Читаем CISSP Practice полностью

287. c. Anomaly detection approaches often require extensive training sets of system event records to characterize normal behavior patterns. Skill sets are also important for the IT security analyst. Tool sets and data sets are not relevant here because the tool sets may contain software or hardware, and the data sets may contain data files and databases.

288. What is a marking assigned to a computing resource called?

a. Security tag

b. Security label

c. Security level

d. Security attribute

288. b. A security label is a marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. A security tag is an information unit containing a representation of certain security-related information (e.g., a restrictive attribute bitmap).

A security level is a hierarchical indicator of the degree of sensitivity to a certain threat. It implies, according to the security policy enforced, a specific level of protection. A security attribute is a security-related quality of an object. Security attributes may be represented as hierarchical levels, bits in a bitmap, or numbers. Compartments, caveats, and release markings are examples of security attributes.

289. Which of the following is most risky?

a. Permanent access

b. Guest access

c. Temporary access

d. Contractor access

289. c. The greatest problem with temporary access is that once temporary access is given to an employee, it is not reverted back to the previous status after the project has been completed. This can be due to forgetfulness on both sides of employee and employer or the lack of a formal system for change notification. There can be a formal system of change notification for permanent access, and guest or contractor accesses are removed after the project has been completed.

290. Which of the following deals with access control by group?

a. Discretionary access control

b. Mandatory access control

c. Access control list

d. Logical access control

290. a. Discretionary access controls deal with the concept of control objectives, or control over individual aspects of an enterprise’s processes or resources. They are based on the identity of the users and of the objects they want to access. Discretionary access controls are implemented by one user or the network/system administrator to specify what levels of access other users are allowed to have.

Mandatory access controls are implemented based on the user’s security clearance or trust level and the particular sensitivity designation of each file. The owner of a file or object has no discretion as to who can access it.

An access control list is based on which user can access what objects. Logical access controls are based on a user-supplied identification number or code and password. Discretionary access control is by group association whereas mandatory access control is by sensitivity level.

291. Which of the following provides a finer level of granularity (i.e., more restrictive security) in the access control process?

a. Mandatory access control

b. Discretionary access control

c. Access control list

d. Logical access control

291. b. Discretionary access control offers a finer level of granularity in the access control process. Mandatory access controls can provide access to broad categories of information, whereas discretionary access controls can be used to fine-tune those broad controls, override mandatory restrictions as needed, and accommodate special circumstances.

292. For identity management, which of the following is supporting the determination of an authentic identity?

1. X.509 authentication framework

2. Internet Engineering Task Force’s PKI

3. Secure DNS initiatives

4. Simple public key infrastructure

a. 1 only

b. 2 only

c. 3 only

d. 1, 2, 3, and 4

292. d. Several infrastructures are devoted to providing identities and the means of authenticating those identities. Examples of these infrastructures include the X.509 authentication framework, the Internet Engineering Task Force’s PKI (IETF’s PKI), the secure domain name system (DNS) initiatives, and the simple public key infrastructure (SPKI).

293. Which one of the following methodologies or techniques provides the most effective strategy for limiting access to individual sensitive files?

a. Access control list and both discretionary and mandatory access control

b. Mandatory access control and access control list