Reading CISSP Practice in full

154. c. Security controls are of three types: management, technical, and operational. Physical controls and procedural controls are part of operational controls. Penetration testing does not focus on management controls, such as policies and directives. Instead, it focuses on technical and operational controls dealing with ports, protocols, system services, and devices.

155. Which of the following is not used in creating static Web documents?

a. Hypertext markup language (HTML)

b. Joint photographic experts group (JPEG)

c. Hypertext preprocessor (PHP)

d. Extensible style language (XSL)

155. c. Hypertext preprocessor (PHP) is used in creating a dynamic Web document, along with JavaScript and ActiveX controls. Static Web documents (pages) are written in HTML, XHTML, ASCII, JPEG, XML, and XSL.

156. All the following are work elements of penetration testing of security controls except:

a. Pretest analysis of the target system

b. Pretest identification of potential vulnerabilities

c. Independent verification and validation of vulnerabilities

d. Systematic determination of exploitability of identified vulnerabilities

156. c. Independent verification and validation of vulnerabilities is a form of security assurance testing, not a work element of security penetration testing. The other three choices are work elements of penetration testing.

157. Which of the following refers to open-loop control to handle network congestion problems?

1. Good design principles

2. Preventive actions

3. Detective actions

4. Corrective actions

a. 2 only

b. 1 and 2

c. 2 and 3

d. 3 and 4

157. b. Open-loop control includes good design principles and preventive actions whereas closed-loop control includes detective actions and corrective actions. Tools for open-loop controls include deciding when to accept new traffic, deciding when to discard packets and which ones, and making scheduling decisions at various points in the network.

158. Which of the following configurations for private servers hosting instant messaging (IM) data can lead to a man-in-the-middle (MitM) attack when it is not installed, installed incorrectly, or implemented improperly?

a. Enclave perimeter

b. Demilitarized zone

c. Encrypted communication channel

d. Server services

158. c. Client-to-server architecture protects data by storing it on private servers as opposed to client computers or public servers. Private servers hosting instant messaging (IM) data are configured with a network infrastructure that protects the servers from unauthorized access, using an enclave perimeter with a firewall, a demilitarized zone (DMZ) for a gateway server, encryption for the communication channel, and server services. Traffic carried over protocols that do not encrypt it can easily be hijacked, resulting in a man-in-the-middle (MitM) attack. The IM server services provide activities such as user registration, authentication, account management, logging, and software downloads for users. Services not required for operation should be disabled to prevent the potential risk of attack on those services.

159. Which of the following virtual private network (VPN) architectures is transparent to users and to users’ systems?

a. Gateway-to-gateway

b. Host-to-gateway

c. Contractor-to-company

d. Host-to-host

159. a. Gateway-to-gateway virtual private networks (VPNs) are typically transparent to users who do not need to perform separate authentication just to use the VPN. Also, the users’ systems and the target hosts (e.g., servers) do not need to have any VPN client software installed, nor should they require any reconfiguration, to use the VPN.

A host-to-gateway VPN is incorrect because it is not transparent to users: they must be authenticated before using the VPN, and the users' hosts need to have VPN client software configured. A contractor-to-company VPN is incorrect because it is not transparent to users and needs to have VPN client software configured. A host-to-host VPN model is not transparent to users because they must be authenticated before using the VPN.

160. Which of the following is not a primary component of Internet Protocol Security (IPsec)?

a. IPComp

b. AH

c. ESP

d. IKE protocol
