CISSP Practice (read in full)

229. Which one of the following items is a more reliable authentication device than the others?

a. Fixed callback system

b. Variable callback system

c. Fixed and variable callback system

d. Smart card system

229. d. Authentication provides assurance about the identity of a subject or object; for example, that a particular user is who he claims to be. A smart card system uses cryptographic smart tokens that offer great flexibility and can address many authentication problems, such as forgery and masquerading. A smart token typically also requires the user to provide something the user knows (a PIN or password), which is a stronger control than the smart token alone. Smart cards do not need a callback because the one-time codes a smart token produces change frequently and cannot be replayed.

Callback systems are used to authenticate a person. A fixed callback system calls back to a known telephone number associated with a known place. However, the person who answers may not be the claimed user, so masquerading remains a problem. The scheme is not only insecure but also inflexible, because it is tied to a specific place and does not work for a caller who moves around. A variable callback system is more flexible than the fixed one but requires greater maintenance of the variable telephone numbers and locations, and those numbers can be recorded or decoded by an attacker.
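The "something you have plus something you know" pairing and the non-replayable codes described above, as an added example that is not from CISSP Practice: the token emits one-time codes per RFC 4226 (HOTP), the verifier also demands a PIN, and it remembers the last accepted counter so a captured code is dead once used. The secret, PIN and look-ahead window are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Added example (not from CISSP Practice): a smart token emitting HOTP codes
# (RFC 4226), paired with a PIN the user knows. Secret, PIN and counter
# policy below are constructed for the demo.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = ((digest[offset] & 0x7F) << 24
              | digest[offset + 1] << 16
              | digest[offset + 2] << 8
              | digest[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class SmartToken:
    """Something the user has: each press yields a fresh code and advances the counter."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class Verifier:
    """Something the user knows plus something the user has.

    Keeps the last accepted counter, so a code that was already used (or any
    earlier one) is rejected even if an eavesdropper captured it."""

    LOOK_AHEAD = 5  # tolerate a few token presses that never reached the server

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        # Demo simplification: a real deployment would store the PIN with a slow,
        # salted KDF or verify it on the card itself.
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._last_counter = -1

    def verify(self, pin: str, code: str) -> bool:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return False
        start = self._last_counter + 1
        for counter in range(start, start + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(self._secret, counter), code):
                self._last_counter = counter  # consume it: this and older codes now fail
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"  # the RFC 4226 test-vector secret
    token = SmartToken(secret)
    server = Verifier(secret, pin="4931")
    first = token.press()
    return {
        "pin_plus_code": server.verify("4931", first),       # True
        "replay": server.verify("4931", first),              # False: counter consumed
        "wrong_pin": server.verify("0000", token.press()),   # False: PIN required
        "next_code": server.verify("4931", token.press()),   # True: newer counter
    }


if __name__ == "__main__":
    print(demo())
```

The replay check is the part that makes a callback unnecessary: the verifier never accepts a counter at or below the last one it consumed, so knowing a previous code gives an attacker nothing.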

230. Which of the following is an example of a drawback of smart cards?

a. A means of access control

b. A means of storing user data

c. A means of gaining unauthorized access

d. A means of access control and data storage

230. c. Because valuable data is stored on a smart card, the card is useless to its owner if lost, damaged, or forgotten, and in the absence of other strong controls an unauthorized person who obtains it can gain access to a computer system. A smart card is a credit card-sized device containing one or more integrated circuit chips that perform the functions of a microprocessor, memory, and an input/output interface.

Smart cards can be used (i) as a means of access control, (ii) as a medium for storing and carrying the appropriate data, or (iii) as a combination of (i) and (ii).

231. Which of the following is the simplest and most basic login control?

a. Validating username and password

b. Monitoring unsuccessful logins

c. Sending alerts to the system operators

d. Disabling accounts when a break-in occurs

231. a. Login controls specify the conditions users must meet to gain access to a computer system. In the simplest and most basic case, access is permitted only when both a valid username and the matching password are provided. More complex systems grant or deny access based on the type of login: local, dial-up, remote, network, batch, or subprocess. The security system can also restrict access by terminal or remote computer, so that access is granted only when the user or program is located at a designated terminal or remote system, and by the time of day and the day of the week. As a further precaution, the more sophisticated systems monitor unsuccessful logins, send messages or alerts to the system operator, and disable accounts when a break-in is detected.
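The layered login controls listed above, as an added example that is not from CISSP Practice: the basic username/password check first, then the login-type, terminal and time-of-day restrictions, then failure monitoring with operator alerts and automatic account disabling. The account, terminals, time windows and failure threshold are constructed for the demo.

```python
import hashlib
import hmac
import os
from datetime import datetime

# Added example (not from CISSP Practice): a login-control layer. The accounts,
# terminal names, time windows and lockout threshold are constructed for the demo.

MAX_FAILURES = 3
PBKDF2_ITERATIONS = 50_000  # kept low for the demo; tune upward in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, username, password, login_types, terminals, days, hours):
        self.username = username
        self.salt = os.urandom(16)
        self.password_hash = hash_password(password, self.salt)
        self.login_types = set(login_types)  # e.g. {"local", "network"}
        self.terminals = set(terminals)      # designated terminals / remote hosts
        self.days = set(days)                # 0 = Monday ... 6 = Sunday
        self.hours = hours                   # (first, last) permitted hour, inclusive
        self.failures = 0
        self.disabled = False


class LoginController:
    def __init__(self):
        self.accounts = {}
        self.alerts = []  # messages destined for the system operator, not the caller

    def add(self, account: Account) -> None:
        self.accounts[account.username] = account

    def login(self, username, password, login_type, terminal, when: datetime) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            self.alerts.append(f"unknown user {username!r} from {terminal}")
            return False
        if acct.disabled:
            self.alerts.append(f"{username}: attempt on disabled account from {terminal}")
            return False
        # 1. Simplest control: a valid username and the matching password.
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            return self._fail(acct, "bad password")
        # 2. Restrictions by login type, terminal, day of week and time of day.
        if login_type not in acct.login_types:
            return self._fail(acct, f"login type {login_type} not permitted")
        if terminal not in acct.terminals:
            return self._fail(acct, f"terminal {terminal} not designated")
        first, last = acct.hours
        if when.weekday() not in acct.days or not first <= when.hour <= last:
            return self._fail(acct, "outside permitted time window")
        acct.failures = 0
        return True

    def _fail(self, acct: Account, reason: str) -> bool:
        # 3. Monitor failures, alert the operator, disable after repeated failures.
        acct.failures += 1
        self.alerts.append(f"{acct.username}: failed login ({reason}), attempt {acct.failures}")
        if acct.failures >= MAX_FAILURES:
            acct.disabled = True
            self.alerts.append(f"{acct.username}: account disabled after {acct.failures} failures")
        return False


def demo():
    ctl = LoginController()
    ctl.add(Account("alice", "correct horse", ["local", "network"],
                    ["tty1", "ws-07"], days=range(0, 5), hours=(8, 18)))
    monday_10 = datetime(2024, 1, 8, 10, 0)  # a Monday, in hours
    sunday_10 = datetime(2024, 1, 7, 10, 0)  # a Sunday
    results = {
        "ok": ctl.login("alice", "correct horse", "network", "ws-07", monday_10),
        "wrong_day": ctl.login("alice", "correct horse", "network", "ws-07", sunday_10),
        "bad_pw": [ctl.login("alice", "nope", "local", "tty1", monday_10) for _ in range(2)],
        "after_lockout": ctl.login("alice", "correct horse", "local", "tty1", monday_10),
    }
    return results, ctl.alerts


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Note that `login` returns only a boolean to the caller; the reason for each denial goes to the operator alert log, so a remote user cannot tell a wrong password from an unknown username or a time-window denial.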

232. There are trade-offs among controls. A security policy would be most useful in which of the following areas?

1. System-generated passwords versus user-generated passwords

2. Access versus confidentiality

3. Technical controls versus procedural controls

4. Manual controls versus automated controls

a. 1 and 2

b. 3 and 4

c. 2 and 3

d. 2 and 4

232. c. A security policy is the framework within which an organization establishes needed levels of information security to achieve the desired confidentiality goals. A policy is a statement of information values, protection responsibilities, and organizational commitment for a computer system. It is a set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

There are trade-offs among controls such as technical controls and procedural controls. If technical controls are not available, procedural controls might be used until a technical solution is found. Nevertheless, technical controls are useless without procedural controls and a robust security policy.
