2026 Latest CISSP Past Exam Questions and Answers (English) | Question Bank PDF Free Download + Exam Materials Collection
Question #1
Which of the following are proprietarily implemented by CISCO?
A. RADIUS+
B. TACACS
C. XTACACS and TACACS+
D. RADIUS
Question #2
What is a protocol used for carrying authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server?
A. IPSec
B. RADIUS
C. L2TP
D. PPTP
Question #3
RADIUS is defined by which RFC?
A. 2168
B. 2148
C. 2138
D. 2158
Question #4
In a RADIUS architecture, which of the following acts as a client?
A. A Network Access Server.
B. None of the choices.
C. The end user.
D. The authentication server.
Question #5
In a RADIUS architecture, which of the following can act as a proxy client?
A. The end user.
B. A Network Access Server.
C. The RADIUS authentication server.
D. None of the choices.
Question #6
Which of the following statements pertaining to RADIUS is incorrect?
A. A RADIUS server can act as a proxy server, forwarding client requests to other authentication domains.
B. Most RADIUS clients have the capability to query secondary RADIUS servers for redundancy.
C. Most RADIUS servers have built-in database connectivity for billing and reporting purposes.
D. Most RADIUS servers can work with DIAMETER servers.
Question #7
Which of the following is the weakest authentication mechanism?
A. Passphrases
B. Passwords
C. One-time passwords
D. Token devices
Question #8
What is the PRIMARY use of a password?
A. Allow access to files
B. Identify the user
C. Authenticate the user
Question #9
Software-generated passwords have what drawbacks?
A. Passwords are not easy to remember.
B. Passwords are too secure.
C. None of the choices.
D. Passwords are unbreakable.
Question #10
What are the valid types of one-time password generators?
A. All of the choices.
B. Transaction synchronous
C. Synchronous/PIN synchronous
D. Asynchronous/PIN asynchronous
Question #11
Which of the following would you consider the most secure?
A. Password
B. One time password
C. Login phrase
D. Login ID
Question #12
What type of password makes use of two totally unrelated words?
A. Login phrase
B. One time password
C. Composition
D. Login ID
Question #13
Which of the following is the correct account policy you should follow?
A. All of the choices.
B. All active accounts must have a password.
C. All active accounts must have a long and complex pass phrase.
D. All inactive accounts must have a password.
Question #14
Which of the following are the advantages of using a passphrase?
A. Difficult to crack using brute force.
B. Offers numerous characters.
C. Easier to remember.
D. All of the choices.
Question #15
Which of the following are the correct guidelines for password deployment?
A. Passwords must be masked.
B. All of the choices.
C. Passwords must have a minimum of 8 characters.
D. Passwords must contain a mix of both alphabetic and non-alphabetic characters.
Question #16
Why would a 16-character password not be desirable?
A. Hard to remember
B. Offers numerous characters.
C. Difficult to crack using brute force.
D. All of the choices.
Question #17
Which of the following is NOT a good password deployment guideline?
A. Passwords must not be the same as the user ID or login ID.
B. Password aging must be enforced on all systems.
C. Passwords must be easy to memorize.
D. Passwords must be changed at least once every 60 days, depending on your environment.
Question #18
Routing password can be restricted by the use of:
A. Password age
B. Password history
C. Complex password
D. All of the choices
Question #19
What should you do immediately if the root password is compromised?
A. Change the root password.
B. Change all passwords.
C. Increase the value of password age.
D. Decrease the value of password history.
Question #20
Which of the following is the most secure way to distribute passwords?
A. Employees must send in an email before obtaining a password.
B. Employees must show up in person and present proper identification before obtaining a password.
C. Employees must send in a signed email before obtaining a password.
D. None of the choices.
Question #21
Which of the following does not apply to system-generated passwords?
A. Passwords are harder to remember for users
B. If the password-generating algorithm gets to be known, the entire system is in jeopardy
C. Passwords are more vulnerable to brute force and dictionary attacks.
D. Passwords are harder to guess for attackers
Question #22
Passwords can be required to change monthly, quarterly, or at any other interval:
A. depending on the criticality of the information needing protection
Question #23
In the SSL/TLS protocol, what kind of authentication is supported?
A. Peer-to-peer authentication
B. Only server authentication (optional)
C. Server authentication (mandatory) and client authentication (optional)
D. Role based authentication scheme
Question #24
Which of the following correctly describes the difference between identification and authentication?
