Reading CISSP Practice in full

32. In electronic authentication, which of the following is used to verify proof-of-possession of registered devices or identifiers?

a. Lookup secret token

b. Out-of-band token

c. Token lock-up feature

d. Physical security mechanism

32. b. Out-of-band tokens can be used to verify proof-of-possession of registered devices (e.g., cell phones) or identifiers (e.g., e-mail IDs). The other three choices cannot verify proof-of-possession. Lookup secret tokens can be copied. Some tokens can lock up after a number of repeated failed activation attempts. Physical security mechanisms can be used to protect a stolen token from duplication because they provide tamper evidence, detection, and response capabilities.

33. In electronic authentication, which of the following are examples of weakly bound credentials?

1. Unencrypted password files

2. Signed password files

3. Unsigned public key certificates

4. Signed public key certificates

a. 1 only

b. 1 and 3

c. 1 and 4

d. 2 and 4

33. b. Unencrypted password files and unsigned public key certificates are examples of weakly bound credentials. The association between the identity and the token within a weakly bound credential can be readily undone, and a new association can be readily created. For example, a password file is a weakly bound credential because anyone who has “write” access to the password file can potentially update the association contained within the file.

34. In electronic authentication, which of the following are examples of strongly bound credentials?

1. Unencrypted password files

2. Signed password files

3. Unsigned public key certificates

4. Signed public key certificates

a. 1 only

b. 1 and 3

c. 1 and 4

d. 2 and 4

34. d. Signed password files and signed public key certificates are examples of strongly bound credentials. The association between the identity and the token within a strongly bound credential cannot be easily undone. For example, a digital signature binds the identity to the public key in a public key certificate; tampering with this signature can be easily detected through signature verification.
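The distinction behind questions 33 and 34 can be shown directly. The following is an added example, not code from the book: it builds a minimal identity-to-token record, signs it with Go's standard-library Ed25519, and shows that rewriting the token in an unsigned record goes unnoticed while the same rewrite of a signed record fails verification. The record layout, the issuer key, the identity "alice", and the names Issue, Rebind and Verify are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential is a constructed record that binds an identity to a token,
// here the public half of a key pair (as in a public key certificate).
type Credential struct {
	Identity  string
	TokenPub  ed25519.PublicKey
	Signature []byte // empty for the weakly bound (unsigned) form
}

// tbs is the "to-be-signed" byte string: identity, a separator, then the token.
func (c Credential) tbs() []byte {
	return append([]byte(c.Identity+"\x00"), c.TokenPub...)
}

// Issue creates a strongly bound credential: the issuer signs the association.
func Issue(issuer ed25519.PrivateKey, identity string, tokenPub ed25519.PublicKey) Credential {
	c := Credential{Identity: identity, TokenPub: tokenPub}
	c.Signature = ed25519.Sign(issuer, c.tbs())
	return c
}

// Rebind models anyone with write access swapping the token. On an unsigned
// record the association is silently undone and a new one created; on a signed
// record the old signature no longer covers the new association.
func Rebind(c Credential, newTokenPub ed25519.PublicKey) Credential {
	c.TokenPub = newTokenPub
	return c
}

// Verify reports whether the issuer's signature still covers the association.
// An unsigned (weakly bound) credential never verifies: there is nothing to check.
func Verify(issuerPub ed25519.PublicKey, c Credential) bool {
	return len(c.Signature) == ed25519.SignatureSize && ed25519.Verify(issuerPub, c.tbs(), c.Signature)
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, _, _ := ed25519.GenerateKey(rand.Reader)

	signed := Issue(issuerPriv, "alice", userPub)
	fmt.Println("signed, intact:   ", Verify(issuerPub, signed))                       // true
	fmt.Println("signed, rebound:  ", Verify(issuerPub, Rebind(signed, attackerPub))) // false: tampering detected
	unsigned := Credential{Identity: "alice", TokenPub: userPub}
	fmt.Println("unsigned, rebound:", Verify(issuerPub, Rebind(unsigned, attackerPub))) // false: no binding to verify
}
```

A real certificate also covers validity dates, issuer name and key usage in the signed data; the same principle applies, since any change to the signed bytes invalidates the signature.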

35. In electronic authentication, which of the following can be used to derive, guess, or crack the value of the token secret or spoof the possession of the token?

a. Private credentials

b. Public credentials

c. Paper credentials

d. Electronic credentials

35. a. A private credential object links a user’s identity to a representation of the token in such a way that exposing the credential to unauthorized parties can expose the token secret. A private credential can be used to derive, guess, or crack the value of the token secret or spoof the possession of the token. Therefore, it is important that the contents of the private credential be kept confidential (e.g., hashed password values).

Public credentials are shared widely, do not lead to an exposure of the token secret, and have little or no confidentiality requirements. Paper credentials are documents that attest to the identity of an individual (e.g., passports, birth certificates, and employee identity cards) and are based on written signatures, seals, special papers, and special inks. Electronic credentials bind an individual’s name to a token, as X.509 certificates and Kerberos tickets do.

36. Authorization controls are a part of which of the following?

a. Directive controls

b. Preventive controls

c. Detective controls

d. Corrective controls

36. b. Authorization controls such as access control matrices and capability tests are a part of preventive controls because they block unauthorized access. Preventive controls deter security incidents from happening in the first place.

Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.
