2. Access Controls Flashcards

1
Q

Access control systems use what 2 items:

A

identification and authentication.

2
Q

Identification occurs…

A

when a subject professes an identity

3
Q

authentication occurs…

A

when the user proves the identity

4
Q

What are the three factors of authentication?

A

The three factors of authentication are something you know (such as passwords), something you have (such as proximity cards), and something you are (using biometrics).

5
Q

What are examples of something you have?

A

Proximity cards, smart cards, and hardware tokens

Gibson, Darril (2011-11-17). SSCP Systems Security Certified Practitioner All-in-One Exam Guide (Kindle Location 1529). McGraw-Hill Education. Kindle Edition.

6
Q

When more than one authentication factor is used, it is called…

A

multifactor authentication.

7
Q

When evaluating the effectiveness of biometrics, you should consider…

A

the type 1 and type 2 errors.

8
Q

What is a Type 1 error?

A

False Reject Rate (FRR or type 1 error) refers to the percentage of times a system falsely rejects a known user.

9
Q

What is a Type 2 error?

A

False Accept Rate (FAR or type 2 error) refers to the percentage of times a biometric system falsely identifies an unknown user as a known user.

10
Q

What is a CER?

A

The Crossover Error Rate (CER) indicates the point where the FAR and FRR are equal. Lower CERs indicate a better biometric system.

11
Q

Lower CERs indicate…

A

a better biometric system.

12
Q

Single sign-on (SSO) allows a user to authenticate…

A

once for a system.

13
Q

Many SSO systems use…

A

federated access, providing centralized authentication for different systems.

14
Q

What are other technologies that use one-time passwords?

A

OPIE and S/KEY

15
Q

A security kernel (a central part of an operating system) enforces security for the operating system by doing what?

A

monitoring subjects and objects.

16
Q

Examples of subjects are…

A

users, computers, and applications.

17
Q

Examples of objects include…

A

data, hardware, and facilities.

18
Q

Access controls can be one of which two things?

A

logical (implemented with technology such as a security kernel) or physical (such as locked doors).

19
Q

Which Access Control Model provides the most granular control?

A

The DAC model provides the most granular control. Individual users own the objects and can provide permissions to subjects as desired.

20
Q

DAC is used with file systems such as…

A

NTFS and NFS.

21
Q

The RBAC model uses ?. Subjects (such as users) are placed into ?, and permissions to objects are assigned directly to the ?. What single word is missing?

A

role(s)

22
Q

The MAC model is an example of a non-DAC model. Does it provide a higher or lower level of security than DAC?

A

It provides the highest level of security, is used by the military, and uses labels.

23
Q

What does MAC use to control access?

A

Labels.

24
Q

How does MAC security work?

A

Both subjects and objects are assigned labels and when the labels match, access is granted.

25
Q

Several architectures are based on the MAC model. What are they?

A

Bell-LaPadula
Biba
Clark-Wilson
Chinese Wall

26
Q

The Bell-LaPadula model has a primary goal of…

A

ensuring confidentiality and uses rules of no read up and no write down.

27
Q

The Biba model has a primary goal of…

A

ensuring integrity and uses rules of no read down and no write up.

28
Q

The Clark-Wilson model provides integrity by…

A

using certification and enforcement rules to enforce separation of duties.

29
Q

The Chinese Wall helps prevent conflicts of interest by…

A

preventing access to data organized in conflict-of-interest classes.

30
Q

Identity management includes:

A

provisioning, maintenance, and entitlement.

31
Q

Provisioning includes…

A

creating accounts and providing appropriate access.

32
Q

Entitlement refers to…

A

privileges granted to users and helps ensure that the principle of least privilege is followed.

33
Q

Although cloud computing provides reduced costs for many users, it also includes increased risk. Data hosted in the cloud can easily be compromised due to errors or problems with the cloud provider. How can this be mitigated?

A

Encrypting data on the client end can help provide confidentiality of data, but encrypting data using a cloud provider’s encryption services often does not provide adequate protection.

34
Q
1. A user provides a user logon name to profess an identity. What is this called? 
A. Authentication 
B. Accountability 
C. Identification 
D. Accounting
A

C. Identification is the act of a user professing an identity to a system. Authentication occurs if the user can also provide other credentials, such as a password. Accountability is possible if a system can identify users and track their activities. Accounting is provided by logging.

35
Q
2. What must occur before a system can implement access controls? 
A. Identification and authentication 
B. Identification and accountability 
C. Authentication and accounting 
D. Accountability and availability
A

A. Identification and authentication

Identification and authentication are the primary controls of most access control systems. Identification is the act of a user professing an identity, and authentication occurs when the user’s credentials (such as a password) are verified with a database. Accountability is not provided if users have not been identified and authenticated. Similarly, you can’t provide accurate accounting if users haven’t been identified and authenticated.

36
Q
Which of the following methods are used for authentication?
A. Something you say, something you think, and something you are
B. Something you know, something you have, and something you type
C. Something you know, something you say, and something you are
D. Something you know, something you have, and something you are
A

D. Something you know, something you have, and something you are

The three factors of authentication are something you know, something you have, and something you are. These factors are not known as something you think, something you type, or something you say.

