
153. What occurs in a man-in-the-middle (MitM) attack on an electronic authentication protocol?

1. An attacker poses as the verifier to the claimant.

2. An attacker poses as the claimant to the verifier.

3. An attacker poses as the CA to RA.

4. An attacker poses as the RA to CA.

a. 1 only

b. 3 only

c. 4 only

d. 1 and 2

153. d. In a man-in-the-middle (MitM) attack on an authentication protocol, the attacker interposes himself between the claimant and the verifier, posing as the verifier to the claimant and as the claimant to the verifier. The attacker thereby learns the value of the authentication token, or relays it to the verifier, and is authenticated in the claimant's place. The registration authority (RA) and the certification authority (CA) have no role in the MitM attack.

154. Which of the following is not a preventive measure against network intrusion attacks?

a. Firewalls

b. Auditing

c. System configuration

d. Intrusion detection system

154. b. Auditing is a detection activity, not a preventive measure. Examples of preventive measures to mitigate the risks of network intrusion attacks include firewalls, system configuration, and an intrusion detection system.

155. Smart card authentication is an example of which of the following?

a. Proof-by-knowledge

b. Proof-by-property

c. Proof-by-possession

d. Proof-of-concept

155. c. Smart cards are credit card-size plastic cards that host an embedded computer chip containing an operating system, programs, and data. Smart card authentication is perhaps the best-known example of proof-by-possession (e.g., key, card, or token). Passwords are an example of proof-by-knowledge. Fingerprints are an example of proof-by-property. Proof-of-concept deals with testing a product prior to building an actual product.

156. For token threats in electronic authentication, countermeasures used for which one of the following threats are different from the other three threats?

a. Online guessing

b. Eavesdropping

c. Phishing and pharming

d. Social engineering

156. a. In electronic authentication, the countermeasure against the token threat of online guessing is the use of tokens that generate high-entropy authenticators. The common countermeasures against the threats listed in the other three choices are the same as each other and do not rely on high-entropy authenticators. These common countermeasures include (i) the use of tokens with dynamic authenticators, where knowledge of one authenticator does not assist in deriving a subsequent authenticator, and (ii) the use of tokens that generate authenticators based on a token input value.

157. Which of the following is a component that provides a security service for a smart card application used in a mobile device authentication?

a. Challenge-response protocol

b. Service provider

c. Resource manager

d. Driver for the smart card reader

157. a. The underlying mechanism used to authenticate users via smart cards relies on a challenge-response protocol between the device and the smart card. For example, a personal digital assistant (PDA) challenges the smart card for an appropriate and correct response that can be used to verify that the card is the one originally enrolled by the PDA device owner. The challenge-response protocol provides a security service. The three main software components that support a smart card application include the service provider, a resource manager, and a driver for the smart card reader.

158. Which of the following is not a sophisticated technical attack against smart cards?

a. Reverse engineering

b. Fault injection

c. Signal leakage

d. Impersonating

158. d. For user authentication, the fundamental threat is an attacker impersonating a user and gaining control of the device and its contents. Of the four choices, impersonating is the unsophisticated technical attack. Smart cards are designed to resist tampering and monitoring of the card, including sophisticated technical attacks that involve reverse engineering, fault injection, and signal leakage.

159. Which of the following is an example of nonpolled authentication?

a. Smart card

b. Password

c. Memory token

d. Communications signal