A. Authentication is a means to verify who you are, while identification is what you are authorized to perform.
B. Identification is a means to verify who you are, while authentication is what you are authorized to perform.
C. Identification is another name of authentication.
D. Identification is the child process of authentication.
Question #25
Identification establishes:
A. Authentication
B. Accountability
C. Authorization
D. None of the choices.
Question #26
Identification usually takes the form of:
A. Login ID.
B. User password.
C. None of the choices.
D. Passphrase
Question #27
What is called the act of a user professing an identity to a system, usually in the form of a log-on ID?
A. Authentication
B. Identification
C. Integrity
D. Confidentiality
Question #28
What is called the verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time?
A. Authentication
B. Identification
C. Integrity
D. Confidentiality
Question #29
Identification and authentication are the keystones of most access control systems. Identification establishes:
A. user accountability for the actions on the system
B. top management accountability for the actions on the system
C. EDP department accountability for the actions of users on the system
D. authentication for actions on the system
Question #30
Which one of the following authentication mechanisms creates a problem for mobile users?
A. address-based mechanism
B. reusable password mechanism
C. one-time password mechanism
D. challenge response mechanism
Question #31
Which of the following centralized access control mechanisms is not appropriate for mobile workers accessing the corporate network over analog lines?
A. TACACS
B. Call-back
C. CHAP
D. RADIUS
Question #32
Authentication is typically based upon:
A. Something you have.
B. Something you know.
C. Something you are.
D. All of the choices.
Question #33
A password represents:
A. Something you have.
B. Something you know.
C. All of the choices.
D. Something you are.
Question #34
A smart card represents:
A. Something you are.
B. Something you know.
C. Something you have.
D. All of the choices.
Question #35
Which of the following is the most commonly used check on something you know?
A. One time password
B. Login phrase
C. Retinal
D. Password
Question #36
Retinal scans check for:
A. Something you are.
B. Something you have.
C. Something you know.
D. All of the choices.
Question #37
What type of authentication takes advantage of an individual's unique physical characteristics in order to authenticate that person's identity?
A. Password
B. Token
C. Ticket Granting
D. Biometric
Question #38
What is called an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics?
A. Biometrics
B. Micrometrics
C. Macrometrics
D. MicroBiometrics
Question #39
Which of the following forms of authentication would most likely apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier?
A. Dynamic authentication
B. Continuous authentication
C. Encrypted authentication
D. Robust authentication
Question #40
In which situation would TEMPEST risks and technologies be of MOST interest?
A. Where high availability is vital.
B. Where the consequences of disclosure are very high.
C. Where countermeasures are easy to implement.
D. Where database integrity is crucial.
Question #41
Which one of the following addresses the protection of computers and components from electromagnetic emissions?
A. TEMPEST
B. ISO 9000
C. Hardening
D. IEEE 802.2
Question #42
Monitoring electromagnetic pulse emanations from PCs and CRTs provides a hacker with what significant advantage?
A. Defeat the TEMPEST safeguard
B. Bypass the system security application.
C. Gain system information without trespassing
D. Undetectable active monitoring.
Question #43
What name is given to the study and control of signal emanations from electrical and electromagnetic equipment?
A. EMI
B. Cross Talk
C. EMP
D. TEMPEST
Question #44
TEMPEST addresses:
A. The vulnerability of time-dependent transmissions.
B. Health hazards of electronic equipment.
C. Signal emanations from electronic equipment.
D. The protection of data from high energy attacks.
Question #45
Which one of the following is the MOST solid defense against interception of a network transmission?
A. Frequency hopping
B. Optical fiber
C. Alternate routing
D. Encryption
Question #46
Which of the following media is MOST resistant to tapping?
A. Microwave
B. Twisted pair
C. Coaxial cable
D. Fiber optic
Question #47
What type of wiretapping involves injecting something into the communications?
A. Aggressive
B. Captive
C. Passive
D. Active
Question #48
Why would an Ethernet LAN in a bus topology have a greater risk of unauthorized disclosure than switched Ethernet in a hub-and-spoke or star topology?
A. IEEE 802.5 protocol for Ethernet cannot support encryption.
B. Ethernet is a broadcast technology.
C. Hub and spoke connections are highly multiplexed.
D. TCP/IP is an insecure protocol.
Question #49
What type of attack occurs when a smartcard is operating under normal physical conditions, but sensitive information is gained by examining the bytes going to and from the smartcard?