37
Q
You are planning a password policy for your organization. What is the recommended minimum amount of time that can elapse before a password should be changed?
A. Passwords should be changed before at least one day has elapsed.
B. Passwords should be changed before at least five days have elapsed.
C. Passwords should be changed at least every 90 days.
D. Passwords should be changed at least every 120 days.
A

C. Passwords should be changed at least every 90 days.

Passwords should be changed at least every 90 days, but more secure organizations decrease this time to somewhere between 30 and 60 days. It’s often recommended that the maximum (not minimum) amount of time before changing the password be set to at least one day. Waiting four months (120 days) is too long.

38
Q
Which of the following choices does not ensure that a password is strong?
A. Ensuring that the password is of a sufficient length
B. Ensuring that the password is changed frequently
C. Ensuring that the password has a mixture of different character types
D. Ensuring that the password does not include any part of the user’s name
A

B. Ensuring that the password is changed frequently

A password should be changed regularly but, by doing so, it doesn’t ensure the password is strong. For example, if it is changed from “pass” to “word,” it is not strong. The other options all contribute to the strength of a password.

39
Q
When is it acceptable for a user to give out a password to another person?
A. Never
B. Only when asked to by the user’s banking facility
C. Only when asked to by the user’s Internet service provider (ISP)
D. Only when asked to by a fellow worker whom they trust
A

A. Never

It is never acceptable for a user to give out a password to another person. The password proves a user’s identity, and if others have it, they can impersonate the user. Social engineers often ask users to give out their passwords (such as in phishing e-mails) and many users do, only to have their identities stolen.

40
Q
What form(s) of authentication are individuals using when they authenticate with a smart card and a PIN?
A. Something they have only
B. Something they know only
C. Something they have and something they know
D. Something they have and something they are
A

C. Something they have and something they know

The two factors of authentication are something they have (the smart card) and something they know (the PIN). The third factor of authentication is something you are (using biometrics), but neither a smart card nor a PIN uses biometrics.

41
Q
8. Of the following choices, what is not used for biometrics?
A. Fingerprints
B. Retinal scans
C. Voice recognition
D. Pattern recognition
E. Keyboard dynamics
A

D. Pattern recognition

Pattern recognition is not a specific method used for biometrics, but fingerprints, retinal scans, voice recognition, and face recognition are all biometric methods.

42
Q
9. When evaluating a biometric system for accuracy, what should you consider? 
A. FRF 
B. FAER 
C. CER 
D. CEFR
A

C. CER

The Crossover Error Rate (CER) identifies where the False Accept Rate (FAR) matches the False Reject Rate (FRR). CER, FAR, and FRR are three main performance measurements used in biometrics. The other acronyms are not used for biometric accuracy.

43
Q
What is SSO?
A. A system that requires user credentials once and uses the same credentials for the entire session
B. An authentication system that requires users to use different credentials for each resource they access
C. A secure system used for operations
D. Any network that employs secure access controls
A

A. A system that requires user credentials once and uses the same credentials for the entire session

Single sign-on requires users to log on once and it uses the same credentials for any other resources accessed during the session. Users are not required to use different credentials for each resource.

44
Q
11. Which of the following is not used for SSO? 
A. Kerberos 
B. Decentralized authentication 
C. KryptoKnight 
D. SESAME
A

B. Decentralized authentication

Centralized (not decentralized) authentication systems are needed for advanced single sign-on (SSO). SSO allows a user to log on once, and then the same credentials are used to access resources without requiring the user to log on again. Kerberos, KryptoKnight, and SESAME are all technologies used to implement SSO.

45
Q
12. What can be used to allow users to access multiple systems owned and managed by different organizations after logging on only once? 
A. Clark-Wilson 
B. Chinese Wall 
C. Federated access 
D. Software-as-a-Service
A

C. Federated access

Federated access single sign-on (SSO) systems allow users to access systems owned and managed by different organizations by logging on once using credentials recognized by the federated access system. Clark-Wilson and Chinese Wall are access control models, and both enforce separation of duties. Software-as-a-Service (SaaS) is a cloud computing technology that provides users with access to software or applications over the Internet.

46
Q
Of the following choices, which one is true for a one-time password?
A. Hardware tokens are asynchronous.
B. OPIE uses AES to encrypt the password.
C. Bell-LaPadula uses synchronous one-time passwords.
D. S/KEY uses MD4 or MD5 to create a hash.
A

D. S/KEY uses MD4 or MD5 to create a hash.

Both S/KEY and OPIE use MD4 or MD5 to create a hash used in one-time passwords. Hardware tokens are synchronous, not asynchronous. Bell-LaPadula is an access control architecture that enforces confidentiality.

47
Q
Of the following choices, what enforces logical access controls?
A. The security kernel enforces logical access controls.
B. The security guards enforce logical access controls.
C. Alarm systems enforce logical access controls.
D. Cipher locks enforce logical access controls.
A

A. The security kernel enforces logical access controls.

The security kernel enforces logical access controls on an operating system. All the other access controls are examples of physical access controls.

