Читаем CISSP Practice полностью

37. In electronic authentication, after a credential has been created, which of the following is responsible for maintaining the credential in storage?

a. Verifier

b. Relying party

c. Credential service provider

d. Registration authority

37. c. The credential service provider (CSP) is the only one responsible for maintaining the credential in storage. The verifier and the CSP may or may not belong to the same entity. The other three choices are incorrect because they are not applicable to the situation here.

38. Which of the following is the correct definition of privilege management?

a. Privilege management = Entity attributes + Entity policies

b. Privilege management = Attribute management + Policy management

c. Privilege management = Resource attributes + Resource policies

d. Privilege management = Environment attributes + Environment policies

38. b Privilege management is defined as a process that creates, manages, and stores the attributes and policies needed to establish criteria that can be used to decide whether an authenticated entity’s request for access to some resource should be granted. Privilege management is conceptually split into two parts: attribute management and policy management. The attribute management is further defined in terms of entity attributes, resource attributes, and environment attributes. Similarly, the policy management is further defined in terms of entity policies, resource policies, and environment policies.

39. The extensible access control markup language (XACML) does not define or support which of the following?

a. Trust management

b. Privilege management

c. Policy language

d. Query language

39. a. The extensible access control markup language (XACML) is a standard for managing access control policy and supports the enterprise-level privilege management. It includes a policy language and a query language. However, XACML does not define authority delegation and trust management.

40. For intrusion detection and prevention system (IDPS) security capabilities, which of the following prevention actions should be performed first to reduce the risk of inadvertently blocking benign activity?

1. Alert enabling capability.

2. Alert disabling capability.

3. Sensor learning mode ability.

4. Sensor simulation mode ability.

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

40. d. Some intrusion detection and prevention system (IDPS) sensors have a learning mode or simulation mode that suppresses all prevention actions and instead indicates when a prevention action should have been performed. This ability enables administrators to monitor and fine-tune the configuration of the prevention capabilities before enabling prevention actions, which reduces the risk of inadvertently blocking benign activity. Alerts can be enabled or disabled later.

41. In the electronic authentication process, which of the following is weakly resistant to man-in-the-middle (MitM) attacks?

a. Account lockout mechanism

b. Random data

c. Sending a password over server authenticated TLS

d. Nonce

41. c. A protocol is said to have weak resistance to MitM attacks if it provides a mechanism for the claimant to determine whether he is interacting with the real verifier, but still leaves the opportunity for the nonvigilant claimant to reveal a token authenticator to an unauthorized party that can be used to masquerade as the claimant to the real verifier. For example, sending a password over server authenticated transport layer security (TLS) is weakly resistant to MitM attacks. The browser enables the claimant to verify the identity of the verifier; however, if the claimant is not sufficiently vigilant, the password will be revealed to an unauthorized party who can abuse the information. The other three choices do not deal with MitM attacks, but they can enhance the overall electronic authentication process.

An account lockout mechanism is implemented on the verifier to prevent online guessing of passwords by an attacker who tries to authenticate as a legitimate claimant. Random data and nonce can be used to disguise the real data.