Anyone preparing for the CISSP exam, come and take a look

Post 1, posted 2003-10-09 10:11
I just came across a few questions. Anyone preparing for the CISSP exam, come and take a look and let's discuss them...

Section A

QUESTION NO: 1
Ensuring the integrity of business information is the PRIMARY concern of
A. Encryption Security
B. Procedural Security
C. Logical Security
D. On-line Security
Answer: B

QUESTION NO: 2
Which one of the following actions should be taken FIRST after a fire has been detected?
A. Turn off power to the computers
B. Call the fire department
C. Notify management
D. Evacuate all personnel
Answer: D

QUESTION NO: 3
Which one of the following is the Open Systems Interconnection (OSI) protocol for message handling?
A. X.25
B. X.400
C. X.500
D. X.509
Answer: A

Post 2, posted 2003-10-09 10:11

QUESTION NO: 4
Which of the following is a weakness of both statistical anomaly detection and pattern matching?
A. Lack of ability to scale.
B. Lack of learning model.
C. Inability to run in real time.
D. Requirement to monitor every event.
Answer: B

QUESTION NO: 5
Digital signature users register their public keys with a certification authority, which distributes a certificate containing the user's public key and the digital signature of the certification authority. In creating the certificate, the user's public key and the validity period are combined with what other information before computing the digital signature?
A. Certificate issuer and the Digital Signature Algorithm identifier
B. User's private key and the identifier of the master key code
C. Name of secure channel and the identifier of the protocol type
D. Key authorization and identifier of key distribution center
Answer: B

QUESTION NO: 6
Why are macro viruses easy to write?
A. Active content controls can make direct system calls.
B. The underlying language is simple and intuitive to apply.
C. Only a few assembler instructions are needed to do damage.
D. Office templates are fully API compliant.
Answer: B

QUESTION NO: 7
Tracing violations, or attempted violations, of system security to the user responsible is a function of
A. authentication
B. access management
C. integrity checking
D. accountability
Answer: D

QUESTION NO: 8
Which one of the following is concerned with masking the frequency, length, and origin-destination patterns of the communications between protocol entities?
A. Masking analysis
B. Protocol analysis
C. Traffic analysis
D. Pattern analysis
Answer: C

QUESTION NO: 9
In which situation would TEMPEST risks and technologies be of MOST interest?
A. Where high availability is vital.
B. Where the consequences of disclosure are very high.
C. Where countermeasures are easy to implement.
D. Where database integrity is crucial.
Answer: B

QUESTION NO: 10
In which state must a computer system operate to process input/output instructions?
A. User mode
B. Stateful inspection
C. Interprocess communication
D. Supervisor mode
Answer: D

Post 3, posted 2003-10-09 10:12

QUESTION NO: 11
All of the following are basic components of a security policy EXCEPT the
A. definition of the issue and statement of relevant terms.
B. statement of roles and responsibilities.
C. statement of applicability and compliance requirements.
D. statement of performance characteristics and requirements.
Answer: D

QUESTION NO: 12
What set of principles is the basis for information systems controls?
A. Authentication, audit trails, and awareness briefings
B. Individual accountability, auditing, and separation of duties
C. Need to know, identification, and authenticity
D. Audit trails, limited tenure, and awareness briefings
Answer: B

QUESTION NO: 13
Why do vendors publish MD5 hash values when they provide software patches for their customers to download from the Internet?
A. Recipients can verify the software's integrity after downloading.
B. Recipients can confirm the authenticity of the site from which they are downloading the patch.
C. Recipients can request future updates to the software by using the assigned hash value.
D. Recipients need the hash value to successfully activate the new software.
Answer: A

QUESTION NO: 14
Which one of the following is NOT a requirement before a search warrant can be issued?
A. There is probable cause that a crime has been committed.
B. There is an expectation that evidence exists of the crime.
C. There is probable cause to enter someone's home or business.
D. There is a written document detailing the anticipated evidence.
Answer: A

QUESTION NO: 15
The Trusted Computer System Evaluation Criteria (TCSEC) provides
A. a basis for assessing the effectiveness of security controls built into automatic data-processing system products.
B. a system analysis and penetration technique where specifications and documentation for the system are analyzed.
C. a formal static transition model of computer security policy that describes a set of access control rules.
D. a means of restricting access to objects based on the identity of subjects and groups to which they belong.
Answer: C

Post 4, posted 2003-10-09 10:13

QUESTION NO: 16
Which factor is critical in all systems to protect data integrity?
A. Data classification
B. Information ownership
C. Change control
D. System design
Answer: A

QUESTION NO: 17
Audit trails based upon access and identification codes establish…
A. intrusion detection thresholds
B. individual accountability
C. audit review criteria
D. individual authentication
Answer: B

Post 5, posted 2003-10-09 10:16

Section B

QUESTION NO: 1
In a discretionary mode, which of the following entities is authorized to grant information access to other people?
A. Manager
B. Group leader
C. Security manager
D. User
Answer: D
Explanation: Discretionary control is the most common type of access control mechanism implemented in computer systems today. The basis of this kind of security is that an individual user, or a program operating on the user's behalf, is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user's control. Discretionary security differs from mandatory security in that it implements the access control decisions of the user. Mandatory controls are driven by the results of a comparison between the user's trust level or clearance and the sensitivity designation of the information.

QUESTION NO: 2
Which DES mode of operation is best suited for database encryption?
A. Cipher Block Chaining (CBC) mode
B. Cycling Redundancy Checking (CRC) mode
C. Electronic Code Book (ECB) mode
D. Cipher Feedback (CFB) mode
Answer: C
Explanation: The DES algorithm in Electronic Codebook (ECB) mode is used for DEK and MIC encryption when symmetric key management is employed. The character string "DES-ECB" within an encapsulated PEM header field indicates use of this algorithm/mode combination. A compliant PEM implementation supporting symmetric key management shall support this algorithm/mode combination. This mode of DES encryption is the best suited for database encryption because of its low overhead.
ECB mode has some weaknesses; here they are:
1. ECB mode encrypts a 64-bit block independently of all other 64-bit blocks.
2. Given the same key, identical plaintext will encrypt the same way.
3. Data compression prior to ECB can help (as with any mode).
4. Fixed block size of 64 bits, therefore an incomplete block must be padded.
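The second ECB weakness listed in the post (identical plaintext blocks under one key give identical ciphertext blocks) is what leaks patterns out of an encrypted database column; CBC chaining hides the repetition, and weakness 4 shows up as the padding block. This is an added example, not code from the thread: it uses a constructed toy 64-bit Feistel cipher as a stand-in for DES, encrypts the same fixed-width records in ECB and in CBC, and counts repeated ciphertext blocks.

```python
import hashlib

BLOCK = 8  # 64-bit block size, same as DES (weakness 4: incomplete blocks need padding)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes, rounds: int = 8) -> list:
    # Constructed key schedule: one 8-byte subkey per round, derived from the key.
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]


def _feistel(subkeys: list, block: bytes) -> bytes:
    # Toy 64-bit Feistel network standing in for DES (assumption: not a real cipher).
    # Round function: truncated SHA-256 of (subkey || right half).
    left, right = block[:4], block[4:]
    for sk in subkeys:
        left, right = right, _xor(left, hashlib.sha256(sk + right).digest()[:4])
    return right + left  # final swap: the same network with reversed subkeys decrypts


def block_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(_subkeys(key), block)


def block_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(list(reversed(_subkeys(key))), block)


def pad(data: bytes) -> bytes:
    # PKCS#7-style padding up to a whole number of 64-bit blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[: -data[-1]]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: each block is encrypted independently, so equal plaintext blocks
    # give equal ciphertext blocks (weaknesses 1 and 2 in the post).
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(data)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in _blocks(ct)))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block before encryption,
    # so repeated records no longer produce repeated ciphertext.
    out, prev = [], iv
    for b in _blocks(pad(data)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ct: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier block.
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))


# Constructed sample: four fixed-width 8-byte records of one table column.
RECORDS = b"PLAN=GLD" + b"PLAN=GLD" + b"PLAN=SLV" + b"PLAN=GLD"
KEY = b"constructed-key"
IV = bytes(range(8))

if __name__ == "__main__":
    ecb = ecb_encrypt(KEY, RECORDS)
    cbc = cbc_encrypt(KEY, IV, RECORDS)
    print("ECB repeated blocks:", repeated_blocks(ecb))  # 2: the three GLD records match
    print("CBC repeated blocks:", repeated_blocks(cbc))  # 0
    assert ecb_decrypt(KEY, ecb) == RECORDS
```

Anyone who can read the ECB ciphertext can tell which rows share a value without knowing the key, which is the pattern leak the post's weakness 2 describes.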

Post 6, posted 2003-10-09 10:17

QUESTION NO: 3
Within the realm of IT security, which of the following combinations best defines risk?
A. Threat coupled with a breach.
B. Threat coupled with a vulnerability.
C. Vulnerability coupled with an attack.
D. Threat coupled with a breach of security.
Answer: B
Explanation: This is the main concept: when we talk about a possible risk, we always have a possible vulnerability in the system attacked. This vulnerability can make a threat successful. We can say that the level of risk can be measured through the level of vulnerabilities in our current systems and the ability of the attackers to exploit them to make a threat successful.

QUESTION NO: 4
Which of the following would be the best reason for separating the test and development environments?
A. To restrict access to systems under test.
B. To control the stability of the test environment.
C. To segregate user and development staff.
D. To secure access to systems under development.
Answer: B
Explanation: This is the right answer. With a separation of the two environments (test and development), we can get a more stable and more "in control" environment. Since we are making tests in the development environment, we don't want our production processes there; we don't want to experiment on our production processes. With a separation of the environments we can get a more risk-free production environment and more control and flexibility over the test environment for the developers.

QUESTION NO: 5
Which of the following statements pertaining to dealing with the media after a disaster occurred and disturbed the organization's activities is incorrect?
A. The CEO should always be the spokesperson for the company during a disaster.
B. The disaster recovery plan must include how the media is to be handled during the disaster.
C. The organization's spokesperson should report bad news before the press gets hold of it through another channel.
D. An emergency press conference site should be planned ahead.
Answer: A
Explanation: This is not a good practice. We cannot involve the CEO of the company in dealing with the media every time we have a disaster; depending on the severity of the disaster we can have the CEO talk, but the best practice in the real world is to have a well-known person in that role, with special speaking capabilities and knowledge of press methods. In general, the CEO always gets news of what happened and decides the company's policy; then another designated employee (usually from the disaster recovery team) deals with the media.

QUESTION NO: 6
Which Orange Book security rating introduces security labels?
A. C2
B. B1
C. B2
D. B3
Answer: B
Explanation: Class (B1) or "Labeled Security Protection" systems require all the features required for class (C2). In addition, an informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects must be present. The capability must exist for accurately labeling exported information. Any flaws identified by testing must be removed.

QUESTION NO: 7
A Business Impact Analysis (BIA) does not:
A. Recommend the appropriate recovery solution.
B. Determine critical and necessary business functions and their resource dependencies.
C. Identify critical computer applications and the associated outage tolerance.
D. Estimate the financial impact of a disruption.
Answer: A
Explanation: Remember that when we talk about a BIA (Business Impact Analysis), we are analyzing and identifying possible issues in our infrastructure; in this kind of analysis we don't make suggestions about what to do to recover from them. This is not an action plan. It's an analysis of the business, the processes it relies on, the level of the systems and an estimate of the financial impact, or in other words, how much money we lose with our systems down.

Post 7, posted 2003-10-09 10:18

QUESTION NO: 8
Which access control model enables the owner of the resource to specify what subjects can access specific resources?
A. Discretionary Access Control
B. Mandatory Access Control
C. Sensitive Access Control
D. Role-based Access Control
Answer: A
Explanation: Discretionary Access Control (DAC) is used to control access by restricting a subject's access to an object. It is generally used to limit a user's access to a file. In this type of access control it is the owner of the file who controls other users' access to the file. Using a DAC mechanism allows users control over access rights to their files. When these rights are managed correctly, only those users specified by the owner may have some combination of read, write, execute, etc. permissions to the file.

QUESTION NO: 9
What type of cable is used with 100Base-TX Fast Ethernet?
A. Fiber-optic cable.
B. Four pairs of Category 3, 4 or 5 unshielded twisted-pair (UTP) wires.
C. Two pairs of Category 5 unshielded twisted-pair (UTP) or Category 1 shielded twisted-pair (STP) wires.
D. RG.58 cable.
Answer: C
Explanation: 100BaseTX is a 100-Mbps baseband Fast Ethernet specification using two pairs of either UTP or STP wiring. The first pair of wires is used to receive data; the second is used to transmit. To guarantee proper signal timing, a 100BaseTX segment cannot exceed 100 meters in length. This specification of Ethernet is based on the IEEE 802.3 standard.

QUESTION NO: 10
Which of the following best describes the Secure Electronic Transaction (SET) protocol?
A. Originated by VISA and MasterCard as an Internet credit card protocol.
B. Originated by VISA and MasterCard as an Internet credit card protocol using digital signatures.
C. Originated by VISA and MasterCard as an Internet credit card protocol using the transport layer.
D. Originated by VISA and MasterCard as an Internet credit card protocol using SSL.
Answer: B
Explanation: This protocol was created by VISA and MasterCard as a common effort to make the buying process over the Internet secure through the distribution line of those companies. It is located in layer 7 of the OSI model.
SET uses a system of locks and keys along with certified account IDs for both consumers and merchants. Then, through a unique process of "encrypting" or scrambling the information exchanged between the shopper and the online store, SET ensures a payment process that is convenient, private and most of all secure. Specifically, SET:
1. Establishes industry standards to keep your order and payment information confidential.
2. Increases integrity for all transmitted data through encryption.
3. Provides authentication that a cardholder is a legitimate user of a branded payment card account.
4. Provides authentication that a merchant can accept branded payment card transactions through its relationship with an acquiring financial institution.
5. Allows the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction.
The SET process relies strongly on the use of certificates and digital signatures for the authentication and integrity of the information.

QUESTION NO: 11
At which of the following phases of a software development life cycle are security and access controls normally designed?
A. Coding
B. Product design
C. Software plans and requirements
D. Detailed design
Answer: D
Explanation: Security controls and access controls are normally designed in the "Detailed" phase of design. In this phase you have the design of many of the security features of your development, like authentication, confidentiality functionality and non-repudiation capabilities. In this phase you can also define what the access control method for the software is going to be; we can make it discretionary (less restrictive), mandatory (more restrictive), role-based and others.

Post 8, posted 2003-10-09 10:19

QUESTION NO: 14
Which of the following is not an Orange Book-defined life cycle assurance requirement?
A. Security testing
B. Design specification and testing
C. Trusted distribution
D. System integrity
Answer: D
Explanation: As stated in the Orange Book from the National Computer Security Center, the following is a sample list of what shall be identified and maintained under configuration management:
* the baseline TCB including hardware, software, and firmware
* any changes to the TCB hardware, software, and firmware since the previous baseline
* design and user documentation
* software tests including functional and system integrity tests
* tools used for generating current configuration items (required at TCSEC class A1 only)
Configuration management procedures should make it possible to accurately reproduce any past TCB configuration. In the event a security vulnerability is discovered in a version of the TCB other than the most current one, analysts will need to be able to reconstruct the past environment.
As we can see, answer D is not part of life cycle assurance; it's part of configuration management.

QUESTION NO: 15
What is another name for the Orange Book?
A. The Trusted Computer System Evaluation Criteria (TCSEC)
B. The Trusted Computing Base (TCB)
C. The Information Technology Security Evaluation Criteria (ITSEC)
D. The Common Criteria
Answer: A
Explanation: The Trusted Computer System Evaluation Criteria (TCSEC) is a collection of criteria used to grade or rate the security offered by a computer system product. The TCSEC is sometimes referred to as "the Orange Book" because of its orange cover. The current version is dated 1985 (DOD 5200.28-STD, Library No. S225,711). The TCSEC, its interpretations and guidelines all have different color covers, and are sometimes known as the "Rainbow Series".

Post 9, posted 2003-10-09 10:20

QUESTION NO: 16
A password that is the same for each log-on session is called a?
A. "one-time password"
B. "two-time password"
C. static password
D. dynamic password
Answer: C
Explanation: A static password is one that remains the same until it's changed. It's like the password that we use in operating systems: you set it, and then you always use the same password to log on to the system for the time of the session. This password will give us access to the system and will be the vehicle to create our access token successfully to get our privileges. A one-time password is only valid for one use, dynamic ones change every time a certain condition is met, and two-time passwords can only be used two times. We can provide certain kinds of access with these kinds of passwords.

QUESTION NO: 17
Which of the following backup methods is most appropriate for off-site archiving?
A. Incremental backup method.
B. Off-site backup method.
C. Full backup method.
D. Differential backup method.
Answer: C
Explanation: Since we want to maintain the backups off-site, it's always better to send full backups because they contain a consistent base of the system. We begin a restore from a full backup. Remember that the backups stored off-site are in most cases in a secure place; full backups there are a best practice for any network administrator. With incremental or differential backups we don't have all we need to restore a system to a consistent state; we need to start from the full backup. "Off-site backup" is not a valid backup method.

QUESTION NO: 18
Which of the following is not a weakness of symmetric cryptography?
A. Limited security
B. Key distribution
C. Speed
D. Scalability
Answer: C

Post 10, posted 2003-10-09 10:22

Section C – Practice questions

QUESTION NO: 1
Covert channel is a communication channel that can be used for:
A. Hardening the system.
B. Violating the security policy.
C. Protecting the DMZ.
D. Strengthening the security policy.
Answer: B
Explanation: A covert channel is a communication channel that allows transfer of information in a manner that violates the system's security policy.

QUESTION NO: 2
To ensure that integrity is attained through the Clark and Wilson model, certain rules are needed. These rules are:
A. Processing rules and enforcement rules.
B. Integrity-bouncing rules.
C. Certification rules and enforcement rules.
D. Certification rules and general rules.
Answer: C
Explanation: To ensure that integrity is attained and preserved, Clark and Wilson assert, certain integrity-monitoring and integrity-preserving rules are needed. Integrity-monitoring rules are called certification rules, and integrity-preserving rules are called enforcement rules.

QUESTION NO: 3
What was introduced for circumventing difficulties in classic approaches to computer security by limiting damages produced by malicious programs?
A. Integrity-preserving
B. Ref Mon
C. Integrity-monitoring
D. Non-Interference
Answer: D
Explanation: Non-Interference (NI for short) was introduced in order to circumvent difficulties in classic approaches to computer security. In order to limit, and possibly avoid, the damages produced by malicious programs (often called "Trojan Horses") which try to leak secret information, it was suggested to impose some access control rules which limit the action of these programs.