A. Physical attacks.
B. Logical attacks.
C. Trojan Horse attacks.
D. Social Engineering attacks.
Question #50
What is an effective countermeasure against Trojan horse attack that targets smart cards?
A. Single-access device driver architecture.
B. Handprint driver architecture.
C. Fingerprint driver architecture.
D. All of the choices.
Question #51
Which of the following could illegally capture network user passwords?
A. Data diddling
B. Sniffing
C. Spoofing
D. Smurfing
Question #52
Which of the following statements is incorrect?
A. Since the early days of mankind humans have struggled with the problems of protecting assets
B. The addition of a PIN keypad to the card reader was a solution to the problem of unreported or lost cards
C. There has never been a problem of lost keys
D. A human guard is an inefficient and sometimes ineffective method of protecting resources
Question #53
A system uses a numeric password with 1-4 digits. How many passwords need to be tried before it is cracked?
A. 1024
B. 10000
C. 100000
D. 1000000
Question #54
Which of the following can be used to protect your system against brute force password attack?
A. Decrease the value of password history.
B. Employees must send in a signed email before obtaining a password.
C. After three unsuccessful attempts to enter a password, the account will be locked.
D. Increase the value of password age.
Question #55
Which of the following is an effective measure against a certain type of brute force password attack?
A. Password used must not be a word found in a dictionary.
B. Password history is used.
C. Password reuse is not allowed.
D. None of the choices.
Question #56
Which type of attack will most likely provide an attacker with multiple passwords to authenticate to a system?
A. Password sniffing
B. Dictionary attack
C. Dumpster diving
D. Social engineering
Question #57
Which of the following are measures against password sniffing?
A. Passwords must not be sent through email in plain text.
B. Passwords must not be stored in plain text on any electronic media.
C. You may store passwords electronically if it is encrypted.
D. All of the choices.
Question #58
Which one of the following conditions is NOT necessary for a long dictionary attack to succeed?
A. The attacker must have access to the target system.
B. The attacker must have read access to the password file.
C. The attacker must have write access to the password file.
D. The attacker must know the password encryption mechanism and key variable.
Question #59
What is an important factor affecting the time required to perpetrate a manual trial and error attack to gain access to a target computer system?
A. Keyspace for the password.
B. Expertise of the person performing the attack.
C. Processing speed of the system executing the attack.
D. Encryption algorithm used for password transfer.
Question #60
Which one of the following BEST describes a password cracker?
A. A program that can locate and read a password file.
B. A program that provides software registration passwords or keys.
C. A program that performs comparative analysis.
D. A program that obtains privileged access to the system.
Question #61
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?
A. Birthday
B. Brute force
C. Man-in-the-middle
D. Smurf
Question #62
Which of the following actions can increase the cost of an exhaustive attack?
A. Increase the age of a password.
B. Increase the length of a password.
C. None of the choices.
D. Increase the history of a password.
Question #63
Which of the following attacks focuses on cracking passwords?
A. SMURF
B. Spamming
C. Teardrop
D. Dictionary
Question #64
Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector?
A. Using TACACS+ server
B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall.
C. Setting modem ring count to at least 5
D. Only attaching modems to non-networked hosts.
Question #65
What is known as a decoy system designed to lure a potential attacker away from critical systems?
A. Honey Pots
B. Vulnerability Analysis Systems
C. File Integrity Checker
D. Padded Cells
Question #66
Which of the following would you consider a program that monitors data traveling over a network?
A. Smurfer
B. Sniffer
C. Fragmenter
D. Spoofer
Question #67
Which of the following is NOT a system-sensing wireless proximity card?
A. magnetically striped card
B. passive device
C. field-powered device
D. transponder
Question #68
Attacks on smartcards generally fall into what categories?
A. Physical attacks.
B. Trojan Horse attacks.
C. Logical attacks.
D. All of the choices, plus Social Engineering attacks.
Question #69
Which of the following attacks could be the most successful when the security technology is properly implemented and configured?
A. Logical attacks
B. Physical attacks
C. Social Engineering attacks
D. Trojan Horse attacks
Question #70
What type of attack occurs when normal physical conditions are altered in order to gain access to sensitive information on the smartcard?
A. Physical attacks
B. Logical attacks
C. Trojan Horse attacks
D. Social Engineering attacks
Question #71
Which one of the following is an example of electronic piggybacking?
