[Computer Professional Qualification] Computer CISSP Certification-2 with Answers and Explanations.doc

Computer CISSP Certification-2 with Answers and Explanations (Total points: 100.00; time allowed: 90 minutes)

1. What type of markup language allows company interfaces to pass service requests and the receiving company provision access to these services? (Points: 2.50)
A. XML
B. SPML
C. SGML
D. HTML

2. There are several different types of centralized access control protocols. Which of the following is illustrated in the graphic that follows? (Points: 2.50)
A. Diameter
B. Watchdog
C. RADIUS
D. TACACS+

3. An access control matrix is used in many operating systems and applications to control access between subjects and objects. What is the column in this type of matrix referred to as? (Points: 2.50)
[Graphic: Access Control Matrix]
A. Capability table
B. Constrained interface
C. Role-based value
D. ACL

4. What technology within identity management is illustrated in the graphic that follows? (Points: 2.50)
A. User provisioning
B. Federated identity
C. Directories
D. Web access management

5. There are several different types of single sign-on protocols and technologies in use today. What type of technology is illustrated in the graphic that follows? (Points: 2.50)
A. Kerberos
B. Discretionary access control
C. SESAME
D. Mandatory access control

6. There are different ways that specific technologies can create one-time passwords for authentication purposes. What type of technology is illustrated in the graphic that follows? (Points: 2.50)
A. Counter synchronous token
B. Asynchronous token
C. Mandatory token
D. Synchronous token

7. Sally is carrying out a software analysis on her company's proprietary application. She has found out that it is possible for an attacker to force an authorization step to take place before the authentication step is completed successfully. What type of issue would allow for this type of compromise to take place? (Points: 2.50)
A. Backdoor
B. Maintenance hook
C. Race condition
D. Data validation error

8. Which of the following best describes how SAML, SOAP, and HTTP commonly work together in an environment that provides Web services? (Points: 2.50)
A. Security attributes are put into SAML format. Web service request and authentication data are encrypted in a SOAP message. Message is transmitted in an HTTP connection.
B. Security attributes are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in an HTTP connection over TLS.
C. Authentication data are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in an HTTP connection.
D. Authentication data are put into SAML format. HTTP request and authentication data are encapsulated in a SOAP message. Message is transmitted in an HTTP connection.

9. Tom works at a large retail company that recently deployed radio-frequency identification (RFID) to better manage its inventory processes. Employees use scanners to gather product-related information instead of manually looking up product data. Tom has found out that malicious customers have carried out attacks on the RFID technology to reduce the amount they pay on store items. Which of the following is the most likely reason for the existence of this type of vulnerability? (Points: 2.50)
A. The company's security team does not understand how to secure this type of technology.
B. The cost of integrating security within RFID is cost prohibitive.
C. The technology has low processing capabilities and encryption is very processor-intensive.
D. RFID is a new and emerging technology, and the industry does not currently have ways to secure it.

10. Tanya is the security administrator for a large distributed retail company. The company's network has many different network devices and software appliances that generate logs and audit data. Tanya and her staff have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Which of the following is the best solution for this company to implement? (Points: 2.50)
A. Security information and event management
B. Event correlation tools
C. Intrusion detection systems
D. Security event correlation management tools

11. Sarah and her security team have carried out many vulnerability tests over the years to locate the weaknesses and vulnerabilities within the systems on the network. The CISO has asked her to oversee the development of a threat model for the network. Which of the following best describes what this model is and what it would be used for? (Points: 2.50)
A. A threat model can help to assess the probability, the potential harm, and the priority of attacks, and thus help to minimize or eradicate the threats.
B. A threat model combines the output of the various vulnerability tests and the penetration tests carried out to understand the security posture of the network as a whole.
C. A threat model is a risk-based model that is used to calculate the probabilities of the various risks identified during the vulnerability tests.
D. A threat model is used in software development practices to uncover programming errors.

