Term
| What primary security element does a trusted computing base provide and support? |
|
Definition
| Integrity - A trusted computing base is designed to provide and support the security element of integrity. The trusted computing base does not directly address or provide the security elements of availability, non-repudiation, authentication, and confidentiality. |
|
|
Term
| Which of the following versions of Microsoft Windows does not allow administrators to restrict file access? |
|
Definition
| Microsoft Windows 95 - Windows 95 supports only the File Allocation Table (FAT) file system, which does not include file-level access controls. Windows 2000, Windows XP, and Windows Server 2003 all support the NTFS file system, which does include file-level access controls. |
|
|
Term
| Which of the following is not a reason to restrict the number of applications or services installed on a secured system? |
|
Definition
| Software Dependencies - Software dependencies often force you to install additional software in order to support a specific service or application; they are a consequence of installing software, not a reason to limit it. Reasons to restrict the number of installed services and applications include software-specific attacks, additional avenues of attack, difficulty in managing access permissions, and known vulnerabilities. |
|
|
Term
| Which of the following actions would reduce the attack surface of a computer system connected to the Internet? |
|
Definition
| Removing Internet Information Server - Of the options listed, removing unneeded protocols and services is the only means to reduce the vulnerabilities and risks of the system, effectively reducing its attack surface. Installing new services or network interfaces increases the attack surface. Locking down access permissions might increase the difficulty of waging an attack, but the attack surface itself is unchanged. |
|
|
Term
| What types of patches or updates released by Microsoft should you apply only if you are experiencing the same issues they address? |
|
Definition
| Hot-fixes - Hot-fixes are patches and updates that are minimally tested so they can be released quickly. Thus, hot-fixes could cause problems in some environments and configurations. To avoid these problems, you should install a hot-fix only if you have the problem it was designed to address. As a general rule, you should install service packs and security roll-up packages. However, never install anything until you have tested the deployment on a non-production system. Resource kit tools are not patches or updates; they should be installed only if you need the tools contained in the kit. |
|
|
Term
| Which of the following activities can be used to describe or identify the components of the IT solution that are included in a trusted computing base? |
|
Definition
| List all aspects of the computer, software, procedures, and policies that support and enforce the security policy. - The trusted computing base is the collection of components, such as computer hardware, software, procedures, and policies, that support and enforce the security policy. Not all hardware components of a computer are part of the trusted computing base. Not all software installed on a system is part of the trusted computing base. Nor is the trusted computing base limited to the hardware and software involved in communications; it includes every component that enforces the security policy, whether or not it communicates. |
|
|
Term
| Managing and maintaining the trusted computing base is an essential element of maintaining security. Which of the following is not needed to maintain the trusted computing base? |
|
Definition
| Maintaining a backup of the trusted computing base components - In general, backups are an essential part of a security solution. However, managing and maintaining the trusted computing base does not involve backups, especially since not all components of the trusted computing base are software. Monitoring, enforcing procedures, secure design, and regular updates are part of managing and maintaining the trusted computing base. |
|
|
Term
| You own a company that builds client and server computers. You've decided to become a government-approved purchasing organization so you can sell your products to government agencies and government contractors. In order to qualify with the purchasing requirements established by the United States government, what must you do? |
|
Definition
| Obtain certification of your products. - Most government purchasing requirements require the products to comply with specific evaluation criteria. Proof of compliance with such criteria is known as certification. Current certifications are based on the Common Criteria. Specific security templates, quick format utilities, onsite technical support contracts, and security degrees are typically not elements of government purchasing contracts. |
|
|
Term
| When performing access control, a secured computer system performs two functions. Which of the following statements describes the first function? |
|
Definition
| Proving an identity - The first function or step when performing access control is to prove the identity of the user (authentication). The second function or step is authorization. Receiving a claimed identity (identification) is the initial sub-step of authentication. Tracking user activity (accounting) occurs after access control or authorization. |
|
|
Term
| Which of the following is not a reason that passwords are considered a weak security mechanism? |
|
Definition
| Single Sign-on - A single sign-on solution does not necessarily need to use passwords. Furthermore, even if it does, that does not relate to the issue of passwords being insecure or a weak mechanism. Passwords are insecure because they can be intercepted with Trojan horse keyloggers, captured through network traffic eavesdropping, and stolen through shoulder surfing. |
|
|
Term
| Which of the following should be the determining factor when you are selecting between two biometric devices from different vendors? |
|
Definition
| CER (Crossover Error Rate) - You should use the CER to select the more accurate device when you are choosing among several models of the same type of biometric scanner. The false rejection rate (Type I errors) and the false acceptance rate (Type II errors) are graphed against the device's sensitivity setting; the point where the two curves cross is the CER, and a lower CER means a more accurate device. Acceptability is taken into account when selecting what form of biometric scanner to use. Once you are deciding between two different products, you have already decided what biometric factor you want to use and you just need to select the best device for your environment. |
|
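The card above describes the CER as the point where the graphed false acceptance and false rejection curves cross. The Python below is an added example, not part of the original flashcard set: it takes constructed per-threshold FAR/FRR measurements for two hypothetical devices (the numbers are made up for illustration), finds the crossover by linear interpolation between the two nearest sample points, and picks the device with the lower CER. Real vendor data sheets would supply the measured rates.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class ErrorSample:
    """One measured operating point of a biometric device.

    threshold: the device's sensitivity setting at which the rates were measured
    far: false acceptance rate (Type II error), impostors accepted
    frr: false rejection rate (Type I error), legitimate users rejected
    """
    threshold: float
    far: float
    frr: float

    def __post_init__(self) -> None:
        for name, rate in (("far", self.far), ("frr", self.frr)):
            if not 0.0 <= rate <= 1.0:
                raise ValueError(f"{name} must be a rate in [0, 1], got {rate}")


def crossover_error_rate(samples: Iterable[ErrorSample]) -> Optional[Tuple[float, float]]:
    """Return (threshold, cer) where FAR == FRR, interpolating between samples.

    FAR normally falls and FRR rises as the threshold is tightened, so the
    difference FAR - FRR changes sign exactly once; the crossover is where it
    hits zero. Returns None if the sampled range never crosses.
    """
    pts = sorted(samples, key=lambda s: s.threshold)
    for a, b in zip(pts, pts[1:]):
        da = a.far - a.frr
        db = b.far - b.frr
        if da == 0.0:  # a sample sits exactly on the crossover
            return a.threshold, a.far
        if da * db < 0.0:  # sign change: crossover lies strictly between a and b
            frac = da / (da - db)
            threshold = a.threshold + frac * (b.threshold - a.threshold)
            far = a.far + frac * (b.far - a.far)
            frr = a.frr + frac * (b.frr - a.frr)
            return threshold, (far + frr) / 2.0  # equal up to rounding
    if pts and pts[-1].far == pts[-1].frr:
        return pts[-1].threshold, pts[-1].far
    return None


def select_more_accurate(devices: Dict[str, Iterable[ErrorSample]]) -> str:
    """Name of the device with the lowest CER; devices with no crossover are skipped."""
    scored = {name: crossover_error_rate(s) for name, s in devices.items()}
    scored = {name: cer for name, cer in scored.items() if cer is not None}
    if not scored:
        raise ValueError("no device has a measurable crossover in the sampled range")
    return min(scored, key=lambda name: scored[name][1])


# Constructed measurements for two hypothetical fingerprint readers (not real products).
DEVICE_A = [
    ErrorSample(1.0, 0.20, 0.01),
    ErrorSample(2.0, 0.10, 0.02),
    ErrorSample(3.0, 0.05, 0.05),  # crosses exactly at a sample: CER 5%
    ErrorSample(4.0, 0.02, 0.10),
    ErrorSample(5.0, 0.01, 0.20),
]
DEVICE_B = [
    ErrorSample(1.0, 0.30, 0.00),
    ErrorSample(2.0, 0.12, 0.04),
    ErrorSample(3.0, 0.06, 0.10),  # crossover falls between thresholds 2 and 3
    ErrorSample(4.0, 0.02, 0.18),
]

if __name__ == "__main__":
    for name, samples in (("A", DEVICE_A), ("B", DEVICE_B)):
        threshold, cer = crossover_error_rate(samples)
        print(f"device {name}: CER {cer:.3f} at threshold {threshold:.2f}")
    print("more accurate device:", select_more_accurate({"A": DEVICE_A, "B": DEVICE_B}))
```

The CER is a single comparison number, not the setting you must deploy: a bank can still run the chosen device at a tighter threshold than its crossover point to trade a higher FRR for a lower FAR.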
|
Term
| You are designing the logon security system for a bank environment. Which of the following represents the strongest authentication solution? |
|
Definition
| A password and a token - A password and a token make up the strongest authentication solution listed here, because they are two different authentication factors: something you know and something you have. All of the other options combine two instances of the same factor. |
|
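The two cards above describe access control as identification, then authentication, then authorization (with activity tracking afterwards), and name a password plus a token as the strongest pairing because they are two different factors. The Python below is an added example, not part of the original flashcard set, showing that flow end to end for a hypothetical bank logon: the first factor is a PBKDF2 password hash, the second is a time-based one-time code computed as in RFC 4226/6238 (HMAC-SHA1 over a counter, dynamically truncated), which is what most hardware and soft tokens emit. The user directory, role table, iteration count and audit log are constructed for the example; the OTP seed is the RFC 6238 reference secret so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000   # assumption: tune to your hardware; higher is slower for attackers too
TOTP_STEP = 30            # seconds per code, the RFC 6238 default


@dataclass
class User:
    """Constructed user record; otp_secret is the seed shared with the user's token."""
    name: str
    salt: bytes
    password_hash: bytes
    otp_secret: bytes
    roles: FrozenSet[str]
    last_otp_counter: int = -1  # highest counter already accepted, to refuse replayed codes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def make_user(name: str, password: str, otp_secret: bytes, roles: Set[str]) -> User:
    # Assumption: a deterministic salt keeps the example reproducible; use os.urandom(16) in practice.
    salt = hashlib.sha256(name.encode("utf-8")).digest()
    return User(name, salt, hash_password(password, salt), otp_secret, frozenset(roles))


OTP_SEED = b"12345678901234567890"  # RFC 6238 reference secret, used here as constructed test data
DIRECTORY: Dict[str, User] = {
    "teller1": make_user("teller1", "correct horse battery staple", OTP_SEED, {"teller"}),
}
PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {  # constructed role -> (action, resource) policy
    "teller": {("read", "balance"), ("post", "deposit")},
    "manager": {("read", "balance"), ("post", "deposit"), ("approve", "wire")},
}
AUDIT_LOG: List[str] = []  # accounting: recorded after each decision, not part of the decision


def authenticate(username: str, password: str, otp_code: str, now: int, window: int = 1) -> Optional[User]:
    """Identification (look up the claimed identity), then both factors. Returns the user or None."""
    user = DIRECTORY.get(username)
    if user is None:
        hash_password(password, b"\x00" * 32)  # burn the same time so unknown users are not revealed by timing
        AUDIT_LOG.append(f"DENY login: unknown user {username!r}")
        return None
    # Factor 1, something you know. compare_digest avoids leaking the hash via timing.
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        AUDIT_LOG.append(f"DENY login {username}: bad password")
        return None
    # Factor 2, something you have. Tolerate +/- window steps of clock skew, but never
    # accept a counter at or below one already used: a captured code must not work twice.
    counter = now // TOTP_STEP
    for c in range(counter - window, counter + window + 1):
        if c > user.last_otp_counter and hmac.compare_digest(hotp(user.otp_secret, c), otp_code):
            user.last_otp_counter = c
            AUDIT_LOG.append(f"ALLOW login {username}")
            return user
    AUDIT_LOG.append(f"DENY login {username}: bad or replayed token code")
    return None


def authorize(user: User, action: str, resource: str) -> bool:
    """Authorization, the second access-control function: does any role grant this (action, resource)?"""
    allowed = any((action, resource) in PERMISSIONS.get(role, set()) for role in user.roles)
    AUDIT_LOG.append(f"{'ALLOW' if allowed else 'DENY'} {user.name} {action} {resource}")
    return allowed


if __name__ == "__main__":
    now = 59  # RFC 6238 vector time; a real system uses int(time.time())
    code = totp(OTP_SEED, now)
    user = authenticate("teller1", "correct horse battery staple", code, now)
    print("logged in:", user is not None)
    if user:
        print("read balance:", authorize(user, "read", "balance"))
        print("approve wire:", authorize(user, "approve", "wire"))
    print("replay of same code accepted:", authenticate("teller1", "correct horse battery staple", code, now) is not None)
    print("\n".join(AUDIT_LOG))
```

The replay check is what makes the token a genuine second factor in practice: without it, a keylogger or shoulder surfer who captured both the password and one code within the skew window would get in, which is exactly the weakness the password-only card describes.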
|