CISSP Application Questions

1.At what stage of the applications development process should the security department become involved?

a. Prior to the implementation

b. Prior to systems testing

c. During unit testing

d. During requirements development

2.System Development Controls are based on

a. a detailed set of business objectives.

b. a logical design for security testing.

c. an auditor designated review process.

d. a standard methodology for project performance.

3. When verifying the key control objectives of a system design, the security specialist should ensure that the

a. Final system design has security administrator approval

b. Auditing procedures have been defined

c. Vulnerability assessment has been completed

d. Impact assessment has been approved

4. What is the final phase of the system development life-cycle?

a. System installation and test

b. System maintenance support

c. System certification

d. System accreditation

5.In an on-line computer application system, erroneous or invalid transactions that are detected by the computer program should be

a. dropped from processing.

b. written to a report and reviewed.

c. terminated and the process aborted.

d. written to a computer log.

6.Copies of essential application programs, documentation, and electronic data should be

a. stored with the computer system.

b. licensed by users.

c. maintained by the developers.

d. stored at a backup site.

7.What is one disadvantage of content-dependent Access Control of information?

a. It increases processing overhead.

b. It requires additional password entry.

c. It exposes the system to data locking.

d. It limits the user's individual address space.

8.What is one advantage of content-dependent Access Control of information?

a. It prevents data locking.

b. It limits the user's individual address space.

c. It provides highly granular control.

d. It confines access to authorized users of the system.

9.Which of the following is essential to the Open Software Foundation’s Distributed Computing Environment (DCE)?

a. User Identification String (UIDS)

b. Universal Unique Identifier (UUID)

c. Distributed Communications Control Element (DCCE)

d. Data Communication Cell Service (DCCS)

10.In what way could Java applets pose a security threat?

a. Their transport can interrupt the secure distribution of World Wide Web pages over the Internet by removing SSL and S-HTTP

b. Java interpreters do not provide the ability to limit system access that an applet could have on a client system.

c. Executables from the Internet may attempt an intentional attack when they are downloaded on a client system.

d. Java does not check the bytecode at runtime or provide other safety mechanisms for program isolation from the client system.

Answers of 1 to 10

1.d

2.d

3.c

4.d

5.b

6.d

7.a

8.c

9.b

10.c

11.What security concern is related to applications created with third-party software tools (i.e. APIs and libraries)?

a. They contain undocumented maintenance hooks

b. They operate in privileged mode

c. Their source code cannot be verified

d. They bypass key security functions

12.Which of the following is commonly used for retrofitting security to a Database Management System?

a. Trusted back-end

b. Audit trail

c. Trusted front-end

d. Controller

13.Which of the following has the objective to control and manage data from a central location?

a. Databases

b. Data dictionaries

c. Data access methods

d. Data storage

14. Department managers have READ access to the salaries of the employees in their departments but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically provide

a. content-dependent access control.

b. context-dependent access control.

c. least privileges access control.

d. ownership-based access control.

15. When a database error has been detected requiring a backing out process, a mechanism that permits starting the process at designated places in the process is called a

a. restarter.

b. reboot.

c. checkpoint.

d. journal.

16. Which of the following controls is most effective in the restriction of views in a database?

a. User

b. Preventative

c. Corrective

d. Detective

17. Which of the following is NOT an effective deterrent against a database inference attack?

a. Partitioning

b. Small query sets

c. Noise and perturbation

d. Cell suppression

18. The purpose of polyinstantiation is to prevent

a. low-level users from accessing low-level data.

b. low-level users from inferring the existence of data in other databases.

c. high-level users from inferring the existence of data at lower levels.

d. low-level users from inferring the existence of higher level data.

19. Expert systems are commonly used to automate security log reviews for

a. user profiling.

b. intrusion detection.

c. system baselining.

d. access modeling

20. Expert systems use all of the following techniques for artificial intelligence EXCEPT

a. automatic logical processing.

b. inference engine processing.

c. general methods of searching for problem solutions.

d. cyclic-based reasoning statements.

Answers of 11 to 20

11.c 12.c 13.b 14.a 15.c 16.b 17.b 18.d 19.b 20.d

21. In what way does inference play a critical role in knowledge based systems?

a. The knowledge base must contain not only facts but rules for combining those facts to form new ones.

b. New information developed through inference must be labeled based on the sensitivity of the data used for the inference.

c. The knowledge gained through inference can alter the risk profile of the target system.

d. The accuracy of the information inferred can be questionable based on the rules that are applied.

22. What is the name of a malicious computer program that replicates itself by attaching to other programs?

a. Virus.

b. Worm.

c. Trap door.

d. Trojan horse.

