Reading CISSP Practice in full

8. d. Biometric systems require the creation and storage of profiles or templates of the individuals wanting system access. These include physiological attributes such as fingerprints, hand geometry, or retina patterns, or behavioral attributes such as voice patterns and hand-written signatures. Memory tokens and smart tokens involve the creation and distribution of tokens/PINs and of the data that tell the computer how to recognize valid tokens or PINs. Cryptography requires the generation, distribution, storage, entry, use, and archiving of cryptographic keys.

9. Some security authorities believe that re-authentication of every transaction provides stronger security procedures. Which of the following security mechanisms is least efficient and least effective for re-authentication?

a. Recurring passwords

b. Nonrecurring passwords

c. Memory tokens

d. Smart tokens

9. a. Recurring passwords are static passwords that are reused and are considered a relatively weak security mechanism. Users tend to choose easily guessed passwords. Other weaknesses include spoofing of users, theft of passwords by observing keystrokes, and password sharing among users. Unauthorized use of passwords by outsiders (hackers) or insiders is a primary concern, which is why recurring passwords are considered the least efficient and least effective security mechanism for re-authentication.

Choice (b), nonrecurring passwords, is incorrect because they provide a strong form of re-authentication. Examples include a challenge-response protocol or a dynamic password generator, where a unique value is generated for each session. These values are never repeated and are valid for that session only. Tokens can help in re-authenticating a user or transaction. Memory tokens store but do not process information. Smart tokens expand the functionality of a memory token by incorporating one or more integrated circuits into the token itself; in other words, smart tokens both store and process information. Except for recurring passwords, all the other methods listed in the question are examples of advanced authentication methods that can be applied to re-authentication.
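An added example (not from the book) of the per-transaction challenge-response re-authentication described above, in Python: the server issues a fresh random nonce for every transaction and the client answers with an HMAC over it, so a captured answer is useless for any later transaction, unlike a reused static password. The shared secret, nonce size and class names are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed example: a per-transaction challenge-response re-authentication.
# The server issues a fresh nonce for every transaction; the client answers
# with HMAC(shared_secret, nonce). Because the nonce is never reused, a
# captured response cannot be replayed the way a recurring password can.

class ChallengeResponseServer:
    def __init__(self, shared_secret):
        self._secret = shared_secret
        self._pending = set()   # nonces issued but not yet answered
        self._used = set()      # nonces already consumed (replay guard)

    def issue_challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        # The nonce must have been issued by us and must not have been used.
        if nonce in self._used or nonce not in self._pending:
            return False
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        # Consume the nonce whether or not the answer was right: one
        # challenge never yields a second attempt.
        self._pending.discard(nonce)
        self._used.add(nonce)
        return ok

def client_response(shared_secret, nonce):
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()

def demo():
    secret = b"constructed-shared-secret"  # would come from enrollment
    server = ChallengeResponseServer(secret)
    # Transaction 1: the legitimate client answers the fresh challenge.
    n1 = server.issue_challenge()
    first = server.verify(n1, client_response(secret, n1))
    # Replay: an eavesdropper resubmits the same nonce/response pair.
    replay = server.verify(n1, client_response(secret, n1))
    # Transaction 2 answered with a wrong secret (a guessed static value).
    n2 = server.issue_challenge()
    wrong = server.verify(n2, client_response(b"guess", n2))
    return first, replay, wrong

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```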

Sources and References

“Access Control in Support of Information Systems, Security Technical Implementation Guide (DISA-STIG, Version 2 and Release 2),” Defense Information Systems Agency (DISA), U.S. Department of Defense (DOD), December 2008.

“Assessment of Access Control Systems (NISTIR 7316),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, September 2006.

“Electronic Authentication Guideline (NIST SP800-63R1),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, December 2008.

“Guide to Enterprise Password Management (NIST SP800-118 Draft),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, April 2009.

“Guide to Intrusion Detection and Prevention Systems (NIST SP800-94),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, February 2007.

“Guide to Storage Encryption Technologies (NIST SP 800-111),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, November 2007.

“Interfaces for Personal Identity Verification (NIST SP 800-73R1),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, March 2006.

“Privilege Management (NISTIR 7657 V0.4 Draft),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, November 2009.

Domain 2

Telecommunications and Network Security

Traditional Questions, Answers, and Explanations

1. If QoS is quality of service, QoP is quality of protection, QA is quality assurance, QC is quality control, DoQ is denial of quality, and DoS is denial of service, which of the following affects a network system’s performance?

1. QoS and QoP

2. QA and QC

3. DoQ

4. DoS

a. 1 only

b. 1 and 4

c. 2 and 3

d. 1, 2, 3, and 4

1. d. All four items affect a network system's performance. QoS parameters include reliability, delay, jitter, and bandwidth; applications such as e-mail, file transfer, Web access, remote login, and audio/video require different levels of these parameters to operate at different quality levels (i.e., high, medium, or low).
