Access Control

Question 1

What data structure is used to implement discretionary access control?

a. Linked list
b. 2d matrix
c. Red and black tree
d. Stack

Answer 1

b. 2d matrix

Question 2

Which of the following is granting permission to a system entity to access a system resource?

a. Authentication
b. Authorization
c. Audit
d. Allowance
e. None of the above

Answer 2

b. Authorization

Question 3

What kind of relationship is a role to a user in role based access control?

a. 1 to 1
b. 1 to many
c. Many to one
d. Many to many

Answer 3

d. Many to many (a role can have many users, many users can have many roles review chapter 4, page 146 and chapter 27)

Question 4

T/F: Access control implements a security policy that verifies the credentials of a user

Answer 4

False (page 107)

Question 5

Which entities and functions form access control?

Answer 5

Authentication, Authorization, and Audit

Question 6

Define Authentication

Answer 6

Verification that the credentials of a user or other system entity are valid

Question 7

Define Authorization

Answer 7

The granting of a right or permission to a system entity to access a system resource. This function determines who is trusted for a given purpose.

Question 8

Define Audit

Answer 8

An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy, and procedures

Question 9

This policy controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. This policy is termed [ ] because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource.

a. Mandatory Access Control (MAC)
b. Attribute Based Access Control (ABAC)
c. Discretionary Access Control (DAC)
d. Role Based Access Control (RBAC)

Answer 9

c. Discretionary Access Control (DAC)

Question 10

This policy controls access based on comparing security labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate system entities are eligible to access certain resources). This policy is termed [ ] because an entity that has clearance to access a resources may not, just by its own volition, enable another entity to access that resource

a. Mandatory Access Control (MAC)
b. Attribute Based Access Control (ABAC)
c. Discretionary Access Control (DAC)
d. Role Based Access Control (RBAC)

Answer 10

a. Mandatory Access Control (MAC)

Question 11

This policy controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.

a. Mandatory Access Control (MAC)
b. Attribute Based Access Control (ABAC)
c. Discretionary Access Control (DAC)
d. Role Based Access Control (RBAC)

Answer 11

d. Role Based Access Control (RBAC)

Question 12

This policy controls access based on attributes of the user, the resource to be accessed, and current environmental conditions

a. Mandatory Access Control (MAC)
b. Attribute Based Access Control (ABAC)
c. Discretionary Access Control (DAC)
d. Role Based Access Control (RBAC)

Answer 12

b. Attribute Based Access Control (ABAC)

Question 13

Which of the following is an entity capable of accessing objects. Generally, the concept of [ ] equates with that of process.

a. Subject
b. Object
c. Access Right
d. Access Matrix

Answer 13

a. Subject

Question 14

Which of the three classes of subject have the least amount of access granted to users who are able to access the system but are not included in the categories owner and group for this resource

a. Owner
b. Group
c. World

Answer 14

c. World

Question 15

Which of the three classes of subject may be the creator of a resource, such as a file? For system resources [ ] may belong to a system administrator. For project resources, a project administrator or leader may be assigned [ ].

a. Owner
b. Group
c. World

Answer 15

a. Owner

Question 16

Which of the three classes of subject is described as: a named group of users may also be granted access rights, such that membership in the group is sufficient to exercise these access rights.

a. Owner
b. Group
c. World

Answer 16

b. Group

Question 17

Which of the following is a recourse to which access is controlled? A [ ] is an entity used to contain and/or receive information. Examples include records, blocks, pages, segments, files, portions of files, directories, directory trees, mailboxes, messages and programs.

a. Subject
b. Object
c. Access Right
d. Access Matrix

Answer 17

b. Object

Question 18

Which of the following described the way in which a subject may access an object?

a. Access Matrix
b. Capability List
c. Capability Matrix
d. Access Right

Answer 18

d. Access Right

Question 19

This access right allows a user to view information in a system or resource. It includes the ability to copy or print.

a. Search
b. Execute
c. Read
d. Write
e. Delete
f. Create

Answer 19

c. Read

Question 20

This access right allows a user to list the files in a directory or otherwise find the directory.

a. Search
b. Execute
c. Read
d. Write
e. Delete
f. Create

Answer 20

a. Search

Question 21

This access right allows a user to create new files, records, or fields

a. Search
b. Execute
c. Read
d. Write
e. Delete
f. Create

Answer 21

f. Create

Question 22

This access right allows a user to add, modify, or delete data in a system resource. It includes read access.

a. Search
b. Execute
c. Read
d. Write
e. Delete
f. Create

Answer 22

d. Write

Question 23

This access right allows a user to delete certain system resources such as files or records

a. Search
b. Execute
c. Read
d. Write
e. Delete
f. Create

Answer 23

e. Delete (duh)

Question 24

This access right allows a user to execute specified programs

a. Search
b. Execute
c. Read
d. Write
e. Delete
f. Create

Answer 24

b. Execute

Question 25

What is the general approach to Discretionary Access Control (DAC) as exercised by an operating system or a database management system? a. Access Control List b. Access Matrix c. Capability Control Matrix d. Capability List

Answer 25

b. Access Matrix

Question 26

What are the two dimensions of an access matrix?

