Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third party authentication protocol. It was designed and developed in the mid 1980's by MIT. It is considered open source but is copyrighted and owned by MIT. It relies on the user's secret keys. The password is used to encrypt and decrypt the keys. The following answers are incorrect: It utilizes public key cryptography. Is incorrect because Kerberos depends on secret keys (symmetric ciphers). It encrypts data after a ticket is granted, but passwords are exchanged in plain text. Is incorrect because the passwords are not exchanged but used for encryption and decryption of the keys. It is a second party authentication system. Is incorrect because Kerberos is a third party authentication system, you authenticate to the third party (Kerberos) and not the system you are accessing. References: MIT http://web.mit.edu/kerberos/ Wikipedi http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 OIG CBK Access Control (pages 181 - 184) AIOv3 Access Control (pages 151 - 155)
Question 418
Which of the following phases of a system development life-cycle is most concerned with establishing a good security policy as the foundation for design?
Correct Answer: C
Section: Security Operation Adimnistration Explanation/Reference: A security policy is an important document to develop while designing an information system. The security policy begins with the organization's basic commitment to information security formulated as a general policy statement. The policy is then applied to all aspects of the system design or security solution. The policy identifies security goals (e.g., confidentiality, integrity, availability, accountability, and assurance) the system should support, and these goals guide the procedures, standards and controls used in the IT security architecture design. The policy also should require definition of critical assets, the perceived threat, and security-related roles and responsibilities. Source: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page 6).
Question 419
Which of the following access methods is used by Ethernet?
Correct Answer: A
Explanation/Reference: Ethernet uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD) to minimize the effect of broadcast collisions. The following answers are incorrect: CSU/DSU Is incorrect because Channel Service Unit/Digital Service Unit(CSU/DSU) is a digital interface normally used to connect a router to a digital circuit. TCP/IP Is incorrect because Transmission Control Protocol/Internet Protocol(TCP/IP) is a network protocol not an access method. FIFO Is incorrect as it is a distractor. First In, First Out (FIFO) is typically a processing methodology in which first come, first served. Ethernet is a frame based network technology. References: OIG CBK Telecommunications and Network Security (pages 437 - 438) Wikipedia http://en.wikipedia.org/wiki/FIFO
Question 420
Who is responsible for initiating corrective measures and capabilities used when there are security violations?
Correct Answer: C
Management is responsible for protecting all assets that are directly or indirectly under their control. They must ensure that employees understand their obligations to protect the company's assets, and implement security in accordance with the company policy. Finally, management is responsible for initiating corrective actions when there are security violations. Source: HARE, Chris, Security management Practices CISSP Open Study Guide, version 1.0, april 1999.
Question 421
Which of the following keys has the SHORTEST lifespan?
Correct Answer: C
As session key is a symmetric key that is used to encrypt messages between two users. A session key is only good for one communication session between users. For example , If Tanya has a symmetric key that she uses to encrypt messages between Lance and herself all the time , then this symmetric key would not be regenerated or changed. They would use the same key every time they communicated using encryption. However , using the same key repeatedly increases the chances of the key being captured and the secure communication being compromised. If , on the other hand , a new symmetric key were generated each time Lance and Tanya wanted to communicate , it would be used only during their dialog and then destroyed. if they wanted to communicate and hour later , a new session key would be created and shared. The other answers are not correct because : Public Key can be known to anyone. Private Key must be known and used only by the owner. Secret Keys are also called as Symmetric Keys, because this type of encryption relies on each user to keep the key a secret and properly protected. REFERENCES: SHON HARRIS , ALL IN ONE THIRD EDITION : Chapter 8 : Cryptography , Page : 619-