Читаем CISSP Practice полностью

219. d. Both zone transfer and dynamic update transactions use transaction signature (TSIG). In TSIG, mutual identification of servers is based on a shared secret key.

A DNS query/response is incorrect because IETF’s DNSSEC standard is used in a DNS query/response transaction. A DNS NOTIFY message is incorrect because IETF specifies hosts from which messages can be received for DNS NOTIFY message transactions.

220. Which of the following statements about red teams are not true?

1. They can be effective when insider work is suspected.

2. They represent another independent attack on the system.

3. They prove that a computer system is secure.

4. They are a substitute for methodical testing.

a. 1 and 2

b. 1 and 3

c. 3 and 4

d. 2 and 4

220. c. A red team is a team of independent experts hired to attempt to breach a system’s security. The red team cannot prove that a system is secure. Also, the red team’s approach is not a substitute for methodical security testing. What it can do is be effective when insider work is suspected because it can show the areas of vulnerability. Also, the red team approach should be viewed as another independent attack on the system’s integrity and security. If the system has not been thoroughly tested prior to red team testing, it is a waste of effort and money because the approach will be ineffective.

221. Which of the following firewalls is most secure?

a. Packet filtering firewall

b. Screened subnet firewall

c. Screened host firewall

d. Dual-homed gateway firewall

221. b. The screened subnet firewall adds an extra layer of security by creating a network where the bastion host resides. Often called a perimeter network, the screened subnet firewall separates the internal network from the external. This leads to stronger security.

222. Who should not be given access to firewalls?

a. Primary firewall administrator

b. Functional users

c. Backup firewall administrator

d. Network service manager

222. b. Firewalls should not be used as general-purpose servers. The only access accounts on the firewalls should be those of the primary and backup firewall administrators and the network service manager, where the latter manages both administrators. Functional users should not be given access to firewalls because they do not contain business-related application systems.

223. Most common attacks against wireless technologies include which of the following?

a. Spamming and loss of availability

b. Spoofing and loss of integrity

c. Eavesdropping and loss of confidentiality

d. Cracking and loss of authenticity

223. c. Wireless technologies invite privacy and fraud violations more easily than wired technologies due to their broadcast nature. The privacy implications of widespread use of mobile wireless technologies are potentially serious for both individuals and businesses. There will be a continuing need to guard against eavesdropping and breaches of confidentiality, as hackers and scanners develop ways to listen in and track wireless communications devices. For example, wired equivalent privacy (WEP) protocol can be attacked, and Wi-Fi protected access (WPA) and its version 2 (WPA2) can be attacked using rainbow tables. Attacks mentioned in the other three choices are not that common, but they do happen.

224. Which of the following merits most protection in the use of wireless technologies?

1. Privacy of location

2. Privacy of equipment

3. Privacy of transmission contents

4. Privacy of third parties

a. 1 and 2

b. 1 and 3

c. 3 and 4

d. 2 and 3

224. b. There are two main types of information that merit most protection in the wireless context: the contents of a call or transmission and the location of the sender or recipient. Privacy of equipment and third parties are not relevant here.

225. Which of the following involves a complicated technique that combines the public-key encryption method with a hashing algorithm that prevents reconstructing the original message?

a. Digital signature

b. Voice over Internet Protocol

c. Electronic signature

d. Firewalls

225. a. Two steps are involved in creating a digital signature. First, the encryption software uses a hashing algorithm to create a message digest from the file being transmitted. Second, the software uses a sender’s private (secret) key to encrypt the message digest. The result is a digital signature for that specific file.