Acc Ctrl Flashcards

1
Q

3 primary types of access control

A

preventive, detective, and corrective.

2
Q

secondary types of access control

A

There are also four other access control types, commonly known as deterrent, recovery, directive, and compensation access controls.

3
Q

process by which a subject professes an identity and accountability is initiated

A

Identification

4
Q

process of verifying or testing that a claimed identity is valid

A

Authentication

5
Q

indicates who is trusted to perform specific operations

A

Authorization

6
Q

Which AAA function, provided via auditing, logging, and monitoring, ensures that subjects can be held accountable for their actions? Auditing is the process of tracking and recording subject activities within logs.

A

Accountability

7
Q

RSA token is what kind of token (sync/async, static/dynamic)?

A

An RSA token is a synchronous dynamic password token. It generates passwords at fixed time intervals, such as every 60 seconds.

8
Q

Which (synchronous or asynchronous) dynamic password token does not use a clock, but instead generates passwords based on the occurrence of some event? These tokens often generate a password after the user enters a PIN into the token device.

A

asynchronous

9
Q

Which access control model? Every object has an owner, owners have full control over their objects. Permissions are maintained in an ACL, and owners can easily change permissions.

A

Discretionary access control (DAC)

10
Q

Which access control model? Access does not focus on user identity. Instead, a static set of rules governing the whole environment is used to manage access.

A

Non-DAC

11
Q

Rule-based access controls and lattice-based access controls are both considered ...

A

non-DAC

12
Q

Which access control model relies upon the use of classification labels? Each classification label represents a security domain, or a realm of security.

A

MAC

13
Q

SSO solution for login, symmetric key crypto, AES encryption protocol. Provides confidentiality AND integrity for authentication.

A

Kerberos

14
Q

AAA protocols

A

Provide authentication, authorization, and accounting (sometimes identification is included). Typically used for VPN and other centralized access controls.

15
Q

3 common AAA protocols are ...

A

RADIUS, TACACS+, and Diameter.

16
Q

various TYPES of access control (7):

A

Preventive, detective, corrective, deterrent, recovery, directive, compensation.

17
Q

birthday attack

A

A birthday attack focuses on finding collisions, similar to finding two passwords with the same hash. Example: with 50 people in a room, two will have the same birthday.

18
Q

a variant of phishing that uses the phone system or VoIP. A common attack uses an automated call to the user explaining a problem with a credit card account.

A

Vishing

19
Q

name 4 different password attacks:

A

dictionary attacks, brute-force attacks, rainbow table attacks, and sniffer attacks

20
Q

What attack tries all possible combinations of keyboard characters?

A

brute-force

21
Q

What attack uses a predefined list of possible passwords?

A

dictionary attack.

22
Q

Symmetric or asymmetric? These cryptosystems use a shared secret key available to all users of the cryptosystem.

A

symmetric

23
Q

Symmetric or asymmetric? These cryptosystems utilize individual combinations of public and private keys for each user of the system.

A

Asymmetric

24
Q

AND function

A

Returns TRUE only when both X and Y are TRUE: 1 AND 1 = 1, else 0.

25
Q

OR function

A

Returns FALSE only when both X and Y are FALSE: 0 OR 0 = 0, else 1.

26
Q

NOT operation (~ or !)

A

Returns the opposite of its input.

27
Q

XOR ⊕ function

A

Returns TRUE if both are the same.

28
Q

Cipher that uses an encryption algorithm to rearrange the letters of a plaintext message, forming the ciphertext message

A

Transposition

29
Q

Ciphers that use the encryption algorithm to replace each character or bit of the plaintext message with a different character

A

Substitution

30
Q

one time pad

A

A powerful type of substitution cipher. One-time pads use a different substitution alphabet for each letter of the plaintext message. (Examples: Caesar, Vigenère)

31
Q

Cipher where the encryption key is as long as the message itself and is often chosen from a common book

A

book cipher or running key cipher

32
Q

A kind of cipher that operates on "chunks," or blocks, of a message and applies the encryption algorithm to an entire message block at the same time.

