Reading CISSP Practice in full

205. a. Discretionary access control is a process to identify users and objects. An access control matrix can be used to implement a discretionary access control mechanism by placing the names of users (subjects) in each row and the names of objects in each column of the matrix. A subject is an active entity, generally in the form of a person, process, or device that causes information to flow among objects or changes the system’s state. An object is a passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects include records, programs, pages, files, and directories. An access control matrix describes an association of objects and subjects for authentication of access rights.

206. Which situation is Kerberos not used in?

a. Managing distributed access rights

b. Managing encryption keys

c. Managing centralized access rights

d. Managing access permissions

206. a. Kerberos is a private key authentication system that uses a central database to keep a copy of all users’ private keys. The entire system can be compromised due to the central database. Kerberos is used to manage centralized access rights, encryption keys, and access permissions.

207. Which of the following security control mechanisms is simplest to administer?

a. Discretionary access control

b. Mandatory access control

c. Access control list

d. Logical access control

207. b. Mandatory access controls are the simplest to use because they can be used to grant broad access to large sets of files and to broad categories of information.

Discretionary access controls are not simple to use due to their finer level of granularity in the access control process. Both the access control list and logical access control require a significant amount of administrative work because they are based on the details of each individual user.

208. What implementation is an example of an access control policy for a bank teller?

a. Role-based policy

b. Identity-based policy

c. User-directed policy

d. Rule-based policy

208. a. With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, bank teller, and manager). Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. The use of roles to control access can be an effective means for developing and enforcing enterprise-specific security policies and for streamlining the security management process.

Identity-based and user-directed policies are incorrect because they are examples of discretionary access control. Identity-based access control is based only on the identity of the subject and object. In user-directed access controls, a subject can alter the access rights with certain restrictions. Rule-based policy is incorrect because it is an example of a mandatory type of access control and is based on specific rules relating to the nature of the subject and object.

209. Which of the following access mechanisms creates a potential security problem?

a. Location-based access mechanism

b. IP address-based access mechanism

c. Token-based access mechanism

d. Web-based access mechanism

209. b. IP address-based access mechanisms use Internet Protocol (IP) source addresses, which are not secure and are subject to IP address spoofing attacks. The IP address deals with identification only, not authentication.

Location-based access mechanism is incorrect because it deals with a physical address, not IP address. Token-based access mechanism is incorrect because it uses tokens as a means of identification and authentication. Web-based access mechanism is incorrect because it uses secure protocols to accomplish authentication. The other three choices accomplish both identification and authentication and do not create a security problem as does the IP address-based access mechanism.

210. Which of the following ranks the authentication mechanisms from most to least protection against replay attacks?

a. Password only, password and PIN, challenge response, and one-time password

b. Password and PIN, challenge response, one-time password, and password only

c. Challenge response, one-time password, password and PIN, and password only

d. Challenge-response, password and PIN, one-time password, and password only
