
An access password is a password used to authorize access to data and is distributed to all those who are authorized to have similar access to that data. A personal password is a password known by only one person and is used to authenticate that person’s identity. A valid password is a personal password that authenticates the identity of an individual when presented to a password system. It is also an access password that enables the requested access when presented to a password system.

200. Which of the following is an incompatible function for a database administrator?

a. Data administration

b. Information systems administration

c. Systems security

d. Information systems planning

200. c. The database administrator (DBA) function is concerned with short-term development and use of databases, and is responsible for the data of one or several specific databases. The DBA function should be separate from the systems’ security function due to possible conflict of interest for manipulation of access privileges and rules for personal gain. The DBA function can be mixed with data administration, information systems administration, or information systems planning because there is no harm to the organization.

201. Kerberos uses which of the following to protect against replay attacks?

a. Cards

b. Timestamps

c. Tokens

d. Keys

201. b. A replay attack refers to the recording and retransmission of message packets in the network. Although a replay attack frequently goes undetected, it can be prevented by packet timestamping. Kerberos relies on timestamps for this, not on cards, tokens, or keys.
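The service-side check that makes the timestamp useful, as an added illustration not taken from the page: a verifier accepts an authenticator only if its timestamp is within the allowed clock skew and it has not already been seen within that window (a replay cache). The five-minute skew and the principal names are assumed sample values; real Kerberos also keys the cache on the microsecond field, which this simplification omits.

```python
from datetime import datetime, timedelta, timezone

MAX_CLOCK_SKEW = timedelta(minutes=5)  # assumed value; the common Kerberos default


class ReplayCache:
    """Remembers (client, timestamp) pairs accepted within the skew window."""

    def __init__(self, skew=MAX_CLOCK_SKEW):
        self.skew = skew
        self.seen = {}  # (client principal, authenticator timestamp) -> time accepted

    def _expire(self, now):
        # An authenticator older than the skew window would be rejected as stale
        # anyway, so its cache entry is no longer needed.
        self.seen = {k: v for k, v in self.seen.items() if now - k[1] <= self.skew}

    def check(self, client, ts, now):
        """Return (accepted, reason) for an authenticator from `client` stamped `ts`."""
        self._expire(now)
        if abs(now - ts) > self.skew:
            return False, "KRB_AP_ERR_SKEW"    # clock skew too great: stale or future
        key = (client, ts)
        if key in self.seen:
            return False, "KRB_AP_ERR_REPEAT"  # same authenticator seen again: replay
        self.seen[key] = now
        return True, "OK"


def simulate():
    """Constructed sequence: a fresh authenticator, a replay of it, then a stale replay."""
    cache = ReplayCache()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    client = "alice@EXAMPLE.COM"  # hypothetical principal
    events = [
        (client, t0, t0),                            # arrives on time
        (client, t0, t0 + timedelta(seconds=30)),    # captured and resent 30 s later
        (client, t0, t0 + timedelta(minutes=10)),    # resent after the window closes
    ]
    return [cache.check(c, ts, now)[1] for c, ts, now in events]


if __name__ == "__main__":
    print(simulate())
```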

202. Which of the following user identification and authentication techniques depends on reference profiles or templates?

a. Memory tokens

b. Smart cards

c. Cryptography

d. Biometric systems

202. d. Biometric systems require the creation and storage of profiles or templates of individuals wanting system access. This includes physiological attributes such as fingerprints, hand geometry, or retina patterns, or behavioral attributes such as voice patterns and hand-written signatures.

Memory tokens and smart cards involve the creation and distribution of a token device with a PIN, and data that tell the computer how to recognize valid tokens or PINs. Cryptography requires the generation, distribution, storage, entry, use, and archiving of cryptographic keys.

203. When security products cannot provide sufficient protection through encryption, system administrators should consider using which of the following to protect intrusion detection and prevention system management communications?

1. Physically separated network

2. Logically separated network

3. Virtual private network

4. Encrypted tunneling

a. 1 and 4

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

203. c. System administrators should ensure that all intrusion detection and prevention system (IDPS) management communications are protected either through physical separation (management network) or logical separation (virtual network) or through encryption using transport layer security (TLS). However, for security products that do not provide sufficient protection through encryption, administrators should consider using a virtual private network (VPN) or other encrypted tunneling method to protect the network traffic.

204. What is the objective of separation of duties?

a. No one person has complete control over a transaction or an activity.

b. Employees from different departments do not work together well.

c. Controls are available to protect all supplies.

d. Controls are in place to operate all equipment.

204. a. The objective is to limit what people can do, especially in conflict situations or incompatible functions, in such a way that no one person has complete control over a transaction or an activity from start to finish. The goal is to limit the possibility of hiding irregularities or fraud. The other three choices are not related to separation of duties.

205. Which names does an access control matrix place in its rows and columns?

a. Users in each row and the names of objects in each column

b. Programs in each row and the names of users in each column

c. Users in each column and the names of devices in each row

d. Subjects in each column and the names of processes in each row

205. a. Discretionary access control is a process to identify users and objects. An access control matrix can be used to implement a discretionary access control mechanism: it places the names of users (subjects) in each row and the names of objects in each column of a matrix. A subject is an active entity, generally in the form of a person, process, or device that causes information to flow among objects or changes the system’s state. An object is a passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects include records, programs, pages, files, and directories. An access control matrix describes an association of objects and subjects for authentication of access rights.

206. In which of the following situations is Kerberos not used?

a. Managing distributed access rights

b. Managing encryption keys

c. Managing centralized access rights

d. Managing access permissions

206. a. Kerberos is a private key authentication system that uses a central database to keep a copy of all users’ private keys. Because that central database holds every key, compromising it compromises the entire system. Kerberos is used to manage centralized access rights, encryption keys, and access permissions.

207. Which of the following security control mechanisms is simplest to administer?

a. Discretionary access control

b. Mandatory access control

c. Access control list

d. Logical access control

207. b. Mandatory access controls are the simplest to use because they can be used to grant broad access to large sets of files and to broad categories of information.

Discretionary access controls are not simple to use due to their finer level of granularity in the access control process. Both the access control list and logical access control require a significant amount of administrative work because they are based on the details of each individual user.

208. What implementation is an example of an access control policy for a bank teller?

a. Role-based policy

b. Identity-based policy

c. User-directed policy

d. Rule-based policy

208. a. With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, bank teller, and manager). Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. The use of roles to control access can be an effective means for developing and enforcing enterprise-specific security policies and for streamlining the security management process.
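Questions 205 and 208 fit together: rights grouped by role name can be expanded into an access control matrix with subjects in rows and objects in columns. The following is an added example, not from the page; the bank objects, role names, rights, and user names are constructed for illustration.

```python
from collections import defaultdict


class AccessControlMatrix:
    """Rows are subjects (users), columns are objects; each cell is a set of rights."""

    def __init__(self):
        self.rights = defaultdict(lambda: defaultdict(set))
        self.objects = set()

    def grant(self, subject, obj, right):
        self.objects.add(obj)
        self.rights[subject][obj].add(right)

    def allowed(self, subject, obj, right):
        # An unknown subject or object simply has an empty cell: access denied.
        return right in self.rights[subject][obj]

    def row(self, subject):
        """The subject's row: every object column with that subject's rights."""
        return {o: sorted(self.rights[subject][o]) for o in sorted(self.objects)}


# Access rights grouped by role name (constructed sample roles for a bank).
ROLE_PERMISSIONS = {
    "teller": {
        "customer_accounts": {"read", "deposit", "withdraw"},
        "audit_log": set(),  # column exists, but a teller gets no rights on it
    },
    "manager": {
        "customer_accounts": {"read", "deposit", "withdraw", "approve_override"},
        "audit_log": {"read"},
    },
}


def build_matrix(user_roles, role_perms=ROLE_PERMISSIONS):
    """Expand role assignments (user -> list of roles) into a per-user matrix."""
    acm = AccessControlMatrix()
    for user, roles in user_roles.items():
        for role in roles:
            for obj, rights in role_perms[role].items():
                acm.objects.add(obj)  # register the column even when rights is empty
                for right in rights:
                    acm.grant(user, obj, right)
    return acm


if __name__ == "__main__":
    m = build_matrix({"alice": ["teller"], "bob": ["manager"]})
    for user in ("alice", "bob"):
        print(user, m.row(user))
```

Changing a role's rights changes every assigned user's row at once, which is the administrative streamlining the answer refers to.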