Access Control - CISSP for Dummies Flashcards
1. General-purpose control types include all the following except
A. Detective
B. Mandatory
C. Preventive
D. Compensating
1 - B. Mandatory.
Control types identified by purpose include preventive, detective, corrective, deterrent, recovery, and compensating controls. Review “Control types.”
2. Violation reports and audit trails are examples of what type of control?
A. Detective technical
B. Preventive technical
C. Detective administrative
D. Preventive administrative
2 - A. Detective technical.
Preventive technical controls include access control mechanisms and protocols. Review of audit trails is a detective administrative control, but the actual generating of audit trails is a technical function (control). Review “Technical controls.”
3. “A user cannot deny an action” describes the concept of
A. Authentication
B. Accountability
C. Non-repudiation
D. Plausible deniability
3 - C. Non-repudiation.
Authentication and accountability are related to but aren’t the same as non-repudiation. Plausible deniability is a bogus answer. Review “Accountability.”
4. Authentication can be based on any combination of the following factors except
A. Something you know
B. Something you have
C. Something you need
D. Something you are
4 - C. Something you need.
The three factors of authentication are something you know, something you have, and something you are. Review “System access controls.”
5. Unauthorized users that are incorrectly granted access in biometric systems are described as the
A. False Reject Rate (Type II error)
B. False Accept Rate (Type II error)
C. False Reject Rate (Type I error)
D. False Accept Rate (Type I error)
5 - B. False Accept Rate (Type II error).
You should know the biometric error types by both the name (False Accept Rate) and the classification (Type II). The False Reject Rate is a Type I error and describes the percentage of authorized users that are incorrectly denied access. Review “Biometrics and behavior.”
6. All the following devices and protocols can be used to implement one-time passwords except
A. Tokens
B. S/Key
C. Diameter
D. Kerberos
6 - D. Kerberos.
Kerberos is a ticket-based authentication protocol. Although the tickets that are generated are unique for every log-on, Kerberos relies on shared secrets that are static. Therefore, Kerberos isn’t considered a one-time password protocol. Review these three sections: “One-time passwords,” “Tokens,” and “Single sign-on (SSO).”
8. Which of the following is not considered a method of attack against access control systems?
A. Brute force
B. Dictionary
C. Denial of Service
D. Buffer overflow
8 - C. Denial of Service.
The purpose of an attack against access controls is to gain access to a system. Brute-force and dictionary attacks are both password-cracking methods. Although commonly used in Denial of Service attacks, a buffer overflow attack can exploit vulnerabilities or flaws in certain applications and protocols that will allow unauthorized access. Review “Methods of attack.”
10. Which of the following access control models addresses availability issues?
A. Bell-La Padula
B. Biba
C. Clark-Wilson
D. None of the above