A. Attaching to a communications line and substituting data.
B. Abruptly terminating a dial-up or direct-connect session.
C. Following an authorized user into the computer room.
D. Recording and playing back computer transactions.
Question #72
A system using Discretionary Access Control (DAC) is vulnerable to which one of the following attacks?
A. Trojan horse
B. Phreaking
C. Spoofing
D. SYN flood
Question #73
Which of the following is an example of an active attack?
A. Traffic analysis
B. Masquerading
C. Eavesdropping
D. Shoulder surfing
Question #74
What attack involves actions to mimic one's identity?
A. Brute force
B. Exhaustive
C. Social engineering
D. Spoofing
Question #75
Which access control model enables the owner of the resource to specify what subjects can access specific resources?
A. Discretionary Access Control
B. Mandatory Access Control
C. Sensitive Access Control
D. Role-based Access Control
Question #76
The type of discretionary access control that is based on an individual's identity is called:
A. Identity-based access control
B. Rule-based access control
C. Non-Discretionary access control
D. Lattice-based access control
Question #77
Which of the following access control types gives "UPDATE" privileges on Structured Query Language (SQL) database objects to specific users or groups?
A. Supplemental
B. Discretionary
C. Mandatory
D. System
Question #78
With discretionary access controls, who determines who has access and what privileges they have?
A. End users.
B. None of the choices.
C. Resource owners.
D. Only the administrators.
Question #79
What defines an imposed access control level?
Question #80
Under MAC, who can change the category of a resource?
A. All users.
B. Administrators only.
C. All managers.
D. None of the choices.
Question #81
Under MAC, who may grant a right of access that is explicitly forbidden in the access control policy?
A. None of the choices.
B. All users.
C. Administrators only.
D. All managers.
Question #82
You may describe MAC as:
A. Opportunistic
B. Prohibitive
C. None of the choices.
D. Permissive
Question #83
Under MAC, which of the following is true?
A. All that is expressly permitted is forbidden.
B. All that is not expressly permitted is forbidden.
C. All that is not expressly permitted is not forbidden.
D. None of the choices.
Question #84
Under MAC, a clearance is a:
A. Sensitivity
B. Subject
C. Privilege
D. Object
Question #85
Under MAC, a file is a(n):
A. Privilege
B. Subject
C. Sensitivity
D. Object
Question #86
Under MAC, classification reflects:
A. Sensitivity
B. Subject
C. Privilege
D. Object
Question #87
MAC is used for:
A. Defining imposed access control level.
B. Defining user preferences.
C. None of the choices.
D. Defining discretionary access control level.
Question #88
With MAC, who may make decisions that bear on policy?
A. None of the choices.
B. All users.
C. Only the administrator.
D. All users except guests.
Question #89
With MAC, who may NOT make decisions that derive from policy?
A. All users except the administrator.
B. The administrator.
C. The power users.
D. The guests.
Question #90
Under the MAC control system, what is required?
A. Performance monitoring
B. Labeling
C. Sensing
D. None of the choices
Question #91
Access controls that are not based on the policy are characterized as:
A. Secret controls
B. Mandatory controls
C. Discretionary controls
D. Corrective controls
Question #92
DAC are characterized by many organizations as:
A. Need-to-know controls
B. Preventive controls
C. Mandatory adjustable controls
D. None of the choices
Question #93
Which of the following correctly describes DAC?
A. It is the most secure method.
B. It is of the B2 class.
C. It can extend beyond limiting which subjects can gain what type of access to which objects.
D. It is of the B1 class.
Question #94
Under DAC, a subject's rights must be ________ when it leaves an organization altogether.
A. recycled
B. terminated
C. suspended
D. resumed
Question #95
In a discretionary mode, which of the following entities is authorized to grant information access to other people?
A. manager
B. group leader
C. security manager
D. user
Question #96
With RBAC, each user can be assigned:
A. One or more roles.
B. Only one role.
C. A token role.
D. A security token.
Question #97
With RBAC, roles are:
A. Based on labels.
B. All equal.
C. Hierarchical
D. Based on flows.
Question #98
With __________, access decisions are based on the roles that individual users have as part of an organization.
A. Server based access control.
B. Rule based access control.
C. Role based access control.
D. Token based access control.
Question #99
Under Role based access control, access rights are grouped by:
A. Policy name
B. Rules
C. Role name
D. Sensitivity label
Question #100
Which of the following will you consider as a "role" under a role based access control system?
A. Bank rules
B. Bank computer
C. Bank teller
D. Bank network