Access Control

Question 1

A preliminary step in managing resources is
A. Conducting a risk analysis
B. Defining who can access a given system or information
C. Performing a business impact analysis
D. Obtaining top management support

Answer 1

B. Defining who can access a given system or information

Question 2

Which best describes access controls?
A. Access controls are a collection of technical controls that permit access to authorized users, systems, and applications.
B. Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved.
C. Access control is the employment of encryption solutions to protect authentication information during logon.
D. Access controls help protect against vulnerabilities by controlling unauthorized access to systems and information by employees, partners, and customers.

Answer 2

B. Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved.

Question 3

\_\_\_\_\_\_\_ requires that a user or process be granted access to only those resources necessary to perform assigned functions
A. Discretionary access control
B. separation of duties
C. Least privilege
D. Rotation of duties

Answer 3

C. Least privilege

Question 4

What are the seven main categories of access control?
A. Detective, corrective, monitoring, logging, recovery, classification, and directive
B. Directive, deterrent, preventative, detective, corrective, compensating, recovery
C. authorization, identification, factor, corrective, privilege, detective, directive
D. identification, authentication, authorization, detective, corrective, recovery, directive,

Answer 4

B. Directive, deterrent, preventative, detective, corrective, compensating, recovery

Question 5

What are the 3 types of access control?
A. administrative, physical, technical
B. identification, authentication, authorization
C. mandatory, discretionary, least privilege
D. access, management, monitoring

Answer 5

A. administrative, physical, technical

Question 6

Which approach revolutionized the cracking of passwords?
A. brute force
B. rainbow table
C. memory tabling
D one-time hashing

Answer 6

B. rainbow table

Question 7

What best describes 2-factor authentication?
A. hard token and smart card
B. username and pin
C. password and pin
D. pin and hard token

Answer 7

D. pin and hard token

Question 8

A potential vulnerability of the kerberos authentication server is
A. single point of failure
B. asymmetric key compromise
C. use of dynamic passwords
D. limited lifetimes for authentication credentials.

Answer 8

A. single point of failure

Question 9

In mandatory access control the system controls access and the owner determines
A. validation
B. need to know
C. consensus
D. verification

Answer 9

B. need to know

Question 10

Which is the least significant issue when considering biometrics?
A. resistance to counterfeiting
B. technology type
C. user acceptance
D. reliability and accuracy

Answer 10

B. technology type

Question 11

Which is a fundamental disadvantage of biometrics?
A. revoking credentials
B. encryption
C. communications
D. Placement

Answer 11

A. revoking credentials

Question 12

role based access control
A. is unique to mandatory access control
B. is independent of owner input
C. is based on job functions
D. can be compromised by inheritance

Answer 12

C. is based on job functions

Question 13

Identity management is
A. another name for access controls
B. technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment
C. Technologies and processes focused on the provisioning and decommissioning of user credentials.
D. Technologies and processes used to establish trust relationships with disparate systems.

Answer 13

B. technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment

Question 14

A disadvantage of single sign on is
A. consistent time-out enforcement across platforms
B. A compromised password exposes all authorized resources
C. Use of multiple passwords to remember
D. password change control

Answer 14

B. technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment

Question 15

Which of the following is incorrect when considering privilege management?
A. privileges associated with each system, service, or application, and the defined roles within the organization to which they are needed should be identified and clearly documented.
B. Privileges should be managed based on least privilege. Only rights required to perform a job should be provided to a user, group, or role.
C. An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated.
D. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function.

Answer 15

D. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function.

Question 16

Threat modeling is the process of
A. determining which threats to neutralize first.
B. developing access controls which will compensate for vulnerabilities.
C. a risk assessment approach in which decisions are based on risk and value.
D. scenario analysis targeted towards determining the best approach for threat elimination.

Answer 16

C. a risk assessment approach in which decisions are based on risk and value.

Question 17

When reviewing user entitlement the security professional must be most aware of
A. identity management and disaster recovery capability.
B. business or organization processes and access aggregation
C. The organizational tenure of the user requesting entitlement
D. Automated processes which grant user access to resources.

Answer 17

B. business or organization processes and access aggregation

Question 18

Which formula represents ALE or annual loss exposure?
A. ALE = SLE x ARO
B. SLE = ARO x ALE
C. SLE = ARO x EF
D. ALE = EF x SLE

Answer 18

A. ALE = SLE x ARO

Question 19

In constructing a continuous monitoring system, numerous feeds from several systems must be correlated and analyzed. Which of the following best provides this capability?
A. IPS
B. Identity management and access control system
C. IDS
D. Security Information and event management SIEM.