Answer 26

One dimension of the matrix consists of identified subjects that may attempt data access to the resources (individual users or user groups) The other dimension lists the objects that may be accessed. Objects may be individual data fields or records, files or databases Key is that each entry in the matrix indicates the access rights of a particular subject for a particular object

Question 27

Name and describe the two ways access control matrices can be decomposed

Answer 27

Access Control Lists (ACLs): for each object, an ACL lists users and their permitted access rights Capability Tickets: specifies authorized objects and operations for a particular user. Each user has a number of tickets and may be authorized to load or give them to others

Question 28

The universe of objects can be extended in multiple ways. One way is through _____ which are: access rights include the ability to delete, stop/block, and wake these up. a. Processes b. Devices c. Memory Locations or Regions d. Subjects

Answer 28

a. Processes

Question 29

The universe of objects can be extended in multiple ways. One way is through _____ which are: access rights include the ability to read/write, control operation of, and block/unblock these for use. a. Processes b. Devices c. Memory Locations or Regions d. Subjects

Answer 29

b. Devices

Question 30

The universe of objects can be extended in multiple ways. One way is through _____ which are: access rights include the ability to read/write these. They are protected such that the default is to disallow access a. Processes b. Devices c. Memory Locations or Regions d. Subjects

Answer 30

c. Memory Locations or Regions

Question 31

The universe of objects can be extended in multiple ways. One way is through _____ which are: access rights with respect to these have to do with the ability to grant or delete access rights of them to other objects a. Processes b. Devices c. Memory Locations or Regions d. Subjects

Answer 31

d. Subjects

Question 32

Explain the meaning of inode in the UNIX file administration system

Answer 32

Is a control structure that contains the key information needed by the operating system for a particular file. Several file names may be associated with a single inode, but an active inode is associated with exactly one file, and each file is controlled by exactly one inode.

Question 33

There are four entities in an RBAC system. This one is an individual that has access to his computer system. Each individual has an associated user IDF a. User b. Role c. Permission d. Session

Answer 33

a. User

Question 34

There are four entities in an RBAC system. This one is a named job function within the organization that controls this computer system. Typically, associated with each [ ] is a description of the authority and responsibility conferred to it, and on any user who assumes this [ ] a. User b. Role c. Permission d. Session

Answer 34

b. Role

Question 35

There are four entities in an RBAC system. This one is an approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization a. User b. Role c. Permission d. Session

Answer 35

c. Permission

Question 36

There are four entities in an RBAC system. This one is a mapping between a user and an activated subset of the set of roles to which the user is assigned a. User b. Role c. Permission d. Session

Answer 36

d. Session

Question 37

Constraints provide a means of adapting RBAC to the specifics of administrative and security policies in an organization. A constraint is a defined relationship among roles or a condition related to roles. This RBAC constraint refers to setting a maximum number with respect to roles. One such constraint is to set a maximum number of users that can be assigned to a given role. a. Mutually Exclusive Roles b. Cardinality c. Prerequisite Roles

Answer 37

b. Cardinality

Question 38

Constraints provide a means of adapting RBAC to the specifics of administrative and security policies in an organization. A constraint is a defined relationship among roles or a condition related to roles. This RBAC constraint refers to roles such that a user can be assigned to only one role in the set a. Mutually Exclusive Roles b. Cardinality c. Prerequisite Roles

Answer 38

a. Mutually Exclusive Roles

Question 39

Constraints provide a means of adapting RBAC to the specifics of administrative and security policies in an organization. A constraint is a defined relationship among roles or a condition related to roles. This RBAC constraint refers to dictating a user can only be assigned to a particular role if it is already assigned to some other specified role. a. Mutually Exclusive Roles b. Cardinality c. Prerequisite Roles

Answer 39

c. Prerequisite Roles

Question 40

T/F: The main obstacle to adoption of ABAC is the concern about the performance impact. Its evaluation is predicated on both resource and user properties for each access.

