
275. Which of the following is not an example of access control policy?

a. Performance-based policy

b. Identity-based policy

c. Role-based policy

d. Rule-based policy

275. a. A performance-based policy is used to evaluate an employee’s performance annually or at other times. The other three choices are examples of an access control policy, in that they control access between users and objects in the information system.

276. From security and safety viewpoints, which of the following does not support the static separation-of-duty constraints?

a. Mutually exclusive roles

b. Reduced chances of collusion

c. Conflict-of-interest in tasks

d. Implicit constraints

276. d. It is difficult to meet the security and safety requirements with flexible access control policies expressed in implicit constraints such as role-based access control (RBAC) and rule-based access control (RuBAC). Static separation-of-duty constraints require that two roles of an individual must be mutually exclusive, constraints must reduce the chances of collusion, and constraints must minimize the conflict-of-interest in task assignments to employees.
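The static separation-of-duty constraint described above, made explicit and enforced at role-assignment time, as an added illustration that is not part of the original question bank. The RBAC model, the role names, and the audit routine for constraints declared after roles were already assigned are assumptions of this example.

```python
"""Static separation-of-duty (SSoD) in an RBAC model: mutually exclusive roles are
declared as explicit constraints and enforced when a role is assigned to a user."""
from collections import defaultdict


class StaticSoDViolation(Exception):
    """Raised when an assignment would give one user two mutually exclusive roles."""


class RbacModel:
    def __init__(self):
        self.user_roles = defaultdict(set)  # user -> set of roles assigned
        self.exclusive_pairs = set()        # frozenset({role_a, role_b}) entries

    def declare_exclusive(self, role_a, role_b):
        """Constraint: no single user may ever hold both role_a and role_b."""
        if role_a == role_b:
            raise ValueError("a role cannot be exclusive with itself")
        self.exclusive_pairs.add(frozenset((role_a, role_b)))

    def conflicts(self, user, role):
        """Roles the user already holds that are exclusive with `role`."""
        held = self.user_roles.get(user, set())
        return {r for r in held if frozenset((r, role)) in self.exclusive_pairs}

    def assign_role(self, user, role):
        """Assign a role only if it does not breach a static SoD constraint.
        Static SoD is checked at assignment time, before any session exists."""
        clash = self.conflicts(user, role)
        if clash:
            raise StaticSoDViolation(
                f"{user} already holds {sorted(clash)}, which is exclusive with {role}")
        self.user_roles[user].add(role)

    def audit(self):
        """Find users who already violate a constraint (e.g. one declared after
        roles were assigned). Returns user -> sorted list of violated role pairs."""
        findings = {}
        for user, roles in self.user_roles.items():
            bad = [tuple(sorted(p)) for p in self.exclusive_pairs if p <= roles]
            if bad:
                findings[user] = sorted(bad)
        return findings
```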

277. Which of the following pairs perform similar functions in information security?

a. SSO and RSO

b. DES and DNS

c. ARP and PPP

d. SLIP and SKIP

277. a. A single sign-on (SSO) technology allows a user to authenticate once and then access all the resources the user is authorized to use. A reduced sign-on (RSO) technology allows a user to authenticate once and then access many, but not all, of the resources the user is authorized to use. Hence, SSO and RSO perform similar functions.

The other three choices do not perform similar functions. Data encryption standard (DES) is a symmetric cipher encryption algorithm. Domain name system (DNS) provides an Internet translation service that resolves domain names to Internet Protocol (IP) addresses and vice versa. Address resolution protocol (ARP) is used to obtain a node’s physical address. Point-to-point protocol (PPP) is a data-link framing protocol used to frame data packets on point-to-point lines. Serial line Internet protocol (SLIP) carries Internet Protocol (IP) over an asynchronous serial communication line; PPP replaced SLIP. Simple key management for Internet protocol (SKIP) is designed to work with IPsec, operates at the network layer of the TCP/IP stack, and works well with sessionless datagram protocols.

278. How is identification different from authentication?

a. Identification comes after authentication.

b. Identification requires a password, and authentication requires a user ID.

c. Identification and authentication are the same.

d. Identification comes before authentication.

278. d. Identification is the process used to recognize an entity such as a user, program, process, or device. It is performed first, and authentication is done next. Identification and authentication are not the same. Identification requires a user ID, and authentication requires a password.

279. Accountability is not related to which of the following information security objectives?

a. Identification

b. Availability

c. Authentication

d. Auditing

279. b. Accountability is typically accomplished by identifying and authenticating system users and subsequently tracing their actions through audit trails (i.e., auditing).

280. Which of the following statements is true about mandatory access control?

a. It does not use sensitivity levels.

b. It uses tags.

c. It does not use security labels.

d. It reduces system performance.

280. d. Mandatory access control is expensive and causes system overhead, resulting in reduced system performance of the database. Mandatory access control uses sensitivity levels and security labels. Discretionary access controls use tags.

281. What control is referred to when an auditor reviews access controls and logs?

a. Directive control

b. Preventive control

c. Corrective control

d. Detective control

281. d. The purpose of auditors reviewing access controls and logs is to find out whether employees follow security policies and access rules, and to detect any violations and anomalies. The audit report helps management to improve access controls.

282. Logical access controls are a technical means of implementing security policy decisions. They require balancing often-competing interests. Which of the following trade-offs should receive the highest interest?

a. User-friendliness

b. Security principles

c. Operational requirements

d. Technical constraints

282. a. A management official responsible for a particular application system, subsystem, or group of systems develops the security policy. The development of an access control policy may not be an easy endeavor. User-friendliness should receive the highest interest because the system is designed for users, and the system usage is determined by whether the system is user-friendly. The other three choices have a competing interest in a security policy, but they are not as important as the user-friendliness issue. An example of a security principle is “least privilege.”

283. Which of the following types of passwords is counterproductive?

a. System-generated passwords

b. Encrypted passwords

c. Nonreusable passwords

d. Time-based passwords

283. a. A password-generating program can produce passwords in a random fashion, rather than relying on user-selected ones. System-generated passwords are usually hard to remember, forcing users to write them down. This defeats the whole purpose of stronger passwords.

Encrypted passwords protect passwords from unauthorized viewing or use. The encrypted password file is kept secure, with access permission given to the security administrator for maintenance or to the password system itself. This approach is productive in keeping the passwords secure and secret.

Nonreusable passwords are used only once. A series of passwords is generated by a cryptographically secure algorithm and given to the user for use at the time of login. Each password expires after its initial use and is not repeated or stored anywhere. This approach is productive in keeping the passwords secure and secret.

In time-based passwords, the password changes every minute or so. A smart card displays a number that is a function of the current time and the user’s secret key. To get access, the user must enter a number based on the user’s own key and the current time. Each password is unique and therefore need not be written down, nor can it be guessed. This approach is productive and effective in keeping the passwords secure and secret.
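How a time-based password of the kind described in the last paragraph can be computed on the card and checked on the server, as an added illustration that is not part of the original question bank; it follows the TOTP construction of RFC 6238. The one-minute step, the drift window, the replay check and the timestamps are assumptions of this example, and the secret is the RFC 6238 test secret, not a real key.

```python
"""Time-based one-time password (TOTP style, RFC 6238): the value depends only on a
shared secret and the current time window, so each password is unique and never reused."""
import hashlib
import hmac
import struct


def time_based_password(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Password for the time window containing unix_time (card and server both compute it)."""
    counter = unix_time // step                         # index of the current time window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TimePasswordVerifier:
    """Server side: accepts a code for the current window (+/- drift) exactly once."""

    def __init__(self, secret: bytes, step: int = 60, digits: int = 6, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.used_windows = set()                       # replay protection per window

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for window in range(now - self.drift, now + self.drift + 1):
            expected = time_based_password(self.secret, window * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):     # constant-time comparison
                if window in self.used_windows:         # same password presented twice
                    return False
                self.used_windows.add(window)
                return True
        return False
```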

284. Which of the following issues is closely related to logical access controls?