a. Employee issues

b. Hardware issues

c. Operating systems software issues

d. Application software issues

284. a. The largest risk exposure remains with employees. Personnel security measures are aimed at hiring honest, competent, and capable employees. Job requirements need to be programmed into the logical access control software. Policy is also closely linked to personnel issues. A deterrent effect arises among employees when they are aware that their misconduct (intentional or unintentional) may be detected. Selecting the right type and access level for employees, communicating which employees need access accounts and what type and level of access they require, and communicating changes to access requirements are also important. Accounts and accesses should not be granted or maintained for employees who should not have them in the first place. The other three choices are distantly related to logical access controls when compared to employee issues.

285. Which of the following password methods are based on fact or opinion?

a. Static passwords

b. Dynamic passwords

c. Cognitive passwords

d. Conventional passwords

285. c. Cognitive passwords use fact-based and opinion-based cognitive data as a basis for user authentication. The method uses interactive software routines that can handle initial user enrollment and subsequent cue-response exchanges for system access. Cognitive passwords are based on a person’s lifetime experiences and events that only that person, or his family, knows about. Examples include the person’s favorite high school teachers’ names, colors, flowers, foods, and places. Cognitive password procedures do not depend on the “people memory” often associated with the conventional password dilemma. However, implementation of a cognitive password mechanism could cost money and take more time to authenticate a user. Cognitive passwords are easier to recall and difficult for others to guess.

Conventional (static) passwords are difficult to remember whether user-created or system-generated and are easy to guess by others. Dynamic passwords change each time a user signs on to the computer. Even in the dynamic password environment, a user needs to remember an initial code for the computer to recognize him. Conventional passwords are reusable whereas dynamic ones are not. Conventional passwords rely on memory.

286. Which of the security codes is the longest, thereby making it difficult to guess?

a. Passphrases

b. Passwords

c. Lockwords

d. Passcodes

286. a. Passphrases have the virtue of length (e.g., up to 80 characters), making them both difficult to guess and burdensome to discover by an exhaustive trial-and-error attack on a system. The number of characters used in the other three choices is smaller (e.g., four to eight characters) than passphrases. All four security codes are user identification mechanisms.

Passwords are uniquely associated with a single user. Lockwords are system-generated terminal passwords shared among users. Passcodes are a combination of password and ID card.

287. Anomaly detection approaches used in intrusion detection systems (IDS) require which of the following?

a. Tool sets

b. Skill sets

c. Training sets

d. Data sets

287. c. Anomaly detection approaches often require extensive training sets of system event records to characterize normal behavior patterns. Skill sets are also important for the IT security analyst. Tool sets and data sets are not relevant here because the tool sets may contain software or hardware, and the data sets may contain data files and databases.

288. What is a marking assigned to a computing resource called?

a. Security tag

b. Security label

c. Security level

d. Security attribute

288. b. A security label is a marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. A security tag is an information unit containing a representation of certain security-related information (e.g., a restrictive attribute bitmap).

A security level is a hierarchical indicator of the degree of sensitivity to a certain threat. It implies, according to the security policy enforced, a specific level of protection. A security attribute is a security-related quality of an object. Security attributes may be represented as hierarchical levels, bits in a bitmap, or numbers. Compartments, caveats, and release markings are examples of security attributes.

289. Which of the following is most risky?

a. Permanent access

b. Guest access

c. Temporary access

d. Contractor access

289. c. The greatest problem with temporary access is that once temporary access is given to an employee, it is not reverted to the previous status after the project has been completed. This can be due to forgetfulness on the part of both employee and employer or the lack of a formal system for change notification. There can be a formal system of change notification for permanent access, and guest or contractor accesses are removed after the project has been completed.

290. Which of the following deals with access control by group?

a. Discretionary access control

b. Mandatory access control

c. Access control list

d. Logical access control

290. a. Discretionary access controls deal with the concept of control objectives, or control over individual aspects of an enterprise’s processes or resources. They are based on the identity of the users and of the objects they want to access. Discretionary access controls are implemented by one user or the network/system administrator to specify what levels of access other users are allowed to have.

Mandatory access controls are implemented based on the user’s security clearance or trust level and the particular sensitivity designation of each file. The owner of a file or object has no discretion as to who can access it.

An access control list is based on which user can access what objects. Logical access controls are based on a user-supplied identification number or code and password. Discretionary access control is by group association whereas mandatory access control is by sensitivity level.

291. Which of the following provides a finer level of granularity (i.e., more restrictive security) in the access control process?

a. Mandatory access control

b. Discretionary access control

c. Access control list

d. Logical access control

291. b. Discretionary access control offers a finer level of granularity in the access control process. Mandatory access controls can provide access to broad categories of information, whereas discretionary access controls can be used to fine-tune those broad controls, override mandatory restrictions as needed, and accommodate special circumstances.

292. For identity management, which of the following supports the determination of an authentic identity?

1. X.509 authentication framework