A

Block cipher

33
Q

A kind of cipher that operates on one character or bit of a message (or data stream) at a time.

A

Stream cipher

34
Q

Asymmetric key encryption

A

Provides integrity, authentication, and non-repudiation. Adding or removing users is easy, and regenerating keys in case of compromise is easy and fast.

35
Q

Common Symmetric Cryptosystems

A

Data Encryption Standard (DES), Triple DES (3DES), International Data Encryption Algorithm (IDEA), Blowfish, Skipjack, and the Advanced Encryption Standard (AES)

36
Q

AES cipher

A

The AES cipher allows the use of three key strengths: 128 bits, 192 bits, and 256 bits.

37
Q

Diffie-Hellman

A

Symmetric key encryption used when neither offline distribution nor public key encryption is sufficient. Diffie-Hellman is an algorithm in which two parties provide random values and extract the key from: "K = S^r mod p"

38
Q

zero knowledge proof

A

Zero-knowledge proof is a communication concept. A specific type of information is exchanged but no real data is transferred, as with digital signatures and digital certificates.

39
Q

importance of key length

A

Modern cryptosystems utilize keys that are at least 128 bits long to provide adequate security. It is generally agreed that the 56-bit key of the Data Encryption Standard (DES) is no longer long enough to provide security.

40
Q

4 modes of DES:

A

Electronic Codebook (ECB), Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB), and Output Feedback (OFB) mode. ECB is least secure.

41
Q

AES

A

Utilizes the Rijndael algorithm. The US government standard. Uses key lengths of 128, 192, and 256 bits and a fixed block size of 128 bits. Better than the older DES algorithm.

42
Q

Take-Grant

A

Take-Grant model may also adopt a create rule and a remove rule to generate or delete rights. The key to this model is that using these rules allows one to figure out when rights in the system can change and where leakage (i.e., unintentional distribution of permissions) can occur.

43
Q

Access control matrix

A

A table of subjects and objects. A column is an ACL; a row is a capability list.

44
Q

Goguen-Meseguer model

A

An integrity model. The Goguen-Meseguer model is based on predetermining the set or domain, a list of objects that a subject can access. This model is based on automation theory and domain separation.

45
Q

Sutherland model

A

The model is based on the idea of defining a set of system states, initial states, and state transitions. Through the use of, and limitation to, only these predetermined secure states, integrity is maintained and interference is prohibited.

46
Q

Biba

A

An integrity model. No write down. No read up.

47
Q

Phishing

A

Phishing is a type of social engineering whose goal is to obtain PII.

48
Q

Pharming

A

Pharming redirects victims to a fake website that looks legitimate and carries out DNS poisoning (in which a DNS server resolves a host name into an incorrect IP address).

49
Q

Authentication vs Authorization.

A

They are close in meaning, but authentication is the PROCESS of verifying the identity of the subject requesting access. Authorization is the ACTION of granting permission.

50
Q

Collusion (not to be confused with collision)

A

The practice of separation of duties forces two or more employees to work together in an effort to avoid fraud.

51
Q

X.500 standard

A

Most directories follow a hierarchical database format, based on the X.500 standard. Its primary concept is that there is a single Directory Information Tree, a hierarchical organization of entries which is distributed across one or more servers, called directory system agents.

52
Q

Tunneling

A

Tunneling is an attack that utilizes low-level functions to infiltrate a system.

53
Q

T or F?

A Smurf attack is a DoS attack.

A

True

54
Q

ICMP ECHO attack

A

The attacker changes an ICMP ECHO request packet's source IP address to that of the victim, which floods the victim with replies and overwhelms it.

55
Q

Something you know, something you are, and something you have are the three possible factors of ...

A

Authentication!!!

