Читаем CISSP Practice полностью

239. Use of login IDs and passwords is the most commonly used mechanism for which of the following?

a. Providing dynamic verification of a user

b. Providing static verification of a user

c. Providing a strong user authentication

d. Batch and online computer systems alike

239. b. By definition, a static verification takes place only once at the start of each login session. Passwords may or may not be reusable.

Dynamic verification of a user takes place when a person types on a keyboard and leaves an electronic signature in the form of keystroke latencies in the elapsed time between keystrokes. For well-known, regular type strings, this signature can be quite consistent. Here is how a dynamic verification mechanism works: When a person wants to access a computer resource, he is required to identify himself by typing his name. The latency vector of the keystrokes of this name is compared with the reference signature stored in the computer. If this claimant’s latency vector and the reference signature are statistically similar, the user is granted access to the system. The user is asked to type his name a number of times to provide a vector of mean latencies to be used as a reference. This can be viewed as an electronic signature of the user.

Passwords do not provide a strong user authentication. If they did, there would not be a hacker problem today. Passwords provide the weakest user authentication due to their sharing and guessable nature. Only online systems require a user ID and password from a user due to their interactive nature. Only batch jobs and files require a user ID and password when submitting a job or modifying a file. Batch systems are not interactive.

240. Which of the following password selection procedures would be the most difficult to remember?

a. Reverse or rearrange the characters in the user’s birthday

b. Reverse or rearrange the characters in the user’s annual salary

c. Reverse or rearrange the characters in the user’s spouse’s name

d. Use randomly generated characters

240. d. Password selection is a difficult task to balance between password effectiveness and its remembrance by the user. The selected password should be simple to remember for oneself and difficult for others to know. It is no advantage to have a scientifically generated password if the user cannot remember it. Using randomly generated characters as a password is not only difficult to remember but also easy to publicize. Users will be tempted to write them down in a conspicuous place if the password is difficult to remember.

The approaches in the other three choices would be relatively easy to remember due to the user familiarity with the password origin. A simple procedure is to use well-known personal information that is rearranged.

241. How does a role-based access control mechanism work?

a. Based on job enlargement concept

b. Based on job duties concept

c. Based on job enrichment concept

d. Based on job rotation concept

241. b. Users take on assigned roles such as doctor, nurse, teller, and manager. With role-based access control mechanism, access decisions are based on the roles that individual users have as part of an organization, that is, job duties. Job enlargement means adding width to a job; job enrichment means adding depth to a job; and job rotation makes a person well rounded.

242. What do the countermeasures against a rainbow attack resulting from a password cracking threat include?

a. One-time password and one-way hash

b. Keyspace and passphrase

c. Salting and stretching

d. Entropy and user account lockout

242. c. Salting is the inclusion of a random value in the password hashing process that greatly decreases the likelihood of identical passwords returning the same hash. If two users choose the same password, salting can make it highly unlikely that their hashes are the same. Larger salts effectively make the use of rainbow tables infeasible. Stretching involves hashing each password and its salt thousands of times. This makes the creation of the rainbow tables correspondingly more time-consuming, while having little effect on the amount of effort needed by the organization’s systems to verify password authentication attempts.

Keyspace is the large number of possible key values (keys) created by the encryption algorithm to use when transforming the message. Passphrase is a sequence of characters transformed by a password system into a virtual password. Entropy is a measure of the amount of uncertainty that an attacker faces to determine the value of a secret.