Access Control

Question 0

Is a passive entity (system or process) a subject or an object?

Answer 0

Object

Question 1

Is an active entity (individual or process) a subject or object?

Answer 1

Subject

Question 3

Which type of control is used to reduce risk?

Preventative, deterrent, corrective, recovery, detective, compensating, directive

Answer 3

Preventative

Question 4

Which type of control identifies violations and incidents?

Preventative, corrective, detective, compensating, recovery, deterrent, directive

Answer 4

Detective

Question 5

Which type of control is used for re mediating violations and incidents and improving preventative and detective controls?
(Preventative, detective, deterrent, corrective, compensating, recovery, directive)

Answer 5

Corrective

Question 6

Which control is used for discouraging violations?

Preventative, corrective, deterrent, recovery, detective, compensating, directive

Answer 6

Deterrent

Question 7

Which type of control is used for restoring systems and information?
(Preventative, detective, deterrent, corrective, recovery, compensating, directive)

Answer 7

Recovery

Question 7

Which of these determines whether a subject can login?

Authentication, Authorisation, Accountability

Answer 7

authorisation

Question 8

Which control provides alternative ways of achieving a task?

Preventative, corrective, recovery, compensating, detective, deterrent, directive

Answer 8

Compensating

Question 9

Which of these determines what a subject can do? Ie access rights and permissions? (Authentication, authorisation, accountability)

Answer 9

Authorisation (or establishment)

Question 10

What is non-repudiation?

Answer 10

It means that a user can’t deny an action because their identity is positively associated with their actions

Question 11

Which of these determines what a subject did?

Authorisation, authentication, accountability

Answer 11

Accountability

Question 12

For the CISSP exam is an ATM card considered 2FA?

Answer 12

Yes

Question 13

How many characters does a password have to be for it not to be stored in AD or local SAM (Security Account Manager)?

Answer 13

15 or longer

Question 14

Biometrics: what is a one to one search?

Answer 14

Identify matched against an image file

Question 15

Biometrics: what is a one to many search?

Answer 15

Identity matched against a database of identities

Question 16

Which type of authentication system is a false reject rate or type 1 error used?

Answer 16

Biometric system

Question 17

Note for exam: is biometric authentication considered 2fa?

Answer 17

No

Question 18

What is a false reject rate (FRR) or type 1 error?

Answer 18

The percentage of authorised users to whom a system incorrectly denies access

Question 19

What is a false accept rate (far) or type 2 error?

Answer 19

The percentage of unauthorised users to whom the system incorrectly grants access

Question 20

In biometrics what is the crossover error rate (CER)?

Answer 20

The point at which the false accept rate equals the false reject rate

Question 21

Which of these is considered the most important in biometric system accuracy? (False accept rate, false reject rate, crossover error rate)

Answer 21

Crossover error rate

Question 22

CISSP answer: what is the most common difficulty about implementing a biometric system?

Answer 22

User acceptance

Question 23

Generally accepted standards for biometric systems
Accuracy =
Speed =
Throughput =
Enrolment time =

Answer 23

Accuracy = crossover error rate less than 10%
Speed = 5 seconds
Throughput = 6 to 10 per minute
Enrolment time = less than 2 mins

Question 24

What is the difference between a finger scan system and finger print system?

Answer 24

Finger scan systems don’t store an image of the finger print, but rather a digitised file describing its unique characteristics

Question 25

What are the two benefits of a finger scan system over a finger print system?

Answer 25

• Less storage and processing resources

- greater user acceptance as image of fingerprint not stored ie concerns with privacy

Question 26

What is a hand geometry system?

Answer 26

Digitise image recording length, width, height and other unique characteristics of hand and fingers

Question 27

Biometrics: what is the difference between a retina pattern and iris pattern?

Answer 27

Retina pattern records unique pattern in the vascular elements of the retina
Iris pattern records unique patterns of the colour portion surrounding the eye.

Question 28

What is the most secure biometric system?

Fingerprint/scan, hand geometry, iris pattern, retina pattern, signature, voice recognition, keystroke dynamics

Answer 28

Iris pattern

Question 29

Two examples of one time passwords are:

Answer 29

• tokens

- s/key protocol

Question 30

What are the 3 general types of tokens?

Answer 30

• static password tokens
• synchronous dynamic password tokens
• asynchronous (challenge-response) dynamic password tokens

Question 31

Which type of token is a digital certificate?

