Reading CISSP Practice in full

d. It can cause passwords to become unsynchronized.

21. a. All four choices are problems with a password synchronization solution. Because the same password is used for many resources, the compromise of any one instance of the password compromises all the instances, so it becomes a single point-of-failure. Password synchronization forces the use of the lowest-common-denominator approach to password strength, resulting in weaker passwords due to character and length constraints. Passwords can become unsynchronized when a user changes a resource password directly with that resource instead of going through the password synchronization user interface. A password could also be changed due to a resource failure that requires restoration of a backup.

22. RuBAC is rule-based access control; RAdAC is risk adaptive access control; UDAC is user-directed access control; MAC is mandatory access control; ABAC is attribute-based access control; RBAC is role-based access control; IBAC is identity-based access control; and PBAC is policy-based access control. From an access control viewpoint, separation of domains is achieved through which of the following?

a. RuBAC or RAdAC

b. UDAC or MAC

c. ABAC or RBAC

d. IBAC or PBAC

22. c. Access control policy may benefit from separating Web services into various domains or compartments. This separation can be implemented in ABAC using resource attributes or through additional roles defined in RBAC. The other three choices cannot handle separation of domains.
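To make the answer to question 22 concrete, the following is an added example (not from the book): a minimal decision function for each model, showing domain separation enforced by a resource/subject domain attribute in ABAC and by additional domain-scoped roles in RBAC. The domain names, attribute names and role names are assumptions.

```python
from dataclasses import dataclass

# Constructed example: two Web-service domains ("finance" and "hr") that the
# access control policy must keep separate. Attribute and role names are assumptions.

@dataclass(frozen=True)
class Subject:
    name: str
    domain: str            # ABAC attribute: the domain the subject belongs to
    roles: frozenset       # RBAC roles granted to the subject

@dataclass(frozen=True)
class Resource:
    name: str
    domain: str            # ABAC attribute: the compartment the resource lives in

def abac_permit(subject: Subject, resource: Resource, action: str) -> bool:
    """ABAC rule: a subject may act on a resource only inside its own domain.
    Separation comes from comparing the domain attribute on both sides."""
    return subject.domain == resource.domain and action in {"read", "write"}

# RBAC: separation is achieved with additional, domain-scoped roles. Each
# permission is a (resource domain, action) pair.
ROLE_PERMISSIONS = {
    "finance-reader": {("finance", "read")},
    "finance-writer": {("finance", "read"), ("finance", "write")},
    "hr-reader":      {("hr", "read")},
}

def rbac_permit(subject: Subject, resource: Resource, action: str) -> bool:
    """RBAC rule: permit if any of the subject's roles carries the permission."""
    return any((resource.domain, action) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)

def decisions(subject: Subject, resources, action: str = "read") -> dict:
    """Return {resource name: (abac, rbac)} so both models can be compared."""
    return {r.name: (abac_permit(subject, r, action), rbac_permit(subject, r, action))
            for r in resources}

if __name__ == "__main__":
    alice = Subject("alice", "finance", frozenset({"finance-reader"}))
    ledger = Resource("ledger", "finance")
    payroll = Resource("payroll", "hr")
    for name, (abac, rbac) in decisions(alice, [ledger, payroll]).items():
        print(f"{name}: ABAC={abac} RBAC={rbac}")
```

In both models a finance subject is denied the hr resource; the difference is where the separation is expressed (an attribute comparison versus an extra role per domain).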

23. Regarding local administrator password selection, which of the following can become a single point-of-failure?

a. Using the same local root account password across systems

b. Using built-in root accounts

c. Storing local passwords on the local system

d. Authenticating local passwords on the local system

23. a. Having a common password shared among all local administrator or root accounts on all machines within a network simplifies system maintenance, but it is a widespread security weakness and becomes a single point-of-failure. If a single machine is compromised, an attacker may recover the password and use it to gain access to all other machines that use the shared password. Therefore, it is good practice to avoid using the same local administrator or root account password across many systems. The other three choices, although risky in their own way, do not yield a single point-of-failure.

24. In electronic authentication, which of the following statements is not true about a multistage token scheme?

a. An additional token is used for electronic transaction receipt.

b. Multistage scheme assurance is higher than the multitoken scheme assurance using the same set of tokens.

c. An additional token is used as a confirmation mechanism.

d. Two tokens are used in two stages to raise the assurance level.

24. b. In a multistage token scheme, two tokens are used in two stages, and additional tokens are used for transaction receipt and confirmation mechanism to achieve the required assurance level. The level of assurance of the combination of the two stages can be no higher than that possible through a multitoken authentication scheme using the same set of tokens.

25. Online guessing is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the online guessing threat?

a. Use tokens that generate high entropy authenticators.

b. Use hardware cryptographic tokens.

c. Use tokens with dynamic authenticators.

d. Use multifactor tokens.

25. a. Entropy is the uncertainty of a random variable. Tokens that generate high entropy authenticators prevent online guessing of secret tokens registered to a legitimate claimant and offline cracking of tokens. The other three choices cannot prevent online guessing of tokens or passwords.

26. Token duplication is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the token duplication threat?
