1、CISSP认证考试(访问控制)模拟试卷 1及答案与解析 1 Which of the following does not correctly describe a directory service? ( A) It manages objects within a directory by using namespaces. ( B) It enforces security policy by carrying out access control and identity management functions. ( C) It assigns namespaces to each
2、object in databases that are based on the X.509 standard and are accessed by LDAP. ( D) It allows an administrator to configure and manage how identification takes place within the network. 2 Hannah has been assigned the task of installing Web access management(WAM) software. What is the best descri
3、ption for what WAM is commonly used for? ( A) Control external entities requesting access through X.500 databases ( B) Control external entities requesting access to internal objects ( C) Control internal entities requesting access through X.500 databases ( D) Control internal entities requesting ac
4、cess to external objects 3 There are several types of password management approaches used by identity management systems. Which of the following reduces help-desk call volume, but is also criticized for the ease with which a hacker could gain access to multiple resources if a password is compromised
5、? ( A) Management password reset ( B) Self-service password reset ( C) Password synchronization ( D) Assisted password reset 4 A number of attacks can be performed against smart cards. Side-channel is a class of attacks that doesnt try to compromise a flaw or weakness. Which of the following is not
6、a side-channel attack? ( A) Differential power analysis ( B) Microprobing analysis ( C) Timing analysis ( D) Electromagnetic analysis 5 Which of the following does not describe privacy-aware role-based access control? ( A) It is an example of a discretionary access control model. ( B) Detailed acces
7、s controls indicate the type of data that users can access based on the datas level of privacy sensitivity. ( C) It is an extension of role-based access control. ( D) It should be used to integrate privacy policies and access control policies. 6 What was the direct predecessor to Standard Generalize
8、d Markup Language(SGML)? ( A) Hypertext Markup Language (HTML) ( B) Extensible Markup Language (XML) ( C) LaTeX ( D) Generalized Markup Language (GML) 7 Brian has been asked to work on the virtual directory of his companys new identity management system. Which of the following best describes a virtu
9、al directory? ( A) Meta-directory ( B) User attribute information stored in an HR database ( C) Virtual container for data from multiple sources ( D) A service that allows an administrator to configure and manage how identification takes place 8 Emily is listening to network traffic and capturing pa
10、sswords as they are sent to the authentication server. She plans to use the passwords as part of a future attack. What type of attack is this? ( A) Brute-force attack ( B) Dictionary attack ( C) Social engineering attack ( D) Replay attack 9 Which of the following correctly describes a federated ide
11、ntity and its role within identity management processes? ( A) A nonportable identity that can be used across business boundaries ( B) A portable identity that can be used across business boundaries ( C) An identity that can be used within intranet virtual directories and identity stores ( D) An iden
12、tity specified by domain names that can be used across business boundaries 10 Phishing and pharming are similar. Which of the following correctly describes the difference between phishing and pharming? ( A) Personal information is collected from victims through legitimate-looking Web sites in phishi