• static password token
• synchronous dynamic password token
• asynchronous dynamic password token (challenge-response)

Answer 31

Static password token

Question 32

Which type of token uses fixed time intervals?
Static password token
Synchronous dynamic password token
Asynchronous dynamic password token (challenge-response)

Answer 32

synchronous dynamic password token

Question 33

Which type of token uses challenge-response?
Static password token
Synchronous dynamic password token
Asynchronous dynamic password token

Answer 33

Asynchronous dynamic password token

Question 34

Name a third party ticket based solution that uses SSO

Answer 34

Kerberos (symmetric key authentication protocol)

Question 35

Basic Kerberos Operation

Answer 35

1. Client prompts subject for username/password. Using password client temporarily generates and stores secret key and sends username to the KDC (key distribution centre’s) AS (authentication server)
2. AS verifies that user exists in KDC database. KDC Ticket Granting Service (TGS) generates a client/TGS session key encrypted with subject secret key. TGS generates Ticket Granting Ticket (TGT) consisting of subjects identification, client network address, time period of ticket and client /TGS session key. TGS encrypts TGT using secret key and sends client /TGS session ket and TGT to client.
3. Client decrypts client/TGS session key using secret key generated by subjects password, authenticates user and erases stored secret key. Client can’t decrypt TGT which TGS encrypted using TGS secret key.
4. When subject requests access to object (server), it sends the TGT, object identifier (server name) and an Authenticator to the TGS on the KDC. Authenticator is separate msg containing client iD and time stamp and uses client/TGS session key to encrypt itself
5. TGS on KDC generates both client/server session keyhole to encrypts using client/TGS session key which consists on subject ID, Client Network Address, time stamp, client/server session key. TGS encrypts service ticket using secret key of object (server). TGS sends client/server session key and service ticket to client.
6. Client decrypts client /server session key using client/TGS session key. Client can’t decrypt service ticket which TGS encrypted using secret key of object (server)
7. Client then communicates directly with server. Client sends service ticket and an Authenticator to server. Client encrypts Authenticator consisting of subject ID and time stamp using client/server session key that TGS generated. Server decrypts service ticket Using its secret key. Service ticket contains client/server session key which allows server to decrypt Authenticator. I’d subject ID and time stamp are valid (according to sub ID, client net add and valid period specified in service ticket) then comms between client/server is established. Client/server session key used for secure comms between subject and object

Question 36

Two common issue with using SSO

Answer 36

• grants access to entire network and systems with single password
• doesn’t always integrate well in different systems

Question 37

In Kerberos, what is a session key?

Answer 37

A dynamic key that is generated when needed, shared between two principals and then deleted when no longer needed

Question 38

In Kerberos, what is a secret key?

Answer 38

A static key used to encrypt a session key

Question 39

What does SESAME stand for?

Answer 39

Secure European Systems and Applications in a Multi-Vendor environment

Question 40

Which ticket based system uses symmetric and asymmetric cryptography to distribute secret keys and securely transmit data?
Kerberos or SESAME

Answer 40

SESAME

Question 41

Which ticket based system uses public key cryptography to communicate between different organisations or security domains?

Answer 41

SESAME

Question 42

Which ticket based system has the following security flaws? (Kerberos, SESAME, KryptoKnight)

• it uses an XOR function for encryption
• it performs authentication based on a small segment of a message instead of entire message
• it’s key generation is not very random
• it’s vulnerable to password guessing attacks

Answer 42

SESAME

Question 43

Which ticket based system provides peer to peer relationships between the KDC and it’s principals, provides two party authentication, key distribution and data integrity services?
(Kerberos, SESAME, KryptoKnight)

Answer 43

KryptoKnight

Question 44

Which ticket based system can function at any layer of the OSI model and doesn’t use clock synchronisation?
(Kerberos, SESAME, KryptoKnight)

Answer 44

KryptoKnight

Question 45

What is a nonce?

Answer 45

A number used once, randomly generated that can only be used once to authenticate a session?

Question 46

What are three examples of ticket based technologies that provide SSO services?

Answer 46

Kerberos, SESAME, KryptoKnight

Question 47

Which two methodologies generally define access controls?

Answer 47

• centralised

- decentralised

Question 48

Remote Access Service (RAS) utilises the Point to Point Protocol (PPP). Which 3 types of centralised authentication types use this?

Answer 48

PAP - Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol
EAP - Extensible Authentication Protocol

Question 49

Which authentication protocol uses a two way handshake to authenticate with a peer to peer server?
PAP, CHAP or EAP

Answer 49

PAP

Question 50

Which authentication protocol transfers passwords in clear text and is susceptible to replay and brute force attacks?
PAP, CHAP or EAP

Answer 50

PAP

Question 51

Which two types of packets are used by a two way handshake?

