Читаем CISSP Practice полностью

8. b. In wireless LANs, the stronger node could block the weaker one, substitute its own messages, and even acknowledge responses from other nodes. Similarly, theft of equipment is a major risk in wireless LANs due to their portability. When equipment moves around, things can easily become missing. Eavesdropping and masquerading are common to both the wired and wireless LANs. Eavesdropping is an unauthorized interception of information. Masquerading is an attempt to gain access to a computer system by posing as an authorized user.

9. The World Wide Web (WWW) can be protected against the risk of eavesdropping in an economical and convenient manner through the use of which of the following?

a. Link and document encryption

b. Secure sockets layer and secure HTTP

c. Link encryption and secure socket layer

d. Document encryption and secure HTTP

9. b. The risk of eavesdropping occurs on the Internet in at least two ways: traffic analysis and stealing of sensitive information such as credit card numbers. Secure sockets layer (SSL) provides an encrypted TCP/IP pathway between two hosts on the Internet. SSL can be used to encrypt any TCP/IP, such as HTTP, TELNET, or FTP. SSL can use a variety of public key and token-based systems for exchanging a session key. SHTTP (secure HTTP) is an encryption system designed for HTTP and works only with HTTP.

Link encryption provides encryption for all traffic, but it can be performed only with prior arrangement. It is expensive. Document encryption is cumbersome because it requires the documents to be encrypted before they are placed on the server, and they must be decrypted when they are received. Link and document encryption can use either TCP/IP or other protocols.

10. An effective way to run a World Wide Web (WWW) service is not by:

a. Disabling automatic directory listings

b. Placing the standalone WWW computer outside the firewall in the DMZ

c. Implementing encryption

d. Relying on third-party providers

10. d. Important security features of WWW include (i) disabling automatic directory listings for names and addresses, (ii) placing the standalone, stripped-down WWW computer outside the firewall in the demilitarized zone (DMZ), and (iii) providing encryption when sensitive or personal information is transmitted or stored. There is a potential risk posed by dependence on a limited number of third-party providers in terms of performance and availability of service.

11. For Web services, which of the following uses binary tokens for authentication, digital signatures for integrity, and content-level encryption for confidentiality?

a. Web service interoperability (WS-I)

b. Web services security (WS-Security)

c. Web services description languages (WSDL)

d. Web-Oriented architecture (WOA)

11. b. The Web service is a software component or system designed to support an interoperable machine or application-oriented interaction over a network. The Web service has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using simple object access protocol (SOAP) messages, typically conveyed using hypertext transfer protocol (HTTP) with an extensible markup language (XML) serialization with other Web-related standards. Web services security (WS-Security) is a mechanism for incorporating security information into SOAP messages. WS-Security uses binary tokens for authentication, digital signatures for integrity, and content-level encryption for confidentiality.

The other three choices do not provide the same security services as the WS-Security. The Web service interoperability (WS-I) basic profile is a set of standards and clarifications to standards that vendors must follow for basic interoperability with SOAP products. The Web services description language (WSDL) is an XML format for describing network services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information. WSDL complements the universal description, discovery, and integration (UDDI) standard by providing a uniform way of describing the abstract interface and protocol bindings and deployment details of arbitrary network services. The Web-oriented architecture (WOA) is a set of Web protocols (e.g., HTTP and plain XML) to provide dynamic, scalable, and interoperable Web services.

12. Radio frequency identification technologies rely on which of the following to ensure security?