220. Which of the following internal access control methods offers a strong form of access control, yet has characteristics that are a significant deterrent to its use?
a. Security labels
b. Passwords
c. Access control lists
d. Encryption
220. a. Security labels are a strong form of access control. Unlike access control lists, labels cannot ordinarily be changed. Because labels are permanently linked to specific information, data cannot be disclosed by a user copying information and changing the access to that file so that the information is more accessible than the original owner intended. Security labels are well suited for consistently and uniformly enforcing access restrictions, although their administration and inflexibility can be a significant deterrent to their use.
Passwords are a weak form of access control, although they are easy to use and administer. Although encryption is also a strong form of access control, it is not as much of a deterrent to its use as labels are; in practice, however, the complexity and difficulty of encryption can still deter its use.
221. It is vital that access controls protecting a computer system work together. Which of the following types of access controls should be most specific?
a. Physical
b. Application system
c. Operating system
d. Communication system
221. b. At a minimum, four basic types of access controls should be considered: physical, operating system, communications, and application. In general, access controls within an application are the most specific. However, for application access controls to be fully effective, they need to be supported by operating system and communications system access controls. Otherwise, access can be made to application resources without going through the application. Operating system, communication, and application access controls need to be supported by physical access controls such as physical security and contingency planning.
222. Which of the following types of logical access control mechanisms does not rely on physical access controls?
a. Encryption controls
b. Application system access controls
c. Operating system access controls
d. Utility programs
222. a. Most systems can be compromised if someone can physically access the machine's CPU or major components, for example by restarting the system with different software. Logical access controls are, therefore, dependent on physical access controls (with the exception of encryption, which can depend solely on the strength of the algorithm and the secrecy of the key).
Application systems, operating systems, and utility programs are heavily dependent on logical access controls to protect against unauthorized use.
223. Audit trails are a system mechanism that assists business managers in holding individual users accountable for their actions. For these audit trails to be effective, which of the following controls is a prerequisite?
a. Physical
b. Environmental
c. Management
d. Logical access
223. d. By advising users that they are personally accountable for their actions, which are tracked by an audit trail that logs user activities, managers can help promote proper user behavior. Users are less likely to attempt to circumvent security policy if they know that their actions will be recorded in an audit log. Audit trails work in concert with logical access controls, which restrict use of system resources. Because logical access controls are enforced through software, audit trails are used to maintain an individual's accountability. The other three choices also collect some data in the form of an audit trail, but their usefulness is limited by the small amount of useful data they collect.
224. Which of the following is the best place to put the Kerberos protocol?
a. Application layer
b. Transport layer
c. Network layer
d. All layers of the network
224. d. Placing the Kerberos protocol below the application layer, at all layers of the network, provides the greatest security protection without the need to modify applications.