100. Which of the following can prevent replay attacks in an authentication process for network access to privileged and non-privileged accounts?
1. Nonces
2. Challenges
3. Time synchronous authenticators
4. Challenge-response one-time authenticators
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
100. d. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address replay attacks include protocols that use nonces or challenges (e.g., TLS) and time synchronous or challenge-response one-time authenticators.
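To make the two mechanisms named in the answer concrete, the following is an added Python example (not from the study guide) showing a nonce-based challenge-response authenticator and a time-synchronous (TOTP-style) authenticator, each of which rejects a recorded response when it is played back. The shared key, the 30-second step, and the single-step acceptance rule are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed shared secret for the example only (not a real credential).
SHARED_KEY = b"example-shared-secret-do-not-use"


class ChallengeResponseServer:
    """Nonce-based challenge-response verifier.

    A fresh random nonce is issued per attempt and consumed on first use,
    so a captured (nonce, response) pair cannot be replayed.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()  # nonces issued but not yet consumed

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Reject nonces that were never issued or were already consumed.
        if nonce not in self.outstanding:
            return False
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        # Consume the nonce whatever the outcome so it cannot be retried.
        self.outstanding.discard(nonce)
        return ok


def client_respond(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove key possession by MACing the server's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def time_code(key: bytes, now: float, step: int = 30) -> str:
    """Time-synchronous one-time code (TOTP-style, assumed 30 s step)."""
    counter = int(now // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class TimeSyncServer:
    """Verifier that accepts each time step at most once (replay guard).

    Simplification: no clock-drift window; only the current step is valid.
    """

    def __init__(self, key: bytes, step: int = 30):
        self.key = key
        self.step = step
        self.last_counter = -1  # highest time step already accepted

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // self.step)
        if counter <= self.last_counter:
            return False  # same or older step: a replayed code
        if not hmac.compare_digest(time_code(self.key, now, self.step), code):
            return False
        self.last_counter = counter
        return True


def demo_replay_resistance() -> dict:
    """Run both authenticators against a first use and a replay."""
    results = {}

    srv = ChallengeResponseServer(SHARED_KEY)
    nonce = srv.issue_challenge()
    resp = client_respond(SHARED_KEY, nonce)
    results["nonce_first"] = srv.verify(nonce, resp)    # True
    results["nonce_replay"] = srv.verify(nonce, resp)   # False: nonce consumed

    tsrv = TimeSyncServer(SHARED_KEY)
    t0 = 1_700_000_000.0  # constructed timestamp
    code = time_code(SHARED_KEY, t0)
    results["time_first"] = tsrv.verify(code, t0 + 5)   # True: same step
    results["time_replay"] = tsrv.verify(code, t0 + 10)  # False: step used
    results["time_next_step"] = tsrv.verify(time_code(SHARED_KEY, t0 + 30), t0 + 35)
    return results


if __name__ == "__main__":
    print(demo_replay_resistance())
```

Both verifiers share the same defensive idea: the server keeps just enough state (an outstanding-nonce set, or the last accepted time step) to recognise that a message it has already seen is being presented again, and compares MACs in constant time.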
101. For device identification and authentication, the authentication between devices and connections to networks is an example of a(n):
a. Bidirectional authentication
b. Group authentication
c. Device-unique authentication
d. Individual authentication
101. a. An information system authenticates devices before establishing remote and wireless network connections using cryptographically based bidirectional authentication between devices. Examples of device identifiers include media access control (MAC) addresses, IP addresses, e-mail IDs, and device-unique token identifiers. Examples of device authenticators include digital/PKI certificates and passwords. The other three choices are not correct because they lack two-way authentication.
102. For device identification and authentication, dynamic address allocation process for devices is standardized with which of the following?
a. Dynamic host configuration protocol
b. Dynamic authentication
c. Dynamic hypertext markup language
d. Dynamic binding
102. a. For dynamic address allocation for devices, dynamic host configuration protocol (DHCP)-enabled clients obtain leases for Internet Protocol (IP) addresses from DHCP servers. Therefore, the dynamic address allocation process for devices is standardized with DHCP. The other three choices do not have the capability to obtain leases for IP addresses.
103. For identifier management, service-oriented architecture implementations do not rely on which of the following?
a. Dynamic identities
b. Dynamic attributes and privileges
c. Preregistered users
d. Pre-established trust relationships
103. c. Conventional approaches to identification and authentication employ static information system accounts for known preregistered users. Service-oriented architecture (SOA) implementations do not rely on static identities but do rely on establishing identities at run-time for entities (i.e., dynamic identities) that were previously unknown. Dynamic identities are associated with dynamic attributes and privileges, and they rely on pre-established trust relationships.
104. For authenticator management, which of the following presents a significant security risk?
a. Stored authenticators
b. Default authenticators
c. Reused authenticators
d. Refreshed authenticators
104. b. Organizations should change the default authenticators upon information system installation or require vendors and/or manufacturers to provide unique authenticators prior to delivery. This is because default authenticator credentials are often well known and easily discoverable, and therefore present a significant security risk. A stored or embedded authenticator can be risky depending on whether it is encrypted or unencrypted. Both reused and refreshed authenticators are less risky compared to default and stored authenticators because they are under the control of the user organization.
105. For authenticator management, use of which of the following is risky and leads to possible alternatives?
a. A single sign-on mechanism
b. Same user identifier and different user authenticators on all systems
c. Same user identifier and same user authenticator on all systems
d. Different user identifiers and different user authenticators on each system