4. Chinese Wall policy
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4
66. b. Separation of duty constraints require that two roles be mutually exclusive because no user should hold the privileges of both roles at once. Both role-based and rule-based access controls are examples of static separation of duty, which is enforced when roles or rules are assigned, before any access takes place.
Dynamic separation of duty is enforced at access time, and the decision to grant access depends on the subject's past access history. Examples of dynamic separation of duty include workflow policy and the Chinese Wall policy.
67. In biometrics-based identification and authentication techniques, which of the following statements are true about biometric errors?
1. High false rejection rate is preferred.
2. Low false acceptance rate is preferred.
3. High crossover error rate represents low accuracy.
4. Low crossover error rate represents low accuracy.
a. 1 and 3
b. 1 and 4
c. 2 and 3
d. 2 and 4
67. c. The goal of biometrics-based identification and authentication is to obtain low numbers for both the false rejection rate (FRR) and the false acceptance rate (FAR). A related goal is a low crossover error rate (CER), the point at which FRR and FAR are equal: a low CER represents high accuracy, whereas a high CER represents low accuracy. A high FRR (statement 1) is not preferred, because it locks out legitimate users.
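To make the relationship in answer 67 concrete, the following added example (not part of the original question bank) sweeps a matching threshold over two constructed sets of match scores, computes FRR and FAR at each threshold, and finds the crossover point. The score values are invented for illustration; a real system would use the scores reported by its matcher.

```python
"""Locate the crossover error rate (CER) of a biometric matcher.

Constructed example: scores are made-up similarity values in [0, 100].
'Genuine' scores come from the enrolled user, 'impostor' scores from other
people. A sample is accepted when its score is >= the threshold, so raising
the threshold lowers FAR but raises FRR; the CER is where the two meet.
"""

# Constructed data for a well-separated matcher (assumption, not real data).
GENUINE_SCORES = [62, 68, 71, 74, 77, 79, 81, 83, 85, 88, 90, 92]
IMPOSTOR_SCORES = [20, 28, 33, 41, 47, 52, 58, 63, 66, 70, 75, 80]

# Constructed data for a poorer matcher whose score distributions overlap more.
WEAK_GENUINE_SCORES = [40, 48, 55, 60, 64, 69, 73, 78, 82, 86, 90, 94]
WEAK_IMPOSTOR_SCORES = [30, 38, 45, 52, 58, 63, 67, 72, 76, 81, 85, 89]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) when a sample is accepted iff score >= threshold.

    FRR: fraction of genuine samples wrongly rejected (score below threshold).
    FAR: fraction of impostor samples wrongly accepted (score at/above threshold).
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine, impostor, thresholds=range(0, 101)):
    """Sweep thresholds and return (threshold, CER) at the point where
    FRR and FAR are closest; the first such threshold wins on ties."""
    best = None  # (gap, threshold, cer)
    for t in thresholds:
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    for label, g, i in (("good matcher", GENUINE_SCORES, IMPOSTOR_SCORES),
                        ("weak matcher", WEAK_GENUINE_SCORES, WEAK_IMPOSTOR_SCORES)):
        t, cer = crossover_error_rate(g, i)
        print(f"{label}: CER {cer:.3f} at threshold {t}")
```

The weaker matcher's distributions overlap more, so its CER is higher, which is the "high CER means low accuracy" relationship the answer describes. Operationally, the CER is a comparison metric between matchers; a production threshold is usually set away from the crossover, towards low FAR for access control or low FRR for convenience, depending on which error is costlier.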
68. For password management, user-selected passwords generally contain which of the following?
1. Less entropy
2. Easier for users to remember
3. Weaker passwords
4. Easier for attackers to guess
a. 2 only
b. 2 and 3
c. 2, 3, and 4
d. 1, 2, 3, and 4
68. d. User-selected passwords generally contain less entropy and are easier for users to remember, but for the same reason they are weaker and easier for attackers to guess or crack.
69. As a part of centralized password management solution, which of the following architectures for single sign-on technology becomes a single point-of-failure?
a. Kerberos authentication service
b. Lightweight directory access protocol
c. Domain passwords
d. Centralized authentication server
69. d. A common architecture for single sign-on (SSO) is to have an authentication service, such as Kerberos, for authenticating SSO users, and a database or directory service such as the lightweight directory access protocol (LDAP) that stores authentication information for the resources the SSO handles authentication for. The SSO technology is password-based, and an SSO solution usually includes one or more centralized authentication servers holding credentials for many users. Such a server becomes a single point of failure for authentication to many resources, so the availability of that server determines the availability of every resource that relies on it.
70. If proper mutual authentication is not performed, what is the single sign-on technology vulnerable to?
a. Man-in-the-middle attack
b. Replay attack
c. Social engineering attack
d. Phishing attack
70. a. User authentication to the single sign-on (SSO) technology is important. If proper mutual authentication is not performed, that is, if the SSO server does not prove its identity to the user as well as the user proving theirs, a password-based SSO exchange is vulnerable to a man-in-the-middle (MitM) attack, because an impostor can pose as the SSO server and intercept the user's credentials. Social engineering and phishing attacks target the user's password directly rather than the authentication exchange, and a replay attack reuses previously captured authentication data rather than exploiting the absence of mutual authentication.
71. From an access control point of view, separation of duty is of two types: static and dynamic. Which of the following are examples of dynamic separation of duties?
1. Two-person rule
2. History-based separation of duty
3. Design-time
4. Run-time
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4
71. a. The two-person rule states that the first user can be any authorized user, but the second user must be an authorized user different from the first. History-based separation of duty restricts how many times the same subject (role or user) may access the same object (program or device), deciding at access time by consulting the object's access history. Design-time and run-time are terms used in the workflow policy, not types of dynamic separation of duty.
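Answers 66 and 71 distinguish static separation of duty (checked when roles are assigned) from dynamic separation of duty (checked at access time against history). The following added example, not part of the original question bank, enforces both on a constructed purchase-order workflow: the role names, actions, and the rule that a payment needs two distinct approvers are assumptions chosen for illustration.

```python
"""Static versus dynamic separation of duty on a constructed workflow.

Static SoD : mutually exclusive roles are refused at role-assignment time.
Dynamic SoD: each access is decided at access time from the object's history:
  - history-based: a user who requested or already approved an object may
    not approve it (again);
  - two-person rule: a payment needs APPROVALS_REQUIRED distinct approvers,
    and the payer must be someone who has not already acted on the object.
"""

from collections import defaultdict

# Assumed role pairs that no single user may hold at the same time.
MUTUALLY_EXCLUSIVE_ROLES = {
    frozenset({"requester", "approver"}),
    frozenset({"approver", "payer"}),
}

# Assumed mapping from workflow action to the role that may perform it.
ROLE_FOR_ACTION = {"request": "requester", "approve": "approver", "pay": "payer"}

# Two-person rule: number of distinct approvers required before payment.
APPROVALS_REQUIRED = 2


class SoDEnforcer:
    def __init__(self):
        self.roles = defaultdict(set)     # user -> set of roles held
        self.history = defaultdict(list)  # object -> [(user, action), ...]

    def assign_role(self, user, role):
        """Static SoD: refuse an assignment that pairs mutually exclusive roles."""
        for held in self.roles[user]:
            if frozenset({held, role}) in MUTUALLY_EXCLUSIVE_ROLES:
                raise PermissionError(
                    f"static SoD: {user} holds {held} and cannot also hold {role}")
        self.roles[user].add(role)

    def perform(self, user, action, obj):
        """Dynamic SoD: grant or deny at access time using obj's history."""
        needed = ROLE_FOR_ACTION[action]
        if needed not in self.roles[user]:
            raise PermissionError(f"{user} lacks the {needed} role")
        past = self.history[obj]
        actors = lambda act: [u for u, a in past if a == act]

        if action == "approve" and user in actors("request") + actors("approve"):
            raise PermissionError(
                f"history-based SoD: {user} already acted on {obj}")

        if action == "pay":
            approvers = set(actors("approve"))
            if len(approvers) < APPROVALS_REQUIRED:
                raise PermissionError(
                    f"two-person rule: {obj} has only {len(approvers)} approval(s)")
            if user in approvers or user in actors("request"):
                raise PermissionError(
                    f"two-person rule: {user} already acted on {obj}")

        past.append((user, action))
        return True


def is_denied(fn, *args):
    """Helper: True if the call is refused by a separation-of-duty check."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    e = SoDEnforcer()
    for user, role in (("alice", "requester"), ("bob", "approver"),
                       ("carol", "approver"), ("dave", "payer")):
        e.assign_role(user, role)
    print("bob as requester denied:", is_denied(e.assign_role, "bob", "requester"))
    e.perform("alice", "request", "PO-1")
    e.perform("bob", "approve", "PO-1")
    print("bob approving twice denied:", is_denied(e.perform, "bob", "approve", "PO-1"))
    print("pay with one approval denied:", is_denied(e.perform, "dave", "pay", "PO-1"))
    e.perform("carol", "approve", "PO-1")
    print("pay after two approvals:", e.perform("dave", "pay", "PO-1"))
```

The static check never looks at `history`; it only needs the user's current role set. Every dynamic check reads `history` for the specific object, which is why the answer to question 66 describes dynamic separation of duty as referring to past access.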
72. From an access control point of view, the Chinese Wall policy focuses on which of the following?
a. Confidentiality
b. Integrity
c. Availability
d. Assurance