Читаем CISSP Practice полностью

1. Symbolic link (symlink) attacks do not exist on which of the operating systems?

a. UNIX

b. Windows

c. LINUX

d. MINIX

1. b. Symbolic links are links on UNIX, MINIX, and LINUX systems that point from one file to another file. A symlink vulnerability is exploited by making a symbolic link from a file to which an attacker does have access to a file to which the attacker does not have access. Symlinks do not exist on Windows systems, so symlink attacks cannot be performed against programs or files on those systems. MINIX is a variation of UNIX and is small in size. A major difference between MINIX and UNIX is the editor where the former is faster and the latter is slower.

2. Which one of the following is not an authentication mechanism?

a. What the user knows

b. What the user has

c. What the user can do

d. What the user is

2. c. “What the user can do” is defined in access rules or user profiles, which come after a successful authentication. The other three choices are part of an authentication process.

3. Which of the following provides strong authentication for centralized authentication servers when used with firewalls?

a. User IDs

b. Passwords

c. Tokens

d. Account numbers

3. c. For basic authentication, user IDs, passwords, and account numbers are used for internal authentication. Centralized authentication servers such as RADIUS and TACACS/TACACS+ can be integrated with token-based authentication to enhance firewall administration security.

4. Which of the following does not provide robust authentication?

a. Kerberos

b. Secure RPC

c. Reusable passwords

d. Digital certificates

4. c. Robust authentication means strong authentication that should be required for accessing internal computer systems. Robust authentication is provided by Kerberos, one-time passwords, challenge-response exchanges, digital certificates, and secure RPC. Reusable passwords provide weak authentication.

5. Which of the following authentication types is most effective?

a. Static authentication

b. Robust authentication

c. Intermittent authentication

d. Continuous authentication

5. d. Continuous authentication protects against impostors (active attacks) by applying a digital signature algorithm to every bit of data sent from the claimant to the verifier. Also, continuous authentication prevents session hijacking. Static authentication uses reusable passwords, which can be compromised by replay attacks. Robust authentication includes one-time passwords and digital signatures, which can be compromised by session hijacking. Intermittent authentication is not useful because of gaps in user verification.

6. What is the basis for a two-factor authentication mechanism?

a. Something you know and a password

b. Something you are and a fingerprint

c. Something you have and a key

d. Something you have and something you know

6. d. A two-factor authentication uses two different kinds of evidence. For example, a challenge-response token card typically requires both physical possession of the card (something you have, one factor) and a PIN (something you know, another factor). The other three choices have only one factor to authenticate.

7. Individual accountability does not include which of the following?

a. Unique identifiers

b. Access rules

c. Audit trails

d. Policies and procedures

7. d. A basic tenet of IT security is that individuals must be accountable for their actions. If this is not followed and enforced, it is not possible to successfully prosecute those who intentionally damage or disrupt systems or to train those whose actions have unintended adverse effects. The concept of individual accountability drives the need for many security safeguards, such as unique (user) identifiers, audit trails, and access authorization rules. Policies and procedures indicate what to accomplish and how to accomplish objectives. By themselves, they do not exact individual accountability.

8. Which of the following user identification and authentication techniques depend on reference profiles or templates?

a. Memory tokens

b. Smart tokens

c. Cryptography

d. Biometric systems