Answer 19

D. Security Information and event management SIEM.

Question 20

A guard dog patrolling the perimeter of a data center is what type of control?
A. recovery
B. administrative
C. logical
D. physical

Answer 20

D. physical

Question 21

Define access controls

Answer 21

the collection of mechanisms, processes that work together to protect the assets of an organization.

Question 22

3 core security principles

Answer 22

confidentiality
integrity
availability

Question 23

define defense in depth

Answer 23

practice of applying multiple layers of security protection

Question 24

7 categories of access control

Answer 24

directive
deterrent
preventative
compensating
detective
corrective
recovery

Question 25

define directive control

Answer 25

designed to specify acceptable rules of behavior within an organization

Question 26

define deterrent control

Answer 26

designed to discourage people from violating security directives

Question 27

define preventative control

Answer 27

implemented to prevent a security incident

Question 28

define compensating control

Answer 28

implemented to substitute for the loss of primary control

Question 29

define detective control

Answer 29

designed to signal a warning when a security control has been breached

Question 30

define corrective control

Answer 30

implemented to remedy circumstance, mitigate damage

Question 31

define recovery control

Answer 31

implemented to restore conditions to normal

Question 32

3 access control types

Answer 32

administrative
logical/technical
physical

Question 33

2 access control techniques

Answer 33

discretionary

mandatory

Question 34

define discretionary access control

Answer 34

control placed on data by the owner of the data.

Question 35

define mandatory access control

Answer 35

controls determined by the system and based on organizational policy.

Question 36

3 factors in authentication

Answer 36

something you know
something you have
something you are

Question 37

Does Kerberos use symmetric or asymmetric encryption?

Answer 37

symmetric

Question 38

What is SESAME?

Secure European System for Applications in a Multi-vendor Environment

Answer 38

Extension to Kerberos to overcome limitations

Question 39

What encryption types are used by SESAME?

Answer 39

symmetric, asymmetric

Question 40

Which of the following does not correctly describe a directory service?
A. It manages objects within a directory by using namespaces.
B. It enforces security policy by carrying out access control and identity management functions.
C. It assigns namespaces to each object in databases that are based on the X.509 standard and are accessed by LDAP.
D. It allows an administrator to configured and manage how identification takes place within the network.

Answer 40

C. It assigns namespaces to each object in databases that are based on the X.509 standard and are accessed by LDAP.

Question 41

Hannah has been assigned the task of installing web access management (WAM) software. What is the best description for what WAM is commonly used for?
A. Control external entities requesting access through X.500 databases.
B. Control external entities requesting access to internal objects.
C. Control internal entities requesting access through X.500 databases.
D. Control internal entities requesting access to external objects.

Answer 41

B. Control external entities requesting access to internal objects.

Question 42

There are several types of password management approaches used by identity management systems.  Which of the following reduces help desk call volume, but is also criticized for the ease with which a hacker could gain access to multiple resources if a password is compromised?
A.  Management password reset
B. self service password reset
C. Password synchronization
D. Assisted password reset

Answer 42

C. Password synchronization

Question 43

A number of attacks can be performed against smart cards.  Side channel is a class of attacks that doesn't try to compromise a flaw or weakness.  Which of the following is not a side-channel attack?
A. Differential power analysis
B. Microprobing analysis
C. Timing analysis
D. Electromagentic analysis

Answer 43

B. Microprobing analysis

Question 44

Which of the following does not describe privacy aware role based access control?
A. It is an example of a discretionary access control model
B. Detailed access controls indicate the type of data that users can access based on the data’s level of privacy sensitivity.
C. It is an extension of role-based access control
D. It should be used to integrate privacy policies and access control policies.

Answer 44

A. It is an example of a discretionary access control model

Question 45

What was the direct predecessor to Standard Generalized Markup Language?
A. HTML
B. XML
C. LaTex
D. GML

Answer 45

D. GML

Question 46

Brian has been asked to work on the virtual directory of his company’s new identity management system. Which of the following best describes a virtual directory?
A. Meta-directory
B. User attribute information stored in an HR database
C. Virtual container for data from multiple sources
D. A service that allows an administrator to configure and manage how identification takes place.

