Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
Question 478
Which of the following statements pertaining to RADIUS is incorrect:
Correct Answer: D
This is the correct answer because it is FALSE. Diameter is an AAA protocol, AAA stands for authentication, authorization and accounting protocol for computer networks, and it is a successor to RADIUS. The name is a pun on the RADIUS protocol, which is the predecessor (a diameter is twice the radius). The main differences are as follows: Reliable transport protocols (TCP or SCTP, not UDP) The IETF is in the process of standardizing TCP Transport for RADIUS Network or transport layer security (IPsec or TLS) The IETF is in the process of standardizing Transport Layer Security for RADIUS Transition support for RADIUS, although Diameter is not fully compatible with RADIUS Larger address space for attribute-value pairs (AVPs) and identifiers (32 bits instead of 8 bits) Client-server protocol, with exception of supporting some server-initiated messages as well Both stateful and stateless models can be used Dynamic discovery of peers (using DNS SRV and NAPTR) Capability negotiation Supports application layer acknowledgements, defines failover methods and state machines (RFC 3539) Error notification Better roaming support More easily extended; new commands and attributes can be defined Aligned on 32-bit boundaries Basic support for user-sessions and accounting A Diameter Application is not a software application, but a protocol based on the Diameter base protocol (defined in RFC 3588). Each application is defined by an application identifier and can add new command codes and/or new mandatory AVPs. Adding a new optional AVP does not require a new application. Examples of Diameter applications: Diameter Mobile IPv4 Application (MobileIP, RFC 4004) Diameter Network Access Server Application (NASREQ, RFC 4005) Diameter Extensible Authentication Protocol (EAP) Application (RFC 4072) Diameter Credit-Control Application (DCCA, RFC 4006) Diameter Session Initiation Protocol Application (RFC 4740) Various applications in the 3GPP IP Multimedia Subsystem All of the other choices presented are true. So Diameter is backwork compatible with Radius (to some extent) but the opposite is false. Reference(s) used for this question: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Page 38. and https://secure.wikimedia.org/wikipedia/en/wiki/Diameter_%28protocol%29
Question 479
A business continuity plan is an example of which of the following?
Correct Answer: A
Business Continuity Plans are designed to minimize the damage done by the event, and facilitate rapid restoration of the organization to its full operational capacity. They are for use "after the fact", thus are examples of corrective controls. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 273). and Conrad, Eric; Misenar, Seth; Feldman, Joshua (2012-09-01). CISSP Study Guide (Kindle Location 8069). Elsevier Science (reference). Kindle Edition. and
Question 480
Why is infrared generally considered to be more secure to eavesdropping than multidirectional radio transmissions?
Correct Answer: C
Infrared is generally considered to be more secure to eavesdropping than multidirectional radio transmissions because infrared requires direct line-of-sight paths. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 173).
Question 481
Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data?
Correct Answer: A
Section: Access Control Explanation/Reference: The questions specifically said: "within a different function" which eliminate Job Rotation as a choice. Management monitoring of audit logs is a detective control and it would not prevent collusion. Changing passwords regularly would not prevent such attack. This question validates if you understand the concept of separation of duties and least privilege. By having operators that have only the minimum access level they need and only what they need to do their duties within a company, the operations personnel would be force to use collusion to defeat those security mechanism. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.