var quiz = { questions : [ { text : 'Which TCSEC publication addresses computer systems for government and military use?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. Red Book', 'B. Brown Book', 'C. Green Book', 'D. Orange Book' ], answer : 3, score : 1, expandedAnswer : '
\nThe Trusted Computer System Evaluation Criteria (TCSEC) was developed by the Department of Defense to evaluate their own computer systems. The Orange Book evaluates security features within operating systems, devices and applications and uses TCSEC’s assurance levels as its measurements.', moreInfo : '' }, { text : 'A processor and operating system can work in different modes depending upon the privilege of the process that made a request. If a process is able to directly communicate to hardware, what state is the processor and system running in?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. Problem state', 'B. Wait state', 'C. Run state', 'D. Supervisory state' ], answer : 3, score : 1, expandedAnswer : '
\nThe main modes a processor and operating system work in are user mode and privileged mode. Privileged mode is also called supervisor or supervisory mode. If a process of lower privilege makes a request, the request will be fulfilled in user mode. If a process has the privilege level to be able to carry out something critical, like communicating directly with hardware, then the processor and operating system will carry out its request in privileged mode.', moreInfo : '' }, { text : 'What is it called when two or more processes commit resources, but can\'t carry out their tasks because the other required resources are currently committed?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. Stalemate', 'B. Deadlock', 'C. Buffer overflow', 'D. Crash' ], answer : 1, score : 1, expandedAnswer : '
\nThe way that operating systems handle the input and output of system resources is critical. When resources are not released properly, it can lead to a deadlock situation. This means there aren\'t enough resources for other programs to execute because too many are tied up with already-running applications. A true deadlock situation is when process one has committed resource A and requires resource B to finish its task. But process two has committed resource B and requires resource A. Neither process can finish its work until the other releases the necessary resource. So they are both suspended or hung.', moreInfo : '' }, { text : 'There are different types of security models, as in Bell-LaPadula, Biba and state machine. Which of the following is the correct definition of "security model"?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. A framework that outlines the requirements necessary to support a security policy', 'B. A beta version operating system', 'C. Strict guidelines at a company level based on procedures to follow regarding computer security and access controls', 'D. Identifying, assessing and reducing security risks' ], answer : 0, score : 1, expandedAnswer : '
\nSecurity models are used to help implement security policies. While policies state specific objectives that must be accomplished, the security model will detail how to achieve those particular objectives. Basically, models explain how a system should control subject and object relationships and interactivity.', moreInfo : '' }, { text : 'A multi-threading computer can do what?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. Run multiple processes at one time', 'B. Run and process multiple requests at one time', 'C. Run multiple programs at one time', 'D. Run multiple tasks at one time' ], answer : 1, score : 1, expandedAnswer : '
\nComputers have many capabilities; some are capable of multi-threading, multi-processing and multi-tasking. \n

\nThese capabilities defined are:\nMulti-threading -- processing more than one request or thread at one time.\nMulti-tasking -- processing more than one task or process at one time.\nMulti-processing -- having multiple CPUs and processing separate instructions in parallel.', moreInfo : '' }, { text : 'A product that has been evaluated as providing discretionary protection according to the TCSEC would have what classification rating?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. A', 'B. B', 'C. C', 'D. D' ], answer : 2, score : 1, expandedAnswer : '
\nThe Trusted Computer System Evaluation Criteria (TCSEC) has four classification rankings: A = Verified protection, B = Mandatory protection, C= Discretionary protection, D= Minimal security. Each class has subrankings that provide more detail of the security criteria that the product was evaluated against.', moreInfo : '' }, { text : 'Products that pass through the Trusted Products Evaluation Program (TPEP) are published in what?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. Orange Book', 'B. Evaluated Product List', 'C. National Accreditation Report', 'D. Computing Society Product Evaluation Report' ], answer : 1, score : 1, expandedAnswer : '
\nAfter successful evaluation, products are published in the Evaluated Product List (EPL). Similar to Consumer Reports, the EPL is a publication that consumers can use to gain information about products, their rankings and their features.', moreInfo : '' }, { text : 'What are the distinguishing factors between a product with a TCSEC rating of A1 and one with a rating of B3?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. Architecture features', 'B. Protection features', 'C. Verified protection', 'D. Security policies' ], answer : 2, score : 1, expandedAnswer : '
