Читаем CISSP Practice полностью

149. b. Password strength is determined by a password’s length and its complexity, which is determined by the unpredictability of its characters. Passwords based on patterns such as keyspace may meet password complexity and length requirement, but they significantly reduce the keyspace because attackers are aware of these patterns. The ideal keyspace is a balanced one between maximum, most likely, and minimum scenarios. Simple and short passphrases have low entropy because they consist of concatenated dictionary words, which are easy to guess and attack. Therefore, passphrases should be complex and longer to provide high entropy. Passwords with balanced keyspace, longer passphrases, high entropy, and complex passphrases ensure password strength.

150. Regarding password management, which of the following enforces password strength requirements effectively?

a. Educate users on password strength.

b. Run a password cracker program to identify weak passwords.

c. Perform a cracking operation offline.

d. Use a password filter utility program.

150. d. One way to ensure password strength is to add a password filter utility program, which is specifically designed to verify that a password created by a user complies with the password policy. Adding a password filter is a more rigorous and proactive solution, whereas the other three choices are less rigorous and reactive solutions.

The password filter utility program is also referred to as a password complexity enforcement program.

151. Which of the following controls over telecommuting use tokens and/or one-time passwords?

a. Firewalls

b. Robust authentication

c. Port protection devices

d. Encryption

151. b. Robust authentication increases security in two significant ways. It can require the user to possess a token in addition to a password or personal identification number (PIN). Tokens, when used with PINs, provide significantly more security than passwords. For a hacker or other would-be impersonator to pretend to be someone else, the impersonator must have both a valid token and the corresponding PIN. This is much more difficult than obtaining a valid password and user ID combination. Robust authentication can also create one-time passwords. Electronic monitoring (eavesdropping or sniffing) or observing a user type in a password is not a threat with one-time passwords because each time a user is authenticated to the computer, a different “password” is used. (A hacker could learn the one-time password through electronic monitoring, but it would be of no value.)

The firewall is incorrect because it uses a secure gateway or series of gateways to block or filter access between two networks, often between a private network and a larger, more public network such as the Internet or public-switched network (e.g., the telephone system). Firewall does not use tokens and passwords as much as robust authentication.

A port protection device (PPD) is incorrect because it is fitted to a communications port of a host computer and authorizes access to the port itself, prior to and independent of the computer’s own access control functions. A PPD can be a separate device in the communications stream or may be incorporated into a communications device (e.g. a modem). PPDs typically require a separate authenticator, such as a password, to access the communications port. One of the most common PPDs is the dial-back modem. PPD does not use tokens and passwords as much as robust authentication.

Encryption is incorrect because it is more expensive than robust authentication. It is most useful if highly confidential data needs to be transmitted or if moderately confidential data is transmitted in a high-threat area. Encryption is most widely used to protect the confidentiality of data and its integrity (it detects changes to files). Encryption does not use tokens and passwords as much as robust authentication.

152. Which of the following statements about an access control system is not true?

a. It is typically enforced by a specific application.

b. It indicates what a specific user could have done.

c. It records failed attempts to perform sensitive actions.

d. It records failed attempts to access restricted data.

152. a. Some applications use access control (typically enforced by the operating system) to restrict access to certain types of information or application functions. This can be helpful to determine what a particular application user could have done. Some applications record information related to access control, such as failed attempts to perform sensitive actions or access restricted data.