
2026 Latest CISSP Question Bank Free Download | New CISSP Exam Questions and Answers PDF + Exam Materials

Question #1
In which state must a computer system operate to process input/output instructions?
A. User mode
B. Stateful inspection
C. Interprocess communication
D. Supervisor mode
Correct answer: D
Question #2
What should be the size of a Trusted Computer Base?
A. Small - in order to permit it to be implemented in all critical system components without using excessive resources.
B. Small - in order to facilitate the detailed analysis necessary to prove that it meets design requirements.
C. Large - in order to accommodate the implementation of future updates without incurring the time and expense of recertification.
D. Large - in order to enable it to protect the potentially large number of resources in a typical commercial system environment.
Correct answer: B
Question #3
Which one of the following is an example of security and controls that would be found in a "trusted" application system?
A. Data validation and reliability
B. Correction routines and reliability
C. File integrity routines and audit trail
D. Reconciliation routines and data labels
Correct answer: C
Question #4
Which of the following is an operating system security architecture that provides flexible support for security policies?
A. OSKit
B. LOMAC
C. SE Linux
D. Flask
Correct answer: D
Question #5
Which of the following statements pertaining to the security kernel is incorrect?
A. It is made up of mechanisms that fall under the TCB and implements and enforces the reference monitor concept.
B. It must provide isolation for the processes carrying out the reference monitor concept and they must be tamperproof.
C. It must be small enough to be able to be tested and verified in a complete and comprehensive manner.
D. It is an access control concept, not an actual physical component.
Correct answer: D
Question #6
What is a PRIMARY reason for designing the security kernel to be as small as possible?
A. The operating system cannot be easily penetrated by users.
B. Changes to the kernel are not required as frequently.
C. Due to its compactness, the kernel is easier to formally verify.
D. System performance and execution are enhanced.
Correct answer: C
Question #7
Which of the following implements the authorized access relationship between subjects and objects of a system?
A. Security model
B. Reference kernel
C. Security kernel
D. Information flow model
Correct answer: C
Question #8
The concept that all accesses must be mediated, protected from modification, and verifiable as correct is the concept of
A. Secure model
B. Security locking
C. Security kernel
D. Secure state
Correct answer: C
Question #9
What is an error called that causes a system to be vulnerable because of the environment in which it is installed?
A. Configuration error
B. Environmental error
C. Access validation error
D. Exceptional condition handling error
Correct answer: B
Question #10
Which of the following ensures that security is not breached when a system crash or other system failure occurs?
A. trusted recovery
B. hot swappable
C. redundancy
D. secure boot
Correct answer: A
Question #11
What type of subsystem is an application program that operates outside the operating system and carries out functions for a group of users, maintains some common data for all users in the group, and protects the data from improper access by users in the g
A. Prevented subsystem
B. Protected subsystem
C. File subsystem
D. Directory subsystem
Correct answer: B
Question #12
A 'Pseudo flaw' is which of the following?
A. An apparent loophole deliberately implanted in an operating system
B. An omission when generating pseudo-code
C. Used for testing for bounds violations in application programming
D. A normally generated page fault causing the system to halt
Correct answer: A
Question #13
Which of the following Yellow Book-defined types of system recovery happens after a system fails in an uncontrolled manner in response to a TCB or media failure and the system cannot be brought to a consistent state?
A. Recovery restart
B. System reboot
C. Emergency system restart
D. System cold start
Correct answer: C
Question #14
Which one of the following describes a reference monitor?
A. Access control concept that refers to an abstract machine that mediates all accesses to objects by subjects.
B. Audit concept that refers to monitoring and recording of all accesses to objects by subjects.
C. Identification concept that refers to the comparison of material supplied by a user with its reference profile.
D. Network control concept that distributes the authorization of subject accesses to objects.
Correct answer: A
Question #15
What can best be described as an abstract machine which must mediate all access by subjects to objects?
A. A security domain
B. The reference monitor
C. The security kernel
D. The security perimeter
Correct answer: B
Question #16
What is the PRIMARY component of a Trusted Computer Base?
A. The computer hardware
B. The security subsystem
C. The operating system software
D. The reference monitor
Correct answer: D
Question #17
Which of the following is best defined as a mode of system termination that automatically leaves system processes and components in a secure state when a failure occurs or is detected in the system?