Answer 51

Synchronise and Acknowledgement

Question 52

Which authentication protocol uses a 3 way handshake?

PAP, CHAP or EAP

Answer 52

CHAP

Question 53

Which authentication protocol uses Shared Secrets?

PAP, CHAP or EAP

Answer 53

CHAP

Question 54

What enhancement to CHAP allows for a shared secret to be stored encrypted using a MD5 one way hash function.

Answer 54

MS-CHAP

Question 55

Which authentication protocol utilises multiple authentication mechanisms including MD5-challenge, S/Key, generic token cards, digital certs, etc.
PAP, CHAP or EAP

Answer 55

EAP

Question 56

Which authentication protocol does a wireless network commonly implement?
PAP, CHAP or EAP

Answer 56

EAP

Question 57

Which Authentication protocol uses UDP at the Application Layer and allows for authentication, authorisation and accountability (AAA)?

Answer 57

RADIUS

Question 58

What are the benefits of the next generation RADIUS protocol, Diameter?

Answer 58

• Uses TCP
• Uses Stream Control Transmission Protocol (SCTP)
• Uses IPSec or TLS rather than PAP or CHAP

Question 59

What are the benefits of the authentication protocol TACACS (Terminal Access Controller Access Control System)?

Answer 59

Supports various authentication mechanisms and allows more granular authorisation parameters

Question 60

LDAP, RAS (PAP, CHAP, EAP), RADIUS, Diameter, TACACS are all type of what system for remote access?
Centralised or decentralised?

Answer 60

Centralised

Question 61

Which type of access control system would would describe a database or multi domain or trust environment?
Centralised or decentralised?

Answer 61

Decentralised

Question 62

Data access controls fall into 2 categories. What are they?

Answer 62

Discretionary and mandatory

Question 63

If an access control is Discretionary who determines the policy? owner or system.

Answer 63

Owner

Question 64

File/data ownership and access right/permission are an important concept of which access control technique? Discretionary or Mandatory

Answer 64

Discretionary

Question 65

What are the 3 basic access rights?

Answer 65

Read, Write and Execute

Question 66

What is an access control list (ACL)?

Answer 66

Defines the access rights/permissions that a subject has on an object

Question 67

ACL’s and role based controls are techniques used for which type of access control? Discretionary or Mandatory.

Answer 67

Discretionary

Question 68

The following are 3 disadvantages to using which type of access control method? Discretionary or Mandatory?

• lack of centralised admin
• reliance on resource owner defining controls
• difficult to audit due to large number of logs generated

Answer 68

Discretionary

Question 69

Which type of access policy is determined by the system? Discretionary or Mandatory.

Answer 69

Mandatory

Question 70

Sensitivity labels and Data Import/Export are two important concepts of which type of access control? discretionary or mandatory?

Answer 70

Mandatory

Question 71

Which model users a mathematical structure that defines greatest lower bound and least upper bound values for a pair of elements, ie subject and object. (Could be used to determine least level of privilege to access a set of files. Rule-based or lattice-based?

Answer 71

Lattice-based

Question 72

lattice-based is an access control methods for which type of access? Discretionary or Mandatory?

Answer 72

Mandatory

Question 73

The following disadvantages are akin to which type of access control? Discretionary or mandatory?

• user frustration
• difficult to implement and program
• not flexible

Answer 73

Mandatory

Question 74

Access Models: Which of these access models was purely developed for confidentiality? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model.

Answer 74

Bell-La Padula

Question 75

The basic premise of which access model is that information cannot flow downward? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model

Answer 75

Bell-La Padula

Question 76

Which access model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model) do the following two properties relate to:

• Simple Security Property (SS Property)
• *-Property (Star Property)

Answer 76

Bell-La Padula

Question 77

Which property defines that a subject cannot read information from an object of a higher sensitivity label?

• Simple Security Property (SS Property)
• *-Property (Star Property)

Answer 77

Simple Security Property (SS Property)

Question 78

Which property defines that a subject cannot write information to an object of a lower sensitivity label?

• Simple Security Property (SS Property)
• *-Property (Star Property)

Answer 78

*-Property (Star Property)

Question 79

Access Models: Which of these access models addresses only the first goal of integrity? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model.

Answer 79

Biba

Question 80

The following two properties represent which access model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)?

