Access Control Flashcards
Which of the following is true related to a subject?
A. A subject is always a user account.
B. The subject is always the entity that provides or hosts the information or data.
C. The subject is always the entity that receives information about or data from the object.
D. A single entity can never change roles between subject and object.
C. The subject is active and is always the entity that receives information about or data from the object. A subject can be a user, a program, a process, a file, a computer, a database, and so on. The object is always the entity that provides or hosts information or data. The roles of subject and object can switch while two entities communicate to accomplish a task.
Which of the following is considered a primary goal of access control?
A. Preserve confidentiality, integrity, and availability of systems.
B. Ensure that only valid objects can authenticate on a system.
C. Prevent unauthorized access to subjects.
D. Ensure that all subjects are authenticated.
A. Access control mechanisms help to prevent losses, including any loss of confidentiality, loss of availability, or loss of integrity. Subjects authenticate on a system and objects are accessed. A first step in access control is the identification and authentication of subjects, but access control also includes authorization and accountability.
Which of the following types of access control uses fences, security policies, security awareness training, and antivirus software to stop an unwanted or unauthorized activity from occurring?
A. Preventive
B. Detective
C. Corrective
D. Authoritative
A. A preventive access control is deployed to stop an unwanted or unauthorized activity from occurring. Detective controls discover the activity after it has occurred, and corrective controls attempt to reverse any problems caused by the activity. Access controls are not categorized as authoritative.
What type of access controls are hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems?
A. Administrative
B. Logical/technical
C. Physical
D. Preventive
B. Logical/technical access controls are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems. Administrative controls are managerial controls, and physical controls use physical items to control physical access. A preventive control attempts to prevent security incidents.
All of the following are needed for system accountability except for one. Which one is not needed?
A. Identification
B. Authentication
C. Auditing
D. Authorization
D. Authorization is not needed for accountability. However, users must be identified and authenticated and their actions logged using some type of auditing to provide accountability.
Which of the following is an example of a Type 2 authentication factor?
A. “Something you have,” such as a smart card, ATM card, token device, and memory card
B. “Something you are,” such as fingerprints, voice print, retina pattern, iris pattern, face shape, palm topology, and hand geometry
C. “Something you do,” such as typing a passphrase or signing your name
D. “Something you know,” such as a password, personal identification number (PIN), lock combination, passphrase, mother’s maiden name, and favorite color
A. A Type 2 authentication factor is “something you have,” including a smart card, token device, or memory card. Type 3 authentication is “something you are,” and some behavioral biometrics include “something you do.” Type 1 authentication is “something you know.”
Users are given a device that generates one-time passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?
A. Synchronous token
B. Asynchronous token
C. Smart card
D. Common access card
A. A synchronous token generates one-time passwords and displays them in an LCD, and this password is synchronized with an authentication server. An asynchronous token uses a challenge-response process to generate the token. Smart cards do not generate one-time passwords, and common access cards are a version of a smart card that includes a picture of the user.
What can be used as an authentication factor that is a behavioral or physiological characteristic unique to a subject?
A. Account ID
B. Biometric factor
C. Token
D. PIV
B. A biometric factor is a behavioral or physiological characteristic that is unique to a subject, such as fingerprints and face scans, and is also known as a Type 3 authentication factor. An account ID provides identification. A token is a Type 2 authentication factor. A Personal Identity Verification (PIV) card is a smart card that includes a picture of the user.
What does the crossover error rate (CER) for a biometric device indicate?
A. It indicates that the sensitivity is tuned too high.
B. It indicates that the sensitivity is tuned too low.
C. It indicates the point where the false rejection rate and the false acceptance rate are equal.
D. It indicates that the biometric device is not properly configured.
C. The point at which biometric Type 1 errors (false rejection rate) and Type 2 errors (false acceptance rate) are equal is the crossover error rate (CER). The CER level is used as a standard assessment point to compare biometric authentication systems. It does not indicate that sensitivity is too high or too low or whether the device is configured properly.
A biometric system has falsely rejected a valid user, indicating that the user is not recognized. What type of error is this?
A. Type 1 error
B. Type 2 error
C. Crossover error rate
D. Equal error rate
A. A Type 1 error occurs when a valid subject is not authenticated and is also known as a false negative authentication. A Type 2 error occurs when an invalid subject is authenticated. This is also known as a false positive authentication. The crossover error rate (also called equal error rate) compares the rate of Type 1 errors to Type 2 errors and provides a measurement of the accuracy of the biometric system.
A large table includes multiple subjects and objects. It identifies the specific access each subject has to different objects. What is this table called?
A. Access control list
B. Access control matrix
C. Federation
D. Creeping privilege
B. An access control matrix includes multiple subjects and objects and lists subjects’ access to various objects. A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management system for single sign-on. Creeping privileges refers to excessive privileges a subject gathers over time.
What is an access control list (ACL) based on?
A. An object
B. A subject
C. A role
D. An account
A. An ACL is based on an object and includes a list of subjects that are granted access. A capability table is focused on a subject and includes a list of objects the subject can access. Roles and accounts are examples of subjects and may be included in an ACL, but they aren’t the focus.
What type of access controls rely upon the use of labels?
A. Discretionary
B. Nondiscretionary
C. Mandatory
D. Role based
C. Mandatory access controls rely on use of labels for subjects and objects. Discretionary access control systems allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management such as a rule-based access control deployed on a firewall. Role-based access controls define a subject’s access based on job-related roles.
