Reading CISSP Practice in full

235. a. Packet replay is one of the most common security threats to network systems, similar to impersonation and eavesdropping in terms of damage but dissimilar in terms of function. Packet replay refers to the recording and retransmission of message packets in the network. It is a significant threat for programs that require authentication sequences, because an intruder could replay legitimate authentication sequence messages to gain access to a system. Packet replay is frequently undetectable but can be prevented by using packet timestamping and packet-sequence counting.

Forgery is incorrect because it is one of the ways an impersonation attack is achieved. Forgery is attempting to guess or otherwise fabricate the evidence that the impersonator knows or possesses.

Relay is incorrect because it is one of the ways an impersonation attack is achieved. Relay is where one can eavesdrop upon another’s authentication exchange and learn enough to impersonate a user.

Interception is incorrect because it is one of the ways an impersonation attack is achieved. Interception is where one can slip in between the communications and “hijack” the communications channel.
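The two replay defences named in the answer, a freshness window on a packet timestamp and a strictly increasing per-sender sequence counter, as an added example that is not part of the book's text. The shared key, the skew window, the packet layout and the sample packets are all constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed example: a receiver that rejects replayed authentication packets.
# The MAC covers the sender, sequence number and timestamp, so a captured
# packet cannot simply have those fields rewritten to look fresh.

SHARED_KEY = b"constructed-demo-key"   # assumption: pre-shared key, illustration only
MAX_SKEW_SECONDS = 30                  # assumption: tolerated sender/receiver clock skew


@dataclass(frozen=True)
class Packet:
    sender: str
    seq: int
    timestamp: int
    payload: bytes
    tag: bytes


def _auth_input(sender: str, seq: int, timestamp: int, payload: bytes) -> bytes:
    return f"{sender}|{seq}|{timestamp}|".encode() + payload


def make_packet(sender: str, seq: int, timestamp: int, payload: bytes,
                key: bytes = SHARED_KEY) -> Packet:
    tag = hmac.new(key, _auth_input(sender, seq, timestamp, payload), hashlib.sha256).digest()
    return Packet(sender, seq, timestamp, payload, tag)


class ReplayGuard:
    def __init__(self, key: bytes = SHARED_KEY, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.last_seq: dict[str, int] = {}   # highest sequence number accepted per sender

    def accept(self, pkt: Packet, now: int) -> str:
        # 1. Integrity first: a forged seq/timestamp must not pass the later checks.
        expected = hmac.new(self.key, _auth_input(pkt.sender, pkt.seq, pkt.timestamp,
                                                  pkt.payload), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pkt.tag):
            return "reject: bad tag"
        # 2. Timestamp freshness catches replays outside the skew window.
        if abs(now - pkt.timestamp) > self.max_skew:
            return "reject: stale timestamp"
        # 3. Sequence counting catches replays that still fall inside the window.
        if pkt.seq <= self.last_seq.get(pkt.sender, -1):
            return "reject: replayed sequence"
        self.last_seq[pkt.sender] = pkt.seq
        return "accept"
```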

236. Which of the following security features is not supported by the principle of least privilege?

a. All or nothing privileges

b. The granularity of privilege

c. The time bounding of privilege

d. Privilege inheritance

236. a. The purpose of a privilege mechanism is to provide a means of granting specific users or processes the ability to perform security-relevant actions for a limited time and under a restrictive set of conditions, while still permitting tasks properly authorized by the system administrator. This is the underlying theme behind the security principle of least privilege. It does not imply an “all or nothing” privilege.

The granularity of privilege is incorrect because it is one of the security features supported by the principle of least privilege. A privilege mechanism that supports granularity of privilege can enable a process to override only those security-relevant functions needed to perform the task. For example, a backup program needs to override only read restrictions, not the write or execute restriction on files.

The time bounding of privilege is incorrect because it is one of the security features supported by the principle of least privilege. The time bounding of privilege is related in that privileges required by an application or a process can be enabled and disabled as the application or process needs them.

Privilege inheritance is incorrect because it is one of the security features supported by the principle of least privilege. Privilege inheritance enables a process image to request that all, some, or none of its privileges get passed on to the next process image. For example, application programs that execute other utility programs need not pass on any privileges if the utility program does not require them.

237. Authentication is a protection against fraudulent transactions. The authentication process does not assume which of the following?

a. Validity of message location being sent

b. Validity of the workstations that sent the message

c. Integrity of the message that is transmitted

d. Validity of the message originator

237. c. Authentication assures that the data received comes from the supposed origin. It is not extended to include the integrity of the data or messages transmitted. However, authentication is a protection against fraudulent transactions by establishing the validity of messages sent, validity of the workstations that sent the message, and the validity of the message originators. Invalid messages can come from a valid origin, and authentication cannot prevent it.

238. Passwords are used as a basic mechanism to identify and authenticate a system user. Which of the following password-related factors cannot be tested with automated vulnerability testing tools?

a. Password length

b. Password lifetime

c. Password secrecy

d. Password storage

238. c. No automated vulnerability-testing tool can ensure that system users have not disclosed their passwords; thus secrecy cannot be guaranteed.

Password length can be tested to ensure that short passwords are not selected. Password lifetime can be tested to ensure that they have a limited lifetime. Passwords should be changed regularly or whenever they may have been compromised. Password storage can be tested to ensure that they are protected to prevent disclosure or unauthorized modification.
