278. b. Rules or rulesets are used in routers and firewalls. Adding new rules to a router or firewall could have a substantial negative impact on the device’s performance, causing network slowdowns or even a denial of service (DoS). Information security management should carefully consider where filtering should be implemented (e.g., border router, boundary router, and firewall). A boundary router is located at the organization’s boundary to an external network.

The other three choices do not use rules or rulesets. A sensor is an intrusion detection and prevention system (IDPS) component that monitors and analyzes network activity. A switch is a mechanical, electromechanical, or electronic device for making, breaking, or changing the connections in or among circuits. A hardware/software guard is designed to provide a secure information path for sharing data between multiple system networks operating at different security levels. A gateway transfers information and converts it to a form compatible with the receiving network’s protocols. A connector is an electromechanical device on the ends of cables that permits them to be connected with, and disconnected from, other cables. A concentrator gathers together several lines in one central location.

279. Countermeasures against sniffers do not include which of the following?

a. Using a recent version of the secure shell protocol.

b. Applying end-to-end encryption.

c. Using packet filters.

d. Implementing robust authentication techniques.

279. c. Packet filters are good against flooding attacks. Using a recent version of secure shell (e.g., SSHv2) or the IPsec protocol, using end-to-end encryption, and implementing robust authentication techniques are effective against sniffing attacks.

280. Secure remote procedure call (RPC) provides which one of the following security services?

a. Authentication

b. Confidentiality

c. Integrity

d. Availability

280. a. Secure remote procedure call (RPC) provides authentication services only. Confidentiality, integrity, and availability services must be provided by other means.

281. Which of the following does not provide confidentiality protection for Web services?

a. Extensible markup language (XML) encryption

b. Web services security (WS-Security)

c. Advanced encryption standard (AES)

d. Hypertext transfer protocol secure (HTTPS)

281. c. The advanced encryption standard (AES) does not provide confidentiality protection for Web services. However, the AES is used for securing sensitive but unclassified information.

The other three choices provide confidentiality protection for Web services because most Web service data is stored in the form of extensible markup language (XML). Using XML encryption before storing data should provide confidentiality protection while maintaining compatibility. Web services security (WS-Security) and HTTPS are generally used to protect confidentiality of simple object access protocol (SOAP) messages in transit, leaving data at rest vulnerable to attacks.

282. Firewalls cannot provide a “line of perimeter defense” against attacks from which of the following?

a. Traffic entering a network

b. Traffic to and from the Internet

c. Traffic to host systems

d. Traffic leaving a network

282. b. Firewalls police network traffic that enters and leaves a network. Firewalls can stop many penetrating attacks by disallowing many protocols that an attacker could use to penetrate a network. By limiting access to host systems and services, firewalls provide a necessary line of perimeter defense against attack. The new paradigm of transaction-based Internet services makes these “perimeter” defenses less effective as their boundaries between friendly and unfriendly environments blur.

283. Sources of legal rights and obligations for privacy over electronic mail do not include which of the following?

a. Law of the country

b. Employer practices

c. Employee practices

d. Employer policies
