Читаем CISSP Practice полностью

138. c. Instant messaging (IM) systems authenticate users for communication by linking user accounts to directory services (i.e., Active Directory and Lightweight Directory Access Protocol, LDAP) to associate with valid accounts and provide role-based access permissions. IM authentication could be enhanced using two-factor authentication because it is more secure. Two-factor authentication identifies users using two distinctive factors such as something they have (e.g., token or smart card), something they know (e.g., password or PIN), or something they are (e.g., a biometric sample). Requiring two forms of electronic identification reduces the risk of fraud.

139. Which of the following extensible authentication protocol (EAP) methods does not fully satisfy the security requirements for a robust security network (RSN) such as wireless local-area network (WLAN) using the IEEE 802.11i standard?

a. EAP transport layer security (EAP-TLS)

b. EAP tunneled TLS (EAP-TTLS)

c. EAP flexible authentication via secure tunneling (EAP-FAST)

d. Protected EAP (PEAP)

139. c. The extensible authentication protocol (EAP) provides the authentication framework for IEEE 802.11 RSNs that use IEEE 802.11X port-based access control. The EAP provides mutual authentication between an access point (AP), a station (STA), and an authentication server (AS). EAP-FAST is especially suitable for unsophisticated devices (e.g., household appliances, vending machines, and other small devices not connected to WLANs) that might not have the computing power to perform TLS handshakes, and as such its security is limited for robust WLANs. The other three EAP methods are secure. It is important that organizations should select the EAP methods based on a risk assessment of the target environment.

140. Which of the following is a part of transport layer security policies and is not a part of data link layer security policies to prevent network congestion problems?

a. Retransmission policy

b. Timeout determination policy

c. Out-of-order caching policy

d. Flow control policy

140. b. The timeout determination policy is a part of the transport layer security policies but not a part of the data link layer security policies. The other three choices are the same between these two layer’s policies.

141. Which of the following protects the confidentiality of data in transit in a file-sharing environment?

a. Network file sharing (NFS)

b. Apple filing protocol (AFP)

c. Server message block (SMB)

d. Secure file transfer protocol (SFTP)

141. d. Secure FTP (SFTP) and Secure Copy (SCP) encrypt their network communications to protect the confidentiality of data in transit. Examples of commonly used client/server file sharing services are file transfer protocol (FTP), network file sharing, Apple filing protocol, and server message block. These are standardized protocols without encryption that do not protect the confidentiality of the data in transit, including any supplied authentication credentials such as passwords.

142. Countermeasures against time-of-check to time-of-use (TOC-TOU) attacks include which of the following?

1. Use traffic padding techniques.

2. Apply task sequence rules.

3. Apply encryption tools.

4. Implement strong access controls.

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1 and 3

142. b. Time-of-check to time-of-use (TOC-TOU) attack is an example of asynchronous attacks where it takes advantage of timing differences between two events. Applying task sequence rules combined with encryption tools are effective against such attacks. Traffic padding technique is effective against traffic analysis attacks, and access controls are good against data inference attacks.

143. In a legacy wireless local-area network (WLAN) environment using wired equivalent privacy (WEP) protocol (IEEE 802.11), a bit-flipping attack results in which of the following?

a. Loss of confidentiality

b. Loss of integrity

c. Loss of availability

d. Loss of accountability