\nThe major difference between Class A-ranked products and Class B-ranked products is the formality of design, development, documentation, testing and implementation. Most of the security features are similar. If a system is going to receive an A assurance rating, the evaluation team will go through every piece of that system\'s life cycle in a granular and detailed manner.', moreInfo : '' }, { text : 'Using a path that is not intended for communication transmissions to send and receive information is an example of a _______________.', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. Covert channel', 'B. Salami attack', 'C. Piggybacking attack', 'D. Buffer overflow' ], answer : 0, score : 1, expandedAnswer : '
\nCovert channels can be used because the operating system is not anticipating this type of activity and thus does not protect against it. The use of covert channels violates the system\'s security policy. Systems with many covert channels typically have lower assurance ratings than systems with few covert channels. A covert channel is using resources for communication purposes in a way they were not designed for. An overt channel is using resources that were developed specifically for communication purposes.', moreInfo : '' }, { text : 'Which term describes a hidden set of software instructions created by the developer as a matter of convenience?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. Covert channel', 'B. Software patch', 'C. Maintenance hook', 'D. GUI' ], answer : 2, score : 1, expandedAnswer : '
\nIt is common for software developers to create backdoors into their applications. This is done during the development stage so that they can have quick access into the program to make changes or run tests. It\'s important that these hidden access points are removed before the software is implemented. Backdoors that are implemented within programming code for this type of access are most accurately referred to as maintenance hooks.', moreInfo : '' }, { text : 'Which of the following is not a requirement of a B3 TCSEC rating?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. Defines security administrator role', 'B. Monitors events and notifies appropriate personnel', 'C. Exhibits trusted recovery', 'D. Uses formal methods and procedures' ], answer : 3, score : 1, expandedAnswer : '
\nClass B3 requires all of the listed features except the use of formal methods and procedures. Only Class A-products require a system\'s design, development, implementation and documentation to be formalized.', moreInfo : '' }, { text : 'The Orange Book was developed in the 1970s with the purpose of evaluating specific items. There have been many criticisms of it because it is not overly robust and is very focused in nature. Which is not true about the Orange Book?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. Places trust in the computer operating system', 'B. Does not address integrity and availability', 'C. Works with protection rankings, which is well suited for the commercial industry', 'D. Uses a small number of ratings that are not very flexible' ], answer : 2, score : 1, expandedAnswer : '
\nThe Orange Book was the first publication of the TCSEC evaluation criteria, and it has been the victim of many criticisms. Its classification scheme is well designed for government and military organizations, rather than the commercial industry. But to be fair it was developed for the DoD, so this makes sense. We have used it to evaluate products for the commercial sector instead of developing a separate evaluation criteria. The Common Criteria is the Orange Book\'s replacement and deals with military and commercial sectors more effectively.', moreInfo : '' }, { text : 'Which of the terms below is best described as a simulated environment for applications to run in?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. TCB', 'B. Virtual machine', 'C. Protection rings', 'D. Execution domains' ], answer : 1, score : 1, expandedAnswer : '
\nVirtual machines act as an operating area and holding area for different programs to run in. This serves as a protection mechanism for the operating system. The operating system communicates with the virtual machine, never having to directly interface with the untrusted program code. Virtual machines can manage the program code in a controlled manner.', moreInfo : '' }, { text : 'Which of the following is a way for one process to communicate to another by modulating the use of systems resources?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. Covert timing channel', 'B. Covert storage channel', 'C. Maintenance hook', 'D. TOC/TOU' ], answer : 0, score : 1, expandedAnswer : '
\nA covert timing channel modulates the operating system\'s resources, which allows for communication between two processes. This is an example of a covert communication channel.', moreInfo : '' }, { text : 'Companies should follow certain steps in selecting and implementing a new computer product. Which of the following sequences is ordered correctly?', img : 'http://media.techtarget.com/WhatIs/images/spacer.gif', responses : [ 'A. Evaluation, accreditation, certification', 'B. Evaluation, certification, accreditation', 'C. Certification, evaluation, accreditation', 'D. Certification, accreditation, evaluation' ], answer : 1, score : 1, expandedAnswer : '
\nThe first step is evaluation. Evaluation involves reviewing the product\'s protection functionality and assurance ratings. The next phase is certification. Certification involves testing the newly purchased product within the company\'s environment. The final stage is accreditation, which is management\'s formal approval.', moreInfo : '' } ] };