3 - Access Control Flashcards

1
Q
Authorization is often characterized by?
a. An audit log
b. A biometric
c. A security label or classification
d. A challenge response token
A

C: Authorization is often characterized by a security label or classification.

2
Q
Which of the following can be used as either an identification or an authentication factor?
a. Employee code
b. Username
c. Challenge-response token
d. Biometric
A

D: A biometric can be used as either an identification or an authentication factor.

3
Q
A fingerprint is an example of what type of authentication factor?
a. Type 1
b. Type 2
c. Type 3
d. Type 4
A

C: A fingerprint is an example of a Type 3 authentication factor - something you are.

4
Q
Something you have is what type of authentication factor?
a. Type 1
b. Type 2
c. Type 3
d. Type 4
A

B: Something you have is a Type 2 authentication factor.

5
Q
What are the three fundamental principles of security?
a. Confidentiality, Integrity, Availability
b. Authentication, Authorization, Accountability
c. Accessibility, Integrity, Secrecy
d. Privacy, Control, Prevention
A

A: The three fundamental principles of security are Confidentiality, Integrity, and Availability.

6
Q
What is the process of verifying the identity of a subject?
a. Authorization
b. Authentication
c. Auditing
d. Accountability
A

B: The process of identity verification is authentication.

7
Q
The most secure form of password is which of the following?
a. Static password
b. Dynamic password
c. One time password
d. Cognitive password
A

C: A one time password is the most secure type of password, since it is used only once then it becomes invalid. One-time passwords are a form of dynamic passwords. However, not all types of dynamic passwords are as secure as a one-time password.

8
Q
The False Acceptance Rate (Type II) error of a biometric device indicates what?
a. The rate at which authorized users are not granted access
b. The rate at which authorized users are granted access
c. The rate at which unauthorized users are not granted access
d. The rate at which unauthorized users are granted access
A

D: A False Acceptance Rate (a Type II) error of a biometric device indicates the rate at which unauthorized users are granted access.

9
Q
A secure access control mechanism will default to?
a. No access
b. Minimal access
c. Least privilege
d. Need to know access
A

A: A secure access control mechanism will default to no access.

10
Q
What is the primary disadvantage of single sign on?
a. Password management and administration
b. Users can roam the network without further interactive authentication
c. User work task prohibitive
d. Length of time required to perform logon
A

B: The primary disadvantage of single sign on is that users can roam the network without further interactive authentication, so a single compromised credential or hijacked session exposes every system that trusts the sign-on.

11
Q
A Type 1 authentication factor is also known as?
a. Something you know
b. Something you have
c. Something you are
d. Something you do
A

A: A Type 1 authentication factor is something you know.

12
Q
Auditing is dependent upon all but which of the following?
a. Identification
b. Accountability
c. Authorization
d. Authentication
A

B: Auditing is not dependent upon accountability. In fact, accountability is dependent upon auditing. Accountability is the result of the mechanisms of identification, authentication, authorization, access control, and auditing, which together are used to hold people responsible for their online activities.

13
Q
When two types of authentication are employed to provide improved security, this is known as?
a. Challenge-response authentication
b. One-time authentication
c. Single sign-on
d. Two-factor authentication
A

D: The use of two forms of authentication is known as two-factor authentication.

14
Q
What type of password offers the best security possible for password-based authentication?
a. One-time passwords
b. Static passwords
c. Dynamic passwords
d. Passphrases
A

A: One-time passwords offer the best security for password based authentication.

15
Q
Authorization can be illustrated by all but which of the following?
a. need to know
b. access control matrix
c. security label
d. password
A

D: A password is an example of an authentication factor, not an authorization method.

16
Q
Which of the following is not an example of a logical access control?
a. Perimeter padlocked gates
b. Restricted database interfaces
c. Forced logons to the operating system
d. Centralized remote access authentication services
A

A: Perimeter padlocked gates are an example of physical access control.

17
Q
Which of the following is not typically considered an identification factor?
a. account number
b. password
c. biometric feature
d. employee identification
A

B: A password is usually considered an authentication factor.

18
Q
Which of the following is usually not labeled as an entity that serves as a subject and an object?
a. user
b. database
c. program
d. computers
A

A: Users are usually labeled only as subjects.

19
Q
Which of the following is the act of providing the who of a subject and is the first step in establishing accountability?
a. Authorization
b. Identification
c. Auditing
d. Non-repudiation
A

B: Identification establishes the who of a subject and is the first step in establishing accountability.

20
Q
Which of the following represents the activity of verifying the claimed identity of a subject?
a. authorization
b. accountability
c. authentication
d. availability
A

C: Authentication represents the activity of verifying the claimed identity of a subject.

21
Q
A password is an example of what type of authentication factor?
a. Type 1
b. Type 2
c. Type 3
d. Type 4
A

A: A password is an example of a Type 1: something you know authentication factor.

22
Q
A Type 3 authentication factor is?
a. Something you have
b. Something you are
c. Something you know
d. Something you provide
A

B: A Type 3 authentication factor is something you are; a fingerprint is an example.

23
Q
Which form of password may require unique or different interactions or responses from the subject each time they attempt to logon?
a. static password
b. dynamic password
c. cognitive password
d. passphrase
A

C: A cognitive password is a collection of questions and answers that only the subject should know. A random selection from the databank of available queries is presented at each logon.

24
Q
Which of the following is also a dynamic password?
a. passphrase
b. PIN
c. smart card
d. one time password
A

D: A one time password is a form of dynamic password.

25
Q
Biometrics can be used directly for all but which of the following purposes?
a. Identification
b. Physical access control
c. Accountability
d. Authentication
A

C: Biometrics cannot be used directly to provide for accountability. Biometrics are used indirectly for accountability if they are employed as a means of identification or authentication.

26
Q
When used as an ____________ method, biometrics function as a one to one function.
a. identification
b. authorization
c. impersonation
d. authentication
A

D: When used as an authentication method, biometrics function as a one-to-one comparison: the presented sample is matched against the single template of the claimed identity. Used for identification, the sample is instead searched against every enrolled template (one-to-many).

27
Q
A Type I biometric error indicates what?
a. The rate at which authorized users are not granted access
b. The rate at which authorized users are granted access
c. The rate at which unauthorized users are not granted access
d. The rate at which unauthorized users are granted access
A

A: A False Rejection Rate (Type I) error of a biometric device indicates the rate at which authorized users are not granted access.

28
Q
The primary use of the crossover error rate, when comparing devices, is what?
a. sensitivity adjustment
b. comparison of similar biometric devices
c. configuration control
d. reducing enrollment time
A

B: The primary use of the crossover error rate (CER), the sensitivity setting at which the false acceptance and false rejection rates are equal, is to compare similar biometric devices; a lower CER indicates a more accurate device.

29
Q
Which of the following is converted to a virtual password before being sent to the authentication server for processing?
a. passphrase
b. one time password
c. fingerprint scan
d. cognitive password
A

A: A passphrase is converted to a virtual password, typically by hashing it, before being sent to the authentication server for processing.

30
Q
An example of a Type 3 authentication factor is?
a. Password
b. Typing a passphrase
c. Fingerprint
d. Smart card
A

C: A fingerprint is an example of a Type 3: something you are authentication factor.

31
Q
What type of authentication token requires the subject to authenticate themselves to the token, then the token authenticates to the system?
a. synchronous dynamic password token
b. static password token
c. asynchronous dynamic password token
d. challenge-response token
A

B: A static password token requires the subject to authenticate themselves to the token, then the token authenticates to the system.

32
Q
What type of access control is based on job description?
a. group based
b. role based
c. transaction based
d. discretionary based
A

B: Role based access controls are based on job descriptions.

33
Q
Which of the following is the odd element in this set of items?
a. need to know
b. access based on work tasks
c. data classification
d. least privilege
A

C: Data classification is different from the others. Access under data classification controls is based on defined strata of confidentiality for both objects (i.e. assets) and subjects.

34
Q
Which of the following is a disadvantage of single sign on from the perspective of security?
a. simplified password management and administration
b. less time required overall to perform logon and authentication
c. stronger passwords are often used
d. users can roam the network without additional authentication
A

D: Being able to roam the network without additional authentication is a disadvantage of single sign on.

35
Q
Which of the following is not an example of a single sign on technology?
a. TACACS
b. Kerberos
c. SESAME
d. KryptoKnight
A

A: TACACS is an example of a centralized remote access authentication technology, not single sign on.

36
Q
What is the maximum enrollment time required at which a biometric device is generally considered acceptable to most users?
a. 30 seconds
b. 1 minute
c. 2 minutes
d. 10 minutes
A

C: A maximum of 2 minutes for enrollment will ensure that the majority of users will accept the use of biometric devices in a secure environment.

37
Q
At what rate of subject processing is a biometric device considered by users to be acceptable?
a. 50 subjects per minute
b. 2 subjects per minute
c. 5 subjects per minute
d. 10 subjects per minute
A

D: A throughput of fewer than 10 subjects per minute is generally considered unacceptable.

38
Q
______________ is what allows you to do what you are requesting from the system based on access criteria.
a. authorization
b. identification
c. authentication
d. auditing
A

A: Authorization is what allows you to do what you are requesting from the system based on access criteria.

39
Q
What form of access control is not centrally managed?
a. Discretionary
b. Mandatory
c. Nondiscretionary
d. Role based
A

A: Discretionary access control is not centrally managed.

40
Q
The most useful form of access control for environments with a high rate of personnel turnover is?
a. Interpretive
b. Nondiscretionary
c. Mandatory
d. Discretionary
A

B: Role based or nondiscretionary access control is the most useful form of access control for environments with a high rate of personnel turnover.

41
Q
Which of the following is not considered a technique for controlling access?
a. encryption
b. rule-based access
c. restricted interface
d. capability table
A

A: Encryption is not used as an access control technique, rather it is used to prevent disclosure.

42
Q
Role based access control is also known as?
a. Discretionary
b. Mandatory
c. Nondiscretionary
d. Recursive
A

C: Role based access control is also known as nondiscretionary.

43
Q
ACLs are the most common implementation of what form of access control?
a. Role based
b. Mandatory
c. Nondiscretionary
d. Discretionary
A

D: ACLs are the most common implementation of discretionary access control.

44
Q
What form of single sign on technology employs symmetric key cryptography and DES encryption to provide end-to-end security?
a. Scripting
b. Kerberos
c. SESAME
d. KryptoKnight
A

B: Kerberos employs symmetric key cryptography, historically with DES, to provide end-to-end security. Current Kerberos implementations use AES; the DES encryption types were deprecated by RFC 6649 and should be disabled.

45
Q
Which form of TACACS (Terminal Access Controller Access Control System) uses tokens for two factor authentication and supports dynamic password authentication?
a. TACACS (Terminal Access Controller Access Control System)
b. Dual-TACACS (Dual Terminal Access Controller Access Control System)
c. XTACACS (Extended Terminal Access Controller Access Control System)
d. TACACS+ (Terminal Access Controller Access Control System Plus)
A

D: TACACS+ (Terminal Access Controller Access Control System Plus) uses tokens for two factor authentication and supports dynamic password authentication.

46
Q
Which of the following is not an administrative access control method?
a. work area separation
b. policies and procedures
c. personnel controls
d. supervisory structure
A

A: Work area separation is a physical access control method.

47
Q
Which of the following is not a form of a centralized access control mechanism?
a. RADIUS (Remote Authentication Dial-in User Service)
b. Extended TACACS (XTACACS)
c. Security domains
d. TACACS (Terminal Access Controller Access Control System)
A

C: Security domains are decentralized access control mechanisms. Security domains are based on a realm of trust rather than a centralized or single trusted system.

48
Q
Which of the following is not a form of access control administration?
a. centralized
b. delegated
c. decentralized
d. hybrid
A

B: Delegation is not a form of access control administration. Delegation is often used to place responsibility for an activity onto another person.

49
Q
Which of the following is not an element of personnel controls?
a. Separation of duties
b. Handling non-compliance
c. Stipulating laws and regulations
d. Rotation of duties
A

C: Stipulating laws and regulations is an element of policies and procedures, not personnel controls.

50
Q
The primary element in the supervisory structure access control method is?
a. Only end users are audited
b. All employees need performance reviews
c. Senior management is always liable
d. Every employee has a boss
A

D: Every employee has a boss is the primary element of the supervisory structure access control method. Every employee has to report to someone who oversees their activities.

51
Q
Which of the following directly protects against physical computer theft?
a. computer controls
b. work area separation
c. lighting
d. control zones
A

A: Computer controls are physical mechanisms to prevent physical computer theft.

52
Q
Which of the following is a physical access control method?
a. System and network access
b. encryption
c. security awareness training
d. Computer controls
A

D: Computer controls is a physical access control method.

53
Q
Which of the following is not a technical/logical access control method?
a. network segregation
b. network architecture
c. encryption
d. control zones
A

D: Control zones is a physical access control method.

54
Q
Which of the following is an administrative access control method?
a. data backups
b. security awareness training
c. network architecture
d. auditing
A

B: Security awareness training is an administrative access control method.

55
Q
Which of the following is a technical/logical access control method?
a. Work area separation
b. Auditing
c. Data backups
d. Policies and procedures
A

B: Auditing is a technical/logical access control method.

56
Q
Which of the following is not an example of a preventative access control?
a. backups
b. locks
c. lighting
d. security guards
A

A: Backups are not considered a form of preventative access control. Backups are a form of recovery access control.

57
Q
Which of the following is not considered a detective security control?
a. monitoring
b. separation of duties
c. job rotation
d. intrusion detection
A

B: Separation of duties is not a detective security control, rather it is a preventative and deterrent security control.

58
Q
Which of the following is an example of a corrective security control?
a. intrusion detection
b. encryption
c. anti-virus software
d. smart cards
A

C: Anti-virus software is an example of a corrective security control: it removes the malicious code and returns the system to a known good state (for that reason some sources also classify it as a recovery control).

59
Q
What method is used to ensure confidentiality and integrity?
a. network access control
b. encryption
c. data backups
d. perimeter security
A

B: Encryption is used to ensure confidentiality and integrity.

60
Q
What types of access controls serve as a deterrent?
a. detective
b. corrective
c. preventative
d. recovery
A

C: Preventative access controls serve as a deterrent.

61
Q
A biometric scanner for facility access is considered all but which of the following types of access control?
a. Preventative
b. Detective
c. Inhibits unauthorized access
d. Recovery
A

D: A biometric scanner for facility access is not considered a type of recovery access control.

62
Q
Which of the following is used to ensure that users are held responsible for their actions?
a. auditing
b. authentication
c. identification
d. non-repudiation
A

A: Auditing is used to ensure that users are held responsible for their actions.

63
Q
Auditing allows for all but which of the following?
a. controlling data classifications
b. reconstruction of events
c. evidence for legal action
d. producing problem reports
A

A: Auditing is not related to controlling data classifications. Data classification is assigned by the data owner.

64
Q
What is a clipping level?
a. The threshold of unauthorized activity
b. A baseline of normal activity
c. The collection of abnormal activity
d. The saturation point above which only violations occur
A

B: A clipping level is the baseline of normal activity. Events above the clipping level are more likely to be abnormal or unauthorized.

65
Q
Which of the following is not an example of a preventative administrative access control?
a. background checks
b. controlled termination process
c. data classification
d. alarms
A

D: Alarms are an example of a preventative physical access control.

66
Q
Which of the following is not an example of a preventative physical access control?
a. clipping levels
b. badges
c. dogs
d. mantraps
A

A: Clipping levels are a technical/logical access control, not a physical one: a clipping level is the baseline of normal activity on a system, above which events are recorded as violations.

67
Q
Which of the following is not an example of a preventative technical/logical access control?
a. passwords
b. motion detectors
c. constrained user interfaces
d. firewalls
A

B: Motion detectors are an example of a preventative physical access control.

68
Q
Which of the following is not a preventative physical access control?
a. biometrics
b. fences
c. call back systems
d. CCTV
A

C: Call back systems are preventive technical access controls.

69
Q
The act of a hacker cleaning out all traces of their activities from audit logs is known as?
a. spoofing
b. masquerading
c. scrubbing
d. data diddling
A

C: Scrubbing is the act of cleaning out all traces of activities from audit logs.

70
Q
Which of the following methods is effective in maintaining the integrity of audit logs?
a. real-time recording
b. periodic manual inspection
c. storage in binary rather than text format
d. hash values
A

D: Hash values provide a means to maintain the integrity of audit logs. For the check to be meaningful, the hashes (or a keyed MAC or signature over them) must be kept somewhere the would-be editor of the log cannot also rewrite, such as a separate log host or write-once media.

71
Q
What means can be used to protect the confidentiality of audit logs?
a. encryption
b. storage on write-once media
c. redundant event recording
d. digital signatures
A

A: Encryption can be used to protect the confidentiality of audit logs.
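
The scrubbing of cards 69 and the hash-value integrity check of card 70, shown end to end as an added example (Python, not part of the original flashcards): each audit record carries a keyed hash (HMAC-SHA256) over its own content and the tag of the record before it, so deleting, editing or reordering records breaks the chain, and a copy of the final tag kept off the box catches a truncated tail. The sample events, the key and all function names are this example's own constructions.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample events; no real system produced these.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:01Z", "user": "alice",   "action": "logon", "result": "success"},
    {"ts": "2024-05-01T08:02:17Z", "user": "mallory", "action": "logon", "result": "failure"},
    {"ts": "2024-05-01T08:02:20Z", "user": "mallory", "action": "logon", "result": "failure"},
    {"ts": "2024-05-01T08:02:25Z", "user": "mallory", "action": "logon", "result": "success"},
    {"ts": "2024-05-01T08:05:40Z", "user": "mallory", "action": "read",  "object": "/hr/salaries.xlsx"},
]
GENESIS = "0" * 64                                  # link value for the first record
DEMO_KEY = b"constructed-demo-key-not-for-real-use"  # a real deployment keeps this off the logging host


def _tag(key: bytes, seq: int, prev: str, event: dict) -> str:
    """Keyed hash over the record number, the previous record's tag and the canonical event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, f"{seq}|{prev}|".encode() + body, hashlib.sha256).hexdigest()


def seal_log(events, key: bytes):
    """Writes each event as a record whose tag covers the tag of the record before it."""
    records, prev = [], GENESIS
    for seq, event in enumerate(events):
        tag = _tag(key, seq, prev, event)
        records.append({"seq": seq, "prev": prev, "event": event, "tag": tag})
        prev = tag
    return records


def verify_log(records, key: bytes, expected_final_tag: Optional[str] = None):
    """Returns (True, None) if the chain is intact, otherwise (False, seq of the first bad record)."""
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return False, expected_seq          # record deleted, inserted or reordered
        if not hmac.compare_digest(rec["tag"], _tag(key, rec["seq"], rec["prev"], rec["event"])):
            return False, expected_seq          # record content or tag altered
        prev = rec["tag"]
    # A chain cannot see that its own tail was cut off; compare the last tag with a copy
    # held where the attacker cannot write (write-once media, a separate log host).
    if expected_final_tag is not None and not hmac.compare_digest(prev, expected_final_tag):
        return False, len(records)
    return True, None


def demo_scrubbing(key: bytes = DEMO_KEY) -> dict:
    """Runs the checks against an intact log and three scrubbed copies; returns the verdicts."""
    records = seal_log(SAMPLE_EVENTS, key)
    anchor = records[-1]["tag"]                               # stored off the box at write time
    deleted = [r for r in records if r["event"].get("result") != "failure"]  # failed logons removed
    edited = copy.deepcopy(records)
    edited[3]["event"]["user"] = "alice"                      # blame shifted to another user
    cut = records[:3]                                         # everything after the logon dropped
    return {
        "intact": verify_log(records, key, anchor),
        "deleted": verify_log(deleted, key, anchor),
        "edited": verify_log(edited, key, anchor),
        "cut_without_anchor": verify_log(cut, key),
        "cut_with_anchor": verify_log(cut, key, anchor),
    }


if __name__ == "__main__":
    for name, verdict in demo_scrubbing().items():
        print(f"{name:20s} intact={verdict[0]} first_bad_record={verdict[1]}")
```

A keyed MAC is used rather than a plain hash chain on purpose: an intruder with write access to the log could recompute unkeyed hashes after scrubbing, so the key (or a signing key, card 71 option d) must not be readable from the host whose log is being protected.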

72
Q
Which of the following will not exceed clipping levels?
a. Exceeding the authority of a user account
b. Too many users with unrestricted access
c. Repeated high-volume intrusion attempts
d. Failing to submit logon credentials to access resources
A

D: Failing to submit logon credentials to access resources transmits nothing; the absence of activity cannot exceed a clipping level.

73
Q
Which of the following is not considered an audit analysis tool?
a. malicious code scanning tool
b. data reduction tool
c. variance detection tool
d. intrusion detection tool
A

A: A malicious code scanning tool, such as anti-virus or anti-trojan software, is not a type of audit analysis tool.

74
Q
Which of the following is a method by which accountability can be enforced?
a. data backups
b. keystroke logging
c. bandwidth throttling
d. trusted recovery
A

B: Keystroke logging is a method by which accountability can be enforced.

75
Q
The act of using a bad sector on a hard drive to store data which can be located and used by an unauthorized recipient is known as?
a. data remanence
b. data diddling
c. data hiding
d. data reduction
A

C: Data hiding is the use of a covert channel, such as a fake bad sector on a hard drive, to store and transmit data.

76
Q
TEMPEST is what?
a. a centralized remote access authentication service
b. a security domain authorization system
c. A vulnerability scanner
d. the study and control of stray electrical signals
A

D: TEMPEST is the study and control of stray electrical signals, the electromagnetic emanations from equipment that can be captured at a distance to reconstruct the data being processed.

77
Q
What type of token requires the owner to authenticate to the token itself and then allows the token to authenticate with the system?
a. Synchronous Dynamic Password Token
b. Static Password Token
c. Asynchronous Password Token
d. Challenge-response Token
A

B: A static password token requires the owner to authenticate to the token itself and then allows the token to authenticate with the system.

78
Q
What token generates unique passwords at fixed time intervals which must be provided to the authenticating system with the appropriate PIN within a valid time window?
a. Asynchronous Dynamic Password Token
b. Challenge-response Token
c. Synchronous Dynamic Password Token
d. Static Password Token
A

C: A Synchronous Dynamic Password Token generates unique passwords at fixed time intervals that must be provided to the authenticating system with the appropriate PIN within a valid time window.
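
The synchronous dynamic password token of card 78, together with the one-time property from cards 7, 14 and 24, as an added example (Python, not part of the original flashcards): a minimal HOTP/TOTP generator following RFC 4226 and RFC 6238 (HMAC-SHA1, 30-second steps) and a server-side verifier that requires the PIN, tolerates one step of clock skew, and never accepts the same time step twice. The shared secret is the RFC test-vector secret, the PIN is a made-up value, and the class and function names are this example's own.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = ((digest[offset] & 0x7F) << 24
            | digest[offset + 1] << 16
            | digest[offset + 2] << 8
            | digest[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps.

    This is what a synchronous dynamic password token computes: token and server share
    the secret and a clock, so no challenge has to be sent to the token.
    """
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side: PIN (something you know) plus token code (something you have)."""

    def __init__(self, secret: bytes, pin: str, step: int = 30, skew_steps: int = 1):
        self.secret = secret
        self.pin = pin
        self.step = step
        self.skew_steps = skew_steps          # tolerated clock drift, in time steps
        self.last_accepted_counter = -1       # replay guard: a used time step is never accepted again

    def verify(self, pin: str, code: str, now: int) -> bool:
        # Constant-time compares so a wrong PIN or code cannot be told apart by timing.
        if not hmac.compare_digest(pin, self.pin):
            return False
        current = now // self.step
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter <= self.last_accepted_counter:
                continue                       # already consumed: one-time means one time
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


# Constructed demo values: the RFC 4226/6238 test-vector secret and a made-up PIN.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "1234"


def demo_replay(now: int = 59) -> dict:
    """Exercises the validity window and the replay rejection; returns the outcomes by name."""
    server = TotpVerifier(DEMO_SECRET, DEMO_PIN)
    code = totp(DEMO_SECRET, now)
    return {
        "first_use": server.verify(DEMO_PIN, code, now),                        # fresh code, right PIN
        "replay": server.verify(DEMO_PIN, code, now),                           # same code again
        "wrong_pin": server.verify("0000", totp(DEMO_SECRET, now + 30), now),   # valid code, wrong PIN
        "next_step": server.verify(DEMO_PIN, totp(DEMO_SECRET, now + 30), now), # one step ahead, in skew
        "stale_step": server.verify(DEMO_PIN, totp(DEMO_SECRET, now - 30), now),# behind the last accepted
    }


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET, int(time.time())))
    print(demo_replay())
```

The replay guard is what makes the code genuinely one-time: without `last_accepted_counter`, every code would stay valid for the whole skew window and could be resubmitted by anyone who captured it.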

79
Q
Audit logs can be used for all but which of the following?
a. Legal evidence
b. Predicting the source of the next intrusion attempt
c. Demonstrate the means by which an attack was waged
d. Corroborate and verify a story
A

B: Audit logs may provide clues, but they cannot accurately predict the source of the next intrusion attempt.

80
Q
Which of the following is not a means by which data is disclosed unintentionally?
a. social engineering
b. malicious code
c. espionage
d. object/media reuse
A

C: Espionage is the deliberate and intentional act of gathering and disclosing confidential data.

81
Q
The process of removing data from a media so it can be re-used within the same security environment is known as?
a. clearing
b. purging
c. overwriting
d. destruction
A

A: Clearing is the process of removing data from a media so it can be re-used within the same security environment.

82
Q
Which of the following will never result in data remanence?
a. erasing the data using the native OS tools
b. cremation of media
c. degaussing media
d. performing a single format of the media
A

B: Cremation of media (i.e. complete physical destruction) is the only assured means to prevent remanence.

83
Q
The act of recycling a backup tape for another purpose is known as?
a. disclosure
b. remanence
c. cost effective resource management
d. object reuse
A

D: The act of recycling a backup tape for another purpose is known as object reuse.

84
Q
Which of the following does not represent a reason a biometric device would be rejected by a majority of users?
a. Invasion of privacy
b. A high level of invasiveness
c. A low enrollment time
d. A moderate degree of physical discomfort
A

C: A low enrollment time is typically not a reason to reject a biometric device.

85
Q
What aspect of access control is responsible for verifying that you are allowed to perform the activities or actions you request on a system?
a. Auditing
b. Authentication
c. Administration
d. Authorization
A

D: Authorization is the aspect of access control that is responsible for verifying that you are allowed to perform the activities or actions you request on a system.

86
Q
Which of the following is not true in regards to roles?
a. Similar users are placed within a role and access to resources is granted or restricted to that role.
b. A role has a pre-assigned classification.
c. Roles are assigned to users who perform specific activities or tasks.
d. Roles are often based on job descriptions or work tasks.
A

A: This does not describe roles, it describes groups.

87
Q
When a biometric is used and a valid user is rejected, what type of error has occurred?
a. Type I error
b. Type II error
c. Authorization error
d. Accountability error
A

A: A Type I error, or false rejection, fails to authenticate a valid user.

88
Q
In regards to biometric devices, what is the crossover error rate (CER) used for?
a. Tuning the device for efficiency
b. Comparing performance between similar devices
c. Adjusting the sensitivity of the device
d. Reducing the enrollment time
A

B: The crossover error rate is most useful as a comparison point between similar devices.
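
The error rates of cards 8, 27 and 87 and the crossover error rate of cards 28 and 88, computed from scores as an added example (Python, not part of the original flashcards): FRR and FAR are evaluated at every sensitivity threshold for two constructed devices, the CER is found where the two rates meet, the devices are ranked by it, and one device is then tuned for a strict FAR limit to show the FRR that the users pay for it. The match scores are invented, and all names are this example's own.

```python
# Constructed match scores (0-100, higher = closer to the enrolled template).
# Each device was scored on the same 12 genuine and 12 impostor attempts; none of this is real data.
DEVICE_A = {
    "genuine":  [92, 88, 85, 81, 79, 76, 74, 70, 66, 61, 55, 48],
    "impostor": [63, 58, 54, 50, 47, 44, 40, 36, 33, 29, 22, 15],
}
DEVICE_B = {
    "genuine":  [90, 82, 75, 70, 64, 58, 52, 47, 42, 38, 35, 30],
    "impostor": [70, 65, 60, 55, 50, 45, 40, 35, 30, 25, 20, 15],
}
THRESHOLDS = range(0, 101)     # every sensitivity setting the device could be configured with


def frr(genuine, threshold):
    """False rejection rate (Type I): genuine attempts that score below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold):
    """False acceptance rate (Type II): impostor attempts that score at or above it."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_curve(device, thresholds=THRESHOLDS):
    """(threshold, FRR, FAR) for every setting; raising the threshold trades FAR for FRR."""
    return [(t, frr(device["genuine"], t), far(device["impostor"], t)) for t in thresholds]


def crossover_error_rate(device, thresholds=THRESHOLDS):
    """Threshold at which FRR and FAR are (closest to) equal, and the error rate there: the CER."""
    t, r, a = min(error_curve(device, thresholds), key=lambda row: abs(row[1] - row[2]))
    return t, (r + a) / 2


def tune_for_max_far(device, max_far, thresholds=THRESHOLDS):
    """Lowest threshold that keeps FAR at or under the limit, and the FRR users then pay for it."""
    for t, r, a in error_curve(device, thresholds):
        if a <= max_far:
            return t, r
    raise ValueError("no threshold satisfies the FAR limit")


def compare_devices(devices):
    """Ranks devices by CER, lowest (most accurate) first; this is what the CER is for."""
    return sorted(devices, key=lambda name: crossover_error_rate(devices[name])[1])


if __name__ == "__main__":
    for name, dev in (("A", DEVICE_A), ("B", DEVICE_B)):
        t, cer = crossover_error_rate(dev)
        print(f"device {name}: CER {cer:.3f} at threshold {t}")
    print("ranking:", compare_devices({"A": DEVICE_A, "B": DEVICE_B}))
    print("device A tuned for FAR 0:", tune_for_max_far(DEVICE_A, 0.0))
```

The CER is a property of the device, independent of how an installation later sets the threshold; a high-security door is normally tuned well above the CER (low FAR, higher FRR), a convenience login below it.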

89
Q
What authentication technology was developed to address weaknesses in Kerberos?
a. RADIUS
b. TACACS
c. SESAME
d. KryptoKnight
A

C: SESAME was designed to address weaknesses in Kerberos.

90
Q
Role based access control is also known as?
a. Mandatory access control
b. Discretionary access control
c. Dynamic access control
d. Nondiscretionary access control
A

D: Role based access control is also known as nondiscretionary access control.

91
Q
Which of the following is not one of the three mechanisms that must be in place in order to audit the activity of subjects?
a. Identification
b. Authorization
c. Accountability
d. Authentication
A

C: Accountability is available only after auditing is established, it is not a prerequisite for auditing.

92
Q
The security principle or axiom that restricts a person's access to resources or data even if they have sufficient security clearance is known as?
a. Principle of least privilege
b. Accountability
c. Clark-Wilson control
d. Need to know
A

D: Need to know is the security principle or axiom that restricts a person’s access to resources or data even if they have sufficient security clearance.

93
Q
What is the primary disadvantage of a single sign-on?
a. Users can rove the network without re-authenticating
b. Stronger passwords can be enforced
c. Simpler password administration
d. Scripts may be used that contain logon credentials
A

A: Users can rove the network without re-authenticating is the primary disadvantage of single sign-on.

94
Q
Which of the following is the golden rule of access control?
a. If access control is not explicitly denied, it should be implicitly granted.
b. If access control is denied implicitly, only role assignments can be used to grant access explicitly.
c. If access is not explicitly granted, it should be implicitly denied.
d. Access controls should default to minimal read access if access is not explicitly granted or denied.
A

C: If access is not explicitly granted, it should be implicitly denied.

95
Q
Which of the following is not an example of a single sign-on technology?
a. Kerberos
b. TACACS
c. SESAME
d. KryptoKnight
A

B: TACACS is not a single sign-on technology, it is a centrally managed remote access authentication service.

96
Q
Which of the following is not a weakness of Kerberos?
a. The KDC (Key Distribution Center) is a single point of failure
b. Secret keys are temporarily stored on the client system
c. A one-way hash is used to generate the client's secret key
d. Kerberos only protects authentication traffic
A

C: Deriving the client's secret key from its password with a one-way hash is a strength of Kerberos, not a weakness: the KDC holds only the derived key, and the password itself is never transmitted.

97
Q
What type of area on a network is created so that it would attract intruders but which no valid user would enter?
a. Padded cell
b. Honey pot
c. DMZ
d. Extranet
A

B: A honey pot is designed to attract intruders, but since it holds no real or useful data or resources, valid users don’t enter it.

98
Q
Audit logs can be used for all but which of the following?
a. Patch systems by re-playing the audit trail
b. Forensic evidence in cyber crime prosecution
c. Rebuilding the process of an attack
d. Track down the perpetrator of an intrusion
A

A: Audit logs can be used to design a safeguard against a recorded intrusion, but replaying an audit trail against another system will not patch it; more likely it will reproduce the same security violation.

99
Q
Which of the following is not true regarding clipping levels?
a. Activity below a clipping level is considered normal and expected.
b. When the clipping level is exceeded, a violation record may be recorded.
c. All abnormal activity, including intrusions, will cross a clipping level.
d. The use of clipping levels is considered a detective technical access control method.
A

C: This is incorrect. Many abnormal activities, including intrusions, will not generate sufficient effect to cross a clipping level.
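The clipping-level behaviour described above, as an added example that is not part of the original flashcard deck. It runs a sliding-window threshold over constructed authentication log lines (the log format, usernames, IP addresses and the level of 5 failures per 10 minutes are all assumptions for illustration; adjust the regex to your real auth log). It shows the three cases the card contrasts: a user whose couple of typos stay below the level, a fast guessing run that crosses it and produces a violation record, and a low-and-slow attacker with sixteen failures who never crosses it.

```python
"""Clipping-level evaluation over authentication log lines.

Added example, not taken from the flashcard deck. The log format, the
threshold, the usernames and IP addresses are all constructed for
illustration; adjust LINE_RE to your own sshd/auth.log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CLIPPING_LEVEL = 5              # failures per user tolerated as "normal" (assumed)
WINDOW = timedelta(minutes=10)  # sliding window the level applies to (assumed)

# Constructed line shape: "<ISO timestamp> sshd: Failed password for <user> from <ip>"
LINE_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def parse(line):
    """Return (timestamp, user, source_ip), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def violations(lines, level=CLIPPING_LEVEL, window=WINDOW):
    """Emit one violation record each time a user's failure count inside the
    sliding window exceeds the clipping level. Activity at or below the level
    is treated as normal and produces nothing."""
    recent = defaultdict(deque)   # user -> timestamps of failures still in the window
    records = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, src = parsed
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) > level:
            records.append((ts, user, len(q), src))
    return records


def total_failures(lines):
    """Raw per-user failure counts, for comparison with the violation records."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse(line)
        if parsed:
            counts[parsed[1]] += 1
    return dict(counts)


# Constructed sample log.
# bob: two typos, well under the clipping level (normal, expected noise).
BOB = [
    "2024-03-10T09:00:01 sshd: Failed password for bob from 10.0.0.5",
    "2024-03-10T09:00:20 sshd: Failed password for bob from 10.0.0.5",
]
# alice: six failures in under a minute from one address (a fast guessing run).
ALICE = [
    f"2024-03-10T09:05:{10 * i:02d} sshd: Failed password for alice from 203.0.113.7"
    for i in range(6)
]
# carol: one failure every 15 minutes for almost four hours. Sixteen attempts in
# total, yet never more than one inside any 10-minute window, so the clipping
# level is never crossed: the low-and-slow case the flashcard warns about.
CAROL = [
    f"2024-03-10T{8 + (15 * i) // 60:02d}:{(15 * i) % 60:02d}:00 sshd: Failed password for carol from 198.51.100.9"
    for i in range(16)
]
SAMPLE_LOG = BOB + ALICE + CAROL

if __name__ == "__main__":
    for ts, user, n, src in violations(SAMPLE_LOG):
        print(f"{ts.isoformat()} VIOLATION user={user} failures_in_window={n} src={src}")
    print("raw failure counts:", total_failures(SAMPLE_LOG))
```

Lowering the level (for example to 1) turns bob's two typos into a violation as well, while carol still never appears: a per-window threshold catches bursts, not patience. Detecting the slow case needs a different signal, such as a long-horizon count per source address or a correlation across many accounts.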

100
Q
What is a capability table?
a. The list of roles within a nondiscretionary access control system
b. A column of an access control matrix
c. The services supported by a specific object
d. A row of an access control matrix
A

D: A capability table is a single row of an access control matrix: it lists everything one subject may do across all objects. An ACL is the complementary view, a single column listing every subject's rights on one object.
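The row/column relationship described above, together with the default-deny golden rule from the earlier card, as an added example that is not part of the original flashcard deck. The subjects, objects and permission sets are constructed sample data. It builds a small access control matrix, derives a capability table (row) and an ACL (column) from it, and contrasts a default-deny check with the default-permit anti-pattern from option (a) of the golden-rule card.

```python
"""Access control matrix: capability tables (rows), ACLs (columns) and the
default-deny rule.

Added example, not taken from the flashcard deck. The subjects, objects and
permission sets below are constructed sample data.
"""

# The matrix: subject -> object -> set of permissions. A missing entry means
# the right was never granted.
MATRIX = {
    "alice":      {"payroll.db": {"read", "write"}, "wiki": {"read"}},
    "bob":        {"wiki": {"read", "write"}},
    "svc_backup": {"payroll.db": {"read"}, "wiki": {"read"}},
}

# Explicit denials, used only by the default-permit anti-pattern below.
DENY_LIST = {"bob": {"payroll.db": {"write"}}}


def capability_table(matrix, subject):
    """One ROW of the matrix: every object this subject may touch, and how.
    Revoking a departing user means deleting this row."""
    return {obj: set(perms) for obj, perms in matrix.get(subject, {}).items()}


def acl(matrix, obj):
    """One COLUMN of the matrix: every subject with rights on this object.
    This is the view kept with the object in a DAC system."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if obj in row}


def is_allowed(matrix, subject, obj, action):
    """Golden rule: anything not explicitly granted is implicitly denied.
    Unknown subject, unknown object and missing permission all fall through
    to False; there is no default read path."""
    return action in matrix.get(subject, {}).get(obj, set())


def is_allowed_default_permit(deny_list, subject, obj, action):
    """The anti-pattern in option (a) of the golden-rule card: permit unless
    explicitly denied. A new object, an unlisted subject or a typo in a name
    silently becomes accessible to everyone."""
    return action not in deny_list.get(subject, {}).get(obj, set())


if __name__ == "__main__":
    print("capabilities of svc_backup:", capability_table(MATRIX, "svc_backup"))
    print("ACL of payroll.db:", acl(MATRIX, "payroll.db"))
    for subj, obj, act in [("alice", "payroll.db", "write"),
                           ("bob", "payroll.db", "read"),
                           ("mallory", "wiki", "read")]:
        print(f"{subj} {act} {obj}:",
              "default-deny ->", is_allowed(MATRIX, subj, obj, act),
              "| default-permit ->", is_allowed_default_permit(DENY_LIST, subj, obj, act))
```

Note how the two evaluators diverge on the cases nobody thought about: bob reading payroll.db and an unknown subject "mallory" are both refused under default deny, but both succeed under default permit because no one wrote a denial for them.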

101
Q
Which of the following is the action of overwriting media that is intended for use outside of the protected environment, to prevent remanence gathering?
a. Purging
b. Cleaning
c. Formatting
d. Erasing
A

A: Purging is the overwriting of media that is intended for reuse outside of the protected environment, to prevent data remanence from being recovered. Clearing (cleaning), by contrast, prepares media only for reuse within the same secured environment.

102
Q
Which of the following is not a physical access control method?
a. Segmentation of the network
b. Filters/rules on a firewall
c. Parking lot access controls
d. Security guards
A

B: Filters or rules on a firewall are a technical (logical) access control, not a physical one. Network segmentation counts as physical here in the sense of separately cabled, physically isolated equipment; segmenting with subnets is a technical control.

103
Q
Which of the following is an example of an administrative access control method?
a. Policies and procedures
b. Perimeter lighting
c. CCTV
d. Encryption
A

A: Policies and procedures are administrative access controls. Perimeter lighting and CCTV are physical controls; encryption is a technical control.

104
Q
The act of an intruder erasing their tracks by tampering with audit logs is known as?
a. Entrapment
b. Using covert channels
c. Superzapping
d. Scrubbing
A

D: Modifying or deleting audit log entries to hide an access trail is known as scrubbing. It is why logs should be forwarded to a system the intruder cannot write to (a remote collector, append-only or write-once storage) rather than kept only on the compromised host.

105
Q
The standard for overwriting media before reuse outside of the secured environment is to format or overwrite the media ________ times?
a. 1
b. 3
c. 7
d. 12
A

C: The classic standard is to overwrite media 7 times before it is reused outside the secured environment. Note that this figure (often attributed to the old DoD 5220.22-M guidance) predates current practice: NIST SP 800-88 regards a single overwrite pass as sufficient for modern magnetic disks, and warns that overwriting is unreliable for flash-based media such as SSDs, where wear levelling leaves blocks untouched and block erase, cryptographic erase or physical destruction is used instead.

106
Q
Which of the following is an example of data hiding?
a. Causing the light on a monitor to blink in Morse code
b. Employing the use of time to communicate information
c. Storing data in a sector marked as bad
d. Communicating a message through the byte size of a file stored on a publicly accessible server
A

C: Storing data in a sector marked as bad conceals the data itself, so it is data hiding; it is also a storage covert channel. Options (a), (b) and (d) describe covert channels (timing and storage channels) that communicate information rather than hide stored data.

107
Q
The aspect of access control that holds subjects responsible for the activities they perform within a secured environment is known as?
a. Integrity
b. Accountability
c. Authorization
d. Auditing
A

B: Accountability is the aspect of access control that holds subjects responsible for the activities they perform within a secured environment.

108
Q
Which of the following is labeled as a technical or logical access control method, but does not prevent attacks and is instead used to pinpoint weaknesses in a system?
a. DMZ
b. Awareness training
c. TACACS
d. Auditing
A

D: Auditing is classified as a technical (logical) access control method, but it is detective rather than preventive: it does not stop attacks; it records activity so that weaknesses and violations can be identified afterwards.

109
Q
Discretionary access control is most often implemented using what mechanism?
a. Access Control Lists
b. Biometrics
c. Roles
d. Subject classification
A

A: Discretionary access control is most often implemented using ACLs, which the owner of an object can modify to grant or revoke access at their discretion.

110
Q
Mandatory access control relies on what mechanism?
a. Access control lists
b. Security labels
c. Role assignments
d. Data format
A

B: Mandatory access control relies on security labels (classifications) assigned to subjects and objects and compared by the system; the owner of an object cannot override them.

111
Q
The greatest security is maintained by organizations that perform which of the following?
a. Media purging before re-use
b. Media destruction, no re-use of media
c. Media cleaning before re-use
d. Media formatting before re-use
A

B: The greatest security is maintained if no media is ever re-used and all used media are destroyed.

112
Q
Which one of the following examples of access control methods is of a different type than the other three?
a. Controlling access to network components throughout a facility
b. Routing cables through walls to prevent tapping
c. Segmenting the network with subnets
d. Installing a mantrap
A

C: Segmenting the network with subnets is a logical (technical) access control. The other three (controlling access to network components in a facility, routing cables through walls, and a mantrap) are physical access controls.

113
Q
Which of the following is not a characteristic of a network based IDS?
a. Actively scans the network for intrusions
b. Monitors in real time
c. Can respond to some types of attacks while they are in progress
d. Cannot detect attacks committed on a system by a subject logged into that system
A

A: A network based IDS is passive: it monitors traffic copied to it (for example from a span port or a tap) rather than actively scanning the network. The other three statements are true of a network based IDS.

114
Q
What is TEMPEST?
a. A tool used to hide data in an image or audio file
b. A VPN protocol encryption scheme
c. A centralized remote access authentication system
d. The study and control of EM signals
A

D: TEMPEST is the study and control of electromagnetic (EM) emanations from equipment, which can otherwise leak the information being processed (compromising emanations).

115
Q
What type of IDS has the greatest number of false detections?
a. Signature based IDS
b. Statistical anomaly based IDS
c. Network based IDS
d. Host based IDS
A

B: A statistical anomaly based IDS produces the most false detections (false positives), because any deviation from the learned baseline is flagged, including legitimate but unusual activity. A signature based IDS raises fewer false positives but misses attacks for which it has no signature.

116
Q
What access control method is best suited for an organization with a high rate of personnel turnover and change?
a. Access control lists
b. Mandatory access controls
c. Role based access controls
d. Discretionary access controls
A

C: Role based access control is best suited for high-turnover organizations: permissions are attached to roles, so a new or departing employee only needs a role assigned or removed rather than a set of per-object ACL entries edited.

117
Q
Unauthorized or unintentional disclosure can occur when all but which of the following take place?
a. Execution of malicious code
b. Social engineering
c. Use of a covert channel
d. Requiring encryption on traffic
A

D: Requiring encryption on traffic is a security mechanism that protects confidentiality; it does not cause disclosure. The other three are ways in which unauthorized disclosure occurs.

118
Q
What authentication mechanism supports two factor authentication for remote access clients?
a. TACACS+
b. Kerberos
c. RADIUS
d. XTACACS
A

A: TACACS+ supports two-factor authentication for remote access clients. Unlike RADIUS, which encrypts only the password attribute, TACACS+ encrypts the entire body of each packet.

119
Q
The act of providing the opportunity for a person to commit a crime without coercion is known as?
a. Entrapment
b. Accountability
c. Enticement
d. Superzapping
A

C: Enticement is providing the opportunity for a person to commit a crime without coercion (a honey pot entices). Entrapment, by contrast, induces a person to commit a crime they would not otherwise have committed, and is not a legal defense for a security team.