Reading CISSP Practice in full

260. Intrusion detection refers to the process of identifying attempts to penetrate a computer system and gain unauthorized access. Which of the following assists in intrusion detection?

a. Audit records

b. Access control lists

c. Security clearances

d. Host-based authentication

260. a. If audit records showing trails have been designed and implemented to record appropriate information, they can assist in intrusion detection. Usually, audit records contain pertinent data (e.g., date, time, status of an action, user IDs, and event ID), which can help in intrusion detection.

Access control lists refer to a register of users who have been given permission to use a particular system resource and the types of access they have been permitted. Security clearances are associated with a subject (e.g., person and program) to access an object (e.g., files, libraries, directories, and devices). Host-based authentication grants access based upon the identity of the host originating the request, instead of the identity of the user making the request. The other three choices have no facilities to record access activity and therefore cannot assist in intrusion detection.

261. Which of the following is the technique used in anomaly detection in intrusion detection systems where user and system behaviors are expressed in terms of counts?

a. Parametric statistics

b. Threshold detection measures

c. Rule-based measures

d. Nonparametric statistics

261. b. Anomaly detectors identify abnormal, unusual behavior (anomalies) on a host or network. In threshold detection measures, certain attributes of user and system behavior are expressed in terms of counts, with some level established as permissible. Such behavior attributes can include the number of files accessed by a user in a given period of time.

Statistical measures include parametric and nonparametric. In parametric measures the distribution of the profiled attributes is assumed to fit a particular pattern. In the nonparametric measures the distribution of the profiled attributes is “learned” from a set of historical data values, observed over time.

Rule-based measures are similar to nonparametric statistical measures in that observed data defines acceptable usage patterns, but differ in that those patterns are specified as rules, not numeric quantities.

262. Which of the following is best to replace the use of personal identification numbers (PINs) in the world of automated teller machines (ATMs)?

a. Iris-detection technology

b. Voice technology

c. Hand technology

d. Fingerprint technology

262. a. An ATM customer can stand within three feet of a camera that automatically locates and scans the iris in the eye. The scanned bar code is then compared against previously stored code in the bank’s file. Iris-detection technology is far superior for accuracy compared to the accuracy of voice, face, hand, and fingerprint identification systems. Iris technology does not require a PIN.

263. Which of the following is true about biometrics?

a. Least expensive and least secure

b. Most expensive and least secure

c. Most expensive and most secure

d. Least expensive and most secure

263. c. Biometrics tends to be the most expensive and most secure. In general, passwords are the least expensive authentication technique and generally the least secure. Memory tokens are less expensive than smart tokens but have less functionality. Smart tokens with a human interface do not require reading equipment but are more convenient to use.

264. Which of the following is preferable for environments at high risk of identity spoofing?

a. Digital signature

b. One-time passwords

c. Digital certificate

d. Mutual authentication

264. d. If a one-way method is used to authenticate the initiator (typically a road warrior) to the responder (typically an IPsec gateway), a digital signature is used to authenticate the responder to the initiator. One-way authentication, such as one-time passwords or digital certificates on tokens, is well suited for road warrior usage, whereas mutual authentication is preferable for environments at high risk of identity spoofing, such as wireless networks.

265. Which of the following is not a substitute for logging out of the information system?