• Simple Integrity Property
• *-integrity Property (Star Integrity Property)

Answer 80

Biba

Question 81

Which property defines that a subject cannot read information from an object that has a lower integrity level (no read down)

• Simple Integrity Property
• *-integrity Property (Star Integrity Property)

Answer 81

Simple Integrity Property

Question 82

Which property defines that a subject cannot write information to an object with a higher integrity level (no write up)

• Simple Integrity Property
• *-integrity Property (Star Integrity Property)

Answer 82

*-integrity Property (Star Integrity Property)

Question 83

Which two access control models use the lattice-based model? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model

Answer 83

Biba and the Information Flow Model

Question 84

Which access control model addresses all 3 goals of integrity? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)

Answer 84

Clark-Wilson

Question 85

Which access control model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model) identifies requirements for inputting data based on the following items and procedures?

• Unconstrained Data Item
• Constrained Data Item
• Integrity Verification Procedures
• Transformation procedures

Answer 85

Clark-Wilson

Question 86

Which access control model ensures that objects and subjects do not see the actions of other objects and subjects on the same system, ie cannot see changes made? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)

Answer 86

Non-interference model

Question 87

Which access control model provides access rights to subjects in a DAV system? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)

Answer 87

Access Matrix Model

Question 88

Which access control model assigns security classes and values to objects and uses a security policy to direct the flow of information? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)

Answer 88

Information Flow Model

Question 89

What is the difference between a brute force attack and a dictionary attack?

Answer 89

A dictionary attack uses a predefined work list

Question 90

What is the best way to protect against brute force and dictionary attacks?

Answer 90

Protecting Security Account Databases and Password files.

Question 91

What is the common name for a buffer or stack overflow attack?

Answer 91

Denial of Service Attack

Question 92

Vulnerabilities in the IP protocol can be exploited by which type of attack?

Answer 92

Teardrop Attack

Question 93

What is the best way to protect against a buffer/stack overflow/denial of service attack?

Answer 93

Identify and patch vulnerabilities in the system/network/applications.

Question 94

What is the difference between a Man in the Middle Attack and Session Hi-jacking?

Answer 94

In session hi-jacking the attacker impersonates the intended recipient instead of modifying messages in transit

Question 95

John the Ripper and LophtCrack are both commonly used for which type of attack?

Answer 95

Dictionary Attack

Question 96

Using two factor authentication or an account lockout policy can protect against which types of attacks?

Answer 96

Brute Force and Dictionary Attacks

Question 97

What four common tactics should be deployed to protect against Access Control Attacks?

Answer 97

Vulnerability Analysis
Threat Modelling
Asset Valuation
Access Aggregation

Question 98

What is another name for ensuring a security specification is created and tested during the design phase to identify likely threats, countermeasures, vulnerabilities, etc?

Answer 98

Threat Modeling

Question 99

What is another name for combining user access rights, permissions, privileges in single or multiple systems ie SSO?

Answer 99

Access Aggregation

Question 100

Which pen test term defines the probing of a system to determine which TCP/IP ports are running on the system?

Answer 100

Port Scanning

Question 101

Which pen test term defines the process of scanning an online application for an vulnerabilities or weaknesses?

Answer 101

Application Scanning

Question 102

In which type of testing does a tester have no prior knowledge of the system he/she is testing?

• black box testing
• white box testing
• grey box testing

Answer 102

Black box testing

Question 103

Which pen test term defines the process of scanning a network for any host computers?

Answer 103

Host Scanning

Question 104

What is an allow by default policy?

Answer 104

allowing access to any information unless there is a specific need to restrict that access

Question 105

A deny by default access control philospohy is commonly used by government/military organisations and commercial enterprises. What is this?

Answer 105

any access that is not specifically permitted is denied

Question 106

What should be the first step for an access control strategy?

Answer 106

defining a core philosophy, ie allow by default or deny by default

Question 107

What is a general 3 step process for determining access controls?

Answer 107

1. Defining resources
2. Determining users
3. Specifying the users’ use of the resources

Question 108

An organisation should have multiple access control strategies. True or False?

Answer 108

False

Question 109

What should be the first element of an effective access control program?

Answer 109

to establish an access control policy and associated standards and procedures.

Question 110

What is the primary objective of separation of duties?

Answer 110

to prevent fraud and errors

Question 111

What should be the first action to employ separation of duties in a process or work function?

Answer 111

define the individual elements of the process

Question 112

Which two factors must be addressed in determining the applicability of separation of duties?

Answer 112

• the sensitivity of the function under consideration

- the elements within a process that lend themselves to distribution

Question 113

What are 4 important concepts when defining user access control?