12. Lacy's manager has tasked her with researching an intrusion detection system for a new dispatching center. Lacy identifies the top five products and compares their ratings. Which of the following are the evaluation criteria most in use today for these types of purposes? (Points: 2.50)
A. ITSEC
B. Common Criteria
C. Red Book
D. Orange Book

13. Certain types of attacks have been made more potent by which of the following advances to microprocessor technology? (Points: 2.50)
A. Increased circuits, cache memory, and multiprogramming
B. Dual mode computation
C. Direct memory access I/O
D. Increases in processing power

14. CPUs and operating systems can work in two main types of multitasking modes. What controls access and the use of system resources in preemptive multitasking mode? (Points: 2.50)
A. The user and application
B. The program that is loaded into memory
C. The operating system
D. The CPU and user

15. Virtual storage combines RAM and secondary storage for system memory. Which of the following is a security concern pertaining to virtual storage? (Points: 2.50)
A. More than one process uses the same resource.
B. It allows cookies to remain persistent in memory.
C. It allows for side-channel attacks to take place.
D. Two processes can carry out a denial-of-service.

16. Which of the following is a common association of the Clark-Wilson access model? (Points: 2.50)
A. Chinese Wall
B. Access tuple
C. Read up and write down rule
D. Subject and application binding

17. Which of the following correctly describes the relationship between the reference monitor and the security kernel? (Points: 2.50)
A. The security kernel implements and enforces the reference monitor.
B. The reference monitor is the core of the trusted computing base, which is made up of the security kernel.
C. The reference monitor implements and enforces the security kernel.
D. The security kernel, aka abstract machine, implements the reference monitor concept.

18. The trusted computing base (TCB) ensures security within a system when a process in one domain must access another domain in order to retrieve sensitive information. What function does the TCB initiate to ensure that this is done in a secure manner? (Points: 2.50)
A. I/O operational execution
B. Process deactivation
C. Execution domain switching
D. Virtual memory to real memory mapping

19. The Zachman Architecture Framework is often used to set up an enterprise security architecture. Which of the following does not correctly describe the Zachman Framework? (Points: 2.50)
A. A two-dimensional model that uses communication interrogatives intersecting with different levels
B. A security-oriented model that gives instructions in a modular fashion
C. Used to build a robust enterprise architecture versus a technical security architecture
D. Uses six perspectives to describe a holistic information infrastructure

20. John has been told to report to the board of directors with a vendor-neutral enterprise architecture framework that will help the company reduce fragmentation that results from the misalignment of IT and business processes. Which of the following frameworks should he suggest? (Points: 2.50)
A. DoDAF
B. CMMI
C. ISO/IEC 42010
D. TOGAF

21. Protection profiles used in the Common Criteria evaluation process contain five elements. Which of the following establishes the type and intensity of the evaluation? (Points: 2.50)
A. Descriptive elements
B. Evaluation assurance requirements
C. Evaluation assurance level
D. Security target

22. Which of the following best defines a virtual machine? (Points: 2.50)
A. A virtual instance of an operating system
B. A piece of hardware that runs multiple operating system environments simultaneously
C. A physical environment for multiple guests
D. An environment that can be fully utilized while running legacy applications

23. Bethany is working on a mandatory access control (MAC) system. She has been working on a file that was classified as Secret. She can no longer access this file because it has been reclassified as Top Secret. She deduces that the project she was working on has just increased in confidentiality and she now knows more about this project than her clearance and need-to-know allows. Which of the following refers to a concept that attempts to prevent this type of scenario from occurring? (Points: 2.50)
A. Covert storage channel
B. Inference attack
C. Noninterference
D. Aggregation

24. Virtualization offers many benefits. Which of the following incorrectly describes virtualization? (Points: 2.50)
A. Virtualization simplifies operating system patching.
B. Virtualization can be used to build a secure computing platform.
C. Virtualization can provide fault and error containment.
D. Virtual machines offer powerful debugging capabilities.