13、ng attacks, while personal information is collected from victims via e-mail in pharming attacks. ( B) Phishing attacks point e-mail recipients to a form where victims input personal information, while pharming attacks use pop-up forms at legitimate Web sites to collect personal information from vict
14、ims. ( C) Victims are pointed to a fake Web site with a domain name that looks similar to a legitimate sites in a phishing attack, while victims are directed to a fake Web site as a result of a legitimate domain name being incorrectly translated by the DNS server ( D) Phishing is a technical attack,
15、 while pharming is a type of social engineering. 11 Security countermeasures should be transparent to users and attackers. Which of the following does not describe transparency? ( A) User activities are monitored and tracked without negatively affecting system performance. ( B) User activities are m
16、onitored and tracked without the user knowing about the mechanism that is carrying this out. ( C) Users are allowed access in a manner that does not negatively affect business processes. ( D) Unauthorized access attempts are denied and logged without the intruder knowing about the mechanism that is
17、carrying this out. 12 What markup language allows for the sharing of application security policies to ensure that all applications are following the same security rules? ( A) XML ( B) SPML ( C) XACML ( D) GML 13 The importance of protecting audit logs generated by computers and network devices is hi
18、ghlighted by the fact that it is required by many of todays regulations. Which of the following does not explain why audit logs should be protected? ( A) If not properly protected, these logs may not be admissible during a prosecution. ( B) Audit logs contain sensitive data and should only be access
19、ible to a certain subset of people. ( C) Intruders may attempt to scrub the logs to hide their activities. ( D) The format of the logs should be unknown and unavailable to the intruder. 14 Harrison is evaluating access control products for his company. Which of the following is not a factor he needs
20、 to consider when choosing the products? ( A) Classification level of data ( B) Level of training that employees have received ( C) Logical access controls provided by products ( D) Legal and regulation issues 15 There are several types of intrusion detection systems (IDSs). What type of IDS builds
21、a profile of an environments normal activities and assigns an anomaly score to packets based on the profile? ( A) State-based ( B) Statistical anomaly-based ( C) Misuse detection system ( D) Protocol signature-based 16 A rule-based IDS takes a different approach than a signature-based or anomalybase
22、d system. Which of the following is characteristic of a rule-based IDS? ( A) Uses IF/THEN programming within expert systems ( B) Identifies protocols used outside of their common bounds ( C) Compares patterns to several activities at once ( D) Can detect new attacks 17 Sam plans to establish mobile
23、phone service using the personal information he has stolen from his former boss. What type of identity theft is this? ( A) Phishing ( B) True name ( C) Pharming ( D) Account takeover 18 Of the following, what is the primary item that a capability listing is based upon? ( A) A subject ( B) An object
24、( C) A product ( D) An application 19 Alex works for a chemical distributor that assigns employees tasks that separate their duties and routinely rotates job assignments. Which of the following best describes the differences between these countermeasures? ( A) They are the same thing with different
25、titles. ( B) They are administrative controls that enforce access control and protect the companys resources. ( C) Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud because more than one person knows the tasks of a position. ( D) J