A. Fail proof
B. Fail soft
C. Fail safe
D. Fail resilient
Correct answer: C
Question #18
LOMAC uses what access control method to protect the integrity of processes and data?
A. Linux based EFS.
B. Low Water-Mark Mandatory Access Control.
C. Linux based NFS.
D. High Water-Mark Mandatory Access Control.
Correct answer: B
Question #19
On Linux, LOMAC is implemented as:
A. Virtual addresses
B. Registers
C. Kernel built-in functions
D. Loadable kernel module
Correct answer: D
Question #20
LOMAC is a security enhancement for what operating system?
A. Linux
B. Netware
C. Solaris
Correct answer: A
Question #21
What was introduced for circumventing difficulties in classic approaches to computer security by limiting damage produced by malicious programs?
A. Integrity-preserving
B. Ref Mon
C. Integrity-monitoring
D. Non-Interference
Correct answer: B
Question #22
A feature deliberately implemented in an operating system as a trap for intruders is called a:
A. Trap door
B. Trojan horse
C. Pseudo flaw
D. Logic bomb
Correct answer: C
Question #23
Fault tolerance countermeasures are designed to combat threats to
A. an uninterruptible power supply
B. backup and retention capability
C. design reliability
D. data integrity
Correct answer: C
Question #24
A 'Pseudo flaw' is which of the following?
A. An apparent loophole deliberately implanted in an operating system program as a trap for intruders
B. An omission when generating pseudo-code
C. Used for testing for bounds violations in application programming
D. A normally generated page fault causing the system to halt
Correct answer: A
Question #25
What Distributed Computing Environment (DCE) component provides a mechanism to ensure that services are made available only to properly designated parties?
A. Directory Service
B. Remote Procedure Call Service
C. Distributed File Service
D. Authentication and Control Service
Correct answer: A
Question #26
What can be accomplished by storing on each subject a list of rights the subject has for every object?
A. Object
B. Capabilities
C. Key ring
D. Rights
Correct answer: B
Question #27
In the Information Flow Model, what relates two versions of the same object?
A. Flow
B. State
C. Transformation
D. Successive points
Correct answer: A
Question #28
What is a security requirement that is unique to Compartmented Mode Workstations (CMW)?
A. Sensitivity Labels
B. Object Labels
C. Information Labels
D. Reference Monitors
Correct answer: C
Question #29
The Common Criteria (CC) represents requirements for IT security of a product or system under which distinct categories?
A. Functional and assurance
B. Protocol Profile (PP) and Security Target (ST)
C. Targets of Evaluation (TOE) and Protection Profile (PP)
D. Integrity and control
Correct answer: A
Question #30
What are the assurance designators used in the Common Criteria (CC)?
A. EAL 1, EAL 2, EAL 3, EAL 4, EAL 5, EAL 6, and EAL 7
B. A1, B1, B2, B3, C2, C1, and D
C. E0, E1, E2, E3, E4, E5, and E6
D. AD0, AD1, AD2, AD3, AD4, AD5, and AD6
Correct answer: A
Question #31
Which of the following uses protection profiles and security targets?
A. ITSEC
B. TCSEC
C. CTCPEC
D. International Standard 15408
Correct answer: D
Question #32
According to Common Criteria, what can be described as an intermediate combination of security requirement components?
A. Protection profile (PP)
B. Security target (ST)
C. Package
D. The Target of Evaluation (TOE)
Correct answer: C
Question #33
The Common Criteria construct which allows prospective consumers or developers to create standardized sets of security requirements to meet their needs is
A. a Protection Profile (PP).
B. a Security Target (ST).
C. an Evaluation Assurance Level (EAL).
D. a Security Functionality Component Catalog (SFCC).
Correct answer: A
Question #34
The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address?
A. integrity and confidentiality
B. confidentiality and availability
C. integrity and availability
D. none of the above
Correct answer: C
Question #35
Which of the following was developed by the National Computer Security Center (NCSC)?
