Reading CISSP Practice in full

105. c. Examples of user identifiers include internal users, contractors, external users, guests, passwords, tokens, and biometrics. Examples of user authenticators include passwords, PINs, tokens, biometrics, PKI/digital certificates, and key cards. When an individual has accounts on multiple information systems, there is the risk that if one account is compromised and the individual uses the same user identifier and authenticator, other accounts will be compromised as well. Possible alternatives include (i) having the same user identifier but different authenticators on all systems, (ii) having different user identifiers and different user authenticators on each system, (iii) employing a single sign-on mechanism, or (iv) having one-time passwords on all systems.

106. For authenticator management, which of the following is the least risky situation when compared to the others?

a. Authenticators embedded in an application system

b. Authenticators embedded in access scripts

c. Authenticators stored on function keys

d. Identifiers created at run-time

106. d. It is less risky to dynamically manage identifiers, attributes, and access authorizations. Run-time identifiers are created on-the-fly for previously unknown entities. Information security management should ensure that unencrypted, static authenticators are not embedded in application systems or access scripts and are not stored on function keys, because these approaches are risky. Here, the concern is to determine whether an embedded or stored authenticator is in encrypted or unencrypted form.

107. Which of the following access authorization policies applies when an organization has a list of software not authorized to execute on an information system?

a. Deny-all, permit-by-exception

b. Allow-all, deny-by-exception

c. Allow-all, deny-by-default

d. Deny-all, accept-by-permission

107. a. An organization employs a deny-all, permit-by-exception authorization policy to identify software not allowed to execute on the system. The other three choices are incorrect because the correct answer is based on a specific access authorization policy.

108. Encryption is a part of which of the following?

a. Directive controls

b. Preventive controls

c. Detective controls

d. Corrective controls

108. b. Encryption prevents unauthorized access and protects data and programs when they are in storage (at rest) or in transit. Preventive controls deter security incidents from happening in the first place.

Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.

109. Which of the following access authorization policies applies to external networks through managed interfaces employing boundary protection devices such as gateways or firewalls?

a. Deny-all, permit-by-exception

b. Allow-all, deny-by-exception

c. Allow-all, deny-by-default

d. Deny-all, accept-by-permission

109. a. Examples of managed interfaces employing boundary protection devices include proxies, gateways, routers, firewalls, hardware/software guards, and encrypted tunnels on a demilitarized zone (DMZ). The “deny-all, permit-by-exception” policy denies network traffic by default and enables network traffic by exception only.

The other three choices are incorrect because the correct answer is based on a specific access authorization policy. Access control lists (ACLs) can be applied to traffic entering the internal network from external sources.

110. Which of the following are needed when the enforcement of normal security policies, procedures, and rules is difficult to implement?

1. Compensating controls

2. Close supervision

3. Team review of work

4. Peer review of work

a. 1 only

b. 2 only

c. 1 and 2

d. 1, 2, 3, and 4
