
323. A lattice security model is an example of which of the following access control policies?

a. Discretionary access control (DAC)

b. Non-DAC

c. Mandatory access control (MAC)

d. Non-MAC

323. b. A lattice security model is based on a nondiscretionary access control (non-DAC) model. A lattice model is a partially ordered set for which every pair of elements (subjects and objects) has a greatest lower bound and a least upper bound. The subject has the greatest lower bound, and the object has the least upper bound.

324. Which of the following is not a common type of electronic credential?

a. SAML assertions

b. X.509 public-key identity certificates

c. X.509 attribute certificates

d. Kerberos tickets

324. a. Electronic credentials are digital documents used in authentication that bind an identity or an attribute to a subscriber’s token. Security Assertion Markup Language (SAML) is a specification for encoding security assertions in the Extensible Markup Language (XML). SAML assertions have nothing to do with electronic credentials because they can be used by a verifier to make a statement to a relying party about the identity of a claimant.

An X.509 public-key identity certificate is incorrect because binding an identity to a public key is a common type of electronic credential. An X.509 attribute certificate is incorrect because binding an identity or a public key with some attribute is a common type of electronic credential. Kerberos tickets are incorrect because encrypted messages binding the holder with some attribute or privilege are a common type of electronic credential.

325. Registration fraud in electronic authentication can be deterred by making it more difficult to accomplish or by increasing the likelihood of which of the following?

a. Direction

b. Prevention

c. Detection

d. Correction

325. c. Making it more difficult to accomplish or increasing the likelihood of detection can deter registration fraud. The goal is to make impersonation more difficult.

326. Which one of the following access control policies treats users and owners as the same?

a. Discretionary access control (DAC)

b. Mandatory access control (MAC)

c. Role-based access control (RBAC)

d. Access control lists (ACLs)

326. a. A discretionary access control (DAC) mechanism enables users to grant or revoke access to any of the objects under their control. As such, users are said to be the owners of the objects under their control. Users and owners are different in the other three choices.

327. For electronic authentication protocol threats, which of the following are assumed to be physically able to intercept authentication protocol runs?

a. Eavesdroppers

b. Subscriber impostors

c. Impostor verifiers

d. Hijackers

327. a. Eavesdroppers are assumed to be physically able to intercept authentication protocol runs; however, the protocol may be designed to render the intercepted messages unintelligible, or to resist analysis that would allow the eavesdropper to obtain information useful to impersonate the claimant.

Subscriber impostors are incorrect because they need only normal communications access to verifiers or relying parties. Impostor verifiers are incorrect because they may have special network capabilities to divert, insert, or delete packets. But, in many cases, such attacks can be mounted simply by tricking subscribers with incorrect links in e-mails or on Web pages, or by using domain names similar to those of relying parties or verifiers. Therefore, the impostors do not necessarily need to have any unusual network capabilities. Hijackers are incorrect because they must divert communications sessions, but this capability may be comparatively easy to achieve today when many subscribers use wireless network access.

328. Which of the following is not commonly detected and reported by intrusion detection and prevention systems (IDPS)?

a. System scanning attacks

b. Denial-of-service attacks

c. System penetration attacks

d. IP address spoofing attacks

328. d. An attacker can send attack packets using a fake source IP address but arrange to wiretap the victim’s reply to the fake address. The attacker can do this without having access to the computer at the fake address. This manipulation of IP addressing is called IP address spoofing.

A system scanning attack occurs when an attacker probes a target network or system by sending different kinds of packets. Denial-of-service attacks attempt to slow or shut down targeted network systems or services. System penetration attacks involve the unauthorized acquisition and/or alteration of system privileges, resources, or data.

329. In-band attacks against electronic authentication protocols include which of the following?

a. Password guessing

b. Impersonation

c. Password guessing and replay

d. Impersonation and man-in-the-middle

329. c. In an in-band attack, the attacker assumes the role of a claimant with a genuine verifier. These include a password guessing attack and a replay attack. In a password guessing attack, an impostor attempts to guess a password in repeated logon trials and succeeds when he can log onto a system. In a replay attack, an attacker records and replays some part of a previous good protocol run to the verifier. In the verifier impersonation attack, the attacker impersonates the verifier and induces the claimant to reveal his secret token. A man-in-the-middle attack is an attack on the authentication protocol run in which the attacker positions himself between the claimant and verifier so that he can intercept and alter data traveling between them.

330. Which of the following access control policies or models provides a straightforward way of granting or denying access for a specified user?

a. Role-based access control (RBAC)

b. Access control lists (ACLs)

c. Mandatory access control (MAC)

d. Discretionary access control (DAC)

330. b. An access control list (ACL) is an object associated with a file and containing entries specifying the access that individual users or groups of users have to the file. ACLs provide a straightforward way to grant or deny access for a specified user or groups of users. Other choices are not that straightforward in that they use labels, tags, and roles.

331. What is impersonating a user or system called?

a. Snooping attack

b. Spoofing attack

c. Sniffing attack

d. Spamming attack

331. b. Spoofing is an unauthorized use of legitimate identification and authentication data such as user IDs and passwords. Intercepted user names and passwords can be used to impersonate the user on the login or file transfer server host that the user accesses.