Application Development Security Flashcards
QUESTION NO: 411 Which of the following is a facial feature identification product that can employ artificial intelligence and can require the system to learn from experience? A. All of the choices. B. Digital nervous system. C. Neural networking D. DSV
Answer: C Explanation: There are facial feature identification products that are on the market that use other technologies or methods to capture one’s face. One type of method used is neural networking technology. This type of technology can employ artificial intelligence that requires the system to “learn” from experience. This “learning” experience helps the system to close in on an identification of an individual. Most facial feature identification systems today only allow for two-dimensional frontal images of one’s face. Not DSV: Signature biometrics are often referred to dynamic signature verification (DSV) and look at the way we sign our names. [15] The dynamic nature differentiates it from the study of static signatures on paper. Within DSV a number of characteristics can be extracted from the physical signing process. Examples of these behavioral characteristics are the angle of the pen is held, the time taken to sign, velocity and acceleration of the tip of the pen, number of times the pen is lifted from the paper. Despite the fact that the way we sign is mostly learnt during the years it is very hard to forge and replicate.
QUESTION NO: 412 Which option is NOT a benefit derived from the use of neural networks? A. Linearity B. Input-Output Mapping C. Adaptivity D. Fault Tolerance
Answer: D Explanation: Linearity: “If the sum of the weighted inputs then exceeds the threshold, the neuron will “fire” and there will be an output from that neuron. An alternative approach would be to have the output of the neuron be a linear function of the sum of the artificial neuron inputs.” Input-Output Mapping: “For example, if a specific output vector was required for a specific input where the relationship between input and output was non-linear, the neural network would be trained by applying a set of input vector.” Adaptivity: “The neural network would have then be said to have learned to provide the correct response for each input vector.”
QUESTION NO: 413 Which of the following is a characteristic of a decision support system (DSS)? A. DSS is aimed at solving highly structured problems B. DSS emphasizes flexibility in the decision making approach of users C. DSS supports only structured decision-making tasks D. DSS combines the use of models with non-traditional data access and retrieval functions
Answer: B
QUESTION NO: 414 Which of the following is a communication mechanism that enables direct conversation between two applications? A. DDE B. OLE C. ODBC D. DCOM
Answer: A Explanation: “Dynamic Data Exchange (DDE) enables applications to share data by providing IPC. It is based on the client/server model and enables two programs to send commands to each other directly. DDE is a communication mechanism that enables direct conversation between two applications. The source of the data is called the server, and the receiver of the data is the client.”
QUESTION NO: 415 Which expert system operating mode allows determining if a given hypothesis is valid? A. Vertical chaining B. Lateral chaining C. Forward chaining D. Backward chaining
Answer: D Explanation: “The expert system operates in either a forward-chaining or backward-chaining mode. In a forward-chaining mode, the expert system acquires information and comes to a conclusion based on that information. Forward-chaining is the reasoning approach that can be used when there is a small number of solutions relative to the number of inputs. In a backwardchaining mode, the expert system backtracks to determine if a given hypothesis is valid. Backward-chaining is generally used when there are a large number of possible solutions relative to the number of inputs. Another type of expert system is the blackboard. A blackboard is an expert system-reasoning methodology in which a solution is generated by the use of a virtual “blackboard,” wherein information or potential solutions are placed on the blackboard by the plurality of individuals or expert knowledge sources. As more information is placed on the blackboard in an iterative process, a solution is generated.”
QUESTION NO: 416 Which one of the following is a security issue related to aggregation in a database? A. Polyinstantiation B. Inference C. Partitioning D. Data swapping
Answer: B Explanation: Inference is the ability of users to infer or deduce information about data at sensitivity levels for which they do not have access privileges. –Ronald Krutz The CISSP PREP Guide (gold edition) pg 358 The other security issue is inference, which is very similar to aggregation. – Shon Harris All-in-one CISSP Certification Guide pg 727 Partitioning a database involves dividing the database into different parts, which makes it much harder for an unauthorized individual to find connecting pieces of data that can be brought together and other information that can be deduced or uncovered. – Shon Harris All-in-one CISSP Certification Guide pg 726 Polyinstantiation- This enables a relation to contain multiple tuples with the same primary keys with each instance distinguished by a security level.
