Читаем CISSP Practice полностью

125. a. At a minimum, organizations should consider establishing backup and recovery sites for their key PKI components (RA, CA, and Directories) that supply the services necessary for application programs to use certificates. A PKI is an infrastructure, like a highway. By itself, it does little. It is useful when application programs employ the certificates and services that it supports. The PKI is a combination of products, services, software, hardware, facilities, policies, procedures, agreements, and people that provide for and sustain secure interactions on open networks such as the Internet. The other three choices are the side effects of using a PKI, which also needs to be developed.

126. Which of the following can mitigate threats to integrity when public key cryptography is used?

a. Data checksums and secure hashes

b. Public key signatures and secure hashes

c. Cyclic redundancy checks and secure hashes

d. Simple checksums and secure hashes

126. b. Public key cryptography verifies integrity by using public key signatures and secure hashes. A secure hash algorithm (SHA) is used to create a message digest (hash). The hash can change if the message is modified. The hash is then signed with a private key. The hash may be stored or transmitted with the data. When the integrity of the data is to be verified, the hash is recalculated, and the corresponding public key is used to verify the integrity of the message.

127. Which of the following mitigate threats to nonrepudiation?

a. Secure hashes

b. Message digest 4

c. Message digest 5

d. Digital signatures and certificates

127. d. Data is electronically signed by applying the originator’s private key to the data. The resulting digital signature can be stored or transmitted with the data. Any party using the public key of the signer can verify the signature. If the signature is verified, then the verifier has confidence that the data was not modified after being signed and that the owner of the public key was the signer. A digital certificate binds the public key to the identity of the signer.

128. Regarding data sanitization practices in a cloud computing environment, which of the following is affected most when data from one subscriber is physically commingled with the data of other subscribers?

a. Data at rest

b. Data in transit

c. Data in use

d. Data to recover

128. d. The data sanitization practices have serious implications for security and data recovery in the cloud computing environment and are most affected. Sanitization is the removal of sensitive data from a storage device such as (i) when a storage device is removed from service or moved elsewhere to be stored, (ii) when residual data remains upon termination of service, and (iii) when backup copies are made for recovery and restoration of service. Data sanitization matters can get complicated when data from one subscriber is physically commingled with the data of other subscribers. It is also possible to recover data from failed drives (for example, hard drives and flash drives) that are not disposed of properly by cloud providers.

Procedures for protecting data at rest are not as well standardized in a cloud computing environment. Cryptography can be used to protect data in transit. Trust mechanisms such as requiring service contracts and performing risk assessments can protect data in use because this is an emerging area of cryptography.

129. Which of the following provides a unique user ID for a digital certificate?

a. User name

b. User organization

c. User e-mail

d. User message digest

129. d. The digital certificate contains information about the user’s identity (for example, name, organization, and e-mail), but this information may not necessarily be unique. A one-way (hash) function can be used to construct a fingerprint (message digest) unique to a given certificate using the user’s public key.

130. Which of the following is not included in the digital signature standard (DSS)?

a. Digital signature algorithm (DSA)

b. Data encryption standard (DES)

c. Rivest, Shamir, and Adelman algorithm (RSA)

d. Elliptic curve digital signature algorithm (ECDSA)

130. b. DSA, RSA, and ECDSA are included in the DSS that specifies a digital signature used in computing and verifying digital signatures. DES is a symmetric algorithm and is not included in the DSS. DES is a block cipher and uses a 56-bit key.