211. c. The common gateway interface (CGI) is an industry standard for communicating between a Web server and another program. It is a part of a generic Web server. Java, ActiveX, and plug-ins are incorrect because they are a part of a generic Web browser.
212. Masquerading is an example of which of the following threat categories that apply to systems on the Internet?
a. Browser-oriented
b. Software-oriented
c. Server-oriented
d. Network-oriented
212. a. Internet-related threats are broken down into three categories: browser-oriented, server-oriented, and network-oriented. Software-oriented is a generic category that cuts across the other three categories. Software-oriented threats may result from software complexity, configuration, and quality. Web servers can launch attacks against Web browser components and technologies. Because browsers can support multiple associations with different Web servers as separate windowed contexts, the mobile code of one context can also target another context. Unauthorized access may occur simply through a lack of adequate access control mechanisms or weak identification and authentication controls, which allow untrusted code to act or masquerade as a trusted component. After access is gained, information residing at the platform can be disclosed or altered.
213. Which of the following is required to ensure foolproof security over mobile code?
a. Firewalls
b. Antivirus software
c. Intrusion detection and prevention systems
d. Cascaded defense-in-depth measures
213. d. Cascaded defense-in-depth measures come close to providing foolproof security over mobile code, with examples such as firewalls, antivirus software, intrusion detection and prevention systems, and behavior blocking technologies. Although firewalls, antivirus software, and intrusion detection and prevention systems provide useful safeguards, they do not provide strong security on their own because of the variety of techniques available for deception, such as mutation, segmentation, and disguise via extended character set encoding.
214. The Common Criteria (CC) permits which of the following between the results of independent security evaluations?
a. Usability
b. Comparability
c. Scalability
d. Reliability
214. b. The Common Criteria (CC) permits comparability between the results of independent security evaluations. The evaluation process establishes a level of confidence that the security functionality of IT products and the assurance measures applied to these IT products meet a common set of requirements. The CC is applicable to IT security functionality implemented in hardware, firmware, or software.
Usability is incorrect because it refers to qualities such as being easy to learn and remember, productivity enhancing, error resistant, and user friendly.
Scalability is incorrect because it means the system can be made to have more or less computational power by configuring it with a larger or smaller number of processors, amount of memory, interconnection bandwidth, input/output bandwidth, and amount of mass storage. Reliability is incorrect because it means the system can be counted upon to perform as expected.
215. The Common Criteria (CC) is not useful as a guide for which of the following when evaluating the security functionality of IT products?
a. Development
b. Evaluation
c. Procurement
d. Implementation
215. d. The CC is useful as a guide for the development, evaluation, and/or procurement of products with IT security functionality. The CC is not useful in implementation because implementation scenarios can vary from organization to organization.
216. The Common Criteria (CC) addresses which of the following in an uncommon way?
a. Confidentiality
b. Risks
c. Integrity
d. Availability
216. b. The Common Criteria (CC) addresses information protection from unauthorized disclosure (confidentiality), modification (integrity), or loss of use (availability), which is a common way. The CC is also applicable to risks arising from human activities (malicious or otherwise) and to risks arising from nonhuman activities, which is an uncommon way.
217. The scope of Common Criteria (CC) covers which of the following?
a. Physical protection
b. Administrative security
c. Electromagnetic emanation control
d. Quality of cryptographic algorithm