108. In a legacy wireless local-area network (WLAN) environment using the IEEE 802.11 standard, which of the following provides a defense-in-depth strategy?
1. Wi-Fi protected access 2 (WPA2)
2. Wired equivalent privacy (WEP)
3. IPsec VPNs and SSL VPNs
4. Dedicated wired network or a VLAN
a. 1 only
b. 1 and 2
c. 3 only
d. 3 and 4

108. d.
Neither WPA2 nor WEP provides a defense-in-depth strategy on its own. WEP is cryptographically broken and should not be relied on at all, and WPA2, although far stronger, is still a single control at the link layer; defense in depth requires layered controls, so one link-layer protection mechanism does not qualify regardless of its strength. An alternative to relying on WPA2 or WEP for confidentiality and integrity protection is to tunnel WLAN traffic through virtual private network (VPN) technologies such as Internet Protocol security (IPsec) VPNs and secure sockets layer (SSL) VPNs. Because VPNs do not eliminate all risk from wireless networking, it is also good practice to place the WLAN traffic on a dedicated wired network or a virtual local-area network (VLAN), either alongside or instead of VPN technologies, so that wireless clients are segregated from the internal wired network. A VLAN also helps contain the impact of denial-of-service (DoS) attacks originating from the wireless segment. Therefore, IPsec VPNs, SSL VPNs, and a dedicated wired network or a VLAN together provide a defense-in-depth strategy.

109. Information systems security testing is a part of which of the following?
a. Directive controls
b. Preventive controls
c. Detective controls
d. Corrective controls

109. c.
Information systems security testing is a part of detective controls because it includes vulnerability scanners, penetration tests, and war dialing. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents in which preventive controls were circumvented.

Directive controls are broad-based controls for handling security incidents, and they include management's policies, procedures, and directives. Preventive controls deter security incidents from happening in the first place. Corrective controls are procedures for reacting to security incidents and taking remedial action on a timely basis. Corrective controls require proper planning and preparation because they rely more heavily on human judgment.
110. In a public cloud computing environment, which of the following is most needed to establish a level of trust between cloud service providers and subscribers?
a. Compensating controls
b. Third-party audits
c. Threshold for alerts
d. Service contracts

110. b.
Establishing a level of trust in a cloud service depends on the degree of control an organization can exert over the service provider to protect the organization's data and applications. Evidence is needed about the effectiveness of the security controls over such data and applications. Third-party audits may be used to establish that level of trust and evidence when it is not feasible for the subscriber to verify the controls through normal means. If the level of trust in the service falls below expectations and the organization cannot employ compensating controls, it must either reject the service or accept a greater degree of risk. Thresholds for alerts and notifications help maintain visibility into the cloud service provider's operations, but they do not by themselves establish trust. Service contracts define each party's obligations but do not provide evidence that the contracted controls are actually effective.

111. Which of the following is an example of a personal firewall?
a. Network-based firewalls
b. Host-based firewalls
c. Source-based IP address
d. Destination-based IP address

111. b.
Host-based firewalls, also known as personal firewalls, can be effective at preventing unauthorized access to endpoints if configured to block unwanted activity. Host-based firewalls might need to be reconfigured from their default settings to permit legitimate activity, such as enabling an IPsec endpoint (which requires permitting IKE on UDP port 500, IPsec NAT traversal on UDP port 4500, and the ESP protocol, IP protocol number 50). Accordingly, organizations should consider providing information to external endpoint administrators and users about which services, protocols, or port numbers the host-based firewalls should permit for necessary services. The other three choices are not personal firewalls: network-based firewalls protect network segments rather than individual endpoints, and source and destination IP addresses are packet-filtering criteria used within firewall rules, not a type of firewall.

112. Which of the following is not used by an individual or a specialized computer program to click on an online advertisement displayed by an Internet search engine without any intention of buying the advertised product or service?
a. Honeynets
b. Pay-per-click feature
c. Botnets
d. Third parties

112. a.
This question relates to click fraud, in which advertisers are charged for clicks that carry no genuine buying interest. Botnets automate the fraudulent clicks, the pay-per-click billing model is what the fraud exploits, and third parties (such as paid clickers) may be engaged to generate the clicks. Honeynets are networks of honeypots: decoy systems that mimic production systems to attract attackers so that their behavior and actions against an information system can be studied. Honeynets are not used in click fraud.
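As an added illustration of the click-fraud pattern behind question 112 (example code written for this page, not part of the original answer key), the following Python script flags bursts of clicks on one advertisement from one client address, which is the simplest signature of an automated clicker. The tab-separated log lines are constructed for the example, and the field layout (timestamp, client IP, ad id, user agent) is an assumption rather than any real ad platform's format.

```python
"""Added example (not from the original answer key): a minimal click-fraud
detector that flags bursts of clicks on one advertisement from one source
address.  The log lines below are constructed for the example; the field
layout is an assumption, not a real ad platform's format."""
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, Tuple

# Constructed sample log, one click per line:
# ISO-8601 timestamp <TAB> client IP <TAB> ad id <TAB> user agent
SAMPLE_CLICK_LOG = """\
2024-05-01T10:00:00Z\t203.0.113.7\tad-42\tMozilla/5.0
2024-05-01T10:00:04Z\t203.0.113.7\tad-42\tMozilla/5.0
2024-05-01T10:00:09Z\t203.0.113.7\tad-42\tMozilla/5.0
2024-05-01T10:00:15Z\t198.51.100.9\tad-42\tMozilla/5.0
2024-05-01T10:00:16Z\t203.0.113.7\tad-42\tMozilla/5.0
2024-05-01T10:00:22Z\t203.0.113.7\tad-42\tMozilla/5.0
2024-05-01T10:00:30Z\t203.0.113.7\tad-42\tMozilla/5.0
2024-05-01T10:01:00Z\t192.0.2.5\tad-17\tcurl/8.0
2024-05-01T10:04:00Z\t192.0.2.5\tad-17\tcurl/8.0
2024-05-01T10:07:00Z\t192.0.2.5\tad-17\tcurl/8.0
2024-05-01T10:10:00Z\t192.0.2.5\tad-17\tcurl/8.0
2024-05-01T10:13:00Z\t192.0.2.5\tad-17\tcurl/8.0
2024-05-01T10:20:00Z\t198.51.100.9\tad-17\tMozilla/5.0
"""

Key = Tuple[str, str]  # (client IP, ad id)


def parse_click(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, ip, ad id, user agent)."""
    ts, ip, ad, ua = line.rstrip("\n").split("\t")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, ad, ua


def detect_click_bursts(lines: Iterable[str], window_s: int = 60,
                        threshold: int = 5) -> Dict[Key, int]:
    """Return {(ip, ad): peak clicks} for every source/ad pair that produced
    at least `threshold` clicks inside any `window_s`-second window.

    A sliding window (deque of timestamps) is kept per (ip, ad) pair, so one
    pass over the log is linear in the number of lines.  Lines are assumed to
    arrive in time order per source, as they would from a single collector.
    """
    windows: Dict[Key, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[Key, int] = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, ad, _ua = parse_click(line)
        key = (ip, ad)
        recent = windows[key]
        recent.append(ts)
        # Evict clicks that have aged out of the window.
        while (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()
        if len(recent) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(recent))
    return flagged


if __name__ == "__main__":
    hits = detect_click_bursts(SAMPLE_CLICK_LOG.splitlines())
    for (ip, ad), peak in hits.items():
        print(f"suspect burst: {ip} clicked {ad} {peak} times within 60 s")
```

On the sample log only 203.0.113.7 trips the rule (six clicks on ad-42 inside one minute); the five clicks from 192.0.2.5 are three minutes apart and never accumulate. A per-source threshold like this catches a single automated clicker but not a botnet, whose clicks are spread across many addresses, so in practice it is combined with cross-source features such as identical unusual user agents or clicks that never lead to a conversion.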