219. a. Web applications frequently use cryptographic functions to protect information and credentials in storage. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
220. Protection mechanisms defined in security design architecture include which of the following?
a. Layering, abstraction, and data hiding
b. Isolation, segmentation, and separation
c. Security kernel, reference monitor, and system high
d. Accountability, integrity, and confidentiality
220. a. Layering, abstraction, and data hiding are part of security design architecture. The other three choices deal with security control architecture. Layering uses multiple, overlapping protection mechanisms to address the people, technology, and operational aspects of IT. Abstraction is related to stepwise refinement and modularity of computer programs. Data hiding is closely related to modularity and abstraction and, subsequently, to program maintainability.
221. Which of the following best defines adequate information security?
1. Security commensurate with risk and harm.
2. Operating systems and applications operate effectively.
3. Operating systems and applications meet security objectives.
4. Operating systems and applications use cost-effective security controls.
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
221. d. Adequate information security means (i) security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information, (ii) operating systems and applications operate effectively, (iii) operating systems and applications provide appropriate confidentiality (C), integrity (I), and availability (A), known as CIA security objectives, and (iv) security objectives use cost-effective management, operational, and technical controls (security controls).
222. Computer viruses continue to pose a threat to the following computer services except:
a. Integrity
b. Availability
c. Confidentiality
d. Usability
222. c. Confidentiality is not affected by the presence of computer viruses in computer systems because confidentiality is ensuring that data is disclosed only to authorized subjects. However, computer viruses affect integrity, availability, and usability. Computer programs can be deleted or modified, thus losing their integrity, the computer system may not be available due to disruption or denial of computer services, and end users may not use the system due to loss of files or disruption of services.
223. Which of the following should have extremely limited access in a client/server environment?
a. Source code
b. Object code
c. Executable code
d. Machine code
223. a. Access to source code can provide tremendous assistance to any criminal wishing to penetrate a system’s security. Without the source code, an intruder has to probe through a system to find its flaws. Access to the source code helps the intruder to identify gaps or flaws in security. It is important to ensure that adequate security is provided for the system’s source code. It is not good to allow source code to reside on client machines or on the server. It should be located only on a workstation belonging to the configuration management group. The workstation should have extremely limited access. If the workstation can be disconnected from the network most of the time, that would provide additional security for the source code. Moreover, the source code is in human-readable format while the other three types of codes listed are not.
224. In the context of a reference monitor concept, a reference validation mechanism doesn't need to meet which one of the following design requirements?
a. The reference validation mechanism must be tamperproof.
b. The reference validation mechanism must be large.
c. The reference validation mechanism must not be bypassed.
d. The reference validation mechanism must always be invoked.
