CISSP Access Control Questions
Access Control

1. Which of the following is not used in biometric systems to authenticate individuals?
A. Fingerprinting
B. Keyboard dynamics
C. Iris scan
D. Cognitive password

2. Which of the following is the most important when evaluating different biometric systems?
A. Type I error
B. CER
C. Type II error
D. The total amount of errors between Type I and Type II

3. Which of the following attacks is most commonly used to uncover passwords?
A. Spoofing
B. Dictionary attack
C. DoS
D. WinNuke

4. Which of the following is not a weakness of Kerberos?
A. The KDC is a single point of failure
B. Kerberos is vulnerable to password guessing
C. All devices must have Kerberos software to participate
D. Kerberos is the de facto standard for distributed networks

5. A capability table is bound to which of the following?
A. Subject
B. Object
C. ACLs
D. Permissions

6. Which of the following best describes the difference between memory and smart cards?
A. A memory card has a microprocessor and integrated circuits used to process data, whereas a smart card has a magnetic strip that is used to hold information
B. A smart card has a microprocessor and integrated circuits used to process data, whereas a memory card has a magnetic strip that is used to hold information
C. Memory cards are more tamperproof than smart cards
D. Memory cards are cheaper to develop, create, and maintain

7. Which of the following is a true statement pertaining to intrusion detection systems?
A. Signature-based systems can detect new attack types
B. Signature-based systems cause more false positives than behavior-based systems
C. Behavior-based systems maintain a database of patterns to match packets and attacks against
D. Behavior-based systems have higher false positives than signature-based systems

8. Which of the following is a countermeasure to traffic analysis attacks?
A. Control zone
B. Keystroke monitoring
C. White noise
D. Traffic padding

9. If several subjects access the same media or memory segments, sensitive data may be at risk of being uncovered. This is referred to as:
A. Degaussing
B. Zeroization
C. Object reuse
D. Mandatory access

10. Which of the following is not an example of centralized access control administration technology?
A. RADIUS
B. TEMPEST
C. TACACS
D. Diameter

Answers to 1-10: 1.D 2.B 3.B 4.B 5.A 6.B 7.D 8.D 9.C 10.B

11. The three classic ways of authenticating yourself to the computer security software are: something you know, something you have, and something
A. You need
B. You read
C. You are
D. You do

12. Which term describes a confidential series of characters used to verify a user's identity?
A. Encryption
B. User ID
C. Password
D. Encoding

13. What is the definition of granularity as it applies to computer security?
A. The fineness with which a trusted system can authenticate users
B. The fineness with which imperfections of a trusted system can be measured
C. The fineness with which an access control system can be adjusted
D. The fineness with which a packet can be filtered

14. Which of the following is the LEAST important information to record when logging a security violation?
A. Username
B. User ID
C. Type of violation
D. Date and time of the violation

15. A timely review of system access audit records would be an example of which basic security function?
A. Avoidance
B. Deterrence
C. Prevention
D. Detection

16. Which one of the following validates a user's identity by a confidential number?
A. Key
B. PIN
C. Challenge
D. Algorithm

17. In a discretionary mode, who has delegation authority to grant access to information to other people?
A. User
B. Security Officer
C. Group leader
D. Owner

18. What determines the assignment of data classifications in a mandatory access control philosophy?
A. The analysis of the users in conjunction with the audit department
B. The assessment by the information security department
C. The steward's evaluation of the particular information element
D. The requirement of the organization's published security policy

19. An access system that grants users only those rights necessary for them to perform their work is operating on which security principle?
A. Discretionary Access
B. Least Privilege
C. Mandatory Access
D. Separation of Duties

20. Which of the following mechanisms could bypass logical access controls?
A. Discretionary Access
B. Role-based Access
C. Trusted Path
D. Trap Door

Answers to 11-20: 11.C 12.C 13.C 14.A 15.D 16.B 17.D 18.D 19.B 20.D

21. Tokens, smart cards, and biometric devices used for identification and authentication provide robust authentication of the individual by practicing which of the following principles?
A. Multi-party authentication
B. Two-factor authentication
C. Mandatory authentication
D. Discretionary authentication

22. What role does biometrics have in logical access control?
A. Identification
B. Authorization
C. Authentication
D. Confirmation

23. Which of the following could be considered a single point of failure within single sign-on?
A. The user's workstation
B. The authentication server
C. The application server
D. The login script

24. Which of the following procedures could BEST be utilized to validate the continued need for privileged user access to system resources?
A. Periodic review and recertification of privileged usercodes
B. Periodic review of audit logs
C. Revoke processes which can grant access to sensitive files
D. Periodic review of data classifications by management

