CISSP Certification Exam (Access Control) - Paper 1 with Answer Analysis (Total score: 60.00, time allowed: 90 minutes)

1. Which of the following does not correctly describe a directory service? (Score: 2.00)
A. It manages objects within a directory by using namespaces.
B. It enforces security policy by carrying out access control and identity management functions.
C. It assigns namespaces to each object in databases that are based on the X.509 standard and are accessed by LDAP.
D. It allows an administrator to configure and manage how identification takes place within the network.

2. Hannah has been assigned the task of installing Web access management (WAM) software. What is the best description for what WAM is commonly used for? (Score: 2.00)
A. Control external entities requesting access through X.500 databases
B. Control external entities requesting access to internal objects
C. Control internal entities requesting access through X.500 databases
D. Control internal entities requesting access to external objects

3. There are several types of password management approaches used by identity management systems. Which of the following reduces help-desk call volume, but is also criticized for the ease with which a hacker could gain access to multiple resources if a password is compromised? (Score: 2.00)
A. Management password reset
B. Self-service password reset
C. Password synchronization
D. Assisted password reset

4. A number of attacks can be performed against smart cards. Side-channel is a class of attacks that doesn't try to compromise a flaw or weakness. Which of the following is not a side-channel attack? (Score: 2.00)
A. Differential power analysis
B. Microprobing analysis
C. Timing analysis
D. Electromagnetic analysis

5. Which of the following does not describe privacy-aware role-based access control? (Score: 2.00)
A. It is an example of a discretionary access control model.
B. Detailed access controls indicate the type of data that users can access based on the data's level of privacy sensitivity.
C. It is an extension of role-based access control.
D. It should be used to integrate privacy policies and access control policies.

6. What was the direct predecessor to Standard Generalized Markup Language (SGML)? (Score: 2.00)
A. Hypertext Markup Language (HTML)
B. Extensible Markup Language (XML)
C. LaTeX
D. Generalized Markup Language (GML)

7. Brian has been asked to work on the virtual directory of his company's new identity management system. Which of the following best describes a virtual directory? (Score: 2.00)
A. Meta-directory
B. User attribute information stored in an HR database
C. Virtual container for data from multiple sources
D. A service that allows an administrator to configure and manage how identification takes place

8. Emily is listening to network traffic and capturing passwords as they are sent to the authentication server. She plans to use the passwords as part of a future attack. What type of attack is this? (Score: 2.00)
A. Brute-force attack
B. Dictionary attack
C. Social engineering attack
D. Replay attack

9. Which of the following correctly describes a federated identity and its role within identity management processes? (Score: 2.00)
A. A nonportable identity that can be used across business boundaries
B. A portable identity that can be used across business boundaries
C. An identity that can be used within intranet virtual directories and identity stores
D. An identity specified by domain names that can be used across business boundaries

10. Phishing and pharming are similar. Which of the following correctly describes the difference between phishing and pharming? (Score: 2.00)
A. Personal information is collected from victims through legitimate-looking Web sites in phishing attacks, while personal information is collected from victims via e-mail in pharming attacks.
B. Phishing attacks point e-mail recipients to a form where victims input personal information, while pharming attacks use pop-up forms at legitimate Web sites to collect personal information from victims.
C. Victims are pointed to a fake Web site with a domain name that looks similar to a legitimate site's in a phishing attack, while victims are directed to a fake Web site as a result of a legitimate domain name being incorrectly translated by the DNS server.
D. Phishing is a technical attack, while pharming is a type of social engineering.

11. Security countermeasures should be transparent to users and attackers. Which of the following does not describe transparency? (Score: 2.00)
A. User activities are monitored and tracked without negatively affecting system performance.
B. User activities are monitored and tracked without the user knowing about the mechanism that is carrying this out.
C. Users are allowed access in a manner that does not negatively affect business processes.
D. Unauthorized access attempts are denied and logged without the intruder knowing about the mechanism that is carrying this out.

12. What markup language allows for the sharing of application security policies to ensure that all applications are following the same security rules? (Score: 2.00)
A. XML
B. SPML
C. XACML
D. GML

13. The importance of protecting audit logs generated by computers and network devices is highlighted by the fact that it is required by many of today's regulations. Which of the following does not explain why audit logs should be protected? (Score: 2.00)
A. If not properly protected, these logs may not be admissible during a prosecution.
B. Audit logs contain sensitive data and should only be accessible to a certain subset of people.
C. Intruders may attempt to scrub the logs to hide their activities.
D. The format of the logs should be unknown and unavailable to the intruder.

