A boundary system can establish external boundaries and internal boundaries to monitor and control communications between systems. A boundary system employs boundary protection devices (e.g., proxies, gateways, routers, firewalls, hardware/software guards, and encrypted tunnels) at managed interfaces. An open system is a vendor-independent system designed to readily connect with other vendors’ products. A closed system is the opposite of an open system in that it uses a vendor-dependent system.
62. A flaw in a computer system is exploitable. Which of the following provides the best remedy?
a. Hire more IT security analysts.
b. Hire more IT system auditors.
c. Install more IT layered protections.
d. Hire more IT security contractors.
62. c. Layered security protections (defense-in-depth) can be installed to prevent exploitability. Architectural system design can also help prevent exploitability. Layered security protections include least privilege, object reuse, process separation, modularity, and trusted systems. The other three choices do not provide best remedy.
63. For the payment card industry data security standard (PCI-DSS), which of the following security controls cannot meet the control objectives of building and maintaining a secure network?
a. Install firewall configurations.
b. Do not use defaults for system passwords.
c. Encrypt transmission of cardholder data.
d. Do not use defaults for security parameters.
63. c. The encryption of transmission of cardholder data across open, public networks meets a different control objective of protecting cardholder data, not the control objective of building and maintaining a secure network. The other three choices meet the objective of building and maintaining a secure network.
64. For the payment card industry data security standard (PCI-DSS), which of the following security controls cannot meet the control objective of maintaining a vulnerability management program?
a. Regularly update antivirus software.
b. Protect stored cardholder data.
c. Maintain secure operating systems.
d. Maintain secure application systems.
64. b. Protecting stored cardholder data meets a different control objective than protecting cardholder data, not the one in the question. The other three choices meet the control objective of maintaining a vulnerability management program.
65. Use of cookies on the Web raises which of the following?
a. Integrity issue
b. Privacy issue
c. Connectivity issue
d. Accountability issue
65. b. Cookies were invented to enable websites to remember its users from visit to visit. Because cookies collect personal information about the Web user, it raises privacy issues such as what information is collected and how it is used. Cookies do not raise integrity, connectivity, or accountability issues.
66. Which of the following is not a risk by itself for a Structured Query Language (SQL) server?
a. Concurrent transactions
b. Deadlock
c. Denial-of-service
d. Loss of data integrity
66. a. The concurrent transaction is not a risk by itself. The SQL server must ensure orderly access to data when concurrent transactions attempt to access and modify the same data. The SQL server must provide appropriate transaction management features to ensure that tables and elements within the tables are synchronized. The other three choices are risks resulting from handling concurrent transactions.
67. System assurance cannot be increased by which of the following?
a. Applying more complex technical solutions
b. Using more trustworthy components
c. Limiting the extent of a vulnerability
d. Installing nontechnical countermeasures
67. a. System assurance is grounds for confidence that an entity meets its security objectives as well as system characteristics that enable confidence that the system fulfills its intended purpose. Applying more complex technical solutions can create more complexity in implementing security controls. Simple solutions are better. The other three choices can increase system assurance.
68. Which of the following security services are applicable to the confidentiality security objective?
a. Prevention services
b. Detection services
c. Correction services