Answer 113

• Least Privilege: user or process given no more access privilege than necessary to perform a job/task/function
• Need to know: access to information based on job or business requirements
• Compartmentalisation: the process of separating groups of people and information from other groups.
• Security Domain: based on trust between resources or services in areas or systems that share a single security policy, ie a subject can only access an object in an equal or lower domain. uses a hierarchy.

Question 114

What should be the first 2 steps when developing a information classification program?

Answer 114

1. Determine the program objectives

2. Establish organisational support

Question 115

Who in the business is responsible for information classification?

Answer 115

Information Owner (normally someone in a business unit that understands the information in the area of their business.

Question 116

What are the 4 common levels of information classification used by most organisations?

Answer 116

• Public (sometimes referred to as unclassified)
• Internal Use Only
• Confidential - trade secrets, privacy of individuals (may also be called top-secret, privileged, personal, sensitive, highly confidential)
• Restricted (if released could cause irreparable harm to the organisation) - only suitable for a select few individuals such as “C” level executives.

Question 117

Which of the CIA principles should still be considered in relation to public classified information?

Answer 117

Availability

Question 118

What does aggregate data mean in relation to information classification?

Answer 118

Data when taken alone is of low sensitivity, but when combined with other data is of high sensitivity.

Question 119

Name 7 access control requirements that should be considered?

Answer 119

• Reliability: must give consistent results
• Transparency: must be transparent to end-user. the less user interaction the better
• Scalability: should ensure a system can accommodate future growth
• Integrity: ensuring only authorised personnel have access to administrative functions of the system.
• Maintainability: administrative effort required to maintain the application
• Authentication Data Security: user identities, passwords, access capabilities, etc. (data encryption, system & file level access controls, strong authentication for admin functions)
• Audibility: authentication requests, data access attempts, changes to privileges and exercise of administrative capabilities.

Question 120

Which type of control is used to specify acceptable rules of behaviour?
(Preventative, deterrent, corrective, recovery, detective, compensating, directive)

Answer 120

Directive

Question 121

What are the 7 main categories of access control?

Answer 121

Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective

Question 122

A security policy can be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective

Answer 122

Directive and deterrent

Question 123

A user registration procedure would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective

Answer 123

Preventative

Question 124

Termination would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective

Answer 124

Corrective

Question 125

Supervision would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective

Answer 125

Compensating

Question 126

Job rotation would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective

Answer 126

Compensating

Question 127

Logging would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective

Answer 127

Compensating

Question 128

Keystroke Monitoring would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective

Answer 128

Compensating

Question 129

A fence would be considered which type of access control?
Directive
Deterrent
Recovery
Compensating
Preventative
Corrective
Detective

Answer 129

Preventative

Question 130

Which type of control can cover all 7 access control categories?

Answer 130

CCTV

Question 131

Categories of access controls can be implemented in what 3 ways?

Answer 131

Administrative (sometimes called management controls
Logical (sometimes called Technical controls)
Physical (sometimes called operational controls)

Question 132

Maintaining an authorisation process and a record of all privileges is known as what?

Answer 132

Privilege Management

Question 133

The ability to restrict access to systems based on a network wide policy is known as what? Involves querying a system to ensure it is adhering to established policies, ie AV on the system.

Answer 133

Network Access Control (NAC)

Question 134

What is a race condition?

Answer 134

Where two or more processes are waiting for the same resource.

Question 135

What is a hash?

Answer 135

A one-way mathematical function that cannot be reversed.

Question 136

In relation to access permission what does (C) Change provide?

Answer 136

Read, write, execute and delete. may not change file permission.

Question 137

What is non-discretionary access control?

Answer 137

based on the assignment of permission to read, write and execute files on a system, however unlike discretionary access controls, which allows the file owner to specify those permissions, non-discretionary access control requires the admin of a system to define and control the access rules for files in the system.

Question 138

ACL’s typically have two basic pieces of data. What are they?

Answer 138

a keyword pattern and an action taken if the keyword is matched.

Question 139

An ACL in the form of a table is known as what?

Answer 139

An access control matrix

Question 140

Rule based access are most commonly associated with which type of access control? DAC or MAC

Answer 140

DAC because the system owner typically develops the rules based on the organisation or processing needs.

Question 141

Role based access control can be applied using both DAC and MAC. true or false?

Answer 141

True
DAC by owner
MAC by system

Question 142

What are the 4 basic role based access control architectures?

