Reading CISSP Practice in full

271. Out-of-band attacks against electronic authentication protocols include which of the following?

1. Password guessing attack

2. Replay attack

3. Verifier impersonation attack

4. Man-in-the-middle attack

a. 1 only

b. 3 only

c. 1 and 2

d. 3 and 4

271. d. In an out-of-band attack, the attack is against an authentication protocol run in which the attacker assumes the role of a subscriber with a genuine verifier or relying party. The attacker obtains secret and sensitive information, such as passwords, account numbers, and amounts, as the subscriber manually enters them into a one-time password device or into a confirmation code sent to the verifier or relying party.

In an out-of-band attack, the attacker alters the authentication protocol channel through session hijacking, verifier impersonation, or man-in-the-middle (MitM) attacks. In a verifier impersonation attack, the attacker impersonates the verifier and induces the claimant to reveal his secret token. The MitM attack is an attack on the authentication protocol run in which the attacker positions himself in between the claimant and verifier so that he can intercept and alter data traveling between them.

In a password guessing attack, an impostor attempts to guess a password in repeated logon trials and succeeds when he can log onto the system. In a replay attack, an attacker records and replays some part of a previous good protocol run to the verifier. Both password guessing and replay attacks are examples of in-band attacks. In an in-band attack, the attack is against an authentication protocol where the attacker assumes the role of a claimant with a genuine verifier or actively alters the authentication channel. The goal of the attack is to gain authenticated access or to learn authentication secrets.

272. Which of the following information security control families requires a cross-cutting approach?

a. Access control

b. Audit and accountability

c. Awareness and training

d. Configuration management

272. a. Access control requires a cross-cutting approach because it is related to the access control, incident response, audit and accountability, and configuration management control families (areas). Cross-cutting means that a control in one area affects the controls in other, related areas. The other three choices require a control-specific approach.

273. Confidentiality controls include which of the following?

a. Cryptography

b. Passwords

c. Tokens

d. Biometrics

273. a. Cryptography, which is a technical control, ensures the confidentiality goal. The other three choices are part of user identification and authentication controls, which are also technical controls.

274. Which of the following is not an example of authorization and access controls?

a. Logical access controls

b. Role-based access controls

c. Reconstruction of transactions

d. System privileges

274. c. Reconstruction of transactions is part of audit trail mechanisms. The other three choices are part of authorization and access controls.

275. Which of the following is not an example of access control policy?

a. Performance-based policy

b. Identity-based policy

c. Role-based policy

d. Rule-based policy

275. a. A performance-based policy is used to evaluate an employee's performance annually or at other times. The other three choices are examples of access control policies, which control access between users and objects in the information system.

276. From security and safety viewpoints, which of the following does not support the static separation-of-duty constraints?

a. Mutually exclusive roles

b. Reduced chances of collusion

c. Conflict-of-interest in tasks

d. Implicit constraints

276. d. It is difficult to meet security and safety requirements with flexible access control policies expressed through implicit constraints, such as role-based access control (RBAC) and rule-based access control (RuBAC). Static separation-of-duty constraints require that the two roles held by an individual be mutually exclusive, that the constraints reduce the chances of collusion, and that the constraints minimize conflicts of interest in the assignment of tasks to employees.

277. Which of the following pairs are compatible with each other in performing similar functions in information security?

a. SSO and RSO

b. DES and DNS

c. ARP and PPP

d. SLIP and SKIP
