the life of an information system, many types of data storage media will be transferred outside positive control, and some will be reused during all phases of the SDLC. This media sanitization activity may be for maintenance reasons, system upgrades, or during a configuration update.

61. The security certification assessor is involved with which of the following activities?

a. System development

b. System controls

c. System implementation

d. System operations

61. b. The security certification assessor is involved in assessing security controls in an information system to provide an unbiased opinion. The assessor’s independence implies that he is not involved in the information system development, implementation, or operation.

62. Which of the following threats rely entirely on social engineering techniques?

1. Trojan horse

2. Mobile code

3. Phishing

4. Virus hoaxes

a. 1 and 2

b. 2 and 3

c. 1 and 3

d. 3 and 4

62. d. Both phishing and virus hoaxes rely entirely on social engineering, which is a general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious. Phishing refers to using deceptive computer-based means to trick individuals into disclosing sensitive personal information. Virus hoaxes are false virus warnings. The majority of virus alerts that are sent via e-mail among users are actually hoaxes.

Trojan horse is incorrect because it is a nonreplicating program that appears to be benign but actually has a hidden malicious purpose.

Mobile code is incorrect because it is software that is transmitted from a remote system to be executed on a local system, typically without the user’s explicit instruction. Trojan horse and mobile code do not rely on social engineering.

63. Defining roles and responsibilities is important in identifying infected hosts with malware incidents before security incidents occur. Which of the following groups can primarily assist in analyzing routers?

a. Security administrators

b. System administrators

c. Network administrators

d. Desktop administrators

63. c. Organizations should identify which individuals or groups can assist in infection identification efforts. Network administrators are good at analyzing routers along with analyzing network traffic using packet sniffers and misconfigurations. The roles of administrators defined in the other three choices are different due to separation of duties, independence, and objectivity viewpoints.

64. Which of the following is not a part of software and information integrity for commercial off-the-shelf application security?

a. Parity checks

b. Cyclical redundancy checks

c. Failed security tests

d. Cryptographic hashes

64. c. An organization employs automated mechanisms to provide notification of failed security tests, which is a control used in the verification of security functionality. The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions.

The organization employs good software engineering practices for commercial off-the-shelf integrity mechanisms (for example, parity checks, cyclical redundancy checks, and cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.

65. Attackers can exploit which of the following flaws to access user accounts, view sensitive files, or use unauthorized functions?

a. Broken access control

b. Invalidated input

c. Broken authentication

d. Cross-site scripting flaws