Answer 40

True

Question 41

What are the 3 key elements to an ABAC model?

Answer 41

Attributes: defined for entities in a configuration Policy Model: defines the ABAC policies Architecture Model: applies to policies which enforce access control

Question 42

There are three types of attributes for ABAC Model. This one is defined as: an active entity (e.g. a user, an application, a process, or a device) which causes information to flow among objects or changes the system state a. Subject Attributes b. Object Attributes c. Environmental Attributes

Answer 42

a. Subject Attributes

Question 43

There are three types of attributes for ABAC Model. This one is defined as: a resource. Is a passive information system-related entity (e.g. devices, files, records, tables, processes, programs, networks, domains) containing or receiving information a. Subject Attributes b. Object Attributes c. Environmental Attributes

Answer 43

b. Object Attributes

Question 44

There are three types of attributes for ABAC Model. This one is defined as: the operational, technical, and even situational environment or context in which the information access occurs. a. Subject Attributes b. Object Attributes c. Environmental Attributes

Answer 44

c. Environmental Attributes

Question 45

T/F: Privileges in ABAC are a set of rules and relationships which govern allowable behavior within an organization, based on the privileges of subjects and how resources or objects are to be protected under which environment conditions.

Answer 45

False. Defined is a policy in ABAC.

Question 46

T/F: Policy in ABAC represent the authorized behavior of a subject (also called rights, authorizations, or entitlements).

Answer 46

False. This is the definition for privileges in ABAC

Question 47

This is a comprehensive approach to managing and implementing digital identities, credentials, and access control. a. ICAM b. Identity Management c. RBAC d. Privilege Management

Answer 47

a. ICAM (Identity, Credential, and Access Management)

Question 48

This is concerned with assigning attributes to a digital identity and connecting that digital identity to an individual or NPE. The goal is to establish a trustworthy digital identity that is independent of a specific application or context. a. ICAM b. Identity Management c. RBAC d. Privilege Management

Answer 48

b. Identity Management

Question 49

List the elements of identity lifecycle management.

Answer 49

a. Mechanisms, policies, procedures for protecting PII b. Controlling access to identity data c. Techniques for sharing authoritative identity data with applications which need it d. Revocation of an enterprise identity

Question 50

This is an object or data structure which authoritatively binds an identity to a token possessed and controlled by a subscriber a. Privilege b. User c. Role d. Credential

Answer 50

d. Credential

Question 51

There are three supporting elements which are needed for an enterprise-wide access control facility. This one is the element concerned with defining rules for a resource which requires access control. a. Resource Management b. Privilege Management c. Policy Management

Answer 51

a. Resource Management

Question 52

There are three supporting elements which are needed for an enterprise-wide access control facility. This one is the element concerned with establishing and maintaining the entitlement attributes that comprise an individual's access profile. a. Resource Management b. Privilege Management c. Policy Management

Answer 52

b. Privilege Management

Question 53

There are three supporting elements which are needed for an enterprise-wide access control facility. This one is the element concerned with governing what is allowable and not allowed in an access transaction. a. Resource Management b. Privilege Management c. Policy Management

Answer 53

c. Policy Management

Question 54

Multiple Selection: What are the requirements of a trusted computing base (TCB)? a. User Experience b. Tamper Proof c. Reliability d. Complete Mediation e. Correctness

Answer 54

b. Tamper-Proof: untrusted code should not be able to tamper with code or data which make up the TCB d. Complete Mediation: TCB must be a reference monitor. Every reference from a resource that needs to be protected must go through the TCB. There should be no way to bypass this. e. Correctness: since we put all our trust in the TCB, it must be correct.

Question 55

Which Type of control is based on the identity of the requestor and the access rules state what a requestor can or cannot do? A) Mandatory Access Control (MAC) B) Role-based access control (RBAC) C) Discretionary access control (DAC) D) Attribute-based access control (ABAC)

Answer 55

Answer C This policy is termed discretionary because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource. Source: Book Chapter 4.2 Page 131

Question 56

T/F: Access Control Lists make it easy to look up who all the users are that can access a resource, and the type of access they have for that resource.

Answer 56

Answer True | Source: Book Chapter 4.3 Page 111

Question 57

What does each entry of an access matrix indicate? A. Access rights of a particular object for a particular subject. B. Access rights of a particular subject for a particular object. C. Access rights of a particular subject for a particular directory. D. Access rights of a particular object for a particular group.