48
Q
15. Of the following choices, what is not an example of a technology that uses a one-time password? 
A. S/Key 
B. OPIE 
C. Biometrics 
D. Hardware-based token
A

C. Biometrics

Biometrics authenticates an individual based on his or her physical characteristics, such as the user’s fingerprint or keyboard dynamics. The other three are examples of technologies that use one-time passwords.

49
Q
16. Which of the following models help to enforce the principle of separation of duties? 
A. Chinese Wall and Clark-Wilson 
B. Chinese Wall and Biba 
C. Clark-Wilson and Bell-LaPadula 
D. Biba and Bell-LaPadula
A

A. Chinese Wall and Clark-Wilson

Both the Clark-Wilson and Chinese Wall access control models enforce the principle of separation of duties. The Clark-Wilson model also enforces integrity and the Chinese Wall model also enforces confidentiality. Biba enforces integrity. Bell-LaPadula enforces confidentiality.

50
Q
17. What is RBAC? 
A. Role-based Access Control 
B. Risk-based Access Control 
C. Risk Buffer Acceptance Containment 
D. Role-based Accountability Computer
A

A. Role-based Access Control

RBAC is an acronym for Role-based Access Control. Permissions are assigned to subjects based on their roles.

51
Q
18. What can be used to prevent a user from reusing the same password? 
A. Minimum password age 
B. Maximum password age 
C. Password length 
D. Password history
A

D. Password history

Password history remembers a user’s previous passwords (such as the user’s past 24 passwords) and prevents users from reusing any password in the history. The minimum password age is used with the password history to prevent users from changing their password repeatedly to get back to the original password. It is often set to one day. The maximum password age identifies when users must change their passwords. The password length identifies the minimum number of characters in the password.

52
Q
What should be done if a user leaves the company?
A. Delete the user’s account as soon as possible.
B. Disable the user’s account as soon as possible.
C. Change the user’s password as soon as possible.
D. Change the user’s permissions as soon as possible.
A

B. Disable the user’s account as soon as possible.

User accounts should be disabled as soon as possible after the user leaves the company under any circumstances. The account should not be disabled until it’s determined that the account is not needed. Changing the password without disabling the account will still allow the account to be used. Disabling the account will remove the access and is more direct than changing permissions.

53
Q
20. What can be used to disable an account if a user enters the wrong password too many times?
A. A password policy 
B. An account lockout policy 
C. A password history 
D. De-provisioning accounts
A

B. An account lockout policy

An account lockout policy can disable an account if a user (or an attacker) enters the wrong password too many times. The threshold is often set to three or five, causing an account to be locked out after a user enters the wrong password three or five times, respectively. A password policy ensures that users create strong passwords and regularly change their password. Password history prevents users from reusing the same password. De-provisioning refers to ensuring that user rights and permissions are adjusted when users change jobs.

54
Q
Which of the following is an example of Software-as-a-Service (SaaS)?
A. Access to an operating system over the Internet
B. Access to a server over the Internet
C. Web-based e-mail
D. VM Escape
A

C. Web-based e-mail

Web-based e-mail is an example of SaaS. SaaS is also known as on-demand software and it provides users with access to software or applications over the Internet. Platform-as-a-Service (PaaS) is a cloud computing service where users have access to a platform with an operating system. Infrastructure-as-a-Service (IaaS) provides users with access to hardware such as servers or network devices. VM Escape is an attack on virtual systems.

55
Q
Which of the following represents the greatest risk to virtual systems?
A. Confidentiality
B. VM Escape
C. Increased costs for power and cooling
D. Loss of control of data in the cloud
A

B. VM Escape

VM Escape is a known attack against virtual systems. If the attack is successful, an attacker can access the host system and all virtual systems within the host. Loss of confidentiality (not confidentiality) is a risk that can be reduced with encryption. Virtualization reduces costs for power and cooling. Loss of control of data stored in the cloud is a risk associated with cloud computing, but organizations can use virtual systems internally to keep control of their data.

56
Q

T/F Objects are passive.

A

True

57
Q

What is AAA?

A

Authentication
Authorization
Accountability

58
Q

Describe Biba.

A

Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt objects in a level ranked higher than the subject, or be corrupted by objects from a lower level than the subject.

59
Q

In Biba, data and subjects are grouped into ? levels of integrity.

A

ordered

60
Q

In Biba, the model is designed so that subjects may not corrupt objects in a level ranked ? than the subject, or be corrupted by objects from a ? level than the subject.

A

higher

lower

61
Q

In general the Biba model was developed to circumvent a weakness in the ? model which only addresses data confidentiality.

A

Bell-LaPadula

62
Q

This security model is directed toward data integrity (rather than confidentiality) and is characterized by the phrase: “no read down, no write up”

A

Biba

63
Q

Which model is characterized by the phrase “no write down, no read up”?

A

Bell-LaPadula