91. c.
Improper error handling during a transmission between a sender and a receiver can result in side channel attacks, which can result in integrity failures. A security policy should define the response to such a failure. Remedies for integrity failures can include retransmission limited to a predetermined number of times and storing the error data in an audit log for later identification of the source of the error. The other three choices do not allow side channel attacks because they do not deal with transmission errors. Confidentiality deals with privacy and nondisclosure of information, and more. Availability deals with making data and systems within the reach of users. Labels are used to identify attributes, parameters, or the intended use of a key.
92. Public key authentication systems:
a. Are faster than private key systems
b. Do not use digital signatures
c. Are slower than private key systems
d. Do not use alpha characters in the key
92. c.
Public key methods are much slower than private key methods and cause overhead, which are their main disadvantages. The public key contains alphanumeric characters. Public key systems use digital signatures for authentication.
93. Which of the following is not a common route to data interception?
a. Direct observation
b. Data encryption
c. Interception of data transmission
d. Electromagnetic interception
93. b.
There are three routes of data interception: direct observation, interception of data transmission, and electromagnetic interception. Data encryption can be a solution to data interception.
94. The combination of XEX tweakable block cipher with ciphertext stealing and advanced encryption standard (XTS-AES) algorithm was designed to provide which of the following?
1. Encryption of data on storage devices
2. Encryption of data in transit
3. Confidentiality for the protected data
4. Authentication of data
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4
94. c.
The XTS-AES mode was designed for the cryptographic protection of data on storage devices that use fixed length data units, and it was not designed for encryption of data in transit. This mode also provides confidentiality for the protected data but not authentication of data or access control.
95. Which of the following is not used for public key infrastructure-based (PKI-based) authentication of system users?
a. Validates certificates by constructing a certification path to an accepted trust anchor
b. Establishes user control of the corresponding private key
c. Maps the authenticated identity to the user account
d. Uses a RADIUS server with extensible authentication protocol and transport layer security authentication
95. d.
A RADIUS server with extensible authentication protocol (EAP) and transport layer security (TLS) authentication is used to identify and authenticate devices on LANs and/or WANs. It is not used for authenticating system users. The other three choices are used for PKI-based authentication of system users.
96. Message authentication code (MAC) provides which of the following security services?
a. Confidentiality and integrity
b. Authentication and integrity
c. Accountability and availability
d. Assurance and reliability
96. b.
The message authentication code (MAC) provides data authentication and integrity. A MAC is a cryptographic checksum on the data that is used to provide assurance that the data has not changed and that the MAC was computed by the expected entity. It cannot provide other security services.
97. Which of the following are countermeasures against traffic analysis attacks?
1. Traffic flow signal control
2. Traffic encryption key
3. Traffic flow security
4. Traffic padding
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4
97. d.
Traffic flow security is a technique to counter traffic analysis attacks; it is the protection resulting from encrypting the source and destination addresses of valid messages transmitted over a communications circuit. Security is assured due to use of link encryption and because no part of the data is known to an attacker. Traffic padding, which generates mock communications or data units to disguise the amount of real data units being sent, also protects against traffic analysis attacks.