157. c. System risk assessment is a part of the technology principal, whereas the other choices are part of the operations principal. Defense-in depth strategy focuses on people, technology, and operations.
158. Technology, one of the principal aspects of the defense-in-depth strategy does not include which of the following?
a. Information assurance architecture
b. Facilities countermeasures
c. Information assurance criteria
d. Acquisition integration of evaluated products
158. b. Facilities countermeasures are a part of the people principal, whereas all the other choices are part of the technology principal. Defense-in depth strategy focuses on people, technology, and operations.
159. A strategy of layered protections is needed for which of the following?
1. Multiple points of vulnerability
2. Single points-of-failure
3. Network boundaries
4. Legacy information systems
a. 1 and 2
b. 2 and 3
c. 1, 2, and 3
d. 1, 2, 3, and 4
159. c. Information infrastructures are composed of complicated systems with multiple points of vulnerability, single points-of-failure, and critical areas such as network boundaries. Layers of technology solutions are needed to establish an adequate information assurance posture. Organizations have spent considerable amounts of money on developing large legacy information systems to satisfy unique mission or business needs. These legacy systems will remain in place for some time to come, and slowly will be replaced by commercial off-the-shelf software products. Layered protection is not needed for legacy systems that will be expired soon.
160. Access to all the following should be denied except:
a. HTTP cookies
b. CGI scripts
c. PGP cookie cutter program
d. Applets
160. c. The full name of a cookie is a Persistent Client State HTTP Cookie, which can be an intrusion into the privacy of a Web user. A cookie is a basic text file, transferred between the Web server and the Web client (browser) that tracks where a user went on the website, how long the user stayed in each area, and so on. The collection of this information behind the scenes can be seen as an intrusion into privacy. Access to hypertext transfer protocol (HTTP) cookies can be denied. The pretty good privacy (PGP) cookie cutter program can prevent information about a user from being captured.
A common gateway interface (CGI) script is a small program to execute a single task on a Web server. These scripts are useful for filling out and submitting Web forms and hold information about the server on which they run. This information is also useful to an attacker, which makes its risky. The script can be attacked while running. Applets enable a small computer program to be downloaded along with a Web page.
Applets have both good and bad features. Making a Web page look richer in features is a good aspect. Siphoning off files and erasing a hard drive are some examples of bad aspects.
161. What is the least effective way to handle the Common Gateway Interface (CGI) scripts?
a. Avoid them.
b. Delete them.
c. Execute them.
d. Move them away.
161. c. Some hypertext transfer protocol (HTTP) servers come with a default directory of CGI scripts. The best thing is to delete or avoid these programs, or move them away to another location. The CGI scripts are dangerous because they are vulnerable to attack while executing.
162. Which of the following action items is not a part of the security principle of “increase resilience”?
a. Implement layered security to ensure no single point of vulnerability.
b. Use common languages in developing security requirements.
c. Limit or contain vulnerabilities.
d. Use boundary mechanisms to separate computing systems and networks.
162. b. The action item “Use common languages in developing security requirements” is a part of ease-of-use security principle. The other three choices are part of the increase resilience security principle.
163. Which of the following is not the common security approach taken by Java and Active-X?
a. Hardware
b. Software
c. Human judgment
d. Digital signature
163. a. Active-X technology relies on human judgment and the use of digital signatures. Java relies more on software. They are not dependent on hardware.
164. What is the most effective control against Active-X programs?
a. Use digital signatures.
b. Issue a policy statement.
c. Accept only approved Active-X programs.
