191. d. Physical security is a part of the people principle, whereas all the other three choices are part of the operations principle.

192. Border routers, firewalls, and software/hardware guards provide which of the following?

a. First line-of-defense

b. Second line-of-defense

c. Last line-of-defense

d. Multiple lines-of-defense

192. a. Border routers, firewalls, and software/hardware guards provide a first line-of-defense against network compromises (e.g., attacks by outsiders). Lines-of-defense are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems.

193. How is a Common Gateway Interface (CGI) script vulnerable?

a. Because it is interpreted.

b. Because it gives root access.

c. Because it accepts checked input.

d. Because it can be precompiled.

193. a. Common Gateway Interface (CGI) scripts are interpreted, not precompiled. As such, there is a risk that a script can be modified in transit and not perform its original actions. CGI scripts should not accept unchecked input.

194. Which of the following form the basic component technology of the Active-X framework?

a. Active-X controls

b. Active-X containers

c. Active-X documents

d. Active-X scripts

194. a. Active-X is a framework for Microsoft’s software component technology that allows programs encapsulated in units called “controls” to be embedded in Web pages. A programmer can develop a program, wrap it in an Active-X interface, compile it, and place it on a Web page. When end users point their Web browsers (that support Active-X) at the Web page, the Active-X control downloads and attempts to execute on their computer. Because Active-X controls are simply programs, they can do anything that they are programmed to do, including causing damage by removing critical files.

Other Active-X technologies include Active-X containers, documents, and scripts. An Active-X container is an Active-X application, and an Active-X document is one kind of container. Documents allow the functionality of controls to be extended. Thus, Active-X controls form the basic component technology of the Active-X framework. Active-X containers and scripts pose security risks to the end user.

195. What is the first place to focus on security improvements in a client/server system?

a. Application software level

b. Database server level

c. Database level

d. Application server level

195. c. The first place to focus on security improvements is at the database level. One advantage is that security imposed at the database level will be consistent across all applications in a client/server system.

196. Poorly implemented session-tracking may provide an avenue for which of the following?

a. Browser-oriented attacks

b. Server-oriented attacks

c. Network-oriented attacks

d. User-oriented attacks

196. b. Web-based applications often use tracks, such as session identifiers, to provide continuity between transactions. Poorly implemented session-tracking may provide an avenue for server-oriented attacks.

197. Which of the following allows a layered security strategy for information systems?

1. Implementing lower assurance solutions with lower costs to protect less critical systems

2. Implementing all management, operational, and technical controls for all systems

3. Implementing all compensating and common controls for all systems

4. Implementing higher assurance solutions only at the most critical areas of a system

a. 1 and 2

b. 1 and 4

c. 2 and 3

d. 1, 2, 3, and 4

197. b. Management should recognize the uniqueness of each system to allow for a layered security strategy. This is achieved by implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas of a system. It is not practical or cost-effective to implement all management, operational, technical, compensating, and common controls for all systems.

198. Which of the following consists of a layered security approach to protect against a specific threat or to reduce vulnerability?

1. Use of packet-filtering routers

2. Use of an application gateway

3. Use of strong password controls

4. Adequate user training

a. 1 and 2

b. 1 and 3
