Which of the following is a vulnerability in Public Key Cryptography (PKC) that allows a chosen ciphertext attack to occur?
Correct Answer: D
Question 122
What is the primary reason for the chain of custody of evidence?
Correct Answer: C
Question 123
Which choice below is the BEST description of a Protection Profile (PP), as defined by the Common Criteria (CC)?
Correct Answer: A
The Common Criteria (CC) is used in two ways:
As a standardized way to describe security requirements for IT products and systems.
As a sound technical basis for evaluating the security features of these products and systems.

The CC defines three useful constructs for building IT security requirements: the Protection Profile (PP), the Security Target (ST), and the Package. The PP is an implementation-independent statement of security needs for a set of IT security products. The PP contains a set of security requirements and is intended to be a reusable definition of product security requirements that are known to be useful and effective. A PP gives consumers a means of referring to a specific set of security needs and communicating them to manufacturers, and it helps future product evaluation against those needs.

Answer a defines the Security Target (ST). The ST is a statement of security claims for a particular IT security product or system. The ST parallels the structure of the PP, though it has additional elements that include product-specific detailed information. An ST is the basis for agreement among all parties as to what security the product or system offers, and therefore the basis for its security evaluation.

Answer "An intermediate combination of security requirement components" describes the Package. The Package is an intermediate combination of security requirement components. The package permits the expression of a set of either functional or assurance requirements that meet some particular need, expressed as a set of security objectives.

Answer "The IT product or system to be evaluated" describes the Target of Evaluation (TOE). The TOE is an IT product or system to be evaluated, the security characteristics of which are described in specific terms by a corresponding ST, or in more general terms by a PP. This evaluation consists of rigorous analysis and testing performed by an accredited, independent laboratory.

The scope of a TOE evaluation is set by the Evaluation Assurance Level (EAL) and other requirements specified in the ST. Part of this process is an evaluation of the ST itself, to ensure that it is correct, complete, and internally consistent and can be used as the baseline for the TOE evaluation. Source: Common Criteria Project.
Question 124
Into which phases of an acquisition process should software assurance be integrated?
Correct Answer: D
Question 125
Match the name of each access control model with its associated restriction. Drag each access control model to its appropriate access restriction on the right.
Correct Answer:
Explanation:
Mandatory Access Control (MAC) - End user cannot set controls.
Discretionary Access Control (DAC) - Subject has total control over objects.
Role Based Access Control (RBAC) - Dynamically assigns permissions to roles for particular duties based on job function.
Rule Based Access Control - Dynamically assigns roles to subjects based on criteria assigned by a custodian.