Callback or dial-back systems and magnetic cards with personal identification numbers provide medium protection, whereas user identification numbers and passwords provide minimum protection. Callback systems can be negated through the use of call forwarding features in a telephone system. Magnetic cards can be lost, stolen, or counterfeited. User IDs and passwords can be shared with others or guessed by others, a control weakness.

170. To achieve effective security over transmission, what is the best area where stronger encryption can be applied the most?

a. Packet level

b. Record level

c. File level

d. Field level

170. d. Encryption can protect anything from one message field to an entire message packet in transmission over network lines. Because the message field is the lowest-level element and an important element in terms of message content and value, security is effective and enhanced. Here, encryption is focused on where it matters the most. Note that field-level encryption is stronger than file-, record-, and packet-level encryption, although encryption can be applied at each of these levels.

171. What is the least powerful method of protecting confidential data or program files?

a. Scrambling the data

b. Encoding the data before transmission

c. Decoding the data after transmission

d. Using passwords and other identification codes

171. d. Use of passwords and other identification codes is not powerful due to their sharing and guessable nature. Scrambling, encoding, and decoding are cryptographic methods used in data transmission. Encryption is used in scrambling, encoding (encrypting), and decoding (decrypting) of data. Encryption is the process of transforming data to an unintelligible form in such a way that the original data either cannot be obtained (one-way encryption) or cannot be obtained without using the inverse decryption process (two-way encryption). Authorized users of encrypted computer data must have the key that was used to encrypt the data to decrypt it. The unique key chosen for use in a particular application makes the results of encrypting data using the algorithm unique. Using a different key causes different results. The cryptographic security of the data depends on the security provided for the keys used to encrypt and decrypt the data.

172. What is the best technique to thwart network masquerading?

a. Dial-back technique

b. Dial-forward technique

c. File encryption only

d. Dial-back combined with data encryption

172. d. Personal computers (PCs) are in increasing use as computer terminal devices connected to larger host systems and when two or more PCs are connected to networks. Information transmitted over unprotected telecommunications lines can be intercepted by someone masquerading as an authorized user, thereby actively receiving sensitive information.

Encryption can be adapted as a means of remote user authorization. A user key, entered at the keyboard, authenticates the user. A second encryption key can be stored in encrypted form in the calling system firmware that authenticates the calling system as an approved communications endpoint. When dial-back is used with two-key encryption, data access can be restricted to authorized users (with the user key) with authorized systems (those whose modems have the correct second key), located at authorized locations (those with phone numbers listed in the answering system’s phone directory).

The dial-back technique alone cannot guarantee protection against masquerading because hackers can use the dial-forward technique to reroute calls and spoof the connection. File encryption only may not be adequate because an intruder may have an opportunity to intercept the key while it is in transit. Managing the encryption key is critical.

173. Which of the following describes message authentication correctly?

a. A process of guaranteeing that the message was sent as received by the party identified in the header of the message.

b. A process of guaranteeing that the message was sent as received by the party identified in the footer of the message.

c. A process of guaranteeing that the message sent was received at the same time regardless of the location.

d. A process of guaranteeing that all delivered and undelivered messages are reconciled immediately.