26、ob rotation ensures that one person cannot perform a high-risk task alone, and separation of duties can uncover fraud because more than one person knows the tasks of a position. 20 What type of markup language allows company interfaces to pass service requests and the receiving company provision acc
27、ess to these services? ( A) XML ( B) SPML ( C) SGML ( D) HTML 21 There are several different types of centralized access control protocols. Which of the following is illustrated in the graphic that follows? ( A) Diameter ( B) Watchdog ( C) RADIUS ( D) TACACS+ 22 An access control matrix is used in m
28、any operating systems and applications to control access between subjects and objects. What is the column in this type of matrix referred to as?( A) Capability table ( B) Constrained interface ( C) Role-based value ( D) ACL 23 What technology within identity management is illustrated in the graphic
29、that follows?( A) User provisioning ( B) Federated identity ( C) Directories ( D) Web access management 24 There are several different types of single sign-on protocols and technologies in use today. What type of technology is illustrated in the graphic that follows?( A) Kerberos ( B) Discretionary
30、access control ( C) SESAME ( D) Mandatory access control 25 There are different ways that specific technologies can create one-time passwords for authentication purposes. What type of technology is illustrated in the graphic that follows?( A) Counter synchronous token ( B) Asynchronous token ( C) Ma
31、ndatory token ( D) Synchronous token 26 Sally is carrying out a software analysis on her companys proprietary application. She has found out that it is possible for an attacker to force an authorization step to take place before the authentication step is completed successfully. What type of issue w
32、ould allow for this type of compromise to take place? ( A) Backdoor ( B) Maintenance hook ( C) Race condition ( D) Data validation error 27 Which of the following best describes how SAML, SOAP, and HTTP commonly work together in an environment that provides Web services? ( A) Security attributes are
33、 put into SAML format. Web service request and authentication data are encrypted in a SOAP message. Message is transmitted in an HTTP connection. ( B) Security attributes are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted
34、in an HTTP connection over TLS. ( C) Authentication data are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in an HTTP connection. ( D) Authentication data are put into SAML format. HTTP request and authentication data are
35、 encapsulated in a SOAP message. Message is transmitted in an HTTP connection. 28 Tom works at a large retail company that recently deployed radio-frequency identification (RFID) to better manage its inventory processes. Employees use scanners to gather product-related information instead of manuall
36、y looking up product data. Tom has found out that malicious customers have carried out attacks on the RFID technology to reduce the amount they pay on store items. Which of the following is the most likely reason for the existence of this type of vulnerability? ( A) The companys security team does n
37、ot understand how to secure this type of technology. ( B) The cost of integrating security within RFID is cost prohibitive. ( C) The technology has low processing capabilities and encryption is very processor-intensive. ( D) RFID is a new and emerging technology, and the industry does not currently
38、have ways to secure it. 29 Tanya is the security administrator for a large distributed retail company. The companys network has many different network devices and software appliances that generate logs and audit data. Tanya and her staff have become overwhelmed with trying to review all of the log f