25. Which security architecture model defines how to securely develop access rights between subjects and objects? (Points: 2.50)
A. Brewer-Nash
B. Clark-Wilson
C. Graham-Denning
D. Bell-LaPadula

26. Operating systems can be programmed to carry out different methods for process isolation. Which of the following refers to a method in which an interface defines how communication can take place between two processes and no process can interact with the other's internal programming code? (Points: 2.50)
A. Virtual mapping
B. Encapsulation of objects
C. Time multiplexing
D. Naming distinctions

27. Which of the following is not a responsibility of the memory manager? (Points: 2.50)
A. Use complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments.
B. Limit processes to interact only with the memory segments assigned to them.
C. Swap contents from RAM to the hard drive as needed.
D. Run an algorithm to identify unused committed memory and inform the operating system that the memory is available.

28. Several types of read-only memory devices can be modified after they are manufactured. Which of the following statements correctly describes the differences between two types of ROM? (Points: 2.50)
A. PROM can only be programmed once, while EEPROM can be programmed multiple times.
B. A UV light is used to erase data on EEPROM, while onboard programming circuitry and signals erase data on EPROM.
C. The process used to delete data on PROM erases one byte at a time, while to erase data on an EPROM chip, you must remove it from the hardware.
D. The voltage used to write bits into the memory cells of EPROM burns out the fuses that connect individual memory cells, while UV light is used to write to the memory cells of PROM.

29. There are different ways that operating systems can carry out software I/O procedures. Which of the following is used when the CPU sends data to an I/O device and then works on another process's request until the I/O device is ready for more data? (Points: 2.50)
A. I/O using DMA
B. Interrupt-driven I/O
C. Programmable I/O
D. Premapped I/O

30. The Information Technology Infrastructure Library (ITIL) consists of five sets of instructional books. Which of the following is considered the core set and focuses on the overall planning of the intended IT services? (Points: 2.50)
A. Service Operation
B. Service Design
C. Service Transition
D. Service Strategy

31. Widgets Inc.'s software development processes are documented and the organization is capable of producing its own standard of software processes. Which of the following Capability Maturity Model Integration levels best describes Widgets Inc.? (Points: 2.50)
A. Initial
B. Repeatable
C. Defined
D. Managed

32. There are several different important pieces to the Common Criteria. Which of the following best describes the first of the missing components? (Points: 2.50)
A. Target of evaluation
B. Protection profile
C. Security target
D. EALs

33. Different access control models provide specific types of security measures and functionality in applications and operating systems. What model is being expressed in the graphic that follows? (Points: 2.50)
A. Noninterference
B. Biba
C. Bell-LaPadula
D. Chinese Wall

34. There are many different types of access control mechanisms that are commonly embedded into all operating systems. Which of the following is the mechanism that is missing in this graphic? (Points: 2.50)
A. Trusted computing base
B. Security perimeter
C. Reference monitor
D. Domain

35. There are several security enforcement components that are commonly built into operating systems. Which component is illustrated in the graphic that follows? (Points: 2.50)
A. Virtual machines
B. Interrupt
C. Cache memory
D. Protection rings

36. A multitasking operating system can have several processes running at the same time. What are the components within the processes that are shown in the graphic that follows? (Points: 2.50)
A. Threads
B. Registers
C. Address buses
D. Process tables

Charlie is a new security manager at a textile company that develops its own proprietary software for internal business processes. Charlie has been told that the new application his team needs to develop must comply with the ISO/IEC 42010 standard. He has found out that many of the critical applications have been developed in the C programming language and has asked for these applications to be reviewed for a specific class of security vulnerabilities. (Points: 5.00)

(1). Which of the following best describes the standard Charlie's team needs to comply with? (Points: 2.50)
A. International standard on system design to allow for better quality, interoperability, extensibility, portability, and security
B. International Standard on system security to allow for better threat modeling
C. International standard on system architecture to allow for better quality, interoperability, extensibility, portability, and security
D. International standard on system architecture to allow for better quality, extensibility, portability, and security

(2). Which of the following is Charlie most likely concerned with in this situation? (Points: 2.50)
A. Injection attacks
B. Memory block
C. Buffer overflows
D. Browsing attacks

Tim's development team is designing a new operating system. One of the requirements of the new product is that critical memory segments need to be categorized as nonexecutable, with the goal of reducing malicious code from being able to execute instructions in privileged mode. The team also wants to make sure that attackers will have a difficult time predicting execution target addresses. (Points: 2.00)

(1). Which of the fol