QUESTION NO: 417 How is polyinstantiation used to secure a multilevel database? A. It prevents low-level database users from inferring the existence of higher level data. B. It confirms that all constrained data items within the system conform to integrity specifications. C. It ensures that all mechanism in a system are responsible for enforcing the database security policy. D. Two operations at the same layer will conflict if they operate on the same data item and at least one of them is an update.
Answer: A Explanation: “Polyinstantiation is the development of a detailed version of an object from another object using different values in the new object. In the database information security, this term is concerned with the same primary key for different relations at different classification levels being stored in the same database. For example, in a relational database, the same of a military unit may be classified Secret in the database and may have an identification number as the primary key. If another user at a lower classification level attempts to create a confidential entry for another military unit using the same identification number as a primary key, a rejection of this attempt would imply to the lower level user that the same identification number existed at a higher level of classification. To avoid this inference channel of information, the lower level user would be issued the same identification number for their unit and the database management system would manage this situation where the same primary key was used for different units.” Pg 352-353 Krutz: The CISSP Prep Guide: Gold Edition. “Polyinstantiation occurs when to or more rows in the same table appear to have identical primary key elements but contain different data for use at differing classification levels. Polyinstantiation is often used as a defense against some types of inference attacks. For example, consider a database table containing the location of various naval ships on patrol. Normally, this database contains the exact position of each ship stored at the level with secret classification. However, on particular ship, the USS UpToNoGood, is on an undercover mission to a top-secret location. Military commanders do not want anyone to know that the ship deviated from its normal patrol. If the database administrators simply change the classification of the UpToNoGood’s location to top secret, a user with secret clearance would know that something unusual was going on when they couldn’t query the location of the ship. However, if polyinstantiation is used, two records could be inserted into the table. The first one, classified at the top secret level, would reflect the true location of the ship and be available only to users with the appropriate top secret security clearance. The second record, classified at the secret level, would indicate that the ship was on routine patrol and would be returned to users with a secret clearance.”
QUESTION NO: 418 Which of the following defines the software that maintains and provides access to the database? A. database management system (DBMS) B. relational database management systems (RDBMS) C. database identification system (DBIS) D. Interface Definition Language system (IDLS)
Answer: A
QUESTION NO: 419 Which of the following is not a responsibility of a database administrator? A. Maintaining databases B. Implementing access rules to databases C. Reorganizing databases D. Providing access authorization to databases
Answer: D
QUESTION NO: 420 SQL commands do not include which of the following? A. Select, Update B. Grant, Revoke C. Delete, Insert D. Add, Replace
Answer: D Explanation: “SQL commands include Select, Update, Delete, Insert, Grant, and Revoke.”
QUESTION NO: 421 A persistent collection of interrelated data items can be defined as which of the following? A. database B. database management system C. database security D. database shadowing
Answer: A
QUESTION NO: 422 Which one of the following is commonly used for retrofitting multilevel security to a Database Management System? A. Trusted kernel B. Kernel controller C. Front end controller D. Trusted front-end
Answer: D
QUESTION NO: 423 Which of the following is the marriage of object-oriented and relational technologies combining the attributes of both? A. object-relational database B. object-oriented database C. object-linking database D. object-management database
Answer: A
QUESTION NO: 424 A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide which of the following? A. content-dependent access control B. context-dependent access control C. least privileges access control D. ownership-based access control
Answer: A Explanation: “Database security takes a different approach than operating system security. In an operating system, the identity and authentication of the subject controls access. This is done through access control lists (ACLs), capability tables, roles, and security labels. The operating system only makes decisions about where a subject can access a file; it does not make this decision based on the contents of the file itself. If Mitch can access file A, it does not matter if that file contains information about a cookie recipe or secret information from the Cold War. On the other hand, database security does look at the contents of a file when it makes an access control decision, which is referred to as content-dependent access control. This type of access control increases processing overhead, but it provides higher granular control.”