Answer 57

Answer B Source: Book pg. 111

Question 58

T/F: DAC is a concept that evolved out of requirements for military information security.

Answer 58

Answer False DAC is the traditional method for implementing access control, MAC was created out of military necessity. Source: Book, Ch 4, Pg. 109

Question 59

T/F: One problem with DAC is that it is not possible to control information flow.

Answer 59

Answer True Source: Mandatory Access Control Lecture

Question 60

T/F: DAC is popular with corporations because it reflects how they treat their data.

Answer 60

Answer False Employers mandate explicit policies on who can share what. Source: Mandatory Access Control Lecture

Question 61

An access control mechanism mediates between a user (or a process executing on behalf of a user) and system resources, such as: a) firewalls b) routers c) applications d) a & b only f) All of the above

Answer 61

f) All of the above | ch. 4, p. 108 of text

Question 62

Which of the following is granting permission to a system entity to access a system resource? ``` A) Authentication B) Authorization C) Audit D) Allowance E) None of the Above ```

Answer 62

Answer B Authorization determines who is trusted for a given purpose Source: Book Chapter 4.1 Page 130

Question 63

T/F: Access control implements a security policy that verifies the credentials of a user.

Answer 63

Answer False. Access control implements a security policy that specifies who or what may have access to each specific system resource, and the type of access that is permitted in each instance. Source: Book pg. 107

Question 64

Under Mandatory Access Control (MAC), what two properties provide confidentiality: A) Read Up, Write Down B) No Read Up, No Write Down C) Read Up, No Write Down D) No Read Up, Write Down

Answer 64

Answer B) No Read Up, No Write Down No read up: A subject can only read an object of less or equal security level No write down: A subject can only write into an object of greater or equal security level. ch. 27, p. 27-2 text

Question 65

T/F: A subject is said to have a security clearance of a given level and an object is said to have a security classification of a given level.

Answer 65

Answer True Source: Book Chapter 27 Page 27-4

Question 66

For the Bell-Lapadula Model (BLP), the properties needed for the confidentiality form of MAC are: 1. ds-property and *-property 2. ss-property and *-property 3. ss-property and ds-property 4. None of the above

Answer 66

Answer 2. (Chapter 27.1) ss-property (simple security property): no read up *-property (star property): no write down The ds-property is a provision made by BLP for DAC but must be consistent with MAC rules.

Question 67

T/F: Other MAC models such as Bell and La Padua (BLP Model) is focused on Integrity, and BIBA model is focused on Confidentiality.

Answer 67

Answer False BLP focuses on Confidentiality and BIBA focuses on Integrity Source: P1:L6 MAC slides | Other MAC models

Question 68

T/F: Examples of BLP model classifications are High, Medium, and Low.

Answer 68

Answer False. Examples are Top Secret, Secret, Confidential Source: P1:L6 MAC slides | Other MAC models

Question 69

T/F: MAC cannot be employed with other access control policies, such as DAC, RBAC, and ABAC.

Answer 69

Answer False All four access policies (DAC, MAC, RBAC, and ABAC) are not mutually exclusive Source: Book, Ch. 4, Pg. 109

Question 70

______ is based on the roles that users assume in a system rather than a user’s identity. A. DAC B. MAC C. RBAC D. ABAC

Answer 70

Answer C Source: Book pg. 120

Question 71

What aspect of an established RBAC system is likely to change infrequently? ``` A) The set of resources and the specific access rights associated with a particular role. B) The set of roles in the system. C) The set of users. D) A & B E) None of the above. ```

Answer 71

Answer D Source: Book. Ch 4, Pg 120

Question 72

The RBAC prerequisite role can be used for the following: A) A way to increase the difficulty of collusion among individuals of different skills or divergent job functions to thwart security policies. B) For structuring the implementation of the least privilege concept. C) As a risk mitigation technique for a sensitive or powerful permission. D) None of the above

Answer 72

Answer B Source: Book, Ch 4, Pg 125

Question 73

How does ABAC model controls access?

Answer 73

ABAC evaluates attributes of subject/object and access control rule defining allowable operation in a given environment Source: book p. 127

Question 74

In the Attribute-Based Access Control (ABAC) model: current date and time, the current virus/hacker activities, and the network’s security level are known as ____ ``` A) Object attributes B) Subjects attributes C) Environment attributes D) Access Right E) None of the Above ```

Answer 74

Answer C environments describe the operational, technical, and even situational environment or context in which the information access occurs Source: Book Chapter 4.6 Page 149

Question 75

In a(n) _____ model, authorizations can be defined that express conditions on properties of both the resource and the subject. A. DAC B. MAC C. RBAC D. ABAC

Answer 75

Answer D Source: Book pg. 126

Question 76

The strength of the ABAC approach is its ________ and ________. A. strictness, performance B. flexibility, expressive power C. extensibility, ease of use D. None of the above

Answer 76

Answer B Source: Book pg. 126

Question 77

T/F: Access Control Lists may have default entry that should always follow the rule of least privilege

Answer 77

Answer True Source: book p.111

Question 78

T/F: The columns of an Access Control Matrix are Access Control Lists.