Answer 142

• Non-RBAC: user granted access to data using ACL’s. no role based model
• Limited RBAC: mapped to roles within an application (users of this system are also able to access non-RBAC based apps or data)
• Hybrid RBAC: role is applied to multiple apps where apps subscribe to the organisations role based model
• Full RBAC: all app access controlled by organisations role based model

Question 143

What is content dependent access control?

Answer 143

access control based on value of data, ie data may be assigned a department number that only staff within that department can access. User access to a piece of data can change if the data is changed as opposed to the user role changing.

Question 144

What type of access control is Constrained User Interface?

Answer 144

user restricted to specific functions on a system based on their role within that system. common on devices such as an ATM.

Question 145

What is an advantage of using the Constrained User Interface access control model?

Answer 145

can limit the potential avenues of attack and system failure by limiting the processing options available to a user.

Question 146

A database ‘View’ is a common example of which type of access control?

Answer 146

Constrained User Interface

Question 147

What is a capability table?

Answer 147

Matches subject and their capabilities against system objects and the ability to use those capabilities on those objects.

Question 148

What is temporal (time-based- isolation?

Answer 148

Activities performed at a given time for a pre-determined duration. can extend to system processing when certain jobs are only performed during certain times of the day.

Question 149

What is an important caveat when using temporal access controls?

Answer 149

care must be taken if an organisation is spread across multiple time zones

Question 150

The assertion of a unique identity for a person is known as what?

Answer 150

Identification

Question 151

Binding a user to the appropriate controls based on based on that unique user instance is an objective of what? Identification, Authentication or Authorisation?

Answer 151

Identification

Question 152

What is IAA in relation to access control?

Answer 152

Identification (provides uniqueness)
Authentication (provides validity)
Authorisation (provides control)

Question 153

How many bits is a MAC address?

Answer 153

48bit represented in a hexadecimal format

Question 154

Is a MAC address considered a strong identifier or authenticator?

Answer 154

No because most network-enabled devices allow the MAC to be stored in software instead of hardware meaning the MAC can be altered.

Question 155

Should an IP address be used as an identifier alone?

Answer 155

No, because it is stored in software and can be altered.

Question 156

What is a Radio Frequency Identification Tag (RFID)?

Answer 156

small label that can be embedded in objects such as passports, consumer goods, even humans.

Question 157

How does an RFID tag work?

Answer 157

When the tag comes within the proximity of the reader, the reader reads the information from the tag and determines the identity of the object

Question 158

What is the main concern with using RFID tags in passports?

Answer 158

Privacy concerns, because tags can be read from a distance, there are concerns that an individuals information may be taken without their consent.

Question 159

Should an email address by used alone as a unique identifier?

Answer 159

No

Question 160

What are the 3 essential security characteristics regarding identities?

Answer 160

Uniqueness
Non-descriptiveness
Secure issuance

Question 161

What is the key difference between the Unix ‘root’ account and Windows Admin account?

Answer 161

Windows Admin account can be changed to a different name.

Question 162

What is the goal of an identity management system?

Answer 162

to consolidate access right into an easily managed record of identity and access for each user in a system

Question 163

In an identity management system, what is the best way of managing ID’s for contractors, business partners, etc?

Answer 163

segment these users into their own group.

Question 164

What is the benefit of using centralised identity management?

Answer 164

• can enforce organisation wide control over identity allocation. promotes consistency of policy. helps with leavers process

Question 165

What is the main issue with using centralised identity management?

Answer 165

access needs of departments, regional office can be different. political or legal reasons also a factor depending on region.

Question 166

What is the advantage and disadvantage of a de-centralised identity management system?

Answer 166

Advantage is that local managers have a better sense of user requirements in their area.

Disadvantage is that it’s difficult to enforce a central policy. can also be more expensive and can cause conflicting rights on shared resources.

Question 167

In authentication there are traditionally 3 factors. What is the 4th one?

Answer 167

Geo-location

Question 168

In relation to Geo-location, what does the term apparent location mean?

Answer 168

An IP address is not a foolproof method of geo-location.

Question 169

What are the 3 basic types of character passwords?

Answer 169

Standard Words
Combination passwords (includes numbers)
Complex passwords (includes non-alphanumeric)

Question 170

What is a more secure alternative to a password when using single factor authentication?

Answer 170

Passphrase

Question 171

What is a Graphical Password?

Answer 171

an image or sequence of images used as password

Question 172

What two types of static authentication devices exist?

Answer 172

Memory cards and smart cards

Question 173

What is the main difference between a memory card and smart card authentication device?

Answer 173

availability of processing power. a memory card can hold information but not process it whereas a smart card can do both

Question 174

What is a common example of a memory card?

