21 Flashcards

1
Q

Group-based access control in MS Windows environments is an example of:

A

** RBAC **

Group-based access control in MS Windows environments is an example of RBAC, which stands for Role-Based Access Control. Windows security groups act as the roles: permissions on files, shares and directory objects are granted to the group, and a user acquires them through group membership rather than through individual assignment, so adding or removing a member is the whole provisioning step.

2
Q

An access control model in which access to resources is granted or denied depending on the contents of Access Control List (ACL) entries is called:

A

** Rule-Based Access Control **

The access control model in which access to resources is granted or denied depending on the contents of Access Control List (ACL) entries is called Rule-Based Access Control. It is sometimes also abbreviated RBAC, which collides with Role-Based Access Control; RuBAC is used where the two need to be told apart.

In Rule-Based Access Control, decisions are made by evaluating the rules in the ACL attached to a resource (or, on a firewall, to an interface). Each ACL entry pairs a matching condition (a user, group, address, protocol or port) with a permission or action. Entries are typically evaluated in order with the first match winning and an implicit deny at the end, so the order of the rules is part of the policy.

3
Q

Which of the following answers refer to the Rule-Based Access Control (RBAC) model? (Select 2 answers)

A
  • Access to resources granted or denied depending on Access Control List (ACL) entries
  • Implemented in network devices such as firewalls to control inbound and outbound traffic based on filtering rules
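The two answers above describe the same mechanism at different layers. As an added example that is not part of the original deck, here is a first-match, default-deny packet filter evaluator in Python with a constructed inbound ACL; the Rule and Packet types, the rule set and the documentation-range addresses are all invented for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: a first-match, default-deny filter ACL of the kind a
# firewall or router applies to inbound traffic. Not code from the original page.


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR such as "10.0.0.0/8", or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _in_cidr(cidr: str, addr: str) -> bool:
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _in_cidr(rule.src, pkt.src)
            and _in_cidr(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule).

    Rules are evaluated top-down and the first match wins, so order matters:
    a broad permit placed above a specific deny shadows the deny. Anything
    that matches no rule hits the implicit deny at the end (index None).
    """
    for idx, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return "deny", None


# Constructed ACL for an Internet-facing interface (addresses are documentation ranges).
INBOUND_ACL = [
    # Anti-spoofing: internal addresses must never arrive from the outside.
    Rule("deny", "any", "10.0.0.0/8", "any", None),
    # Public web server: HTTPS and HTTP only.
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443),
    Rule("permit", "tcp", "any", "203.0.113.10/32", 80),
    # DNS from one partner network only.
    Rule("permit", "udp", "198.51.100.0/24", "203.0.113.53/32", 53),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.2.3", "203.0.113.10", 443),
                Packet("tcp", "192.0.2.7", "203.0.113.10", 443),
                Packet("tcp", "192.0.2.7", "203.0.113.10", 22),
                Packet("udp", "198.51.100.9", "203.0.113.53", 53)):
        print(pkt, "->", evaluate(INBOUND_ACL, pkt))
```

The anti-spoofing deny sits first on purpose: if it were placed below the HTTPS permit, a packet with a forged 10.x source aimed at port 443 would be accepted by the earlier rule and the deny would never be reached.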
4
Q

Which of the following answers list the characteristic features of the Mandatory Access Control (MAC) model? (Select 3 answers)

A
  • Users are not allowed to change access policies at their own discretion
  • Labels and clearance levels can only be applied and changed by an administrator
  • Every resource has a sensitivity label matching a clearance level assigned to a user
5
Q

Which of the following access control models enforces the strictest set of access rules?

A

** MAC **

MAC (Mandatory Access Control) enforces the strictest set of access rules. In MAC, access control decisions are based on security labels and clearances assigned to both users and resources. These labels and clearances are determined by administrators and follow a strict security policy. Users can only access resources for which they have the necessary clearance level, and they cannot arbitrarily change access permissions.

MAC is commonly used in high-security environments where access control is critical and needs to be rigorously enforced to protect sensitive information.
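The label and clearance checks described in the two MAC cards above, as an added example that is not part of the original deck: a small reference monitor implementing the Bell-LaPadula rules (no read up, no write down) that the MAC model is usually taught with. The level names, compartments, user and file names are invented for the example, and write-up is permitted as in the strict model; real implementations such as SELinux MLS often restrict writes to the subject's own level.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Constructed example of a MAC reference monitor using Bell-LaPadula rules.
# Not code from the original page; labels, users and file names are invented.

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label (on objects) or clearance (on subjects)."""
    level: str
    categories: FrozenSet[str] = frozenset()   # need-to-know compartments

    def dominates(self, other: "Label") -> bool:
        # Higher-or-equal level AND a superset of the other's compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


class ReferenceMonitor:
    def __init__(self, admins):
        self._admins = set(admins)
        self._clearance: Dict[str, Label] = {}
        self._labels: Dict[str, Label] = {}

    def _require_admin(self, actor: str) -> None:
        # Only an administrator may assign or change labels. Ordinary users,
        # including the owner of a resource, cannot: that is what separates
        # MAC from DAC.
        if actor not in self._admins:
            raise PermissionError(f"{actor} may not change MAC policy")

    def set_clearance(self, actor: str, user: str, label: Label) -> None:
        self._require_admin(actor)
        self._clearance[user] = label

    def set_label(self, actor: str, obj: str, label: Label) -> None:
        self._require_admin(actor)
        self._labels[obj] = label

    def can_read(self, user: str, obj: str) -> bool:
        """Simple security property: no read up."""
        s, o = self._clearance.get(user), self._labels.get(obj)
        if s is None or o is None:
            return False            # unlabeled subject or object: fail closed
        return s.dominates(o)

    def can_write(self, user: str, obj: str) -> bool:
        """*-property: no write down (write only at or above one's own label)."""
        s, o = self._clearance.get(user), self._labels.get(obj)
        if s is None or o is None:
            return False
        return o.dominates(s)


def relabel_allowed(rm: ReferenceMonitor, actor: str, obj: str, label: Label) -> bool:
    """True if the actor was allowed to change the object's label."""
    try:
        rm.set_label(actor, obj, label)
        return True
    except PermissionError:
        return False


def build_demo() -> ReferenceMonitor:
    rm = ReferenceMonitor(admins={"secadmin"})
    rm.set_clearance("secadmin", "alice", Label("SECRET", frozenset({"CRYPTO"})))
    rm.set_clearance("secadmin", "bob", Label("CONFIDENTIAL"))
    rm.set_label("secadmin", "memo.txt", Label("CONFIDENTIAL"))
    rm.set_label("secadmin", "keys.txt", Label("SECRET", frozenset({"CRYPTO"})))
    rm.set_label("secadmin", "plan.txt", Label("TOP_SECRET", frozenset({"CRYPTO"})))
    return rm


if __name__ == "__main__":
    rm = build_demo()
    for user, obj in (("alice", "plan.txt"), ("bob", "keys.txt"), ("alice", "memo.txt")):
        print(user, obj, "read:", rm.can_read(user, obj), "write:", rm.can_write(user, obj))
```

Note that alice can read memo.txt but not write to it: the *-property stops a SECRET subject from copying SECRET content into a CONFIDENTIAL file, which is the leak DAC cannot prevent once a user with read access decides to share.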

6
Q

Discretionary Access Control (DAC) is an access control model based on user identity. In DAC, every object has an owner who at his/her own discretion determines what kind of permissions other users can have to that object.

A

True

7
Q

A security solution that provides control over elevated (i.e. administrative type) accounts is known as:

A

** PAM **

A security solution that provides control over elevated (i.e., administrative-type) accounts is known as PAM, which here stands for Privileged Access Management.

PAM solutions vault the credentials of privileged accounts (root, local and domain administrators, service accounts), broker and record administrative sessions, grant elevated rights just in time for a specific task, and rotate the passwords afterwards, so that standing administrator access is minimised and every privileged action is attributable and auditable. Do not confuse it with Pluggable Authentication Modules, the PAM framework on Unix-like systems that configures how a login is authenticated (password, key, MFA and so on); that PAM is an authentication mechanism, not a control over privileged accounts.

8
Q

Which of the following answers refers to a rule-based access control mechanism associated with files and/or directories?

A

** FACL **

The rule-based access control mechanism associated with files and/or directories is FACL, which stands for File Access Control List. A FACL extends the basic owner/group/other permission bits with entries for additional named users and groups; on Linux they are inspected and set with getfacl and setfacl, and a default ACL placed on a directory is inherited by the files created inside it.

9
Q

Which of the following answers refers to a hierarchical system for the creation, management, storage, distribution, and revocation of digital certificates?

A

** PKI **

The term that refers to a hierarchical system for the creation, management, storage, distribution, and revocation of digital certificates is PKI, which stands for Public Key Infrastructure.

PKI is a framework that includes policies, standards, and technologies for securing communication and verifying the identities of users, devices, and services in a networked environment. It involves the use of digital certificates issued by Certificate Authorities (CAs) to authenticate and secure data transmission. PKI plays a crucial role in ensuring the confidentiality, integrity, and authenticity of digital information and communications.

10
Q

A type of trusted third party that issues digital certificates used for creating digital signatures and public-private key pairs is known as:

A

** CA **

Certificate Authority (CA). The CA verifies the identity of the requester and signs a certificate that binds the requester's public key to that identity. The key pair itself is normally generated by the requester, not the CA; the CA's signature is what lets relying parties trust the binding.

11
Q

What is the PKI role of Registration Authority (RA)?

A
  • Accepting requests for digital certificates
  • Authenticating the entity making the request
  • Forwarding the verified request to the CA, which issues and signs the certificate (an RA does not sign certificates itself)
12
Q

Which of the following solutions allow to check whether a digital certificate has been revoked? (Select 2 answers)

A
  • CRL (Certificate Revocation List): a regularly updated, CA-signed list of the serial numbers of certificates that have been revoked before their expiration dates. Clients download the CRL and check whether a particular certificate's serial number appears on it.
  • OCSP (Online Certificate Status Protocol): a protocol used to obtain the revocation status of a single digital certificate on demand. Instead of relying on periodically updated lists like CRLs, OCSP allows a client to send a request to the CA's OCSP responder and receive a signed good/revoked/unknown answer for that certificate at the moment of the request.
13
Q

What is the fastest way for checking the validity of a digital certificate?

A

** OCSP **

OCSP (Online Certificate Status Protocol) is a protocol used to obtain the revocation status of a single digital certificate on demand. Instead of downloading and searching a periodically updated CRL, the client sends a request for that one certificate's serial number to the CA's OCSP responder and receives a signed "good", "revoked" or "unknown" answer at the moment of the request.

14
Q

Which of the answers listed below refers to a method for requesting a digital certificate?

A

** CSR **

Certificate Signing Request (CSR). The applicant generates a key pair, builds a CSR containing the public key and the requested subject details (CN, organization, SANs), and signs it with the corresponding private key. Only the CSR is sent to the CA, so the private key never leaves the applicant's system.

15
Q

In a digital certificate, the Common Name (CN) field describes a device, an individual, an organization, or any other entity the certificate has been issued for. In an SSL certificate, CN refers to the Fully Qualified Domain Name (FQDN), which is the domain name of the server protected by the SSL certificate

A

True

Note that for hostname verification modern browsers and TLS libraries check only the Subject Alternative Name (SAN) extension and ignore the CN, so a server certificate must carry the FQDN as a SAN entry even when it also appears in the CN.

16
Q

Which digital certificate type allows multiple subdomains to be protected by a single certificate?

A

Wildcard certificate

17
Q

A digital certificate which allows multiple domains to be protected by a single certificate is known as:

A

Subject Alternative Name (SAN) certificate
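As an added example (not from the original deck) of how a TLS client decides which names a certificate covers: wildcard and SAN matching following the RFC 6125 rules that browsers apply. The dict representation of a certificate and the allow_cn_fallback switch are assumptions of this example, not a real library API.

```python
import ipaddress

# Constructed example (not from the original page): hostname matching against a
# certificate's Subject Alternative Names, with the RFC 6125 wildcard rules that
# browsers apply. Certificates are plain dicts here for clarity:
#   {"cn": str, "dns_sans": [str, ...], "ip_sans": [str, ...]}


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry (possibly with a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or _is_ip(hostname):
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label ("*.example.com"), not a
    # fragment ("w*.example.com"), and must not appear anywhere else.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    # Refuse overly broad wildcards such as "*.com" or "*".
    if len(p_labels) < 3:
        return False
    # "*" covers exactly one label: "www.example.com" yes, "a.b.example.com" no,
    # and the bare "example.com" no (it needs its own SAN entry).
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def hostname_matches(cert: dict, hostname: str, allow_cn_fallback: bool = False) -> bool:
    dns_sans = list(cert.get("dns_sans", []))
    ip_sans = list(cert.get("ip_sans", []))
    if _is_ip(hostname):
        # IP literals match only iPAddress entries, never DNS names or wildcards.
        return any(ipaddress.ip_address(hostname) == ipaddress.ip_address(ip)
                   for ip in ip_sans)
    if dns_sans or ip_sans:
        # When a SAN extension is present the CN is ignored (RFC 6125, browsers).
        return any(dns_name_matches(p, hostname) for p in dns_sans)
    # No SAN at all: modern browsers reject outright; legacy clients fell back to CN.
    cn = cert.get("cn")
    return allow_cn_fallback and isinstance(cn, str) and dns_name_matches(cn, hostname)


if __name__ == "__main__":
    wildcard = {"cn": "*.example.com", "dns_sans": ["*.example.com", "example.com"]}
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, hostname_matches(wildcard, host))
```

The wildcard certificate in the demo lists both "*.example.com" and "example.com" as SANs because the wildcard alone does not cover the apex name; a SAN certificate for unrelated domains simply lists each one, which is the difference the two cards above draw.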

18
Q

Code-signing certificates are used to verify the authenticity and integrity of software. Self-signed certificates have a lower level of trustworthiness, because they are not signed by a Certificate Authority (CA) and a relying party has to trust each one explicitly. Computer certificates (a.k.a. machine certificates) are used to prove the identity of devices. S/MIME certificates are used to encrypt and digitally sign email messages. User digital certificates provide improved security during authentication and authorization of individuals. Root certificates are self-signed certificates that identify a root Certificate Authority (CA). Domain Validation (DV) certificates prove only that the applicant controls the domain (checked through a DNS record, an HTTP challenge or an email to the domain), not who the applicant is. Extended Validation (EV) certificates, for which the CA verifies the legal identity of the organization, provide the highest level of trust and protection.

A

True

19
Q

What are the characteristic features of the Distinguished Encoding Rules (DER) digital certificate format? (Select 3 answers)

A
  • Encoded in binary format
  • .der and .cer file extensions
  • Generally used for Java servers
20
Q

Which of the following answers refer to the Privacy-Enhanced Mail (PEM) digital certificate format?

A
  • Encoded in text (ASCII Base64) format
  • .pem, .crt, .cer and .key file extensions
  • Generally used for Apache servers or similar configurations
21
Q

What are the characteristic features of the Personal Information Exchange (PFX) and P12 digital certificate format? (Select 3 answers)

A
  • .pfx and .p12 file extensions
  • Generally used for Microsoft Windows servers
  • Encoded in binary format
PFX/P12 is the PKCS#12 container: it bundles the private key together with the certificate and its chain in a single password-protected file. That is why it is the format used to move a server identity between machines, and why a .pfx file must be handled as a secret rather than as a public certificate.
22
Q

Which of the following answers refer to the P7B digital certificate format?

A
  • Encoded in text (ASCII Base64) format
  • .p7b file extension
  • Generally used for Microsoft Windows and Java Tomcat servers
P7B is the PKCS#7 format: it carries one or more certificates (typically the issued certificate plus the intermediate chain) but never a private key, so it is safe to distribute but cannot by itself configure a server; the private key has to be supplied separately.
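As an added example, not from the original deck, of the difference between the binary and Base64 encodings the four format cards above describe: a small Python tool that tells DER from PEM, checks that a DER blob's outer length field actually covers the data, and converts between the two encodings. The DER sample is a hand-built SEQUENCE constructed for this example, not a real certificate, and the PEM handling covers CERTIFICATE and PKCS7 bodies alike; it does not parse PKCS#12, which additionally requires decrypting the private key with the file password.

```python
import base64
import re
import textwrap
from typing import Tuple

# Constructed example (not from the original page): distinguishing DER from PEM,
# validating the outer DER length, and converting between the two encodings.
# SAMPLE_DER below is a hand-built SEQUENCE, not a real certificate.

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value using the minimal length form DER requires."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])                                            # short form
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")   # long form
    return bytes([tag]) + length + content


def der_header(data: bytes) -> Tuple[int, int, int]:
    """Return (tag, content_length, header_length) of the outermost TLV."""
    if len(data) < 2:
        raise ValueError("too short for a DER header")
    tag, first = data[0], data[1]
    if first < 0x80:
        return tag, first, 2
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    nbytes = first & 0x7F
    if len(data) < 2 + nbytes:
        raise ValueError("truncated length field")
    length = int.from_bytes(data[2:2 + nbytes], "big")
    if length < 0x80 or data[2] == 0:
        raise ValueError("non-minimal length encoding is not DER")
    return tag, length, 2 + nbytes


def is_complete_der(data: bytes) -> bool:
    """True if the outer SEQUENCE's declared length exactly covers the data."""
    try:
        tag, length, hdr = der_header(data)
    except ValueError:
        return False
    return tag == 0x30 and hdr + length == len(data)


def detect_format(data: bytes) -> str:
    # Check for the PEM armour first: a text file that happens to start with the
    # character "0" also begins with byte 0x30, the DER SEQUENCE tag.
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30" and is_complete_der(data):
        return "DER"
    return "unknown"


def pem_encode(label: str, der: bytes) -> str:
    body = base64.b64encode(der).decode("ascii")
    return (f"-----BEGIN {label}-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + f"\n-----END {label}-----\n")


def pem_decode(text: str) -> Tuple[str, bytes]:
    """Return (label, DER bytes) of the first PEM block; rejects malformed bodies."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    der = base64.b64decode(body, validate=True)
    if not is_complete_der(der):
        raise ValueError("PEM body does not decode to a complete DER SEQUENCE")
    return label, der


# Constructed sample: SEQUENCE { INTEGER 65537, OCTET STRING of 200 bytes }.
# The 200-byte element forces the long-form length (0x81 0xd0) on the outer SEQUENCE.
SAMPLE_DER = der_tlv(0x30, der_tlv(0x02, b"\x01\x00\x01") + der_tlv(0x04, b"A" * 200))

if __name__ == "__main__":
    pem = pem_encode("CERTIFICATE", SAMPLE_DER)
    print(detect_format(SAMPLE_DER), detect_format(pem.encode()), der_header(SAMPLE_DER))
    print(pem)
```

Because PEM is just the DER bytes in Base64 between text markers, a .cer or .crt file can legitimately be either; sniffing the content, as detect_format does, is more reliable than trusting the extension.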
23
Q

Which of the following allows for checking digital certificate revocation status without contacting Certificate Authority (CA)?

A

** Stapling **

The option that allows for checking digital certificate revocation status without the client contacting the Certificate Authority (CA) is Stapling.

Certificate Stapling, specifically OCSP Stapling (Online Certificate Status Protocol Stapling), is a technique used in SSL/TLS connections. In OCSP Stapling the web server, rather than each client, periodically queries the CA's OCSP responder, caches the signed and time-stamped response, and sends ("staples") it alongside its certificate during the TLS handshake. The client verifies the CA's signature on the stapled response and so learns the revocation status without contacting the CA itself, which removes a round trip from the handshake and keeps the client's browsing from being reported to the CA. Because the response is signed by the CA (or its delegated responder) and carries a validity window, the server cannot forge it; it can only serve a stale one or omit it, and the must-staple certificate extension exists to turn an omission into a hard failure.

24
Q

Which of the following answers refers to a deprecated security mechanism designed to defend HTTPS websites against impersonation attacks performed with the use of fraudulent digital certificates?

A

** Pinning **

Pinning (HTTP Public Key Pinning, HPKP) was a security mechanism used by some web sites to prevent web site impersonation. The site sent clients a header listing hashes of the public keys it expected in its certificate chain, and a browser that had seen the header rejected later connections whose chain contained none of the pinned keys, even if a trusted CA had issued the fraudulent certificate. HPKP has been deprecated and removed from major browsers: a site that pinned the wrong key, or lost the pinned key, locked out its own users for the lifetime of the pin, and an attacker who briefly controlled a site could set hostile pins. Certificate Transparency logs are the mechanism that replaced it for detecting mis-issued certificates.

25
Q

Which of the answers listed below refer to examples of PKI trust models?

A
  • Single CA model
  • Hierarchical model (root CA + intermediate CAs)
  • Mesh model (cross-certifying CAs)
  • Web of trust model (all CAs act as root CAs)
  • Client-server mutual authentication model
All of the above