A. TCSEC
B. ITSEC
C. DITSCAP
D. NIACAP
Correct answer: A
Question #36
The Trusted Computer Security Evaluation Criteria (TCSEC) provides
A. a basis for assessing the effectiveness of security controls built into automatic data-processing system products.
B. a system analysis and penetration technique where specifications and documents for the system are analyzed.
C. a formal static transition model of computer security policy that describes a set of access control rules.
D. a means of restricting access to objects based on the identity of subjects and groups to which they belong.
Correct answer: A
Question #37
Which Orange Book evaluation level is described as "Verified Design"?
A. A1
B. B3
C. B2
D. B1
Correct answer: A
Question #38
Which of the following classes is defined in the TCSEC (Orange Book) as mandatory protection?
A. B
B. A
C. C
D. D
Correct answer: A
Question #39
Which Orange Book security rating requires that formal techniques are used to prove the equivalence between the TCB specifications and the security policy model?
A. B2
B. B3
C. A1
D. A2
Correct answer: C
Question #40
According to the Orange Book, which security level is the first to require trusted recovery?
A. A1
B. B2
C. B3
D. B1
Correct answer: C
Question #41
According to the Orange Book, which security level is the first to require a system to protect against covert timing channels?
A. A1
B. B3
C. B2
D. B1
Correct answer: B
Question #42
Which of the following is not an Orange Book-defined operational assurance requirement?
A. System architecture
B. Trusted facility management
C. Configuration management
D. Covert channel analysis
Correct answer: C
Question #43
Which of the following is least likely to be found in the Orange Book?
A. Security policy
B. Documentation
C. Accountability
D. Networks and network components
Correct answer: D
Question #44
According to the Orange Book, which security level is the first to require a system to support separate operator and system administrator roles?
A. A1
B. B1
C. B2
D. B3
Correct answer: C
Question #45
Which of the following is not an Orange Book-defined life cycle assurance requirement?
A. Security testing
B. Design specification and testing
C. Trusted distribution
D. System integrity
Correct answer: D
Question #46
At what Trusted Computer Security Evaluation Criteria (TCSEC) or Information Technology Security Evaluation Criteria (ITSEC) security level are database elements FIRST required to have security labels?
A. A1/E6
B. B1/E3
C. B2/E4
D. C2/E2
Correct answer: B
Question #47
Which of the following statements pertaining to the Trusted Computer System Evaluation Criteria (TCSEC) is incorrect?
A. With TCSEC, functionality and assurance are evaluated separately.
B. TCSEC provides a means to evaluate the trustworthiness of an information system.
C. The Orange Book does not cover networks and communications.
D. Database management systems are not covered by the TCSEC.
Correct answer: A
Question #48
Which of the following is the lowest TCSEC class wherein the systems must support separate operator and system administrator roles?
A. B2
B. B1
C. A1
D. A2
Correct answer: A
Question #49
Which TCSEC (Orange Book) level requires the system to clearly identify functions of the security administrator to perform security-related functions?
A. C2
B. B1
C. B2
D. B3
Correct answer: D
Question #50
Which of the following statements pertaining to the trusted computing base (TCB) is false?
A. It addresses the level of security a system provides.
B. It originates from the Orange Book.
C. It includes hardware, firmware, and software.
D. A higher TCB rating will require that details of their testing procedures and documentation be reviewed with more granularity.
Correct answer: A
Question #51
Which of the following is not an Orange Book-defined operational assurance requirement?
A. System architecture
B. Trusted facility management
C. Configuration management
D. Covert channel analysis
Correct answer: C
Question #52
Which of the following focuses on the basic features and architecture of a system?
A. operational assurance
B. life cycle assurance
C. covert channel assurance
D. level A1
Correct answer: A
Question #53
Which level(s) must protect against both covert storage and covert timing channels?
A. B3 and A1
B. B2, B3 and A1
C. A1
D. B1, B2, B3 and A1
Correct answer: A
Question #54
According to the Orange Book, trusted facility management is not required for which of the following security levels?
A. B1
B. B2
C. B3
D. A1
Correct answer: A
Question #55
Which factor is critical in all systems to protect data integrity?
A. Data classification
B. Information ownership
C. Change control
D. System design
Correct answer: A
Question #56
Which of the following is not a common integrity goal?