14. Harrison is evaluating access control products for his company. Which of the following is not a factor he needs to consider when choosing the products? (Score: 2.00)
A. Classification level of data
B. Level of training that employees have received
C. Logical access controls provided by products
D. Legal and regulation issues

15. There are several types of intrusion detection systems (IDSs). What type of IDS builds a profile of an environment's normal activities and assigns an anomaly score to packets based on the profile? (Score: 2.00)
A. State-based
B. Statistical anomaly-based
C. Misuse detection system
D. Protocol signature-based

16. A rule-based IDS takes a different approach than a signature-based or anomaly-based system. Which of the following is characteristic of a rule-based IDS? (Score: 2.00)
A. Uses IF/THEN programming within expert systems
B. Identifies protocols used outside of their common bounds
C. Compares patterns to several activities at once
D. Can detect new attacks

17. Sam plans to establish mobile phone service using the personal information he has stolen from his former boss. What type of identity theft is this? (Score: 2.00)
A. Phishing
B. True name
C. Pharming
D. Account takeover

18. Of the following, what is the primary item that a capability listing is based upon? (Score: 2.00)
A. A subject
B. An object
C. A product
D. An application

19. Alex works for a chemical distributor that assigns employees tasks that separate their duties and routinely rotates job assignments. Which of the following best describes the differences between these countermeasures? (Score: 2.00)
A. They are the same thing with different titles.
B. They are administrative controls that enforce access control and protect the company's resources.
C. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud because more than one person knows the tasks of a position.
D. Job rotation ensures that one person cannot perform a high-risk task alone, and separation of duties can uncover fraud because more than one person knows the tasks of a position.

20. What type of markup language allows company interfaces to pass service requests and the receiving company provision access to these services? (Score: 2.00)
A. XML
B. SPML
C. SGML
D. HTML

21. There are several different types of centralized access control protocols. Which of the following is illustrated in the graphic that follows? (Score: 2.00)
A. Diameter
B. Watchdog
C. RADIUS
D. TACACS+

22. An access control matrix is used in many operating systems and applications to control access between subjects and objects. What is the column in this type of matrix referred to as? (Score: 2.00)
A. Capability table
B. Constrained interface
C. Role-based value
D. ACL

23. What technology within identity management is illustrated in the graphic that follows? (Score: 2.00)
A. User provisioning
B. Federated identity
C. Directories
D. Web access management

24. There are several different types of single sign-on protocols and technologies in use today. What type of technology is illustrated in the graphic that follows? (Score: 2.00)
A. Kerberos
B. Discretionary access control
C. SESAME
D. Mandatory access control

25. There are different ways that specific technologies can create one-time passwords for authentication purposes. What type of technology is illustrated in the graphic that follows? (Score: 2.00)
A. Counter synchronous token
B. Asynchronous token
C. Mandatory token
D. Synchronous token

26. Sally is carrying out a software analysis on her company's proprietary application. She has found out that it is possible for an attacker to force an authorization step to take place before the authentication step is completed successfully. What type of issue would allow for this type of compromise to take place? (Score: 2.00)
A. Backdoor
B. Maintenance hook
C. Race condition
D. Data validation error

27. Which of the following best describes how SAML, SOAP, and HTTP commonly work together in an environment that provides Web services? (Score: 2.00)
A. Security attributes are put into SAML format. Web service request and authentication data are encrypted in a SOAP message. Message is transmitted in an HTTP connection.
B. Security attributes are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in an HTTP connection over TLS.
C. Authentication data are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in an HTTP connection.
D. Authentication data are put into SAML format. HTTP request and authentication data are encapsulated in a SOAP message. Message is transmitted in an HTTP connection.

28. Tom works at a large retail company that recently deployed radio-frequency identification (RFID) to better manage its inventory processes. Employees use scanners to gather product-related information instead of manually looking up product data. Tom has found out that malicious customers have carried out attacks on the RFID technology to reduce the amount they pay on store items. Which of the following is the most likely reason for the existence of this type of vulnerability? (Score: 2.00)
A. The company's security team does not understand how to secure this type of technology.
B. The cost of integrating security within RFID is cost prohibitive.
C. The technology has low processing capabilities and encryption is very processor-intensive.
D. RFID is a new and emerging technology, and the industry does not currently have ways to secure it.