QUESTION NO: 425 Which of the following is an important part of database design that ensures that attributes in a table depend only on the primary key? A. Normalization B. Assimilation C. Reduction D. Compaction
Answer: A
QUESTION NO: 426 Which of the following does not address Database Management Systems (DBMS) Security? A. Perturbation B. Cell suppression C. Padded Cells D. Partitioning
Answer: C
QUESTION NO: 427 Which of the following is commonly used for retrofitting multilevel security to a database management system? A. trusted front-end B. trusted back-end C. controller D. kernel
Answer: A
QUESTION NO: 428 Normalizing data within a database includes all of the following except which? A. Eliminating repeating groups by putting them into separate tables B. Eliminating redundant data C. Eliminating attributes in a table that are not dependent on the primary key of that table D. Eliminating duplicate key fields by putting them into separate tables
Answer: D Explanation: “Data Normalization Normalization is an important part of database design that ensures that attributes in a table depend only on the primary key. This process makes it easier to maintain data and have consistent reports. Normalizing data in the database consists of three steps: 1.)Eliminating any repeating groups by putting them into separate tables 2.)Eliminating redundant data (occurring in more than one table) 3.)Eliminating attributes in a table that are not dependent on the primary key of that table”
QUESTION NO: 429 SQL commands do not include which of the following? A. Select, Update B. Grant, Revoke C. Delete, Insert D. Add, Replace
Answer: D Explanation: “SQL commands include Select, Update, Delete, Grant, and Revoke.” Pg. 62 Krutz: The CISSP Prep Guide: Gold Edition “Developed by IBM, SQL is a standard data manipulation and relational database definition language. The SQL Data Definition Language creates and deletes views and relations (tables). SQL commands include Select, Update, Delete, Insert, Grant, and Revoke. The latter two commands are used in access control to grant and revoke privileges to resources. Usually, the owner of an object can withhold or transfer GRANT privileges to an object to another subject. If the owner intentionally does not transfer the GRANT privileges, however, which are relative to an object to the individual A, A cannot pass on the GRANT privileges to another subject. In some instances, however, this security control can be circumvented. For example, if A copies the object, A essentially becomes the owner of that object and thus can transfer the GRANT privileges to another user, such as user B. SQL security issues include the granularity of authorization and the number of different ways you can execute the same query.
QUESTION NO: 430 SQL security issues include which of the following? A. The granularity of authorizations B. The size of databases C. The complexity of key structures D. The number of candidate key elements
Answer: A Explanation: Developed by IBM, SQL is a standard data manipulation and relational database definition language. The SQL Data Definition Language creates and deletes views and relations (tables). SQL commands include Select, Update, Delete, Insert, Grant, and Revoke. The latter two commands are used in access control to grant and revoke privileges to resources. Usually, the owner of an object can withhold or transfer GRANT privileges to an object to another subject. If the owner intentionally does not transfer the GRANT privileges, however, which are relative to an object to the individual A, A cannot pass on the GRANT privileges to another subject. In some instances, however, this security control can be circumvented. For example, if A copies the object, A essentially becomes the owner of that object and thus can transfer the GRANT privileges to another user, such as user B. SQL security issues include the granularity of authorization and the number of different ways you can execute the same query.
QUESTION NO: 431 Which of the following are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server? A. Bind variables B. Assimilation variables C. Reduction variables D. Resolution variables
Answer: A
QUESTION NO: 432 What ensures that attributes in a table depend only on the primary key? A. Referential integrity B. The database management system (DBMS) C. Data Normalization D. Entity integrity
Answer: C
QUESTION NO: 433 Which of the following represent the rows of the table in a relational database? A. attributes B. records or tuples C. record retention D. relation
Answer: B
QUESTION NO: 434 With regard to databases, which of the following has characteristics of ease of reusing code and analysis and reduced maintenance? A. Object-Oriented Data Bases (OODB) B. Object-Relational Data Bases (ORDB) C. Relational Data Bases D. Data Base management systems (DBMS)
Answer: A
QUESTION NO: 435 Complex applications involving multimedia, computer aided design, video, graphics, and expert systems are more suited to which of the following? A. Object-Oriented Data Bases (OODB) B. Object-Relational Data Bases C. Relational Data Bases D. Data base management systems (DBMS)
Answer: A