Access Control Flashcards

0
Q

Is a passive entity (system or process) a subject or an object?

A

Object

1
Q

Is an active entity (individual or process) a subject or object?

A

Subject

3
Q

Which type of control is used to reduce risk?

Preventative, deterrent, corrective, recovery, detective, compensating, directive

A

Preventative

4
Q

Which type of control identifies violations and incidents?

Preventative, corrective, detective, compensating, recovery, deterrent, directive

A

Detective

5
Q

Which type of control is used for remediating violations and incidents and improving preventative and detective controls?
(Preventative, detective, deterrent, corrective, compensating, recovery, directive)

A

Corrective

6
Q

Which control is used for discouraging violations?

Preventative, corrective, deterrent, recovery, detective, compensating, directive

A

Deterrent

7
Q

Which type of control is used for restoring systems and information?
(Preventative, detective, deterrent, corrective, recovery, compensating, directive)

A

Recovery

7
Q

Which of these determines whether a subject can log in?

Authentication, Authorisation, Accountability

A

Authorisation

8
Q

Which control provides alternative ways of achieving a task?

Preventative, corrective, recovery, compensating, detective, deterrent, directive

A

Compensating

9
Q

Which of these determines what a subject can do, i.e. access rights and permissions? (Authentication, authorisation, accountability)

A

Authorisation (or establishment)

10
Q

What is non-repudiation?

A

It means that a user can’t deny an action because their identity is positively associated with their actions

11
Q

Which of these determines what a subject did?

Authorisation, authentication, accountability

A

Accountability

12
Q

For the CISSP exam is an ATM card considered 2FA?

A

Yes

13
Q

How many characters does a password have to be for it not to be stored in AD or local SAM (Security Account Manager)?

A

15 or longer

14
Q

Biometrics: what is a one to one search?

A

Identity matched against an image file

15
Q

Biometrics: what is a one to many search?

A

Identity matched against a database of identities

16
Q

In which type of authentication system is a false reject rate (type 1 error) used?

A

Biometric system

17
Q

Note for exam: is biometric authentication considered 2FA?

A

No

18
Q

What is a false reject rate (FRR) or type 1 error?

A

The percentage of authorised users to whom a system incorrectly denies access

19
Q

What is a false accept rate (FAR) or type 2 error?

A

The percentage of unauthorised users to whom the system incorrectly grants access

20
Q

In biometrics what is the crossover error rate (CER)?

A

The point at which the false accept rate equals the false reject rate

21
Q

Which of these is considered the most important in biometric system accuracy? (False accept rate, false reject rate, crossover error rate)

A

Crossover error rate

22
Q

CISSP answer: what is the most common difficulty about implementing a biometric system?

A

User acceptance

23
Q
Generally accepted standards for biometric systems
Accuracy =
Speed =
Throughput =
Enrolment time =
A

Accuracy = crossover error rate less than 10%
Speed = 5 seconds
Throughput = 6 to 10 per minute
Enrolment time = less than 2 mins

24
Q

What is the difference between a finger scan system and a fingerprint system?

A

Finger scan systems don’t store an image of the fingerprint, but rather a digitised file describing its unique characteristics

25
Q

What are the two benefits of a finger scan system over a fingerprint system?

A
  • Less storage and processing resources
  • Greater user acceptance, as an image of the fingerprint is not stored (i.e. addresses privacy concerns)

26
Q

What is a hand geometry system?

A

A digitised image recording the length, width, height and other unique characteristics of the hand and fingers

27
Q

Biometrics: what is the difference between a retina pattern and iris pattern?

A

Retina pattern records the unique pattern in the vascular elements of the retina.
Iris pattern records the unique patterns of the coloured portion surrounding the eye.

28
Q

What is the most secure biometric system?

Fingerprint/scan, hand geometry, iris pattern, retina pattern, signature, voice recognition, keystroke dynamics

A

Iris pattern

29
Q

Two examples of one time passwords are:

A
  • Tokens
  • S/Key protocol

30
Q

What are the 3 general types of tokens?

A
  • static password tokens
  • synchronous dynamic password tokens
  • asynchronous (challenge-response) dynamic password tokens
31
Q

Which type of token is a digital certificate?

  • static password token
  • synchronous dynamic password token
  • asynchronous dynamic password token (challenge-response)
A

Static password token

32
Q

Which type of token uses fixed time intervals?
Static password token
Synchronous dynamic password token
Asynchronous dynamic password token (challenge-response)

A

Synchronous dynamic password token

33
Q

Which type of token uses challenge-response?
Static password token
Synchronous dynamic password token
Asynchronous dynamic password token

A

Asynchronous dynamic password token

34
Q

Name a third party ticket based solution that uses SSO

A

Kerberos (symmetric key authentication protocol)

35
Q

Basic Kerberos Operation

A
  1. The client prompts the subject for a username/password. Using the password, the client temporarily generates and stores a secret key and sends the username to the KDC’s (key distribution centre’s) AS (authentication server).
  2. The AS verifies that the user exists in the KDC database. The KDC Ticket Granting Service (TGS) generates a client/TGS session key encrypted with the subject’s secret key. The TGS generates a Ticket Granting Ticket (TGT) consisting of the subject’s identification, client network address, time period of the ticket and client/TGS session key. The TGS encrypts the TGT using the TGS secret key and sends the client/TGS session key and TGT to the client.
  3. The client decrypts the client/TGS session key using the secret key generated from the subject’s password, authenticates the user and erases the stored secret key. The client can’t decrypt the TGT, which the TGS encrypted using the TGS secret key.
  4. When the subject requests access to an object (server), it sends the TGT, the object identifier (server name) and an Authenticator to the TGS on the KDC. The Authenticator is a separate message containing the client ID and a time stamp, encrypted using the client/TGS session key.
  5. The TGS on the KDC generates both a client/server session key, which it encrypts using the client/TGS session key, and a service ticket, which consists of the subject ID, client network address, time stamp and client/server session key. The TGS encrypts the service ticket using the secret key of the object (server). The TGS sends the client/server session key and service ticket to the client.
  6. The client decrypts the client/server session key using the client/TGS session key. The client can’t decrypt the service ticket, which the TGS encrypted using the secret key of the object (server).
  7. The client then communicates directly with the server. The client sends the service ticket and an Authenticator to the server. The client encrypts the Authenticator, consisting of the subject ID and time stamp, using the client/server session key that the TGS generated. The server decrypts the service ticket using its secret key. The service ticket contains the client/server session key, which allows the server to decrypt the Authenticator. If the subject ID and time stamp are valid (according to the subject ID, client network address and validity period specified in the service ticket), then communication between client and server is established. The client/server session key is used for secure communications between subject and object.
36
Q

Two common issues with using SSO

A
  • Grants access to the entire network and systems with a single password
  • Doesn’t always integrate well with different systems
37
Q

In Kerberos, what is a session key?

A

A dynamic key that is generated when needed, shared between two principals and then deleted when no longer needed

38
Q

In Kerberos, what is a secret key?

A

A static key used to encrypt a session key

39
Q

What does SESAME stand for?

A

Secure European Systems and Applications in a Multi-Vendor environment

40
Q

Which ticket based system uses symmetric and asymmetric cryptography to distribute secret keys and securely transmit data?
Kerberos or SESAME

A

SESAME

41
Q

Which ticket based system uses public key cryptography to communicate between different organisations or security domains?

A

SESAME

42
Q

Which ticket based system has the following security flaws? (Kerberos, SESAME, KryptoKnight)

  • it uses an XOR function for encryption
  • it performs authentication based on a small segment of a message instead of the entire message
  • its key generation is not very random
  • it’s vulnerable to password guessing attacks
A

SESAME

43
Q

Which ticket based system provides peer to peer relationships between the KDC and its principals, and provides two-party authentication, key distribution and data integrity services?
(Kerberos, SESAME, KryptoKnight)

A

KryptoKnight

44
Q

Which ticket based system can function at any layer of the OSI model and doesn’t use clock synchronisation?
(Kerberos, SESAME, KryptoKnight)

A

KryptoKnight

45
Q

What is a nonce?

A

A number used once: a randomly generated value that can only be used a single time, to authenticate a session

46
Q

What are three examples of ticket based technologies that provide SSO services?

A

Kerberos, SESAME, KryptoKnight

47
Q

Which two methodologies generally define access controls?

A
  • Centralised
  • Decentralised

48
Q

Remote Access Service (RAS) utilises the Point to Point Protocol (PPP). Which 3 types of centralised authentication types use this?

A

PAP - Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol
EAP - Extensible Authentication Protocol

49
Q

Which authentication protocol uses a two-way handshake to authenticate with a peer-to-peer server?
PAP, CHAP or EAP

A

PAP

50
Q

Which authentication protocol transfers passwords in clear text and is susceptible to replay and brute force attacks?
PAP, CHAP or EAP

A

PAP

51
Q

Which two types of packets are used by a two-way handshake?

A

Synchronise and Acknowledgement

52
Q

Which authentication protocol uses a 3-way handshake?

PAP, CHAP or EAP

A

CHAP

53
Q

Which authentication protocol uses Shared Secrets?

PAP, CHAP or EAP

A

CHAP

54
Q

What enhancement to CHAP allows a shared secret to be stored encrypted using an MD5 one-way hash function?

A

MS-CHAP

55
Q

Which authentication protocol utilises multiple authentication mechanisms, including MD5-challenge, S/Key, generic token cards, digital certs, etc.?
PAP, CHAP or EAP

A

EAP

56
Q

Which authentication protocol does a wireless network commonly implement?
PAP, CHAP or EAP

A

EAP

57
Q

Which Authentication protocol uses UDP at the Application Layer and allows for authentication, authorisation and accountability (AAA)?

A

RADIUS

58
Q

What are the benefits of the next generation RADIUS protocol, Diameter?

A
  • Uses TCP
  • Uses Stream Control Transmission Protocol (SCTP)
  • Uses IPSec or TLS rather than PAP or CHAP
59
Q

What are the benefits of the authentication protocol TACACS (Terminal Access Controller Access Control System)?

A

Supports various authentication mechanisms and allows more granular authorisation parameters

60
Q

LDAP, RAS (PAP, CHAP, EAP), RADIUS, Diameter and TACACS are all types of which system for remote access?
Centralised or decentralised?

A

Centralised

61
Q

Which type of access control system would describe a database or multi-domain or trust environment?
Centralised or decentralised?

A

Decentralised

62
Q

Data access controls fall into 2 categories. What are they?

A

Discretionary and mandatory

63
Q

If an access control is discretionary, who determines the policy? Owner or system?

A

Owner

64
Q

File/data ownership and access rights/permissions are important concepts of which access control technique? Discretionary or mandatory?

A

Discretionary

65
Q

What are the 3 basic access rights?

A

Read, Write and Execute

66
Q

What is an access control list (ACL)?

A

Defines the access rights/permissions that a subject has on an object

67
Q

ACLs and role-based controls are techniques used for which type of access control? Discretionary or mandatory?

A

Discretionary

68
Q

The following are 3 disadvantages of using which type of access control method? Discretionary or mandatory?

  • lack of centralised admin
  • reliance on resource owner defining controls
  • difficult to audit due to large number of logs generated
A

Discretionary

69
Q

Which type of access policy is determined by the system? Discretionary or mandatory?

A

Mandatory

70
Q

Sensitivity labels and data import/export are two important concepts of which type of access control? Discretionary or mandatory?

A

Mandatory

71
Q

Which model uses a mathematical structure that defines greatest lower bound and least upper bound values for a pair of elements, i.e. subject and object? (Could be used to determine the least level of privilege needed to access a set of files.) Rule-based or lattice-based?

A

Lattice-based

72
Q

Lattice-based is an access control method for which type of access control? Discretionary or mandatory?

A

Mandatory

73
Q

The following disadvantages apply to which type of access control? Discretionary or mandatory?

  • user frustration
  • difficult to implement and program
  • not flexible
A

Mandatory

74
Q

Access Models: Which of these access models was purely developed for confidentiality? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model.

A

Bell-La Padula

75
Q

The basic premise of which access model is that information cannot flow downward? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model

A

Bell-La Padula

76
Q

Which access model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model) do the following two properties relate to:

  • Simple Security Property (SS Property)
  • *-Property (Star Property)
A

Bell-La Padula

77
Q

Which property defines that a subject cannot read information from an object of a higher sensitivity label?

  • Simple Security Property (SS Property)
  • *-Property (Star Property)
A

Simple Security Property (SS Property)

78
Q

Which property defines that a subject cannot write information to an object of a lower sensitivity label?

  • Simple Security Property (SS Property)
  • *-Property (Star Property)
A

*-Property (Star Property)

79
Q

Access Models: Which of these access models addresses only the first goal of integrity? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model.

A

Biba

80
Q

The following two properties represent which access model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)?

  • Simple Integrity Property
  • *-integrity Property (Star Integrity Property)
A

Biba

81
Q

Which property defines that a subject cannot read information from an object that has a lower integrity level (no read down)?

  • Simple Integrity Property
  • *-integrity Property (Star Integrity Property)
A

Simple Integrity Property

82
Q

Which property defines that a subject cannot write information to an object with a higher integrity level (no write up)?

  • Simple Integrity Property
  • *-integrity Property (Star Integrity Property)
A

*-integrity Property (Star Integrity Property)

83
Q

Which two access control models use the lattice-based model? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model

A

Biba and the Information Flow Model

84
Q

Which access control model addresses all 3 goals of integrity? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)

A

Clark-Wilson

85
Q

Which access control model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model) identifies requirements for inputting data based on the following items and procedures?

  • Unconstrained Data Item
  • Constrained Data Item
  • Integrity Verification Procedures
  • Transformation procedures
A

Clark-Wilson

86
Q

Which access control model ensures that objects and subjects do not see the actions of other objects and subjects on the same system, i.e. cannot see changes made? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)

A

Non-interference model

87
Q

Which access control model provides access rights to subjects in a DAC system? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)

A

Access Matrix Model

88
Q

Which access control model assigns security classes and values to objects and uses a security policy to direct the flow of information? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)

A

Information Flow Model

89
Q

What is the difference between a brute force attack and a dictionary attack?

A

A dictionary attack uses a predefined word list

90
Q

What is the best way to protect against brute force and dictionary attacks?

A

Protecting Security Account Databases and Password files.

91
Q

What is the common name for a buffer or stack overflow attack?

A

Denial of Service Attack

92
Q

Vulnerabilities in the IP protocol can be exploited by which type of attack?

A

Teardrop Attack

93
Q

What is the best way to protect against a buffer/stack overflow/denial of service attack?

A

Identify and patch vulnerabilities in the system/network/applications.

94
Q

What is the difference between a Man in the Middle Attack and Session Hi-jacking?

A

In session hi-jacking the attacker impersonates the intended recipient instead of modifying messages in transit

95
Q

John the Ripper and LophtCrack are both commonly used for which type of attack?

A

Dictionary Attack

96
Q

Using two factor authentication or an account lockout policy can protect against which types of attacks?

A

Brute Force and Dictionary Attacks

97
Q

What four common tactics should be deployed to protect against Access Control Attacks?

A

Vulnerability Analysis
Threat Modelling
Asset Valuation
Access Aggregation

98
Q

What is another name for ensuring a security specification is created and tested during the design phase to identify likely threats, countermeasures, vulnerabilities, etc.?

A

Threat Modeling

99
Q

What is another name for combining user access rights, permissions and privileges in single or multiple systems, i.e. SSO?

A

Access Aggregation

100
Q

Which pen test term defines the probing of a system to determine which TCP/IP ports are running on the system?

A

Port Scanning

101
Q

Which pen test term defines the process of scanning an online application for any vulnerabilities or weaknesses?

A

Application Scanning

102
Q

In which type of testing does a tester have no prior knowledge of the system he/she is testing?

  • black box testing
  • white box testing
  • grey box testing
A

Black box testing

103
Q

Which pen test term defines the process of scanning a network for any host computers?

A

Host Scanning

104
Q

What is an allow by default policy?

A

Allowing access to any information unless there is a specific need to restrict that access

105
Q

A deny by default access control philosophy is commonly used by government/military organisations and commercial enterprises. What is this?

A

Any access that is not specifically permitted is denied

106
Q

What should be the first step for an access control strategy?

A

Defining a core philosophy, i.e. allow by default or deny by default

107
Q

What is a general 3 step process for determining access controls?

A
  1. Defining resources
  2. Determining users
  3. Specifying the users’ use of the resources
108
Q

An organisation should have multiple access control strategies. True or False?

A

False

109
Q

What should be the first element of an effective access control program?

A

To establish an access control policy and associated standards and procedures.

110
Q

What is the primary objective of separation of duties?

A

To prevent fraud and errors

111
Q

What should be the first action to employ separation of duties in a process or work function?

A

Define the individual elements of the process

112
Q

Which two factors must be addressed in determining the applicability of separation of duties?

A
  • The sensitivity of the function under consideration
  • The elements within a process that lend themselves to distribution

113
Q

What are 4 important concepts when defining user access control?

A
  • Least Privilege: a user or process is given no more access privilege than necessary to perform a job/task/function
  • Need to know: access to information is based on job or business requirements
  • Compartmentalisation: the process of separating groups of people and information from other groups.
  • Security Domain: based on trust between resources or services in areas or systems that share a single security policy, i.e. a subject can only access an object in an equal or lower domain. Uses a hierarchy.
114
Q

What should be the first 2 steps when developing an information classification program?

A
  1. Determine the program objectives
  2. Establish organisational support

115
Q

Who in the business is responsible for information classification?

A

Information Owner (normally someone in a business unit who understands the information in their area of the business)

116
Q

What are the 4 common levels of information classification used by most organisations?

A
  • Public (sometimes referred to as unclassified)
  • Internal Use Only
  • Confidential - trade secrets, privacy of individuals (may also be called top-secret, privileged, personal, sensitive, highly confidential)
  • Restricted (if released could cause irreparable harm to the organisation) - only suitable for a select few individuals such as “C” level executives.
117
Q

Which of the CIA principles should still be considered in relation to public classified information?

A

Availability

118
Q

What does aggregate data mean in relation to information classification?

A

Data when taken alone is of low sensitivity, but when combined with other data is of high sensitivity.

119
Q

Name 7 access control requirements that should be considered.

A
  • Reliability: must give consistent results
  • Transparency: must be transparent to the end-user; the less user interaction the better
  • Scalability: should ensure a system can accommodate future growth
  • Integrity: ensuring only authorised personnel have access to administrative functions of the system.
  • Maintainability: administrative effort required to maintain the application
  • Authentication Data Security: user identities, passwords, access capabilities, etc. (data encryption, system & file level access controls, strong authentication for admin functions)
  • Auditability: authentication requests, data access attempts, changes to privileges and exercise of administrative capabilities.
120
Q

Which type of control is used to specify acceptable rules of behaviour?
(Preventative, deterrent, corrective, recovery, detective, compensating, directive)

A

Directive

121
Q

What are the 7 main categories of access control?

A
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective
122
Q
A security policy can be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective
A

Directive and deterrent

123
Q
A user registration procedure would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective
A

Preventative

124
Q
Termination would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective
A

Corrective

125
Q
Supervision would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective
A

Compensating

126
Q
Job rotation would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective
A

Compensating

127
Q
Logging would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective
A

Compensating

128
Q
Keystroke Monitoring would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective
A

Compensating

129
Q
A fence would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective
A

Preventative

130
Q

Which type of control can cover all 7 access control categories?

A

CCTV

131
Q

Categories of access controls can be implemented in what 3 ways?

A

Administrative (sometimes called management controls)
Logical (sometimes called technical controls)
Physical (sometimes called operational controls)

132
Q

Maintaining an authorisation process and a record of all privileges is known as what?

A

Privilege Management

133
Q

The ability to restrict access to systems based on a network-wide policy is known as what? Involves querying a system to ensure it is adhering to established policies, i.e. AV on the system.

A

Network Access Control (NAC)

134
Q

What is a race condition?

A

Where two or more processes are waiting for the same resource.

135
Q

What is a hash?

A

A one-way mathematical function that cannot be reversed.

136
Q

In relation to access permission what does (C) Change provide?

A

Read, write, execute and delete. May not change file permissions.

137
Q

What is non-discretionary access control?

A

Based on the assignment of permission to read, write and execute files on a system. However, unlike discretionary access control, which allows the file owner to specify those permissions, non-discretionary access control requires the admin of a system to define and control the access rules for files in the system.

138
Q

ACLs typically have two basic pieces of data. What are they?

A

A keyword pattern and an action taken if the keyword is matched.

139
Q

An ACL in the form of a table is known as what?

A

An access control matrix

140
Q

Rule-based access controls are most commonly associated with which type of access control? DAC or MAC?

A

DAC because the system owner typically develops the rules based on the organisation or processing needs.

141
Q

Role based access control can be applied using both DAC and MAC. true or false?

A

True
DAC by owner
MAC by system

142
Q

What are the 4 basic role based access control architectures?

A
  • Non-RBAC: users are granted access to data using ACLs; no role-based model
  • Limited RBAC: users are mapped to roles within an application (users of this system can also access non-RBAC apps or data)
  • Hybrid RBAC: a role is applied across multiple apps, where those apps subscribe to the organisation's role-based model
  • Full RBAC: all app access is controlled by the organisation's role-based model
143
Q

What is content dependent access control?

A

Access control based on the value of the data; e.g. data may be assigned a department number such that only staff within that department can access it. A user's access to a piece of data changes if the data changes, rather than because the user's role changed.

144
Q

What type of access control is Constrained User Interface?

A

The user is restricted to specific functions on a system based on their role within that system. Common on devices such as an ATM.

145
Q

What is an advantage of using the Constrained User Interface access control model?

A

It can limit the potential avenues of attack and system failure by limiting the processing options available to a user.

146
Q

A database ‘View’ is a common example of which type of access control?

A

Constrained User Interface
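
Added example (not part of the deck) covering this card and the content-dependent access control card above: an SQLite database in Python with a view that exposes only the columns a directory user needs, and a query whose result set depends on a value in the data (department) rather than on the user's role. The table, rows and department numbers are constructed. SQLite has no per-user grants, so the restriction to the view is enforced by the application here; in a real DBMS the directory role would be granted SELECT on the view and nothing on the base table.

```python
import sqlite3


def build_db():
    """Constructed sample data: three employees in two departments."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, dept INTEGER, salary INTEGER);
        INSERT INTO employee VALUES (1, 'Ann', 10, 50000), (2, 'Ben', 20, 42000), (3, 'Cy', 10, 61000);
        -- constrained interface: the view exposes name and dept only, so salary is unreachable through it
        CREATE VIEW directory AS SELECT name, dept FROM employee;
    """)
    return conn


def directory_lookup(conn):
    """What a user who is only allowed to touch the view can see."""
    return conn.execute("SELECT name, dept FROM directory ORDER BY name").fetchall()


def view_hides_salary(conn):
    """Asking the view for a column it does not expose fails outright."""
    try:
        conn.execute("SELECT salary FROM directory")
        return False
    except sqlite3.OperationalError:
        return True


def salaries_visible_to(conn, user_dept):
    """Content-dependent control: rows returned depend on a value in the data (dept)
    compared with an attribute of the user, not on the user's role."""
    return conn.execute(
        "SELECT name, salary FROM employee WHERE dept = ? ORDER BY name", (user_dept,)
    ).fetchall()


def move_employee(conn, name, new_dept):
    conn.execute("UPDATE employee SET dept = ? WHERE name = ?", (new_dept, name))
    conn.commit()


def demo():
    """Change the data, not the user, and watch the user's access change."""
    conn = build_db()
    before = salaries_visible_to(conn, 10)
    move_employee(conn, "Cy", 20)
    after = salaries_visible_to(conn, 10)
    return before, after


if __name__ == "__main__":
    conn = build_db()
    print(directory_lookup(conn), view_hides_salary(conn))
    print(demo())
```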

147
Q

What is a capability table?

A

Matches subject and their capabilities against system objects and the ability to use those capabilities on those objects.
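
Added example (not part of the deck) covering this card and the access control matrix card above: the same matrix read by column (an object's ACL) and by row (a subject's capability list), plus the revocation cost that separates the two. Subjects, objects and permissions are constructed.

```python
def sample_matrix():
    """Constructed access control matrix: rows are subjects, columns are objects,
    cells are the permitted actions. A fresh copy each call, so edits do not leak."""
    return {
        "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
        "bob":   {"report.txt": {"read", "write"}},
        "carol": {},
    }


def acl_for(matrix, obj):
    """Column view: the object's ACL (which subjects may do what to this object)."""
    return {s: set(perms[obj]) for s, perms in matrix.items() if obj in perms}


def capability_list_for(matrix, subject):
    """Row view: the subject's capability list (what this subject may do to which objects)."""
    return {o: set(p) for o, p in matrix.get(subject, {}).items()}


def is_permitted(matrix, subject, obj, action):
    """The access check is one cell lookup whichever way the matrix is stored."""
    return action in matrix.get(subject, {}).get(obj, set())


def revoke_object(matrix, obj):
    """Revoking all access to one object is a single-column change in ACL terms,
    but with capability lists it means visiting every subject. Returns subjects touched."""
    touched = 0
    for perms in matrix.values():
        if perms.pop(obj, None) is not None:
            touched += 1
    return touched


def revocation_cost():
    """Revoke report.txt in a fresh matrix; returns (subjects visited, ACL afterwards)."""
    m = sample_matrix()
    return revoke_object(m, "report.txt"), acl_for(m, "report.txt")


def render(matrix):
    """The matrix as the table the card describes."""
    objects = sorted({o for perms in matrix.values() for o in perms})
    lines = ["subject".ljust(8) + "".join(o.ljust(12) for o in objects)]
    for s in sorted(matrix):
        cells = ["/".join(sorted(matrix[s].get(o, ()))) or "-" for o in objects]
        lines.append(s.ljust(8) + "".join(c.ljust(12) for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(sample_matrix()))
    print("ACL report.txt:", acl_for(sample_matrix(), "report.txt"))
    print("caps alice:", capability_list_for(sample_matrix(), "alice"))
```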

148
Q

What is temporal (time-based) isolation?

A

Activities are performed at a given time for a pre-determined duration. This extends to system processing where certain jobs are only run during certain times of the day.

149
Q

What is an important caveat when using temporal access controls?

A

care must be taken if an organisation is spread across multiple time zones
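
Added example (not part of the deck): a 09:00 to 17:00 access window checked two ways in Python, once against the server's clock and once after converting the instant into the user's own zone. The window hours, the instant and the two users' offsets are constructed; fixed UTC offsets are used so the code runs without time zone data, whereas production code should use IANA zones (zoneinfo) so daylight-saving changes are handled.

```python
from datetime import datetime, timedelta, timezone


def within_window(local_time, start_hour=9, end_hour=17):
    """Policy (assumed): access allowed from 09:00 up to but not including 17:00 local time."""
    return start_hour <= local_time.hour < end_hour


def allowed_server_clock(now_utc):
    """Naive check: the policy window is compared against the server's own clock."""
    return within_window(now_utc)


def allowed_for_user(now_utc, user_utc_offset_hours):
    """Zone-aware check: convert the instant into the user's local time first."""
    user_zone = timezone(timedelta(hours=user_utc_offset_hours))
    return within_window(now_utc.astimezone(user_zone))


def demo():
    # Constructed instant: 02:30 UTC, i.e. 13:30 for a user at UTC+11 and 21:30 for a user at UTC-5
    now = datetime(2024, 3, 4, 2, 30, tzinfo=timezone.utc)
    return {
        "server_clock_says": allowed_server_clock(now),
        "sydney_user": allowed_for_user(now, 11),
        "new_york_user": allowed_for_user(now, -5),
    }


if __name__ == "__main__":
    print(demo())
```

The naive check denies the Sydney user in the middle of their working day. The fix is not always "use the user's zone": a policy that means "during head-office hours" should be evaluated in that one zone for everyone, so state which interpretation the control implements.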

150
Q

The assertion of a unique identity for a person is known as what?

A

Identification

151
Q

Binding a user to the appropriate controls based on that unique user instance is an objective of what? Identification, Authentication or Authorisation?

A

Identification

152
Q

What is IAA in relation to access control?

A

Identification (provides uniqueness)
Authentication (provides validity)
Authorisation (provides control)

153
Q

How many bits is a MAC address?

A

48bit represented in a hexadecimal format

154
Q

Is a MAC address considered a strong identifier or authenticator?

A

No, because most network-enabled devices allow the MAC address to be set in software rather than fixed in hardware, so it can be altered (spoofed).
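
Added example (not part of the deck) covering this card and the 48-bit card above: a small Python parser that accepts the common MAC notations, confirms the 48-bit length, and decodes the two flag bits in the first octet. The locally-administered (U/L) bit is set when an address was assigned in software rather than burned in, which is a useful inventory hint; it is not a trust decision, since anyone spoofing an address can just as easily pick one with the bit clear. The sample addresses are constructed.

```python
import re


def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex; return the 6 bytes."""
    hexstr = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexstr):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(hexstr)


def is_valid_mac(text):
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def describe_mac(text):
    """Decode the parts of the address that matter when judging it as an identifier."""
    mac = parse_mac(text)
    first = mac[0]
    return {
        "bits": len(mac) * 8,                          # always 48
        "oui": mac[:3].hex(":").upper(),               # first 24 bits: vendor prefix (OUI)
        "locally_administered": bool(first & 0x02),   # U/L bit: set when assigned in software
        "multicast": bool(first & 0x01),               # I/G bit: set for group addresses, never a station
    }


if __name__ == "__main__":
    for sample in ("00:1A:2B:3C:4D:5E", "02-00-5e-00-53-01", "0100.5e00.0001", "00:1A:2B"):
        print(sample, describe_mac(sample) if is_valid_mac(sample) else "invalid")
```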

155
Q

Should an IP address be used as an identifier alone?

A

No, because it is stored in software and can be altered.

156
Q

What is a Radio Frequency Identification Tag (RFID)?

A

small label that can be embedded in objects such as passports, consumer goods, even humans.

157
Q

How does an RFID tag work?

A

When the tag comes within the proximity of the reader, the reader reads the information from the tag and determines the identity of the object

158
Q

What is the main concern with using RFID tags in passports?

A

Privacy: because tags can be read from a distance, an individual's information may be read without their knowledge or consent.

159
Q

Should an email address be used alone as a unique identifier?

A

No

160
Q

What are the 3 essential security characteristics regarding identities?

A

Uniqueness
Non-descriptiveness
Secure issuance

161
Q

What is the key difference between the Unix ‘root’ account and Windows Admin account?

A

The Windows Administrator account can be renamed (it is still identified by its well-known SID ending in -500); the Unix superuser is conventionally named root and is identified by UID 0.

162
Q

What is the goal of an identity management system?

A

to consolidate access rights into an easily managed record of identity and access for each user in a system

163
Q

In an identity management system, what is the best way of managing ID’s for contractors, business partners, etc?

A

segment these users into their own group.

164
Q

What is the benefit of using centralised identity management?

A
  • can enforce organisation-wide control over identity allocation, promotes consistency of policy and helps with the leavers process
165
Q

What is the main issue with using centralised identity management?

A

The access needs of departments and regional offices can differ; political or legal factors also vary by region.

166
Q

What is the advantage and disadvantage of a de-centralised identity management system?

A

Advantage is that local managers have a better sense of user requirements in their area.

Disadvantage is that it is difficult to enforce a central policy; it can also be more expensive and can cause conflicting rights on shared resources.

167
Q

In authentication there are traditionally 3 factors. What is the 4th one?

A

Geo-location

168
Q

In relation to Geo-location, what does the term apparent location mean?

A

The location inferred from an IP address is only the apparent location: where the address appears to be from, not necessarily where the user is (proxies, VPNs and mobile carriers shift it), so IP geo-location is not foolproof.

169
Q

What are the 3 basic types of character passwords?

A
Standard Words
Combination passwords (includes numbers)
Complex passwords (includes non-alphanumeric)
170
Q

What is a more secure alternative to a password when using single factor authentication?

A

Passphrase

171
Q

What is a Graphical Password?

A

an image or sequence of images used as password

172
Q

What two types of static authentication devices exist?

A

Memory cards and smart cards

173
Q

What is the main difference between a memory card and smart card authentication device?

A

availability of processing power. a memory card can hold information but not process it whereas a smart card can do both

174
Q

What is a common example of a memory card?

A

A swipe card

175
Q

What is the main weakness with a memory card?

A

Data is stored unprotected

176
Q

What is an ISO term for a smart card?

A

Integrated Circuit (IC) Card

177
Q

What are the advantages of using a smart card over a memory card?

A
  • can hold more data than memory cards
  • can provide secure login, secure email, digital signatures, secure web/remote access, VPN, Hard disk encryption
  • the login process is performed by the reader rather than the host, so the identifier and password are not exposed in transit to the host.
178
Q

What is a trusted path?

A

A communications channel through which all information passing is deemed to be secure, because the user is assured of talking directly to the genuine system component and the channel cannot be intercepted or imitated.

179
Q

Which type of memory does a smart card use?

A

Electrically Erasable Programmable Read Only Memory (EEPROM)

180
Q

What two types of smart cards are there?

A

Contact and contactless

181
Q

List of typical smart card pinouts

A
Vcc - power connection
RST - reset line
CLK - clock signal (controls operation speed)
RFU - reserved for future use
GND - Ground Line
Vpp - Programming power
I/O - Input/Output line for comms with reader
RFU - Reserved for future use
182
Q

What are the two types of biometrics?

A

Physiological and behavioural

183
Q

What are the most common biometrics used?

A

Fingerprints

184
Q

What is a vascular scan?

A

studies the veins in the user’s hand or face

185
Q

What are 3 types of behavioural biometrics?

A

Signature Dynamics
Keystroke Dynamics
Voice Pattern

186
Q

What are 5 ways of protecting desktop sessions?

A
Screensavers
Timeouts
Automatic Logouts
Session/Login Management (multiple devices)
Schedule Limitations (time based)
187
Q

Typical example of a login session to a banking website:

A
  1. user navigates to the website, which starts a session
  2. user clicks secure login and the connection is encrypted using SSL/TLS
  3. user authenticates and information is passed through the encrypted session
  4. user logs off and the session is terminated.
188
Q

Session hi-jacking is a form of which type of attack?

A

Man in the middle attack

189
Q

What is arguably the most significant aspect of ensuring accountability in access control systems?

A

Culture of the organisation. must be supported at the top level of the organisation

190
Q

What are the 4 most common directory technologies?

A

X500
the Lightweight Directory Access Protocol (LDAP)
Active Directory
X400

191
Q

What are the characteristics of the X500 protocol?

A
  • Developed by ITU-T and also known as ISO/IEC 9594
  • originally developed for telecommunications companies
  • consists of 4 protocols: DAP, DSP, DISP and DOP
  • organised as a hierarchical database of information
192
Q

Which of the following protocols is the primary one used by X500?
Directory Access Protocol (DAP)
Directory System Protocol (DSP)
Directory Information Shadowing Protocol (DISP)
Directory Operational Bindings Management Protocol (DOP)

A

DAP

193
Q

What is the key field used by the X500 directory and what does it provide?

A

The Distinguished name (DN) which provides the full path through the X500 database where a particular entry may be found.

194
Q

What is the opposite of DN in an X500 directory?

A

RDN (relative distinguished name) which provides the name of a specific entry without the full path component attached.
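
Added example (not part of the deck) covering the DN and RDN cards: a small Python parser for the string form of a distinguished name (RFC 4514), which splits at unescaped commas, resolves backslash escapes including hex-encoded UTF-8 bytes, and returns the RDN and the parent path. Multi-valued RDNs (a=b+c=d) are not handled. The sample DN is constructed; the attribute types (CN, OU, DC) are the ones the deck lists.

```python
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def split_dn(dn):
    """Split a DN into its RDN strings at unescaped commas. Escape pairs are kept
    intact here and resolved by unescape(); whitespace after a comma is dropped."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).lstrip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).lstrip())
    return rdns


def unescape(value):
    """Resolve RFC 4514 escapes: a backslash before a special character yields that
    character; a backslash plus two hex digits yields one UTF-8 byte."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and _HEX_PAIR.fullmatch(pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        out.extend(value[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def parse_dn(dn):
    """DN -> list of (attribute type, value), most specific entry first."""
    parsed = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        parsed.append((attr.strip().upper(), unescape(value)))
    return parsed


def rdn_of(dn):
    """The entry's own name: the leftmost component, still in escaped form."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The path component: everything after the first RDN."""
    return ",".join(split_dn(dn)[1:])


if __name__ == "__main__":
    sample = "CN=Smith\\, John,OU=Sales, DC=example,DC=com"   # constructed; the comma in the CN is escaped
    print(parse_dn(sample))
    print(rdn_of(sample), "|", parent_dn(sample))
```

Splitting on a bare comma would cut the CN in half and hand a wrong parent to whatever authorisation decision uses it, which is why escapes have to be honoured before the DN is compared or searched.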

195
Q

What is the main disadvantage of X500?

A

complex to implement and complicated to administer

196
Q

Which protocol in the X500 suite is LDAP based on?

A

DAP

197
Q

What is the main benefit of LDAP over X500?

A

provides a simpler implementation of directory services for enterprises that operates in a TCP/IP environment

198
Q

What are the characteristics of LDAP?

A
  • uses a hierarchical tree structure for directory entries and supports the DN and RDN concepts
  • common attribute types in an LDAP entry include DN, CN, DC and OU
  • operates in a client/server architecture
  • by default runs over an unencrypted connection on TCP port 389
  • LDAP version 3 supports upgrading that connection to TLS (the StartTLS extended operation)
  • can also run directly over SSL/TLS (LDAPS) on TCP port 636
199
Q

What is Active Directory?

A

Microsoft's directory service for Windows environments, accessed through the LDAP protocol.

  • provides authentication and authorisation capabilities on an enterprise-wide level
  • can enforce organisational security and configuration policies (Group Policy)
  • uses LDAP naming (DN/RDN) for its naming structure
  • AD directories are organised into forests and trees
  • domains are identified by DNS names; objects within a domain are organised into OUs
200
Q

What is a forest in relation to AD?

A

The top-level container: one or more domain trees that share a common schema, configuration and global catalogue, i.e. the collection of all objects and their associated attributes across those domains.

201
Q

What is a tree in relation to AD?

A

logical groupings of one or more AD security domains within a forest.

202
Q

What is X400?

A

An ITU-T e-mail standard, also known as Message Handling System (MHS), that competed with and was largely displaced by SMTP.

203
Q

What is Perimeter based web portal access?

A

LDAP integration with web based apps to provide authentication

204
Q

In a Perimeter Based Web Portal Access solution, what handles the user authentication state?

A

WAM (Web Access Management)

205
Q

What does a Federated Identity Management system provide?

A

authentication between different organisations that may share the same apps or users.

206
Q

A Federated Identity Management System can provide two basic processes for linking the member organisations together. What are they?

A

Cross-certification model: each organisation must individually certify that every other participating organisation is worthy of trust.
Trusted third party or bridge model: participating organisations subscribe to the standards and practices of a third party that manages the verification.

207
Q

What is the benefit of a trusted third party model over a cross certification model?

A

There is no need to maintain individual trusts with every organisation: one organisation verifies all connecting organisations.

208
Q

What is a “Once In-Unlimited Access” model?

A

The user authenticates once and then has access to all the resources participating in the model; could be used on an intranet.

209
Q

What is a drawback of the “Once In-Unlimited Access” model?

A

an assumption on each participating system that user authentication and authorisation was properly handled before access was granted.

210
Q

What are the 5 key types of logging that are the foundation of security auditing?

A
Network Events
System Events
Application Events
User Actions
Keystroke Activity
211
Q

What is a Multi-Host Intrusion Detection System?

A

allows systems to share policy information and real-time attack data.

212
Q

What is a drawback of using a Host IDS?

A

can be very invasive to the host OS and can consume a lot of memory on the host and interfere with processing.

213
Q

What is Stateful Matching Intrusion Detection?

A

scans for attack signatures in the context of a stream of traffic or overall system behaviour rather than looking at individual packets or discrete behaviour

214
Q

How can an attacker evade Stateful Matching Intrusion Detection?

A

by sending packets from multiple locations or with long wait period between each transmission. signatures must also be updated.
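
Added example (not part of the deck) covering this card and the one above: a stateful matcher in Python that raises an alert only when several failed logins from one source fall inside a time window, run over constructed log lines, followed by the two evasions the card names (spacing attempts out beyond the window, and spreading them across sources). The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed log format: "<epoch seconds> sshd: Failed password for <user> from <ip>"
FAILED = re.compile(r"^(?P<ts>\d+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$")


def detect_bruteforce(lines, threshold=5, window=60):
    """Stateful matching: one failed login is not a signature; `threshold` failures
    from the same source within `window` seconds is. Returns (source, ts) alerts."""
    recent = defaultdict(deque)    # per-source state carried from line to line
    alerts = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts, src = int(m["ts"]), m["src"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # forget events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, ts))
            q.clear()
    return alerts


def failures(src, start, count, gap, user="root"):
    """Constructed log lines: `count` failures from `src`, `gap` seconds apart."""
    return [f"{start + i * gap} sshd: Failed password for {user} from {src}" for i in range(count)]


def demo():
    fast = failures("203.0.113.7", 1000, 6, 1)                                   # burst: caught
    slow = failures("203.0.113.7", 1000, 6, 90)                                  # evasion: wait out the window
    spread = [failures(f"198.51.100.{i}", 1000, 1, 0)[0] for i in range(6)]      # evasion: one try per source
    return {
        "fast": detect_bruteforce(fast),
        "slow": detect_bruteforce(slow),
        "spread": detect_bruteforce(spread),
    }


if __name__ == "__main__":
    print(demo())
```

Keying the state on the target account as well as the source would catch the spread case at the cost of more state per target; lengthening the window catches the slow case at the cost of memory and false positives, which is the trade-off this class of detector always carries.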

215
Q

What is Protocol Anomaly Based Intrusion Detection?

A

identifies unacceptable deviation from expected behaviour of known protocols, ie HTTP.

216
Q

What is a weakness of Protocol Anomaly Based Intrusion Detection?

A

if custom or non-standard protocols are used.

217
Q

What is a Traffic Anomaly Based Intrusion Detection System?

A

identifies any unacceptable deviation from expected behaviour based on traffic structure.

218
Q

What is a weakness of Traffic Anomaly Based Intrusion Detection System?

A

relies on the ability to establish normal patterns of traffic

219
Q

What are the 3 fundamental components of IDS alarm capability?

A

Sensor: detection mechanism
Control and Communication: handling alert information
Enunciator: relay system - alert local resources

220
Q

What is SIEM (Security Information and Event management)?

A

a group of technologies which aggregates information about access controls and selected system activity. real time reporting on events and incidents as they occur in network and information systems.

221
Q

What are two types of spyware?

A

Malvertisements: web advertisements which appear legitimate
Malnets: infected nodes clustered together such as websites, desktop, laptops, etc. to launch further attacks.

222
Q

What is the unused space in the cluster after where data has been written called?

A

Slack space

223
Q

Why does deleting data from a disk or formatting a disk not remove the data?

A

In these scenarios the file's entry in the file allocation table (FAT) is simply cleared, marking its clusters as available for use. The data itself still physically resides on the drive and can be recovered until new data is written to those clusters. Even then, the part of the old data beyond the end of the new file remains in the slack space until the entire cluster is overwritten.

224
Q

In what way can slack space be used by an attacker?

A

Attacker can use a tool that writes information only to the slack space from available clusters such as malicious code which will be hidden from the user.

225
Q

What 3 things should a tool erase to ensure everything is deleted from a hard disk?

A

the data
the files directory entry
the files FAT entry
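
Added example (not part of the deck) covering the slack space, delete/format and secure-erase cards above: a toy cluster-allocated volume in Python with a raw media buffer, an allocation table and a directory. An ordinary delete clears the table and directory entries only, so the content survives a sector-level read; a smaller file written into the freed cluster leaves the tail of the old file in its slack; a secure erase overwrites the data before removing the entries. Cluster size, file names and contents are constructed; real FATs chain clusters rather than keeping a list.

```python
CLUSTER = 16   # constructed toy cluster size; real FAT clusters are 512 bytes to 64 KiB


class ToyDisk:
    """Minimal cluster-allocated volume: raw media, an allocation table and a directory."""
    def __init__(self, clusters=4):
        self.media = bytearray(CLUSTER * clusters)   # what a sector-level read of the drive returns
        self.fat = [False] * clusters                # allocation table: True = cluster in use
        self.directory = {}                          # name -> (size, [cluster numbers])

    def _allocate(self, n):
        free = [i for i, used in enumerate(self.fat) if not used][:n]
        if len(free) < n:
            raise OSError("disk full")
        for c in free:
            self.fat[c] = True
        return free

    def write(self, name, data):
        chunks = [data[i:i + CLUSTER] for i in range(0, len(data), CLUSTER)] or [b""]
        clusters = self._allocate(len(chunks))
        for c, chunk in zip(clusters, chunks):
            start = c * CLUSTER
            self.media[start:start + len(chunk)] = chunk   # only len(chunk) bytes touched; the rest is slack
        self.directory[name] = (len(data), clusters)

    def read(self, name):
        """The file as the file system shows it: never past its logical size."""
        size, clusters = self.directory[name]
        raw = b"".join(bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return raw[:size]

    def slack(self, name):
        """Bytes in the file's last cluster beyond its logical end: invisible via read()."""
        size, clusters = self.directory[name]
        used = size - (len(clusters) - 1) * CLUSTER
        last = clusters[-1] * CLUSTER
        return bytes(self.media[last + used:last + CLUSTER])

    def delete(self, name):
        """Ordinary delete: clear the directory and allocation entries, leave the data alone."""
        _, clusters = self.directory.pop(name)
        for c in clusters:
            self.fat[c] = False

    def secure_erase(self, name):
        """Overwrite every cluster of the file (the data), then remove directory and FAT entries."""
        _, clusters = self.directory[name]
        for c in clusters:
            self.media[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
        self.delete(name)


def demo():
    secret = b"TOP SECRET: the launch code is 4411!"   # constructed, 36 bytes -> 3 clusters
    disk = ToyDisk()
    disk.write("secret.txt", secret)
    disk.delete("secret.txt")
    still_on_media = b"launch code" in disk.media        # carving the raw media still finds it
    disk.write("note.txt", b"hello")                     # reuses cluster 0 but overwrites only 5 bytes
    leaked = disk.slack("note.txt")                      # old secret bytes ride along in note.txt's slack
    wiped = ToyDisk()
    wiped.write("secret.txt", secret)
    wiped.secure_erase("secret.txt")
    return still_on_media, disk.read("note.txt"), leaked, b"launch" in wiped.media


if __name__ == "__main__":
    print(demo())
```

The same slack that leaks the old file is the space an attacker can write into deliberately: nothing in the directory or allocation table points at it, so a tool that only walks files never sees it.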

226
Q

What is data mining?

A

The statistical analysis on general information in the absence of specific data

227
Q

What is Access Aggregation?

A

The accumulation of access rights as a user collects additional roles and responsibilities over time (privilege creep), typically because old entitlements are not removed when a role changes.

228
Q

What is User Entitlement in relation to access control?

A

the action of provisioning resources to a user, ie mapped drives. Changing roles can aggregate this entitlement.

229
Q

What are the steps in the Identity and Access Provisioning Lifecycle?

A
  1. Provisioning
  2. Review
  3. Revocation
230
Q

What is the first line of a defence in depth strategy?

A

Access Control