The application of a security patch to a product previously validate at Common Criteria (CC) Evaluation Assurance Level (EAL) 4 would
Correct Answer: B
Section: Software Development Security
Question 22
Which choice below is an incorrect description of a control?
Correct Answer: B
Controls are the countermeasures for vulnerabilities. There are many kinds, but generally they are categorized into four types: Deterrent controls reduce the likelihood of a deliberate attack. Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact. Preventative controls inhibit attempts to violate security policy. Corrective controls reduce the effect of an attack. Detective controls discover attacks and trigger preventative or corrective controls. Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums. Source: Introduction to Risk Analysis, "Corrective controls reduce the effect of an attack" & "Detective controls discover attacks and trigger preventative or corrective controls" Security Risk Analysis Group and NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.
Question 23
Which one of the following is the MOST critical characteristic of a biometrics system?
Correct Answer: B
We don't agree with the original answer, which was throughput. Granted throughput is vital but Krutz lists accuracy is most important. In addition to the accuracy of the biometric systems, there are OTHER factors that must also be considered. These factors include the enrollment time, the throughput rate, and acceptability. Ronald Krutz The CISSP PREP Guide (gold edition) pg 51
Question 24
After acquiring the latest security updates, what must be done before deploying to production systems?
Correct Answer: B
After acquiring the latest security updates, the best practice is to install the patches on a test system before deploying them to the production systems. This is to ensure that the patches are compatible with the system configuration and do not cause any adverse effects or conflicts with the existing applications or services. The test system should be isolated from the production environment and should have the same or similar specifications and settings as the production system. * A. Use tools to detect missing system patches is not something that must be done after acquiring the latest security updates, but rather something that must be done before acquiring the security updates. This is to identify the current patch level and the patch requirements of the system. * C. Subscribe to notifications for vulnerabilities is not something that must be done after acquiring the latest security updates, but rather something that must be done as part of the ongoing patch management process. This is to stay informed of the latest security threats and vulnerabilities and the corresponding patches or mitigations. * D. Assess the severity of the situation is not something that must be done after acquiring the latest security updates, but rather something that must be done before acquiring the security updates. This is to prioritize the patching activities based on the risk and impact of the vulnerabilities. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, page 336; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6, page 297
Question 25
Which Web Services Security (WS-Security) specification maintains a single authenticated identity across multiple dissimilar environments? Click on the correct specification in the image below.