Application Development Security Flashcards Preview


Flashcards in Application Development Security Deck (64)
1

Which of the following is a facial feature identification product that can employ artificial intelligence and can require the system to learn from experience?
A. All of the choices.
B. Digital nervous system.
C. Neural networking
D. DSV

Answer: C
Explanation: Facial feature identification products on the market use several technologies to capture a face. One of them is neural networking, which can employ artificial intelligence and requires the system to "learn" from experience; that learning helps the system converge on an identification of an individual. Most facial feature identification systems today accept only two-dimensional frontal images of the face. Not DSV: signature biometrics are often referred to as dynamic signature verification (DSV) and look at the way we sign our names. The dynamic nature differentiates it from the study of static signatures on paper. Within DSV a number of characteristics can be extracted from the physical signing process, for example the angle at which the pen is held, the time taken to sign, the velocity and acceleration of the pen tip, and the number of times the pen is lifted from the paper. Although the way we sign is mostly learnt over the years, it is very hard to forge and replicate.

2

Which option is NOT a benefit derived from the use of neural networks?
A. Linearity
B. Input-Output Mapping
C. Adaptivity
D. Fault Tolerance

Answer: A
Explanation: Linearity is not among the benefits; the benefit is nonlinearity, which comes from the threshold behavior of the artificial neuron: "If the sum of the weighted inputs then exceeds the threshold, the neuron will "fire" and there will be an output from that neuron. An alternative approach would be to have the output of the neuron be a linear function of the sum of the artificial neuron inputs." The linear output is the alternative design, not the advantage.
Input-Output Mapping: "For example, if a specific output vector was required for a specific input where the relationship between input and output was non-linear, the neural network would be trained by applying a set of input vectors."
Adaptivity: "The neural network would then be said to have learned to provide the correct response for each input vector."
Fault Tolerance is also a benefit: because the learned knowledge is spread across many weighted connections, damage to or errors in a few neurons degrade the output gradually rather than causing outright failure.
Pg. 261 Krutz: The CISSP Prep Guide

3

Which of the following is a characteristic of a decision support system (DSS)?
A. DSS is aimed at solving highly structured problems
B. DSS emphasizes flexibility in the decision making approach of users
C. DSS supports only structured decision-making tasks
D. DSS combines the use of models with non-traditional data access and retrieval functions

Answer: B
Explanation: A DSS supports semi-structured and unstructured decisions rather than solving highly structured problems, and it emphasizes flexibility in how users approach a decision. In Sprague's classic characterization a DSS combines models or analytic techniques with traditional data access and retrieval functions, so option D, with its "non-traditional", is a distractor.

4

Which of the following is a communication mechanism that enables direct conversation between two applications?
A. DDE
B. OLE
C. ODBC
D. DCOM

Answer: A
Explanation: "Dynamic Data Exchange (DDE) enables applications to share data by providing IPC. It is based on the client/server model and enables two programs to send commands to each other directly. DDE is a communication mechanism that enables direct conversation between two applications. The source of the data is called the server, and the receiver of the data is the client." Pg. 718 Shon Harris: All-In-One CISSP Certification Exam Guide

5

Which expert system operating mode allows determining if a given hypothesis is valid?
A. Vertical chaining
B. Lateral chaining
C. Forward chaining
D. Backward chaining

Answer: D
Explanation: "The expert system operates in either a forward-chaining or backward-chaining mode. In a forward-chaining mode, the expert system acquires information and comes to a conclusion based on that information. Forward-chaining is the reasoning approach that can be used when there is a small number of solutions relative to the number of inputs. In a backward chaining mode, the expert system backtracks to determine if a given hypothesis is valid. Backward-chaining is generally used when there are a large number of possible solutions relative to the number of inputs. Another type of expert system is the blackboard. A blackboard is an expert system-reasoning methodology in which a solution is generated by the use of a virtual "blackboard," wherein information or potential solutions are placed on the blackboard by the plurality of individuals or expert knowledge sources. As more information is placed on the blackboard in an iterative process, a solution is generated." Pg 354 Krutz: The CISSP Prep Guide: Gold Edition

6

Which one of the following is a security issue related to aggregation in a database?
A. Polyinstantiation
B. Inference
C. Partitioning
D. Data swapping

Answer: B
Explanation: "Inference is the ability of users to infer or deduce information about data at sensitivity levels for which they do not have access privileges." Ronald Krutz, The CISSP Prep Guide (Gold Edition), pg 358.
"The other security issue is inference, which is very similar to aggregation." Shon Harris, All-in-One CISSP Certification Guide, pg 727.
Not C: "Partitioning a database involves dividing the database into different parts, which makes it much harder for an unauthorized individual to find connecting pieces of data that can be brought together and other information that can be deduced or uncovered." Shon Harris, All-in-One CISSP Certification Guide, pg 726.
Not A: "Polyinstantiation enables a relation to contain multiple tuples with the same primary keys with each instance distinguished by a security level." Shon Harris, All-in-One CISSP Certification Guide, pg 727.

7

How is polyinstantiation used to secure a multilevel database?
A. It prevents low-level database users from inferring the existence of higher level data.
B. It confirms that all constrained data items within the system conform to integrity specifications.
C. It ensures that all mechanism in a system are responsible for enforcing the database security policy.
D. Two operations at the same layer will conflict if they operate on the same data item and at least one of them is an update.

Answer: A
Explanation: “Polyinstantiation is the development of a detailed version of an object from another object using different values in the new object. In database information security, this term is concerned with the same primary key for different relations at different classification levels being stored in the same database. For example, in a relational database, the name of a military unit may be classified Secret in the database and may have an identification number as the primary key. If another user at a lower classification level attempts to create a Confidential entry for another military unit using the same identification number as a primary key, a rejection of this attempt would imply to the lower level user that the same identification number existed at a higher level of classification. To avoid this inference channel of information, the lower level user would be issued the same identification number for their unit and the database management system would manage this situation where the same primary key was used for different units.” Pg 352-353 Krutz: The CISSP Prep Guide: Gold Edition.
“Polyinstantiation occurs when two or more rows in the [...] Normally, this database contains the exact position of each ship stored at the secret classification level. However, one particular ship, the USS UpToNoGood, is on an undercover mission to a top-secret location. Military commanders do not want anyone to know that the ship deviated from its normal patrol. If the database administrators simply change the classification of the UpToNoGood’s location to top secret, a user with secret clearance would know that something unusual was going on when they couldn’t query the location of the ship. However, if polyinstantiation is used, two records could be inserted into the table. The first one, classified at the top secret level, would reflect the true location of the ship and be available only to users with the appropriate top secret security clearance. The second record, classified at the secret level, would indicate that the ship was on routine patrol and would be returned to users with a secret clearance.”
Pg. 191 Tittel: CISSP Study Guide Second Edition
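The UpToNoGood scenario above, implemented as an added example (not code from Krutz or Tittel) with Python's sqlite3 and a constructed ship-location table. The classification lattice, the composite primary key (ship, classification) and the sample rows are assumptions of the demo. The first function shows the inference channel a single-column primary key opens (the rejected insert), the second shows the clearance-filtered read that returns the cover story or the true position:

```python
import sqlite3

# Assumed classification lattice, ordered low to high (demo only).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

# Constructed sample rows mirroring the card's story: the USS UpToNoGood has
# a cover story at secret and its real location at top secret.
SAMPLE_ROWS = [
    ("USS Ordinary", "secret", "41.2N 70.1W, routine patrol"),
    ("USS UpToNoGood", "secret", "38.9N 76.5W, routine patrol"),
    ("USS UpToNoGood", "top secret", "12.3N 44.0E, covert mission"),
]


def build_db(polyinstantiated=True):
    """Create an in-memory table; the key shape is the whole point.

    With polyinstantiation the primary key is (ship, classification), so one
    ship may have one row per level.  Without it the key is ship alone.
    """
    key = "PRIMARY KEY (ship, classification)" if polyinstantiated else "PRIMARY KEY (ship)"
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ship_location ("
        "ship TEXT NOT NULL, classification TEXT NOT NULL, "
        f"location TEXT NOT NULL, {key})"
    )
    return conn


def low_level_insert_is_rejected(polyinstantiated):
    """Return True if a secret-level insert fails because a top-secret row
    for the same ship already exists.  The rejection is the inference channel:
    it tells the secret user that the ship has a higher-classified record."""
    conn = build_db(polyinstantiated)
    conn.execute("INSERT INTO ship_location VALUES (?, ?, ?)", SAMPLE_ROWS[2])
    try:
        conn.execute("INSERT INTO ship_location VALUES (?, ?, ?)", SAMPLE_ROWS[1])
    except sqlite3.IntegrityError:
        return True
    return False


def location_for(conn, ship, clearance):
    """Return the location a user cleared to `clearance` may see, or None.

    Rows above the clearance are filtered out in SQL; of the remaining rows
    the highest-classified one wins, so a secret user gets the cover story
    and a top-secret user gets the true position.
    """
    visible = [name for name, rank in LEVELS.items() if rank <= LEVELS[clearance]]
    marks = ",".join("?" * len(visible))  # only placeholders; no user data in the SQL text
    rows = conn.execute(
        f"SELECT classification, location FROM ship_location "
        f"WHERE ship = ? AND classification IN ({marks})",
        [ship, *visible],
    ).fetchall()
    if not rows:
        return None
    return max(rows, key=lambda r: LEVELS[r[0]])[1]


def demo_db():
    """Polyinstantiated table loaded with the constructed sample rows."""
    conn = build_db()
    conn.executemany("INSERT INTO ship_location VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    db = demo_db()
    for level in ("confidential", "secret", "top secret"):
        print(level, "->", location_for(db, "USS UpToNoGood", level))
    print("single-key table leaks existence:", low_level_insert_is_rejected(False))
    print("polyinstantiated table leaks existence:", low_level_insert_is_rejected(True))
```

Note the trade-off the card glosses over: polyinstantiation buys confidentiality by deliberately storing two contradictory "truths" for one entity, so the rule for which row is authoritative has to live in the DBMS (or a trusted front-end), not in application code that may be reached by a lower-cleared user.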

8

Which of the following defines the software that maintains and provides access to the database?
A. database management system (DBMS)
B. relational database management systems (RDBMS)
C. database identification system (DBIS)
D. Interface Definition Language system (IDLS)

Answer: A
Explanation:

9

Which of the following is not a responsibility of a database administrator?
A. Maintaining databases
B. Implementing access rules to databases
C. Reorganizing databases
D. Providing access authorization to databases

Answer: D
Explanation: Authorizing access is the data owner's decision; the database administrator implements and maintains the access rules the owner approves, and maintains and reorganizes the databases themselves.

10

SQL commands do not include which of the following?
A. Select, Update
B. Grant, Revoke
C. Delete, Insert
D. Add, Replace

Answer: D
Explanation: “SQL commands include Select, Update, Delete, Insert, Grant, and Revoke.” Pg 62 Krutz: CISSP Prep Guide: Gold Edition

11

A persistent collection of interrelated data items can be defined as which of the following?
A. database
B. database management system
C. database security
D. database shadowing

Answer: A
Explanation:

12

Which one of the following is commonly used for retrofitting multilevel security to a Database Management System?
A. Trusted kernel
B. Kernel controller
C. Front end controller
D. Trusted front-end

Answer: D
Explanation: A trusted front-end, a reference-monitor-style layer placed between users and an existing DBMS that was not built with multilevel security, is the usual way to retrofit multilevel security without rewriting the DBMS.

13

Which of the following is the marriage of object-oriented and relational technologies combining the attributes of both?
A. object-relational database
B. object-oriented database
C. object-linking database
D. object-management database

Answer: A
Explanation:

14

A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide which of the following?
A. content-dependent access control
B. context-dependent access control
C. least privileges access control
D. ownership-based access control

Answer: A
Explanation: “Database security takes a different approach than operating system security. In an operating system, the identity and authentication of the subject controls access. This is done through access control lists (ACLs), capability tables, roles, and security labels. The operating system only makes decisions about whether a subject can access a file; it does not make this decision based on the contents of the file itself. If Mitch can access file A, it does not matter if that file contains information about a cookie recipe or secret information from the Cold War. On the other hand, database security does look at the contents of a file when it makes an access control decision, which is referred to as content-dependent access control. This type of access control increases processing overhead, but it provides higher granular control.” Pg. 677 Shon Harris: All-In-One CISSP Certification Exam Guide

15

Which of the following is an important part of database design that ensures that attributes in a table depend only on the primary key?
A. Normalization
B. Assimilation
C. Reduction
D. Compaction

Answer: A
Explanation:

16

Which of the following does not address Database Management Systems (DBMS) Security?
A. Perturbation
B. Cell suppression
C. Padded Cells
D. Partitioning

Answer: C
Explanation: Perturbation (adding noise to query results), cell suppression (withholding cells that would reveal too much about individual records), and partitioning (splitting the database so related pieces are harder to combine) are all countermeasures to inference and aggregation attacks. A padded cell is an intrusion detection concept: a simulated environment to which a detected intruder is transferred, similar to a honeypot.
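Cards 6 and 16 above describe the aggregation-to-inference problem and the countermeasures by name only. As an added example (not from the cited books), the following Python sqlite3 script builds a constructed employee table, shows how two individually permitted SUM queries are differenced to recover one person's salary, and then applies a query-set-size control (a form of cell suppression). The table, the salaries and the threshold MIN_ROWS are assumptions of the demo:

```python
import sqlite3

# Constructed sample data; the HR department is small enough to be sensitive.
EMPLOYEES = [
    ("alice", "Eng", 120000),
    ("bob", "Eng", 100000),
    ("carol", "Eng", 110000),
    ("dave", "HR", 90000),
    ("erin", "HR", 95000),
]

MIN_ROWS = 3  # assumed query-set-size threshold for cell suppression


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (name TEXT PRIMARY KEY, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def sum_salary(conn, dept, exclude=None):
    """Statistical query the user is allowed to run: (row count, SUM of salary)
    for a department, optionally leaving one named employee out."""
    sql = "SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM employee WHERE dept = ?"
    params = [dept]
    if exclude is not None:
        sql += " AND name <> ?"
        params.append(exclude)
    return conn.execute(sql, params).fetchone()


def infer_salary(conn, dept, name):
    """The inference attack: each query is permitted on its own, but their
    difference is exactly one person's salary (aggregation leads to inference)."""
    _, with_target = sum_salary(conn, dept)
    _, without_target = sum_salary(conn, dept, exclude=name)
    return with_target - without_target


def safe_sum_salary(conn, dept, exclude=None):
    """Cell suppression by query-set size: refuse any aggregate whose
    underlying row set is smaller than MIN_ROWS, returning None instead."""
    count, total = sum_salary(conn, dept, exclude)
    if count < MIN_ROWS:
        return None
    return total


def safe_infer_salary(conn, dept, name):
    """The same attack through the guarded interface; None means suppressed."""
    a = safe_sum_salary(conn, dept)
    b = safe_sum_salary(conn, dept, exclude=name)
    if a is None or b is None:
        return None
    return a - b


if __name__ == "__main__":
    db = build_db()
    print("inferred salary for alice:", infer_salary(db, "Eng", "alice"))
    print("guarded attempt:", safe_infer_salary(db, "Eng", "alice"))
    print("guarded HR total:", safe_sum_salary(db, "HR"))
```

A size threshold alone is a weak control: overlapping queries ("trackers") can be combined to isolate a record even when every query set is large, which is why it is normally paired with perturbation of the returned values and with partitioning of what a role may query at all, and enforced in a view or stored procedure rather than in client code.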

17

Which of the following is commonly used for retrofitting multilevel security to a database management system?
A. trusted front-end
B. trusted back-end
C. controller
D. kernel

Answer: A
Explanation:

18

Normalizing data within a database includes all of the following except which?
A. Eliminating repeating groups by putting them into separate tables
B. Eliminating redundant data
C. Eliminating attributes in a table that are not dependent on the primary key of that table
D. Eliminating duplicate key fields by putting them into separate tables

Answer: D
Explanation: “Data Normalization Normalization is an important part of database design that ensures that attributes in a table depend only on the primary key. This process makes it easier to maintain data and have consistent reports.
Normalizing data in the database consists of three steps: 1.)Eliminating any repeating groups by putting them into separate tables 2.)Eliminating redundant data (occurring in more than one table) 3.)Eliminating attributes in a table that are not dependent on the primary key of that table”
Pg. 62 Krutz: The CISSP Prep Guide: Gold Edition

19

SQL commands do not include which of the following?
A. Select, Update
B. Grant, Revoke
C. Delete, Insert
D. Add, Replace

Answer: D
Explanation: "Developed by IBM, SQL is a standard data manipulation and relational database definition language. The SQL Data Definition Language creates and deletes views and relations (tables). SQL commands include Select, Update, Delete, Insert, Grant, and Revoke. The latter two commands are used in access control to grant and revoke privileges to resources. Usually, the owner of an object can withhold or transfer GRANT privileges to an object to another subject. If the owner intentionally does not transfer the GRANT privileges relative to an object to individual A, however, A cannot pass on the GRANT privileges to another subject. In some instances, however, this security control can be circumvented. For example, if A copies the object, A essentially becomes the owner of that object and thus can transfer the GRANT privileges to another user, such as user B.
SQL security issues include the granularity of authorization and the number of different ways you can execute the same query."
Pg. 62-63 Krutz: The CISSP Prep Guide: Gold Edition.

20

SQL security issues include which of the following?
A. The granularity of authorizations
B. The size of databases
C. The complexity of key structures
D. The number of candidate key elements

Answer: A
Explanation: "Developed by IBM, SQL is a standard data manipulation and relational database definition language. The SQL Data Definition Language creates and deletes views and relations (tables). SQL commands include Select, Update, Delete, Insert, Grant, and Revoke. The latter two commands are used in access control to grant and revoke privileges to resources. Usually, the owner of an object can withhold or transfer GRANT privileges to an object to another subject. If the owner intentionally does not transfer the GRANT privileges relative to an object to individual A, however, A cannot pass on the GRANT privileges to another subject. In some instances, however, this security control can be circumvented. For example, if A copies the object, A essentially becomes the owner of that object and thus can transfer the GRANT privileges to another user, such as user B.
SQL security issues include the granularity of authorization and the number of different ways you can execute the same query."
Pg. 63 Krutz: The CISSP Prep Guide: Gold Edition

21

Which of the following are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server?
A. Bind variables
B. Assimilation variables
C. Reduction variables
D. Resolution variables

Answer: A
Explanation: Bind variables (also called parameters or placeholders) let the statement text be sent to the database separately from the literal values that fill the placeholders, so the values are never parsed as SQL. This is the primary defense against SQL injection, and it also lets the database reuse the cached execution plan for the same statement text.
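As an added example (not from the card's source), the following Python sqlite3 script contrasts a login query that splices literal values into the SQL text with one that sends the same values through bind variables. The users table and credentials are constructed for the demo, and passwords are stored in clear only to keep the example short:

```python
import sqlite3

# Constructed demo accounts.  Clear-text passwords only so the example stays
# short; a real system stores a salted password hash.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

PAYLOAD = "' OR '1'='1"  # turns the password test into ... password = '' OR '1'='1'


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the literals become part of the SQL text, so a quote in the
    input changes the structure of the statement the database parses."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_bound(conn, username, password):
    """Hardened: the statement is fixed text with two '?' placeholders; the
    values travel separately as data and are never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = build_db()
    print("concat, real password:", login_concat(db, "alice", "s3cret"))
    print("concat, injection    :", login_concat(db, "alice", PAYLOAD))
    print("bound,  injection    :", login_bound(db, "alice", PAYLOAD))
```

Bind variables cover only the positions where a literal may appear. Identifiers (table and column names), ORDER BY directions and the like cannot be bound, so any of those taken from user input still need an allow-list check before they are placed in the statement text.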

22

What ensures that attributes in a table depend only on the primary key?
A. Referential integrity
B. The database management system (DBMS)
C. Data Normalization
D. Entity integrity

Answer: C
Explanation: Normalization is the design process that makes attributes depend only on the primary key. Referential integrity and entity integrity are properties the DBMS enforces on the finished design: every foreign key must reference an existing row (or be null), and every row must have a unique, non-null primary key.

23

Which of the following represent the rows of the table in a relational database?
A. attributes
B. records or tuples
C. record retention
D. relation

Answer: B
Explanation: Rows are records or tuples, columns are attributes, and the table itself is the relation.

24

With regard to databases, which of the following has characteristics of ease of reusing code and analysis and reduced maintenance?
A. Object-Oriented Data Bases (OODB)
B. Object-Relational Data Bases (ORDB)
C. Relational Data Bases
D. Data Base management systems (DBMS)

Answer: A
Explanation:

25

Complex applications involving multimedia, computer aided design, video, graphics, and expert systems are more suited to which of the following?
A. Object-Oriented Data Bases (OODB)
B. Object-Relational Data Bases
C. Relational Data Bases
D. Data base management systems (DBMS)

Answer: A
Explanation:

26

Which of the following refers to the number of columns in a table?
A. Schema
B. Relation
C. Degree
D. Cardinality

Answer: C
Explanation: Degree is the number of columns (attributes) in a relation; cardinality is the number of rows (tuples).

27

Which of the following refers to the number of rows in a relation?
A. cardinality
B. degree
C. depth
D. breadth

Answer: A
Explanation:

28

Which of the following refers to the number of columns in a relation?
A. degree
B. cardinality
C. depth
D. breadth

Answer: A
Explanation:

29

What is one disadvantage of content-dependent protection of information?
A. It increases processing overhead
B. It requires additional password entry
C. It exposes the system to data locking
D. It limits the user's individual address space

Answer: A
Explanation: Content-Dependent Access Control
"Just like the name sounds, access to objects is determined by the content within the object. This is used many times in databases and the type of Web-based material a firewall allows... If a table within the database contains information about employees' salaries, the managers are not allowed to view it, but they can view information about an employee's work history. The content of the database fields dictates which user can see specific information within the database tables." pg 161 Shon Harris: All-In-One CISSP Certification Exam Guide. Decisions have to be made about the content of each object, which increases processing overhead.

30

Which one of the following control steps is usually NOT performed in data warehousing applications?
A. Monitor summary tables for regular use.
B. Control meta data from being used interactively.
C. Monitor the data purging plan.
D. Reconcile data moved between the operations environment and data warehouse.

Answer: A
Explanation: Not B: It is important to control meta data from being used interactively by unauthorized users. “Data warehouses and data mining are significant to security professionals for two reasons. First, as previously mentioned, data warehouses contain large amounts of potentially sensitive information vulnerable to aggregation and inference attacks, and security practitioners must ensure that adequate access controls and other security measures are in place to safeguard this data.” Pg 192 Tittel: CISSP Study Guide
Not C: “The data in the data warehouse must be maintained to ensure that it is timely and valid. The term data scrubbing refers to maintenance of the data warehouse by deleting information that is unreliable or no longer relevant.” Pg 358-359 Krutz: The CISSP Prep Guide: Gold Edition
Not D: “To create a data warehouse, data is taken from an operational database, redundancies are removed, and the data is “cleaned up” in general.” Pg 358 Krutz: The CISSP Prep Guide: Gold Edition