56
Q

FACT: A meta-directory gathers necessary information from multiple sources and stores it in a central directory. A virtual directory can also serve the same purpose.

A

n/a

57
Q

Capacity to process information: memory cards vs. smart cards

A

Memory card = holds information ONLY

Smart card = holds information and processes information.

58
Q

Security Assertion Markup Language (SAML)

A

SAML allows authentication and authorization data to be exchanged between security domains. Mostly used for SSO in a web-based environment.

59
Q

What single sign-on technology is based upon symmetric cryptography and thus does not need PKI?

A

Kerberos

60
Q

Which single sign-on technology is based upon public-key cryptography and thus requires PKI?

A

SESAME

61
Q

SPML

A

The Service Provisioning Markup Language allows companies and their interfaces to pass service requests and receive provisioned access to services. The sending and receiving companies need to follow the XML standard, which allows this type of cross-vendor exchange to take place.

62
Q

Security event management software

A

Security event management software allows network traffic to be viewed holistically by gathering log data centrally and analyzing it.

63
Q

Your organization has become worried about recent attempts to gain unauthorized access to the R&D facility. Therefore, you have been asked to implement a system that will require individuals to present a password and enter a PIN at the security gate before gaining access. What is this type of system called? A. Authorization B. Two-factor authentication C. Authentication D. Three-factor authentication

A

C. Authentication

64
Q

Which style of authentication is not susceptible to a dictionary attack? A. CHAP B. LEAP C. WPA-PSK D. PAP

A

D. PAP

65
Q

Which of the following types of copper cabling is the most secure against eavesdropping and unauthorized access? A. Single-mode fiber B. Multimode fiber C. Category 6 cabling D. 802.11g wireless

A

C. Cat 6 cabling

66
Q

Auditing is considered what method of access control? A. Preventive B. Technical C. Administrative D. Physical

A

C. Administrative

67
Q

Which of the following is not an example of a single sign-on service? A. RADIUS B. Kerberos C. SESAME D. KryptoKnight

A

A. RADIUS

68
Q

Christine, a newly certified CISSP, has offered to help her brother-in-law, Gary, at his small construction business. The business currently has 18 computers configured as a peer-to-peer network. All users are responsible for their own security and can set file and folder privileges as they see fit. Which access control model best describes the configuration at this organization? A. Discretionary B. Mandatory C. Role-based D. Nondiscretionary

A

A. Discretionary

69
Q

You are approached by a junior security officer who wants to know what CVE stands for. What do you tell him? A. Critical Vulnerability and Exploits B. Common Vulnerabilities and Exposures C. Chosen Vulnerabilities and Exploits D. Common Vulnerabilities and Exploits

A

B. Common Vulnerabilities and Exposures

70
Q

Various operating systems such as Windows use what to control access rights and permissions to resources and objects? A. RBAC B. MITM C. ABS D. ACL

A

D. ACL

71
Q

Kerberos has some features that make it a good choice for access control and authentication. One of these items is a ticket. What is a ticket used for? A. A ticket is a block of data that allows users to prove their identity to an authentication server. B. A ticket is a block of data that allows users to prove their identity to a service. C. A ticket is a block of data that allows users to prove their identity to a ticket-granting server. D. A ticket is a block of data that allows users to prove their identity to the Kerberos server.

A

B. A ticket is a block of data that allows users to prove identity to a service.

72
Q

What type of cryptography does SESAME use to distribute keys? A. Public key B. Secret key C. SHA hashing algorithm D. None; it uses clear text.

A

A. Public Key

73
Q

Your coworkers are having a heated discussion about access control models and their differences. To help them move on to more productive endeavors, you offer to answer their question. Specifically, they want to know what the driving force was behind the development of the Biba model. What do you tell them? A. The Biba model addressed the fact that the Bell-LaPadula model would allow a user with a higher security level rating to write to a subject’s information with a higher security level. B. The Biba model addressed the fact that the Bell-LaPadula model would allow a user with a lower security level rating to write to a subject’s information with a higher security level. C. The Biba model addressed the fact that the Clark-Wilson model would allow a user with a lower security level rating to write to a subject’s information with a lower security level. D. The Biba model addressed the fact that the Clark-Wilson model would allow a user with a higher security level rating to write to a subject’s information with a lower security level.

