6.
Multi-factor authentication is most closely related to which of the following security design principles?
  • A. Separation of Duties.
  • B. Defense in depth.
  • C. Complete mediation.
  • D. Open design.
Answer : [B]
Explanation :
Having more than one way of authentication provides for a layered defense which is the premise of the defense in depth security design principle.
7.
Audit logs can be used for all of the following EXCEPT
  • A. providing evidentiary information.
  • B. assuring that the user cannot deny their actions.
  • C. detecting the actions that were undertaken.
  • D. preventing a user from performing some unauthorized operations.
Answer : [D]
Explanation :
Audit log information can be a detective control (providing evidentiary information) and a deterrent control when users know that they are being audited, but it cannot prevent any unauthorized actions. When the software logs user actions, it also provides non-repudiation capabilities because the user cannot deny their actions.
8.
Organizations often pre-determine the acceptable number of user errors before recording them as security violations. This number is otherwise known as:
  • A. Clipping level.
  • B. Known Error.
  • C. Minimum Security Baseline.
  • D. Maximum Tolerable Downtime.
Answer : [A]
Explanation :
The pre-determined number of acceptable user errors before recording the error as a potential security incident is referred to as the clipping level. For example, if the number of allowed failed login attempts before the account is locked out is 3, then the clipping level for authentication attempts is 3.
9.
A security principle that maintains the confidentiality, integrity and availability of the software and data, besides allowing for rapid recovery to the state of normal operations, when unexpected events occur is the security design principle of
  • A. defense in depth.
  • B. economy of mechanisms.
  • C. fail secure.
  • D. psychological acceptability.
Answer : [C]
Explanation :
The fail secure principle prescribes that access decisions must be based on permission rather than exclusion. This means that the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design.
A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, a safe situation, since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure which may go unnoticed in normal use. This principle applies both to the outward appearance of the protection mechanism and to its underlying implementation.
10.
Requiring the end user to accept an ‘AS-IS’ disclaimer clause before installation of your software is an example of risk
  • A. avoidance.
  • B. mitigation.
  • C. transference.
  • D. acceptance.
Answer : [C]
Explanation :
When an "AS-IS" disclaimer clause is used, the risk is transferred from the publisher of the software to the user of the software.