23. Which of the following is a malicious program, the purpose of which is to reproduce itself throughout the network utilizing system resources?

a. Logic bomb

b. Virus

c. Worm

d. Trojan horse

24. A system file that has been patched numerous times becomes infected with a virus. The anti-virus software warns that disinfecting the file may damage it. What course of action should be taken?

a. Replace the file with the original version from master media

b. Proceed with automated disinfection

c. Research the virus to see if it is benign

d. Restore an uninfected version of the patched file from backup media

25. A shareware graphics program is down-loaded from a Web site. It is later discovered that this program is also recording network login attempts. Which type of malicious code does this represent?

a. Virus

b. Worm

c. Trojan Horse

d. Logic Bomb

26. What types of files do Macro viruses infect?

a. E-Mail Message Headers

b. Web Browsers

c. Knowledge Base files

d. Office Productivity files

27.Which one of the following BEST describes a logic bomb?

a. Functions triggered by a specified condition.

b. Cause the execution of unanticipated functions.

c. Used to remove data or copies of data from the computer.

d. Used to move assets from one system to another.

28.Which of the following is NOT an element in the change management control process?

a. Hardware configuration

b. Application configuration

c. Operating system configuration

d. Logical configuration

29. What is the final step in the change control management process?

a. Inform the users of the change.

b. Test the functionality of the change.

c. Update the procedure manual.

d. Report the change to management.

30. In which phase of a project development plan should security requirements be identified and defined?

a. Acceptance testing/Implementation

b. Project initiation

c. Functional design analysis and planning

d. Disposal

Answers of 21 to 30

21.a 22.a 23.c 24.d 25.c 26.d 27.a 28.d 29.d 30.c

31. In which phase of software development should a risk analysis be conducted?

a. Functional design analysis and planning

b. Project initiation

c. Software development

d. System design specifications

32. Ensuring that programmers are not the only ones who test their own code is an example of what?

a. Job rotation

b. Change control

c. Distributed environment

d. Separation of duties

33. Which of the following is not a characteristic of object-oriented programming?

a. Highly-modular

b. Expensive and time-consuming

c. Self-contained

d. Uses objects and classes

34. Why are macro viruses prevalent and popular?

a. They hide their activities when in stealth mode.

b. They hide in the boot sector and within the file system.

c. They are easily written.

d. They garble their code to evade detection.

35. Which of the following can be used as middleware in client/server relationships?

a. CASE

b. ADO

c. ICMP

d. ORB

36. Which of the following is an example of OLE?

a. Tokens used by HTTP to keep track of user profile information

b. Embedding a graphic into a document

c. Small mobile-code programs that run on a user’s browser

d. Scripts used to manipulate data that is inputted into a web site

37. Which of the following database terms is the intersection of a row and column?

a. Cell

b. Tuple

c. Attribute

d. Foreign key

38. Which of the following is the result of data mining?

a. DBMS

b. Schema

c. Metadata

d. Data warehouse

39. Which of the following automatically identifies patterns within an expert system?

a. If-then rules

b. Inference engine

c. Knowledge base

d. Numerical algorithms

40. Which of the following is not a part of a smurf attack?

a. Amplified network

b. ICMP

c. UDP

d. Victim

Answers of 31 to 40

31.b 32.d 33.b 34.c 35.d 36.b 37.a 38.c 39.b 40.c

41. Which of the following is used to control and maintain the database centrally?

a. Data dictionary

b. Primary key

c. Tuple and attributes

d. Foreign key

42. The definition "the science and art of specifying, designing, implementing and evolving programs, documentation and operating procedures whereby computers can be made useful to man" is that of:

a. Structured analysis/structured design (SA/SD)

b. Software engineering

c. An object-oriented system

d. Functional programming

43. In software engineering, the term verification is defined as:

a. To establish the truth of correspondence between a software product and its specification

b. A complete, validated specification of the required functions, interfaces, and performance for the software product

c. To establish the fitness or worth of a software product for its operational mission

d. A complete, verified specification of the overall hardware-software architecture, control structure, and data structure for the product

44. The discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the life cycle is called:

a. Change control

b. Request control

c. Release control

d. Configuration management

45. A refinement to the basic Waterfall Model that states that software should be developed in increments of functional capability is called:

a. Functional refinement

b. Functional development

c. Incremental refinement

d. Incremental development

46. The Spiral Model of the software development process (B.W. Boehm, "A Spiral Model of Software Development and Enhancement," IEEE Computer, May 1988) uses the following metric relative to the spiral

a. The radial dimension represents the cost of each phase

b. The radial dimension represents progress made in completing each cycle

c. The angular dimension represents cumulative cost

d. The radial dimension represents cumulative cost

47. In the Capability Maturity Model (CMM) for software, the definition "describes the range of expected results that can be achieved by following a software process" is that of:

a. Structured analysis/structured design (SA/SD)

b. Software process capability

c. Software process performance

d. Software process maturity

48. Which of the following is NOT a Software CMM maturity level?

a. Initial

b. Repeatable

c. Behavioral

d. Managed

49. A distributed object model that has similarities to the Common Object Request Broker Architecture (CORBA) is:

a. Distributed Component Object Model (DCOM)

b. The Chinese Wall Model

c. Inference Model

d. Distributed Data Model

50. What key professional or professionals are required to develop an expert system?

a. Knowledge engineer and object designer

b. Knowledge engineer and domain expert

c. Domain expert

d. Domain expert and object designer

Answers of 41 to 50

41.a 42.b 43.a 44.d 45.d 46.d 47.b 48.c 49.a 50.b
