224. d. Attacks can be launched against the network infrastructure used to communicate between the browser and server. An attacker can gain information by masquerading as a Web server using a man-in-the-middle attack, whereby requests and responses are conveyed via the impostor acting as a watchful intermediary. Such a Web spoofing attack allows the impostor to shadow not only a single targeted server, but also every subsequent server accessed. Other obvious attack methods lie outside the browser-server framework and involve targeting either the communications or the supporting platforms. Denial-of-service (DoS) attacks through available network interfaces are another possibility, as are exploits involving any existing platform vulnerability.

225. In the trusted computing base (TCB) environment, which of the following is referred to when a security administrator accidentally or intentionally configures the access tables incorrectly?

a. Compromise from above

b. Compromise from within

c. Compromise from below

d. Compromise from cross domains

225. b. Compromise from within results when a security administrator accidentally or intentionally configures the access tables incorrectly. Compromise from above occurs when an unprivileged user can write untrusted code that exploits a vulnerability. Compromise from below occurs as a result of the accidental failure of an underlying trusted component. Compromise from cross domains is not relevant here.

Scenario-Based Questions, Answers, and Explanations

Use the following information to answer questions 1 through 12.

The SRC Company is a software development firm serving major military markets. It builds off-the-shelf software, which eventually is bought by the public. For certification and accreditation purposes, it is applying for evaluation of assurance level (EAL)–4 for two of its new products. The company has a repeatable software development process in place. It semi-formally designs and tests each product. It methodically reviews the development process.

1. Regarding Common Criteria (CC), which of the following provides an implementation-independent statement of security needs?

a. Target of evaluation (TOE)

b. Security target (ST)

c. Protection profile (PP)

d. Evaluation of assurance level (EAL)

1. c. Protection profile (PP) is an implementation-independent statement of security needs for a product type. TOE is incorrect because it is a product that has been installed and is being operated according to its guidance. ST is incorrect because it is an implementation-dependent statement of security needs for a specific identified TOE. EAL is incorrect because it is an assurance package, consisting of assurance requirements, representing a point on the CC predefined assurance scale.

2. The Common Criteria (CC) permits which of the following between the results of independent security evaluations?

a. Usability

b. Comparability

c. Scalability

d. Reliability

2. b. The Common Criteria (CC) permits comparability between the results of independent security evaluations. The evaluation process establishes a level of confidence that the security functionality of IT products and the assurance measures applied to these IT products meet a common set of requirements. The CC is applicable to IT security functionality implemented in hardware, firmware, or software. Usability is incorrect because it means easy to learn and remember, productivity enhancing, error resistant, and friendly. Scalability is incorrect because it means the system can be made to have more or less computational power by configuring it with a larger or smaller number of processors, amount of memory, interconnection bandwidth, input/output bandwidth, and amount of mass storage. Reliability is incorrect because it means the system can be counted upon to perform as expected.

3. The Common Criteria (CC) is not useful as a guide for which of the following when evaluating the security functionality of IT products?

a. Development

b. Evaluation

c. Procurement

d. Implementation

3. d. The Common Criteria (CC) is useful as a guide for the development, evaluation, and/or procurement of products with IT security functionality. Implementation scenarios can vary from organization to organization.
