Reading CISSP Practice in full

145. a. Products such as volume encryption, virtual disk encryption, or file/folder encryption may use the operating system's authentication for single sign-on (SSO). After a user authenticates to the operating system at login time, the user can access the encrypted files without further authentication, which is risky: the same single-factor authenticator should not be used for multiple purposes. Full-disk encryption provides better security than the other three choices because the entire disk is encrypted rather than only part of it.

146. Which of the following security mechanisms for high-risk storage encryption authentication products provides protection against authentication-guessing attempts and favors security over functionality?

a. Alert consecutive failed login attempts.

b. Lock the computer for a specified period of time.

c. Increase the delay between attempts.

d. Delete the protected data from the device.

146. d. For high-security situations, storage encryption authentication products can be configured so that too many failed attempts cause the product to delete all the protected data from the device. This approach strongly favors security over functionality. The other three choices can be used for low-security situations.
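To make the four mechanisms in question 146 concrete, the following is an added example (not code from the CISSP Practice text) that models them as one configurable policy for a storage-encryption authenticator; all thresholds are assumptions, and the "delete protected data" option is the only irreversible one.

```python
"""Failed-attempt handling for a storage-encryption authenticator (added
example, not from the book). The low-security responses (alert, lockout,
growing delay) are recoverable; wiping the protected data is not.
All thresholds below are assumptions, not values from the book."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AuthPolicy:
    alert_after: int = 3                # alert from the Nth consecutive failure
    lockout_after: Optional[int] = 5    # lock for lockout_seconds; None = never
    lockout_seconds: float = 300.0
    base_delay: float = 1.0             # delay doubles after each failure
    wipe_after: Optional[int] = None    # destroy protected data; None = never


@dataclass
class Authenticator:
    policy: AuthPolicy
    failures: int = 0                   # consecutive failures, reset on success
    data_present: bool = True
    locked_until: float = 0.0
    events: List[str] = field(default_factory=list)  # what an operator sees

    def attempt(self, now: float, ok: bool) -> str:
        """Handle one attempt at time `now` and return the resulting action."""
        if not self.data_present:
            return "wiped"              # nothing left to unlock, even with the right credential
        if now < self.locked_until:
            return "locked"             # attempts during lockout are not counted
        if ok:
            self.failures = 0
            return "granted"
        self.failures += 1
        p = self.policy
        if self.failures >= p.alert_after:
            self.events.append(f"alert:{self.failures}")
        if p.wipe_after is not None and self.failures >= p.wipe_after:
            self.data_present = False   # irreversible: security over functionality
            self.events.append("wipe")
            return "wiped"
        if p.lockout_after is not None and self.failures >= p.lockout_after:
            self.locked_until = now + p.lockout_seconds
            return "locked"
        return f"delay:{p.base_delay * 2 ** (self.failures - 1):g}"


def run(policy: AuthPolicy, attempts: List[Tuple[float, bool]]) -> List[str]:
    """Replay (time, success) pairs against a fresh authenticator."""
    auth = Authenticator(policy)
    return [auth.attempt(t, ok) for t, ok in attempts]
```

With the default policy a burst of failures ends in a timed lockout that a later correct credential survives; with `wipe_after` set, the same burst destroys the data and even the correct credential is refused afterwards.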

147. Recovery mechanisms for storage encryption authentication solutions require which of the following?

a. A trade-off between confidentiality and security

b. A trade-off between integrity and security

c. A trade-off between availability and security

d. A trade-off between accountability and security

147. c. Recovery mechanisms increase the availability of the storage encryption authentication solutions for individual users, but they can also increase the likelihood that an attacker can gain unauthorized access to encrypted storage by abusing the recovery mechanism. Therefore, information security management should consider the trade-off between availability and security when selecting and planning recovery mechanisms. The other three choices do not provide recovery mechanisms.

148. For identity management, which of the following requires multifactor authentication?

a. User-to-host architecture

b. Peer-to-peer architecture

c. Client host-to-server architecture

d. Trusted third-party architecture

148. a. When a user logs onto a host computer or workstation, the user must be identified and authenticated before access to the host or network is granted. This process requires a mechanism to authenticate a real person to a machine. The best methods of doing this involve multiple forms of authentication with multiple factors, such as something you know (password), something you have (physical token), and something you are (biometric verification). The other three choices do not require multifactor authentication because they use different authentication methods.

Peer-to-peer architecture, sometimes referred to as mutual authentication protocol, involves the direct communication of authentication information between the communicating entities (e.g., peer-to-peer or client host-to-server).

The architecture for trusted third-party (TTP) authentication uses a third entity, trusted by all entities, to provide authentication information. The amount of trust given to the third entity must be evaluated. Methods to establish and maintain a level of trust in a TTP include certification practice statements (CPS) that establish the rules, processes, and procedures a certificate authority (CA) uses to ensure the integrity of the authentication process, and the use of secure protocols to interface with authentication servers. A TTP may provide authentication information in each instance of authentication, in real time, or as a precursor to an exchange with a CA.

149. For password management, which of the following ensures password strength?

a. Passwords with maximum keyspace, shorter passphrases, low entropy, and simple passphrases

b. Passwords with balanced keyspace, longer passphrases, high entropy, and complex passphrases

c. Passwords with minimum keyspace, shorter passphrases, high entropy, and simple passphrases

d. Passwords with most likely keyspace, longer passphrases, low entropy, and complex passphrases