A

B. The Biba model addressed the fact that Bell-LaPadula would allow a user with a lower security level to write to a subject with a higher level.

74
Q

What are the three types of anomaly-based IPS?

A

Statistical, protocol, and traffic

75
Q

Which of the following access control models addresses integrity? A. Brewer Nash B. Biba C. Bell-LaPadula D. PERT

A

b

76
Q

difficulty remembering all their passwords as they complete their daily activities. What would be the best solution? A. Lower the passwords’ complexity requirements B. Implement harsher penalties C. Add assisted user reset capabilities D. Use single sign-on

A

d

77
Q

How do you lower type 1 errors on biometric devices? A. By increasing type 2 errors B. By decreasing type 2 errors C. By increasing precision D. By decreasing CER

A

a

78
Q

A Privilege Attribute Certificate (PAC) is a component of SESAME and acts as the ticket similar to Kerberos.

A

True

79
Q

is the best way to store passwords? A. In a one-way encrypted file B. Using symmetric encryption C. Using asymmetric encryption D. By means of a digital signature

A

a

80
Q

Which of the following best describes a Zephyr chart? A. A means of establishing the accuracy of a biometric systems B. A means of comparing different biometric systems C. A means of comparing type II and type III authentication systems D. A chart used to examine the accuracy of IDSs and IPSs

A

b

81
Q

Being asked what your maiden name is, what city you were born in, and what your pet's name is is an example of what? A. Single sign-on (SSO) B. Self-service password reset C. Centralized authentication D. Assisted passwords

A

b

82
Q

Nondiscretionary access control includes which of the following? A. Role- and task-based B. Rule-based and mandatory C. Labeled and mandatory D. None of the above, because there are no subcategories

A

a

83
Q

Which of the following best describes a federated identity? A. Simply another term for SSO B. It is restricted to use within a specific domain or area of the network. C. Type I authentication (something you know) D. It is portable and can be used across business boundaries.

A

d

84
Q

What is a trust? A. A one-way-only bridge established between two domains B. A two-way-only bridge established between two domains C. A security bridge that is established after a valid authentication D. A security bridge that is established between two domains

A

d

85
Q

Which biometric system examines the colored portion of the eye that surrounds the pupil? A. Iris B. Retina C. Fovea D. Optic disk

A

a

86
Q

The Privilege Attribute Certificate (PAC) is a component of what? A. TACACS B. Kerberos C. RADIUS D. SESAME

A

d

87
Q

Triple model to ensure information INTEGRITY with enforcement rules and certification rules; "separation of duties"; relies on auditing to ensure accountability. What access control model/theory?

A

Clark-Wilson

88
Q

What access control model/theory focuses on INTEGRITY via secure creation/deletion of subjects and objects?

A

Goguen-Meseguer and Sutherland

89
Q

A system that requires a password and PIN at the gate before access is granted is what type of system? A. Authorization, B. 2-factor Authorization, C. Authentication, D. 3-factor Authentication

A

C. Authentication

90
Q

Which biometric system examines the colored portion of the eye that surrounds the pupil?

A

The iris is the colored portion of the eye.

91
Q

Provide the formula to calculate Annualized Loss Expectancy (ALE).

A

ALE = SLE × ARO, where SLE = AV × EF

92
Q

Define Delphi technique

A

An anonymous feedback and response process used to arrive at a consensus.

93
Q

Trusted Computer System Evaluation Criteria (TCSEC) is the DoD standard for computer security requirements. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information. What color book in the rainbow series?

A

ORANGE

94
Q

What are the levels of TCSEC and what do they represent?

