
c. It uses grant or revoke access to objects.

d. Users and owners are different.

190. d. Discretionary access control (DAC) permits the granting and revoking of access control privileges to be left to the discretion of individual users. A discretionary access control mechanism enables users to grant or revoke access to any of the objects under their control. As such, users are said to be the owners of the objects under their control. It uses access control lists.

191. Which of the following does not provide robust authentication?

a. Kerberos

b. Secure remote procedure calls

c. Reusable passwords

d. Digital certificates

191. c. Robust authentication means strong authentication that should be required for accessing internal computer systems. Robust authentication is provided by Kerberos, one-time passwords, challenge-response exchanges, digital certificates, and secure remote procedure calls (Secure RPC). Reusable passwords provide weak authentication.

192. Which of the following statements is not true about Kerberos protocol?

a. Kerberos uses asymmetric key cryptography.

b. Kerberos uses a trusted third party.

c. Kerberos is a credential-based authentication system.

d. Kerberos uses symmetric key cryptography.

192. a. Kerberos uses symmetric key cryptography and a trusted third party. Kerberos users authenticate with one another using Kerberos credentials issued by a trusted third party. The bit size of Kerberos is the same as that of DES, which is 56 bits because Kerberos uses a symmetric key algorithm similar to DES.

193. Which of the following authentication types is most effective?

a. Static authentication

b. Robust authentication

c. Intermittent authentication

d. Continuous authentication

193. d. Continuous authentication protects against impostors (active attacks) by applying a digital signature algorithm to every bit of data sent from the claimant to the verifier. Also, continuous authentication prevents session hijacking and provides integrity.

Static authentication uses reusable passwords, which can be compromised by replay attacks. Robust authentication includes one-time passwords and digital signatures, which can be compromised by session hijacking. Intermittent authentication is not useful because of gaps in user verification.

194. Regarding the major functions of intrusion detection and prevention system technologies, which of the following statements are true?

1. It is not possible to eliminate all false positives and false negatives.

2. Reducing false positives increases false negatives and vice versa.

3. Decreasing false negatives is always preferred.

4. More analysis is needed to differentiate false positives from false negatives.

a. 1 only

b. 2 only

c. 3 only

d. 1, 2, 3, and 4

194. d. Intrusion detection and prevention system (IDPS) technologies cannot provide completely accurate detection at all times. All four items are true statements. When an IDPS incorrectly identifies benign activity as being malicious, a false positive has occurred. When an IDPS fails to identify malicious activity, a false negative has occurred.

195. Which of the following authentication techniques is impossible to forge?

a. What the user knows

b. What the user has

c. What the user is

d. Where the user is

195. d. Passwords and PINs are often vulnerable to guessing, interception, or brute force attack. Devices such as access tokens and crypto-cards can be stolen. Biometrics can be vulnerable to interception and replay attacks. A physical location, by contrast, cannot be other than what it is. The techniques used in the other three choices are not foolproof. However, “where the user is,” based on a geodetic location, is foolproof because it cannot be spoofed or hijacked.

Geodetic location, as calculated from a location signature, adds a fourth and new dimension to user authentication and access control mechanisms. The signature is derived from the user’s location. It can be used to determine whether a user is attempting to log in from an approved location. If unauthorized activity is detected from an authorized location, it can facilitate finding the user responsible for that activity.

196. How does a rule-based access control mechanism work?

a. It is based on filtering rules.

b. It is based on identity rules.

c. It is based on access rules.

d. It is based on business rules.

196. c. A rule-based access control mechanism is based on specific rules relating to the nature of the subject and object. These specific rules are embedded in access rules. Filtering rules are specified in firewalls. Both identity and business rules are inapplicable here.

197. Which of the following is an example of a system integrity tool used in the technical security control category?

a. Auditing

b. Restore to secure state

c. Proof-of-wholeness

d. Intrusion detection tool

197. c. The proof-of-wholeness control is a system integrity tool that analyzes system integrity and irregularities and identifies exposures and potential threats. The proof-of-wholeness principle detects violations of security policies.

Auditing is a detective control, which enables monitoring and tracking of system abnormalities. “Restore to secure state” is a recovery control that enables a system to return to a state that is known to be secure, after a security breach occurs. Intrusion detection tools detect security breaches.

198. Individual accountability does not include which of the following?

a. Unique identifiers

b. Access rules

c. Audit trails

d. Policies and procedures

198. d. A basic tenet of IT security is that individuals must be accountable for their actions. If this is not followed and enforced, it is not possible to successfully prosecute those who intentionally damage or disrupt systems or to train those whose actions have unintended adverse effects.

The concept of individual accountability drives the need for many security safeguards, such as unique (user) identifiers, audit trails, and access authorization rules. Policies and procedures indicate what to accomplish and how to accomplish objectives. By themselves, they do not exact individual accountability.

199. From an access control viewpoint, which of the following is computed from a passphrase?

a. Access password

b. Personal password

c. Valid password

d. Virtual password

199. d. A virtual password is a password computed from a passphrase that meets the requirements of password storage (e.g., 56 bits for DES). A passphrase is a sequence of characters, longer than the acceptable length of a regular password, which is transformed by a password system into a virtual password of acceptable length.