Reading CISSP Practice in full

319. Which of the following is the correct sequence of actions in access control mechanisms?

a. Access profiles, authentication, authorization, and identification

b. Security rules, identification, authorization, and authentication

c. Identification, authentication, authorization, and accountability

d. Audit trails, authorization, accountability, and identification

319. c. Identification (the subject claims an identity) comes first; authentication verifies that claim; authorization, which decides what the verified subject may do, comes only after successful authentication; accountability comes last, where the subject's actions are recorded in audit trails.

320. The principle of least privilege is most closely linked to which of the following security objectives?

a. Confidentiality

b. Integrity

c. Availability

d. Nonrepudiation

320. b. The principle of least privilege is an authorization concept: each subject is granted only the access needed for its task and nothing more. By limiting what data and systems a subject can access and, above all, modify, the principle primarily protects the integrity of data and information systems.

321. Which of the following is a major vulnerability with Kerberos model?

a. User

b. Server

c. Client

d. Key-distribution-server

321. d. A major vulnerability of the Kerberos model is that the key distribution center stores the long-term secret key of every principal. If it is compromised, every secret key used on the network is compromised with it, and the attacker can decrypt or forge tickets for any service. The principals involved in the Kerberos model include the user, the client, the key-distribution center (KDC), the ticket-granting service (TGS), and the server providing the requested services.
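To make the single point of compromise concrete, the following is an added toy model of Kerberos-style ticket issuance; it is not code from the book and not the real protocol (the AS and TGS exchanges are collapsed into one reply, there is no TGT, no timestamps, no realm). The principal names and the XOR-keystream-plus-HMAC cipher are assumptions made for illustration only. The point it shows is that whoever holds a copy of the KDC key database can read and forge tickets for any client and any service without touching the KDC again.

```python
"""Toy Kerberos-style ticket issuance (added illustration, not the Kerberos protocol).
Cipher: XOR with a SHA-256 keystream plus HMAC-SHA256, encrypt-then-MAC. Illustration only."""
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under a symmetric key: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Holds the long-term secret key of every principal: the single point of compromise."""

    def __init__(self) -> None:
        self.db: dict = {}

    def register(self, principal: str) -> bytes:
        self.db[principal] = secrets.token_bytes(32)
        return self.db[principal]  # assumed to be shared with the principal out of band

    def issue_ticket(self, client: str, service: str) -> bytes:
        """Collapsed AS/TGS exchange: one session key, one service ticket, one reply."""
        session = secrets.token_bytes(32).hex()
        ticket = seal(self.db[service], {"client": client, "session": session})
        return seal(self.db[client], {"service": service, "session": session,
                                      "ticket": ticket.hex()})


def client_authenticate(client: str, client_key: bytes, reply: bytes):
    """Client opens the KDC reply with its own key and builds an authenticator."""
    msg = unseal(client_key, reply)
    session = bytes.fromhex(msg["session"])
    authenticator = seal(session, {"client": client})
    return bytes.fromhex(msg["ticket"]), authenticator


def service_verify(service_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    """Service opens the ticket with its own key and checks the authenticator matches."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["session"]), authenticator)
    except ValueError:
        return False
    return a["client"] == t["client"]


def attacker_reads_ticket(stolen_db: dict, ticket: bytes, service: str) -> dict:
    """With a copy of the KDC database, any ticket for any service is readable."""
    return unseal(stolen_db[service], ticket)


def attacker_forges_ticket(stolen_db: dict, client: str, service: str):
    """...and any ticket is forgeable, with no involvement of the KDC or the named client."""
    session = secrets.token_bytes(32).hex()
    ticket = seal(stolen_db[service], {"client": client, "session": session})
    authenticator = seal(bytes.fromhex(session), {"client": client})
    return ticket, authenticator
```

The honest path (register, issue_ticket, client_authenticate, service_verify) succeeds only with the right keys and fails on a flipped byte; the attacker path needs nothing but the stolen database, which is why the KDC host and its key store are the assets to protect first.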

322. For electronic authentication, identity proofing involves which of the following?

a. CSP

b. RA

c. CSP and RA

d. CA and CRL

322. c. Identity proofing is the process by which a credential service provider (CSP) and a registration authority (RA) validate sufficient information to uniquely identify a person. A certification authority (CA) is not involved in identity proofing. A CA is a trusted entity that issues and revokes public key certificates. A certificate revocation list (CRL) is not involved in identity proofing. A CRL is a list of revoked public key certificates created and digitally signed by a CA.

323. A lattice security model is an example of which of the following access control policies?

a. Discretionary access control (DAC)

b. Non-DAC

c. Mandatory access control (MAC)

d. Non-MAC

323. b. A lattice security model is based on a nondiscretionary access control (non-DAC) model: access decisions follow from security labels assigned by the organization, not from rules set by the object's owner. Mandatory access control is one form of non-DAC, so non-DAC is the broader answer. The lattice itself is a partially ordered set of security labels in which every pair of labels has a greatest lower bound (meet) and a least upper bound (join). Subjects (clearances) and objects (classifications) are assigned labels from the lattice, and access is decided by whether the subject's label dominates the object's label under that ordering.
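The lattice operations above in working form, as an added example that is not part of the book: labels are a (level, set of categories) pair ordered by dominance, join and meet are computed per pair, and the Bell-LaPadula read and write rules are used as the example policy. The level names and compartments are constructed sample data, not a standard.

```python
"""Lattice-based label comparison (added illustration, not code from the source).
Levels and categories below are constructed sample data."""
from dataclasses import dataclass
from functools import reduce
from typing import FrozenSet, Iterable

# Constructed sample hierarchy; a real deployment defines its own levels and compartments.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """Partial order: higher-or-equal level AND superset of categories.
        Two labels with different categories can be incomparable in both directions."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(max(a.level, b.level, key=LEVELS.__getitem__), a.categories | b.categories)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(min(a.level, b.level, key=LEVELS.__getitem__), a.categories & b.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only if the subject's clearance dominates the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: write only to objects that dominate the subject, so data never flows down."""
    return obj.dominates(subject)


def label_for_merged(sources: Iterable[Label]) -> Label:
    """An object assembled from several sources must carry the join of their labels."""
    return reduce(join, sources)
```

Note that neither the object's creator nor the subject appears in any decision: only the two labels do, which is what makes the model nondiscretionary. The join is what a mail gateway or document store should compute when it aggregates data from differently labelled sources.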

324. Which of the following is not a common type of electronic credential?

a. SAML assertions

b. X.509 public-key identity certificates

c. X.509 attribute certificates

d. Kerberos tickets

324. a. Electronic credentials are digital documents used in authentication that bind an identity or an attribute to a subscriber's token. Security Assertion Markup Language (SAML) is a specification for encoding security assertions in the Extensible Markup Language (XML). A SAML assertion is not a credential: it is a statement made by a verifier to a relying party about the identity of a claimant after authentication has already taken place, rather than something the claimant holds and presents to prove a binding to a token.

An X.509 public-key identity certificate is incorrect because a certificate binding an identity to a public key is a common type of electronic credential. An X.509 attribute certificate is incorrect because a certificate binding an identity or a public key to some attribute is a common type of electronic credential. Kerberos tickets are incorrect because an encrypted message binding the holder to some attribute or privilege is a common type of electronic credential.

325. Registration fraud in electronic authentication can be deterred by making it more difficult to accomplish or by increasing the likelihood of which of the following?

a. Direction

b. Prevention

c. Detection

d. Correction

325. c. Registration fraud can be deterred by making it more difficult to accomplish or by increasing the likelihood that it will be detected. The goal of both measures is to make impersonation of another person at registration more difficult.

326. Which one of the following access control policies treats users and owners as the same?

a. Discretionary access control (DAC)

b. Mandatory access control (MAC)

c. Role-based access control (RBAC)