Answer 174

A swipe card

Question 175

What is the main weakness with a memory card?

Answer 175

Data is stored unprotected

Question 176

What is an ISO term for a smart card?

Answer 176

Integrated Circuit (IC) Card

Question 177

What are the advantages of using a smart card over a memory card?

Answer 177

• can hold more data than memory cards
• can provide secure login, secure email, digital signatures, secure web/remote access, VPN, Hard disk encryption
• login process is done by reader instead of at host so the identifier and password is not exposed whilst in transit to the host.

Question 178

What is a trusted path?

Answer 178

A communications channel through which all information passing through is deemed to be secure.

Question 179

Which type of memory does a smart card use?

Answer 179

Electrically Erasable Programmable Read Only Memory (EEPROM)

Question 180

What two types of smart cards are there?

Answer 180

Contact and contactless

Question 181

List of typical smart card pinouts

Answer 181

Vcc - power connection
RST - reset line
CLK - clock signal (controls operation speed)
RFU - reserved for future use
GND - Ground Line
Vpp - Programming power
I/O - Input/Output line for comms with reader
RFU - Reserved for future use

Question 182

What are the two types of biometrics?

Answer 182

Physiological and behavioural

Question 183

What are the most common biometrics used?

Answer 183

Fingerprints

Question 184

What is a vascular scan?

Answer 184

studies the veins in the user’s hand or face

Question 185

What are 3 types of behavioural biometrics?

Answer 185

Signature Dynamics
Keystroke Dynamics
Voice Pattern

Question 186

What are 5 ways of protecting desktop sessions?

Answer 186

Screensavers
Timeouts
Automatic Logouts
Session/Login Management (multiple devices)
Schedule Limitations (time based)

Question 187

Typical example of a login session to a banking website:

Answer 187

1. user navigates to website which starts session
2. users click’s secure login which is then encrypted using SSL
3. user authenticates and information is passed through the encrypted session
4. user log’s off an session is terminated.

Question 188

Session hi-jacking is a form of which type of attack?

Answer 188

Man in the middle attack

Question 189

What is arguably the most significant aspect of ensuring accountability in access control systems?

Answer 189

Culture of the organisation. must be supported at the top level of the organisation

Question 190

What are the 4 most common directory technologies?

Answer 190

X500
the Lightweight Directory Access Protocol (LDAP)
Active Directory
X400

Question 191

What are the characteristics of the X500 protocol?

Answer 191

• Developed by ITU-T and also known as ISO/IEC 9594
• originally developed for telecommunications companies
• consists of 4 protocols: DAP, DSP, DISP and DOP
• organised as a hierarchical database of information

Question 192

Which of the following protocols is the primary one used by X500?
Directory Access Protocol (DAP)
Directory System Protocol (DSP)
Directory Information Shadowing Protocol (DISP)
Directory Operational Bindings Management Protocol (DOP)

Answer 192

DAP

Question 193

What is the key field used by the X500 directory and what does it provide?

Answer 193

The Distinguished name (DN) which provides the full path through the X500 database where a particular entry may be found.

Question 194

What is the opposite of DN in an X500 directory?

Answer 194

RDN (relative distinguished name) which provides the name of a specific entry without the full path component attached.

Question 195

What is the main disadvantage of X500?

Answer 195

complex to implement and complicated to administer

Question 196

Which protocol in the X500 suite is LDAP based on?

Answer 196

DAP

Question 197

What is the main benefit of LDAP over X500?

Answer 197

provides a simpler implementation of directory services for enterprises that operates in a TCP/IP environment

Question 198

What are the characteristics of LDAP?

Answer 198

• uses a hierarchical tree structure for directory entries and also supports DN and RDN concepts.
• Common attributes for a LDAP entry include the following: DN, CN, DC, OU
• operates in a client/server architecture
• typically runs over unsecured network connections using TCP port 389
• version 3 of the LDAP protocol supports the use of TLS to encrypt communications
• can also use SSL via TCP, port 636.

Question 199

What is Active Directory?

Answer 199

An implementation of the LDAP protocol for Microsoft based environments

• provides authentication and authorisation capabilities on an enterprise wide level.
• can enforce organisational security and configuration policies.
• AD uses LDAP for its naming structure
• AD directories are organised into forests and trees
• Domains identified by DNS name and objects by OU’s

Question 200

What is a forest in relation to AD?

Answer 200

a collection of all the objects and their associated attributes

Question 201

What is a tree in relation to AD?

Answer 201

logical groupings of one or more AD security domains within a forest.

Question 202

What is X400?

