Reading CISSP Practice in full

122. d. It is good practice to limit the number of unsuccessful authentication attempts any user can make. A session lock should be in place so that the system locks the user out and logs a security event whenever a user exceeds a certain number of failed logon attempts within a specified timeframe.

The other three choices cannot stop unsuccessful authentication attempts. For example, if an adversary can repeatedly submit fake biometric data hoping for an exact match, it creates a security breach without a session lock. In addition, rejecting exact matches creates ill will with the genuine user.
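The lockout described in the answer to question 122, as an added example (not code from the book): a sliding-window counter that tracks failed logons per user, locks the account once the threshold is exceeded inside the window, logs a security event, and refuses even a correct password while the lock is in force. The threshold, window and lock duration are constructed policy values, not figures from the text.

```python
from collections import defaultdict, deque

# Constructed policy values (assumptions for this example, not from the text):
# lock after 5 failures within 5 minutes, keep the lock for 15 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCK_SECONDS = 900


class SessionLock:
    """Tracks failed logons per user and enforces a temporary account lock."""

    def __init__(self, max_failures=MAX_FAILURES,
                 window_seconds=WINDOW_SECONDS, lock_seconds=LOCK_SECONDS):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> epoch seconds when lock expires
        self.security_log = []               # security events for the SIEM / audit trail

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Record one failed attempt; return True if it triggered a lock."""
        window = self.failures[user]
        window.append(now)
        # Drop failures that fall outside the sliding window.
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        if len(window) >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            self.security_log.append({
                "event": "ACCOUNT_LOCKED",
                "user": user,
                "time": now,
                "failures_in_window": len(window),
            })
            window.clear()
            return True
        return False

    def record_success(self, user, now):
        # A successful logon resets the failure history for the user.
        self.failures.pop(user, None)


def attempt_login(lock, user, password_ok, now):
    """Return 'locked', 'ok' or 'denied' for one logon attempt."""
    if lock.is_locked(user, now):
        # A locked account is refused even when the credentials are correct.
        return "locked"
    if password_ok:
        lock.record_success(user, now)
        return "ok"
    lock.record_failure(user, now)
    return "locked" if lock.is_locked(user, now) else "denied"


def run_demo():
    """Constructed attempt sequence; returns the list of outcomes."""
    lock = SessionLock()
    outcomes = [attempt_login(lock, "alice", False, t) for t in range(5)]
    outcomes.append(attempt_login(lock, "alice", True, 5))       # correct password, still locked
    outcomes.append(attempt_login(lock, "alice", True, 5 + 900))  # lock expired
    return outcomes, lock.security_log


if __name__ == "__main__":
    results, log = run_demo()
    print(results)
    print(log)
```

The sliding window matters: four failures spread over more than the window never accumulate to the threshold, while the same four plus one more inside the window do. The logged event is what lets a SOC detect a brute-force pattern across many accounts rather than only blocking one.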

123. In the single sign-on technology, timestamps thwart which of the following?

a. Man-in-the-middle attack

b. Replay attack

c. Social engineering attack

d. Phishing attack

123. b. Timestamps or other mechanisms to thwart replay attacks should be included in the single sign-on (SSO) credential transmissions. Man-in-the-middle (MitM) attacks are based on authentication and social engineering, and phishing attacks are based on passwords.
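To make the point of question 123 concrete, here is an added example (not code from the book) of how a verifier can reject a replayed SSO credential: each credential carries an issue timestamp and a one-time nonce under an HMAC, the verifier accepts it only within a freshness window, and it remembers nonces for that window so a captured credential cannot be presented twice. The shared key, the freshness window and the clock-skew allowance are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed assumptions for this example: the identity provider and the
# relying service share this key; credentials are valid for 120 s and a
# 30 s clock skew is tolerated.
SHARED_KEY = b"constructed-demo-key-do-not-use"
MAX_AGE_SECONDS = 120
CLOCK_SKEW_SECONDS = 30


def issue_credential(key, user, issued_at, nonce):
    """Identity-provider side: build an SSO credential with timestamp and nonce."""
    body = {"user": user, "issued_at": issued_at, "nonce": nonce}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_credential(key, cred, now, seen_nonces, max_age=MAX_AGE_SECONDS,
                      skew=CLOCK_SKEW_SECONDS):
    """Relying-service side: return 'ok', 'bad-signature', 'stale' or 'replay'.

    seen_nonces maps nonce -> time after which it no longer needs to be
    remembered (once a credential is older than max_age the timestamp
    check rejects it anyway, so the nonce store stays bounded).
    """
    expected = hmac.new(key, cred["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["tag"]):
        return "bad-signature"          # tampered or forged credential
    body = json.loads(cred["payload"])
    age = now - body["issued_at"]
    if age < -skew or age > max_age:
        return "stale"                  # outside the freshness window
    # Forget nonces whose credentials could no longer pass the age check.
    for nonce in [n for n, expiry in seen_nonces.items() if expiry <= now]:
        del seen_nonces[nonce]
    if body["nonce"] in seen_nonces:
        return "replay"                 # same credential presented again
    seen_nonces[body["nonce"]] = body["issued_at"] + max_age + skew
    return "ok"


if __name__ == "__main__":
    seen = {}
    cred = issue_credential(SHARED_KEY, "alice", 1000, "nonce-1")
    print(verify_credential(SHARED_KEY, cred, 1010, seen))   # ok
    print(verify_credential(SHARED_KEY, cred, 1011, seen))   # replay
    print(verify_credential(SHARED_KEY, cred, 1300, seen))   # stale
```

The timestamp alone bounds how long a captured credential is useful; the nonce store closes the remaining window during which the same credential could be replayed while still fresh. Both checks sit behind the MAC check, so an attacker cannot refresh an old credential by editing its timestamp.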

124. Which of the following correctly represents the flow in the identity and authentication process involved in the electronic authentication?

a. Claimant⇒Authentication Protocol⇒Verifier

b. Claimant⇒Authenticator⇒Verifier

c. Verifier⇒Claimant⇒Relying Party

d. Claimant⇒Verifier⇒Relying Party

124. d. The party to be authenticated is called a claimant and the party verifying that identity is called a verifier. When a claimant successfully demonstrates possession and control of a token in an online authentication to a verifier through an authentication protocol, the verifier can verify that the claimant is the subscriber. The verifier passes on an assertion about the identity of the subscriber to the relying party. The verifier must verify that the claimant has possession and control of the token that verifies his identity. A claimant authenticates his identity to a verifier by the use of a token and an authentication protocol, called proof-of-possession protocol.

The other three choices are incorrect as follows:

The flow of the authentication process involving Claimant⇒Authentication Protocol⇒Verifier: The authentication process establishes the identity of the claimant to the verifier with a certain degree of assurance. It is implemented through an authentication protocol message exchange, as well as management mechanisms at each end that further constrain or secure the authentication activity. One or more of the messages of the authentication protocol may need to be carried on a protected channel.

The flow of tokens and credentials involving Claimant⇒Authenticator⇒Verifier: Tokens generally are something the claimant possesses and controls that may be used to authenticate the claimant’s identity. In E-authentication, the claimant authenticates to a system or application over a network by proving that he has possession of a token. The token produces an output called an authenticator, and this output is used in the authentication process to prove that the claimant possesses and controls the token.

The flow of assertions involving Verifier⇒Claimant⇒Relying Party: Assertions are statements from a verifier to a relying party that contain information about a subscriber (claimant). Assertions are used when the relying party and the verifier are not collocated (e.g., they are connected through a shared network). The relying party uses the information in the assertion to identify the claimant and make authorization decisions about his access to resources controlled by the relying party.

125. Which of the following authentication techniques is appropriate for accessing nonsensitive IT assets with multiple uses of the same authentication factor?

a. Single-factor authentication

b. Two-factor authentication

c. Three-factor authentication

d. Multifactor authentication

125. a. Using the same authentication factor more than once (e.g., using the same password more than once) is appropriate for accessing nonsensitive IT assets and is known as single-factor authentication. The other three choices are not needed for authentication to low-security-risk and nonsensitive assets.