An organization has created an access control policy that grants specific privileges to accountants. What type of access control is this?
A. Discretionary
B. Mandatory
C. Rule based
D. Role based
D. A role-based access control policy grants specific privileges based on roles, and roles are frequently job based or task based. Discretionary access controls allow owners to control privileges, mandatory access controls use labels to control privileges, and rule-based access controls use rules.
Which of the following is not used to support single sign-on?
A. Kerberos
B. Federated identity management system
C. TACACS+
D. SPML
C. TACACS+ is a centralized authentication service used for remote access clients but not for single sign-on. Kerberos and federated identity management systems are used to support single sign-on. Service Provisioning Markup Language (SPML) is a language used with some federated identity systems.
Which of the following is the best choice to support federated identity management systems?
A. Kerberos
B. Hypertext Markup Language (HTML)
C. Extensible Markup Language (XML)
D. Service Provisioning Markup Language (SPML)
D. SPML is an XML-based framework used to exchange user information for single sign-on (SSO) between organizations within a federated identity management system. Kerberos supports SSO in a single organization, not a federation. HTML only describes how data is displayed. XML could be used, but it would require redefining tags already defined in SPML.
Which of the following authentication, authorization, and accounting (AAA) protocols is based on RADIUS and supports Mobile IP and Voice over IP?
A. Distributed access control
B. Diameter
C. TACACS+
D. TACACS
B. Diameter is based on RADIUS and it supports Mobile IP and Voice over IP. Distributed access control systems such as a federated identity management system are not a specific protocol, and they don’t necessarily provide authentication, authorization, and accounting. TACACS and TACACS+ are AAA protocols, but they are alternatives to RADIUS, not based on RADIUS.
Name at least seven access control types.
Access control types include preventive access control, deterrent access control, detective access control, corrective access control, recovery access control, compensation access control, directive access control, administrative access control, logical or technical access control, and physical access control. They are implemented as administrative controls, logical/technical controls, and/or physical controls.
Describe the three primary authentication factor types.
A Type 1 authentication factor is “something you know.” A Type 2 authentication factor is “something you have.” A Type 3 authentication factor is “something you are.”
Name the method that allows users to log on once and access resources in multiple organizations without authenticating again.
Federated identity management systems allow single sign-on to be extended beyond a single organization. Single sign-on allows users to authenticate once and access multiple resources without authenticating again.
Identify the three primary elements within the identity and access provisioning life cycle.
The identity and access provisioning life cycle includes provisioning accounts, periodically reviewing and managing accounts, and revocation of accounts when they are no longer being used.
When an organization is attempting to identify risks, what should they identify first?
A. Assets
B. Threats
C. Vulnerabilities
D. Public attacks
A. An organization must first identify the value of assets when identifying risks so that they can focus on risks to their most valuable assets. They can then identify threats and vulnerabilities. Public attacks can be evaluated to determine if they present a risk to the organization, but this should not be the first step.
What would an organization do to identify weaknesses?
A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. Access review
C. A vulnerability analysis identifies weaknesses and can include periodic vulnerability scans and penetration tests. Asset valuation determines the value of assets, not weaknesses. Threat modeling attempts to identify threats, and threats are often paired with vulnerabilities to identify risk, but threat modeling doesn’t identify weaknesses. An access review audits account management and object access practices.
Which of the following is not a valid measure to take to improve protection against brute-force and dictionary attacks?
A. Enforce strong passwords through a security policy.
B. Maintain strict control over physical access.
C. Require all users to log in remotely.
D. Use two-factor authentication.
C. Requiring users to log in remotely does not protect against password attacks such as brute-force or dictionary attacks. Strong password policies, physical access control, and two-factor authentication all improve the protection against brute-force and dictionary password attacks.
What type of attack can detect passwords sent across a network in cleartext?
A. Spoofing attack
B. Spamming attack
C. Sniffing attack
D. Side-channel attack
C. A sniffing attack uses a sniffer (also called a packet analyzer or protocol analyzer) to capture data and can be used to read passwords sent across a network in cleartext. A spoofing attack attempts to hide the identity of the attacker. A spamming attack involves sending massive amounts of email. A side-channel attack is a passive, noninvasive attack used against smart cards.
Which of the following can help mitigate the success of an online brute-force attack?
A. Rainbow table
B. Account lockout
C. Salting passwords
D. Encryption of password
B. An account lockout policy will prevent someone from logging into an account after they have entered an incorrect password too many times. A rainbow table is used by an attacker in offline password attacks, and password salts reduce the effectiveness of rainbow tables. Encrypting the password protects the password, but not against a brute-force attack.
What is an attack that attempts to detect flaws in smart cards?
A. Whaling
B. Side-channel attack
C. Brute-force
D. Rainbow table attack
B. A side-channel attack is a passive, noninvasive attack to observe the operation of a device. Methods include power monitoring, timing, and fault analysis attacks. Whaling is a type of phishing attack that targets high-level executives. A brute-force attack attempts to discover passwords by using all possible character combinations. A rainbow table attack is used to crack passwords.
What type of attack uses email and attempts to trick high-level executives?
A. Phishing
B. Spear phishing
C. Whaling
D. Vishing
C. Whaling is a form of phishing that targets high-level executives. Spear phishing targets a specific group of people but not necessarily high-level executives. Vishing is a form of phishing that commonly uses Voice over IP (VoIP).