Answer 46

C. Virtual container for data from multiple sources

Question 47

Emily is listening to network traffic and capturing passwords as they are sent to the authentication server.  She plans to use the passwords as part of a future attack.  What type of attack is this?
A. Brute-force
B. Dictionary
C. Social engineering
D. Replay

Answer 47

D. Replay

Question 48

Which of the following correctly describes a federated identity and its role within identity management processes?
A. A non-portable identity that can be used across business boundaries
B. A portable identity that can be used across business boundaries
C. An identity that can be used within intranet virtual directories and identity stores.
D. An identity specified by domain names that can be used across business boundaries.

Answer 48

B. A portable identity that can be used across business boundaries

Question 49

Phishing and pharming are similar. Which of the following correctly describes the difference?
A. Personal information is collected from victims through legitimate looking web sites in phishing attacks, while personal information is collected from victims via email in pharming attacks.
B. Phishing attacks point email recipients to a from where victims input personal information, while pharming attacks use pop-up forms at legitimate web sites to collect personal information from victims.
C. Victims are pointed a fake web site with a domain name that looks similar to a legitimate site’s in a phishing attack, while victims are directed to a fake web site as a result of a legitimate domain name being incorrectly translated by the DNS server in a pharming attack.
D. Phishing is a technical attack, while pharming is a type of social engineering.

Answer 49

C. Victims are pointed a fake web site with a domain name that looks similar to a legitimate site’s in a phishing attack, while victims are directed to a fake web site as a result of a legitimate domain name being incorrectly translated by the DNS server in a pharming attack.

Question 50

Security countermeasures should be transparent to users and attackers. Which of the following does not describe transparency?
A. User activities are monitored and tracked without negatively affecting system performance.
B. User activities are monitored and tracked without the user knowing about the mechanism that is carrying this out.
C. Users are allowed access in a manner that does not negatively affect business processes.
D. Unauthorized access attempts are denied and logged without the intruder knowing about the mechanism that is carrying this out.

Answer 50

A. User activities are monitored and tracked without negatively affecting system performance.

Question 51

What markup language allows for the sharing of application security policies to ensure that all applications are following the same security rules?
A. XML
B. SPML
C. XACML
D. GML

Answer 51

C. XACML

Question 52

The importance of protecting audit logs generated by computers and network devices is highlighted by the fact that it is required by many of today’s regulations. Which of the following does not explain why audit logs should be protected?
A. If not properly protected, these logs may not be admissible during a prosecution.
B. Audit logs contain sensitive data and should only be accessible to certain subset of people.
C. Intruders may attempt to scrub the logs to hide their activities.
D. The format of the logs should be unknown and unavailable to the intruder.

Answer 52

D. The format of the logs should be unknown and unavailable to the intruder.

Question 53

Harrison is evaluating access control products for his company. Which of the following is not a factor he needs to consider when choosing products?
A. Classification level of data
B. Level of training that employees have received
C. Logical access controls provided by products
D. Legal and regulation issues

Answer 53

B. Level of training that employees have received

Question 54

There are several types of intrusion detection systems.  What type of IDS builds a profile of an environment's normal activities and assigns an anomaly score to packets based on the profile?
A. state based
B. statistical anomaly based
C. misuse detection
D. protocol signature

Answer 54

B. statistical anomaly based

Question 55

A rule based IDS takes a different approach than signature based or anomaly based system. Which of the following is characteristic of a rule based IDS?
A. Uses if/then programming within expert systems
B. Identifies protocols used outside of their common bounds
C. Compares patterns to several activities at once.
D. Can detect new attacks

Answer 55

A. Uses if/then programming within expert systems

Question 56

Sam plans to establish mobile phone service using the information he has stolen from his former boss.  What type of identity theft is this?
A. Phishing
B. True name
C. Pharming
D. Account takeover

Answer 56

B. True name

Question 57

Of the following, what is the primary item that a capability list is based on?
A. A subject
B. An object
C. A product
D. An application

Answer 57

A. A subject

Question 58

Alex works for a chemical distributor that assigns employees tasks that separate their duties and routinely rotates job assignments. Which of the following best describes the differences between these countermeasures?
A. They are the same thing with different titles
B. They are administrative controls that enforce access control and protect the company’s resources
C. Separation of duties ensures that one person can’t perform a high-risk task alone, and job rotation can uncover fraud because more than one person knows the tasks of a position.
D. Job rotation ensures that one person can’t perform a high risk task alone, and separation of duties can uncover fraud because more than one person knows the tasks of a position.

