Читаем CISSP Practice полностью

187. c. For basic authentication, user IDs, passwords, and account numbers are used for internal authentication. Centralized authentication servers such as RADIUS and TACACS/TACACS+ can be integrated with token-based authentication to enhance firewall administration security.

188. How is authorization different from authentication?

a. Authorization comes after authentication.

b. Authorization and authentication are the same.

c. Authorization is verifying the identity of a user.

d. Authorization comes before authentication.

188. a. Authorization comes after authentication because a user is granted access to a program (authorization) after he is fully authenticated. Authorization is permission to do something with information in a computer. Authorization and authentication are not the same, where the former is verifying the user’s permission and the latter is verifying the identity of a user.

189. Which of the following is required to thwart attacks against a Kerberos security server?

a. Initial authentication

b. Pre-authentication

c. Post-authentication

d. Re-authentication

189. b. The simplest form of initial authentication uses a user ID and password, which occurs on the client. The server has no knowledge of whether the authentication was successful. The problem with this approach is that anyone can make a request to the server asserting any identity, allowing an attacker to collect replies from the server and successfully launching a real attack on those replies.

In pre-authentication, the user sends some proof of his identity to the server as part of the initial authentication process. The client must authenticate prior to the server issuing a credential (ticket) to the client. The proof of identity used in pre-authentication can be a smart card or token, which can be integrated into the Kerberos initial authentication process. Here, post-authentication and re-authentication processes do not apply because it is too late to be of any use.

190. Which of the following statements is not true about discretionary access control?

a. Access is based on the authorization granted to the user.

b. It uses access control lists.

c. It uses grant or revoke access to objects.

d. Users and owners are different.

190. d. Discretionary access control (DAC) permits the granting and revoking of access control privileges to be left to the discretion of individual users. A discretionary access control mechanism enables users to grant or revoke access to any of the objects under the control. As such, users are said to be the owners of the objects under their control. It uses access control lists.

191. Which of the following does not provide robust authentication?

a. Kerberos

b. Secure remote procedure calls

c. Reusable passwords

d. Digital certificates

191. c. Robust authentication means strong authentication that should be required for accessing internal computer systems. Robust authentication is provided by Kerberos, one-time passwords, challenge-response exchanges, digital certificates, and secure remote procedure calls (Secure RPC). Reusable passwords provide weak authentication.

192. Which of the following statements is not true about Kerberos protocol?

a. Kerberos uses an asymmetric key cryptography.

b. Kerberos uses a trusted third party.

c. Kerberos is a credential based authentication system.

d. Kerberos uses a symmetric key cryptography.

192. a. Kerberos uses symmetric key cryptography and a trusted third party. Kerberos users authenticate with one another using Kerberos credentials issued by a trusted third party. The bit size of Kerberos is the same as that of DES, which is 56 bits because Kerberos uses a symmetric key algorithm similar to DES.

193. Which of the following authentication types is most effective?

a. Static authentication

b. Robust authentication

c. Intermittent authentication

d. Continuous authentication

193. d. Continuous authentication protects against impostors (active attacks) by applying a digital signature algorithm to every bit of data sent from the claimant to the verifier. Also, continuous authentication prevents session hijacking and provides integrity.

Static authentication uses reusable passwords, which can be compromised by replay attacks. Robust authentication includes one-time passwords and digital signatures, which can be compromised by session hijacking. Intermittent authentication is not useful because of gaps in user verification.