Reading CISSP Practice in full

89. Which of the following user actions are permitted without identification or authentication?

1. Access to public websites

2. Emergency situations

3. Unsuccessful login attempts

4. Reestablishing a session lock

a. 1 only

b. 2 only

c. 1 and 2

d. 3 and 4

89. c. Access to public websites and emergency situations are examples of user-permitted actions that don't require identification or authentication. Both unsuccessful login attempts and reestablishing a session lock require proper identification or authentication procedures. A session lock is retained until proper identification or authentication is submitted, accepted, and reestablished.

90. Which of the following circumstances require additional security protections for mobile devices after unsuccessful login attempts?

a. When a mobile device requires a login to itself, and not a user account on the device

b. When a mobile device is accessing a removable media without a login

c. When information on the mobile device is encrypted

d. When the login is made to any one account on the mobile device

90. a. Additional security protection is needed for a mobile device (e.g., PDA) requiring a login where the login is made to the mobile device itself, not to any one account on the device. Additional protection is not needed when removable media is accessed without a login and when the information on the mobile device is encrypted. A successful login to any account on the mobile device resets the unsuccessful login count to zero.

91. An information system dynamically reconfigures with which of the following as information is created and combined?

a. Security attributes and data structures

b. Security attributes and security policies

c. Security attributes and information objects

d. Security attributes and security labels

91. b. An information system dynamically reconfigures security attributes in accordance with an identified security policy as information is created and combined. The system supports and maintains the binding of security attributes to information in storage, in process, and in transmission. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structures (e.g., records, buffers, and files) for that object.

92. For identity management, international standards do not use which of the following access control policies for making access control decisions?

1. Discretionary access control (DAC)

2. Mandatory access control (MAC)

3. Identity-based access control (IBAC)

4. Rule-based access control (RuBAC)

a. 1 and 2

b. 1 and 3

c. 2 and 3

d. 3 and 4

92. a. International standards for access control decisions do not use the U.S.-based discretionary or mandatory access control policies. Instead, they use identity-based and rule-based access control policies.

93. Which of the following is an example of less than secure networking protocols for remote access sessions?

a. Secure shell-2

b. Virtual private network with blocking mode enabled

c. Bulk encryption

d. Peer-to-peer networking protocols

93. d. An organization must ensure that remote access sessions for accessing security functions employ security measures and that they are audited. Bulk encryption, session layer encryption, secure shell-2 (SSH-2), and virtual private networking (VPN) with blocking enabled are standard security measures. Bluetooth and peer-to-peer (P2P) networking are examples of less than secure networking protocols.

94. For wireless access, in which of the following ways does an organization confine wireless communications to organization-controlled boundaries?

1. Reducing the power of the wireless transmission and controlling wireless emanations

2. Configuring the wireless access path such that it is point-to-point in nature

3. Using mutual authentication protocols

4. Scanning for unauthorized wireless access points and connections

a. 1 only

b. 3 only

c. 2 and 4

d. 1, 2, 3, and 4