Answer 58

C. Separation of duties ensures that one person can’t perform a high-risk task alone, and job rotation can uncover fraud because more than one person knows the tasks of a position.

Question 59

What type of markup language allows company interfaces to pass service requests and the receiving company provision access to these services?
A. XML
B. SPML
C. SGML
D. HTML

Answer 59

B. SPML (Service Provision Markup Language)

Question 60

Sally is carrying out a software analysis on her company's proprietary application.  She has found out that it is possible for an attacker to force an authorization step to take place before the authentication step is completed successfully.  What type of issue would allow for this type of compromise to take place?
A. Backdoor
B. Maintenance hook
C. Race condition
D. Data validation error

Answer 60

C. Race condition

Question 61

Which of the following best describes how SAML, SOAP, and HTTP commonly work together in an environment that provides web services?
A. Security attributes are put into SAML format. Web service request and authentication data are encrypted in a SOAP message. Message is transmitted in a HTTP connection.
B. Security attributes are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in a HTTP connection over TLS.
C. Authentication data are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in a HTTP connection.
D. Authentication data are put into SAML format. HTTP request and authentication data are encapsulated in a SOAP message. Message is transmitted in a HTTP connection.

Answer 61

C. Authentication data are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in a HTTP connection.

Question 62

Tom has found out that malicious customers have carried out attacks on the RFID technology to reduce the amount they pay on store items. Which of the following is the most likely reason for the existence of this type of vulnerability?
A. The company’s security team does not understand how to secure this type of technology
B. The cost of integrating security within RFID is cost prohibitive
C. The technology has low processing capabilities, and encryption is very processor intensive
D. RFID is a new and emerging technology, the industry does not currently have ways to secure it.

Answer 62

C. The technology has low processing capabilities, and encryption is very processor intensive

Question 63

The security staff have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. What is the best solution for this company to implement?
A. Security information and event management
B. Event correlation tools
C. Intrusion detection systems
D. Security event correlation management tools

Answer 63

A. Security information and event management

Question 64

The CISO has asked that a threat model be developed for the network. Which of the following best describes what this model is and what it would be used for?
A. A threat model can help to assess the probability, the potential harm, and the priority of attacks, and thus help to minimize or eradicate the threats.
B. A threat model combines the output of the various vulnerability tests and the penetration tests carried out to understand the security posture of the network as a whole.
C. A threat model is a risk based model that is used to calculate the probabilities of the various risks identified during the vulnerability tests.
D. A threat model is used in software development practices to uncover programming errors.

Answer 64

A. A threat model can help to assess the probability, the potential harm, and the priority of attacks, and thus help to minimize or eradicate the threats.

Question 65

5 types of side-channel attacks

Answer 65

fault generation
differential power analysis
electromagnetic analysis
timing
software

Question 66

What is a side-channel attack?

Answer 66

A class of attack that doesn’t try to compromise a flaw or weakness.

Question 67

What is involved in a differential power analysis?

Answer 67

Examine power emissions released during processing. By statistically analyzing data from multiple cryptographic operations, for example, an attacker can determine the intermediate values within cryptographic computations.

Question 68

What is involved in a timing attack?

Answer 68

Calculating the time a specific function takes to complete a task.

Question 69

What is involved in an electromagnetic analysis?

Answer 69

Examine frequencies emitted to make correlations between the data and the EM emanations in an effort to uncover cryptographic keys or other sensitive info.

Question 70

What are the predecessors to HTML?

Answer 70

SGML and GML

Question 71

What was the purpose of the XML standard?

Answer 71

Developed as a specification to create various mark up languages.

Question 72

What is XACML - eXtensible Access Control Markup Language?

Answer 72

A markup language and processing model that is implemented in XML. It declares access control policies and how to interpret them.

Question 73

Is security information shared through XML?

Answer 73

no

Question 74

What is SPML - Service Provisioning Markup Language used for?

Answer 74

Used to exchange user, resource, and service provisioning information.

Question 75

What was GML - Generalized Markup Language used for?

Answer 75

Formatting documents

Question 76

What is the diameter protocol used for?

Answer 76

authentication, authorization, and auditing

Question 77

What is a watchdog timer used for?

Answer 77

detect software faults