Reading CISSP Practice in full

110. d. When the enforcement of normal security policies, procedures, and rules is difficult, it takes on a different dimension from that of requiring contracts, separation of duties, and system access controls. Under these situations, compensating controls in the form of close supervision, followed by peer and team review of quality of work are needed.

111. Which of the following is critical to understanding an access control policy?

a. Reachable-state

b. Protection-state

c. User-state

d. System-state

111. b. A protection-state is that part of the system-state critical to understanding an access control policy. A system must be either in a protection-state or reachable-state. User-state is not critical because it is the least privileged mode.

112. Which of the following should not be used in Kerberos authentication implementation?

a. Data encryption standard (DES)

b. Advanced encryption standard (AES)

c. Rivest, Shamir, and Adleman (RSA)

d. Diffie-Hellman (DH)

112. a. DES is weak and should not be used because of several documented security weaknesses. The other three choices can be used. AES can be used because it is strong. RSA is used in key transport where the authentication server generates the user symmetric key and sends the key to the client. DH is used in key agreement between the authentication server and the client.

113. From an access control decision viewpoint, failures due to flaws in permission-based systems tend to do which of the following?

a. Authorize permissible actions

b. Fail-safe with permission denied

c. Unauthorize prohibited actions

d. Grant unauthorized permissions

113. b. When failures occur due to flaws in permission-based systems, they tend to fail-safe with permission denied. There are two types of access control decisions: permission-based and exclusion-based.

114. Host and application system hardening procedures are a part of which of the following?

a. Directive controls

b. Preventive controls

c. Detective controls

d. Corrective controls

114. b. Host and application system hardening procedures are a part of preventive controls, as they include antivirus software, firewalls, and user account management. Preventive controls deter security incidents from happening in the first place.

Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.

115. From an access control decision viewpoint, fail-safe defaults operate on which of the following?

1. Exclude and deny

2. Permit and allow

3. No access, yes default

4. Yes access, yes default

a. 1 only

b. 2 only

c. 2 and 3

d. 4 only

115. c. Fail-safe defaults mean that access control decisions should be based on permit and allow policy (i.e., permission rather than exclusion). This equates to the condition in which lack of access is the default (i.e., no access, yes default). “Allow all and deny-by-default” refers to yes-access, yes-default situations.
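To make the distinction behind questions 113 and 115 concrete, here is an added example (not from the book) contrasting a permission-based (allow-list) decision with an exclusion-based (deny-list) one, and showing what each does when the policy data is flawed. The subjects, actions and the "loader drops an entry" flaw are constructed for illustration.

```python
"""Permission-based (allow-list) versus exclusion-based (deny-list) access
decisions, and how each resolves when the policy data is flawed."""
from typing import Dict, Optional, Set

Policy = Dict[str, Set[str]]  # subject -> set of actions


def permission_based(grants: Policy, subject: str, action: str) -> bool:
    """Allow-list decision: an action is permitted only if it is listed.
    A subject with no entry (or an empty one) gets nothing: permission denied."""
    allowed: Optional[Set[str]] = grants.get(subject)
    return bool(allowed) and action in allowed


def exclusion_based(denials: Policy, subject: str, action: str) -> bool:
    """Deny-list decision: an action is permitted unless it is listed.
    A subject with no entry is refused nothing, so a missing entry grants access."""
    denied: Optional[Set[str]] = denials.get(subject)
    return not denied or action not in denied


def fail_safe(decision, *args) -> bool:
    """Wrap a decision so that a runtime fault (corrupt data, lookup error)
    resolves to 'denied' instead of propagating or defaulting to 'allowed'."""
    try:
        return bool(decision(*args))
    except Exception:
        return False


# Constructed sample policies expressing the same intended rule:
# alice may read and write, bob may only read, nobody else gets anything.
GRANTS: Policy = {"alice": {"read", "write"}, "bob": {"read"}}
DENIALS: Policy = {"alice": {"delete"}, "bob": {"write", "delete"}}


def drop_entry(policy: Policy, subject: str) -> Policy:
    """Simulated flaw: a policy loader that silently loses one subject's entry."""
    return {s: a for s, a in policy.items() if s != subject}


def demo() -> dict:
    flawed_grants = drop_entry(GRANTS, "bob")
    flawed_denials = drop_entry(DENIALS, "bob")
    return {
        "intact_permission": permission_based(GRANTS, "bob", "read"),          # True
        "flawed_permission": permission_based(flawed_grants, "bob", "read"),   # False: fails safe
        "flawed_exclusion": exclusion_based(flawed_denials, "bob", "write"),   # True: fails open
        "unknown_exclusion": exclusion_based(DENIALS, "mallory", "read"),      # True: fails open
        "corrupt_data": fail_safe(permission_based, None, "alice", "read"),    # False: fault -> denied
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```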

116. For password management, automatically generated random passwords usually provide which of the following?

1. Greater entropy

2. Passwords that are hard for attackers to guess

3. Stronger passwords

4. Passwords that are hard for users to remember

a. 2 only

b. 2 and 3

c. 2, 3, and 4

d. 1, 2, 3, and 4

116. d. Automatically generated random (or pseudo-random) passwords usually provide greater entropy, are hard for attackers to guess or crack, and are stronger passwords, but at the same time are hard for users to remember.
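An added example (not from the book) that puts numbers on the "greater entropy" claim in question 116: a CSPRNG-generated password drawn uniformly from a 94-symbol alphabet is compared with a memorable word-plus-digits-plus-symbol pattern. The 94-symbol alphabet and the 10,000-word vocabulary are assumptions chosen for illustration.

```python
"""Entropy of automatically generated random passwords versus a
human-memorable pattern."""
import math
import secrets
import string

# Printable ASCII without the space character: 94 symbols (assumed alphabet).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Draw each character independently with a CSPRNG (the secrets module),
    so every string of this length over the alphabet is equally likely."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and an alphabet of at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(choices_per_slot) -> float:
    """Entropy of a password assembled from independent memorable slots,
    e.g. (one of 10,000 dictionary words, two digits, one of ten symbols)."""
    return sum(math.log2(n) for n in choices_per_slot)


def expected_guesses(bits: float) -> float:
    """Average number of guesses an exhaustive search needs: 2**bits / 2."""
    return 2 ** bits / 2


if __name__ == "__main__":
    pw = generate_password(12)
    bits = random_entropy_bits(12, len(PRINTABLE))
    print(f"random 12-char password: {pw}  ({bits:.1f} bits, "
          f"~{expected_guesses(bits):.2e} guesses on average)")
    pattern = pattern_entropy_bits([10_000, 100, 10])
    print(f"word + 2 digits + symbol: {pattern:.1f} bits, "
          f"~{expected_guesses(pattern):.2e} guesses on average")
```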

117. In biometrics-based identification and authentication techniques, which of the following indicates that security is unacceptably weak?

a. Low false acceptance rate

b. Low false rejection rate

c. High false acceptance rate

d. High false rejection rate
