Reading CISSP Practice in full

225. An inherent risk is associated with logical access that is difficult to prevent or mitigate but can be identified via a review of audit trails. Which of the following types of access is this risk most associated with?

a. Properly used authorized access

b. Misused authorized access

c. Unsuccessful unauthorized access

d. Successful unauthorized access

225. b. Audit trail analysis applies to both properly used and misused authorized access, but it matters most for the latter because of its high risk. Although users cannot be prevented from using resources for which they hold legitimate access authorization, audit trail analysis is used to examine their actions. Similarly, unauthorized access attempts, whether successful or not, can be detected through the analysis of audit trails.

226. Many computer systems provide maintenance accounts for diagnostic and support services. Which of the following security techniques is least preferred to ensure reduced vulnerability when using these accounts?

a. Call-back confirmation

b. Encryption of communications

c. Smart tokens

d. Password and user ID

226. d. Many computer systems provide maintenance accounts. These special login accounts are normally preconfigured at the factory with preset, widely known weak passwords. It is critical to change these passwords or otherwise disable the accounts until they are needed. If the account is to be used remotely, authentication of the maintenance provider can be performed using call-back confirmation. This helps ensure that remote diagnostic activities actually originate from an established phone number at the vendor’s site. Other techniques can also help, including encryption and decryption of diagnostic communications, strong identification and authentication techniques such as smart tokens, and remote disconnect verification.

227. Below is a list of pairs, which are related to one another. Which pair of items represents the integral reliance on the first item to enforce the second?

a. The separation of duties principle, the least privilege principle

b. The parity check, the limit check

c. The single-key system, the Rivest-Shamir-Adleman (RSA) algorithm

d. The two-key system, the Data Encryption Standard (DES) algorithm

227. a. The separation of duties principle is related to the “least privilege” principle; that is, users and processes in a system should have the fewest privileges, for the shortest period of time, necessary to perform their assigned tasks. The authority and capacity to perform certain functions should be separated and delegated to different individuals. This principle is often applied to split the authority to write and approve monetary transactions between two people. It can also be applied to separate the authority to add users to a system and other system administrator duties from the authority to assign passwords, conduct audits, and perform other security administrator duties.

There is no relation between the parity check, which is hardware-based, and the limit check, which is a software-based application control. The parity check tests whether the number of ones (1s) or zeros (0s) in an array of binary digits is odd or even. Odd parity is standard for synchronous transmission and even parity for asynchronous transmission. In the limit check, a program tests the specified data fields against defined high or low value limits for acceptability before further processing. The RSA algorithm is incorrect because it uses two keys: private and public. The DES is incorrect because it uses only one key for both encryption and decryption (secret or private key).
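The following Python block is an added illustration, not material from CISSP Practice, showing the two unrelated controls from the explanation side by side: a parity bit computed over a data byte (even or odd parity) and a limit check on an application data field. The 9-bit framing, the sample byte and the monetary limits are constructed for the example; the double-bit-flip case shows the well-known limitation that a single parity bit cannot detect an even number of corrupted bits.

```python
"""Added example (not from CISSP Practice): a parity check beside a limit check.

Parity is an integrity check over raw bits, normally done in hardware; the limit
check is an application-level validation of a data field against defined high
and low bounds. The framing and the sample values are constructed here.
"""


def parity_bit(byte: int, even: bool = True) -> int:
    """Return the parity bit that makes the total number of 1s even (or odd)."""
    ones = bin(byte & 0xFF).count("1")
    if even:
        return ones % 2          # 1 only if the data byte has an odd number of 1s
    return 1 - (ones % 2)        # odd parity: make the total number of 1s odd


def frame(byte: int, even: bool = True) -> int:
    """Constructed 9-bit frame: the data byte shifted left, parity in bit 0."""
    return ((byte & 0xFF) << 1) | parity_bit(byte, even)


def parity_ok(framed: int, even: bool = True) -> bool:
    """Recompute parity over the data bits and compare with the stored bit."""
    data, stored = framed >> 1, framed & 1
    return parity_bit(data, even) == stored


def flip_bit(framed: int, position: int) -> int:
    """Simulate a transmission error by inverting one bit of the frame."""
    return framed ^ (1 << position)


def limit_check(value: float, low: float, high: float) -> bool:
    """Application-level check: accept only values within [low, high]."""
    return low <= value <= high


def demo() -> dict:
    """Run both controls on constructed inputs and report what each detects."""
    f = frame(0b1011_0011)          # five 1s, so the even-parity bit is 1
    single = flip_bit(f, 3)         # one corrupted data bit: parity changes
    double = flip_bit(single, 5)    # a second corrupted bit: parity is back to normal
    return {
        "clean": parity_ok(f),
        "single_flip_detected": not parity_ok(single),
        "double_flip_detected": not parity_ok(double),   # False: parity misses it
        "limit_ok": limit_check(1500.00, 0, 10000),
        "limit_rejects": not limit_check(25000.00, 0, 10000),
    }


if __name__ == "__main__":
    print(demo())
```

The hardware control answers "were the bits delivered intact?" and the software control answers "is this value acceptable to the application?"; neither one enforces the other, which is why the pair is not the answer.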

228. Which of the following is the most effective method for password creation?

a. Using password generators

b. Using password advisors

c. Assigning passwords to users

d. Implementing user selected passwords

228. b. Password advisors are computer programs that examine user choices for passwords and inform the users if the passwords are weak. Passwords produced by password generators are difficult to remember, whereas user selected passwords are easy to guess. Users tend to write an assigned password down on paper.
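As an added example that is not part of CISSP Practice, the Python block below implements a minimal password advisor of the kind the explanation describes: the user keeps choosing the password, and the program reports the reasons a choice is weak. The weak-password list, the 12-character minimum and the 50-bit entropy threshold are constructed assumptions; a real advisor would load a large breached-password list and follow the organisation's policy.

```python
"""Added example (not from CISSP Practice): a minimal password advisor.

It examines a user-chosen password and returns findings instead of generating
or assigning one. KNOWN_WEAK is a constructed sample standing in for a real
breached/default-password list (the factory passwords of maintenance accounts
in question 226 would belong on such a list).
"""
import math
import re

# Constructed sample; a real advisor would load a large breached-password set.
KNOWN_WEAK = {"password", "123456", "qwerty", "admin", "letmein", "service", "maint"}

MIN_LENGTH = 12           # assumed policy minimum
MIN_ENTROPY_BITS = 50.0   # assumed threshold for the rough estimate below


def estimate_entropy_bits(pw: str) -> float:
    """Rough upper bound: length * log2(size of the character classes used)."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33   # printable ASCII punctuation
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def advise(pw: str, username: str = "") -> list:
    """Return the reasons a password is weak; an empty list means none found."""
    findings = []
    lowered = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)   # "Password123!" -> "password"
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in KNOWN_WEAK or letters_only in KNOWN_WEAK:
        findings.append("matches a widely known weak or default password")
    if username and username.lower() in lowered:
        findings.append("contains the user ID")
    if re.fullmatch(r"(.)\1+", pw):
        findings.append("single repeated character")
    if re.fullmatch(r"\d+", pw):
        findings.append("digits only")
    if estimate_entropy_bits(pw) < MIN_ENTROPY_BITS:
        findings.append("too little variety for its length")
    return findings


if __name__ == "__main__":
    for candidate in ["123456", "Password123!", "jsmith-2024-secret", "correct-Horse7battery"]:
        print(candidate, "->", advise(candidate, username="jsmith") or "no weakness detected")
```

Stripping digits and punctuation before the dictionary lookup is what catches the common "append a digit to a known word" habit; the entropy estimate is deliberately an upper bound, so it only ever rejects, never certifies, a password.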