A

The TCSEC defines four divisions: D, C, B and A, where division A has the highest security. D = minimal protection, C = discretionary protection, B = mandatory protection, A = verified protection.

95
Q

Threat Events

A

Threat events are accidental or intentional exploitations of vulnerabilities.

96
Q

Documentation Reviews

A

A portion of the documentation review is the logical and practical investigation of business processes and organizational policies.

97
Q

You’ve performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change? a: exposure factor b: single loss expectancy c: asset value d: ARO

A

D: ARO. A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.

98
Q

Which of the following is a primary purpose of an exit interview?

A

To review NDA

99
Q

What is the primary goal of access control?

A

Access control mechanisms help to prevent losses, including any loss of confidentiality, loss of availability, or loss of integrity. Subjects authenticate on a system and objects are accessed. A first step in access control is the identification and authentication of subjects, but access control also includes authorization and accountability.

100
Q

What type of access controls are hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems? A. Administrative B. Logical/technical C. Physical

A

Logical/technical access controls are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems. Administrative controls are managerial controls and physical controls use physical items to control physical access. A preventive control attempts to prevent security incidents.

101
Q

All of the following are needed for system accountability except for one. Which one is not needed? A. ID B. Authentication C. Auditing D. Authorization

A

Authorization!

102
Q

What is an ACL based on? A: An Obj B: A Subj C: A Role

A

A. An ACL is based on an object and includes a list of subjects that are granted access. A capability table is focused on a subject and includes a list of objects the subject can access. Roles and accounts are examples of subjects and may be included in an ACL, but they aren't the focus.

103
Q

Which is not used to support single sign-on? A: Kerberos B: Federated Identity Management System C: TACACS+ D: SPML

A

TACACS+ is a centralized authentication service used for remote access clients but not for single sign-on. Kerberos and federated identity management systems are used to support single sign-on. Service Provisioning Markup Language (SPML) is a language used with some federated identity systems.

104
Q

Which of the following is the best choice to support a federated identity management system? A: Kerberos B: HTML C: XML (Extensible Markup Language) D: SPML

A

SPML is an XML-based framework used to exchange user information for single sign-on (SSO) between organizations within a federated identity management system. Kerberos supports SSO in a single organization, not a federation. HTML only describes how data is displayed. XML could be used, but it would require redefining tags already defined in SPML.

105
Q

What is a passive, noninvasive attack that observes the operation of a device? Methods include power monitoring, timing, and fault analysis attacks.

A

A side-channel attack

106
Q

Define Whaling

A

Whaling is a type of phishing attack that targets high-level executives.

107
Q

Clipping

A

Clipping is a form of nonstatistical sampling that reduces the amount of logged data based on a clipping-level threshold.

108
Q

Remember: Audit trails are a passive form of detective security control. Administrative controls are management practices. Corrective controls can correct problems related to an incident, and Physical controls are controls that you can physically touch.

A

..

109
Q

Which of the following is the least resistant to EMI? A: Thinnet B: 10Base-T UTP C: 10Base5 D: Coaxial cable

A

10Base-T UTP is the least resistant to EMI because it is unshielded. Thinnet (10Base2) and thicknet (10Base5) are each a type of coaxial cable, which is shielded against EMI.

110
Q

Which of the following is not an example of network segmentation? A: Intranet B: DMZ C: Extranet D: VPN

A

A VPN is a secure tunnel used to establish connections across a potentially insecure intermediary network. Intranet, extranet, and DMZ are examples of network segmentation.

111
Q

What is a TCP wrapper?

A

A TCP wrapper is an application that can serve as a basic firewall by restricting access based on user IDs or system IDs.

112
Q

Fact: Stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities. Stateful inspection firewalls are also known as third-generation firewalls.

A

..

113
Q

switches are smart

A

A switch is an intelligent hub. It is considered to be intelligent because it knows the addresses of the systems connected on each outbound port.