Access Control

Question 1

Access control methodology that only uses access control lists to maintain subject permissions for objects:

Answer 1

Discretionary access control

Question 2

What is the least reliable value for logical access control to use?

Answer 2

Physical location

Question 3

What is best paired with a password to provide improved security?

Answer 3

A biometric factor

Question 4

What AC methodology only uses ACL’s to maintain subject permissions for subjects

Answer 4

Discretionary access control

Question 5

What is the access control method where the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object.

Answer 5

Mandatory Access Control

Question 6

What is best paired with a password to provide more secure authentication?

Answer 6

A biometric factor

Question 7

What would be the least reliable value for a logical access control to use?

Answer 7

Physical location

Question 8

Why would someone be opposed to Biometric Authentication?

Answer 8

Biometric authentication can reveal PII and medical information about a person (especially when using the iris and retinal patterns)

Question 9

What is the CIA triad?

Answer 9

Confidentiality, Integrity, Availability

Question 10

What function of the CIA triad does Hashing provide?

Answer 10

Integrity

Question 11

What function of the CIA triad does Cryptography provide?

Answer 11

Confidentiality

Question 12

What function of the CIA triad does Authentication provide?

Answer 12

Availability (to only the right people, ideally)

Question 13

What authentication service grants access through tickets?

Answer 13

Kerberos

Question 14

What AC model enforces permissions based on data labels?

Answer 14

Mandatory Access Control

Question 15

What authentication service uses the X.500 spec?

Answer 15

Lightweight Directory Access Protocol (LDAP)

Question 16

What are the three most effective authentication factors?

Answer 16

Something you are, Something you know, Something you have

Question 17

What is Role Based Access Control?

Answer 17

A list of user roles matched with the levels of access they require to perform their function (often in a matrix)

Question 18

What does RADIUS stand for?

Answer 18

Remote Authentication Dial-In User Service

Question 19

What is Diameter?

Answer 19

A more powerful version of RADIUS (not backwards compatible) with much greater capability notably the use of Extensible Authentication Protocol.

Question 20

What is Role Based Access Control?

Answer 20

A list of rules defining user roles and the levels of access they require to perform their function

Question 21

What is need-to-know ideology?

Answer 21

If a person has sufficient privilege to view information but does not require that information for the execution of their duties, then they do not get access.

Question 22

List three Type 2 authentication inputs

Answer 22

Common Access Card (CAC), RFID Card, Token

Question 23

What is the benefit of De-centralized Access control?

Answer 23

Policy is easily adjusted to local laws and requirements

Question 24

What is summary of the Bell-La Padula Security model?

Answer 24

3 Rules

• Simple: read access no read above your level
• *: write access up, not down
• strong *: no read/write

Question 25

What complexity constitutes a “strong” password?

Answer 25

8 characters minimum, with at least one of uppercase, lowercase, numbers and special characters.

Question 26

What principle should prevent any one person from performing multiple job functions that may allow them to commit fraud?

Answer 26

Separation of duties

Question 27

What type of password must be regenerated each time a user logs in?

Answer 27

One-time password

Question 28

What constitutes a strong password?

Answer 28

8 characters minimum, with at least one of uppercase, lowercase, numbers and special characters.

Question 29

If a contractor has an account (e-mail or login) within your organization, when should her access expire?

Answer 29

The day her contract expires.

Question 30

Why should an organization require administrators to disable user accounts of ex-employees?

Answer 30

To ensure that user keys are retained.

Question 31

What it is it an example of if you are required to use a thumbprint scan and PIN to gain access to a system?

Answer 31

Dual-factor authentication

Question 32

What type of authentication stores credentials in a central database and allows them to access multiple systems after logging on only one time?

Answer 32

Single Sign-on

Question 33

Who is ultimately responsible for the Information Security of an organization?

Answer 33

The data owner (CEO, Executive Director, etc.)