
Freeware is incorrect because it is software made available to the public at no cost while the author retains the copyright and may restrict how the program is used. Some freeware is harmless and some is harmful, but freeware as a category does not violate a user's privacy.

Firmware is incorrect because it is software stored in non-volatile memory on a hardware device, traditionally read-only memory (ROM). Classic firmware can be read but not modified in place; many modern devices accept firmware updates, but that still has nothing to do with a user's privacy.

Crippleware is incorrect because it is a trial (limited) version of a vendor product, with features disabled or with operation restricted to a limited period. Crippleware does not violate a user's privacy.

267. Network-based intrusion prevention systems (IPS) are typically deployed:

a. Inline

b. Outline

c. Online

d. Offline

267. a. A network-based IPS sniffs packets and analyzes network traffic to identify and stop suspicious activity. It is typically deployed inline, which means the sensor sits in the forwarding path and acts much like a network firewall: it receives each packet, analyzes it, decides whether it should be permitted, and passes only acceptable packets through. Because it sees traffic before it reaches the target, it can stop some attacks rather than merely report them. "Outline" and "online" are not deployment modes. An offline (passive, out-of-band) sensor receives only a copy of the traffic, so it can alert but cannot drop anything; that is the role of an intrusion detection system, not prevention.
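The difference between the inline and passive deployments described above, as an added illustration that is not part of the original text: a toy rule engine inspects constructed packets one at a time. In inline mode it returns only the packets it forwards; in passive mode it sees a copy of the same traffic, records the same alerts, and forwards everything. The packet fields, the signature rules and the SYN threshold are hypothetical.

```python
"""Toy inline IPS versus passive IDS decision path (constructed example)."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str = ""       # TCP flags as a short string, e.g. "S" for SYN
    payload: bytes = b""


# Constructed signature rules: (rule name, predicate over a packet).
SIGNATURES = [
    ("http-traversal", lambda p: p.dport == 80 and b"../" in p.payload),
    ("sql-union", lambda p: p.dport == 80 and b"UNION SELECT" in p.payload.upper()),
]
SYN_THRESHOLD = 5   # hypothetical: more SYNs than this from one source is a flood


@dataclass
class Engine:
    inline: bool                      # True: in the forwarding path; False: sniffing a copy
    syn_counts: Counter = field(default_factory=Counter)
    alerts: list = field(default_factory=list)

    def verdict(self, pkt):
        """Return the name of the rule a packet trips, or None if it looks clean."""
        for name, matches in SIGNATURES:
            if matches(pkt):
                return name
        if pkt.flags == "S":                      # simple stateful rate check per source
            self.syn_counts[pkt.src] += 1
            if self.syn_counts[pkt.src] > SYN_THRESHOLD:
                return "syn-flood"
        return None

    def process(self, packets):
        """Inline: return the packets actually forwarded to the target.
        Passive: the sensor only holds a copy, so every packet is forwarded."""
        forwarded = []
        for pkt in packets:
            hit = self.verdict(pkt)
            if hit:
                self.alerts.append((hit, pkt.src))
                if self.inline:
                    continue                      # dropped before reaching the target
            forwarded.append(pkt)
        return forwarded


def sample_traffic():
    """Constructed traffic: one clean request, one traversal attempt, eight SYNs."""
    pkts = [Packet("10.0.0.5", "10.0.0.80", 80, "PA", b"GET /index.html")]
    pkts.append(Packet("10.0.0.9", "10.0.0.80", 80, "PA", b"GET /../../etc/passwd"))
    pkts += [Packet("10.0.0.7", "10.0.0.80", 443, "S") for _ in range(8)]
    return pkts


def run(inline):
    """Return (number of packets reaching the target, number of alerts raised)."""
    engine = Engine(inline=inline)
    forwarded = engine.process(sample_traffic())
    return len(forwarded), len(engine.alerts)


if __name__ == "__main__":
    print("inline  (IPS):", run(True))    # traversal and excess SYNs are dropped
    print("passive (IDS):", run(False))   # same alerts, nothing dropped
```

Both modes raise identical alerts; only the inline sensor changes what the target receives. That is also why an inline sensor must be engineered for availability (fail-open versus fail-closed, throughput), a concern a passive sensor does not have.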

268. Identity thieves can get personal information through which of the following means?

1. Dumpster diving

2. Skimming

3. Phishing

4. Pretexting

a. 1 only

b. 3 only

c. 1 and 3

d. 1, 2, 3, and 4

268. d. Identity thieves obtain personal information by stealing records or information while on the job, bribing an employee who has access to such records, hacking electronic records, and conning information out of employees. All four listed techniques are sources of personal information:

Dumpster diving is rummaging through personal trash, a business's trash, or public trash dumps for discarded records.

Skimming is stealing credit card or debit card numbers by capturing the card data in a storage device attached to or hidden in a legitimate reader.

Phishing and pretexting both involve posing as a legitimate company and claiming that there is a problem with the victim's account in order to extract information. Done by e-mail or a fake website this is called phishing; done by telephone (a form of social engineering) it is called pretexting.

269. Which of the following application-related authentication types is risky?

a. External authentication

b. Proprietary authentication

c. Pass-through authentication

d. Host/user authentication

269. c. Pass-through authentication forwards the operating system credentials (e.g., username and password) from the operating system to the application system so that the user is not prompted again. The forwarded credentials may be encrypted or unencrypted; it is the unencrypted case that is risky, because the password is exposed on the path between the two systems.

External authentication is incorrect because it delegates authentication to a directory server, which is not risky in itself. Proprietary authentication is incorrect because the usernames and passwords are maintained by the application, not the operating system, so no credentials are passed between systems; this is less risky. Host/user authentication is incorrect because it is performed within a controlled environment (e.g., managed workstations and servers within an organization), and some applications simply rely on the authentication the operating system has already performed; this is also less risky.

270. Inference attacks are based on which of the following?

a. Hardware and software

b. Firmware and freeware

c. Data and information

d. Middleware and courseware

270. c. An inference attack is one in which a user or an intruder deduces information he is not privileged to see from information he is privileged to see. The attack works on data and information, not on any particular software layer: for example, aggregate results (sums, counts, averages) that a user is allowed to query can be combined to reveal an individual record that the user may not read directly.
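The aggregate-differencing case described above, worked through as an added example that is not part of the original text. The staff table, the salaries, the "analyst may only run SUM/COUNT" policy and the minimum-query-set size of 3 are all constructed for the illustration. The first attack is stopped by refusing aggregates over fewer than 3 rows; the second (a tracker attack) is not, because both of its query sets are large.

```python
"""Inference attack against a statistical query interface (constructed example)."""
import sqlite3

MIN_QUERY_SET = 3   # hypothetical policy: refuse aggregates over fewer rows than this

ROWS = [            # constructed data; the analyst is not allowed to read these rows
    ("alice", "eng", 34, 120000),
    ("bob",   "eng", 29,  95000),
    ("carol", "eng", 41, 130000),
    ("dave",  "ops", 38,  88000),
    ("erin",  "ops", 27,  70000),
]

# Only these fixed aggregate queries are exposed to the analyst role.
SQL_DEPT = "SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM staff WHERE dept = ?"
SQL_DEPT_OLDER = SQL_DEPT + " AND age > ?"
SQL_ALL = "SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM staff"
SQL_ALL_BUT = SQL_ALL + " WHERE NOT (dept = ? AND age <= ?)"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE staff(name TEXT, dept TEXT, age INT, salary INT)")
    con.executemany("INSERT INTO staff VALUES (?, ?, ?, ?)", ROWS)
    return con


def aggregate(con, sql, params, enforce_min):
    """Run one permitted aggregate; optionally apply the minimum query-set-size control."""
    count, total = con.execute(sql, params).fetchone()
    if enforce_min and count < MIN_QUERY_SET:
        raise PermissionError(f"query set of {count} rows is below {MIN_QUERY_SET}")
    return count, total


def naive_inference(con, dept, age, enforce_min=False):
    """Deduce the salary of the single employee in `dept` aged <= `age`
    by differencing two aggregates, the second of which has a tiny query set."""
    _, dept_total = aggregate(con, SQL_DEPT, (dept,), enforce_min)
    _, older_total = aggregate(con, SQL_DEPT_OLDER, (dept, age), enforce_min)
    return dept_total - older_total


def tracker_inference(con, dept, age, enforce_min=False):
    """Same target, but both query sets are large (all rows, all rows but one),
    so a minimum-size check alone does not stop the inference."""
    _, everyone = aggregate(con, SQL_ALL, (), enforce_min)
    _, all_but_target = aggregate(con, SQL_ALL_BUT, (dept, age), enforce_min)
    return everyone - all_but_target


def inference_blocked(attack, con, dept, age):
    """True if the minimum query-set control stops the given attack function."""
    try:
        attack(con, dept, age, enforce_min=True)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    con = make_db()
    print("naive, no control:   ", naive_inference(con, "eng", 30))
    print("naive, with control: ", "blocked" if inference_blocked(naive_inference, con, "eng", 30) else "leaks")
    print("tracker, with control:", tracker_inference(con, "eng", 30, enforce_min=True))
```

Bob's salary is never returned by any single permitted query, yet it falls out of two of them. The takeaway for the control designer is that query-set-size limits only raise the bar; defeating overlap attacks needs further measures such as limiting the overlap between successive query sets, auditing query histories, or adding noise to aggregate results.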

271. Out-of-band attacks against electronic authentication protocols include which of the following?

1. Password guessing attack

2. Replay attack

3. Verifier impersonation attack

4. Man-in-the-middle attack

a. 1 only

b. 3 only

c. 1 and 2

d. 3 and 4

271. d. In an out-of-band attack, the attack is against an authentication protocol run in which the attacker takes the role of a subscriber toward a genuine verifier or relying party. The attacker captures secret and sensitive information, such as passwords, account numbers and transaction amounts, at the point where the subscriber manually enters them into a one-time password device or transcribes a confirmation code sent by the verifier or relying party.

The out-of-band attacks in this category work by diverting or altering the authentication channel, through session hijacking, verifier impersonation, or a man-in-the-middle (MitM) attack. In a verifier impersonation attack, the attacker impersonates the verifier and induces the claimant to reveal a secret token. In a MitM attack, the attacker positions himself between the claimant and the verifier so that he can intercept and alter the data traveling between them.

In a password guessing attack, an impostor repeatedly attempts logons with guessed passwords and succeeds when one of them logs him onto the system. In a replay attack, an attacker records part of a previous, genuine protocol run and later replays it to the verifier. Both are examples of in-band attacks: attacks on the authentication protocol in which the attacker takes the role of a claimant toward a genuine verifier, or actively alters the authentication channel, with the goal of gaining authenticated access or learning authentication secrets.
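Two of the attacks named above, replay and verifier impersonation, run against a naive protocol and against a challenge-response protocol, as an added example that is not part of the original text. The shared secret, the message formats and the class names are constructed for the illustration; the naive protocol sends a fixed authenticator derived from the secret, the challenge-response protocol sends an HMAC over a fresh, single-use nonce chosen by the verifier.

```python
"""Replay and verifier-impersonation attacks against two toy authentication
protocols (constructed example)."""
import hashlib
import hmac
import secrets

SECRET = b"correct horse battery staple"   # constructed shared secret


# --- Naive protocol: the claimant always sends the same authenticator ---------
def naive_authenticator(secret):
    return hashlib.sha256(secret).hexdigest()


class NaiveVerifier:
    def __init__(self, secret):
        self.expected = naive_authenticator(secret)

    def verify(self, authenticator):
        return hmac.compare_digest(authenticator, self.expected)


# --- Challenge-response: verifier issues a fresh nonce, claimant answers with
#     HMAC(secret, nonce); each nonce is accepted exactly once -----------------
class ChallengeResponseVerifier:
    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self.outstanding:       # unknown, or already consumed
            return False
        self.outstanding.discard(nonce)         # single use: defeats replay
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def respond(secret, nonce):
    """What the claimant sends back to whoever it believes is the verifier."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


# --- Attack 1: replay (in-band) ----------------------------------------------
def replay_naive(secret):
    """Attacker sniffs one genuine login and sends the same bytes again."""
    verifier = NaiveVerifier(secret)
    captured = naive_authenticator(secret)
    return verifier.verify(captured), verifier.verify(captured)   # (genuine, replay)


def replay_challenge_response(secret):
    verifier = ChallengeResponseVerifier(secret)
    nonce = verifier.challenge()
    captured = respond(secret, nonce)
    return verifier.verify(nonce, captured), verifier.verify(nonce, captured)


# --- Attack 2: verifier impersonation (out-of-band) --------------------------
def impersonate_verifier_naive(secret):
    """A fake verifier asks the claimant to authenticate; the claimant hands
    over its static authenticator, which is itself enough to log in later."""
    stolen = naive_authenticator(secret)
    return NaiveVerifier(secret).verify(stolen)


def impersonate_verifier_challenge_response(secret):
    """The fake verifier issues its own nonce and collects the answer, then
    tries to use that answer against the genuine verifier's fresh challenge."""
    stolen = respond(secret, secrets.token_bytes(16))
    genuine = ChallengeResponseVerifier(secret)
    return genuine.verify(genuine.challenge(), stolen)


if __name__ == "__main__":
    print("replay vs naive:   ", replay_naive(SECRET))                      # (True, True)
    print("replay vs CR:      ", replay_challenge_response(SECRET))         # (True, False)
    print("fake verifier, naive:", impersonate_verifier_naive(SECRET))      # True
    print("fake verifier, CR:   ", impersonate_verifier_challenge_response(SECRET))  # False
```

The single-use nonce is what defeats replay, and binding the response to a nonce the attacker did not choose is what defeats an offline fake verifier. It does not defeat a relaying man-in-the-middle who forwards the genuine verifier's nonce to the claimant in real time; stopping that needs the claimant to authenticate the verifier (for example via a server certificate) and to bind the response to that authenticated channel.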

272. Which of the following information security control families requires a cross-cutting approach?

a. Access control

b. Audit and accountability

c. Awareness and training

d. Configuration management

272. a. Access control requires a cross-cutting approach because its controls interact with the incident response, audit and accountability, and configuration management control families (areas). Cross-cutting means that a control in one area affects the controls in other, related areas. The other three choices can be addressed with a control-specific approach.

273. Confidentiality controls include which of the following?

a. Cryptography

b. Passwords

c. Tokens

d. Biometrics

273. a. Cryptography, which is a technical control, is the control that directly serves the confidentiality goal. The other three choices are user identification and authentication mechanisms; they are also technical controls, but they establish who a user is rather than protect the data from disclosure.

274. Which of the following is not an example of authorization and access controls?

a. Logical access controls

b. Role-based access controls

c. Reconstruction of transactions

d. System privileges

274. c. Reconstruction of transactions is a part of audit trail mechanisms. The other three choices are a part of authorization and access controls.