Answer 202

predecessor to SMTP thats also known as Message Handling System (MHS)

Question 203

What is Perimeter based web portal access?

Answer 203

LDAP integration with web based apps to provide authentication

Question 204

In a Perimeter Bsed Web Portal Access solution, what handles the user authentication state?

Answer 204

WAM (Web Access Management)

Question 205

What does a Federated Identity Management system provide?

Answer 205

authentication between different organisations that may share the same apps or users.

Question 206

A Federated Identity Management System can provide two basic processes for linking the member organisations together. What are they?

Answer 206

Cross-certification model: each organisation must individually certify that every other participating organisation is worthy of trust.
Trusted third party or bridge model: participating organisations subscribe to standards and practicies of a third party that manages the verification

Question 207

What is the benefit of a trusted third party model over a cross certification model?

Answer 207

Don’t have to maintain individual trusts with every organisation. one organisation verifies all connecting organisations.

Question 208

What is a “Once In-Unlimited Access” model?

Answer 208

Users authenticates once and then has access to all the resources participating in the model. could be used on a intranet.

Question 209

What is a drawback of the “Once In-Unlimited Access” model?

Answer 209

an assumption on each participating system that user authentication and authorisation was properly handled before access was granted.

Question 210

What are the 5 key types of logging that are the foundation of security auditing?

Answer 210

Network Events
System Events
Application Events
User Actions
Keystroke Activity

Question 211

What is a Multi-Host Intrusion Detection System?

Answer 211

allows systems to share policy information and real-time attack data.

Question 212

What is a drawback of using a Host IDS?

Answer 212

can be very invasive to the host OS and can consume a lot of memory on the host and interfere with processing.

Question 213

What is Stateful Matching Intrusion Detection?

Answer 213

scans for attack signatures in the context of a stream of traffic or overall system behaviour rather than looking at individual packets or discrete behaviour

Question 214

How can an attacker evade Stateful Matching Intrusion Detection?

Answer 214

by sending packets from multiple locations or with long wait period between each transmission. signatures must also be updated.

Question 215

What is Protocol Anomaly Based Intrusion Detection?

Answer 215

identifies unacceptable deviation from expected behaviour of known protocols, ie HTTP.

Question 216

What is a weakness of Protocol Anomaly Based Intrusion Detection?

Answer 216

if custom or non-standard protocols are used.

Question 217

What is a Traffic Anomaly Based Intrusion Detection System?

Answer 217

identifies any unacceptable deviation from expected behaviour based on traffic structure.

Question 218

What is a weakness of Traffic Anomaly Based Intrusion Detection System?

Answer 218

relies on the ability to establish normal patterns of traffic

Question 219

What are the 3 fundamental components of IDS alarm capability?

Answer 219

Sensor: detection mechanism
Control and Communication: handling alert information
Enunciator: relay system - alert local resources

Question 220

What is SIEM (Security Information and Event management)?

Answer 220

a group of technologies which aggregates information about access controls and selected system activity. real time reporting on events and incidents as they occur in network and information systems.

Question 221

What are two types of spyware?

Answer 221

Malvertisements: web advertisements which appear legitimate
Malnets: infected nodes clustered together such as websites, desktop, laptops, etc. to launch further attacks.

Question 222

What is the unused space in the cluster after where data has been written called?

Answer 222

Slack space

Question 223

Why does deleting data from a disk or formatting a disk not remove the data?

Answer 223

In these scenarios information is simply removed from the FAT table signifying that those clusters are now available for use. Actual data still physically resides on the drive, waiting to be found or until new data has been written to the cluster. Data will remain in slack space until entire cluster is overwritten.

Question 224

In what way can slack space be used by an attacker?

Answer 224

Attacker can use a tool that writes information only to the slack space from available clusters such as malicious code which will be hidden from the user.

Question 225

What 3 things should a tool erase to ensure everything is deleted from a hard disk?

Answer 225

the data
the files directory entry
the files FAT entry

Question 226

What is data mining?

Answer 226

The statistical analysis on general information in the absence of specific data

Question 227

What is Access Aggregation?

Answer 227

the act of collecting additional roles and responsibilities in an organisation.

Question 228

What is User Entitlement in relation to access control?

Answer 228

the action of provisioning resources to a user, ie mapped drives. Changing roles can aggregate this entitlement.

Question 229

What are the steps in the Identity and Access Provisioning Lifecycle?

Answer 229

1. Provisioning
2. Review
3. Revocation

Question 230

What is the first line of a defence in depth strategy?

Answer 230

Access Control