25. What is the BEST method of storing user passwords for a system?
A. Password-protected file
B. File restricted to one individual
C. One-way encrypted file
D. Two-way encrypted file

26. What is the purpose of a ticket-oriented security mechanism?
A. Permits the subjects access to objects
B. Assigns access modes to objects
C. Grants subjects discretionary control
D. Assures user access accountability

27. Why is the concept of single sign-on appealing to users?
A. Fewer logons
B. Shorter passwords
C. Longer periods between password changes
D. Computer-generated passwords

28. Remote access using a synchronous one-time password scheme is most closely associated with which of the following?
A. Something you are
B. Something you have
C. Something you calculate
D. Something you know

29. Which of the following security principles are supported by role-based access control?
A. Discretionary access control, confidentiality, and non-repudiation
B. Mandatory access control, auditing, and integrity
C. Least privilege, separation of duties, and discretionary access control
D. Least privilege, mandatory access control, and data sensitivity

30. With role-based access control, access decisions are predicated on:
A. the privileges and groups of access rights assigned to users
B. the job functions that individual users have as part of an organization
C. effective means for developing and enforcing enterprise-specific security policies
D. a computer-based organizational access control policy

Answers to 21-30: 21.B 22.C 23.B 24.A 25.C 26.A 27.A 28.B 29.C 30.B

31. Role-based access control offers the enterprise which of the following capabilities to ease the administrative burden of maintaining authorization data?
A. It is a non-traditional, non-discretionary access control mechanism
B. System administrator responsibilities are at the local organizational level
C. It enforces enterprise-specific security policies
D. User membership in roles can be easily revoked and new memberships established as job assignments dictate

32. The act of validating a user with a unique identifier is called:
A. identification
B. authorization
C. authentication
D. registration

33. Which type of access control allows users to specify who can access their files?
A. Mandatory
B. Discretionary
C. Relational
D. Administrative

34. Which of the following is used to implement access control matrices?
A. Mandatory
B. Discretionary
C. Relational
D. Administrative

35. Which of the following is NOT a part of the Kerberos authentication scheme?
A. Authentication server
B. Ticket granting service
C. Users and programs
D. Message Authentication Code

36. Penetration testing is security testing in which:
A. hackers with no knowledge of the system are hired to attempt to break into a system to demonstrate protection flaws
B. penetrators attempt to circumvent the security features of the system to identify where weaknesses exist, so that they may be strengthened
C. foreign agents use sophisticated tools such as "password grabbers" and "dictionary attacks" to overcome the identification and authentication mechanisms of a system for future intrusions
D. physical penetration is perpetrated in order to perform manual activities only possible with physical access to the system

37. The type of penetration testing used to discover whether numerous usercode/password combinations can be attempted without detection is called:
A. keystroke capturing
B. access validation testing
C. brute force testing
D. accountability testing

38. Which of the following results would NOT routinely be expected from a penetration test?
A. Specifics on how the testing team obtained the information that allowed them to infiltrate a protected system
B. A description of the company's vulnerabilities
C. A risk analysis showing the extent to which a company is at risk within each exposure
D. Evidence of destruction of any data obtained but not delivered

39. What is the analysis used to determine the feasibility and methods for defeating controls of a system called?
A. Security filter
B. Penetration study
C. Disaster plan
D. Residual risk

40. Which one of the following is the key element when performing a penetration test?
A. The tester should have the same access constraints as a normal user
B. The tester should have access to the system source code
C. The tester should have access to network diagrams
D. The tester should have access to vendor manuals and system documentation

Answers to 31-40: 31.D 32.C 33.B 34.B 35.D 36.B 37.C 38.C 39.B 40.A

41. What type of attack often tries all possible solutions?
A. Trojan horse
B. Trap door
C. Clone
D. Brute force

42. Which of the following defines a denial of service attack?
A. An action that prevents a system from functioning in accordance with its intended purpose
B. An action that allows unauthorized users to access some of the computing services available
C. An action that allows a hacker to compromise system information
D. An action that allows authorized users to access some of the computing services available

43. Spoofing can be defined as:
A. listening to a conversation between people or systems to obtain information
B. a person or a process pretending to be a person or process in order to obtain access to the system
C. a hostile or unexpected entity concealed within another entity
D. the testing of all possibilities to obtain information

44. What type of attack is eavesdropping?
A. Active
B. Passive
C. Aggressive
D. Masquerading

45. An important control that should be in place for external connections to a network that uses call back schemes is:
A. Breaking of a dial-up connection at the
