46. b. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. To mitigate the threat of assertion reuse, the assertion should include a timestamp and a short lifetime of validity. The other three choices are incorrect because they are not applicable to the situation here.
47. In electronic authentication, which of the following can mitigate the threat of assertion repudiation?
a. Digital signature and TLS/SSL
b. Timestamp and short lifetime of validity
c. Digital signature with a key supporting nonrepudiation
d. HTTP and TLS
47. c. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. To mitigate the threat of assertion repudiation, the assertion may be digitally signed by the verifier using a key that supports nonrepudiation. The other three choices are incorrect because they are not applicable to the situation here.
48. In electronic authentication, which of the following can mitigate the threat of assertion substitution?
a. Digital signature and TLS/SSL
b. Timestamp and short lifetime of validity
c. Digital signature with a key supporting nonrepudiation
d. HTTP and TLS
48. d. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. To mitigate the threat of assertion substitution, the assertion may be carried over a combination of HTTP, to handle message order, and TLS, to detect and disallow malicious reordering of packets. The other three choices are incorrect because they are not applicable to the situation here.
49. Serious vulnerabilities exist when:
a. An untrusted individual has been granted unauthorized access.
b. A trusted individual has been granted authorized access.
c. An untrusted individual has been granted authorized access.
d. A trusted individual has been granted unauthorized access.
49. a. Vulnerabilities typically result when an untrusted individual is granted unauthorized access to a system. Granting unauthorized access is riskier than granting authorized access to an untrusted individual, and trusted individuals pose less risk than untrusted ones. Both trust and authorization are important to minimize vulnerabilities. The other three choices are incorrect because serious vulnerabilities may not exist with them.
50. In mobile device authentication, password and personal identification number (PIN) authentication is an example of which of the following?
a. Proof-by-possession
b. Proof-by-knowledge
c. Proof-by-property
d. Proof-of-origin
50. b. Proof-by-knowledge is where a claimant authenticates his identity to a verifier by demonstrating knowledge of a password or PIN (i.e., something you know).
Proof-by-possession and proof-by-property, along with proof-by-knowledge, are used in mobile device authentication and robust authentication. Proof-of-origin is the basis to prove an assertion. For example, a private signature key is used to generate digital signatures as a proof-of-origin.
51. In mobile device authentication, fingerprint authentication is an example of which of the following?
a. Proof-by-possession
b. Proof-by-knowledge
c. Proof-by-property
d. Proof-of-origin
51. c. Proof-by-property is where a claimant authenticates his identity to a verifier by presenting a biometric sample such as a fingerprint (i.e., something you are).
Proof-by-possession and proof-by-knowledge, along with proof-by-property, are used in mobile device authentication and robust authentication. Proof-of-origin is the basis to prove an assertion. For example, a private signature key is used to generate digital signatures as a proof-of-origin.
52. Which of the following actions is effective for reviewing guest/anonymous accounts, temporary accounts, inactive accounts, and emergency accounts?
a. Disabling
b. Auditing
c. Notifying
d. Terminating
52. b. All the accounts mentioned in the question can be disabled, notified about, or terminated, but those actions by themselves are not effective for reviewing them. Auditing of account creation, modification, notification, disabling, and termination (i.e., the entire account cycle) is effective because it can identify anomalies in the account cycle process.