2. Repeatable results

3. Defensible results

4. Evidential results

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

106. d. The target of evaluation (TOE) in the Common Criteria (CC) leads to objective and repeatable results that are defensible and can be cited as evidence.

107. Regarding the Common Criteria (CC), the reference monitor concept is applied to enforce which of the following?

a. Security Target (ST)

b. Target of Evaluation (TOE)

c. Protection Profile (PP)

d. System Specifications

107. b. The reference monitor concept is an access control concept referring to an abstract machine that mediates all accesses to objects by subjects. It is applied to enforce the target of evaluation (TOE) access control policies during the design of the TOE. The Common Criteria (CC) contains criteria to be used by evaluators when forming judgments about the conformance of TOEs to their security requirements. The CC describes the set of general actions the evaluator is to carry out but does not specify procedures to be followed in carrying out those actions.

A protection profile (PP) is a template for a security target (ST). Whereas an ST always describes a specific TOE (e.g., firewall v18.5), a PP is intended to describe a TOE type (e.g., firewall). A PP is an implementation-independent statement of security needs for a product type, and an ST is an implementation-dependent construct. The ST may be based on one or more PPs. System specifications refer to the roles that an ST or PP should or should not fulfill.

108. What is a communication channel that enables a process to transfer information in a manner that violates the system’s security policy called?

a. Communication channel

b. Covert channel

c. Exploitable channel

d. Overt channel

108. b. This is the definition of a covert channel. A communication channel is the physical media and device that provides the means for transmitting information from one component of a network to other components. An exploitable channel is usable or detectable by subjects external to the Trusted Computing Base (TCB). An overt channel is a path within a network designed for the authorized transfer of data. This is in contrast to a covert channel.

109. Perimeter-based network security technologies such as firewalls are inadequate to protect service-oriented architectures (SOAs) providing Web services due to which of the following reasons?

1. Transport layer security (TLS)

2. Hypertext transfer protocol (HTTP)

3. Simple object access protocol (SOAP)

4. Reverse SOAP

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 1, 2, 3, and 4

109. d. Perimeter-based network security technologies (e.g., firewalls) are inadequate to protect SOAs for the following reasons:

Transport Layer Security (TLS), which is used to authenticate and encrypt Web-based messages, is inadequate for protecting SOAP messages because it is designed to operate between two endpoints. TLS cannot accommodate Web services’ inherent capability to forward messages to multiple other Web services simultaneously.

SOAP is transmitted over Hypertext Transfer Protocol (HTTP), which is allowed to flow without restriction through most firewalls. Application-aware firewalls in the form of HTTP proxies for HTTP-based traffic allow organizations to limit what an application-layer protocol can and cannot do.

Because SOAP travels over HTTP, it is traditionally left open for Web traffic at perimeter firewalls. Additionally, with the Reverse SOAP (PAOS) specification, SOAP messages can pass through firewalls that limit incoming HTTP traffic but allow outgoing HTTP traffic. Some firewalls have begun to support blocking or allowing SOAP requests based on the source or destination of the request, but more robust and intelligent firewalls are needed to defend networks against malicious SOAP attacks.

SOAs are dynamic and can seldom be fully constrained to the physical boundaries of a single network.
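To make the TLS point above concrete, here is an added example (not from the book) in Python that models a SOAP request crossing several TLS hops. It uses an HMAC over the SOAP Body as a simplified stand-in for an XML Signature; the key, the message, and the node functions are constructed for the demonstration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)
BODY, HEADER = f"{{{SOAP_NS}}}Body", f"{{{SOAP_NS}}}Header"
# Constructed key known only to the originating client and the final service.
END_TO_END_KEY = b"constructed-demo-key"

def build_envelope(amount: str) -> str:
    """Constructed SOAP request carrying one business value."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header/>'
            f'<soap:Body><Transfer><Amount>{amount}</Amount></Transfer></soap:Body>'
            '</soap:Envelope>')

def body_mac(envelope: str) -> str:
    """MAC over the serialized Body only; intermediaries may add Header blocks."""
    body = ET.fromstring(envelope).find(BODY)
    return hmac.new(END_TO_END_KEY, ET.tostring(body), hashlib.sha256).hexdigest()

def sign(envelope: str) -> str:
    """Message-level integrity (a simplified stand-in for XML Signature)."""
    root = ET.fromstring(envelope)
    ET.SubElement(root.find(HEADER), "BodyMAC").text = body_mac(envelope)
    return ET.tostring(root, encoding="unicode")

def verify(envelope: str) -> bool:
    mac = ET.fromstring(envelope).find(f"{HEADER}/BodyMAC")
    return mac is not None and hmac.compare_digest(mac.text, body_mac(envelope))

def honest_node(envelope: str) -> str:
    return envelope

def altering_node(envelope: str) -> str:
    """A misbehaving intermediary (constructed) that rewrites the Amount."""
    root = ET.fromstring(envelope)
    root.find(f"{BODY}/Transfer/Amount").text = "99999"
    return ET.tostring(root, encoding="unicode")

def deliver(amount: str, route) -> tuple:
    """Route a signed request through `route`. Each hop models one TLS
    connection: the wire is protected, but TLS ends at the node, which sees
    the plaintext and re-emits it. Returns (MAC still valid, Amount received)."""
    msg = sign(build_envelope(amount))
    for node in route:
        msg = node(msg)
    received = ET.fromstring(msg).find(f"{BODY}/Transfer/Amount").text
    return verify(msg), received
```

Hop-by-hop TLS gives the final service no way to tell whether an intermediary changed the Body; the end-to-end MAC carried in the Header does, which is the role XML Signature and XML Encryption play in SOA message protection.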

110. Which of the following cannot protect simple object access protocol (SOAP) messages in a service-oriented architecture (SOA) providing Web services?

a. XML encryption

b. XML gateway

c. XML signature

d. XML parser
