For a federated identity solution, a third-party Identity Provider (IdP) is PRIMARILY responsible for which of the following?
Correct Answer: C
Question 87
Which of the following is NOT a technical control?
Correct Answer: C
Explanation/Reference: Explanation: Technical controls, also called logical access control mechanisms, are implemented in software or hardware to provide confidentiality, integrity, or availability protection. Examples are passwords, identification and authentication methods, security devices, auditing, and network configuration. Physical controls pertain to controlling individual access into the facility and its departments, locking systems, removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and checking environmental controls. Monitoring for physical intrusion is therefore a physical control, not a technical control.
Incorrect Answers: A: Password and resource management is an example of a technical control. B: Identification and authentication methods are examples of a technical control. D: Intrusion Detection Systems are an example of a technical control.
References: Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 28
Question 88
The Wireless Transport Layer Security (WTLS) Protocol in the Wireless Application Protocol (WAP) stack is based on which Internet Security Protocol?
Correct Answer: A
TLS is discussed in the answer to question 5. WTLS runs over a datagram transport (WDP, typically carried over UDP), so it has to provide itself the functionality that TLS gets for free from TCP in the TCP/IP suite, such as reliable, ordered delivery of handshake and record messages. WTLS supports data privacy, authentication and integrity. Because a WTLS session requires a large number of handshake messages when security is enabled, significant delays may occur over slow wireless links. During a WTLS handshake, one of the following security classes is negotiated:
Class 1. No certificates (anonymous; neither side is authenticated)
Class 2. The client does not have a certificate; the server has a certificate (server authentication only)
Class 3. The client and server both have certificates (mutual authentication)
Question 89
Which of the following statements pertaining to Kerberos is TRUE?
Correct Answer: A
The question was asking for a TRUE statement and the only correct statement is "Kerberos does not address availability". Kerberos addresses the confidentiality and integrity of information. It does not directly address availability; in fact the Key Distribution Center (KDC) is a single point of failure, and if it is unreachable no new tickets can be issued. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 42).
Question 90
Of the following, which multiple access method for computer networks does 802.11 Wireless Local Area Network use?
Correct Answer: A
Back when network hubs were commonly used, every frame sent was received by all stations, but only the station with the intended destination MAC address was supposed to process it. (A sniffer puts its network card into promiscuous mode so that it accepts frames addressed to any destination MAC and saves them for examination.) A hub provided no security or privacy. Hub networks also turned out not to be scalable because of the high number of frame collisions as the number of nodes and the amount of traffic increased. A collision is when two stations speak on the wire at the same time, so both frames are damaged and must be re-transmitted. Wireless networks are like hub networks because all stations within range "see" all traffic sent on the air. This situation is mitigated by the CSMA/CA access method. With CSMA/CA a node wishing to send first listens to the medium to see whether anybody is transmitting; if so, it waits, otherwise it sends its traffic.
CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) is the medium access protocol used in 802.11 networks. Unlike CSMA/CD (Carrier Sense Multiple Access/Collision Detect), which deals with transmissions after a collision has occurred, CSMA/CA acts to prevent collisions before they happen. In CSMA/CA, as soon as a node has a frame to send, it checks that the channel is clear (no other node is transmitting at the time). If the channel is clear, the frame is sent. If the channel is busy, the node draws a random number of time slots, called the backoff, and counts it down with a backoff counter only while the channel is idle; if the channel becomes busy again during the countdown, the counter is frozen and resumes once the channel is idle. When the backoff counter reaches zero the node transmits its frame. If the frame is not acknowledged (for example because two nodes picked the same backoff and collided), a new, larger backoff is drawn and the process is repeated.
The following answers are incorrect:
CSMA/CD: CSMA/CD does not work on wireless networks. A radio cannot transmit and listen on the same channel at the same time, so a wireless station cannot detect a collision while it is sending. In addition, "hidden nodes" that are out of range of each other but within range of the AP (Access Point) cannot sense one another's transmissions, so collision detection based on carrier sense fails. CSMA/CD is used only on wired networks. Carrier Sense Multiple Access/Collision Detect (CSMA/CD) is the protocol for carrier transmission access in Ethernet networks. On Ethernet, any device can try to send a frame at any time. Each device senses whether the line is idle and therefore available to be used. If it is, the device begins to transmit its frame. If another device has tried to send at the same time, a collision is said to occur and the frames are discarded. Each device then waits a random amount of time and retries until its transmission succeeds. CSMA/CD is specified in the IEEE 802.3 standard.
802.11 doesn't support multiple access methods: This isn't correct. 802.11 wireless supports multiple access to the wireless medium using CSMA/CA.
802.11 RTS/CTS exchange: This isn't an access method in itself; RTS (Request To Send) and CTS (Clear To Send) are control frames that supplement CSMA/CA. A node reserves the medium by sending an RTS, the AP answers with a CTS that all stations in its range hear, and stations that cannot hear the requesting node (hidden nodes) still learn to stay quiet for the reserved duration.
The following reference(s) were/was used to create this question: CEH - Certified Ethical Hacker: Sybex, Kimberly Graves - Wiley Publishing, INC 2010
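The following slot-based simulation is an added example written for this page; it is not taken from the cited CEH or CISSP material. It implements the CSMA/CA behaviour described above (sense, draw a random backoff, count it down only while the medium is idle, transmit at zero) for two stations sending to one access point, and it compares the case where the two stations hear each other with the hidden-node case where they do not. Frame length, contention window and the slot model are simplifications chosen for the example, and the `draw` callable lets a scripted backoff sequence replace the random generator so that the run is reproducible.

```python
"""Simplified 802.11-style CSMA/CA contention between two stations and an AP.

Added example, not part of the original question bank. Simplifications
(assumptions for the example): no DIFS/SIFS timing, no ACK frames, no retry
limit, and a single fixed contention window. Each station is described only
by which other stations it can sense, which is enough to show why carrier
sensing alone fails against a hidden node.
"""
import random
from dataclasses import dataclass

FRAME_SLOTS = 4   # slots one frame occupies on the air (assumed)
CW = 8            # contention window: backoff drawn from range(CW) (assumed)


@dataclass
class Station:
    name: str
    hears: frozenset      # names of stations whose carrier this station senses
    queue: int            # frames still waiting to be sent
    backoff: int = -1     # -1 means no backoff countdown in progress
    tx_left: int = 0      # slots remaining of the frame currently on the air


def simulate(stations, draw, max_slots=10_000):
    """Run slot by slot until every queue drains.

    `draw` is a zero-argument callable returning a backoff in range(CW).
    Returns (collisions, successes, slots_used). A frame collides when any
    other frame overlaps it on the air; the AP is assumed to hear everyone.
    """
    collisions = successes = 0
    collided = {}   # station name -> has its current frame been garbled?
    for slot in range(max_slots):
        if all(s.queue == 0 and s.tx_left == 0 for s in stations):
            return collisions, successes, slot
        on_air = {s.name for s in stations if s.tx_left > 0}
        for s in stations:
            if s.tx_left > 0 or s.queue == 0:
                continue
            if on_air & s.hears:          # carrier sensed: defer, freeze counter
                continue
            if s.backoff < 0:
                s.backoff = draw()        # medium idle: start a fresh backoff
            if s.backoff == 0:            # countdown finished: transmit
                s.backoff = -1
                s.queue -= 1
                s.tx_left = FRAME_SLOTS
                collided[s.name] = False
            else:
                s.backoff -= 1            # idle slot: count down
        active = [s for s in stations if s.tx_left > 0]
        if len(active) > 1:               # overlapping frames garble each other
            for s in active:
                collided[s.name] = True
        for s in active:
            s.tx_left -= 1
            if s.tx_left == 0:
                if collided.pop(s.name):
                    collisions += 1
                else:
                    successes += 1
    raise RuntimeError("simulation did not drain within max_slots")


def run_scenario(hidden, draws=None, frames=2):
    """Two stations with `frames` frames each; hidden=True means they cannot
    sense each other (both still reach the AP). `draws` is an optional
    scripted backoff sequence; otherwise a seeded PRNG is used."""
    a = Station("A", frozenset() if hidden else frozenset({"B"}), frames)
    b = Station("B", frozenset() if hidden else frozenset({"A"}), frames)
    if draws is None:
        rng = random.Random(1)
        draw = lambda: rng.randrange(CW)
    else:
        it = iter(draws)
        draw = lambda: next(it)
    return simulate([a, b], draw)


if __name__ == "__main__":
    for hidden in (False, True):
        c, s, t = run_scenario(hidden, frames=50)
        print(f"hidden={hidden}: {c} collisions, {s} successes in {t} slots")
```

With the scripted backoffs 1, 3, 2, 2 the mutually sensing pair delivers all four frames without a collision, while the hidden pair loses all four: station B counts its backoff down while A is still on the air because it never senses A's carrier. That is the gap the RTS/CTS exchange closes, since the AP's CTS is heard by both stations even when they cannot hear each other.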