Reading CISSP Practice in full

277. a. A single sign-on (SSO) technology allows a user to authenticate once and then access all the resources the user is authorized to use. A reduced sign-on (RSO) technology allows a user to authenticate once and then access many, but not all, of the resources the user is authorized to use. Hence, SSO and RSO perform similar functions.

The other three choices do not perform similar functions. Data encryption standard (DES) is a symmetric cipher encryption algorithm. Domain name system (DNS) provides an Internet translation service that resolves domain names to Internet Protocol (IP) addresses and vice versa. Address resolution protocol (ARP) is used to obtain a node's physical address. Point-to-point protocol (PPP) is a data-link framing protocol used to frame data packets on point-to-point lines. Serial line Internet protocol (SLIP) carries Internet Protocol (IP) over an asynchronous serial communication line; PPP replaced SLIP. Simple key management for Internet protocol (SKIP) is designed to work with IPsec, operates at the network layer of the TCP/IP protocol stack, and works very well with sessionless datagram protocols.

278. How is identification different from authentication?

a. Identification comes after authentication.

b. Identification requires a password, and authentication requires a user ID.

c. Identification and authentication are the same.

d. Identification comes before authentication.

278. d. Identification is the process used to recognize an entity such as a user, program, process, or device. It is performed first, and authentication is done next. Identification and authentication are not the same. Identification requires a user ID, and authentication requires a password.

279. Accountability is not related to which of the following information security objectives?

a. Identification

b. Availability

c. Authentication

d. Auditing

279. b. Accountability is typically accomplished by identifying and authenticating system users and subsequently tracing their actions through audit trails (i.e., auditing).

280. Which of the following statements is true about mandatory access control?

a. It does not use sensitivity levels.

b. It uses tags.

c. It does not use security labels.

d. It reduces system performance.

280. d. Mandatory access control is expensive and causes system overhead, resulting in reduced system performance of the database. Mandatory access control uses sensitivity levels and security labels. Discretionary access controls use tags.

281. What control is referred to when an auditor reviews access controls and logs?

a. Directive control

b. Preventive control

c. Corrective control

d. Detective control

281. d. The purpose of auditors reviewing access controls and logs is to find out whether employees follow security policies and access rules, and to detect any violations and anomalies. The audit report helps management to improve access controls.

282. Logical access controls are a technical means of implementing security policy decisions. They require balancing often-competing interests. Which of the following trade-offs should receive the highest interest?

a. User-friendliness

b. Security principles

c. Operational requirements

d. Technical constraints

282. a. A management official responsible for a particular application system, subsystem, or group of systems develops the security policy. The development of an access control policy may not be an easy endeavor. User-friendliness should receive the highest interest because the system is designed for users, and the system usage is determined by whether the system is user-friendly. The other three choices have a competing interest in a security policy, but they are not as important as the user-friendliness issue. An example of a security principle is “least privilege.”

283. Which of the following types of passwords is counterproductive?

a. System-generated passwords

b. Encrypted passwords

c. Nonreusable passwords

d. Time-based passwords

283. a. A password-generating program can produce passwords in a random fashion, rather than relying on user-selected ones. System-generated passwords are usually hard to remember, forcing users to write them down. This defeats the whole purpose of stronger passwords.