29. Tanya is the security administrator for a large distributed retail company. The company's network has many different network devices and software appliances that generate logs and audit data. Tanya and her staff have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Which of the following is the best solution for this company to implement? (Score: 2.00)
A. Security information and event management
B. Event correlation tools
C. Intrusion detection systems
D. Security event correlation management tools

30. Sarah and her security team have carried out many vulnerability tests over the years to locate the weaknesses and vulnerabilities within the systems on the network. The CISO has asked her to oversee the development of a threat model for the network. Which of the following best describes what this model is and what it would be used for? (Score: 2.00)
A. A threat model can help to assess the probability, the potential harm, and the priority of attacks, and thus help to minimize or eradicate the threats.
B. A threat model combines the output of the various vulnerability tests and the penetration tests carried out to understand the security posture of the network as a whole.
C. A threat model is a risk-based model that is used to calculate the probabilities of the various risks identified during the vulnerability tests.
D. A threat model is used in software development practices to uncover programming errors.

CISSP Certification Exam (Access Control) - Paper 1 Answer Analysis (Total score: 60.00, time allowed: 90 minutes)

1. Which of the following does not correctly describe a directory service? (Score: 2.00)
A. It manages objects within a directory by using namespaces.
B. It enforces security policy by carrying out access control and identity management functions.
C. It assigns namespaces to each object in databases that are based on the X.509 standard and are accessed by LDAP.
D. It allows an administrator to configure and manage how identification takes place within the network.
Analysis: C is correct. Most enterprises have some type of directory that contains information about the company's network resources and users. Based on the X.500 standard (not X.509) and a protocol, the Lightweight Directory Access Protocol (LDAP), most directories follow a hierarchical database structure that allows subjects and applications to interact with the directory. An application can obtain information about a particular user by making an LDAP request to the directory; a user can obtain information about a particular resource with a similar request. Directory services, based on the X.500 standard, assign each object in the database a distinguished name that can be accessed through LDAP. Each distinguished name represents a collection of attributes of a particular object and is stored in the directory as an entry. A is incorrect because the objects in the hierarchical database are managed through the directory service. The directory service allows the administrator to configure and manage how identification, authentication, authorization and access control take place within the network. Objects within the directory are labelled and identified with namespaces, which is how the directory service keeps objects organized. B is incorrect because the directory service does enforce the configured security policy by carrying out access control and identity management functions. For example, when a user logs in to a domain controller in a Windows environment, the directory service (Active Directory) determines which network resources he can and cannot access. D is incorrect because the directory service does allow an administrator to configure and manage how identification takes place within the network. It also allows authentication, authorization and access control to be configured and managed.

2. Hannah has been assigned the task of installing Web access management (WAM) software. What is the best description for what WAM is commonly used for? (Score: 2.00)
A. Control external entities requesting access through X.500 databases
B. Control external entities requesting access to internal objects
C. Control internal entities requesting access through X.500 databases
D. Control internal entities requesting access to external objects
Analysis: B is correct. Web access management (WAM) software controls what users can access when they use a Web browser to interact with Web-based enterprise assets. With the growing use of e-commerce, online banking, content providing, Web services and so on, this type of technology has become more powerful and more widely deployed. The most basic components and activities of the Web access control management process are as follows: a) the user sends credentials to the Web server; b) the Web server verifies the user's credentials; c) the user requests access to a resource (object); d) the Web server uses the security policy to determine whether the user is allowed to carry out this operation; e) the Web server allows or denies access to the requested resource. A is incorrect because the directory service, not the Web access management software, should carry out access control in an X.500 database. The directory service manages the entries and data and enforces the configured security policy by carrying out access control and identity management functions. Active Directory and NetWare Directory Services (NDS) are examples of directory services. Although a Web-based access request may be directed at an object in the database, WAM mainly controls the communication between the Web browser and the server. The Web server usually communicates with the back-end database through the directory service. C is incorrect because when an internal entity uses an LDAP request to access an X.500 database, the directory service should carry out the access control. This type of database provides a hierarchical structure for all objects (subjects and resources). The directory service gives each object a unique distinguished name and appends the corresponding attributes to each object as needed. The directory service enforces the security policy (configured by the administrator) to control how subjects and objects interact. Even if a Web-based access request may be directed at an object in the database, WAM mainly controls the communication between the Web browser and the server. Although WAM can be used for internal-to-internal communication, it was mainly developed for external-to-internal communication. Option B is the best answer of the four. D is incorrect because WAM software is mainly used to control external entities requesting access to internal objects, not what this option describes. For example, a bank might use WAM to control customers' access to back-end account data.

3. There are several types of password management approaches used by identity management systems. Which of the following reduces help-desk call volume, but is also criticized for the ease with which a hacker could gain access to multiple resources if a password is compromised?