16. c. Discretionary access controls (DAC) define access control security policy. The other choices are examples of protected communications controls, which ensure the integrity, availability, and confidentiality of sensitive information while it is in transit.

Cryptographic technologies include data encryption standard (DES), Triple DES (3DES), and secure hash standard. Data encryption methods include virtual private networks (VPNs) and Internet Protocol security (IPsec). Escrowed encryption algorithms include Clipper.

17. For risk mitigation strategies, which of the following is not a proper and effective action to take when a determined attacker’s potential or actual cost is too great?

a. Apply security design principles.

b. Decrease an attacker’s motivation.

c. Implement security architectural design.

d. Establish nontechnical security controls.

17. b. Usually, protection mechanisms to deter a normal and casual attacker are applied to decrease an attacker’s motivation by increasing the attacker’s cost when the attacker’s cost is less than the potential gain for the attacker. However, these protection mechanisms may not prevent a determined attacker, because the attacker’s potential gain could be more than the cost, or the attacker is seeking a strategic and competitive advantage with the attack.

The other three choices are proper and effective actions to take when the potential or actual cost for an attacker is too great, whether the attacker is normal, casual, or determined, because they are stronger protection mechanisms. Both technical and nontechnical security controls can be used to limit the extent of the attack.

18. Which of the following actions are required to manage residual risk when new or enhanced security controls are implemented?

1. Eliminate some of the system’s vulnerabilities.

2. Reduce the number of possible threat-source/vulnerability pairs.

3. Add a targeted security control.

4. Reduce the magnitude of the adverse impact.

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 1, 2, 3, and 4

18. d. Implementation of new or enhanced security controls can mitigate risk by (i) eliminating some of the system’s vulnerabilities (flaws and weaknesses) thereby reducing the number of possible threat-source/vulnerability pairs, (ii) adding a targeted control to reduce the capacity and motivation of a threat-source, and (iii) reducing the magnitude of the adverse impact by limiting the extent of a vulnerability.

19. Which of the following ongoing security monitoring activities are more valuable in determining the effectiveness of security policies and procedures implementation?

a. Plans of action and milestones

b. Configuration management

c. Incident statistics

d. Network monitoring

19. c. All four choices are examples of ongoing security monitoring activities. Incident and event statistics are more valuable in determining the effectiveness of security policies and procedures implementation. These statistics provide security managers with further insight into the status of security programs under their control and responsibility.

20. Which of the following pairs of security objectives, rules, principles, and laws are in conflict with each other?

a. All-or-nothing access principle and the security perimeter rule

b. Least privilege principle and employee empowerment

c. File protection rules and access granularity principle

d. Trans-border data flows and data privacy laws

20. b. Least privilege is a security principle that requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage resulting from an accident, error, or unauthorized use. This is in great conflict with employee empowerment in which employees are given freedom to do a wide variety of tasks in a given time period. Much discretion is left to each employee to achieve the stated goals.

The all-or-nothing access principle means access is either to all objects or to none at all. The security perimeter rule uses increasingly strong defenses as one approaches the core information or resources sought. Both strengthen security practices.