39、iles when attempting to identify if anything suspicious is taking place within the network. Which of the following is the best solution for this company to implement? ( A) Security information and event management ( B) Event correlation tools ( C) Intrusion detection systems ( D) Security event corr
40、elation management tools 30 Sarah and her security team have carried out many vulnerability tests over the years to locate the weaknesses and vulnerabilities within the systems on the network. The CISO has asked her to oversee the development of a threat model for the network. Which of the following
41、 best describes what this model is and what it would be used for? ( A) A threat model can help to assess the probability, the potential harm, and the priority of attacks, and thus help to minimize or eradicate the threats. ( B) A threat model combines the output of the various vulnerability tests an
42、d the penetration tests carried out to understand the security posture of the network as a whole. ( C) A threat model is a risk-based model that is used to calculate the probabilities of the various risks identified during the vulnerability tests. ( D) A threat model is used in software development
43、practices to uncover programming errors. CISSP认证考试(访问控制)模拟试卷 1答案与解析 1 【正确答案】 C 【试题解析】 C正确。大多数企业都有包含公司网络资源和用户信息的某种类型的目录。基于 X 500标准 (不是 X 509)和一种协议类型,即轻量目录访问协议(Lightweight Directory Access Protocol, LDAP),大多数目录都遵循分层的数据库结构,允许主体和应用程序与这个目录进行交互。应用程序可以通过向目录提出一 个 LDAP请求来获得某一特定用户的信息;用户也可以使用相似请求获得某个特定资源的信息。目录
44、服务基于 X 500标准,给数据库中的每个客体分配一个LDAP可访问的可分辨名称 (distinguished names)。每一个可分辨名称都代表着某个特定客体的属性的集合,并作为一个条目存储在目录中。 A不正确。因为层次数据库中的客体都是通过日录服务进行管理的。目录服务允许管理员配置和管理网络内的身份识别、身份验证、授权和访问控制如何进行。目录内的客体都被贴上标签并用命名空间来标识,这也是目录服务保证客体有序的方式。 B不正确。因为目录服务的确通过控制访问和身份管理功能加强了配置好的安全策略。例如,当用户登录到 Windows环境中的一个域控制器时,目录服务 (活动目录, Active D
45、irectory)便可以确定出他能访问哪些网络资源,不能访问哪些资源。 D不正确。因为目录服务的确允许管理员配置和管理网络内部身份识别的方式。它同时也允许对身份验证、授权和访问控制进行配置和管理。 【知识模块】 访问控制 2 【正确答案】 B 【试题解析】 B正确。 Web访问管理 (Web Access Management, WAM)软件控制着用户在使用 Web浏览器与基于 Web的企业资产进行交互时能访问的内容。随着电子商务、在线银行、内容提供和 Web服务等使用的日益增长,这类技术变得越来越强大,应用也越来越多。 Web访问控制管理流程中最基本的部分和活动如下: a)用户向 Web服务
46、器发送证书; b)Web服务器验证用户的证书; c)用户请求访问某个资源 (客体 ); d) Web服务器使用安全策略确定是否允许该用户执行此操作: e)Web服务器允许拒绝访问请求访问的资源。 A不正确。因为目录服务应该在 X 500数据库 不是 Web访问 管理软件 的目录中进行访问控制。目录服务管理入口和数据,并通过实施强制访问控制和身份管理功能来巩固已配置的安全策略。活动目录和 NetWare目录服务 (NDS)就属于目录服务的例子。尽管基于 Web的访问请求可能针对的是数据库中的客体,但 WAM主要控制 Web浏览器和服务器之间的通信。 Web服务器通常通过目录服务与后端数据库进行通
47、信。 C不正确。因为当内部实体使用 LDAP请求访问 X 500数据库时,目录服务应该执行访问控制。这种类型的数据库为所有客体 (主体和资源 )提供了一种分层结构。目录服务为每一个客体制定一个 独一无二的可分辨名称,并根据需要将对应的属性追加到每个客体后面。目录服务实行安全策略 (由管理员配置 )来控制主体和客体的交互方式。如果基于 Web的访问请求针对的可能是数据库中的客体, WAM主要控制的是 Web浏览器和服务器之间的通信。尽管 WAM可以用于内部到内部的通信,但它主要是为了外部到内部的通信而开发的。 B选项是这 4个选项中的最佳答案。 D不正确。因为 WAM软件主要用于控制外部实体对内
48、部客体的请求访问,而不是这个答案项所描述的。例如,银行可能会使用 WAM控制顾客访问后端账户数据。 【知识模块】 访问控 制 3 【正确答案】 C 【试题解析】 C正确。密码同步 (password synchronization)的设计初衷是为了减少不同系统使用不同密码的复杂性。密码同步技术允许用户通过把密码透明地同步到其他系统和应用程序,从而能够为多个系统只维护一个密码,而不必记住多个系统的多个密码。这种方法减少了信息台的电话量。这种方法的缺点是,因为只用一个密码便可访问不同的资源,那么黑客仅须破解这一个凭据集便可未经授权访问所有的资源。 A不正确。因为没有这样的管理密码重置。这是一个干扰
49、项。最常见的密码管理方法有 密码同步、自助密码重置和辅助密码重置。 B不正确。因为自助密码重置不一定需要处理多个密码。然而,它的确有助于减低密码有关信息台的整体电话流量。在自助密码重置的情况下,用户可以重新设置他们的密码。例如,如果一个用户忘记了自己的密码,他可能立即会被提示回答他在注册过程中设定的问题。如果他的回答与他在注册时提供的信息一致,那么他便可以更改密码。 D不正确。因为辅助密码重置不一定需要处理多个密码。它先让信息台验证用户的信息,然后才允许用户重置密码,这样缩短了密码问题的解决流程。必须通过密码管理工具对呼叫者的身份进行 识别和验证后才能允许其更改密码。一旦密码被更新,正在认证用户的这个系统应该要求该用户再次更改其密码。这样可以确保只有该用户 (而不是其他用户或信息中心的人 )知道这个密码。这种辅助密码重置产品的目的是减少支持呼叫的成本,并确保所有的呼叫都以统一、连贯和安全的方式得到处理。 【知识模块】 访问控制 4 【正确答案】 B 【试题解析】 B正确。非侵入性攻击是指攻击者观察事物的工作方式以及不同情况下的反应方式、而不是指采取更多的侵入措施试图侵入的攻击方式。旁道攻击的例子有故障生成、差分功率分析、电磁分 析、时序分析和软件攻击等。这种类型的攻击常用来发现关于组件在不破解任何类型的缺陷或弱点的情况下如何工作的敏感信息。更
