Read CISSP Practice in full

c. Discretionary access control and access control list

d. Physical access control to hardware and access control list with discretionary access control

293. a. The best control for protecting sensitive files is using mandatory access controls supplemented by discretionary access controls and implemented through the use of an access control list. A complementary mandatory access control mechanism can prevent the Trojan horse attack that can be allowed by the discretionary access control. The mandatory access control prevents the system from giving sensitive information to any user who is not explicitly authorized to access a resource.

294. Which of the following security control mechanisms is simplest to administer?

a. Discretionary access control

b. Mandatory access control

c. Access control list

d. Logical access control

294. b. Mandatory access controls are the simplest to use because they can be used to grant broad access to large sets of files and to broad categories of information. Discretionary access controls are not simple to use due to their finer level of granularity in the access control process. Both the access control list and logical access control require a significant amount of administrative work because they are based on the details of each individual user.

295. Which of the following use data by row to represent the access control matrix?

a. Capabilities and profiles

b. Protection bits and access control list

c. Profiles and protection bits

d. Capabilities and access control list

295. a. Capabilities and profiles represent the access control matrix data by row, connecting each user to the objects that user may access. On the other hand, protection-bit-based systems and access control lists represent the data by column, connecting a list of users to an object.
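The row and column views described in the answer above, as an added example (not from the book): the same access control matrix is projected into per-subject capability lists (rows) and per-object ACLs (columns), and both views answer every access query identically. Subjects, objects and rights are constructed sample data.

```python
# Added example: one access control matrix, two equivalent views of it.
# Rows are subjects, columns are objects, cells are sets of rights.
# All names and rights below are constructed sample data.
from typing import Dict, Set

MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "memo.txt": {"read"}},
    "bob":   {"memo.txt": {"read", "write"}},
    "carol": {"payroll.db": {"read"}, "memo.txt": {"read"}},
}


def capability_lists(matrix):
    """Row view: for each subject, which objects it may touch and how.
    This is what a capability or profile stores (per user)."""
    return {subj: {obj: set(rights) for obj, rights in row.items() if rights}
            for subj, row in matrix.items()}


def access_control_lists(matrix):
    """Column view: for each object, which subjects are allowed and their rights.
    This is what an ACL or protection bits store (per object)."""
    acls: Dict[str, Dict[str, Set[str]]] = {}
    for subj, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls.setdefault(obj, {})[subj] = set(rights)
    return acls


def allowed_by_capability(caps, subject, obj, right):
    # Lookup keyed on the subject first: cheap "what can this user do?" queries.
    return right in caps.get(subject, {}).get(obj, set())


def allowed_by_acl(acls, subject, obj, right):
    # Lookup keyed on the object first: cheap "who can touch this file?" queries.
    return right in acls.get(obj, {}).get(subject, set())


def views_agree(matrix):
    """Both projections must grant exactly the same (subject, object, right) triples."""
    caps, acls = capability_lists(matrix), access_control_lists(matrix)
    objects = {o for row in matrix.values() for o in row}
    rights = {r for row in matrix.values() for rs in row.values() for r in rs}
    return all(allowed_by_capability(caps, s, o, r) == allowed_by_acl(acls, s, o, r)
               for s in matrix for o in objects for r in rights)
```

The practical difference is which question is cheap: revoking everything a departing user holds is one row operation in the capability view, while auditing who can reach a sensitive file is one column read in the ACL view.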

296. The process of identifying users and objects is important to which of the following?

a. Discretionary access control

b. Mandatory access control

c. Access control

d. Security control

296. a. Discretionary access control is a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. In a mandatory access control mechanism, the owner of a file or object has no discretion as to who can access it. Both security control and access control are too broad and vague to be meaningful here.

297. Which of the following is a hidden file?

a. Password aging file

b. Password validation file

c. Password reuse file

d. Shadow password file

297. d. The shadow password file is a hidden file that stores all users’ passwords and is readable only by the root user. The password validation file uses the shadow password file before allowing the user to log in. The password-aging file contains an expiration date, and the password reuse file prevents a user from reusing a previously used password. The files mentioned in the other three choices are not hidden.

298. From an access control point of view, which of the following are examples of task transactions and separation of conflicts-of-interests?

1. Role-based access control

2. Workflow policy

3. Rule-based access control

4. Chinese Wall policy

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

298. c. Workflow policy is a process that operates on rules and procedures. A workflow is specified as a set of tasks and a set of dependencies among the tasks, and the sequencing of these tasks is important (i.e., task transactions). The various tasks in a workflow are usually carried out by several users in accordance with organizational rules represented by the workflow policy. The Chinese Wall policy addresses conflict-of-interest issues, with the objective of preventing illicit flows of information that can result in conflicts of interest. The Chinese Wall policy is simple and easy to describe but difficult to implement. Both role- and rule-based access control can create conflict-of-interest situations because of incompatibility between employee roles and management rules.
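A minimal Chinese Wall read check, added here as an illustration (not from the book) using the Brewer-Nash formulation, which is an assumption about how to formalize the policy the answer describes: datasets belong to companies, companies are grouped into conflict-of-interest classes, and a subject who has read one company's data may not read a competitor's data in the same class. Company names, classes and the access history are constructed sample data; the write rule that blocks indirect flows through a third subject is omitted.

```python
# Added example: Brewer-Nash style Chinese Wall simple-security rule.
# Companies and conflict-of-interest (COI) classes are constructed sample data.
from typing import Dict, List, Set

COI_CLASS: Dict[str, str] = {      # company -> conflict-of-interest class
    "BankA": "banking", "BankB": "banking",
    "OilX": "oil", "OilY": "oil",
}


class ChineseWall:
    def __init__(self):
        # subject -> companies whose datasets the subject has already read
        self.history: Dict[str, Set[str]] = {}

    def may_read(self, subject: str, company: str) -> bool:
        """Allow if the subject has read nothing in this COI class yet, or the
        only company it has read in this class is the same one again."""
        seen = self.history.get(subject, set())
        same_class = {c for c in seen if COI_CLASS[c] == COI_CLASS[company]}
        return not same_class or same_class == {company}

    def read(self, subject: str, company: str) -> bool:
        """Enforce the rule and, on success, record the access: the wall is
        built dynamically from the subject's own history."""
        if not self.may_read(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


def demo() -> List[bool]:
    wall = ChineseWall()
    return [
        wall.read("analyst", "BankA"),   # first banking dataset: allowed
        wall.read("analyst", "OilX"),    # different COI class: allowed
        wall.read("analyst", "BankB"),   # competitor of BankA: blocked
        wall.read("analyst", "BankA"),   # same company again: allowed
    ]
```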

299. For identity management, which of the following qualifies as continuously authenticated?

a. Unique ID

b. Signed X.509 certificate

c. Password with access control list

d. Encryption