Answer 78

Answer True The matrix may be decomposed by columns, yielding access control lists (ACLs) (see Figure 4.2b). Decomposition by rows yields capability lists (see Figure 4.2c). Source: Book chapter 4.3 page 133

Question 79

In Unix, a user (U) can run with the permission of the file creator (C) under what condition(s)? a) U has execute privileges b) C has read, write, and execute permissions c) Set User ID d) Set Group ID e) a & c f) all of the above

Answer 79

Answer E

Question 80

Multiple Choice: What contents exist inside of a file’s inode? a) Environmental Variables b) Answer Owner ID c) Group ID d) User ID e) 12 protection bits

Answer 80

Answer b), c), e)

Question 81

What is an inode (index node)? A.) An inode is part of a linked list design for memory storage B.) An inode is a special directory only to bee seen by root C.) An inode is a control structure that contains information needed by the OS for a file. D.) An inode is a user permission for a given user group.

Answer 81

Answer C Page 117

Question 82

T/F: An inode contains all information about a file.

Answer 82

Answer False inode’s don’t contain the file name and actual data

Question 83

The concept of inheritance enables one role to implicitly include access rights associated with a subordinate role. What role-based access control makes use of this concept?

Answer 83

Answer: Role Hierarchy Source: book p.124

Question 84

What is the initial requirement for performing user authentication? A.) User must be registered within the system. B.) A token must be verified C.) A digital signature needs to be authenticated D.) A multi factor system has to be in place

Answer 84

Answer A Page 65

Question 85

What are examples of static vs dynamic biometric recognition? A.) Dynamic biometric could be a fingerprint and Static could be a voice pattern B.) Dynamic can be face recognition and static could be fingerprint C.) Dynamic is when you have an electronic keycard and static is a fingerprint D.) Static biometric is a fingerprint and dynamic biometric is a voice pattern

Answer 85

Answer D Page 66

Question 86

The means for authenticating a user can be summarized in general terms by four things. What are the four things? A.) Something the user knows, possesses, is and does. B.) Something the user knows, possesses, is and wants C.) Something the user can see, knows, wants and doesn’t have D.) something the user knows, is, wants and does

Answer 86

Answer A Page 66

Question 87

Bad person Eve walks up to the system and says she is Alice, and successfully logs in as Alice. This authentication outcome is a: A.) False negative B.) False positive

Answer 87

Answer B P1:L4 Authentication (Authentication Goals video slide)

Question 88

A ________ is a set of programs installed on a system to maintain covert access to that system with administrator or root privileges, while hiding evidence of its presence to the greatest extent possible

Answer 88

Answer Rootkit Source: Book Page 212

Question 89

A rootkit can be classified into which of the following characteristics: ``` A.) Persistent B.) Memory Based C.) User Mode D.) Kernel Mode E.) Virtual Machine based F.) External Mode G.) All of the above ```

Answer 89

Answer G Source: Book page 312

Question 90

A rootkit can be classified into _______ this is when the rootkit intercepts calls to APIs and modifies the returned results. A.) Memory based B.) User Mode C.) Kernel Mode D.) External mode

Answer 90

Answer B.) User Mode Source Book page 212

Question 91

What type of rootkit can not survive a reboot and why not? A.) Kernel Mode and because there is no user intervention B.) Persistent and because the firewall flushes the rootkit out C.) Memory based and there is no persistent code D.) External Mode and because it is located in the BIOS

Answer 91

Answer C Page 212: The book says “Memory based rootkits have no persistent code and therefore can not survive a reboot”

Question 92

Which of the following are valid defenses against Client Attacks on a user authentication system? I. Use passwords and pins with high entropy II. Protect the password database III. Implement a challenge-response protocol IV. Limit authentication attempts a. I and II b. I and IV c. II and IV d. II and III e. I, II, and IV

Answer 92

Answer: B (I and IV)

Question 93

T/F: The three A's of access control are Authentication, Authorization, and Allowance

Answer 93

False. Third "A" is Audit