Reading CISSP Practice in full

The statements in the other three choices are true. The party to be authenticated is called a claimant (subscriber) and the party verifying that identity is called a verifier. When a subscriber needs to authenticate to perform a transaction, he becomes a claimant to a verifier. A relying party relies on results of an online authentication to establish the identity or attribute of a subscriber for the purpose of some transaction. Relying parties use a subscriber’s authenticated identity and other factors to make access control or authorization decisions. The verifier and the relying party may be the same entity, or they may be separate entities. In some cases the verifier does not need to directly communicate with the CSP to complete the authentication activity (e.g., the use of digital certificates), which represents a logical link between the two entities rather than a physical link. In some implementations, the verifier, the CSP functions, and the relying party may be distributed and separated.

217. Location-based authentication techniques for transportation firms can be effectively used to provide which of the following?

a. Static authentication

b. Intermittent authentication

c. Continuous authentication

d. Robust authentication

217. c. Transportation firms can use location-based authentication techniques continuously, as there are no time and resource limits. It does not require any secret information to protect at either the host or user end. Continuous authentication is better than robust authentication, where the latter can be intermittent.

218. System administrators pose a threat to computer security due to their access rights and privileges. Which of the following statements is true for an organization with one administrator?

a. Masquerading by a system administrator can be prevented.

b. A system administrator’s access to the system can be limited.

c. Actions by the system administrator can be detected.

d. A system administrator cannot compromise system integrity.

218. c. Authentication data needs to be stored securely, and its value lies in the data’s confidentiality, integrity, and availability. If confidentiality is compromised, someone may use the information to masquerade as a legitimate user. If system administrators can read the authentication file, they can masquerade as another user. Many systems use encryption to hide the authentication data from the system administrators.

Masquerading by system administrators cannot be entirely prevented. If integrity is compromised, authentication data can be added, or the system can be disrupted. If availability is compromised, the system cannot authenticate users, and the users may not be able to work. Because audit controls would be out of the control of the administrator, controls can be set up so that improper actions by the system administrators can be detected in audit records. Due to their broader responsibilities, the system administrators’ access to the system cannot be limited. System administrators can compromise a system’s integrity; again their actions can be detected in audit records.

It makes a big difference whether an organization has one or more than one system administrator for separation of duties or for the “least privilege” principle to work. With several system administrators, a system administrator account could be set up for one person to have the capability to add accounts. Another administrator could have the authority to delete them. When there is only one system administrator employed, breaking up the duties is not possible.

219. Logical access controls provide a technical means of controlling access to computer systems. Which of the following is not a benefit of logical access controls?

a. Integrity

b. Availability

c. Reliability

d. Confidentiality

219. c. Computer-based access controls are called logical access controls. These controls can prescribe not only who or what is to have access to a specific system resource but also the type of access permitted, usually in software. Reliability is more of a hardware issue.

Logical access controls can help protect (i) operating systems and other systems software from unauthorized modification or manipulation (and thereby help ensure the system’s integrity and availability); (ii) the integrity and availability of information by restricting the number of users and processes with access; and (iii) confidential information from being disclosed to unauthorized individuals.