A. Prevent unauthorized users from making modifications
B. Maintain internal and external consistency
C. Prevent authorized users from making improper modifications
D. Prevent paths that could lead to inappropriate disclosure
Correct answer: D
Question #57
Which security model introduces access to objects only through programs?
A. The Biba model
B. The Bell-LaPadula model
C. The Clark-Wilson model
D. The information flow model
Correct answer: C
Question #58
To ensure that integrity is attained through the Clark-Wilson model, certain rules are needed. These rules are:
A. Processing rules and enforcement rules.
B. Integrity-bouncing rules.
C. Certification rules and enforcement rules.
D. Certification rules and general rules.
Correct answer: C
Question #59
What can be defined as a formal security model for the integrity of subjects and objects in a system?
A. Biba
B. Bell-LaPadula
C. Lattice
D. Info Flow
Correct answer: A
Question #60
The Clark-Wilson model has its emphasis on:
A. Security
B. Integrity
C. Accountability
D. Confidentiality
Correct answer: B
Question #61
What does the * (star) integrity axiom mean in the Biba model?
A. No read up
B. No write down
C. No read down
D. No write up
Correct answer: D
Question #62
Which access control model states that for integrity to be maintained, data must not flow from a receptacle of given integrity to a receptacle of higher integrity?
A. Lattice Model
B. Bell-LaPadula Model
C. Biba Model
D. Take-Grant Model
Correct answer: C
Question #63
Which one of the following is a KEY responsibility for the "Custodian of Data"?
A. Data content and backup
B. Integrity and security of data
C. Authentication of user access
D. Classification of data elements
Correct answer: B
Question #64
Which one of the following is true about information that is designated with the highest level of confidentiality in a private sector organization?
A. It is limited to named individuals and creates an audit trail.
B. It is restricted to those in the department of origin for the information.
C. It is available to anyone in the organization whose work relates to the subject and requires authorization for each access.
D. It is classified only by the information security officer and restricted to those who have made formal requests for access.
Correct answer: C
Question #65
Related to information security, confidentiality is the opposite of which of the following?
A. closure
B. disclosure
C. disposal
D. disaster
Correct answer: B
Question #66
What is the main concern of the Bell-LaPadula security model?
A. Accountability
B. Integrity
C. Confidentiality
D. Availability
Correct answer: C
Question #67
Which of the following are the limitations of the Bell-LaPadula model?
A. No policies for changing access data control.
B. All of the choices.
C. Contains covert channels.
D. Static in nature.
Correct answer: B
Question #68
Which of the following is a state machine model capturing confidentiality aspects of access control?
A. Clark-Wilson
B. Bell-LaPadula
C. Chinese Wall
D. Lattice
Correct answer: B
Question #69
With the BLP model, access permissions are defined through:
A. Filter rules
B. Security labels
C. Access control matrix
D. Profiles
Correct answer: C
Question #70
With the BLP model, security policies prevent information flowing downwards from a:
A. Low security level
B. High security level
C. Medium security level
D. Neutral security level
Correct answer: B
Question #71
When will BLP consider the information flow that occurs?
A. When a subject alters an object.
B. When a subject accesses an object.
C. When a subject observes an object.
D. All of the choices.
Correct answer: D
Question #72
In the Bell-LaPadula model, the Star-property is also called:
A. The simple security property
B. The confidentiality property
C. The confinement property
D. The tranquility property
Correct answer: C
Question #73
The Lattice Based Access Control model was developed MAINLY to deal with:
A. Affinity
B. None of the choices.
C. Confidentiality
D. Integrity
Correct answer: D
Question #74
With the Lattice Based Access Control model, a security class is also called a:
A. Control factor
B. Security label
C. Mandatory number
D. Serial ID
Correct answer: B
Question #75
Under the Lattice Based Access Control model, a container of information is a(n):
A. Object
B. Model
C. Label
Correct answer: A
Question #76
What access control model was developed to deal mainly with information flow in computer systems?
A. Lattice Based
B. Integrity Based
C. Flow Based
D. Area Based
Correct answer: A
Question #77
The Lattice Based Access Control model was developed to deal mainly with ___________ in computer systems.
A. Access control
B. Information flow
C. Message routes
D. Encryption
Correct answer: B
Question #78
In the Lattice Based Access Control model, controls are applied to:
A. Scripts
B. Objects
C. Models
D. Factors
Correct answer: B
Question #79
Access control techniques do not include:
A. Rule-Based Access Controls
B. Role-Based Access Controls
C. Mandatory Access Controls
D. Random Number Based Access Control
Correct answer: D
Question #80
An access control policy for a bank teller is an example of the implementation of which of the following?
A. rule-based policy
B. identity-based policy
C. user-based policy
D. role-based policy
Correct answer: D
Question #81
Access control techniques do not include which of the following choices?
A. Relevant Access Controls
B. Discretionary Access Controls
C. Mandatory Access Controls
D. Lattice Based Access Controls
Correct answer: A
Question #82
What is called a type of access control where a central authority determines what subjects can have access to certain objects, based on the organizational security policy?
A. Mandatory Access Control
B. Discretionary Access Control
C. Non-discretionary Access Control
D. Rule-based access control
Correct answer: C
Question #83
In non-discretionary access control, a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on:
A. the society's role in the organization
B. the individual's role in the organization
C. the group dynamics as they relate to the individual's role in the organization
D. the group dynamics as they relate to the master-slave role in the organization
Correct answer: B
Question #84
This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and privileges than what is required for the tasks the user needs to fulfill. What best describes this sc
A. Excessive Rights
B. Excessive Access
C. Excessive Permissions
D. Excessive Privileges
Correct answer: D
Question #85
The default level of security established for access controls should be
A. All access
B. Update access
C. Read access
D. No access
Correct answer: D
Question #86
Access control techniques do not include which of the following choices?
A. Relevant Access Controls
B. Discretionary Access Control
C. Mandatory Access Control
D. Lattice Based Access Controls
Correct answer: A
Question #87
Which of the following is a type of mandatory access control?
A. Rule-based access control
B. Role-based access control
C. User-directed access control
D. Lattice-based access control
Correct answer: A
Question #88
A central authority determining what subjects can have access to certain objects based on the organizational security policy is called:
A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access Control
Correct answer: C
Question #89
What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?
A. A capacity table
B. An access control list
C. An access control matrix
D. A capability table
Correct answer: C
Question #90
What access control methodology facilitates frequent changes to data permissions?
A. Rule-based
B. List-based
C. Role-based
D. Ticket-based
Correct answer: A
Question #91
Which of the following is a means of restricting access to objects based on the identity of the subject to which they belong?
A. Mandatory access control
B. Group access control
C. Discretionary access control
D. User access control
Correct answer: C
Question #92
What is the method of coordinating access to resources based on a listing of permitted IP addresses?
A. MAC
B. ACL
C. DAC
D. None of the choices.
Correct answer: B
Question #93
What control is based on a specific profile for each user?
A. Lattice based access control.
B. Directory based access control.
C. Rule based access control.
D. ID based access control.
Correct answer: C
Question #94
In a very large environment, which of the following is an administrative burden?
A. Rule based access control.
B. Directory based access control.
C. Lattice based access control.
D. ID based access control.
Correct answer: D
Question #95
Which of the following is a feature of Rule based access control?
A. The use of profiles.
B. The use of information flow labels.
C. The use of data flow diagrams.
D. The use of tokens.
Correct answer: A
Question #96
What is an access control model?
A. A formal description of access control ID specification.
B. A formal description of security policy.
C. A formal description of a sensitivity label.
D. None of the choices.
Correct answer: B
Question #97
Which of the following is true about MAC?
A. It is more flexible than DAC.
B. It is more secure than DAC.
C. It is less secure than DAC.
D. It is more scalable than DAC.
Correct answer: B
Question #98
Which of the following is true regarding a secure access model?
A. Secure information cannot flow to a more secure user.
B. Secure information cannot flow to a less secure user.
C. Secure information can flow to a less secure user.
D. None of the choices.
Correct answer: B
Question #99
In the Information Flow Model, what acts as a type of dependency?
A. State
B. Successive points
C. Transformation
D. Flow
Correct answer: D
Question #100
A firewall can be classified as a:
A. Directory based access control.
B. Rule based access control.
C. Lattice based access control.
D. ID based access control.
Correct answer: B
